Authentication and authorization done correctly
Day 1
Spring Security Core & Form Auth
- SecurityFilterChain: filter order, request matching, how authentication flows
- UserDetailsService and UserDetails: custom user loading
- Password encoding: BCrypt, Argon2 — never plain text
- CSRF: when to enable, when to disable, and why
- CORS configuration in Spring Security vs MVC
- Session management: stateful vs stateless, session fixation protection
- Method security: @EnableMethodSecurity, @PreAuthorize with SpEL
- Testing security: @WithMockUser, @WithUserDetails, MockMvc security integration
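A worked example of the Day 1 material, added here for illustration and not part of the course itself: one browser-facing SecurityFilterChain with ordered request matchers, form login, CSRF left on, session fixation protection, BCrypt password storage, an in-memory UserDetailsService with constructed sample users, and a @PreAuthorize rule on a service method. It targets Spring Boot 3 / Spring Security 6; the package name, URL paths and user accounts are hypothetical.

```java
// Added example, not the training's own code. Spring Boot 3 / Spring Security 6.
// Package, paths and the two sample users are hypothetical.
package com.example.training;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class FormSecurityConfig {

    @Bean
    SecurityFilterChain browserChain(HttpSecurity http) throws Exception {
        http
            // Matchers are tried in order and the first match wins, so the
            // specific public paths must come before the anyRequest() catch-all.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/css/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .formLogin(form -> form.loginPage("/login").permitAll())
            .logout(logout -> logout.logoutSuccessUrl("/"))
            // Browser clients authenticate with a session cookie, so CSRF stays on.
            // Only a stateless bearer-token API would justify disabling it.
            .csrf(Customizer.withDefaults())
            .sessionManagement(session -> session
                // Issue a fresh session id at login so a pre-set id cannot be reused.
                .sessionFixation(fixation -> fixation.migrateSession())
                .maximumSessions(1));
        return http.build();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        // Work factor 12; what gets stored is a salted hash, never the password.
        return new BCryptPasswordEncoder(12);
    }

    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        // Constructed sample users for the example; real code loads them from a store.
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password(encoder.encode("alice-pass")).roles("USER").build(),
            User.withUsername("bob").password(encoder.encode("bob-pass")).roles("USER", "ADMIN").build());
    }
}

@Service
class ReportService {

    // Method security runs on the bean proxy no matter which URL reached it.
    // hasRole('ADMIN') checks for the authority ROLE_ADMIN; #owner is the argument.
    @PreAuthorize("hasRole('ADMIN') or #owner == authentication.name")
    public String report(String owner) {
        return "report for " + owner;
    }
}
```

Referring to `#owner` by name in the SpEL expression requires parameter names in the compiled class (the `-parameters` javac flag, which the Spring Boot Maven and Gradle plugins enable by default). A second, stateless chain for an API would be a separate SecurityFilterChain bean with its own securityMatcher, not a global `csrf().disable()` on this one.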
Day 2
OAuth2, JWT & Keycloak
- OAuth2 flows: Authorization Code with PKCE, Client Credentials — which to use when
- Spring Security OAuth2 Resource Server: JWT decoder configuration
- JWT validation: signature, expiry, audience, issuer claims
- Custom JWT converters: mapping claims to Spring Security authorities
- OAuth2 Client: authorization code flow in Spring Boot, token storage
- Keycloak integration: realm setup, client configuration, Spring Boot integration
- Scope-based and role-based authorization: @PreAuthorize with hasAuthority vs hasRole
- Refresh token handling and silent renewal patterns
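A worked example of the Day 2 resource-server material, added here for illustration and not the course's own code: a stateless SecurityFilterChain backed by a NimbusJwtDecoder that checks signature (via the issuer's JWK Set), expiry, issuer and audience, a converter that maps the standard `scope` claim and Keycloak's `realm_access.roles` onto Spring authorities, and two endpoints showing `hasAuthority` against a scope and `hasRole` against a realm role. Spring Boot 3 / Spring Security 6; the ISSUER, AUDIENCE, realm name and endpoint paths are hypothetical.

```java
// Added example, not the training's own code. Spring Boot 3 / Spring Security 6.
// ISSUER, AUDIENCE and the paths are hypothetical; adjust them to your Keycloak realm.
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class ResourceServerConfig {

    private static final String ISSUER = "https://sso.example.com/realms/training";
    private static final String AUDIENCE = "orders-api";

    @Bean
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Bearer tokens carry the identity: no session, hence no CSRF surface.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt
                .decoder(jwtDecoder())
                .jwtAuthenticationConverter(jwtAuthenticationConverter())));
        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // Signature: keys come from the issuer's JWK Set (Keycloak's certs endpoint).
        NimbusJwtDecoder decoder =
            NimbusJwtDecoder.withJwkSetUri(ISSUER + "/protocol/openid-connect/certs").build();
        // Default validator: exp/nbf with clock skew, plus an exact "iss" match.
        OAuth2TokenValidator<Jwt> issuerAndTime = JwtValidators.createDefaultWithIssuer(ISSUER);
        // "aud" is a list in Spring's Jwt; reject tokens minted for some other API.
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
            JwtClaimNames.AUD, aud -> aud != null && aud.contains(AUDIENCE));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuerAndTime, audience));
        return decoder;
    }

    @Bean
    Converter<Jwt, AbstractAuthenticationToken> jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter scopes = new JwtGrantedAuthoritiesConverter(); // "scope" -> SCOPE_<s>
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(jwt -> {
            Collection<GrantedAuthority> authorities = new ArrayList<>(scopes.convert(jwt));
            // Keycloak realm roles sit under realm_access.roles; map them to ROLE_<role>.
            var realmAccess = jwt.getClaimAsMap("realm_access");
            if (realmAccess != null && realmAccess.get("roles") instanceof Collection<?> roles) {
                for (Object role : roles) {
                    authorities.add(new SimpleGrantedAuthority("ROLE_" + role));
                }
            }
            return authorities;
        });
        return converter;
    }
}

@RestController
class OrdersController {
    // Scope = what the client was granted; hasAuthority matches the exact string.
    @GetMapping("/orders")
    @PreAuthorize("hasAuthority('SCOPE_orders:read')")
    List<String> list() { return List.of("order-1", "order-2"); }

    // Role = what the user is; hasRole('admin') looks for the authority ROLE_admin.
    @GetMapping("/admin/orders/all")
    @PreAuthorize("hasRole('admin')")
    List<String> listAll() { return List.of("order-1", "order-2", "order-3"); }
}
```

Two Keycloak caveats worth checking before blaming the code: Keycloak does not put the client id into `aud` unless the client (or a client scope) has an Audience protocol mapper, so without one the audience validator rejects every token; and realm role names are case-sensitive, so `hasRole('admin')` only matches a role literally named `admin`.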
What your team walks away with
Teams that understand their own security configuration, instead of copying Stack Overflow snippets and hoping for the best.
- Configure Spring Security filter chains with correct authentication and authorization logic
- Implement JWT-based OAuth2 resource servers that validate tokens correctly
- Integrate Keycloak as an identity provider with Spring Boot
- Write security tests that verify the actual security behavior, not just bypass it
Book the Spring Security training
Available as a 1-day focused session on OAuth2/JWT or a full 2-day course including Spring Security fundamentals.
Get in touch