Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Spring Security
Spring Security

Spring Security: Secure your web applications, RESTful services, and microservice architectures , Third Edition

Arrow left icon
Profile Icon Mick Knutson Profile Icon Mularien Profile Icon Robert Winch
Arrow right icon
$19.99 per month
Full star icon Full star icon Full star icon Full star icon Half star icon 4.5 (4 Ratings)
Paperback Nov 2017 542 pages 3rd Edition
eBook
$51.99
Paperback
$64.99
Subscription
Free Trial
Renews at $19.99p/m
Arrow left icon
Profile Icon Mick Knutson Profile Icon Mularien Profile Icon Robert Winch
Arrow right icon
$19.99 per month
Full star icon Full star icon Full star icon Full star icon Half star icon 4.5 (4 Ratings)
Paperback Nov 2017 542 pages 3rd Edition
eBook
$51.99
Paperback
$64.99
Subscription
Free Trial
Renews at $19.99p/m
eBook
$51.99
Paperback
$64.99
Subscription
Free Trial
Renews at $19.99p/m

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing
Table of content icon View table of contents Preview book icon Preview Book

Spring Security

Anatomy of an Unsafe Application

Security is arguably one of the most critical architectural components of any 
web-based application written in the 21st century. In an era where malware, criminals, and rogue employees are always present and actively testing software 
for exploits, smart and comprehensive use of security is a key element to any project for which you'll be responsible.

This book is written to follow a pattern of development that, we feel, provides a useful premise for tackling a complex subject—taking a web-based application with a Spring 4.2 foundation, and understanding the core concepts and strategies for securing it with Spring Security 4.2. We complement this approach by providing sample code for each chapter in the form of complete web applications.

Whether you're already using Spring Security or are interested in taking your basic use of the software to the next level of complexity, you'll find something to help you in this book. During the course of this chapter, we will cover the following topics:

  • The results of a fictional security audit
  • Some common security problems of web-based applications
  • Several core software security terms and concepts

If you are already familiar with basic security terminology, you may skip to 
Chapter 2, Getting Started with Spring Security, where we start using the basic functionality of the framework.

Security audit

It's early in the morning at your job as a software developer for the Jim Bob Circle Pants Online Calendar (JBCPCalendar.com), and you're halfway through your first cup of coffee when you get the following email from your supervisor:

What? You didn't think about security when you designed the application? In fact, at this point, you are not even sure what a security audit is. Sounds like you'll have a lot to learn from the security auditors! Later in this chapter, we will review what an audit is, along with the results of an audit. First, let's spend a bit of time examining the application that's under review.

About the sample application

Although we'll be working through a contrived scenario as we progress through this book, the design of the application and the changes that we'll make to it are drawn from the real-world usage of Spring-based applications. The calendar application allows users to create and view events:

After entering the details for a new event, you will be presented with the 
following screenshot:

The application is designed to be simplistic, to allow us to focus on the important aspects of security and not get tied up in the details of object-relational mapping (ORM) and complex UI techniques. We expect you to refer to other supplementary materials in the Appendix, Additional Reference Material (in the Supplementary Materials section of this book) to cover some of the baseline functionality that is provided as part of the sample code.

The code is written in Spring and Spring Security 4.2, but it would be relatively easy to adapt many of the examples to other versions of Spring Security. Refer to the discussion about the detailed changes between Spring Security 3 and 4.2 in Chapter 16, Migration to Spring Security 4.2, for assistance in translating the examples to the Spring Security 4 syntax.

Please don't use this application as a baseline to build a real online calendar application. It has been purposely structured to be simple and to focus on the concepts and configuration that we illustrate in this book.

The JBCP calendar application architecture

The web application follows a standard three-tier architecture consisting of a web, service, and data access layer, as indicated in the following diagram:

You can find additional material about MVC architectures in the Supplementary Materials section of the Appendix, Additional Reference Material.

The web layer encapsulates MVC code and functionality. In this sample application, we will use the Spring MVC framework, but we could just as easily use Spring Web Flow (SWF), Apache Struts, or even a Spring-friendly web stack, such as Apache Wicket.

In a typical web application, leveraging Spring Security, the web layer is where much of the configuration and augmentation of code takes place. For example, the EventsController class is used to transform an HTTP request into persisting an event into the database. If you haven't had a lot of experience with web applications and Spring MVC specifically, it would be wise to review the baseline code closely and make sure you understand it before we move on to more complex subjects. Again, we've tried to make the website as simple as possible, and the construct of a calendar application is used just to provide a sensible title and light structure to the site.

