00 Preface Spring Security Ensures the Safety and Career Path of Your Application

00 Preface Spring Security Ensures the Safety and Career Path of Your Application #

Hello, I am Jian Xiang, the author of the Lagou Education column “Spring Cloud Principles and Practice,” “Spring Boot Practical Development,” “Spring Reactive Programming Practice,” and “ShardingSphere Core Principles.”

With over 10 years of experience in building and optimizing large-scale Java EE and distributed systems, I have led teams of over 100 people to develop billion-user application systems based on the Spring technology stack. I have extensive practical experience in system development and maintenance using the Spring framework.

Throughout my career, I have worked on various projects, whether it be traditional e-commerce systems or internet-related intelligent terminal platforms, all of which require considerations for security. Any security vulnerability can bring irreparable damage to a product or even an entire company.

Therefore, as the designer and implementer of a system, ensuring the system’s high level of security at all times becomes a critical question.

When it comes to security, you may think of encryption algorithms, HTTPS protocols, and other common technological systems. However, system security is a comprehensive topic and cannot be effectively addressed simply by adopting a few technological systems.

Let’s take a distributed application scenario as an example. Suppose you are developing a work order system that relies on user order information maintained in a third-party order system to generate work orders. In order to generate work orders, the work order system must be able to read user order information from the order system.

So, the question is, how does the work order system obtain user authorization? The typical method we think of is for the user to provide their username and password from the order management platform to the work order system. Then, the work order system logs in to the order management platform using the provided username and password to read the user’s order records. The entire process is illustrated in the following diagram:

Drawing 0.png

Illustration of the authentication and authorization interaction in the order system

The above solution may seem fine, but upon closer analysis, you will discover some vulnerabilities in terms of security.

For example, if a user changes their password on the order management platform, the work order system will no longer be able to access it. To address this issue, we need to introduce protocols like OAuth2 to achieve authentication and authorization in a distributed environment.

Let’s briefly compare OAuth2 and traditional implementation solutions with a diagram:

Drawing 1.png

Comparison between OAuth2 and traditional implementation solutions

However, implementing OAuth2 is not that simple. OAuth2 involves a complex technological system that requires comprehensive considerations such as user authentication, password encryption and storage, token generation and validation, distributed session and public-private key management, as well as managing permissions for various clients. This is where we need to introduce a dedicated security development framework, and Spring Security is one such development framework.

Spring Security provides a dedicated User Account and Authentication (UAA) service that encapsulates the OAuth2 protocol for managing user accounts, OAuth2 clients, and authorization tokens. UAA is just one part of the many core features of Spring Security.

Why do you need to learn this course? #

Spring Security is a longstanding development framework within the Spring family, providing a powerful security feature system for web applications.

In fact, for web applications, in addition to authentication and authorization vulnerabilities in distributed environments, common security issues also include cross-site scripting attacks, cross-site request forgery, sensitive data exposure, and lack of method-level access control. To address these security issues, we need to design and implement comprehensive security features, and Spring Security has provided developers with corresponding solutions, including:

  • User information management;
  • Encryption and decryption of sensitive information;
  • User authentication;
  • Access control;
  • Cross-site request forgery protection;
  • Cross-origin support;
  • Global security methods
  • Single sign-on

At the same time, in today’s era where user privacy and data value are widely advocated, developers and architects who master various security-related technologies have become scarce talents and are increasingly recognized and valued by the industry.

Drawing 2.png

(Source of job information: Lagou.com)

For developers, how to solve security issues using various technology systems is a major challenge. Experienced developers need to proficiently use the Spring Security framework to meet the needs of business development. For example, having a comprehensive understanding of the core functionalities provided by the Spring Security framework, such as authentication, authorization, method-level security access, OAuth2, JWT, etc., and building their own knowledge system and solutions for system security design.

As for architects, the challenge lies in how to extend and customize the framework based on the functionalities it provides and combining them with specific business scenarios. This requires them to have a thorough understanding of the design principles behind core functionalities such as user authentication and access authorization in Spring Security, and the ability to analyze the underlying implementation mechanisms of the framework from the source code level to meet deeper needs.

With the continuous occurrence of various security issues, it can be said that security technology is an indispensable part of building a personal technical system, and it is also an important factor in enhancing your professional competitiveness.

