Java Security Learning Path
A complete ordered Java security guide covering application security fundamentals, Spring Security, authentication, authorization, JWT, OAuth2, OIDC, SAML, MFA, API security, encryption, secrets, OWASP, vulnerability scanning, and production security checklists.
Java application security is the practice of protecting APIs, services, data, users, credentials, infrastructure integrations, and production systems from unauthorized access and abuse.
This page is the home article for the Java Security framework section. Use it as the ordered table of contents for the complete Java security series.
The order below also controls the left menu order and the Previous/Next navigation buttons at the bottom of each Java Security article.
What You Will Learn
By completing this series, you will understand:
- Java application security fundamentals.
- Authentication, authorization, RBAC, and method-level security.
- Spring Security architecture and request processing flow.
- Password hashing, JWT, refresh tokens, OAuth2, OIDC, LDAP, SAML, and MFA.
- API security topics such as API keys, rate limiting, CORS, CSRF, security headers, and secure file upload.
- Microservice security with service-to-service authentication and mTLS.
- Data protection with encryption, hashing, tokenization, masking, and secrets management.
- OWASP Top 10 risks, vulnerability scanning, secure logging, and production security checklists.
Complete Java Security Order
1. Security Foundation
Start here to understand the core concepts before adding frameworks or protocols.
| No | Article | What You Will Learn |
|---|---|---|
| 01 | Java Application Security Fundamentals | Security basics, authentication, authorization, secure API design, password hashing, input validation, logging, secrets, and production practices |
| 02 | Authentication vs Authorization in Java | Identity verification, access control, roles, permissions, authorization decisions, and Spring Security examples |
| 03 | Spring Security Architecture Deep Dive | SecurityFilterChain, filters, AuthenticationManager, SecurityContext, providers, and request flow |
| 04 | Secure Password Hashing with BCrypt | BCrypt, salting, password verification, password storage, migration, and best practices |
2. Authentication and Authorization
These topics build secure login, token, role, and permission systems.
| No | Article | What You Will Learn |
|---|---|---|
| 05 | Role-Based Access Control with Spring Security | Roles, authorities, access rules, endpoint protection, and RBAC design |
| 06 | JWT Authentication in Spring Boot | JWT structure, signing, validation, filters, stateless authentication, and Spring Boot implementation |
| 07 | Refresh Token Implementation in Java | Access tokens, refresh tokens, rotation, revocation, expiration, storage, and secure renewal flow |
| 08 | OAuth2 Login with Google and GitHub | OAuth2 authorization code flow, client registration, providers, callbacks, and user identity mapping |
| 09 | OpenID Connect with Spring Security | OIDC, ID tokens, scopes, claims, discovery, user info, and identity provider integration |
| 10 | API Key Authentication for Internal APIs | API key generation, validation, rotation, internal service access, and API key limitations |
3. API Protection
This section focuses on protecting public and internal APIs from abuse and browser-based threats.
| No | Article | What You Will Learn |
|---|---|---|
| 11 | Rate Limiting APIs with Bucket4j and Redis | Rate limiting algorithms, Bucket4j, Redis-backed limits, quotas, throttling, and abuse prevention |
| 12 | CORS and CSRF Protection in Spring Boot | Browser security, cross-origin requests, CSRF risks, tokens, and correct Spring Boot configuration |
4. Enterprise Identity
Enterprise applications often integrate with centralized identity systems.
| No | Article | What You Will Learn |
|---|---|---|
| 13 | LDAP Authentication with Spring Boot | LDAP directories, bind authentication, user lookup, groups, and enterprise login integration |
| 14 | SAML SSO Integration in Java Applications | SAML concepts, identity providers, service providers, assertions, metadata, and SSO flow |
| 15 | Multi-Factor Authentication Implementation | MFA concepts, OTP, TOTP, backup codes, verification flow, and account protection |
| 16 | Method-Level Security with PreAuthorize | @PreAuthorize, @PostAuthorize, SpEL expressions, service-level authorization, and fine-grained access control |
5. Microservice Security
Service-to-service security is essential in distributed Java systems.
| No | Article | What You Will Learn |
|---|---|---|
| 17 | Secure Microservice-to-Microservice Communication | Internal API trust, token propagation, service identity, gateway patterns, and zero-trust basics |
| 18 | mTLS Authentication between Java Services | Mutual TLS, certificates, keystores, truststores, service authentication, and secure transport |
6. Data Protection
These topics protect sensitive data at rest, in transit, and in logs.
