Chapter 18. Securing Your App with Spring Boot
It's not real until it's secured.
– Greg L. Turnquist @gregturn
In the previous chapter, you learned how to turn our application into a fully asynchronous, message-based app using WebSockets.
Security is hard. Even among the experts. Rob Winch, the lead for Spring Security, has stated in multiple forums, "Do not implement security on your own."Â A classic example is when someone wrote a utility to crack password-protected Microsoft Word documents. It had an intentional delay so that it didn't operate in subsecond time. Get it? The author of the tool didn't want to show how easy it was to break a Word document.
Suffice it to say, there are lots of attack vectors. Especially on the web. The fact that our applications partially run in a remote location (the browser) on someone else's machine leaves little in guarantees. In fact, whole books have been written on Spring Security. We can't cover everything, but we will cover Just Enoughâ„¢ to secure our...