1174. Spring Security
This fast-paced course introduces the Java web developer to the Spring Security framework. The first half of the course gives an overview and quickly moves into practical exercises in basic usage: XML configuration for authentication and URL-based authorization. Then we start to dig into Spring Security as a Java model, and develop advanced techniques including custom user realms, custom authorization constraints, method-based authorization, and instance-based authorization.
By the end of the course students will be able to use Spring Security to implement authentication and role-based authorization policies for their own Java web applications (whether or not those applications use Spring themselves), and customize the behavior of Spring Security to their requirements.
Note that, in this short time frame, the course does not give much background on general web-application security -- for example, pros and cons of HTTP BASIC, DIGEST, and form-based authentication strategies, or what a session-fixation attack actually is. Rather, it is focused on the Spring Security library and what we can do with it. For a complete treatment of web security, consider pairing this course with Course 121, "Securing Java Web Applications."
Prerequisites: Java programming experience is excellent preparation. Basic knowledge of XML. Some servlets and/or JSP experience will be beneficial for purposes of understanding the impact of each security feature that we configure. There is no web-application coding involved in the course. Experience with the Spring framework is strongly recommended.
This course offers an optional "Chapter 0" briefing on features of Spring that are essential to Spring Security; but full coverage of this chapter will come at the expense of some of the later material in the course.
IDE Support: Eclipse Galileo. In addition to the primary lab files, an optional overlay is available that adds support for Eclipse Galileo. Students can code, build, deploy, and test all exercises from within Eclipse, and take advantage of Eclipse WTP's built-in editors and wizards for web applications, XML files, JSPs, and more. Some administrative tasks must be performed externally -- mostly having to do with database administration. See also our orientation to Using Capstone's Eclipse Overlays.
0. The Spring Framework
a. Overview of Spring
b. The Core Module
c. Inversion of Control
d. XML and Java Views of the Container
e. Configuring JavaBeans
f. Dependency Injection
g. Web Application Contexts
1. Spring Security
a. Acquiring and Integrating Spring Security
b. Relationship to Spring
c. Relationship to Java EE Standards
d. Basic Configuration
e. How It Works
f. Integration: LDAP, CAS, X.509, OpenID, etc.
g. Integration: JAAS
a. The <http> Configuration
b. The <intercept-url> Constraint
c. The <form-login> Configuration
d. Login Form Design
e. "Remember Me"
f. Anonymous "Authentication"
h. The JDBC Authentication Provider
i. The Authentication/Authorization Schema
j. Using Hashed Passwords
k. Channel Security
l. Session Management
3. URL Authorization
a. URL Authorization
b. Programmatic Authorization: Servlets
c. Programmatic Authorization: Spring Security
d. Role-Based Presentation
e. The Spring Security Tag Library
4. Under the Hood: Authentication
a. The Spring Security API
b. The Filter Chain
c. Authentication Manager and Providers
d. The Security Context
e. Plug-In Points
f. Implementing UserDetailsService
g. Connecting User Details to the Domain Model
5. Under the Hood: Authorization
b. FilterSecurityInterceptor and Friends
c. The AccessDecisionManager
e. Configuration Attributes
f. Access-Decision Strategies
g. Implementing AccessDecisionVoter
h. The Role Prefix
6. Method and Instance Authorization
a. Method Authorization
b. Using Spring AOP
c. XML vs. Annotations
d. Domain-Object Authorization
e. The ACL Schema
f. Interface Model
g. ACL-Based Presentation
System Requirements:
Hardware Requirements (Minimum): Core 2 Duo 1.5 GHz or equivalent, 1 GB RAM, 2 GB disk space.
Hardware Requirements (Recommended): Core 2 Duo 2.5 GHz or equivalent, 4 GB RAM, 2 GB disk space.
Operating System: Tested on Windows XP Professional. Course software should be viable on all systems which support a Java 6 Developer's Kit.
Network and Security: Limited privileges required -- please see our standard security requirements.
Software Requirements: All free downloadable tools.