
That’s a wrap! “Learning #SpringBoot” ‘s 1st draft has been submitted to @PacktPub

Last night, I worked from 9:30pm until 2am on Learning Spring Boot. Whew! It was tough work, but I needed to pull it across the finish line. I had the code lined up quite nicely for the entire chapter. I simply needed to tell the story of how all this stuff worked together.

As I’ve said before, security by itself is complicated. There are a lot of fine details involved. When someone first starts reading the reference docs of Spring Security, it can get real intimidating real fast. That isn’t Spring Security’s fault. It’s inherent to the nature of locking something down except for the right people in the right context with the right protections. “Right” and “wrong” can be very hard to define in just a couple of sentences.

I tried to walk through what is happening, provide a little “why is this happening” and finally leave some links for those that want to dig a little deeper and understand the incredibly complex stuff that Spring Security is ACTUALLY doing for them. The protocols Spring Security picks up and handles are quite complex, and when you get to the end, I hope the reader has a strong appreciation for how simple Spring Security has made it to give the developer control while still protecting system integrity.

With all that said, I breathed a big “whew!” as I bundled up this chapter’s manuscript and emailed it over to my editor at Packt. I have already started receiving feedback on the other chapters from my review team. These people are sharp! They really know Spring and have spotted some sloppy mistakes on my part. After I parse all their comments, this should be one well-honed book!

I also have truly enjoyed the development process of this book. Writing it in asciidoctor has let me focus 95% of my effort on the content. I work with an IDE open so I can tweak the code, run it, tweak again, and then commit the changes. My manuscript simply includes code files and fragments, and I layer it with some prose to explain what is happening and why it’s happening. Here and there I put tips and notes to answer questions I can foresee.

Then on the command line, I constantly regenerate an HTML rendering of the book. I read through it in chunks and polish it up. After all is done, I finally open up the LibreOffice output and walk through to fine-tune bits of code that overrun the width of the page. By staying away from the word processor as much as possible, the integrity of this book’s content has been kept at what I feel is tip-top shape.

Chapter 5 of Learning #SpringBoot almost done!

This Thursday I’ll be submitting the first draft for Chapter 5 – Securing Your App with Spring Boot inside Learning Spring Boot. If you have no experience with Spring Security, then I hope you’ll enjoy this chapter. Security by itself is a complex topic. There is no single thing that instantly makes your entire application secure from everything.

Spring Security is a powerful application level security tool. You get very detailed control and can customize to your heart’s content. But as is often the case, people want to use some basic settings that enact a common security model: authentication and authorization.

When you add Spring Security to a Spring Boot project, things get automatically locked down. This is handy for demos, but this chapter will show that you can then go in and configure things more to your liking. My plan is to walk through in-memory based options (good for testing and getting started) as well as configuring a couple of different databases that are commonly used. With that sort of introduction to Spring Boot + Spring Security, it becomes much easier to read the online reference docs if you want to cut over to an LDAP-based user data store.

As I said earlier, security doesn’t start and end at the application level. I want this chapter to be comprehensive in the sense that security doesn’t end at the application level. Spring Boot does a fantastic job of inverting the concept of a container by having the app bring along embedded Tomcat to run itself. In this chapter, we’ll see how to configure Spring Boot’s embedded Tomcat servlet container to use SSL, strengthening the end-to-end security of your app.

Chapter 4 of Learning #SpringBoot submitted…upgrading manuscript to 1.1.5.RELEASE

Yesterday afternoon, I bundled up Chapter 4, Data Access with Spring Boot for Learning Spring Boot and shipped it off to Packt Publishing. They were happy to receive it on time.

Then I saw Spring Boot release version 1.1.5.RELEASE. I just updated all my source code to the latest version, edited the fragments, and fixed the links in my asciidoctor files. Reading through all the issues of this release, nothing appears to have any impact on this book.

Naturally, I’ll recheck everything after I wrap up Chapter 5, Securing Your App. In the next and final chapter, I’ll show how Spring Boot speeds up securing apps. By merely adding Spring Security to your classpath, Spring Boot leaps into action and locks things down with suitable defaults. You can easily alter various settings. Finally, you can start plugging in custom configurations as needed.

