Learn Spring Security

The definitive video guide to secure your Java application

Why Learn About Security?

Robust security for web applications is and has always been a must. But the security landscape has been changing rapidly over the last few years, with REST APIs becoming mainstream, the huge adoption and evolution of OAuth2, single-page apps (SPAs), two-factor authentication (2FA) and so many other security requirements.

And the security market is huge – Gartner puts the numbers at 150 billion in 2021 and this is predicted to grow in the next few years. There is an abundance of security work that needs to be done well, and it is very well paid.

Simply put, not having a solid, deep understanding of the current security landscape is no longer a good option.

Why Spring Security?

Spring Security has been getting better as well. With the launch of v6, the framework has become even more mature and stable. The already fantastic Boot integration, new OAuth2 stack, and support for pretty much any security mechanism you need are all here.

Right now, in 2024, there’s no debate. Spring Security is THE framework to properly and intelligently do security if you’re working in Java.

The framework is fully able to handle everything you throw at it – from simple scenarios to highly complex security requirements. There are some OK alternatives, but nothing really comes close.

A Video Course is the best way you’ll learn coding and tactical know-how.

Learn Spring Security... Accelerated

I’ve created this course to help you get to a full security education quickly. That’s the whole point in going through a course – it’s the fast way to learn the material and get the Spring Security tools you need to secure your system.

Each module contains exhaustive video lessons along with code, lesson notes and resources to help you put the framework to use immediately in your app.

Each of the 2 classes features a different level of education:

The Master Class

This is the full material – the comprehensive, start-to-finish path from starting out with security to a real-world, solid understanding of how to use Spring Security in practice.

The deep-dives focus on implementations such as a complete OAuth2 from the ground up, Two-Factor authentication, a full ACL system, Single Sign On, a complete registration mechanism, how to deal with various attack vectors – and many others.

The Certification Class

This class is simple – it contains the full material from the Master Class, plus downloads, and multiple-choice questions – to help you get the most out of the material.


When you’re done, you’re going to get a “Certificate of Completion” for the course.

This is generally where professional developers find the greatest value.

I’ve created the Master Class to be THE reference Spring Security education if you’re working with Java today.

Why Learn From Me?

I’m Eugen, and I’ll be your instructor through this course.

I’ve been teaching Spring Security quite extensively in my own consulting work for over a decade now. I’ve helped teams implement (most commonly re-implement) security in their systems over a ridiculous number of Spring versions. And I’ve been teaching security throughout most of that time.

The lessons here came out of that experience, with the core goal of showing you the ins and outs of the security framework, and giving you a clear map of how to use it in practice (especially in the more advanced modules).

To be clear – you can’t get there by just watching videos – you’ll need to code, along with me, through the material. The videos and the multiple-choice questions are your reference to come back to – whenever you need them.

The course is amazing. I’m not really a junior regarding the Spring framework. I decided to go through all your materials, even the ones focused on beginners, though I’m not a beginner myself.

I try to apply what I’ve learned in live projects that I’m working on and improve my coding skills by using your course. The only problem that I have is time, but step by step I’m going through all your materials. Sometimes I only go through the lesson I need at that moment.

I recommend your course to anyone who might need it – my colleagues, friends, and fellow students. You did a great job with this course. Thank you for that!

– Alexandru-Bogdan Galusca, Software Engineer at Miracle A/S

The Master Class

The canonical reference for securing a Spring application.

The 20 modules, with over 13 hours of video material, cover everything from the basics of Spring Security in both an MVC application and a REST API, to advanced deep-dives into fully working security implementations.

We’ll do a complete ACL implementation for applications that simply need to go beyond roles and privileges, we’ll tackle 2FA for extra security and we’ll focus on Multi-Tenancy, LDAP, Single Sign On and a wide variety of other scenarios.

And, of course, we’ll focus on OAuth – specifically on the new OAuth2 stack in Spring Security – with almost half of the course dedicated to it.

This is everything I wish I had access to when I secured my first application with Spring Security.

1. Secure a Simple Spring MVC Application

7 LESSONS (6 Video + 1 Text) ~ 3 HOURS

  1. Intro to Spring Security 
  2. A Basic Security Java Config 
  3. URL Authorization (Preview lesson)
  4. Building a Login Form 
  5. Implementing Logout 
  6. Anonymous “Authentication”
  7. Overview of Spring Security Objects (text)

2. A Full Registration Flow

6 LESSONS (6 Video) ~ 2.5 HOURS

  1. A Simple Registration Flow 
  2. Authentication using Real Users 
  3. Activate a New Account via Email 
  4. Deal with “I forgot my password” 
  5. Do Security Questions Right 
  6. Ensure Password Strength during Registration (2 parts)

3. Remember Me

3 LESSONS (Video) ~ 1 HOUR

  1. A Simple Remember Me Flow (Preview lesson) 
  2. Remember Me with Cookie 
  3. Remember Me with Persistence (Preview lesson)

