Training Capstone Courseware

Training goals dlearning

code: CC-117D | version: v3.2

Version 3.2

This in-depth course introduces the Java web developer to the Spring Security framework. We start with an overview and practical exercises in basic usage: XML configuration for authentication and URL-based authorization. Then we start to dig into Spring Security as a Java model, and develop advanced techniques including custom user realms, custom authorization constraints, method-based authorization, and instance-based authorization.

We then explore two increasingly popular extensions to Spring Security. We consider the Security Assertions Markup Language, or SAML, and the wide range of identity and security features it offers -- but quickly focus on it's support for single sign-on (SSO), and learn how the Spring Security SAML Extension enables applications to interact with SAML identity providers to implement SSO and single logout. And we look at OAuth for Spring Security, which enables third-party authorization scenarios, and learn how to implement both the server and client sides of the OAuth 2.0 flow.

Note that the course does not give much background on general web-application security -- pros and cons of HTTP BASIC, DIGEST, and form-based authentication strategies, cross-site scripting, injection, CSRF, etc. Course 121, "Securing Java Web Applications," makes a nice compliment to Course 117D, and custom hybrids of the two courses are available.

Learning Objectives

  • Configure Spring Security for HTTP BASIC authentication.
  • Implement form-based authentication.
  • Configure other authentication features including remember-me, anonymous users, and logout.
  • Apply authorization constraints to URLs and URL patterns.
  • Bind authorization roles to user accounts in relational databases.
  • Plug application-specific user realms into Spring Security by implementing UserDetailsService.
  • Implement application-specific authorization constraints as AccessDecisionVoters.
  • Fix authorization constraints over individual methods of service beans, in lieu of URL authorization or in tandem with it.
  • Express user identity in terms of SAMLs.
  • Implement SAML SSO from the service-provider side.
  • Implement OAuth 2.0 authorization-server and resource-server roles.
  • Implement an OAuth 2.0 client.

Conspect Show list

  1. Spring Security
    • Acquiring and Integrating Spring Security
    • Relationship to Spring
    • Relationship to Java EE Standards
    • Basic Configuration
    • How It Works
    • Integration: LDAP, CAS, X.509, OpenID, etc.
    • Integration: JAAS
  2. Authentication
    • TheConfiguration
    • TheConstraint
    • TheConfiguration
    • Login Form Design
    • "Remember Me"
    • Anonymous "Authentication"
    • Logout
    • The JDBC Authentication Provider
    • The Authentication/Authorization Schema
    • Using Hashed Passwords
    • Why Hashing Isn't Enough
    • Using Salts
    • PasswordEncoder and SaltSource
    • Key Lengthening
    • Channel Security
    • Session Management
  3. URL Authorization
    • URL Authorization
    • Programmatic Authorization: Servlets
    • Programmatic Authorization: Spring Security
    • Role-Based Presentation
    • The Spring Security Tag Library
  4. Under the Hood: Authentication
    • The Spring Security API
    • The Filter Chain
    • Authentication Manager and Providers
    • The Security Context
    • Plug-In Points
    • Implementing UserDetailsService
    • Connecting User Details to the Domain Model
  5. Under the Hood: Authorization
    • Authorization
    • FilterSecurityInterceptor and Friends
    • The AccessDecisionManager
    • Voting
    • Configuration Attributes
    • Access-Decision Strategies
    • Implementing AccessDecisionVoter
    • The Role Prefix
  6. Method and Instance Authorization
    • Method Authorization
    • Using Spring AOP
    • XML vs. Annotations
    • @PreAuthorize and @PostAuthorize
    • Spring EL for Authorization
    • @PreFilter and @PostFilter
    • Domain-Object Authorization
    • The ACL Schema
    • Interface Model
    • ACL-Based Presentation
  7. Introduction to SAML
    • History of SAML
    • Assertions
    • Protocol
    • Bindings
    • Profiles
    • Using OpenSAML
  8. SAML Assertions and Protocol
    • "Vouching for" a User
    • Assertions and Subjects
    • NameID Types
    • Authentication Contexts
    • Requests, Queries, and Responses
    • Attribute Queries
    • SAML and XML Signature
  9. SAML Bindings
    • Speaking "Through" the Browser
    • The SOAP Binding
    • SAML Over HTTP
    • The Redirect, POST, and Artifact Bindings
    • The PAOS Binding
    • The URI Binding
  10. Federated Identity and SSO
    • SAML 2.0 Federations
    • Single Sign-On
    • Account Linking and Persistent Pseudonyms
    • Transient Pseudonyms
    • Name ID Mapping
    • Single Logout
    • Federation Termination
  11. The Spring Security SAML Extension
    • The Spring Security SAML Extension
    • The SAML Entry Point
    • The SAML Filter Chain
    • The SSO Processing Filters
    • IdP Discovery
    • Login and Logout Handlers
    • Configuring OpenAM
    • Configuring an SP
    • Customization
    • Combining SSO and Other Authentication Styles
    • Authorization and Attributes
  12. OAuth for Spring Security
    • Third-Party Authorization
    • OAuth
    • Roles and Initial Flow
    • Grant Types
    • Access Tokens
    • The Google OAuth API
    • OAuth for Spring Security
    • Client-Details Services
    • Token Services
    • The AuthorizationEndpoint
    • The TokenEndpoint
    • The UserApprovalHandler
    • The Resource-Server Filter
    • The ScopeVoter
    • The OAuth-Aware RestTemplate
    • AccessTokenProviders
    • The OAuth Redirecting Filter
Download conspect training as PDF

Additional information

  • Java programming: Course 103 is excellent preparation.
  • Experience with the Spring framework -- consider at Course 117 Introduction to Spring on Core Spring as a minimum, or Course 117A for an understanding of Spring MVC.
  • Basic knowledge of XML: Course 501 Introduction to XML.
  • Some servlets and/or JSP experience will be beneficial for purposes of understanding the impact of each security feature that we configure. There is no web-application coding involved in the course.
Difficulty level
Duration 4 days

The participants will obtain certificates signed by Capstone Courseware.


Authorized Capstone Courseware Trainer.

Other training Capstone Courseware | Source Frameworks

Training thematically related


IT Security


Contact form

Please fill form below to obtain more info about this training.

* Fields marked with (*) are required !!!

Information on data processing by Compendium - Centrum Edukacyjne Spółka z o.o.

940 EUR


Discount codes

Discount code may refer to (training, producer, deadline). If you have a discount code, enter it in the appropriate field.
(green means entering the correct code | red means the code is incorrect)



Traditional training

Sessions organised at Compendium CE are usually held in our locations in Kraków and Warsaw, but also in venues designated by the client. The group participating in training meets at a specific place and specific time with a coach and actively participates in laboratory sessions.

Dlearning training

You may participate from at any place in the world. It is sufficient to have a computer (or, actually a tablet, or smartphone) connected to the Internet. Compendium CE provides each Distance Learning training participant with adequate software enabling connection to the Data Center. For more information, please visit site



Paper materials

Traditional Materials: The price includes standard materials issued in the form of paper books, printed or other, depending on the arrangements with the manufacturer.

Ctab materials

Ctab materials: the price includes ctab tablet and electronic training materials or traditional training materials and supplies provided electronically according to manufacturer's specifications (in PDF or EPUB form). The materials provided are adapted for display on ctab tablets. For more information, check out the ctab website.



No deadlines for this training.

Suggest your own appointment

Upcoming Capstone Courseware training

Training schedule
Capstone Courseware