Spring Security

  1. Web Security Configuration
    1. Component-Based Configuration
      1. Defining `SecurityFilterChain` as a `@Bean`
      2. Java Configuration Approach
      3. Multiple Filter Chains
        1. Filter Chain Ordering
      4. Configuration Method Chaining
        1. Conditional Configuration
  2. Protection Against Common Vulnerabilities
    1. Cross-Site Request Forgery (CSRF)
      1. How CSRF Protection Works
        1. CSRF Tokens
          1. Token Validation Process
          2. Token Storage
        2. Synchronizer Token Pattern
          1. Implementation Details
            1. Token Generation
            2. Token Verification
      2. Configuration and Customization
        1. Enabling CSRF Protection
        2. Disabling CSRF Protection
        3. Custom CSRF Token Repository
        4. CSRF Request Matcher
        5. CSRF Failure Handler
    2. Session Management
      1. Session Fixation Protection
        1. Session Regeneration Strategies
          1. Migration Strategy
          2. New Session Strategy
          3. Change Session ID Strategy
      2. Concurrent Session Control
        1. Limiting Concurrent Sessions
        2. Session Registry
        3. Session Expiry Handling
          1. Expired Session Strategy
      3. Session Timeout Configuration
        1. Session Timeout Settings
        2. Inactivity Timeout
        3. Custom Session Timeout Handler
      4. Session Creation Policy
        1. Always Create
        2. If Required
        3. Never Create
        4. Stateless
    3. Security HTTP Response Headers
      1. Content Security Policy (CSP)
        1. Defining Allowed Content Sources
        2. Mitigating XSS Attacks
        3. CSP Directives
        4. Report-Only Mode
      2. HTTP Strict Transport Security (HSTS)
        1. Enforcing HTTPS
        2. Max Age Configuration
        3. Include Subdomains
        4. Preload Configuration
      3. X-Content-Type-Options
        1. Preventing MIME Type Sniffing
        2. No Sniff Directive
      4. X-XSS-Protection
        1. Browser-Based XSS Protection
        2. Protection Modes
      5. X-Frame-Options
        1. Preventing Clickjacking
        2. Deny Option
        3. Same Origin Option
        4. Allow From Option
      6. Referrer Policy
        1. Controlling Referrer Information
        2. Policy Options
      7. Feature Policy
        1. Controlling Browser Features
        2. Feature Directives
  3. Cross-Origin Resource Sharing (CORS)
    1. Integration with Spring MVC CORS Support
      1. CORS Mappings in Controllers
      2. Global CORS Configuration
    2. Configuring CORS within Spring Security
      1. CORS Filter Configuration
        1. Allowed Origins
        2. Allowed Methods
        3. Allowed Headers
        4. Exposed Headers
        5. Allow Credentials
        6. Max Age Configuration