Course · Training · Workshop

Spring Security

Secure Spring Security 6 and 7 in modern Spring Boot architectures – from classic web apps to SPA + Backend-for-Frontend (BFF), with OAuth 2.0, OpenID Connect and Keycloak.

Spring Security is a powerful and highly customisable authentication and authorisation framework from the Spring ecosystem. It is the de facto standard for securing Spring-based applications – from classic MVC apps to APIs for Single Page Applications (SPA). As with all Spring projects, the real strength of Spring Security lies in its flexibility to adapt to individual security requirements. In this fully updated 2-day course you will learn step by step how to use Spring Security 6 and 7 in Spring and Spring Boot applications. We cover the core concepts such as the `SecurityFilterChain`, authorisation and method security, and place a strong focus on OAuth 2.0, OpenID Connect and the integration of identity providers (e.g. Keycloak). Another key topic is the design of modern security architectures for SPA + Backend-for-Frontend (BFF): how to handle tokens and sessions, how to use HttpOnly cookies correctly and how to protect your APIs in an identity-centric way. This course will equip you with the knowledge you need to secure your Spring-based applications effectively in real-world projects.

What participants say

These customers booked courses in the same topic cluster.More customers →

Content

  • Modern security architecture with Spring Security 6 & 7
    … - The importance of security in today’s web and cloud applications
    … - The role of Spring Security within the Spring ecosystem
    … - Key changes since Spring Security 5 (SecurityFilterChain, lambda DSL)

  • Authentication and authorisation in Spring Security
    … - The difference between authentication and authorisation
    … - Understanding SecurityContext, Authentication and GrantedAuthority
    … - Designing a clean role and permission model

  • Configuring Spring Security
    … - Java-based configuration using SecurityFilterChain
    … - URL/request-based authorisation with the AuthorizationManager (e.g. authorizeHttpRequests) on the HTTP endpoint level
    … - Fine-grained method security with @PreAuthorize etc. on the service layer

  • User and identity management
    … - Managing users via database backends or directory services (e.g. LDAP/Active Directory)
    … - PasswordEncoder and modern hashing algorithms (e.g. bcrypt)
    … - Working with UserDetails and authorities

  • Sessions, cookies and tokens
    … - Session-based security vs. token-based approaches (JWT, opaque tokens)
    … - HttpOnly, SameSite, Secure cookies and why they matter
    … - Understanding and correctly configuring CSRF protection

  • OAuth 2.0 in Spring Security
    … - Overview of OAuth 2.0: roles, flows and common use cases
    … - Authorization Code Flow (with PKCE), Client Credentials, etc.
    … - Using Spring Boot as OAuth2 client and resource server

  • OpenID Connect & identity providers
    … - OpenID Connect as an identity layer on top of OAuth 2.0
    … - Understanding ID tokens, UserInfo endpoint, scopes and claims
    … - Integrating an identity provider (e.g. Keycloak) for login and Single Sign-On (SSO)

  • Patterns for SPA & APIs: Backend-for-Frontend (BFF)
    … - Challenges of Angular/React SPAs (CORS, XSRF, token leakage)
    … - BFF with sessions vs. BFF with tokens (e.g. JWT in HttpOnly cookies)
    … - Practical implementation of a BFF using Spring Boot and Spring Security

  • Migration and upgrade
    … - Typical pitfalls when upgrading to Spring Security 6 and 7
    … - Strategies for existing projects (legacy code vs. greenfield)

  • Best practices and security tips
    … - Defense in depth, least privilege, secure defaults
    … - Detecting and avoiding common misconfigurations
    … - Recommendations for production, monitoring and operations

  • Q&A and closing discussion

We will focus on deepening and understanding a specific selection of topics and adjust the emphasis (e.g. more SPA/BFF vs. classic web apps) according to the participants’ needs.

The actual course content may differ from the above depending on the trainer, delivery, duration and the composition of participants.

Request this course in-house

By submitting you accept our Privacy Policy.

Request a public date

No suitable public date? Register without obligation — once there is enough interest we schedule a new public date and let you know first.

Number of participants (approx.)

More than 3 participants? Best to request a dedicated in-house date directly.

By submitting you accept our Privacy Policy.

More about Spring Security

The course content is continuously aligned with the current Spring Security releases (currently 6.x and 7.x). On request, we can also address specific questions from your projects during the course (e.g. migrating existing applications, integrating a particular identity provider or evaluating different BFF variants).

Further resources:

History

Spring Security originated in 2003 as Acegi Security, developed by Ben Alex. The project was officially integrated into the Spring Portfolio in 2008 as Spring Security 2.0 and further developed by the Spring community under the leadership of Luke Taylor and Rob Winch.

The evolution of Spring Security went through several important milestones: version 3.x brought comprehensive annotation support, version 4.x introduced modern Java configuration, and version 5.x revolutionized the framework with OAuth 2.0/OpenID Connect integration and reactive programming. The current versions 6.x and 7.x focus on lambda DSL, SecurityFilterChain API, and improved observability.

Today, Spring Security is the de facto standard for security in JVM-based applications and is used by millions of developers worldwide. The framework has significantly shaped the development of modern security architectures and seamlessly supports cloud-native patterns, microservices architectures, and modern identity provider integrations such as Keycloak, Auth0, and Azure AD.