You can find detailed instructions on setting up the sample application within the Appendix, Additional Reference Material.

The service layer encapsulates the business logic for the application. In our sample application, we use DefaultCalendarService as a very light facade over the data access layer, to illustrate particular points about securing application service methods. The service layer is also used to operate on both Spring Security APIs and our Calendar APIs within a single method call. We will discuss this in greater detail in Chapter 3, Custom Authentication.

In a typical web application, this layer would incorporate business rule validation, composition and decomposition of business objects, and cross-cutting concerns such as auditing.

The data access layer encapsulates the code responsible for manipulating the contents of database tables. In many Spring applications, this is where you would see the use of ORM, such as Hibernate or JPA. It exposes an object-based API to the service layer. In our sample application, we use basic JDBC functionality to achieve persistence to the in-memory H2 database. For example, JdbcEventDao is used to save event objects to the database.

In a typical web application, a more comprehensive data access solution would be utilized. As ORM, and more generally data access, tends to be confusing for some developers, this is an area we have chosen to simplify as much as possible for the purposes of clarity.

Application technology

We have endeavored to make the application as easy to run as possible by focusing on some basic tools and technologies that almost every Spring developer would have on their development machine. Nevertheless, we have provided the Getting started section as supplementary information in the Append, Getting Started with JBCP Calendar Sample Code.

The primary method for integrating with the sample code is providing Gradle--compatible projects. Since many IDEs have rich integration with Gradle, users should be able to import the code into any IDE that supports Gradle. As many developers use Gradle, we felt this was the most straightforward method of packaging the examples. Whatever development environment you are familiar with, hopefully, you will find a way to work through the examples in this book.

Many IDEs provide Gradle tooling that can automatically download the Spring and Spring Security 4.2 Javadoc and source code for you. However, there may be times when this is not possible. In such cases, you'll want to download the full releases of both Spring 4.2 and Spring Security 4.2. The Javadoc and source code are top-notch. If you get confused or want more information, the samples can provide an additional level of support or reassurance for your learning. Visit the Supplementary Materials section, in Appendix, Additional Reference Material to find additional information about Gradle, including running the samples, obtaining the source code and Javadoc, and the alternatives for building your projects without Gradle.

Reviewing the audit results

Let's return to our email and see how the audit is progressing. Uh-oh, the results don't look good:

APPLICATION AUDIT RESULTS

This application exhibits the following insecure behavior:

  • Inadvertent privilege escalation due to lack of URL protection and 
general authentication
  • Inappropriate or non-existent use of authorization
  • Missing database credential security
  • Personally-identifiable or sensitive information is easily accessible 
or unencrypted
  • Insecure transport-level protection due to lack of SSL encryption
  • Risk level is high

We recommend that this application should be taken offline until these issues can 
be resolved.

Ouch! This result looks bad for our company. We'd better work to resolve these issues as quickly as possible.

Third-party security specialists are often hired by companies (or their partners or customers) to audit the effectiveness of their software security, through a combination of white hat hacking, source code review, and formal or informal conversations with application developers and architects.

White hat hacking or ethical hacking is done by professionals who are hired to instruct companies on how to protect themselves better, rather than with the intent 
to be malicious.

Typically, the goal of security audits is to provide management or clients with the assurance that basic secure development practices have been followed, to ensure the integrity and safety of the customer's data and system functions. Depending on the industry the software is targeted at, the auditor may also test it using industry-specific standards or compliance metrics.

Two specific security standards that you're likely to run into at some point in your career are the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Privacy and Accountability Act (HIPAA) privacy rules. Both these standards are intended to ensure the safety of specific sensitive information (such as credit card and medical information) through a combination of process and software controls. Many other industries and countries have similar rules about sensitive or Personally Identifiable Information (PII). Failure to follow these standards is not only bad practice but also something that could expose you or your company to significant liability (not to mention bad press) in the event of a security breach.

Receiving the results of a security audit can be an eye-opening experience. Following through with the required software improvements can be the perfect opportunity for self-education and software improvement, and can allow you to implement practices and policies that lead to secure software.

Let's review the auditor's findings, and come up with a plan to address them 
in detail.

