AI Instructor Live Labs Included

Securing Spring Boot Applications

Secure a Spring Boot REST API through seven progressive layers: HTTP Basic, form login, JWT, RBAC, method security, OAuth2, and audit logging. Build a real Task Management API called Vaultly.

Advanced
1d 0h 25m
14 Lessons
SMU-JAVA-SEC
Spring Security and Authentication Badge


About This Course

Incrementally harden a Spring Boot Task Management API called Vaultly through seven security layers. You start with an unsecured CRUD API and progressively add HTTP Basic authentication, form-based login with database-backed users, stateless JWT token authentication, role-based access control (RBAC) with ADMIN and USER roles, method-level security using @PreAuthorize and @PostAuthorize with SpEL expressions, and OAuth2/OpenID Connect resource server configuration backed by Keycloak. The capstone adds a full audit trail that records every authentication success and failure event. By the end you will have a hardened, production-quality REST API that demonstrates every major Spring Security pattern.

Course Curriculum

14 Lessons
01
AI Lesson

Spring Security Architecture

1h 0m

The Spring Security filter chain, the SecurityFilterChain bean, DelegatingFilterProxy, authentication vs authorization, the Authentication object, SecurityContextHolder, and why Spring Boot's security auto-configuration is both helpful (every endpoint is locked behind a generated password before you write a line of configuration) and dangerous (it is silently replaced the moment you define your own SecurityFilterChain, so anything you forget to state is no longer enforced).

02
Lab Exercise

Security Architecture - Lab Exercises

2h 5m 4 Exercises

Add spring-boot-starter-security to Vaultly, define a SecurityFilterChain with HTTP Basic, configure InMemoryUserDetailsManager with BCrypt-encoded passwords, and verify all endpoints require authentication.

Add spring-boot-starter-security to pom.xml ~20 min
Create SecurityConfig with SecurityFilterChain ~20 min
Configure InMemoryUserDetailsManager with BCrypt Passwords ~20 min
Verify Authentication with curl ~20 min
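The four exercises above produce one configuration class. The listing below is an added example of what that class looks like, written for this page rather than taken from the course's lab solution. It assumes Spring Boot 3 / Spring Security 6, a hypothetical package name com.vaultly.config, and two demo users with made-up passwords. Because Basic credentials are re-sent on every request, the chain is made stateless and CSRF protection is switched off; the comment on that line says when to turn it back on.

```java
package com.vaultly.config; // hypothetical package name (assumption)

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // BCrypt at the default strength (10) is adequate for a lab; raise it
    // (new BCryptPasswordEncoder(12)) for production. Never store plaintext.
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Demo users for lab 02. The passwords are hashed at startup, so what the
    // manager holds is a salted BCrypt hash, not the clear text. Later labs replace
    // this bean with a database-backed UserDetailsService.
    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails alice = User.withUsername("alice")
                .password(encoder.encode("alice-pass"))   // demo credential (assumption)
                .roles("USER")                            // stored as authority ROLE_USER
                .build();
        UserDetails admin = User.withUsername("admin")
                .password(encoder.encode("admin-pass"))   // demo credential (assumption)
                .roles("USER", "ADMIN")
                .build();
        return new InMemoryUserDetailsManager(alice, admin);
    }

    // Declaring this bean replaces Spring Boot's auto-configured chain entirely:
    // only what is written here is enforced.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Every request must carry valid credentials; nothing is anonymous.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults())
            // No HTTP session is created; Basic credentials arrive on every request.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Without a session cookie there is nothing for CSRF to ride on. Re-enable
            // CSRF if cookie-based form login is added to this chain.
            .csrf(csrf -> csrf.disable());
        return http.build();
    }
}
```

To verify, call a protected endpoint three ways: with no credentials (`curl -i http://localhost:8080/api/tasks`), with a wrong password (`curl -i -u alice:wrong ...`) and with the demo password (`curl -i -u alice:alice-pass ...`). The first two must return 401 with a WWW-Authenticate header; only the third should reach the controller. The endpoint path is whatever Vaultly exposes; /api/tasks is an assumption.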
03
AI Lesson

Authentication — HTTP Basic and Form Login

1h 0m

When to use HTTP Basic vs form login, UserDetailsService contract, loading users from a database, BCryptPasswordEncoder, CSRF tokens, and session management.

04
Lab Exercise

Authentication - Lab Exercises

2h 5m 4 Exercises

Replace InMemoryUserDetailsManager with a database-backed CustomUserDetailsService, create the User entity with passwordHash, implement /auth/register with BCrypt encoding, and configure form login.

Create User.java Entity and UserRepository ~20 min
Implement CustomUserDetailsService ~20 min
Update SecurityConfig to Use CustomUserDetailsService ~20 min
Implement POST /auth/register and Test Authentication ~20 min
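The following is an added example covering this lab's four exercises, plus the role-loading change the RBAC lab asks for later, so that one listing serves both. It is not the course's own solution. It assumes Spring Data JPA, a hypothetical package com.vaultly.auth, a PasswordEncoder bean (the BCryptPasswordEncoder registered in SecurityConfig), and that POST /auth/register is permitted in the URL rules. The classes are shown in one listing for brevity; in the project each is its own public file.

```java
package com.vaultly.auth; // hypothetical package name (assumption)

import jakarta.persistence.*;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.*;

import java.util.Optional;

enum UserRole { USER, ADMIN }

// --- AppUser.java --- only the BCrypt hash is persisted, never the password itself.
@Entity
@Table(name = "app_user")
class AppUser {
    @Id @GeneratedValue(strategy = GenerationType.IDENTITY) Long id;
    @Column(nullable = false, unique = true) String username;
    @Column(nullable = false) String passwordHash;
    @Enumerated(EnumType.STRING) @Column(nullable = false) UserRole role = UserRole.USER;
}

// --- UserRepository.java ---
interface UserRepository extends JpaRepository<AppUser, Long> {
    Optional<AppUser> findByUsername(String username);
    boolean existsByUsername(String username);
}

// --- CustomUserDetailsService.java ---
@Service
class CustomUserDetailsService implements UserDetailsService {
    private final UserRepository users;
    CustomUserDetailsService(UserRepository users) { this.users = users; }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        AppUser u = users.findByUsername(username)
                // DaoAuthenticationProvider reports an unknown user and a wrong password
                // identically (BadCredentials), so the API does not reveal which usernames exist.
                .orElseThrow(() -> new UsernameNotFoundException("Bad credentials"));
        return User.withUsername(u.username)
                .password(u.passwordHash)   // already BCrypt-encoded; do not encode again
                .roles(u.role.name())       // becomes authority ROLE_USER or ROLE_ADMIN
                .build();
    }
}

// --- AuthController.java ---
@RestController
@RequestMapping("/auth")
class AuthController {
    record RegisterRequest(String username, String password) {}

    private final UserRepository users;
    private final PasswordEncoder encoder;   // BCryptPasswordEncoder bean from SecurityConfig
    AuthController(UserRepository users, PasswordEncoder encoder) {
        this.users = users;
        this.encoder = encoder;
    }

    @PostMapping("/register")
    ResponseEntity<Void> register(@RequestBody RegisterRequest req) {
        // Minimum length of 12 is a policy choice for this example (assumption).
        if (req.username() == null || req.username().isBlank()
                || req.password() == null || req.password().length() < 12) {
            return ResponseEntity.badRequest().build();
        }
        if (users.existsByUsername(req.username())) {
            return ResponseEntity.status(HttpStatus.CONFLICT).build();
        }
        AppUser u = new AppUser();
        u.username = req.username();
        u.passwordHash = encoder.encode(req.password()); // salted hash; plaintext is discarded here
        // The role is never taken from the request: self-registration always yields USER,
        // and ADMIN accounts are seeded or promoted out of band.
        users.save(u);
        return ResponseEntity.status(HttpStatus.CREATED).build();
    }
}
```

With this in place, registering a user (`curl -X POST -H 'Content-Type: application/json' -d '{"username":"bob","password":"correct-horse-battery"}' http://localhost:8080/auth/register`) and then authenticating as bob exercises the full path: the stored hash is loaded by CustomUserDetailsService and compared by BCryptPasswordEncoder.matches, which Spring Security calls for you.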
05
AI Lesson

JWT Token Authentication

1h 0m

Stateless vs stateful authentication, JWT structure (header.payload.signature), signing with HMAC-SHA256, the jjwt library, where to place the JwtAuthenticationFilter in the chain, token expiry, and keeping the signing secret long, random, and out of source control.

06
Lab Exercise

JWT - Lab Exercises

3h 5m 7 Exercises
Add jjwt Dependencies to pom.xml ~20 min
Configure JWT Properties in application.properties ~20 min
Implement JwtUtil for Token Generation and Validation ~20 min
Implement JwtAuthenticationFilter ~20 min
Update SecurityConfig with STATELESS Session and JWT Filter ~20 min
Implement POST /auth/login to Issue JWT Tokens ~20 min
Test JWT Authentication End-to-End with curl ~20 min
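The listing below is an added example of the JwtUtil and JwtAuthenticationFilter these exercises build; it is written for this page, not copied from the course. It assumes jjwt 0.12.x (jjwt-api, jjwt-impl, jjwt-jackson on the classpath), a hypothetical package com.vaultly.jwt, and two properties of my own naming: vaultly.jwt.secret (a Base64 string of at least 32 random bytes, e.g. from `openssl rand -base64 32`, supplied via the environment) and vaultly.jwt.ttl-seconds. The filter is deliberately not a @Component, so that Spring Boot does not also register it as a plain servlet filter outside the security chain.

```java
package com.vaultly.jwt; // hypothetical package name (assumption)

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.security.Keys;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.crypto.SecretKey;
import java.io.IOException;
import java.time.Instant;
import java.util.Date;
import java.util.List;

// --- JwtUtil.java ---
@Component
class JwtUtil {
    private final SecretKey key;
    private final long ttlSeconds;

    // Keys.hmacShaKeyFor refuses keys shorter than 256 bits, so a weak secret fails at startup
    // rather than at the first forged token.
    JwtUtil(@Value("${vaultly.jwt.secret}") String base64Secret,
            @Value("${vaultly.jwt.ttl-seconds:900}") long ttlSeconds) {
        this.key = Keys.hmacShaKeyFor(Decoders.BASE64.decode(base64Secret));
        this.ttlSeconds = ttlSeconds;
    }

    String issue(String username, List<String> authorities) {
        Instant now = Instant.now();
        return Jwts.builder()
                .subject(username)
                .claim("roles", authorities)                            // e.g. ["ROLE_USER"]
                .issuedAt(Date.from(now))
                .expiration(Date.from(now.plusSeconds(ttlSeconds)))    // short-lived by design
                .signWith(key, Jwts.SIG.HS256)
                .compact();
    }

    // Verifies the HMAC and the exp claim. Anything invalid (expired, tampered, wrong
    // algorithm, malformed) surfaces as a JwtException; the caller treats all of them alike.
    Claims verify(String token) {
        return Jwts.parser().verifyWith(key).build().parseSignedClaims(token).getPayload();
    }
}

// --- JwtAuthenticationFilter.java --- created in SecurityConfig with
//     new JwtAuthenticationFilter(jwtUtil) and registered via
//     http.addFilterBefore(filter, UsernamePasswordAuthenticationFilter.class)
class JwtAuthenticationFilter extends OncePerRequestFilter {
    private final JwtUtil jwt;
    JwtAuthenticationFilter(JwtUtil jwt) { this.jwt = jwt; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            try {
                Claims claims = jwt.verify(header.substring("Bearer ".length()));
                @SuppressWarnings("unchecked")
                List<String> roles = claims.get("roles", List.class);
                var auth = new UsernamePasswordAuthenticationToken(
                        claims.getSubject(), null,
                        (roles == null ? List.<String>of() : roles).stream()
                                .map(SimpleGrantedAuthority::new).toList());
                auth.setDetails(new WebAuthenticationDetailsSource().buildDetails(req));
                SecurityContextHolder.getContext().setAuthentication(auth);
            } catch (JwtException | IllegalArgumentException e) {
                // Invalid token: leave the context empty so the authorization rules answer
                // 401, and do not echo the parser's reason back to the client.
                SecurityContextHolder.clearContext();
            }
        }
        chain.doFilter(req, res);
    }
}
```

SecurityConfig then sets SessionCreationPolicy.STATELESS, permits POST /auth/login, and adds the filter before UsernamePasswordAuthenticationFilter. The /auth/login handler authenticates the submitted username and password through the AuthenticationManager and, on success, returns jwtUtil.issue(name, authorities) to the client. An end-to-end check is: log in with curl, copy the token, call a protected endpoint with `-H "Authorization: Bearer <token>"`, then repeat with a single character of the signature altered and with a token older than the TTL; both of the latter must come back 401.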
07
AI Lesson

Role-Based Access Control

1h 0m

GrantedAuthority, roles vs authorities in Spring Security (hasRole("ADMIN") matches the authority ROLE_ADMIN, while hasAuthority() does no prefixing), requestMatchers with hasRole(), @Secured, @RolesAllowed, and seeding roles correctly.

08
Lab Exercise

RBAC - Lab Exercises

2h 45m 6 Exercises
Create the UserRole Enum ~20 min
Add Role Field to AppUser and Update UserRepository ~20 min
Update CustomUserDetailsService to Load Roles ~20 min
Configure Role-Based URL Authorization in SecurityConfig ~20 min
Create AdminController with GET /admin/users ~20 min
Seed Multi-Role Users in data.sql and Verify End-to-End RBAC ~20 min
09
AI Lesson

Method-Level Security

1h 0m

@EnableMethodSecurity, @PreAuthorize with SpEL expressions, @PostAuthorize for ownership checks, @PreFilter/@PostFilter, accessing the principal in SpEL, and why method security complements URL security.

10
Lab Exercise

Method-Level Security - Lab Exercises

2h 45m 6 Exercises
Enable Method Security in SecurityConfig ~20 min
Add ownerUsername Field to Task Entity ~20 min
Set ownerUsername on Task Creation in TaskController ~20 min
Add @PreAuthorize to TaskService for Admin Operations ~20 min
Add @PostAuthorize for Ownership-Based Task Access ~20 min
Verify Method-Level Security with curl ~20 min
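The two layers from the RBAC lab and this one fit together as in the added example below, which is mine rather than the course's solution. It assumes a hypothetical package com.vaultly.task, shows the authorization part of SecurityConfig as its own class, and replaces the JPA repository with an in-memory map so the service logic is visible without a database. The SpEL `#id` parameter reference relies on the `-parameters` compiler flag, which Spring Boot's Maven and Gradle plugins set by default.

```java
package com.vaultly.task; // hypothetical package name (assumption)

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

import java.util.List;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;

// --- SecurityConfig.java (authorization rules) --- the coarse, URL-level outer layer.
@Configuration
@EnableMethodSecurity   // enables @PreAuthorize/@PostAuthorize (prePostEnabled defaults to true)
class AuthorizationConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.POST, "/auth/register", "/auth/login").permitAll()
                // hasRole("ADMIN") matches the authority "ROLE_ADMIN"; hasAuthority("ADMIN") would not.
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .requestMatchers("/api/tasks/**").hasAnyRole("USER", "ADMIN")
                // Fail closed: anything not listed above still needs a logged-in caller.
                .anyRequest().authenticated());
        // ... stateless session policy and the JWT filter from the earlier labs go here
        return http.build();
    }
}

// --- Task.java --- a record stands in for the entity; ownerUsername is the field lab 10 adds.
record Task(Long id, String title, String ownerUsername) {}

// --- TaskService.java --- the fine-grained inner layer. These checks hold even if a task is
// reached through a URL the request rules did not anticipate.
@Service
class TaskService {
    private final Map<Long, Task> store = new ConcurrentHashMap<>(); // stand-in for the repository
    private final AtomicLong ids = new AtomicLong();

    // The controller passes authentication.getName() as the owner. It is never read from
    // the request body, so a client cannot create a task on behalf of another user.
    @PreAuthorize("isAuthenticated()")
    public Task create(String title, String ownerUsername) {
        Task t = new Task(ids.incrementAndGet(), title, ownerUsername);
        store.put(t.id(), t);
        return t;
    }

    // Evaluated after the method, against the object it returned: the caller must own the
    // task or be an admin. A foreign task is loaded but the caller receives 403, not the task.
    @PostAuthorize("returnObject.ownerUsername() == authentication.name or hasRole('ADMIN')")
    public Task getById(Long id) {
        Task t = store.get(id);
        if (t == null) throw new NoSuchElementException("task " + id);
        return t;
    }

    // Pre-check for a destructive operation: a non-owner never reaches the body.
    // "@taskService" is a SpEL bean reference to this service (default bean name).
    @PreAuthorize("hasRole('ADMIN') or @taskService.isOwner(#id, authentication.name)")
    public void delete(Long id) {
        store.remove(id);
    }

    public boolean isOwner(Long id, String username) {
        Task t = store.get(id);
        return t != null && username.equals(t.ownerUsername());
    }

    // Same condition the URL layer applies to /admin/**, repeated here so the service is
    // safe no matter which controller calls it.
    @PreAuthorize("hasRole('ADMIN')")
    public List<Task> listAll() {
        return List.copyOf(store.values());
    }
}
```

To verify with curl: create a task as alice, fetch it as bob (expect 403 from the @PostAuthorize check even though /api/tasks/{id} is allowed for USER at the URL layer), fetch it as admin (200), and try DELETE as bob (403 before the body runs). Method security throws AccessDeniedException; Spring Security's ExceptionTranslationFilter turns that into the 403 response.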
11
AI Lesson

OAuth2 and OpenID Connect

1h 0m

OAuth2 flows (authorization code, client credentials), OpenID Connect ID tokens, JWT validation in a resource server, spring-boot-starter-oauth2-resource-server, jwk-set-uri vs issuer-uri, and mapping scopes to SCOPE_ authorities.

12
Lab Exercise

OAuth2 Resource Server - Lab Exercises

2h 45m 6 Exercises
Add oauth2-resource-server Dependency to pom.xml ~20 min
Configure issuer-uri in application.properties ~20 min
Implement JwtAuthenticationConverter for Keycloak Roles ~20 min
Update SecurityConfig to Use oauth2ResourceServer() ~20 min
Start Keycloak with Docker and Create Test Realm ~20 min
Obtain a Keycloak Token and Test Vaultly as Resource Server ~20 min
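As an added example of exercises 2 to 4 (not the course's own code), the class below wires Vaultly as a resource server and maps Keycloak's realm roles onto the ROLE_ authorities the earlier rules already use. Assumptions: a hypothetical package com.vaultly.oauth2, a Keycloak dev container on port 8180 with a realm named vaultly, and that the realm roles are named to match the existing USER/ADMIN roles.

```java
package com.vaultly.oauth2; // hypothetical package name (assumption)

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Map;

@Configuration
class ResourceServerConfig {

    // application.properties (issuer and port are assumptions for a local Keycloak):
    //   spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8180/realms/vaultly
    // At startup Spring reads <issuer>/.well-known/openid-configuration, takes jwks_uri from it,
    // and from then on checks each token's signature against those keys and its "iss" claim
    // against this exact string (scheme, host, port and path must match byte for byte).

    @Bean
    Converter<Jwt, AbstractAuthenticationToken> keycloakJwtAuthenticationConverter() {
        // Default mapping of the "scope" claim to SCOPE_... authorities is kept.
        JwtGrantedAuthoritiesConverter scopes = new JwtGrantedAuthoritiesConverter();

        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(jwt -> {
            Collection<GrantedAuthority> authorities = new ArrayList<>(scopes.convert(jwt));
            // Keycloak issues realm roles as {"realm_access":{"roles":["ADMIN", ...]}}.
            Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access");
            if (realmAccess != null && realmAccess.get("roles") instanceof Collection<?> roles) {
                for (Object role : roles) {
                    // Prefix with ROLE_ so hasRole("ADMIN") in the existing rules keeps working.
                    authorities.add(new SimpleGrantedAuthority("ROLE_" + role));
                }
            }
            return authorities;
        });
        // Use preferred_username as authentication.name; the default principal is the opaque "sub".
        converter.setPrincipalClaimName("preferred_username");
        return converter;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
                                    Converter<Jwt, AbstractAuthenticationToken> converter) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                    .requestMatchers("/admin/**").hasRole("ADMIN")
                    .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2
                    .jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));
        // The hand-rolled HS256 JwtAuthenticationFilter is removed here: Keycloak signs with
        // RS256 and the resource server rejects anything its JWK set cannot verify.
        return http.build();
    }
}
```

For exercise 6, a token for a realm user can be fetched from Keycloak's token endpoint with the password grant (`curl -d grant_type=password -d client_id=vaultly-api -d username=alice -d password=... http://localhost:8180/realms/vaultly/protocol/openid-connect/token`, with the client id and credentials being assumptions and Direct Access Grants enabled on that client), then sent to Vaultly as a Bearer header. A token from a different realm, or one whose iss differs from the configured issuer-uri by so much as a trailing slash, must be rejected with 401.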
13
AI Lesson

Capstone Briefing: Vaultly Security Audit

30m
14
Lab Exercise

Capstone Project: Implement Vaultly Audit Logging

2h 25m 5 Exercises
Create AuditLog Entity and AuditRepository ~20 min
Implement AuditService ~20 min
Implement AuthEventListener for Security Events ~20 min
Add GET /admin/audit-log Endpoint to AdminController ~20 min
Verify the Complete Audit Logging System End-to-End ~20 min
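An added example of the capstone's five pieces, written for this page rather than taken from the course: entity, repository, service, event listener and admin endpoint, in one listing under a hypothetical package com.vaultly.audit. It assumes Spring Data JPA and Spring Boot's auto-registered DefaultAuthenticationEventPublisher, which makes the ProviderManager publish AuthenticationSuccessEvent and AbstractAuthenticationFailureEvent for Basic, form and database-backed logins. A custom filter that sets the SecurityContext itself (as a hand-rolled JWT filter does) bypasses that pipeline and must call the audit service directly if its outcomes are to be recorded.

```java
package com.vaultly.audit; // hypothetical package name (assumption)

import com.fasterxml.jackson.annotation.JsonAutoDetect;
import jakarta.persistence.*;
import org.springframework.context.event.EventListener;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Propagation;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import java.time.Instant;
import java.util.List;

// --- AuditLog.java --- append-only record of authentication outcomes.
@Entity
@Table(name = "audit_log")
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY) // serialize fields without getters
class AuditLog {
    @Id @GeneratedValue(strategy = GenerationType.IDENTITY) Long id;
    @Column(nullable = false) Instant timestamp;
    @Column(nullable = false) String principal;   // username as submitted; on failures it may be an attacker's guess
    @Column(nullable = false) String outcome;     // "SUCCESS" or "FAILURE"
    String failureReason;                         // exception class name only, never its message
    String remoteAddress;
}

// --- AuditRepository.java ---
interface AuditRepository extends JpaRepository<AuditLog, Long> {
    List<AuditLog> findTop100ByOrderByTimestampDesc();
}

// --- AuditService.java ---
@Service
class AuditService {
    private final AuditRepository repo;
    AuditService(AuditRepository repo) { this.repo = repo; }

    // REQUIRES_NEW: the audit row is committed even if an enclosing transaction rolls back.
    @Transactional(propagation = Propagation.REQUIRES_NEW)
    public AuditLog record(Authentication auth, String outcome, Exception failure) {
        AuditLog entry = new AuditLog();
        entry.timestamp = Instant.now();
        entry.principal = String.valueOf(auth.getName());
        entry.outcome = outcome;
        entry.failureReason = failure == null ? null : failure.getClass().getSimpleName();
        if (auth.getDetails() instanceof WebAuthenticationDetails web) {
            entry.remoteAddress = web.getRemoteAddress();
        }
        // Deliberately not stored: auth.getCredentials(). On a failed login that is the
        // submitted password, and audit tables are read far more widely than password stores.
        return repo.save(entry);
    }
}

// --- AuthEventListener.java ---
@Component
class AuthEventListener {
    private final AuditService audit;
    AuthEventListener(AuditService audit) { this.audit = audit; }

    @EventListener
    public void onSuccess(AuthenticationSuccessEvent e) {
        audit.record(e.getAuthentication(), "SUCCESS", null);
    }

    // Covers BadCredentials, UsernameNotFound (when not hidden), Locked, Disabled, Expired...
    @EventListener
    public void onFailure(AbstractAuthenticationFailureEvent e) {
        audit.record(e.getAuthentication(), "FAILURE", e.getException());
    }
}

// --- AdminController.java (audit part) ---
@RestController
@RequestMapping("/admin")
class AuditController {
    private final AuditRepository repo;
    AuditController(AuditRepository repo) { this.repo = repo; }

    @GetMapping("/audit-log")
    @PreAuthorize("hasRole('ADMIN')")   // defence in depth on top of the /admin/** URL rule
    List<AuditLog> latest() {
        return repo.findTop100ByOrderByTimestampDesc();
    }
}
```

End-to-end check: make one successful login and one with a wrong password, then call GET /admin/audit-log as admin and confirm two rows, the failure carrying BadCredentialsException as its reason and no password anywhere in the payload. Calling the same endpoint as a USER must return 403.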

This course includes:

  • 24/7 AI Instructor Support
  • Live Lab Environments
  • 7 Hands-on Lab Lessons
  • 6 Months Access
  • Completion Badge
  • Certificate of Completion

Earn Your Badge

Complete all lessons to unlock the Spring Security and Authentication achievement badge.

Skill Level Advanced
Total Duration 1d 0h 25m

Spring Security and Authentication

Awarded for completing the Spring Security course, demonstrating mastery of authentication, JWT tokens, OAuth2, and role-based access control in Spring applications.

Course Securing Spring Boot Applications
Criteria Complete all lessons and pass assessments in the Spring Security and Authentication course.
Valid For 730 days

Skills You'll Earn

Spring Security, JWT, OAuth2, Authentication, Authorization, Security Best Practices
