The document provides an overview of Spring Security, an authentication and authorization framework for Java web applications. It discusses what Spring Security is and is not, assumptions about the audience's knowledge, and an outline of topics to be covered, including basic and advanced security configurations, user authentication and authorization, security at the view layer, enabling HTTPS, and protecting against CSRF attacks. The presentation aims to introduce Spring Security and demonstrate how to implement common security features.

1. Spring Security Introduction
Presenter: Nishant Handa, Mindfire Solutions
Date: 05/05/2015

2. What is Spring Security

It's a powerful and highly customizable authentication and access control
framework for web applications/ web services

It is build on top of Spring Framework

It handles authentication and authorization and alot of things

3. What Spring Security is not

Firewal, proxy server, intrusion detection system

Operating system security

JVM sandbox security

4. What I am Assuming

You are familiar with Java

You are at least somewhat familiar with Spring Framework

5. What I will cover

Spring security introduction done with that..

Start with minimal security to you web app

User Detail Storage in database

Spring security at view layer

How to enable HTTP Basic security

Password Encryption

Let's customize some by default configuration

Let's add powerfull spring security expression language

Enable HTTPS channel via spring security

Let's implement Remember-Me functionality

Introduction to CSRF attacks..

6. Minimal security configuration

Register DelegatingFilterProxy in your application

Authentication via in-memory user details storage

Declare Intercept url pattern

7. Let's store user detail in database

Register datasource for your database as a spring bean

Use this datasource in spring security flow

You can also write your customized SQLs or Java implementation(not cover in
this session)

8. Spring security at view layer

Introduction to Spring security taglibs

Display current user name

Let's control the view rendering on the basis of users role/authorities

9. Let's add HTTP basic authentication

Just add one simple tag <http-basic />

10. Password encryption

Better to go with Bcrypt mechanism

11. Let's do some customization

Customized login screen

Add logout functionality

Customize unauthorized error

12. Expression based access control

Enable expressions in spring security

Power of @Pre and @Post Annotations

13. Enable HTTPS channel

Enable https in your container

Force your application to use HTTPS channel

14. Remember-ME

Simple hash based token approach

Persistent token approach

Let's decide between comfort and security

15. Security against CSRF attacks

What the heck is this CSRF

Basic protection by spring security

16. Way to go, this is just the beginning!

17. Queries????

18. References

Spring in action 3rd
edition

Pro Spring Security By Carlo Scarioni

http://www.mkyong.com/tutorials/spring-security-tutorials/

19. Presenter: Nishant Handa, Mindfire Solutions