The document summarizes key topics from a Spring Security Patterns presentation, including: 1. Secure by default principles like separating application configuration files for different environments and restricting access. 2. The principle of least privilege like implementing specific permissions for users instead of broad access. 3. Storing security-related data in a request thread local for only the current thread to access, and clearing it after to reuse the thread local for the next request. 4. Component composition in Spring Security to modularize features like registration that can be included on different pages.

1. Spring Security Patterns
September 2–3, 2020
springone.io
Ria Stein – Spring Security Maintainer
Josh Cummings – Spring Security Maintainer – @jzheaux

2. Secure by Default
PG
application.properties
App
H2
App
App
H2
application-prod.properties
PG
App
application.properties application-dev.properties

3. Principle of Least Privilege
Username:
Forgot Password
jzheaux OK
Sorry, we don’t recognize that username
Username:
Forgot Password
jzheaux OK
If that username exists, we’ve just sent an email

4. Request Thread Local
try {
SecurityContext ctx = lookup(request);
SecurityContextHolder.setContext(ctx);
chain.doFilter(request, response);
}
finally {
SecurityContextHolder.clearContext()
}
public void serviceLayerMethod() {
var ctx = SecurityContextHolder.getContext();
}
Stores data in a
ThreadLocal so only
visible to this thread
Clears data so
ThreadLocal can be
used for next request
Now data can be
retrieved at the service
layer
ForReactiveapps,use
theReactorContext
insteadofThreadLocals

5. Composition
registration.html
<div class=“registration-banner”>
<button class=“registration-button”>
Register Now
</button>
</div>
<div>
<span>Welcome to our talk!</span>
<registration/>
</div>
homepage.html

6. Stay Connected.
And be secure.
https://github.com/spring-projects/spring-security
https://github.com/jzheaux/springone2020
#springone@s1p