OLHub

Spring Security basics

Filter chain architecture, the Spring 6 SecurityFilterChain DSL, UserDetailsService + BCrypt, JWT authentication, method security with @PreAuthorize, CORS/CSRF. TaskFlow v3: protecting the API with JWT + role-based access control.

7 lessons · ~191 min · Free

Contents

Lesson list

  1. 01

    Spring Security architecture — Filter chain, AuthenticationManager, SecurityContext

    Spring Security is a servlet filter chain with 15+ filters. This lesson breaks down FilterChainProxy, DelegatingFilterProxy, SecurityFilterChain, the AuthenticationManager flow, the SecurityContextHolder ThreadLocal, the Authentication object, GrantedAuthority and AccessDecisionManager. Understand the architecture before the syntax.

    ~26 min
  2. 02

    SecurityFilterChain DSL — configuring Spring Security 6 in lambda style

    Spring Security 6 uses a SecurityFilterChain bean plus the lambda DSL. This lesson breaks down the HttpSecurity API, requestMatchers, authorizeHttpRequests, multiple SecurityFilterChain beans with @Order, securityMatcher, ignoring static resources, exceptionHandling, sessionManagement and headers.

    ~24 min
  3. 03

    Form login & Basic auth — UserDetailsService, BCrypt, DaoAuthenticationProvider

    Form login flow internals, implementing UserDetailsService, password encoding with BCrypt + Argon2, DaoAuthenticationProvider, in-memory vs DB user store, password upgrade strategy, account lock/expiry, session fixation.

    ~24 min
  4. 04

    JWT authentication — stateless auth, signing, refresh token

    JWT structure (header.payload.signature), HS256 vs RS256, signing/validation, Spring Security oauth2ResourceServer, custom JwtAuthenticationConverter, refresh token pattern, token revocation, security pitfalls (the `none` algorithm, key leakage).

    ~26 min
  5. 05

    Method security — @PreAuthorize, @PostAuthorize, @Secured

    Method-level security with @EnableMethodSecurity. This lesson breaks down @PreAuthorize SpEL syntax, @PostAuthorize, @Secured, custom PermissionEvaluator, ownership checks (project owner only), per-method authorization vs URL-based authorization, and testing with @WithMockUser.

    ~22 min
  6. 06

    CORS & CSRF — configuration + best practices

    CORS keeps the browser from reading cross-origin responses; CSRF protection stops session-based auth from being ridden. This lesson breaks down the same-origin policy per RFC 6454, the preflight OPTIONS request and its caching, allowedOrigins/Methods/Headers/Credentials, the Synchronizer Token Pattern, Double-Submit Cookie, SameSite cookies, when to disable CSRF (stateless REST API) and when to enable it (browser session).

    ~24 min
  7. 07

    Mini-challenge: TaskFlow v3 — JWT + role-based access control

    Migrate TaskFlow from Module 04 (JPA + Postgres) to Module 05: protect it with Spring Security JWT, role-based authorization (USER/MANAGER/ADMIN), ownership checks, register/login/refresh/logout endpoints, integration tests with @WithMockUser, and a secured Actuator.

    ~45 min