Security, in my experience, has historically been a tricky subject. I’ve seen countless teams apply security as the last step. People also don’t understand that security is a multi-layer effort. It’s not ALL contained in the application.

And security requires a certain understanding, a frame of mind. When I worked on the commercial engineering team a couple of years ago, I applied several strategies to prevent users from having their data compromised. Not all of these ideas were my own. Many came from a teammate who had a prankster’s perspective.

If you look at the second image in this blog, you’ll see a perfect depiction of how people will do something like configure SSL for a website and call it a day. SSL only secures one aspect of things. Usernames and passwords only cover a few more aspects.

This chapter will help cover how Spring Boot makes it much simpler to secure the embedded Tomcat servlet container. It will show how to institute authentication and authorization to verify you are who you say you are and that you’re authorized to do what you must. It’s important to plug in security from the get-go, and Spring Boot makes this even easier than ever. But never stop looking for attack vectors that you must block to avoid issues.


SpringOne – Days 1 and 2

I finally found some time to post updates. Whew! It has been busy!

Day 1
================================
On Monday, I hooked up with the SpringSource guys. It seems everyone had something to work on. I wanted to get 0.9.0 completed and working before giving my demo of PetClinic on Thursday. Just about anyone I spoke to was polishing up their slides. It is truly fantastic to be chatting with the guys at SpringSource.

Rod Johnson gave the keynote address, focusing on the target goal of SpringSource in reducing the complexity of application development. Complexity means more development, more risk, and in turn, more cost. SpringSource’s overarching goal of reducing complexity must be working, because he had several metrics showing how much has been adopted to some degree by the industry.

After the keynote, I was finally able to meet up with Keith Donald. We have been playing email tag for some time, and I was surprised to find out his office is probably 10 minutes away from mine. Hopefully we can get together soon after the conference. It was also great to meet Mark Pollack, Chris Beams, Ben Alex, and of course, Rod Johnson himself. While I enjoy reading their blog entries and source code, there is no substitute for meeting the real person.

Day 2
================================
In the morning, I attended the Grails presentation. That was awesome. Graeme demonstrated building a twitter-like site using Grails in 40 minutes. Okay, he promised 40 minutes, and took 45 minutes, but only because he started adding extra functionality not found at the actual twitter site. In the process, I was realizing the value Grails places on plugins. Grails is good at creating a skeleton application, and then letting you flesh it out. I was starting to get the idea that Spring Python could use a command-line utility with plugins to generate a skeleton CherryPy app, Django app, or anything else developed by a plugin. Well, I went to the next session, “Intro to Spring Security 2.5”, opened my laptop, and started coding. I managed to write a static skeleton app, and then began working on a command-line utility to dynamically generate this. That is still in progress.

I admit I was only listening with one ear to Ben’s presentation. Sorry Ben! 1) I am already somewhat familiar with Spring Security, 2) most of it is geared towards web apps, which I don’t write, and 3) I was really stoked at the idea of a command-line tool that downloads Spring Python plugins from a network location. I did catch his question, “who here is NOT writing web apps?” I was the only person in the room who raised a hand to that. When asked what I was using, I answered “Swing desktop apps.” That plugged Ben’s point that Spring Security uses the same tactics.

After lunch, I attended two sessions about Spring Integration. This is channel-based messaging, which is sort of like JMS on steroids in my book. They interface with JMS, but also with other things like file-based systems, web services, RMI, anything. And it is easy to plug in your non-message-based service to a chain of processing. This is wiring your app in a different, more decoupled way. I sure could have used this about five years ago.

Later that evening, Russ and I got together to work on his Spring Extensions presentation. Russ is planning to talk about the process Spring has set up to better manage new code, and wanted to compare the process with real life, and Spring Python is his choice target. If you are at SpringOne and can read this before Thursday, I highly suggest you attend that presentation. It will definitely be entertaining (shameless plug).