Secure-by-Default Spring Apps: Zero Trust, OAuth2, and Runtime Policies
Ivan Šarić - Revolut
Traditional perimeter-based security is obsolete for cloud-native applications. Modern Spring applications must adopt a secure-by-default posture that treats identity, authorization, and runtime policy enforcement as first-class concerns. This talk presents a hands-on, architecture-first guide for building Zero Trust Spring applications that are easier to reason about, operate, and audit.
We start with identity: how to model users, clients, and services using OAuth2 / OIDC and Spring Authorization Server. You’ll see practical token models (JWTs vs reference tokens), approaches to claim design, and patterns for token issuance, introspection, rotation and revocation. Next, we cover service-to-service trust: mutual TLS (mTLS) and workload identity (SPIFFE/SPIRE-compatible patterns) to ensure services authenticate each other even inside a cluster.
Authorization moves beyond static role checks. I’ll introduce runtime policy enforcement using Policy-as-Code: integrating Open Policy Agent (OPA) as a sidecar or using Wasm policies embedded in the JVM, plus patterns for attribute-based access control (ABAC) and contextual decisions (time, location, risk signals). You’ll learn how to evaluate policies inside Spring Security filters, at the controller/method level, and in API gateways (Spring Cloud Gateway) so policy decisions are centralized but enforced everywhere.
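One way the "OPA as a sidecar, evaluated inside Spring Security" pattern can look in code. This is an added example, not code from the talk: it assumes an OPA sidecar on http://localhost:8181, a Rego rule at package path `httpapi/authz` exposing a boolean `allow`, and a resource server that authenticates requests with JWTs. The request's method, path, client address and JWT claims are sent as ABAC input, and any engine error is treated as a deny so the filter fails closed.

```java
import java.util.Map;
import java.util.function.Supplier;

import org.springframework.http.MediaType;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
import org.springframework.web.client.RestClient;

/**
 * Delegates the per-request authorization decision to an OPA sidecar.
 * Assumptions (example only): OPA listens on localhost:8181 and the Rego
 * package httpapi.authz defines a boolean rule "allow".
 *
 * Wiring in a SecurityFilterChain:
 *   http.authorizeHttpRequests(a -> a.anyRequest().access(new OpaAuthorizationManager()));
 */
public class OpaAuthorizationManager implements AuthorizationManager<RequestAuthorizationContext> {

    private final RestClient opa = RestClient.create("http://localhost:8181");

    @Override
    public AuthorizationDecision check(Supplier<Authentication> auth, RequestAuthorizationContext ctx) {
        Authentication a = auth.get();
        var req = ctx.getRequest();
        // ABAC input: who (verified JWT claims), what (method + path), and request context.
        Map<String, Object> subject = a instanceof JwtAuthenticationToken jwt ? jwt.getToken().getClaims() : Map.of();
        Map<String, Object> input = Map.of(
            "subject", subject,
            "method", req.getMethod(),
            "path", req.getRequestURI(),
            "remote_addr", req.getRemoteAddr());
        try {
            // OPA Data API: POST /v1/data/<package path>/<rule> with {"input": ...} returns {"result": ...}.
            OpaResponse resp = opa.post()
                .uri("/v1/data/httpapi/authz/allow")
                .contentType(MediaType.APPLICATION_JSON)
                .body(Map.of("input", input))
                .retrieve()
                .body(OpaResponse.class);
            // An undefined rule yields no "result" field; only an explicit true grants access.
            return new AuthorizationDecision(resp != null && Boolean.TRUE.equals(resp.result()));
        } catch (RuntimeException e) {
            // Fail closed: an unreachable or erroring policy engine must never grant access.
            return new AuthorizationDecision(false);
        }
    }

    record OpaResponse(Boolean result) {}
}
```

Because the decision is computed from the input map, logging that map together with the returned decision gives the audit record and decision telemetry the later sections call for.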
Operational concerns are a major focus: how to deliver live policy updates without redeploys, test policies with automated suites, capture rich audit logs for compliance, and surface policy decision telemetry to observability pipelines so security and SRE teams can create SLOs and alerts. Finally, the talk covers CI/CD gating for policies — failing builds on dangerous policy changes — and practical mitigations like safe rollouts and canary policy evaluations.
Throughout, I’ll show concrete Spring configuration snippets, explain tradeoffs (performance vs expressiveness, JWT size vs introspection cost), and demonstrate a compact demo: an Authorization Server, a protected resource service, and a policy engine where policy changes take effect live and are visible via audit logs and traces. Attendees will leave with a clear, actionable checklist and reference patterns to make their Spring apps secure-by-default.
