Spring Security Training: Introduction to Spring Security

Course Number: SPRG-141
Duration: 4 days

Spring Security Training Overview

Accelebrate’s Introduction to Spring Security course teaches attendees how to secure their Spring Framework applications. This course is appropriate for users of Spring 3 or Spring 4.

Location and Pricing

Most Accelebrate courses are delivered as private, customized, on-site training at our clients' locations worldwide for groups of 3 or more attendees and are custom tailored to their specific needs. Please visit our client list to see organizations for whom we have delivered private in-house training. These courses can also be delivered as live, private online classes for groups that are geographically dispersed or wish to save on the instructor's or students' travel expenses. To receive a customized proposal and price quote for private training at your site or online, please contact us.

In addition, some courses are available as live, online classes for individuals. See a schedule of online courses.

Spring Security Training Prerequisites

All attendees must be experienced Java developers and have some experience with the Spring Framework.

Hands-on/Lecture Ratio

This Spring Security training class is 60% hands-on, 40% lecture, with the longest lecture segments lasting for 30 minutes.

Spring Security Training Materials

All attendees receive comprehensive courseware covering all topics in the course.

Software Needed on Each Student PC

  • Java SE SDK (JDK) version 6 or later
  • Eclipse for Java EE Developers
  • Related lab files that Accelebrate provides

Spring Security Training Objectives

All students will:

  • Configure Spring Security for HTTP BASIC authentication
  • Implement form-based authentication
  • Configure other authentication features including remember-me, anonymous users, and logout
  • Apply authorization constraints to URLs and URL patterns
  • Bind authorization roles to user accounts in relational databases
  • Plug application-specific user realms into Spring Security by implementing UserDetailsService
  • Implement application-specific authorization constraints as AccessDecisionVoters
  • Apply authorization constraints to individual methods of service beans, either instead of URL authorization or in tandem with it
  • Express user identity in terms of SAML <Subject>s
  • Apply SAML SSO from the service-provider side
  • Implement OAuth 2.0 authorization-server and resource-server roles
  • Use an OAuth 2.0 client

Spring Security Training Outline

  • Introduction
  • Spring Security
    • Acquiring and Integrating Spring Security
    • Relationship to Spring
    • Relationship to Java EE Standards
    • Basic Configuration
    • How It Works
    • Integration: LDAP, CAS, X.509, OpenID, etc.
    • Integration: JAAS
  • Authentication
    • The <http> Configuration
    • The <intercept-url> Constraint
    • The <form-login> Configuration
    • Login Form Design
    • "Remember Me"
    • Anonymous "Authentication"
    • Logout
    • The JDBC Authentication Provider
    • The Authentication/Authorization Schema
    • Using Hashed Passwords
    • Why Hashing Isn't Enough
    • Using Salts
    • PasswordEncoder and SaltSource
    • Key Lengthening
    • Channel Security
    • Session Management
  • URL Authorization
    • URL Authorization
    • Programmatic Authorization: Servlets
    • Programmatic Authorization: Spring Security
    • Role-Based Presentation
    • The Spring Security Tag Library
  • Under the Hood: Authentication
    • The Spring Security API
    • The Filter Chain
    • Authentication Manager and Providers
    • The Security Context
    • Plug-In Points
    • Implementing UserDetailsService
    • Connecting User Details to the Domain Model
  • Under the Hood: Authorization
    • Authorization
    • FilterSecurityInterceptor and Friends
    • The AccessDecisionManager
    • Voting
    • Configuration Attributes
    • Access-Decision Strategies
    • Implementing AccessDecisionVoter
    • The Role Prefix
  • Method and Instance Authorization
    • Method Authorization
    • Using Spring AOP
    • XML vs. Annotations
    • @PreAuthorize and @PostAuthorize
    • Spring EL for Authorization
    • @PreFilter and @PostFilter
    • Domain-Object Authorization
    • The ACL Schema
    • Interface Model
    • ACL-Based Presentation
  • Introduction to SAML
    • History of SAML
    • Assertions
    • Protocol
    • Bindings
    • Profiles
    • Using OpenSAML
  • SAML Assertions and Protocol
    • "Vouching for" a User
    • Assertions and Subjects
    • NameID Types
    • Authentication Contexts
    • Requests, Queries, and Responses
    • Attribute Queries
    • SAML and XML Signature
  • SAML Bindings
    • Speaking "Through" the Browser
    • The SOAP Binding
    • SAML Over HTTP
    • The Redirect, POST, and Artifact Bindings
    • The PAOS Binding
    • The URI Binding
  • Federated Identity and SSO
    • SAML 2.0 Federations
    • Single Sign-On
    • Account Linking and Persistent Pseudonyms
    • Transient Pseudonyms
    • Name ID Mapping
    • Single Logout
    • Federation Termination
  • The Spring Security SAML Extension
    • The Spring Security SAML Extension
    • The SAML Entry Point
    • The SAML Filter Chain
    • The SSO Processing Filters
    • IdP Discovery
    • Login and Logout Handlers
    • Configuring OpenAM
    • Configuring an SP
    • Customization
    • Combining SSO and Other Authentication Styles
    • Authorization and Attributes
  • OAuth for Spring Security
    • Third-Party Authorization
    • OAuth
    • Roles and Initial Flow
    • Grant Types
    • Access Tokens
    • The Google OAuth API
    • OAuth for Spring Security
    • Client-Details Services
    • Token Services
    • The AuthorizationEndpoint
    • The TokenEndpoint
    • The UserApprovalHandler
    • The Resource-Server Filter
    • The ScopeVoter
    • The OAuth-Aware RestTemplate
    • AccessTokenProviders
    • The OAuth Redirecting Filter
  • Conclusion