Customizing Spring Session Cookies

By convention, most Java web applications use JSESSIONID as the cookie name to store the session key. In this post, we will see how this cookie behaviour can be changed. Typical behaviour: In session-based authentications like Form-Login and CAS (Central Authentication System), the session is established via cookies. This is done by sending a Set-Cookie header after …

Roles and Privileges in Spring Security

In this post, we will take a look at Role Based Access Control (RBAC) with Spring Boot. Understanding RBAC: In an RBAC model there are three key entities. They are: User or Subject – the actors of the system who perform operations. It can represent a physical person, an automated account, or even another application. Role – Authority …

Understanding Password Encoders in Spring Security

Since Spring Security 5, numerous changes have happened to how passwords are handled within the security context. The major change was that the framework started making developers encode or hash passwords when storing and validating them. If passwords are stored in plain text, security would be compromised by anyone who has access to the …

UserDetailsService : Loading UserDetails from database

In the last post, we saw how easy it is to set up an in-memory UserDetailsService and dynamically add users to the application. However, we all know that this implementation is only good for demos and short-lived applications. Once these applications are stopped, all the information about the users is lost. This is why most of …

In-Memory UserDetailsService in Spring Security

In this post, we will take a look at how the default in-memory UserDetailsService works in a Spring Boot application. Default behaviour: The default autoconfiguration provides an InMemoryUserDetailsManager that generates a single user for the application. We can override these user properties to an extent with changes to the application.properties file. For instance, you can change the default username …

Basic Authentication in Spring Boot

Let’s learn how to implement Basic authentication in a Spring MVC application with an example. Configure Basic Auth: To set up basic authentication, you need to provide your own HttpSecurity configuration. Similar to providing a custom login form, this setup also requires a custom WebSecurityConfigurerAdapter as shown below. This is the only change that you have to make. After …

Session Tracking Modes in Spring Security

Applications maintain their state with the user using a concept called a session. In this post we will see the different types of session tracking modes and how they work. When an application authenticates a user, it can do one of two things: forget about the user after the request is processed, so the user will have to authenticate for each …

Form Login with Spring Boot

This article concentrates on the default form login implementation from Spring Boot and Spring Security. Let’s dive in to understand Spring Security with form-based username and password login. To start with, I have written a simple web application with an API that prints hello world. There is nothing special about this Controller. When we …

Spring Boot Security for Secure web applications


This post compiles a list of Spring Boot Security related topics with appropriate examples. You can learn about form login, securing an MVC application, password encoders, session management and other important security concepts. Login and Logout in Spring Boot; How to implement form login; Customizing Form Login with an Example; How to implement Basic Authentication; Spring …