How is this course designed? #

Learning any technical system is a process of stepping on pitfalls and progressing. In my professional career, I have summarized some common and unavoidable pain points when using the Spring Security framework to solve security issues, which can be roughly categorized as follows:

  • Seemingly simple but actually complex: One of the characteristics of Spring Security is that it comes with many built-in basic functionalities, making it easy to use and giving you the impression that development is fast and simple. However, most of these built-in functionalities adopt default implementation mechanisms, such as user login and logout, password encryption and decryption, etc. It hides the complexity of system development deeply. If you do not understand the core content of the framework, you will not be able to understand these default implementation mechanisms. Therefore, once a problem occurs during development, you will feel confused, and the difficulty of problem diagnosis and resolution will also increase.
  • Powerful but difficult to master: The default implementation mechanism provided by Spring Security may not meet the requirements of different business scenarios, so we need to develop and extend the functionality through the framework. Spring Security provides open interfaces for authentication and authorization, as well as a series of extensibility features such as filters. These features are powerful, but you will find that only by fully understanding the design principles behind these features can you make good use of them. Blindly using these extensibility features will only lead to system instability.
  • Abundance of technology systems and components: Spring Security provides a large number of functional components, which form a huge technology system. You will find that it is difficult to learn a new component, even after mastering one, which leads to low learning efficiency and possible errors. Moreover, many of the functionalities in Spring Security integrate with some open source components and solutions on the market. If you are not familiar with these components and solutions, you may encounter some inexplicable problems during use, which will affect the development rhythm.

Based on the above issues, I have summarized a learning path from basic to advanced level based on my years of architectural experience, as well as my understanding and practical experience with security and the Spring Security framework. This learning path not only helps you master the overall framework of Spring Security, but also provides practical guidance on system security design and development techniques based on the Spring Security framework.

This column is divided into the following four modules, which can help you solve the development pain points mentioned earlier.

  • Module One: Basic Features: In this part, I will introduce some basic features of Spring Security, including authentication, authorization, and encryption. These features serve as the entry point for the Spring Security framework and are indispensable for using the framework. Other features of the framework also rely on these basic functionalities. Therefore, I will not only introduce their usage, but also delve into the principles behind them. Through the learning in this module, you will be able to complete user authentication, access authorization, and integration of encryption mechanisms in daily development, thus adding basic security features to your web application.
  • Module Two: Advanced Topics: This part focuses on specific requirements to build complex application scenarios, including filters, cross-site request forgery protection, cross-origin resource sharing, and global method security mechanisms for non-web applications. Through the learning in this module, you will be able to customize various security strategies for web applications using filters, and integrate features such as cross-site request forgery protection and cross-origin access. Moreover, for non-web applications, you can also use Spring Security to achieve method-level security control.
  • Module Three: OAuth2 and Microservices: This part focuses on the integration of microservice development framework Spring Cloud and Spring Security. We will thoroughly explain the OAuth2 protocol and JWT, and use these technologies to build secure microservice systems and single sign-on systems. Microservices are the mainstream technology system for system development nowadays, and the security aspect of microservices is an important topic in daily development. Through the learning in this module, you will be able to add security to mainstream microservice architectures and implement authorized access at the service level using the OAuth2 protocol and JWT.
  • Module Four: Framework Extensions: This part covers the application of Spring Security framework, including the introduction of new reactive programming techniques in Spring Security, and systematic approaches to testing application security. Through the learning in this module, you will master the systematic approaches to testing the various functionalities provided by Spring Security. With the release of Spring 5, reactive programming emerged as a new technology system, and the new version of Spring Security also provides comprehensive support for reactive programming. This column also provides a systematic introduction to reactive Spring Security.

From the perspective of learning, some functionalities in Spring Security may seem simple, but it is not easy to fully master them. Often, some small configuration issues can cause the entire functionality to fail, and it is not easy to identify the root cause. Therefore, although Spring Security allows you to solve 80% of the problems with only 20% of the effort, understanding the remaining 20% of the issues requires systematic learning. Learning Spring Security requires a systematic and methodical approach, and this is where the value of this column lies.

Furthermore, for each core component and usage method in Spring Security, I will provide detailed code implementation examples, which will facilitate your learning and transformation. The code for this course can be downloaded at https://github.com/lagouEdAnna/SpringSecurity-jianxiang.

Instructor’s Message #

In the process of developing modern internet applications, security is becoming increasingly important. Ensuring that systems are free from security vulnerabilities is a major challenge, and we need to introduce corresponding technology systems and development frameworks to meet the growing security requirements. Faced with this dilemma, the introduction of Spring Security, an important component of the Spring family ecosystem, can be considered an excellent choice.