4. Spring Security on the Client

4 LESSONS (Video) ~ 1.5 HOURS

  1. Spring Security with JSP 
  2. The Authentication Tag and Displaying the Current User 
  3. Spring Security with Thymeleaf 
  4. The Authorize Tag

5. Spring Security Expressions

4 LESSONS (Video) ~ 1.5 HOURS

  1. By URL Authorization with Expressions 
  2. On-method Authorization with Expressions 
  3. In-page URL Authorization with Expressions 
  4. Programmatic Expressions and a custom PermissionEvaluator

6. Password Storage

5 LESSONS (Video) ~ 2 HOURS

  1. Introduction to Storing Passwords 
  2. Hashing Passwords (MD5 and SHA-256) 
  3. Why Hashing Isn’t Enough – Using Salts 
  4. Key Stretching 
  5. The bcrypt Solution

7. Spring Security Advanced Configuration

4 LESSONS (Video) ~ 2 HOURS

  1. Breaking Down the Authentication Flow 
  2. Run As a Different User 
  3. The Security Context 
  4. Configure the Filter Chain

8. Advanced Authentication

5 LESSONS (4 Video + 1 Text) ~ 2.5 HOURS

  1. A Custom Authentication Provider 
  2. Multiple Providers and the Authentication Manager 
  3. In-Memory, JDBC and Hibernate/JPA User Storage 
  4. Tracking Logged-in Users
  5. Setting up Users at Startup (text)

9. Advanced Authorization

4 LESSONS (Video) ~ 2.5 HOURS

  1. How Authorization Works 
  2. The Topology of Roles and Privileges (2 parts) 
  3. Secure Method Invocations with AOP 
  4. A Custom AccessDecisionVoter (Preview lesson)

10. Basic REST API Security

3 LESSONS (Video) ~ 1 HOUR

  1. The Basics of API Security 
  2. Basic Authentication for the API  
  3. Certificates and HTTPS for Tomcat

11. ACL with Spring Security

3 LESSONS (Video) ~ 2 HOURS

  1. Introduction to ACL and Domain Object Security 
  2. The Data Structure of ACL
  3. ACL with Spring Security (2 parts)

12. Two-Factor Authentication

2 LESSONS (Video) ~ 1 HOUR

  1. A Simple Two-Factor Implementation with a Soft Token (Preview lesson) 
  2. A Two-Factor Implementation with SMS

13. Advanced Spring Security Scenarios

4 LESSONS (Video) ~ 2 HOURS

  1. Spring Security for a non-Spring Application 
  2. Multi-Tenancy with Spring Security 
  3. Session Management with spring-session 
  4. Spring Security with LDAP 

14. Reactive Security

3 LESSONS (2 Video + 1 Text) ~ 1 HOUR

  1. A Basic Reactive Security Example 
  2. Reactive Method Security
  3. WebFlux Form Login (text)

1. Intro to OAuth2 and the OAuth2 Roles

4 LESSONS (2 Video + 2 Text) ~ 2 HOURS

  1. Intro to OAuth2 and the OAuth2 Roles (theory) (text)
  2. Picking the Right OAuth Grant Type/Flow to Use (theory) 
  3. The State of OAuth2 in Spring Security (theory) 
  4. Setting up the Project (text)

2. The Basics of OAuth2 (New Stack)

5 LESSONS (4 Video + 1 Text) ~ 3 HOURS

  1. The Authorization Code Flow (theory) 
  2. The Authorization Server with Keycloak 
  3. The New OAuth2 Client Support (2 Parts)
  4. The New Resource Server Support (2 Parts)
  5. JWT Support (text)

3. OAuth2 Beyond the Basics - The Resource Server (New Stack)

8 LESSONS (8 Text) ~ 8 HOURS

  1. Basic Authorization with OAuth2 (text)
  2. Verify/Validate Claims from the JWT (text)
  3. Accessing JWT Bearer Token Authentication Attributes (text)
  4. Accessing JWT Bearer Token Authentication Attributes Using SpEL (text)
  5. Custom Authorities From JWT Claims (text)
  6. Custom Validators For JWT Claims (text)
  7. Resource Server Multi-Tenancy Support (text)
  8. Resource Server Testing Support (text)

4. OAuth2 Beyond the Basics - The Client (New Stack)

4 LESSONS (4 Text) ~ 5 HOURS

  1. The Client Configuration Under the Hood (text)
  2. New OAuth2 Social Login (text)
  3. Refreshing a Token (text)
  4. Testing OAuth2 Clients (text)
  5. The Authorization Code Flow with PKCE (text)

5. OAuth2 Beyond the Basics - Deep-Dives (New Stack)

9 LESSONS (9 Text) ~ 11 HOURS

  1. OAuth2 and SPAs (theory) (text)
  2. OAuth2 and SPAs (implementation) (text)
  3. Exploring JWS with OAuth2 (text)
  4. Testing OAuth2 with REST-assured (text)
  5. OAuth2 and OpenID Connect (text) 
  6. Logout with OAuth and OIDC (text)
  7. The Client Credentials Flow (text)
  8. Token Revocation (text)
  9. The Legacy Stack Authorization Server (text)

