Building Secure RESTful Services using Spring Boot

Course Overview

This highly stimulating course guides students through all the steps required to build secure contemporary RESTful services as well as rich and easy-to-maintain HTML5 web applications using the fantastic Spring MVC framework.

During this course you will be exposed to: Spring MVC, building Restful services, Jackson, view technologies such as Thymeleaf/JSP and a thorough introduction of Spring Security. For some exercises you will be using Spring Boot. The build system during the course is gradle.

Course Prerequisites

Students should be familiar with the Spring IoC and have practical development experience using HTML5, Thymeleaf or JSP. Some exposure to RESTful services is helpful, but not required.

Outline

Here's what we'll be covering over the course:

Spring MVC

Introduction

• Introduce the Spring MVC architecture
• Discuss Spring MVC's features
• Introduce the DispatchServlet
• Configure Spring MVC using Java configuration (Servlet Environment)
• Configure Spring MVC inside a Spring Boot application
• Introduce controllers and RequestMapping
• Map URIs and HTTP methods
• Handle request parameters
• Handle http headers
• List the possible return types of handler methods
• Overview of Handling exceptions
• Using the @ControllerAdvice

Testing

• Introduction to Testing Spring MVC Applications
• Mocking Spring MVC
• Understand how to use the RequestBuilder
• Supply parameters, mime-types, headers, cookies, …
• Setup expectations with ResultMatcher
• Using jsonPath to state expectations on returned json data

Rest with Spring

Introduction

• Overview of Rest with Spring
• Creating ResultController implementations
• More on URL Patterns mapping (path variables, regex)
• Handle mime-types
• Using HttpEntity in handler methods
• Validating data using jsr303

Jackson

• Introduction to Jackson
• Mapping pojos to json/xml/protobuf etc.
• Use Jackson annotations
• Mapping null, Optional.none, and empty strings values
• Introduce Jacksons Views
• Discuss various plugins for data types (most notably jdk8 and jsr310)
• Same for data formats (xml, protobuf, avro, …)
• Configuring Jackson with Spring
• Configure Spring's content negotiation

View (An introduction, optional)

• Overview of view types
• Configuring view resolvers
• Using JSP for the view
• Using Thymeleaf for the view
• Configuration for Thymeleaf
• Introduce ModelAndView
• Configure Resource Handlers
• Writing handler methods and dispatching to a view
• Sharing data with a view
• Using Spring's tag library
• Handle form data
• Validate form data
• Customising the WebDataBinder
• Handling file uploads
• Other kinds of views: PDF, Excel, Images, …

Introduction to Spring Security

• Architectural overview of Spring Security
• Authentication and Authorisation with Spring
• Introduce the UserDetailsService
• Integrate with LDAP, Database realms, JAAS, …
• Basic configuration
• Introduce the HttpSecurity DSL
• URL-based authentication
• Introduce the AuthenticationManagerBuilder DSL
• Understand the default protections (Session Fixation, X-XSS Protection, clickjacking)
• Logging in and logging out (form-based, basic, etc)
• Building login forms (Thymeleaf and JSP)
• CSRF attack prevention
• Adding remember-me to login forms
• Use OpenID for web authentication
• Discuss authentication for RESTful services
• Use Method level security (REST and with view)