Spring Security Core Concepts

Module 1: Core Concepts
  • This course shows how to use Spring Security on a web application.
  • Using Spring Security 4, we use the XML namespace to define authentication and authorisation roles.
  • Common attacks and how to defend against them.
  • How to store passwords safely using BCrypt.
  • Part of our Spring Training series.


You will need previous experience of Java, web development and Spring MVC. We have a series of Spring Training courses which cover all of these topics if you need them!

Contents - Equivalent to a 2 day training course. The running time of the videos is 5.5 hours.


Having problems? Check the errata for this course.


Course Overview

4m 2s
What the course covers and plans for module 2.


Getting started

49m 38s
We take a standard Spring MVC project and apply security to it.


Form Authentication

29m 24s
How to set up a login form.


Preserving Usernames on Authentication Failure

28m 50s
This optional chapter shows how to keep the username on the form if the login fails. This should be easy but Spring doesn't support this "out of the box".


Database Authentication

39m 47s
We now authenticate against a database table. Note - at this stage the passwords are in cleartext, and very insecure!


Creating Users Programmatically

45m 42s
How to add users to the database.


BCrypt Password Encoding

27m 45s
How to store passwords securely, using the industry best-practice of BCrypt.


Preventing Brute Force Attacks

47m 39s
Often, SHA-256 or (even worse) MD5 is used with a "salt" to encode passwords. This is not recommended, and this chapter explains why.


Tag Library and Preventing Cross Site Request Forgeries (CSRF)

27m 29s
Support for CSRF protection is "ON" by default; we had to switch it "OFF" early on in the course; it's time now to look at what this does, and why you might need it.


Enabling Transport Layer Security (TLS/SSL)

20m 44s
It's important to realise that so far, all transmissions to the server have been unencrypted and therefore passwords have been sent in plaintext. This is a brief overview of how to use TLS/SSL in Spring.


Coming Soon

7m 22s
The next module will feature how to use OAuth (1 and 2), and how to apply security to REST webservices. This is planned for early September 2015.


Bonus Chapter: Standard web.xml

63m 42s
You might not need Spring Security: you can do security using web.xml. This extra video shows the standard "built in" security and also explains the difference between authentication and authorisation.


Bonus Chapter: Using JavaConfig

66m 15s
We've copied this chapter from our JavaConfig module, in case you're unable to access that. This chapter covers how to configure Spring Security without XML. Note: this chapter also covers OAuth configuration, which is the subject of our other Spring Security course.