Authentication

Authentication is one of two key security concepts that you must internalize when developing secure applications (the other being authorization). Authentication identifies who is attempting to request a resource. You may be familiar with authentication in your daily online and offline life, in very different contexts, as follows:

  • Credential-based authentication: When you log in to your web-based email account, you most likely provide your username and password. The email provider matches your username with a known user in its database and verifies that your password matches what they have on record. These credentials are what the email system uses to validate that you are a valid user of the system. First, we'll use this type of authentication to secure sensitive areas of the JBCP calendar application. Technically speaking, the email system can check credentials not only in the database but anywhere, for example, a corporate directory server such as Microsoft Active Directory. A number of these types of integrations are covered throughout this book.
  • Two-factor authentication: When you withdraw money from your bank's automated teller machine, you swipe your ID card and enter your personal identification number before you are allowed to retrieve cash or conduct other transactions. This type of authentication is similar to the username and password authentication, except that the username is encoded on the card's magnetic strip. The combination of the physical card and user-entered PIN allows the bank to ensure that you should have access to the account. The combination of a password and a physical device (your plastic ATM card) is a ubiquitous form of two-factor authentication. In a professional, security-conscious environment, it's common to see these types of devices in regular use for access to highly secure systems, especially dealing with finance or personally identifiable information. A hardware device, such as RSA SecurID, combines a time-based hardware device with server-based authentication software, making the environment extremely difficult to compromise.
  • Hardware authentication: When you start your car in the morning, you slip your metal key into the ignition and turn it to get the car started. Although it may not feel similar to the other two examples, the correct match of the bumps on the key and the tumblers in the ignition switch function as a form of hardware authentication.

There are literally dozens of forms of authentication that can be applied to the problem of software and hardware security, each with their own pros and cons. We'll review some of these methods as they apply to Spring Security throughout the first half of this book. Our application lacks any type of authentication, which is why the audit included the risk of inadvertent privilege escalation.

Typically, a software system will be divided into two high-level realms, 
such as unauthenticated (or anonymous) and authenticated, as shown 
in the following screenshot:

Application functionality in the anonymous realm is the functionality that is independent of a user's identity (think of a welcome page for an online application).

Anonymous areas do not do the following:

  • Require a user to log in to the system or otherwise identify themselves 
to be usable
  • Display sensitive information, such as names, addresses, credit cards, 
and orders
  • Provide functionality to manipulate the overall state of the system or its data

Unauthenticated areas of the system are intended for use by everyone, even by users who we haven't specifically identified yet. However, it may be that additional functionality appears to identified users in these areas (for example, the ubiquitous Welcome {First Name} text). The selective displaying of content to authenticated users is fully supported through the use of the Spring Security tag library and is covered in Chapter 11, Fine-Grained Access Control.

We'll resolve this finding and implement form-based authentication using the automatic configuration capability of Spring Security in Chapter 2, Getting Started with Spring Security. Afterwards, we will explore various other means of performing authentication (which usually revolves around system integration with enterprise 
or other external authentication stores).

Authorization

Inappropriate or non-existent use of authorization

Authorization is the second of two core security concepts that are crucial in implementing and understanding application security. Authorization uses the information that was validated during authentication to determine whether access should be granted to a particular resource. Built around the authorization model for the application, authorization partitions the application functionality and data so that the availability of these items can be controlled by matching the combination of privileges, functionality, and data to users. Our application's failure at this point of the audit indicates that the application's functionality isn't restricted by the user role. Imagine if you were running an e-commerce site and the ability to view, cancel, or modify orders and customer information was available to any user of the site!

Authorization typically involves the following two separate aspects that combine to describe the accessibility of the secured system:

  • The first is the mapping of an authenticated principal to one or more authorities (often called roles). For example, a casual user of your website might be viewed 
as having visitor authority, while a site administrator might be assigned administrative authority.
  • The second is the assignment of authority checks to secured resources of the system. This is typically done at the time a system is developed, either through an explicit declaration in code or through configuration parameters. For example, the screen that allows for the viewing of other users' events should be made available only to those users with administrative authority.
A secured resource may be any aspect of the system that should be conditionally available based on the authority of the user.

Secured resources of a web-based application could be individual web pages, entire portions of the website, or portions of individual pages. Conversely, secured business resources might be method calls on classes or individual business objects.

You might imagine an authority check that would examine the principal, look up its user account, and determine whether the principal is, in fact, an administrator. If this authority check determines that the principal who is attempting to access the secured area is, in fact, an administrator, then the request will succeed. If, however, the principal does not have the sufficient authority, the request should be denied.

