Spring Security - Third Edition: Secure your web applications, RESTful services, and microservice architectures
Have you run into any of these three pitfalls in your own projects? The patterns above might just save your next security audit.
Move @PreAuthorize to the service layer and use method security expressions that check both role and ownership.
The unprotected service, with the check left to whoever calls it, looks like this:

```java
import org.springframework.stereotype.Service;

@Service
public class DocumentService {

    private final DocumentRepository documentRepository;

    public DocumentService(DocumentRepository documentRepository) {
        this.documentRepository = documentRepository;
    }

    public Document findById(Long id) {
        // No security here! Authorization was left to the controller.
        return documentRepository.findById(id);
    }
}
```

If any other service calls findById(1) – maybe from a scheduled job, a message listener, or another microservice – the authorization check is gone.
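The same service carrying its own authorization, as an added example (not code from the book or from this post): role and ownership are checked on the service method itself, so a scheduled job, a message listener or another microservice that calls it gets the same decision as the controller. The names are assumptions: a Spring Data `DocumentRepository`, a `Document` entity whose `getOwner()` returns the owner's username, a `DocumentNotFoundException`, and a `DocumentSecurity` helper bean; none of them come from the page.

```java
// Added example, not from the book: service-layer method security that checks
// role OR ownership. DocumentRepository, Document.getOwner(), DocumentSecurity
// and DocumentNotFoundException are hypothetical names (JPA annotations omitted).
import org.springframework.context.annotation.Configuration;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

@Configuration
@EnableMethodSecurity // turns on @PreAuthorize/@PostAuthorize (Spring Security 5.6+ / 6.x)
class MethodSecurityConfig {
}

// Hypothetical entity; only the owner field matters for the checks below.
class Document {
    private Long id;
    private String owner; // username of the owner

    public Long getId() { return id; }
    public String getOwner() { return owner; }
}

interface DocumentRepository extends JpaRepository<Document, Long> {
}

class DocumentNotFoundException extends RuntimeException {
    DocumentNotFoundException(Long id) { super("document " + id + " not found"); }
}

@Service
public class DocumentService {

    private final DocumentRepository documentRepository;

    public DocumentService(DocumentRepository documentRepository) {
        this.documentRepository = documentRepository;
    }

    // Ownership is only known once the row is loaded, so the decision runs on
    // the return value: admins may read anything, everyone else only their own
    // documents. The rule travels with the method, not with the controller.
    @PostAuthorize("hasRole('ADMIN') or returnObject.owner == authentication.name")
    public Document findById(Long id) {
        return documentRepository.findById(id)
                .orElseThrow(() -> new DocumentNotFoundException(id));
    }

    // For a write, deny before touching the database: role OR ownership, with
    // the ownership lookup delegated to a bean referenced from the expression.
    @PreAuthorize("hasRole('ADMIN') or @documentSecurity.isOwner(#id, authentication)")
    public void delete(Long id) {
        documentRepository.deleteById(id);
    }
}

@Component("documentSecurity")
class DocumentSecurity {

    private final DocumentRepository documentRepository;

    DocumentSecurity(DocumentRepository documentRepository) {
        this.documentRepository = documentRepository;
    }

    public boolean isOwner(Long id, Authentication authentication) {
        if (authentication == null) {
            return false;
        }
        return documentRepository.findById(id)
                .map(d -> authentication.getName().equals(d.getOwner()))
                .orElse(false); // unknown id: deny, do not reveal existence
    }
}
```

Two caveats a practitioner should keep in mind. Method security is applied through a Spring AOP proxy, so a call from another method of the same bean (self-invocation) never passes through the interceptor; route such calls through another bean or check explicitly. And when no Authentication is present in the SecurityContext, as in a scheduled job that was never given one, the interceptor throws AuthenticationCredentialsNotFoundException, which is the right default: the job fails closed instead of reading every document silently. A job that legitimately needs the data must run under an explicit identity.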
If you take one concept from this book, make it this: “Authentication identifies who can knock. Authorization decides what they can touch. But in microservices, every internal call needs its own authorization – don’t trust the incoming token just because it’s signed.” Look at the book’s section on @CurrentSecurityContext to replace SecurityContextHolder boilerplate, and the chapter on reactive security for WebFlux – where even @PreAuthorize works differently than you expect.
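What “don’t trust the incoming token just because it’s signed” means in configuration, as an added example that is not the book’s code: a resource server that accepts a JWT only if it was issued by the expected issuer and addressed to this service (the `aud` claim), and an internal endpoint that still applies its own authorization and reads the caller through @CurrentSecurityContext instead of SecurityContextHolder. The issuer URI, the audience value `document-service`, the scope `documents:read` and the request path are hypothetical.

```java
// Added example, not from the book. Issuer, audience, scope and path are
// hypothetical. A token validly signed by the same identity provider but minted
// for a different service (wrong aud) is rejected before any authorization runs.
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.annotation.CurrentSecurityContext;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableMethodSecurity
public class InternalCallSecurityConfig {

    private static final String ISSUER = "https://idp.example.internal/realms/platform"; // hypothetical
    private static final String AUDIENCE = "document-service";                           // hypothetical

    @Bean
    JwtDecoder jwtDecoder() {
        // Signature, issuer and expiry are covered by the default validator...
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(ISSUER);
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(ISSUER);
        // ...the audience check is what the default leaves out: a token for
        // billing-service carries a perfectly good signature from the same issuer.
        OAuth2TokenValidator<Jwt> withAudience =
                new DelegatingOAuth2TokenValidator<>(withIssuer, new AudienceValidator(AUDIENCE));
        decoder.setJwtValidator(withAudience);
        return decoder;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults())); // uses jwtDecoder()
        return http.build();
    }

    static final class AudienceValidator implements OAuth2TokenValidator<Jwt> {

        private final String audience;

        AudienceValidator(String audience) {
            this.audience = audience;
        }

        @Override
        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            List<String> aud = jwt.getAudience();
            if (aud != null && aud.contains(audience)) {
                return OAuth2TokenValidatorResult.success();
            }
            return OAuth2TokenValidatorResult.failure(
                    new OAuth2Error("invalid_token", "The required audience is missing", null));
        }
    }
}

// Accepting the token only gets the caller in the door. The endpoint still
// decides what it may touch; scopes from the token's "scope" claim are mapped
// to SCOPE_* authorities by the default JwtAuthenticationConverter.
@RestController
class InternalDocumentController {

    @GetMapping("/internal/documents/{id}")
    @PreAuthorize("hasAuthority('SCOPE_documents:read')")
    public String read(@PathVariable Long id,
                       @CurrentSecurityContext(expression = "authentication") Authentication caller) {
        // @CurrentSecurityContext replaces SecurityContextHolder.getContext().getAuthentication()
        return "document " + id + " read by " + caller.getName();
    }
}
```

The audience validator is the piece most often missing in service-to-service setups: every service behind one identity provider shares the issuer and the signing keys, so without it any token minted for any service opens every other one.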