Spring boot authority check inside controller? - spring

Had a discussion with a coworker.
He claims we should check user authority inside the controller (with our own implementation) instead of using Spring Security's filters before the controller.
I'm new to Spring and maybe I'm wrong, but I see that authentication should be resolved as early as possible and be implemented by the coding standards and well known methods.
Can anyone comment on this.
Edit: he's main reason for this was the complexicity of the spring boot security mechanism that may introduce security holes.

Related

Spring Security entry point

The problem is that the user is getting logged in with the context "/oauth/token" but I am unable to find the exact entry point. There is no controller or anything written.How is it working? How is the spring security getting call and process the requests? My spring boot project version is 2.2.1.RELEASE and java version 1.8
I tried making some basic project and cannot get a hand on it.I which class or files do I have to look and any documentation or blogs that will help me please provide it.
Spring Security's servlet support is based on servlet filters.
The entry point for Spring Security is the FilterChainProxy which invokes one SecurityFilterChain with multiple filters configured.
Placing a breakpoint in FilterChainProxy#doFilter can help you understand what happens.
https://docs.spring.io/spring-security/reference/5.8/servlet/architecture.html#servlet-filters-review

Integration between Couchdb and Spring

I am new to Spring and Couchdb. I have made a login interface in Spring that authenticates the user using Spring-Security.
Can anybody tell how to add user information at the time of log-in in a Couchdb Database ?
Well, there is no defintion of "spring-mvc annotation" based project.
In this case, someone is trying to differentiate between the usage of annotations and xml-configuration based dependency injection and project configuration.
In case you are not familiar with the old way of using spring-mvc, you might take a look on this example.
If you are planning to use spring-mvc in a new project, i would strongly recommend to use spring and spring-mvc with an annotation based style, as described in the spring reference.

Security configuration without XML with custom filters?

I'm using Spring Boot in STS to build a simple REST API.
I have some basic security requirements, similar to the ones described in the original post here: RESTful Authentication via Spring
The accepted answer above seems like a valid solution but does not translate to Spring Boot due to the lack of XML configuration.
How would I configure my Spring Boot application in the same manner?
You can use the same code as in that post if you want (are you sure that's what you want?) with #Configuration. The HttpSecurity builder has methods addFilter(), addFilterBefore(), addFilterAfter(), so you use those instead of the <custom-filter/> element in XML. Most (if not all) XML elements translate pretty directly into Java config.

Spring security vs Apache Shiro [duplicate]

This question already has answers here:
Shiro vs. SpringSecurity [closed]
(3 answers)
Closed 4 years ago.
What I have researched so far most people are saying Apache Shiro is easy to use and easy to integrate with CAS (for SSO etc). Just to ask if anyone has experience using both of them and which one to use and why one is better than other?
Many of the Shiro developers use Spring for their applications, so Shiro works beautifully in Spring environments. The general feedback we've received thus far is that Shiro is also far easier to understand (for most people) than Spring Security.
If you want full Session clustering support across any web container however, only Shiro will support this easily. Shiro's crypto is also very simple/easy to use.
Choose which fits your mental model best - both will work great in Spring environments.
I have recently had to evaluate both shiro and spring security. We went with spring security (in fact we extended spring security to use the shiro permission strings in a better way - with instance variables on annoations).
Spring Security
under active development.
has much more community support.
Spring security has extensions providing support for both Oauth and kerberos
and SAML.
Shiro
Does not support saml or Oauth.
Makes no mention of supporting before and after security policies.
Active development seems limited, the website still
contains erroneous information.
I have evaluated both Shiro and Spring security. The main advantage that people claim about Shiro is simplicity, but I believe that Spring Security (3.0) is not crazy complicated. It took me almost the same amount of lines of configuration to set up. Also Spring Security is much better documented than Shiro.
But the main issue with Shiro it is that it doesn't support OAuth or Digest Authetication (they are planning to include it in the future https://issues.apache.org/jira/browse/SHIRO-20 ).
My conclusion: Today I would go for spring security.
Shiro is better to use. Its code much simple which provides you flexibility to extend it and provide your custom behaviour wherever needed. It also provides internal cache implementation of Ehcache through which you can replicate session on server clusters.
If you are going to design RBAC(Role based access control) system for your application it will provide you flexibility to handle asset level permission and its access control mechanism is much flexible as compared to spring security.
Spring Security and Shiro both sets awesome with Spring framework. i have tested both of them . for me spring security was easy to integrate and is totally understandable according to developer points of view. and Shiro is also easy to integrate but for me Spring is more easy to integrate.

Spring Framework, Spring Security - possible to use Spring Security without Spring Framework?

Ive been working now with the Spring Framework 3.0.5 and Spring Security 3.0.5 for several time. I know that Spring Framework uses DI and AOP. I also know that Spring Security uses DI, for example when writing custom handlers or filters. Im not sure whether Spring Security also uses AOP - so my first question is: does it?
Well, Id also like to know how Spring Security can be used for non-spring-based applications. Its written in their documentation that this is possible. Well, I wonder how - it seems like it uses DI, so how should it work in a simple java web application? I guess at least a web container which supports dependency injection is needed, correct? (Which one could that be?)
Thank you for answering :-)
[EDIT]
documentation says:
"documentation says: "Spring Security provides comprehensive security services for J2EE-based enterprise software applications. There is a particular emphasis on supporting projects built using The Spring Framework, which is the leading J2EE solution for enterprise software development. If you're not using Spring for developing enterprise applications, we warmly encourage you to take a closer look at it. Some familiarity with Spring - and in particular dependency injection principles - will help you get up to speed with Spring Security more easily.""
j2ee-based enterprise software applications......... emphasis on supporting projects using spring framework...... well this means it should be possible to work with it without Spring Framework itself!
?
AND:
Even though we use Spring to configure Spring Seurity, your application doesn't have to be Spring-based. Many people use Spring Security with web frameworks such as Struts, for example.
This is from the spring security homepage. well....
Does it use AOP ?
Yes spring-security uses AOP for its method security (you'd have to search the page to find it).
Can you use spring-security without spring ?
Generally no.
As you need to define spring beans for several spring-security elements.
But! You can use Acegi security without spring as far as I know. Which should give you close to the same functionality.
Can you secure a non-J2EE application
Definitely.
Anything that can run in a servlet container can be secured with spring-security. You just need Spring's IoC/DI.
This answer can help you on the minimal spring-security dependencies.

Resources