
Spring Security In Action Second Edition (2025)

In the first edition of Spring Security in Action, many readers fell in love with the classic "formLogin" flow. But in the second edition, Laurentiu Spilca makes one thing crystal clear: in a modern cloud-native world, servers must forget.

    import java.util.Date;
    import javax.crypto.SecretKey;

    import io.jsonwebtoken.Jwts;
    import io.jsonwebtoken.SignatureAlgorithm;
    import io.jsonwebtoken.security.Keys;
    import org.springframework.stereotype.Component;

    @Component
    public class JwtService {

        // Random HS256 key generated at startup: tokens do not survive a restart,
        // and every instance that must verify them needs the same key.
        private final SecretKey key = Keys.secretKeyFor(SignatureAlgorithm.HS256);
        private final long EXPIRATION = 86400000; // 24 hours in milliseconds

        public String generateToken(String username) {
            return Jwts.builder()
                    .setSubject(username)
                    .setIssuedAt(new Date())
                    .setExpiration(new Date(System.currentTimeMillis() + EXPIRATION))
                    .signWith(key)
                    .compact();
        }
    }

The most critical piece from the second edition is the custom filter. It intercepts every request, grabs the Authorization: Bearer header, and populates the SecurityContextHolder for that request only (because there is no session to carry it forward).
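The filter described above, written out as an added example (not the book's listing): it extends Spring's OncePerRequestFilter, verifies the Bearer token with the same jjwt 0.11 API the JwtService uses, and fills the SecurityContextHolder for the current request only. The class name, the injected SecretKey and the fixed ROLE_USER authority are assumptions.

```java
import java.io.IOException;
import java.util.List;
import javax.crypto.SecretKey;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

// Assumed filter, not the book's listing: runs once per request and never
// reads or writes the HTTP session, so identity lives only in the token.
public class JwtAuthenticationFilter extends OncePerRequestFilter {
    private static final String BEARER_PREFIX = "Bearer ";
    private final SecretKey key; // same key JwtService signs with (assumed injected)

    public JwtAuthenticationFilter(SecretKey key) {
        this.key = key;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
            HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith(BEARER_PREFIX)) {
            String token = header.substring(BEARER_PREFIX.length());
            try {
                // parseClaimsJws checks the HMAC signature and the exp claim;
                // a tampered or expired token throws a JwtException.
                Claims claims = Jwts.parserBuilder().setSigningKey(key).build()
                        .parseClaimsJws(token).getBody();
                var auth = new UsernamePasswordAuthenticationToken(
                        claims.getSubject(), null,
                        List.of(new SimpleGrantedAuthority("ROLE_USER")));
                // Populates the context for this request only: nothing persists
                // it, so the next request must present the token again.
                SecurityContextHolder.getContext().setAuthentication(auth);
            } catch (JwtException e) {
                // Invalid token: keep the context empty, so the request stays anonymous.
                SecurityContextHolder.clearContext();
            }
        }
        chain.doFilter(request, response);
    }
}
```

Register it in the SecurityFilterChain before UsernamePasswordAuthenticationFilter and set the session creation policy to STATELESS, otherwise Spring Security will still create a session and the "servers must forget" property is lost.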

With sessions disabled, every request must carry its own proof of identity. The JwtService shown above is a simplified implementation of the token issuer described in the book.

"The best session is no session at all." — A mantra for modern Spring Security developers.
