
Deep Dive (180 min)
Authorization in Spring Security: permissions, roles and beyond
This talk explores advanced authorization in Spring Security, covering user data handling, policy decision and enforcement phases, and practical implementation strategies. Through live coding, it reviews access control patterns and compares various authorization mechanisms, providing foundational knowledge and practical advice for securing Spring Boot applications beyond basic features.

Daniel Garnier-Moiroux, Spring
Room 5
When creating Spring Boot apps, Spring Security is the go-to choice for all your security use-cases. It offers protections against exploits, authentication (who is the user?) and authorization (are they allowed to do X?) capabilities. Basic authorization features, such as hasRole(...), are easy to implement, but things quickly become complicated when you have more advanced use-cases.
Many operations must be architected correctly to provide secure and robust authorization, in multiple phases. During the initial login phase, the relevant information about the user is extracted, transformed and stored, for example user data from OpenID claims. Then, for authorization, “policy decision” and “policy enforcement” are defined within the context of an operation: where are the authorization decisions made? Lastly, strategies are implemented in code to produce those authorization decisions.
This talk is a follow-up to the 2022 Deep Dive on Spring Security (https://www.youtube.com/watch?v=iJ2muJniikY). Through live-coded examples, you will build a solid, foundational understanding for all your authorization architecture. You will get an overview of all the access control patterns you can apply with Spring Security. And you will get practical advice on the different authorization mechanisms available, and their tradeoffs.
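As an added illustration of the three phases the abstract describes (this is example code, not material from the talk), the configuration below maps a "groups" claim from the OpenID ID token to roles at login, puts the policy decision in one bean, and enforces it at a service method. It assumes oauth2Login is configured elsewhere and that the identity provider issues a "groups" claim; the DocumentPolicy and DocumentService names are hypothetical.

```java
import java.util.HashSet;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

@Configuration
@EnableMethodSecurity
class AuthorizationConfig {

    // Phase 1, login: extract the "groups" claim (assumed to be issued by the IdP) from the
    // ID token and transform each group into a ROLE_ authority stored on the Authentication.
    // The OAuth2 login configurer picks up a GrantedAuthoritiesMapper bean when none is set explicitly.
    @Bean
    GrantedAuthoritiesMapper groupsToRoles() {
        return authorities -> {
            var mapped = new HashSet<GrantedAuthority>(authorities);
            for (GrantedAuthority authority : authorities) {
                if (authority instanceof OidcUserAuthority oidc) {
                    var groups = oidc.getIdToken().getClaimAsStringList("groups");
                    if (groups != null) groups.forEach(g -> mapped.add(new SimpleGrantedAuthority("ROLE_" + g.toUpperCase())));
                }
            }
            return mapped;
        };
    }
}

// Phase 2, policy decision: a single bean answers "may this principal read this document?".
// Ownership is passed in directly here as a hypothetical stand-in for a repository lookup.
@Component("documentPolicy")
class DocumentPolicy {
    boolean canRead(Authentication authentication, String ownerEmail) {
        boolean isAdmin = authentication.getAuthorities().stream().anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));
        return isAdmin || authentication.getName().equals(ownerEmail);
    }
}

// Phase 3, policy enforcement: the service method only states where the check happens
// and delegates the decision itself to the policy bean via SpEL.
@Service
class DocumentService {
    @PreAuthorize("@documentPolicy.canRead(authentication, #ownerEmail)")
    String read(String ownerEmail) {
        return "document owned by " + ownerEmail;
    }
}
```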

Daniel Garnier-Moiroux
Daniel Garnier is a software engineer at Broadcom, working in the identity space and on SSO for applications. He is an adjunct professor at Mines Paris, where he teaches CS and software engineering classes.
He contributes to Spring Security, and has a keen interest in automation and developer productivity.