Let's take a closer look at an example of a particular secured resource, the All Events page. The All Events page requires administrative access (after all, we don't want regular users viewing other users' events), and as such, looks for a certain level of authority in the principal accessing it.

If we think about how a decision might be made when a site administrator 
attempts to access the protected resource, we'd imagine that the examination of the actual authority versus the required authority might be expressed concisely in terms 
of the set theory. We might then choose to represent this decision as a Venn diagram for the administrative user:

There is an intersection between User Authorities (users and administrators) 
and Required Authorities (administrators) for the page, so the user is provided 
with access.

Contrast this with an unauthorized user, as follows:

The sets of authorities are disjointed and have no common elements. So, the user is denied access to the page. Thus, we have demonstrated the basic principle of the authorization of access to resources.

In reality, there's real code making this decision, with the consequence that the user is granted or denied access to the requested protected resource. We'll address the basic authorization problem with the authorization infrastructure of Spring Security in Chapter 2, Getting Started with Spring Security, followed by more advanced authorization in Chapter 12, Access Control Lists, and Chapter 13, Custom Authorization.

Database credential security

Database credentials are not secure or easily accessible. Through the examination of the application source code and configuration files, 
the auditors noted that user passwords were stored in plain text in the configuration files, making it very easy for a malicious user with access to the server to gain access to the application.

As the application contains personal and financial data, a rogue user being able to access any data could expose the company to identity theft or tampering. Protecting access to the credentials used to access the application should be a top priority for us, and an important first step is ensuring that one point of failure in security does not compromise the entire system.

We'll examine the configuration of database access layers in Spring Security for credential storage, which requires JDBC connectivity, in Chapter 4, JDBC-Based Authentication. In the same chapter, we'll also look at built-in techniques to increase the security of passwords stored in the database.

Sensitive information

Personally identifiable or sensitive information is easily accessible or unencrypted. The auditors noted that some significant and sensitive pieces of data were completely unencrypted or masked anywhere in the system. Fortunately, there are some simple design patterns and tools that allow us to protect this information securely, with annotation-based AOP support in Spring Security.

Transport-level protection

There is insecure transport-level protection due to lack of SSL encryption.

While, in the real world, it's unthinkable that an online application containing private information would operate without SSL protection, unfortunately, the JBCP calendar is in just this situation. SSL protection ensures that communication between the browser client and the web application server are secure against many kinds of tampering and snooping.

In the HTTPS Setup in Tomcat section, in Appendix, Additional Reference Material, we'll review the basic options for 
using transport-level security as part of the definition of the secured structure 
of the application.

Using Spring Security 4.2 to address security concerns

Spring Security 4.2 provides a wealth of resources that allow for many common security practices to be declared or configured in a straightforward manner. In the coming chapters, we'll apply a combination of source code and application configuration changes to address all of the concerns raised by the security auditors (and more), to give ourselves the confidence that our calendar application is secure.

With Spring Security 4.2, we'll be able to make the following changes to increase our application's security:

  • Segment users of the system into user classes
  • Assign levels of authorization to user roles
  • Assign user roles to user classes
  • Apply authentication rules globally across application resources
  • Apply authorization rules at all levels of the application architecture
  • Prevent common types of attacks intended to manipulate or steal a 
user's session

Why Spring Security?

Spring Security exists to fill a gap in the universe of Java third-party libraries, much as the Spring Framework originally did when it was first introduced. Standards such as Java Authentication and Authorization Service (JAAS) or Java EE Security do offer some ways of performing some of the same authentication and authorization functions, but Spring Security is a winner because it includes everything you need to implement a top-to-bottom application security solution in a concise and sensible way.

Additionally, Spring Security appeals to many, because it offers out-of-the-box integration with many common enterprise authentication systems; so it's adaptable to most situations with little effort (beyond configuration) on the part of the developer.

It's in wide use because there's really no other mainstream framework quite like it!

Summary

In this chapter, we have reviewed the common points of risk in an unsecured web application and the basic architecture of the sample application. We have also discussed the strategies for securing the application.

In the next chapter, we'll explore how to get Spring Security set up quickly and get a basic understanding of how it works.

