Begin an introduction to the core concepts of Spring Security.
- [Instructor] The Spring Security Project is one of the most powerful abstractions from the perspective of the developer; however, it is also one of the most complex considering everything that it includes. Throughout this course, we will focus on Spring Security and the problems it tries to solve and the complexities that it abstracts. In order to fully grasp the power of Spring Security, we first need to know where it fits in. Security should be tackled in a layered fashion.
This layered security pattern provides you distinct focus areas to secure, monitor, and tune. Now, I'm not going to go too deep here. These topics can comprise several courses on their own, but I do want a conceptual framework so you get a feel of where Spring Security comes into play. Most often, the focus in this layered model starts at the lowest level and that is the physical hardware. Hardware must be physically secured and uniquely identifiable to other trusted systems.
After you plan to secure the hardware, you start looking at the network. Here we deploy transport-layer security, firewalls, network segmentation strategies like VLANs and security zones, IDS systems, and the list goes on and on. We then move to the operating systems, where user access controls, patching policies, and software restrictions provide additional layers of security for our system as a whole. Finally, we look at application security.
And this is where we focus on good coding practices, proper data handling, and application user access controls. And this is where Spring Security comes into play. Spring Security is a project that provides amazing abstractions in the J2EE, now called Jakarta EE, application space. These abstractions help solve the various issues of traditional Java enterprise security like portability and vendor lock-in.
By abstracting these topics, we are providing a clean and efficient way to provide security services. Now, Spring Security isn't just for enterprise developers. It also provides valuable tools for internet-facing applications running in the JVM. Obviously, as a Spring project, it plays very nicely with the Spring Framework as a whole, but that isn't a requirement. In this course, we will do all of our work using Spring Boot.
But at no point should that feel like a requirement. You can use Spring Security with traditional Spring-based WAR applications, as well as raw Java applications. Most of Spring Security is designed to focus on authentication and authorization. These are often the most critical needs at the application level outside of secure coding practices themselves. We will focus on these topics exclusively in this course, but there's a lot of material in these topics, so buckle up and let's dig into what authentication and authorization are really about.
- Authentication vs. authorization
- Implementing in-memory and JDBC authentication
- Form-based authentication
- Building login and logout pages
- Configuring LDAP authentication
- Leveraging OAuth 2
- WebFlux basic security