| No | Article | What You Will Learn |
|---|---|---|
| 19 | Field-Level Encryption in Spring Boot | Encrypting selected fields, key handling, converters, and application-level data protection |
| 20 | Database Encryption and JPA Attribute Converter | JPA AttributeConverter, database column encryption, transparent encryption, and limitations |
| 21 | Secrets Management using AWS Secrets Manager | Secrets storage, rotation, IAM access, Spring Boot integration, and avoiding hardcoded credentials |
| 22 | Hashing vs Encryption vs Tokenization | When to hash, encrypt, tokenize, mask, or avoid storing sensitive data |
| 23 | PII Data Masking in Java Applications | Masking names, emails, phone numbers, account numbers, logs, DTOs, and compliance-friendly output |
| 24 | Secure Logging and Preventing Sensitive Data Leaks | Secure logging, redaction, structured logs, audit logs, and avoiding token/password leakage |
7. OWASP, Hardening, and Production Readiness
Finish with vulnerability prevention, scanning, hardening, and production checklists.
| No | Article | What You Will Learn |
|---|---|---|
| 25 | OWASP Top 10 for Java Developers | OWASP risks, injection, broken access control, insecure design, vulnerable components, and Java prevention patterns |
| 26 | Input Validation and SQL Injection Prevention | Validation, parameterized queries, ORM safety, SQL injection examples, and secure query patterns |
| 27 | Secure File Upload Implementation | File validation, content type checks, storage safety, malware scanning, limits, and path traversal prevention |
| 28 | Security Headers in Spring Boot | CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and browser hardening |
| 29 | Vulnerability Scanning with OWASP Dependency Check | Dependency scanning, CVEs, build integration, suppression files, and secure dependency management |
| 30 | Production Security Checklist for Java Applications | Final production checklist for authentication, authorization, secrets, logging, headers, dependencies, monitoring, and incident readiness |
Recommended Learning Flow
```mermaid
flowchart TD
A["01 Security Fundamentals"] --> B["02 Authentication vs Authorization"]
B --> C["03 Spring Security Architecture"]
C --> D["04 Password Hashing"]
D --> E["05 RBAC"]
E --> F["06 JWT"]
F --> G["07 Refresh Tokens"]
G --> H["08 OAuth2"]
H --> I["09 OIDC"]
I --> J["10 API Keys"]
J --> K["11 Rate Limiting"]
K --> L["12 CORS and CSRF"]
L --> M["13 LDAP"]
M --> N["14 SAML"]
N --> O["15 MFA"]
O --> P["16 Method Security"]
P --> Q["17 Service-to-Service Security"]
Q --> R["18 mTLS"]
R --> S["19-24 Data Protection"]
S --> T["25-30 OWASP and Production Readiness"]
```
Java Security Request Flow
```mermaid
flowchart LR
A["Client request"] --> B["Security filters"]
B --> C["Authentication"]
C --> D["SecurityContext"]
D --> E["Authorization"]
E --> F["Controller"]
F --> G["Service method security"]
G --> H["Data protection and audit logging"]
H --> I["Response with secure headers"]
```
Navigation Behavior
This parent page is intentionally named Java-Security.md inside the java-security folder. The generic series navigation resolves it as the home article for this folder.
The links above are the source of truth for:
- Left-side Java Security article ordering.
- Previous article button.
- Next article button.
- The position of future articles as they are added to the series.
Study Guidance
If you are new to application security, study articles 01 to 04 first.
If you are building authentication for a Spring Boot API, focus on articles 03 to 10.
If you are securing enterprise systems, study LDAP, SAML, MFA, method-level security, microservice security, mTLS, secrets management, and encryption.
If you are preparing for production, finish with OWASP, secure file upload, headers, dependency scanning, and the production security checklist.
Final Outcome
After completing this path, you should be able to:
- Explain Java and Spring Security fundamentals clearly.
- Design secure authentication and authorization flows.
- Protect APIs from abuse, browser attacks, injection, and data leaks.
- Secure microservice communication.
- Protect sensitive data using encryption, hashing, tokenization, masking, and secrets management.
- Navigate the Java Security article series using the correct left menu and Previous/Next buttons.