Left arrow icon Right arrow icon
Download code icon Download Code

Key benefits

  • Architect solutions that leverage the power of Spring Security while being loosely coupled
  • Implement existing user stores, user sign up, authentication, and supporting AJAX requests
  • Integrate with popular Cloud services such as Zookeeper, Eureka, and Consul, along with advanced techniques, including OAuth, JSON Web Token's (JWS), Hashing, and encryption algorithms

Description

Knowing that experienced hackers are itching to test your skills makes security one of the most difficult and high-pressured concerns of creating an application. The complexity of properly securing an application is compounded when you must also integrate this factor with existing code, new technologies, and other frameworks. Use this book to easily secure your Java application with the tried and trusted Spring Security framework, a powerful and highly customizable authentication and access-control framework. The book starts by integrating a variety of authentication mechanisms. It then demonstrates how to properly restrict access to your application. It also covers tips on integrating with some of the more popular web frameworks. An example of how Spring Security defends against session fixation, moves into concurrency control, and how you can utilize session management for administrative functions is also included. It concludes with advanced security scenarios for RESTful webservices and microservices, detailing the issues surrounding stateless authentication, and demonstrates a concise, step-by-step approach to solving those issues. And, by the end of the book, readers can rest assured that integrating version 4.2 of Spring Security will be a seamless endeavor from start to finish.

Who is this book for?

This book is intended for Java Web and/or RESTful webservice developers and assumes a basic understanding of creating Java 8, Java Web and/or RESTful webservice applications, XML, and the Spring Framework. You are not expected to have any previous experience with Spring Security.

What you will learn

  • Understand common security vulnerabilities and how to resolve them
  • Perform initial penetration testing to uncover common security vulnerabilities
  • Utilize existing corporate infrastructure such as LDAP, Active Directory, Kerberos, OpenID, and OAuth
  • Integrate with popular frameworks such as Spring, Spring-Boot, Spring-Data, jQuery, and AngularJS
  • Deep understanding of the security challenges with RESTful webservices and microservice architectures
  • Integrate Spring with other security infrastructure components like LDAP, Apache Directory server and SAML

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Nov 28, 2017
Length: 542 pages
Edition : 3rd
Language : English
ISBN-13 : 9781787129511
Category :
Languages :
Concepts :
Tools :

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing

Product Details

Publication date : Nov 28, 2017
Length: 542 pages
Edition : 3rd
Language : English
ISBN-13 : 9781787129511
Category :
Languages :
Concepts :
Tools :

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total $ 162.97
Spring Security
$64.99
Learning Spring Boot 2.0
$48.99
Spring 5 Design Patterns
$48.99
Total $ 162.97 Stars icon

Table of Contents

18 Chapters
Anatomy of an Unsafe Application Chevron down icon Chevron up icon
Getting Started with Spring Security Chevron down icon Chevron up icon
Custom Authentication Chevron down icon Chevron up icon
JDBC-Based Authentication Chevron down icon Chevron up icon
Authentication with Spring Data Chevron down icon Chevron up icon
LDAP Directory Services Chevron down icon Chevron up icon
Remember-Me Services Chevron down icon Chevron up icon
Client Certificate Authentication with TLS Chevron down icon Chevron up icon
Opening up to OAuth 2 Chevron down icon Chevron up icon
Single Sign-On with the Central Authentication Service Chevron down icon Chevron up icon
Fine-Grained Access Control Chevron down icon Chevron up icon
Access Control Lists Chevron down icon Chevron up icon
Custom Authorization Chevron down icon Chevron up icon
Session Management Chevron down icon Chevron up icon
Additional Spring Security Features Chevron down icon Chevron up icon
Migration to Spring Security 4.2 Chevron down icon Chevron up icon
Microservice Security with OAuth 2 and JSON Web Tokens Chevron down icon Chevron up icon
Additional Reference Material Chevron down icon Chevron up icon

Customer reviews

Rating distribution
Full star icon Full star icon Full star icon Full star icon Half star icon 4.5
(4 Ratings)
5 star 50%
4 star 50%
3 star 0%
2 star 0%
1 star 0%
Jeovany Tenorio Hernandez Mar 02, 2020
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Excelente libro, supero todas mis expectativas
Amazon Verified review Amazon
Dmitry Jun 11, 2020
Full star icon Full star icon Full star icon Full star icon Full star icon 5
This book has a nice introduction. The code can be compiled with maven after some small modifications and googling. The knowledge can be transformed to the Spring Security 5.*
Amazon Verified review Amazon
Daniel Jun 24, 2019
Full star icon Full star icon Full star icon Full star icon Empty star icon 4
Es un buen libro, llega al fondo de los asuntos de Spring Security y ese puede ser su punto débil. Terminas de leerlo, analizándolo un poco y notas que se te escapa una visión global de Security, y que después de todo, en la práctica, no hacía falta llegar tan al detalle de las configuraciones posibles y de las tripas de security y lo que realmente vale no queda del todo claro. Pero es una obra de calidad
Amazon Verified review Amazon
Vishu May 21, 2018
Full star icon Full star icon Full star icon Full star icon Empty star icon 4
A very good introduction to security using Spring, covers a variety of methods and models. I would highly recommend it to anyone using Spring.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is included in a Packt subscription? Chevron down icon Chevron up icon

