Spring Security

2011.10.27. 06:08 tvk

In the recent days, I had to get acquainted with Spring Security, which is a security framework for Java (Web) applications, based on the popular Spring framework. Instead of wading through the docs, I chose to pick and watch a screencast. I've found this one on InfoQ with a lot of well understandable examples and code. It had been recorded at SpringOne 2GX Chicago 2010, October 22. I found myself relistening parts of the screencast again and again, so I decided to write a "table of content" about it with timepoints. It may be useful for others so I post it here. (Well, SpringOne 2GX 2011 is held just now.)

From InfoQ: "Mike Wiesner is a Senior Consultant with SpringSource and has 10+ years experience in Java enterprise development and consulting. He is a committer of the Spring Security Framework and the creator of the Spring Security Kerberos Extension. He regularly speaks at various conferences and publishes work around Application Security and Spring."

0:00:00 Introduction
0:01:55 What's Spring Security? "Flexible Powerful Java Enterprise Security Framework"
0:04:00 History of Spring Security
0:07:45 Authentication highlights: LDAP, OpenID, JAAS, ...
0:09:30 DEMO TIME!
0:10:00 Introducing Holiday Request Application (without any security)
0:11:40 Application context configuration
0:11:50 Authentication manager in appContext.xml, LDAP example, embedded LDAP server
0:13:25 Authorization: securing URLs, login and failure pages
0:14:40 Default pattern: "Don't use permitAll().", "Strict everything and make it open again."
0:15:50 Most specific pattern on the top, most unspecific one on the bottom. Regex also can be used.
0:16:30 web.xml configuration for using Spring Security.
0:17:00 Don't ignore security with a filter pattern.
0:17:55 Demo Login.
0:18:40 Restrict acces for own items. (Creating holiday request only for yourself.)
0:19:20 Finding logged in user in the Controller code. NPE can occur.
0:20:30 Disabling field in JSP.
0:21:40 User check in the service. - SecurityContextHolder
0:22:30 Eliminating Spring dependency from the service.
0:25:00 Advantages of eliminating dependencies - better testability.
0:28:20 Restricting a URL in the app context by role: hasRole('ROLE_USER') or/and.
0:30:55 use-expressions flag.
0:33:30 Malicious URLs don't match patterns. You must secure your service methods. You can't rely on URL pattern checks. Defense in depth.
0:34:45 Securing service method with @Secured annotation by role.
0:35:30 Enabling global-method-security in appContext.xml.
0:38:40 Security interceptor. Global method security check can be disabled for testing.
0:40:35 Roles are not good. Role-right pattern: Role consists of rights. By using that, it's easy to create new roles without changing the source code.
0:42:40 @PreAuthorize annotation. Better than @Secured.
0:44:50 Enabling the above pre-post-annotations in app context.
0:47:50 Inspecting method parameters with @PreAuthorize. ACL
0:52:00 Permissions
0:54:00 Centralizing security rules. Using hasPermission in @PreAuthorize.
0:56:55 You can have more than one hasPermission-s.
0:57:30 Default implementation of hasPermission denies everything.
0:57:50 Setting up DefaultMethodSecurityExpressionHandler in app context for using hasPermission. PermissionEvaluator. expression-handler-ref.
0:58:50 Digging in PermissionEvaluator code.
1:02:00 Filtering returning list values with @PostFilter and hasPermission.
1:04:20 It's interesting this when using JPA. Make sure that your transaction ended.
1:05:15 Direct expression in @PostFilter.
1:07:00 Implementing permission evaluator in Groovy.
1:08:10 Power assert in Groovy.
1:09:30 Preventing rendering GUI components.
1:11:10 AspectJ in the backend: inserts a new property (deletable) into the domain object.
1:12:40 Changing the domain object in expression evaluator.
1:13:25 Editing JSP. Or more precisely a JSP tag in the tag library.
1:16:10 Begin with securing the backend. User interface should be the last one.
1:14:30 Bugging AspectJ config.
1:19:30 About expression language.
1:20:45 Spring Extensions module, Kerberos, SPNEGO
1:23:35 About Spring Security 3.1, easy Active Directory integration.
1:25:20 3.1's Google App Engine compatibility
1:25:55 Thank you for listening.

Szólj hozzá!

Címkék: java security webapp

A bejegyzés trackback címe:


A hozzászólások a vonatkozó jogszabályok  értelmében felhasználói tartalomnak minősülnek, értük a szolgáltatás technikai  üzemeltetője semmilyen felelősséget nem vállal, azokat nem ellenőrzi. Kifogás esetén forduljon a blog szerkesztőjéhez. Részletek a  Felhasználási feltételekben és az adatvédelmi tájékoztatóban.

Nincsenek hozzászólások.