Course intended for:

The training is intended for programmers wanting to learn and understand the functioning of Spring Security 3 quickly and gain a general understanding of alternative possibilities of implementation of security mechanisms in Web applications and in the JEE environment

Course objective:

The training objective is to get familiar with programming and configuration techniques allowing for implementation of security mechanisms in Web applications using Spring Security 3.

The training in its basic format provides a detailed discussion of capabilities of Spring Security 3. The remaining solutions have been discussed only theoretically for the sake of comparison. On request, the training curriculum can be adjusted – the technology discussed in detail can be e.g. Apache Shiro, while other issues (that is, Spring Security 3, JBoss Picketlink) are a complementation only.

  • Security in the world of JEE

  • JEE application security and Web application security

  • Discussing of the principles of functioning of Spring Security with substantial emphasis on the architecture of the solution and correlations between its components (objects, services) – necessary to understand this solution

  • Practical use of Spring Security mechanisms delivered

  • broadening of the scope of Spring Security mechanisms available for the purpose of implementation of own requirements

  • How to speed up the process of testing of the security mechanisms implemented through tests overriding the container?

Course strengths:

Spring Security is considered to be one of the best solutions, allowing for implementation of security mechanisms in Web applications. On the other hand, many believe this solution to be too complicated, as it required much time for understanding of the underlying principles of this mechanism. This training addresses these problems, providing specific information that allows the users to get familiar with the world of Spring Security 3. The training starts with a theoretical introduction, during which key concepts and dependencies are discussed that are necessary to be able to „control" this solution. The key objects and services and correlations between them are presented. Apart from theory, in the further part of the training, the issues discussed are used in practice. Thanks to this, in a relatively short period of time, the user will be able to acquire a much broader scope of knowledge and skills than it would be possible for the participants on their own.


The training participants are required to have the Java language programming skills (to be learned at the course J/JP), to be familiar with the basic issues of the Spring framework (to be learned at the course J/SPRING) and with the basic concepts associated with Web application programming (to be learned at the course J/WEB2b).

Course parameters:

3*8 hours (3*7 net hours) of lectures and workshops (with a visible emphasis on workshops).

Group size: no more than 8-10 participants.

Course curriculum

  1. Security of JEE applications and security of Web applications – introduction

    1. Security from the perspective of the JEE standard (authentication, authorization, data integrity, data transmission security)

    2. Basic terms (credentials, principal, realm, session etc.)

    3. Discussing of available authentication mechanisms in Web modules

      1. HTTP Basic Authentication: BASIC

      2. Digest Authentication: DIGEST

      3. HTTPS Client Authentication: CLIENT-CERT

      4. Form-Based Authentication: FORM

    4. Security of data transmission (transport security)

      1. 2 available levels: Confidential and Integral
    5. Authorization:

      1. Declarative: use of available annotations (e.g. @RolesAllowed, @PermitAll , @DeclareRoles, @RunAs , @DenyAll, @ServletSecurity)

      2. Programming: use of methods (getRemoteUser(), isUserInRole(), getUserPrincipal(), getAuthType() , login(), logout(), getScheme())

    6. Discussion of specific characteristics of EJB module protection

      1. Authentication and authorization in the area of session beans and entities

      2. EJB Deployment Descriptors and dependence on the selected application server

  2. A review of the available techniques/ solutions allowing for programming of security mechanisms in the JEE application:

    1. Security based on application server mechanisms

    2. Overriding of application server in implementation of security mechanisms

    3. JAAS

    4. Spring Security

    5. Apache Shiro

    6. PicketBox

  3. Spring Security – discussing of key concepts and their correlations

    1. SecurityContextHolder, SecurityContext

    2. Authentication, AuthenticationEntryPoint, UserDetailsService, UserDetails, Principal, Credentials, GrantedAuthority

    3. Immediately available implementations of UserDetailsService e.g. InMemoryDaoImpl, JdbcDaoImpl

    4. AuthenticationManager, UsernamePasswordAuthenticationToken, ProviderManager

    5. AuthenticationProviders with the available implementations, e.g. DaoAuthenticationProvider, LdapAuthenticationProvider, CasAuthenticationProvider

    6. Password Encoders (hash, salt)

    7. AOP and authorization mechanisms

    8. AccessDecisionManager, Secure Objects, AccessDecisionVoter (e.g. RoleVoter), RunAsManager, AfterInvocationManager, AbstractSecurityInterceptor

    9. Filters in the security process e.g. DelegatingFilterProxy, FilterChainProxy, BasicAuthenticationFilter, UsernamePasswordAuthenticationFilter, RememberMeAuthenticationFilter, FormLoginFilter, ExceptionTranslationFilter, ConcurrentSessionFilter, SecurityContextPersistenceFilter

      1. Overriding of filter chain (filters = "none")

      2. The impact of order, in which filters were declared, on the authentication and authorization process

      3. Own filters

    10. Configuration using the name space

      1. Benefits of declarative configuration

      2. Discussing of name space components that exert impact on configuration (Web/HTTP, Authentication Manager, Authentication Providers, UserDetailsService, AccessDecisionManager, BusinessObject)

      3. auto-config, form-login, logout attributes

    11. The model of exceptions in Spring Security 3

      1. AuthenticationException and available subclasses e.g. BadCredentialsException, UsernameNotFoundException

      2. AccountStatusException as a subclass of AuthenticationException but also as one of the most significant classes supporting management of „invalid" user accounts. (subclasses e.g. AccountExpiredException, LockedException, DisabledException or CredentialsExpiredException)

      3. AccessDeniedException with subclass AuthorizationServiceException

  4. Authentication in practice

    1. Implementation of the simple authentication mechanism, using name space configuration mechanisms

    2. Implementation of the simple authentication mechanism in "in-memory" mode using mechanisms available in Spring Security 3 ( e.g. InMemoryDaoImpl)

    3. A standard, predefined data model representing user accounts and their roles

    4. Implementation of the simple authentication mechanism in the "jdbc" mode using the mechanisms available in Spring Security 3 (e.g. JdbcDaoImpl) and a predefined data model

    5. Authentication in the „Remember-me" mode

  5. Authorization in practice

    1. Authorization using RoleVoter and AuthenticationVoter

    2. Protection of business method requests

    3. Using of expressions in access control (e.g. hasRole, principal, isAuthenticated, isFullyAuthenticated )

    4. Annotations @PreAuthorize, @PreFilter, @PostAuthorize and @PostFilter

  6. Spring Security – advanced issues

    1. Testing outside container – how to speed up the process of testing of the solutions implemented?

    2. Implementation of own logic and data model, which will support non-standard requirements (e.g. having no predefined implementation in Spring Security) with regard to user authentication and authorization

    3. Practical use of ACL (Access Control List)

    4. Use of SSL

    5. User session management

    6. Control of Web page content via the available tag library (tags: authorize, authentication, accesscontrollist)

  7. What else is worth knowing (a theoretical outline)

    1. LDAP Authentication

    2. JAAS Provider

    3. CAS Authentication

    4. X.509 Authentication

    5. Support of OpenID

    6. Projects enhancing the capabilities of Spring Security

      1. The Spring Crypto module and its support for (symmetric) encoding, key generation or password coding

      2. The Spring Security Extension project and its support for SSO, integration with Kerberos and SAML2

      3. OAuth for Spring Security Project and its support for OAuth

      4. Summary

Any questions?

* Required.

Phone +48 22 2035600
Fax +48 22 2035601