Spring Security 3.
Title:
Spring Security 3.
Author:
Mularien, Peter.
ISBN:
9781847199751
Edition:
1st ed.
Physical Description:
1 online resource (472 pages)
Contents:
Spring Security 3 -- Table of Contents -- Spring Security 3 -- Credits -- Foreword -- About the Author -- About the Reviewers -- Preface -- What this book covers -- Other notes -- Acknowledgements and thanks -- Who this book is for -- Conventions -- Reader feedback -- Customer support -- Errata -- Piracy -- Questions
1. Anatomy of an Unsafe Application -- Security audit -- About the sample application -- The JBCP pets application architecture -- Application technology -- Reviewing the audit results -- Authentication -- Authorization -- Database Credential Security -- Sensitive Information -- Transport-Level Protection -- Using Spring Security 3 to address security concerns -- Why Spring Security? -- Summary
2. Getting Started with Spring Security -- Core security concepts -- Authentication -- Authorization -- Securing our application in three easy steps -- Implementing a Spring Security XML configuration file -- Adding the Spring DelegatingFilterProxy to your web.xml file -- Adding the Spring Security XML configuration file reference to web.xml -- Mind the gaps! -- Common problems -- Security is complicated: The architecture of secured web requests -- How requests are processed? -- What does auto-config do behind the scenes? -- How users are authenticated? -- What is spring_security_login and how did we get here? -- Where do the user's credentials get validated? -- When good authentication goes bad? -- How requests are authorized? -- Configuration of access decision aggregation -- Configuring to use a UnanimousBased access decision manager -- Access configuration using Spring Expression Language -- Summary
3. Enhancing the User Experience -- Customizing the login page -- Implementing a custom login page -- Implementing the login controller -- Adding the login JSP -- Configuring Spring Security to use our Spring MVC login page -- Understanding logout functionality -- Adding a Log Out link to the site header -- How logout works -- Changing the logout URL -- Logout configuration directives -- Remember me -- Implementing the remember me option -- How remember me works -- Remember me and the user lifecycle -- Remember me configuration directives -- Is remember me secure? -- Authorization rules differentiating remembered and fully authenticated sessions -- Building an IP-aware remember me service -- Extending TokenBasedRememberMeServices -- Configuring the custom RememberMeServices -- Customizing the remember me signature -- Implementing password change management -- Extending the in-memory credential store to support password change -- Extending InMemoryDaoImpl with InMemoryChangePasswordDaoImpl -- Configuring Spring Security to use InMemoryChangePasswordDaoImpl -- Building a change password page -- Adding a change password handler to AccountController -- Exercise notes -- Summary
4. Securing Credential Storage -- Database-backed authentication with Spring Security -- Configuring a database-resident authentication store -- Creating the default Spring Security schema -- Configuring the HSQL embedded database -- Configuring JdbcDaoImpl authentication store -- Adding user definitions to the schema -- How database-backed authentication works -- Implementing a custom JDBC UserDetailsService -- Creating a custom JDBC UserDetailsService class -- Adding a Spring Bean declaration for the custom UserDetailsService -- Out of the box JDBC-based user management -- Advanced configuration of JdbcDaoImpl -- Configuring group-based authorization -- Configuring JdbcDaoImpl to use groups -- Modifying the initial load SQL script -- Modifying the embedded database creation declaration -- Using a legacy or custom schema with database-resident authentication -- Determining the correct JDBC SQL queries -- Configuring the JdbcDaoImpl to use custom SQL queries -- Configuring secure passwords -- Configuring password encoding -- Configuring the PasswordEncoder -- Configuring the AuthenticationProvider -- Writing the database bootstrap password encoder -- Configuring the bootstrap password encoder -- Would you like some salt with that password? -- Configuring a salted password -- Declaring the SaltSource Spring bean -- Wiring the PasswordEncoder to the SaltSource -- Augmenting DatabasePasswordSecurerBean -- Enhancing the change password functionality -- Configuring a custom salt source -- Extending the database schema -- Tweaking configuration of the CustomJdbcDaoImpl UserDetails service -- Overriding the baseline UserDetails implementation -- Extending the functionality of CustomJdbcDaoImpl -- Moving remember me to the database -- Configuring database-resident remember me tokens -- Adding SQL to create the remember me schema -- Adding new SQL script to the embedded database declaration -- Configuring remember me services to persist to the database -- Are database-backed persistent tokens more secure? -- Securing your site with SSL -- Setting up Apache Tomcat for SSL -- Generating a server key store -- Configuring Tomcat's SSL Connector -- Automatically securing portions of the site -- Secure port mapping -- Summary