A subscription provides you with full access to view all Packt and licnesed content online, this includes exclusive access to Early Access titles. Depending on the tier chosen you can also earn credits and discounts to use for owning content

How can I cancel my subscription? Chevron down icon Chevron up icon

To cancel your subscription with us simply go to the account page - found in the top right of the page or at https://subscription.packtpub.com/my-account/subscription - From here you will see the ‘cancel subscription’ button in the grey box with your subscription information in.

What are credits? Chevron down icon Chevron up icon

Credits can be earned from reading 40 section of any title within the payment cycle - a month starting from the day of subscription payment. You also earn a Credit every month if you subscribe to our annual or 18 month plans. Credits can be used to buy books DRM free, the same way that you would pay for a book. Your credits can be found in the subscription homepage - subscription.packtpub.com - clicking on ‘the my’ library dropdown and selecting ‘credits’.

What happens if an Early Access Course is cancelled? Chevron down icon Chevron up icon

Projects are rarely cancelled, but sometimes it's unavoidable. If an Early Access course is cancelled or excessively delayed, you can exchange your purchase for another course. For further details, please contact us here.

Where can I send feedback about an Early Access title? Chevron down icon Chevron up icon

If you have any feedback about the product you're reading, or Early Access in general, then please fill out a contact form here and we'll make sure the feedback gets to the right team. 

Can I download the code files for Early Access titles? Chevron down icon Chevron up icon

We try to ensure that all books in Early Access have code available to use, download, and fork on GitHub. This helps us be more agile in the development of the book, and helps keep the often changing code base of new versions and new technologies as up to date as possible. Unfortunately, however, there will be rare cases when it is not possible for us to have downloadable code samples available until publication.

When we publish the book, the code files will also be available to download from the Packt website.

How accurate is the publication date? Chevron down icon Chevron up icon

The publication date is as accurate as we can be at any point in the project. Unfortunately, delays can happen. Often those delays are out of our control, such as changes to the technology code base or delays in the tech release. We do our best to give you an accurate estimate of the publication date at any given time, and as more chapters are delivered, the more accurate the delivery date will become.

How will I know when new chapters are ready? Chevron down icon Chevron up icon

We'll let you know every time there has been an update to a course that you've bought in Early Access. You'll get an email to let you know there has been a new chapter, or a change to a previous chapter. The new chapters are automatically added to your account, so you can also check back there any time you're ready and download or read them online.

I am a Packt subscriber, do I get Early Access? Chevron down icon Chevron up icon

Yes, all Early Access content is fully available through your subscription. You will need to have a paid for or active trial subscription in order to access all titles.

How is Early Access delivered? Chevron down icon Chevron up icon

Early Access is currently only available as a PDF or through our online reader. As we make changes or add new chapters, the files in your Packt account will be updated so you can download them again or view them online immediately.

How do I buy Early Access content? Chevron down icon Chevron up icon

Early Access is a way of us getting our content to you quicker, but the method of buying the Early Access course is still the same. Just find the course you want to buy, go through the check-out steps, and you’ll get a confirmation email from us with information and a link to the relevant Early Access courses.

What is Early Access? Chevron down icon Chevron up icon

Keeping up to date with the latest technology is difficult; new versions, new frameworks, new techniques. This feature gives you a head-start to our content, as it's being created. With Early Access you'll receive each chapter as it's written, and get regular updates throughout the product's development, as well as the final course as soon as it's ready.We created Early Access as a means of giving you the information you need, as soon as it's available. As we go through the process of developing a course, 99% of it can be ready but we can't publish until that last 1% falls in to place. Early Access helps to unlock the potential of our content early, to help you start your learning when you need it most. You not only get access to every chapter as it's delivered, edited, and updated, but you'll also get the finalized, DRM-free product to download in any format you want when it's published. As a member of Packt, you'll also be eligible for our exclusive offers, including a free course every day, and discounts on new and popular titles.