Trifork Academy is the official training partner of VMware in the Netherlands & exclusive provider of the Spring Security Masterclass. Learn more from our CTO & Trainer, Joris Kuipers.

In this masterclass you will learn the foundation for securing enterprise & microservices applications using Spring Security. You will gain hands-on experience with major features of Spring Security such as, authentication, authorization, password handling & many more.

Course Overview

Objectives & Prerequisites

By the end of the course, you should be able to meet the following objectives:

  • Use Spring Security in Spring and Spring Boot applications
  • Configure the Spring Security filter chain
  • Protect HTTP endpoints with expression-based access control and the AuthorizationManager API
  • Protect method execution
  • Use different authentication mechanisms
  • Handle passwords in an efficient way
  • Integrate Spring Security with Junit 5 and MockMVC to test HTTP and method security
  • Protect against common vulnerabilities and threats
  • Understand what OAuth2 is
  • Use and configure the Spring Authorization Server
  • Implement a resource server and client


Developer experience building applications with Spring Boot, experience using an IDE (Eclipse, Spring Tools, IntelliJ, or VS .ode), and experience using build tools such as Maven or Gradle.

Day 1: Security Introduction, Spring Security Basics, Customising Authentication...

Security Introduction

  • Need for security
  • Basic security concepts
  • Common security vulnerabilities

Spring Security Basics

  • Introduction to Spring Security
  • High-level architecture
  • Overview of SecurityContext
  • Spring Security with Spring Boot

Customising Authentication

  • Building blocks for authentication
  • Authentication mechanisms based on user name and password
  • Other authentication mechanisms
  • Authentication events

Securing Web Applications

  • Configuring authorization
  • Using AccessDecisionsManager for authorization
  • Using AuthorizationManager for authorization
  • Bypassing security

Method Security

  • Method security architecture
  • Declarative method security with annotations

Spring Testing

  • Spring Security Testing Support
  • Security mock annotations and meta-annotations
  • Using MockMvc to test security

Day 2: Handling Passwords, OAuth2 and OIDC Concepts, Spring Authorization Server...

Handling Passwords

  • Password hashing
  • Upgrading passwords

(Optional) Protecting Against Common Vulnerabilities

  • Hardening web applications with security headers
  • Preventing cross-site request forgery
  • Encrypting data in transit

OAuth2 and OIDC Concepts

  • Need for OAuth
  • Overview of OAuth2 and OIDC
  • OAuth2 grant types
  • Types of tokens
  • Spring Security OAuth2 support and OAuth2 login

Spring Authorization Server

  • Introduction to Authorization Server
  • Spring Authorization Server endpoints
  • Spring Authorization Server configuration

Protecting and accessing resources with OAuth2

  • Resource server
  • Using JWT tokens
  • Using opaque tokens
  • Configuring an OAuth2 client