5. Fine-Grained Access Control -- Re-thinking application functionality and security -- Planning for application security -- Planning user roles -- Planning page-level security -- Methods of fine-grained authorization -- Using Spring Security Tag Library to conditionally render content -- Conditional rendering based on URL access rules -- Conditional rendering based on Spring EL Expressions -- Conditionally rendering the Spring Security 2 way -- Conditional display based on absence of a role -- Conditional display based on any one of a list of roles -- Conditional display based on all of a list of roles -- Using JSP Expressions -- Using controller logic to conditionally render content -- Adding conditional display of the Log In link -- Populating model data based on user credentials -- What is the best way to configure in-page authorization? -- Securing the business tier -- The basics of securing business methods -- Adding @PreAuthorize method annotation -- Instructing Spring Security to use method annotations -- Validating method security -- Several flavors of method security -- JSR-250 compliant standardized rules -- Method security using Spring's @Secured annotation -- Method security rules using Aspect Oriented Programming -- Comparing method authorization types -- How does method security work? -- Advanced method security -- Method security rules using bean decorators -- Method security rules incorporating method parameters -- How method parameter binding works -- Securing method data through role-based filtering -- Adding role-based data filtering with @PostFilter -- Pre-filtering collections with method @PreFilter -- Why use a @PreFilter at all? -- A fair warning about method security -- Summary
6. Advanced Configuration and Extension -- Writing a custom security filter -- IP filtering at the servlet filter level -- Writing our custom servlet filter -- Configuring the IP servlet filter -- Adding the IP servlet filter to the Spring Security filter chain -- Writing a custom AuthenticationProvider -- Implementing simple single sign-on with an AuthenticationProvider -- Customizing the authentication token -- Writing the request header processing servlet filter -- Writing the request header AuthenticationProvider -- Combining AuthenticationProviders -- Simulating single sign-on with request headers -- Considerations when writing a custom AuthenticationProvider -- Session management and concurrency -- Configuring session fixation protection -- Understanding session fixation attacks -- Preventing session fixation attacks with Spring Security -- Simulating a session fixation attack -- Comparing session-fixation-protection options -- Enhancing user protection with concurrent session control -- Configuring concurrent session control -- Understanding concurrent session control -- Testing concurrent session control -- Configuring expired session redirect -- Other benefits of concurrent session control -- Displaying a count of active users -- Displaying information about all users -- Understanding and configuring exception handling -- Configuring "Access Denied" handling -- Configuring an "Access Denied" destination URL -- Adding controller handling of AccessDeniedException -- Writing the Access Denied page -- What causes an AccessDeniedException -- The importance of the AuthenticationEntryPoint -- Configuring Spring Security infrastructure beans manually -- A high level overview of Spring Security bean dependencies -- Reconfiguring the web application -- Configuring a minimal Spring Security environment -- Configuring a minimal servlet filter set -- SecurityContextPersistenceFilter -- UsernamePasswordAuthenticationFilter -- AnonymousAuthenticationFilter -- FilterSecurityInterceptor -- Configuring a minimal supporting object set -- Advanced Spring Security bean-based configuration -- Adjusting factors related to session lifecycle -- Manual configuration of other common services -- Declaring remaining missing filters -- LogoutFilter -- RememberMeAuthenticationFilter -- ExceptionTranslationFilter -- Explicit configuration of the SpEL expression evaluator and Voter -- Bean-based configuration of method security -- Wrapping up explicit configuration -- Which type of configuration should I choose?
Abstract:
Secure your web applications against malicious intruders with this easy to follow practical guide.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.