Learn Java Authentication Pattern
Authentication mental model for Java engineers: identity, credential, principal, subject, session, token, assurance, and how authentication results flow through a production-grade application.
This overview is designed to help you choose the right entry point quickly. Follow the full track from lesson one, continue from your last checkpoint, or jump straight into a phase that matches what you need right now.
Curriculum Map
Navigate by phase, then choose the lesson that matches your current depth.
Authentication Mental Model
18 min. Authentication mental model for Java engineers: identity, credential, principal, subject, session, token, assurance, and how authentication results flow through a production-grade application.
Authentication Boundary and Trust Model
15 min. Boundary and trust model for production-grade Java authentication: edge, gateway, application, identity provider, internal service, async worker, and data layer.
Threat Model for Authentication
24 min. Authentication threat model for Java engineers: credential theft, replay, phishing, session fixation, token substitution, confused deputy, tenant confusion, recovery abuse, and how these threats change the implementation design.
Java Authentication Landscape
19 min. The modern Java authentication landscape: Servlet, FilterChain, Spring Security, Jakarta Security, Jakarta Authentication/JASPIC, JAAS, JAX-RS, MicroProfile JWT, container-managed security, and Identity Provider integration.
Servlet Filter Chain Authentication
18 min. Servlet Filter Chain Authentication for Java engineers: how a request enters, how filters operate, how authentication is decided, how the SecurityContext is built, how the response leaves, and how failure modes arise from ordering, dispatch, threads, and boundaries.
Spring Security Architecture Deep Dive
18 min. Spring Security Architecture Deep Dive for Java engineers: DelegatingFilterProxy, FilterChainProxy, SecurityFilterChain, SecurityContextHolder, AuthenticationManager, ProviderManager, AuthenticationProvider, EntryPoint, Success/Failure handlers, and production-grade customization.
Jakarta Security Authentication Model
15 min. Jakarta Security Authentication Model for Java engineers: HttpAuthenticationMechanism, IdentityStore, IdentityStoreHandler, CredentialValidationResult, SecurityContext, built-in mechanisms, custom mechanisms, role/group mapping, and production-grade failure modes.
User Identity Domain Model
13 min. User Identity Domain Model for a production-grade Java authentication system: account, person, subject, tenant, credential, authenticator, session, device, recovery, risk signal, audit event, lifecycle state, invariants, schema, and service boundaries.
Password Authentication Pattern
12 min. Password Authentication Pattern for a production-grade Java system: registration, login, password change, reset, lifecycle state, enumeration defense, rate limiting, abuse control, audit, Spring/Jakarta implementation, invariants, and failure modes.
Password Storage & Verification
12 min. Password Storage & Verification for production-grade Java: Argon2id, BCrypt, PBKDF2, salt, pepper, parameter tuning, DelegatingPasswordEncoder, rehash strategy, legacy migration, verification pipeline, and operational failure modes.
Login Flow as State Machine
14 min. Login Flow as State Machine for production-grade Java: authentication attempt lifecycle, account state, credential verification, MFA challenge, session issuance, failure handling, audit, concurrency, and design invariants.
Account Enumeration & Rate Limiting
15 min. Account Enumeration & Rate Limiting for production-grade Java authentication: generic responses, timing resistance, synthetic verification, multi-dimensional throttling, lockout trade-offs, Redis/PostgreSQL implementation, Spring/Jakarta integration, and abuse observability.
Session Authentication Pattern
12 min. Session Authentication Pattern for production-grade Java: stateful login, HttpSession, SecurityContext, session id rotation, timeout, logout semantics, concurrent sessions, failover, observability, and failure modes.
Cookie Security & Browser Auth
11 min. Cookie Security & Browser Auth for Java authentication: HttpOnly, Secure, SameSite, Domain, Path, cookie prefixes, CSRF, CORS, Origin boundary, SPA/BFF pattern, logout cookie deletion, Spring/Jakarta implementation, and failure modes.
Session Store Design
14 min. Session Store Design for Java authentication: in-memory, sticky sessions, Redis, database, clustered sessions, session indexing, TTL, revocation, failover, Spring Session, Servlet/Jakarta implementation, observability, and failure modes.
Token Authentication Pattern
13 min. Token Authentication Pattern for Java authentication: bearer tokens, JWT, opaque tokens, reference tokens, token extraction, validation pipeline, Spring Security Resource Server, JAX-RS filters, claim design, transport, failure modes, and a decision matrix.
JWT Production-Grade Usage
9 min. JWT Production-Grade Usage for Java authentication: JWS, JWE, claims, issuer, audience, JWK, key rotation, algorithm allowlist, token confusion, Spring Security JwtDecoder, JAX-RS validation, and failure modes.
Token Lifecycle & Revocation
10 min. Token Lifecycle & Revocation for Java authentication: access tokens, refresh tokens, expiry, rotation, token families, reuse detection, revocation endpoint, introspection, logout semantics, Redis/PostgreSQL design, and an incident runbook.
API Key Authentication Pattern
9 min. API Key Authentication Pattern for Java: client credentials, key format, entropy, lookup prefix, hashed storage, secret vault, validation pipeline, scope, tenant binding, rotation, revocation, rate limiting, observability, Spring Security, JAX-RS, and a production runbook.
HMAC Request Signing Pattern
9 min. HMAC Request Signing Pattern for Java authentication: proof-of-possession, canonical request, signed headers, timestamp, nonce, replay window, payload hash, constant-time verification, key rotation, Spring/JAX-RS filters, webhook verification, testing, performance, and production failure modes.
Mutual TLS Authentication Pattern
10 min. Mutual TLS Authentication Pattern for Java systems: client certificate authentication, certificate-bound identity, TLS termination, service identity, SPIFFE/SPIRE concepts, Java SSLContext, Spring Security, JAX-RS, gateway integration, revocation, rotation, observability, testing, and production failure modes.
OAuth 2.x Mental Model
8 min. OAuth 2.x Mental Model for Java engineers: delegated authorization vs. authentication misuse, actors, grant types, tokens, scopes, audience, consent, authorization server, resource server, client types, PKCE, OAuth 2.1 direction, the security BCP, Spring Security, Jakarta/JAX-RS integration, and failure modes.