
Spring Security Core Concepts

Module 1: Core Concepts
  • This course shows how to use Spring Security on a web application.
  • Using Spring Security 4, we use the XML namespace to define authentication and authorisation roles.
  • Common attacks and how to defend against them.
  • How to store passwords safely using BCrypt.
  • Part of our Spring Training series.


You will need previous experience of Java, Web Development and Spring MVC. We have a series of Spring Training courses which cover all of these topics if you need them!

Contents - Equivalent to a 2-day training course. The running time of the videos is 5.5 hours.


Having problems? Check the errata for this course.


Course Overview

4 m 2 s
What the course covers and plans for module 2.


Getting started

49 m 38 s
We take a standard Spring MVC project and apply security to it.


Form Authentication

29 m 24 s
How to set up a login form.


Preserving Usernames on Authentication Failure

28 m 50 s
This optional chapter shows how to keep the username on the form if the login fails. This should be easy but Spring doesn't support this "out of the box".


Database Authentication

39 m 47 s
We now authenticate against a database table. Note - at this stage the passwords are in cleartext, and very insecure!


Creating Users Programmatically

45 m 42 s
How to add users to the database.


BCrypt Password Encoding

27 m 45 s
How to store passwords securely, using the industry best-practice of BCrypt.


Preventing Brute Force Attacks

47 m 39 s
Often, SHA-256 or (even worse) MD5 is used with a "salt" to encode passwords. This is not recommended, and this chapter explains why.


Tag Library and Preventing Cross Site Request Forgeries (CSRF)

27 m 29 s
Support for CSRF protection is "ON" by default; we had to switch it "OFF" early on in the course; it's time now to look at what this does, and why you might need it.


Enabling Transport Layer Security (TLS/SSL)

20 m 44 s
It's important to realise that so far, all transmissions to the server have been unencrypted and therefore passwords have been sent in plaintext. This is a brief overview of how to use TLS/SSL in Spring.


Coming Soon

7 m 22 s
The next module will feature how to use OAuth (1 and 2), and how to apply security to REST webservices. This is planned for early September 2015.


Bonus Chapter: Standard web.xml

63 m 42 s
You might not need Spring Security: you can do security using web.xml. This extra video shows the standard "built in" security and also explains the difference between authentication and authorisation.


Bonus Chapter: Using JavaConfig

66 m 15 s
We've copied this chapter from our JavaConfig module, in case you're unable to access that. This chapter covers how to configure Spring Security without XML. Note: this chapter also covers OAuth configuration, which is the subject of our other Spring Security course.
