
Learn Java Authentication Pattern

Authentication mental model for Java engineers: identity, credential, principal, subject, session, token, assurance, and how the authentication result travels through a production-grade application.

40 Lessons | 506 Min Total | 04 Phases

This overview is designed to help you choose the right entry point quickly. Follow the full track from lesson one, continue from your last checkpoint, or jump straight into a phase that matches what you need right now.


Curriculum Map

Navigate by phase, then choose the lesson that matches your current depth.

01

Authentication Mental Model

18 min

Authentication mental model for Java engineers: identity, credential, principal, subject, session, token, assurance, and how the authentication result travels through a production-grade application.

02

Authentication Boundary and Trust Model

15 min

Boundary and trust model for production-grade Java authentication: edge, gateway, application, identity provider, internal service, async worker, and data layer.

03

Threat Model for Authentication

24 min

Authentication threat model for Java engineers: credential theft, replay, phishing, session fixation, token substitution, confused deputy, tenant confusion, recovery abuse, and how these threats change the implementation design.

04

Java Authentication Landscape

19 min

Modern Java authentication landscape: Servlet, FilterChain, Spring Security, Jakarta Security, Jakarta Authentication/JASPIC, JAAS, JAX-RS, MicroProfile JWT, container-managed security, and Identity Provider integration.

05

Servlet Filter Chain Authentication

18 min

Servlet Filter Chain Authentication for Java engineers: how a request enters, how filters work, how authentication is decided, how the SecurityContext is built, how the response leaves, and how failure modes arise from ordering, dispatch, threads, and boundaries.

06

Spring Security Architecture Deep Dive

18 min

Spring Security Architecture Deep Dive for Java engineers: DelegatingFilterProxy, FilterChainProxy, SecurityFilterChain, SecurityContextHolder, AuthenticationManager, ProviderManager, AuthenticationProvider, EntryPoint, Success/Failure handler, and production-grade customization.

07

Jakarta Security Authentication Model

15 min

Jakarta Security Authentication Model for Java engineers: HttpAuthenticationMechanism, IdentityStore, IdentityStoreHandler, CredentialValidationResult, SecurityContext, built-in mechanisms, custom mechanism, role/group mapping, and production-grade failure modes.

08

User Identity Domain Model

13 min

User Identity Domain Model for a production-grade Java authentication system: account, person, subject, tenant, credential, authenticator, session, device, recovery, risk signal, audit event, lifecycle state, invariant, schema, and service boundary.

09

Password Authentication Pattern

12 min

Password Authentication Pattern for production-grade Java systems: registration, login, password change, reset, lifecycle state, enumeration defense, rate limiting, abuse control, audit, Spring/Jakarta implementation, invariants, and failure modes.

10

Password Storage & Verification

12 min

Password Storage & Verification for production-grade Java: Argon2id, BCrypt, PBKDF2, salt, pepper, parameter tuning, DelegatingPasswordEncoder, rehash strategy, legacy migration, verification pipeline, and operational failure modes.

11

Login Flow as State Machine

14 min

Login Flow as State Machine for production-grade Java: authentication attempt lifecycle, account state, credential verification, MFA challenge, session issuance, failure handling, audit, concurrency, and design invariants.

12

Account Enumeration & Rate Limiting

15 min

Account Enumeration & Rate Limiting for production-grade Java authentication: generic response, timing resistance, synthetic verification, multi-dimensional throttling, lockout trade-off, Redis/PostgreSQL implementation, Spring/Jakarta integration, and abuse observability.

13

Session Authentication Pattern

12 min

Session Authentication Pattern for production-grade Java: stateful login, HttpSession, SecurityContext, session id rotation, timeout, logout semantics, concurrent sessions, failover, observability, and failure modes.

14

Cookie Security & Browser Auth

11 min

Cookie Security & Browser Auth for Java authentication: HttpOnly, Secure, SameSite, Domain, Path, cookie prefix, CSRF, CORS, Origin boundary, SPA/BFF pattern, logout cookie deletion, Spring/Jakarta implementation, and failure modes.

15

Session Store Design

14 min

Session Store Design for Java authentication: in-memory, sticky session, Redis, database, clustered session, session indexing, TTL, revocation, failover, Spring Session, Servlet/Jakarta implementation, observability, and failure modes.

16

Token Authentication Pattern

13 min

Token Authentication Pattern for Java authentication: bearer token, JWT, opaque token, reference token, token extraction, validation pipeline, Spring Security Resource Server, JAX-RS filters, claim design, transport, failure modes, and decision matrix.

17

JWT Production-Grade Usage

9 min

JWT Production-Grade Usage for Java authentication: JWS, JWE, claims, issuer, audience, JWK, key rotation, algorithm allowlist, token confusion, Spring Security JwtDecoder, JAX-RS validation, and failure modes.

18

Token Lifecycle & Revocation

10 min

Token Lifecycle & Revocation for Java authentication: access token, refresh token, expiry, rotation, token family, reuse detection, revocation endpoint, introspection, logout semantics, Redis/PostgreSQL design, and incident runbook.

19

API Key Authentication Pattern

9 min

API Key Authentication Pattern for Java: client credential, key format, entropy, lookup prefix, hashed storage, secret vault, validation pipeline, scope, tenant binding, rotation, revocation, rate limiting, observability, Spring Security, JAX-RS, and production runbook.

20

HMAC Request Signing Pattern

9 min

HMAC Request Signing Pattern for Java authentication: proof-of-possession, canonical request, signed headers, timestamp, nonce, replay window, payload hash, constant-time verification, key rotation, Spring/JAX-RS filters, webhook verification, testing, performance, and production failure modes.

21

Mutual TLS Authentication Pattern

10 min

Mutual TLS Authentication Pattern for Java systems: client certificate authentication, certificate-bound identity, TLS termination, service identity, SPIFFE/SPIRE concepts, Java SSLContext, Spring Security, JAX-RS, gateway integration, revocation, rotation, observability, testing, and production failure modes.

22

OAuth 2.x Mental Model

8 min

OAuth 2.x Mental Model for Java engineers: delegated authorization vs authentication misuse, actors, grant types, tokens, scopes, audience, consent, authorization server, resource server, client types, PKCE, OAuth 2.1 direction, security BCP, Spring Security, Jakarta/JAX-RS integration, and failure modes.