Course · Training · Workshop
Spring Security
Secure Spring Security 6 and 7 in modern Spring Boot architectures – from classic web apps to SPA + Backend-for-Frontend (BFF), with OAuth 2.0, OpenID Connect and Keycloak.
Spring Security is a powerful and highly customisable authentication and authorisation framework from the Spring ecosystem. It is the de facto standard for securing Spring-based applications – from classic MVC apps to APIs for Single Page Applications (SPA). As with all Spring projects, the real strength of Spring Security lies in its flexibility to adapt to individual security requirements. In this fully updated 2-day course you will learn step by step how to use Spring Security 6 and 7 in Spring and Spring Boot applications. We cover the core concepts such as the `SecurityFilterChain`, authorisation and method security, and place a strong focus on OAuth 2.0, OpenID Connect and the integration of identity providers (e.g. Keycloak). Another key topic is the design of modern security architectures for SPA + Backend-for-Frontend (BFF): how to handle tokens and sessions, how to use HttpOnly cookies correctly and how to protect your APIs in an identity-centric way. This course will equip you with the knowledge you need to secure your Spring-based applications effectively in real-world projects.
Trainers
What participants say






These customers booked courses in the same topic cluster.More customers →
Content
-
Modern security architecture with Spring Security 6 & 7
… - The importance of security in today’s web and cloud applications
… - The role of Spring Security within the Spring ecosystem
… - Key changes since Spring Security 5 (SecurityFilterChain, lambda DSL) -
Authentication and authorisation in Spring Security
… - The difference between authentication and authorisation
… - UnderstandingSecurityContext,AuthenticationandGrantedAuthority
… - Designing a clean role and permission model -
Configuring Spring Security
… - Java-based configuration usingSecurityFilterChain
… - URL/request-based authorisation with theAuthorizationManager(e.g.authorizeHttpRequests) on the HTTP endpoint level
… - Fine-grained method security with@PreAuthorizeetc. on the service layer -
User and identity management
… - Managing users via database backends or directory services (e.g. LDAP/Active Directory)
… -PasswordEncoderand modern hashing algorithms (e.g. bcrypt)
… - Working withUserDetailsand authorities -
Sessions, cookies and tokens
… - Session-based security vs. token-based approaches (JWT, opaque tokens)
… -HttpOnly,SameSite,Securecookies and why they matter
… - Understanding and correctly configuring CSRF protection -
OAuth 2.0 in Spring Security
… - Overview of OAuth 2.0: roles, flows and common use cases
… - Authorization Code Flow (with PKCE), Client Credentials, etc.
… - Using Spring Boot as OAuth2 client and resource server -
OpenID Connect & identity providers
… - OpenID Connect as an identity layer on top of OAuth 2.0
… - Understanding ID tokens, UserInfo endpoint, scopes and claims
… - Integrating an identity provider (e.g. Keycloak) for login and Single Sign-On (SSO) -
Patterns for SPA & APIs: Backend-for-Frontend (BFF)
… - Challenges of Angular/React SPAs (CORS, XSRF, token leakage)
… - BFF with sessions vs. BFF with tokens (e.g. JWT in HttpOnly cookies)
… - Practical implementation of a BFF using Spring Boot and Spring Security -
Migration and upgrade
… - Typical pitfalls when upgrading to Spring Security 6 and 7
… - Strategies for existing projects (legacy code vs. greenfield) -
Best practices and security tips
… - Defense in depth, least privilege, secure defaults
… - Detecting and avoiding common misconfigurations
… - Recommendations for production, monitoring and operations -
Q&A and closing discussion
We will focus on deepening and understanding a specific selection of topics and adjust the emphasis (e.g. more SPA/BFF vs. classic web apps) according to the participants’ needs.
The actual course content may differ from the above depending on the trainer, delivery, duration and the composition of participants.
Request this course in-house
Request a public date
No suitable public date? Register without obligation — once there is enough interest we schedule a new public date and let you know first.
More about Spring Security
The course content is continuously aligned with the current Spring Security releases (currently 6.x and 7.x). On request, we can also address specific questions from your projects during the course (e.g. migrating existing applications, integrating a particular identity provider or evaluating different BFF variants).Further resources:
History
Spring Security originated in 2003 as Acegi Security, developed by Ben Alex. The project was officially integrated into the Spring Portfolio in 2008 as Spring Security 2.0 and further developed by the Spring community under the leadership of Luke Taylor and Rob Winch.
The evolution of Spring Security went through several important milestones: version 3.x brought comprehensive annotation support, version 4.x introduced modern Java configuration, and version 5.x revolutionized the framework with OAuth 2.0/OpenID Connect integration and reactive programming. The current versions 6.x and 7.x focus on lambda DSL, SecurityFilterChain API, and improved observability.
Today, Spring Security is the de facto standard for security in JVM-based applications and is used by millions of developers worldwide. The framework has significantly shaped the development of modern security architectures and seamlessly supports cloud-native patterns, microservices architectures, and modern identity provider integrations such as Keycloak, Auth0, and Azure AD.