6. Microservices, Spring Security and OAuth2 (New Stack)

3 LESSONS (3 Text) ~ 4 HOURS

  1. OAuth Security Patterns in a Microservice Application (text)
  2. Sharing Principal Information in Microservices (text)
  3. Exploring Topologies – Gateway API as OAuth2 Client (2 parts) (text)

The Certification Class

This Class contains the same material as the Master Class, but goes beyond the core material with:

  • multiple-choice questions in each lesson to make sure you fully understood the material
  • a Certificate of Completion (example)
  • the download ability for all video lessons – to help you learn offline

Of course, if you have any questions about the material, ping me directly here, on chat, or over email.

Master Class


The canonical reference to secure a web application.
  • All 20 Modules
  • 81 Video Lessons

Certification Class


The Class includes the Master Class material, exercises, downloads and the Certificate of Completion
  • All 20 Modules
  • 81 Video Lessons
  • + Exercises in Each Lesson
  • + Full Downloads for All Videos
  • + Certificate of Completion

Learn Spring Security + REST With Spring - Certification Class


The Complete Spring Education
  • All 34 Modules
  • 149 Video Lessons
  • + Exercises in Each Lesson
  • + Full Downloads for All Videos
  • + Certificate of Completion

If you’re looking to get both this course and Learn Spring or REST With Spring, have a look at the Bulk Package.

Do you have a team who would benefit from taking the course?

20-Day Money Back Guarantee

I believe strongly in the quality of the course material to teach you the fundamentals of coding in Spring. I’ve put a lot of work and care into these lessons and hope you’re going to use them fully and up your Spring game.

I confidently back all classes with a 20-Day Money Back Guarantee. I want you to dive in deep and experience the full wealth of this resource without hesitation.

If the material isn’t a good fit, just contact me within 20 days of purchase, and ask for a full refund for any single course package.

Eugen is a very knowledgeable teacher and communicates his material in a clear and concise manner. I am self-taught in Spring and a semi-ok to good Java developer but found the barrier to entry to learn Spring too high.

I’ve saved myself hundreds of hours of research and learning effort by taking his courses. The material is easy to follow and broken up into appropriate lengths allowing for timely progress. The course also can be used as reference material on the subject matter allowing you to quickly jump in and explore a given topic. The courses are worth every cent!

– Thomas Sødring, Associate Professor at Oslo and Akershus University College of Applied Sciences

The lessons are practical and easy to follow and the structure of the course allows you to watch the videos in one go, or pick individual topics any time you want. Some previous experience with Spring is needed but I think that’s to be expected from an advanced course.

– Alexander Fridlund, Consultant and owner Visegue Solutions AB

I got a lot out of the course, especially the registration with email validation, two factor authentication and how to use the framework interfaces. I was actually able to apply the knowledge in a project for my client, so I’d definitely recommend the course to anyone wanting to learn about Spring Security.

– Li Zhang, Senior Software Engineer at Grant Thornton LLP

I have several years of experience with Java and REST, and I am now working on a project that makes heavy use of Spring and OAuth2. Because initially I was not involved in it, a lot of Spring aspects have been hard work for me. This course has given me a better knowledge of Spring and showed really good examples of how to test.

– John Reah, Head of Software Engineering at HTK

The great combination of theory and practice turned this video course into a real workshop. With all the practical knowledge and live examples, I’ve not only learned a lot but also systematized my Spring knowledge.

– Maciej Scislowski, Senior Java Consultant

I went through the course step by step and I’ve been using it in many ways ever since. I like the combination of theory and real-life implementation - that helped me solve many practical problems in my daily work.

– Bernd Fischer, CTO at MindApproach GmbH

The course is very practical and shows how things can be done in production-grade code. The fact that the lessons are video-based with transcripts and code projects for each step makes the course very accessible. It requires literally only a few minutes between buying the course and following the first lessons.

– Bavo De Ridder, IT Solution Architect at VDAB

Thanks for putting this together. I greatly appreciate the great lesson's pace - they're not dry or boring. The content is well worth it - industry-standard stuff, and used throughout enterprises and start-ups alike. It'd be hard to gather this much information and detail even after years of experience.

– Rob Anhart, Senior Professional Services Engineer at Netskope

I knew what authentication and authorization were and the basic methodologies for implementing them in an application. What I seriously lacked was the knowledge of what was going on behind the scenes. The videos really helped me understand what is happening under the hood and truly customize Spring Security to fit my needs.

– Timothy Schmiandle, Engineering Team Lead at Finicity

The implementation of best security practice for production grade apps is a real minefield. This course has been an invaluable resource in helping us with our web application security. There are dozens of toy Spring Security examples on the web, but we really needed one which showed us what a production grade implementation looks like.

– Leon Roy, CEO at Brring