What is Spring Security? The short answer.

  • just a bunch of servlet filters
  • plugs into frameworks like Spring Web MVC, Boot or WebFlux
  • integrates well with standards like OAuth2 or SAML
  • protects against common exploits like CSRF
  • auto-generates login/logout pages

Credit: @MarcoBehler https://bit.ly/2ZiaCDe

Servlet Filters: the cornerstone of Spring Security

  • been around for about 20 years (since Java Servlet Spec 2.3)

Credit (image inspiration): CodeJava.net

Filter Chain: request's ordeal

  • Order matters! Filters run top to bottom, and each one decides whether the request goes any further by calling (or not calling) chain.doFilter(req, res)
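The point of the slide, as an added example in Kotlin (not code from the original deck): two servlet filters where the first always calls chain.doFilter(req, res) and the second only does so when a header checks out. It assumes javax.servlet (Servlet 3.1, Spring Boot 2.x); the filter names, the X-Api-Key header and the api.key property are hypothetical.

```kotlin
import java.security.MessageDigest
import java.util.UUID
import javax.servlet.Filter
import javax.servlet.FilterChain
import javax.servlet.ServletRequest
import javax.servlet.ServletResponse
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import org.springframework.beans.factory.annotation.Value
import org.springframework.boot.web.servlet.FilterRegistrationBean
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration

// Runs first: tags every request so later filters and logs can correlate it,
// then always hands the request on.
class RequestIdFilter : Filter {
    override fun doFilter(req: ServletRequest, res: ServletResponse, chain: FilterChain) {
        req.setAttribute("requestId", UUID.randomUUID().toString())
        chain.doFilter(req, res) // pass the request down the chain
    }
}

// Runs second: rejects requests that do not present the expected key.
// Returning without calling chain.doFilter() is what stops the request here:
// nothing further down the chain, including the servlet, ever sees it.
class ApiKeyGateFilter(private val expectedKey: String) : Filter {
    override fun doFilter(req: ServletRequest, res: ServletResponse, chain: FilterChain) {
        val request = req as HttpServletRequest
        val response = res as HttpServletResponse
        if (!keyMatches(request.getHeader("X-Api-Key"))) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED)
            return
        }
        chain.doFilter(req, res)
    }

    // Constant-time comparison so the check does not leak how many leading
    // bytes of the key were right.
    private fun keyMatches(presented: String?): Boolean =
        presented != null &&
            MessageDigest.isEqual(presented.toByteArray(), expectedKey.toByteArray())
}

@Configuration
class FilterConfig {
    // FilterRegistrationBean.order fixes the top-to-bottom position:
    // lower values run earlier, so the request id exists before the gate runs.
    @Bean
    fun requestIdFilter() = FilterRegistrationBean(RequestIdFilter()).apply { order = 1 }

    // The key is hypothetical configuration (api.key), never a literal in code.
    @Bean
    fun apiKeyGateFilter(@Value("\${api.key}") apiKey: String) =
        FilterRegistrationBean(ApiKeyGateFilter(apiKey)).apply {
            order = 2
            addUrlPatterns("/api/*") // only /api/** has to pass the gate
        }
}
```

Swap the two order values and the gate runs before the request id is set, which is exactly the kind of bug the "order matters" warning is about: the 401 response for a bad key would carry no request id to correlate in the logs.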

Authentication vs Authorization

  • Who are you?
  • What are you allowed to do?

Filter Chain for Reactive Web

  • 12 filters in total! (Spring Security 5.5.1), all under org.springframework.security.web.server.*

Get to Know (Some) of Your Filters!

  • Auto-generated login / logout pages, enabled by default: LoginPageGeneratingWebFilter, LogoutWebFilter
  • User authentication, from the initial client request to a fully resolved Authentication object: AuthenticationWebFilter, SecurityContextServerWebExchangeWebFilter
  • Authorization: is the user entitled to view the protected data or perform an action? AuthorizationWebFilter

Spring Security ≈ Filters Config

@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain =
    http
        .authorizeExchange()
        .anyExchange().authenticated()
        .and().formLogin()
        .and().build()
What this short configuration gives you:

  • formLogin(): new FormLoginSpec() and new LoginPageSpec(); render the default login page, redirect to "/" after a successful login
  • CSRF protection enabled (on by default): new CsrfSpec() wires up new CsrfWebFilter()
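A fuller version of the same SecurityWebFilterChain, as an added example (not code from the original deck) that also shows where a custom WebFilter lands among Spring Security's own filters. It assumes Spring Security 5.5 on Spring Boot 2.5; the paths, the ADMIN role and AuditWebFilter are hypothetical.

```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.http.HttpMethod
import org.springframework.security.config.Customizer
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
import org.springframework.security.config.web.server.SecurityWebFiltersOrder
import org.springframework.security.config.web.server.ServerHttpSecurity
import org.springframework.security.web.server.SecurityWebFilterChain
import org.springframework.web.server.ServerWebExchange
import org.springframework.web.server.WebFilter
import org.springframework.web.server.WebFilterChain
import reactor.core.publisher.Mono

// A custom reactive filter. chain.filter(exchange) is the WebFlux counterpart
// of chain.doFilter(req, res): not returning it would end the request here.
class AuditWebFilter : WebFilter {
    override fun filter(exchange: ServerWebExchange, chain: WebFilterChain): Mono<Void> {
        exchange.attributes["audit.path"] = exchange.request.path.value()
        return chain.filter(exchange)
    }
}

@Configuration
@EnableWebFluxSecurity
class SecurityConfig {
    @Bean
    fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain =
        http
            .authorizeExchange { exchanges ->
                exchanges
                    // Rules are evaluated in order: the first matcher that hits wins,
                    // so the specific ones go first and the catch-all last.
                    .pathMatchers("/", "/public/**", "/login").permitAll()
                    .pathMatchers(HttpMethod.DELETE, "/api/**").hasRole("ADMIN")
                    .pathMatchers("/admin/**").hasRole("ADMIN")
                    .anyExchange().authenticated()
            }
            // Same defaults as the slide: generated login page, LogoutWebFilter,
            // redirect to "/" after a successful login. A custom page would be
            // .formLogin { it.loginPage("/my-login") }.
            .formLogin(Customizer.withDefaults())
            // CsrfWebFilter stays on (session-backed token repository by default).
            // Only disable it for stateless, token-authenticated APIs with no
            // cookie-based session.
            .csrf(Customizer.withDefaults())
            // SecurityWebFiltersOrder fixes where the custom filter sits relative
            // to Spring Security's own: here, after authentication, before
            // AuthorizationWebFilter, so the audit attribute is set even for
            // requests that then get a 403.
            .addFilterBefore(AuditWebFilter(), SecurityWebFiltersOrder.AUTHORIZATION)
            .build()
}
```

The matcher ordering is the part worth a second look in review: putting .anyExchange().authenticated() first would shadow every rule below it, and a permitAll() placed above a hasRole() rule for an overlapping path silently opens that path.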

Why WebFlux?

  • Fully non-blocking IO: handles a bigger load with fewer threads
  • Adds a concise functional API for routing and request handling, not just @Controller
  • Supports the Reactive Streams back-pressure mechanism

Credit (image): spring.io

Let's Get Started!

In my YouTube tutorial you will learn how to

  • configure and successfully secure modern reactive web apps
  • easily enable SSO with social login on Google, Facebook or GitHub
  • load user details from your own database in a non-blocking manner
  • shield against some of the common attacks
  • prevent unauthorized access

.. and more