Spring Security

Course & Training

Join our 2-day hands-on course and learn how to use Spring Security 6 and 7 in modern Spring Boot architectures – from classic web applications to SPA + Backend-for-Frontend (BFF). We cover the fundamentals, dive deep into OAuth 2.0 and OpenID Connect, compare token- and session-based security and demonstrate best practices for integrating identity providers such as Keycloak.

Spring Security is a powerful and highly customisable authentication and authorisation framework from the Spring ecosystem. It is the de facto standard for securing Spring-based applications – from classic MVC apps to APIs for Single Page Applications (SPA). As with all Spring projects, the real strength of Spring Security lies in its flexibility to adapt to individual security requirements.

In this fully updated 2-day course you will learn step by step how to use Spring Security 6 and 7 in Spring and Spring Boot applications. We cover the core concepts such as the `SecurityFilterChain`, authorisation and method security, and place a strong focus on OAuth 2.0, OpenID Connect and the integration of identity providers (e.g. Keycloak).

Another key topic is the design of modern security architectures for SPA + Backend-for-Frontend (BFF): how to handle tokens and sessions, how to use HttpOnly cookies correctly and how to protect your APIs in an identity-centric way. This course will equip you with the knowledge you need to secure your Spring-based applications effectively in real-world projects.

In-House Course:

We are happy to conduct tailored courses for your team - on-site, remotely or in our course rooms.


Rolf Jufer

Content:


- Modern security architecture with Spring Security 6 & 7
  - The importance of security in today's web and cloud applications
  - The role of Spring Security within the Spring ecosystem
  - Key changes since Spring Security 5 (`SecurityFilterChain`, lambda DSL)

- Authentication and authorisation in Spring Security
  - The difference between authentication and authorisation
  - Understanding `SecurityContext`, `Authentication` and `GrantedAuthority`
  - Designing a clean role and permission model

- Configuring Spring Security
  - Java-based configuration using `SecurityFilterChain`
  - URL/request-based authorisation with the `AuthorizationManager` (e.g. `authorizeHttpRequests`) on the HTTP endpoint level
  - Fine-grained method security with `@PreAuthorize` etc. on the service layer

- User and identity management
  - Managing users via database backends or directory services (e.g. LDAP/Active Directory)
  - `PasswordEncoder` and modern hashing algorithms (e.g. bcrypt)
  - Working with `UserDetails` and authorities

- Sessions, cookies and tokens
  - Session-based security vs. token-based approaches (JWT, opaque tokens)
  - `HttpOnly`, `SameSite`, `Secure` cookies and why they matter
  - Understanding and correctly configuring CSRF protection

- OAuth 2.0 in Spring Security
  - Overview of OAuth 2.0: roles, flows and common use cases
  - Authorization Code Flow (with PKCE), Client Credentials, etc.
  - Using Spring Boot as OAuth2 client and resource server

- OpenID Connect & identity providers
  - OpenID Connect as an identity layer on top of OAuth 2.0
  - Understanding ID tokens, UserInfo endpoint, scopes and claims
  - Integrating an identity provider (e.g. Keycloak) for login and Single Sign-On (SSO)

- Patterns for SPA & APIs: Backend-for-Frontend (BFF)
  - Challenges of Angular/React SPAs (CORS, XSRF, token leakage)
  - BFF with sessions vs. BFF with tokens (e.g. JWT in HttpOnly cookies)
  - Practical implementation of a BFF using Spring Boot and Spring Security

- Migration and upgrade
  - Typical pitfalls when upgrading to Spring Security 6 and 7
  - Strategies for existing projects (legacy code vs. greenfield)

- Best practices and security tips
  - Defense in depth, least privilege, secure defaults
  - Detecting and avoiding common misconfigurations
  - Recommendations for production, monitoring and operations

- Q&A and closing discussion
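To make the "Configuring Spring Security", "User and identity management" and "Sessions, cookies and tokens" topics above concrete, here is an added example of a minimal Spring Security 6 configuration in the lambda DSL style. It is illustrative code written for this page, not material from the course or from the Spring Security project. The URL paths, the `ReportService` class and the in-memory users are assumptions made for the example; a real application would back `UserDetailsService` with a database or LDAP as the outline describes.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity   // activates @PreAuthorize on the service layer
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // URL-level authorisation: rules are evaluated top to bottom and the
            // first matching rule wins, so specific paths come before anyRequest().
            // The paths below are assumptions for this example.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/actuator/health").permitAll()
                .requestMatchers("/api/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            // CSRF protection stays enabled (the framework default). A frequent
            // misconfiguration is .csrf(csrf -> csrf.disable()) "to make the SPA
            // work"; with cookie-based sessions that removes the protection entirely.
            .csrf(Customizer.withDefaults())
            .formLogin(Customizer.withDefaults())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        // bcrypt: adaptive work factor and a per-password salt; never store plaintext.
        return new BCryptPasswordEncoder();
    }

    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        // Constructed demo users held in memory; a real deployment uses a database
        // or LDAP/Active Directory backend instead.
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password(encoder.encode("alice-demo")).roles("USER").build(),
            User.withUsername("admin").password(encoder.encode("admin-demo")).roles("USER", "ADMIN").build());
    }
}

// Hypothetical service showing the second authorisation layer (defense in depth):
// even if a URL rule were too permissive, the method rule still denies access.
@Service
class ReportService {

    // Allowed for admins, or for the user whose own report is requested.
    @PreAuthorize("hasRole('ADMIN') or #ownerName == authentication.name")
    public String loadReport(String ownerName) {
        return "report for " + ownerName;
    }
}
```

The session cookie attributes the outline lists are not set in this class but through Spring Boot properties, for example `server.servlet.session.cookie.secure=true` and `server.servlet.session.cookie.same-site=lax` (`http-only` is already `true` by default). Running the application with these beans, an unauthenticated request to `/api/admin/stats` is redirected to login, and `alice` calling `loadReport("bob")` receives an `AccessDeniedException` from the method rule regardless of the URL rules.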

We will focus on deepening and understanding a specific selection of topics and adjust the emphasis (e.g. more SPA/BFF vs. classic web apps) according to the participants’ needs.


Disclaimer: The actual course content may vary from the above, depending on the trainer, implementation, duration and composition of the participant group.

Whether we call it training, course, workshop or seminar, we want to meet participants where they are and equip them with the practical knowledge they need to apply the technology directly after the training and deepen it independently.

Goal:

This 2-day course on Spring Security 6 and 7 will give participants a solid understanding of modern security concepts in Spring applications. After the course, you will be able to

- apply basic and advanced security mechanisms of Spring Security with confidence,
- understand when to use sessions, cookies and tokens (e.g. JWT),
- integrate OAuth 2.0 and OpenID Connect with identity providers such as Keycloak into Spring Boot applications, and
- design and implement appropriate security architectures for classic web apps, APIs and SPA + Backend-for-Frontend (BFF) scenarios.

The course has a strong practical focus so that you can directly apply what you have learned to your own projects and migrate existing solutions to Spring Security 6 or 7.


Duration:

2 days (adapted individually for in-house courses).


Form:

A proven mix of concepts, live coding and collaboration on a coherent sample application (Spring Boot API plus optional SPA + BFF). Short theory segments are immediately followed by hands-on coding and discussion, always geared towards the efficient use of Spring Security in real-life projects and production.


Target Audience:

The target audience of this course are software developers, system architects and IT professionals who want to deepen their knowledge in application security with a focus on Spring Security. The course is designed for participants

- who already have experience in developing Spring or Java applications and
- who want to understand and implement modern security architectures with OAuth 2.0, OpenID Connect and SPA/BFF patterns (e.g. for Angular/React frontends).


Requirements:

Experience in the development of Spring or Java applications. Basic knowledge of HTTP, REST and JSON is required. Initial exposure to security topics (e.g. authentication, roles, sessions) is helpful but not strictly mandatory.


Preparation:

Each participant receives a questionnaire and installation instructions after registration. Based on the answers we provide individual feedback. In addition, we share an overview of the required tools and versions (e.g. JDK, Spring Boot, IDE) before the course.


Waitinglist for public course:

Sign up for the waiting list for more public course dates. Once we have enough people on the waiting list, we will determine a date that suits everyone as much as possible and schedule a new session. If you want to participate directly with two colleagues, we can even plan a public course specifically for you.


(If you already have 3 or more participants, we will discuss your preferred date directly with you and announce the course.)

More about Spring Security



The course content is continuously aligned with the current Spring Security releases (currently 6.x and 7.x). On request, we can also address specific questions from your projects during the course (e.g. migrating existing applications, integrating a particular identity provider or evaluating different BFF variants).




History


Spring Security originated in 2003 as Acegi Security, developed by Ben Alex. The project was officially integrated into the Spring Portfolio in 2008 as Spring Security 2.0 and further developed by the Spring community under the leadership of Luke Taylor and Rob Winch.


The evolution of Spring Security went through several important milestones: version 3.x brought comprehensive annotation support, version 4.x introduced modern Java configuration, and version 5.x revolutionized the framework with OAuth 2.0/OpenID Connect integration and reactive programming. The current versions 6.x and 7.x focus on lambda DSL, SecurityFilterChain API, and improved observability.


Today, Spring Security is the de facto standard for security in JVM-based applications and is used by millions of developers worldwide. The framework has significantly shaped the development of modern security architectures and seamlessly supports cloud-native patterns, microservices architectures, and modern identity provider integrations such as Keycloak, Auth0, and Azure AD.