While reading the Light-4j document, it looks like Light-4j is very similar to the AOP programming. What is the relationship between Light-4j and AOP programming?
Light-4j is a subset of AOP programming that is leveraging the nature of the request/response flow of the HTTP based application. If we look at the request/response flow as chain, Light-4j put all the AOP cross-cutting concerns into the chain transparently to the developers. All cross-cutting concerns are implemented as middleware handlers, and they can be enabled or disabled with individual config files or a centralized values.yml file. With externalized config files, we can move a dockerized application from one environment to another with only config changes. Another benefit of this design is to increase the productivity of developers. Unlike other frameworks, developers have to wire in the cross-cutting concerns manually with code or annotations, Light-4j wire in the cross-cutting concerns with configuration files, and these can be applied by the operation team instead of the development team. This allows developers to focus on the business logic at the endpoint level without thinking about metrics, tracing, monitoring, alerting, etc.
Related
I get that Feign is declarative and hence it abstracts out a lot of things for the developer. But, when should one choose one over the other? Though feign is declarative, it has serious problems with oAuth. What are some of the considerations in using RestTemplate over Feign
Feign allows you to abstract the mechanics of calling a REST service. Once you configure and annotate the Feign interface, you can call a REST service by making a simple Java function call. The actual implementation of making a REST call is handled at runtime by Feign. This means that the implementation can be configured without changing your business logic code.
By just changing the Feign configuration in Java or using properties you can add encoding/decoding, logging, and change the REST call implementation library. All this is done through configuration only, while the business logic that calls the service remains unchanged.
Since Feign uses standard Java interfaces, it's also easy to mock them during unit tests.
There are certain advantages.
1.URLs are not hardcoded.
2.you don't have to write unit test cases for feign as there is no code to test however you have to write integration tests.
3.we can use Eureka Client ID instead of the URL.
4.Feign handled the actual code.
5.Feign integrates with Ribbon and Eureka Automatically.
6.Feign provides a very easy way to call RESTful services.
One of the advantages of using Feign over RestTemplate is that, we do not need to write any implementation to call the other services. So there is no
need to write any unit test as there is no code to test in the first place. However, it is advised that we write Integration tests.
Using Feign-clients over rest-templates has number of advantages. I will list down those below.
The developer need not worry about the implementation. Just to create abstract Feign interface and few annotations - declarative
principle. (If you want customized configuration, then it will hold
some code)
With Spring Cloud Eureka, Ribbon client-side load-balancer will be equipped with Feign client.
No need to worry about the unit test, because there is no implementation from you to test. (Arguable)
Supports Feign annotations and JAX-RS annotations.
Highly compatible and easily configurable with Spring Cloud (Specially with Eureka server registry)
Allows Feign client configuration via #Configuration class or application properties.
Allows us to add interceptors. (Add interceptors via #Configuration or application properties. Alternatively can use
Spring Cloud provided interceptors as well. Example -
BasicAuthRequestInterceptor)
Hystrix support for fall-back mechanism.
Logging
Error handling
Feign is a good choice, If you are fascinated with JPA and the way how it resolves your queries, then Feign is the tool for you. Feign will handle your server requests perfectly fine.
RestTemplate is used for making the synchronous call. When using RestTemplate, the URL parameter is constructed programmatically, and data is sent across to the other service. In more complex scenarios, we will have to get to the details of the HTTP APIs provided by RestTemplate or even to APIs at a much lower level.
Feign is a Spring Cloud Netflix library for providing a higher level of abstraction over REST-based service calls. Spring Cloud Feign works on a declarative principle. When using Feign, we write declarative REST service interfaces at the client, and use those interfaces to program the client. The developer need not worry about the implementation ...
Advantages of using Feign over RestTemplate:
Declarative approach: Feign provides a more declarative approach to define and use REST API clients, which can make the code more readable and easier to maintain.
Integrated with Eureka: Feign is integrated with Netflix Eureka for service discovery, making it easier to build and consume APIs in a microservices architecture.
Better error handling: Feign provides better error handling, including support for custom error handling and retries.
Support for multiple encodings: Feign supports multiple encoding types, including JSON, XML, and form data, while RestTemplate only supports JSON and XML.
Disadvantages of using Feign over RestTemplate:
Limited flexibility: Feign provides a more opinionated approach to defining and using REST API clients, which may limit flexibility in certain situations.
Limited control over HTTP request and response: Feign abstracts away some of the low-level details of the HTTP request and response, which can make it harder to control and customize these details if needed.
Lack of official support: Feign is not an officially supported library from Spring, which may be a consideration for some developers or organizations.
I have a Spring MVC web application protected with Spring Security. Life seems so calm until I was forced to do a Static Application Security Testing (SAST) and the tool threw a bunch of security issues. Have a look at here:
I have gone through all CVEs and got a rough picture about the vulnerabilities. I have a few queries:
How a web application is vulnerable to such exploitation, when a security framework like (Spring Security) is integrated with it?
Can I ignore all those vulnerabilities since Spring Security might have some sort of workaround for all those vulnerabilities?
From the Spring Security manual:
Spring Security is a powerful and highly customizable authentication
and access-control framework. It is the de-facto standard for securing
Spring-based applications.
Think of spring security as an authentication framework, it covers one piece of the security puzzle.
As an example, let's have a look at the #1 of the OWASP Top 10 Application Security Risks: A1 - Injection
Assume you use a jar for accessing an SQL database (e.g. hibernate) and it has an injection vulnerability, then your application could be vulnerable as well. However even if hibernate doesn't have any security bugs, if a programmer concatenates an SQL query together without correctly escaping the user input the application is vulnerable to an injection attack.
Spring security doesn't protect your application from either of these injection attacks.
If a jar has a vulnerability and you are calling the vulnerable methods/features then your app may also have that vulnerability, it depends a lot on what the vulnerability is and how its executed and how your application is configured to use the jar.
For a quick look over the other OWASP Top 10 Application Security Risks:
A1-Injection - No protection from Spring Security
A2-Broken Authentication and Session Management - Spring Security can help manage some of these, however a miss configured spring security will expose these.
A3-Cross-Site Scripting (XSS) - No protection from Spring Security
A4-Insecure Direct Object References - No added protection from Spring Security (Spring Security gives you the tool to manage this)
A5-Security Misconfiguration - No protection from Spring Security
A6-Sensitive Data Exposure - Spring Security can assist with this however it also depends a lot on how you store and manage your data (E.g. log files)
A7-Missing Function Level Access Control - If the access control has been missed, Spring Security can't help you, however spring security makes it easy to add these
A8-Cross-Site Request Forgery (CSRF) - Spring Security (depending on how your application is configured) will assist you or even manage this risk for you.
A9-Using Components with Known Vulnerabilities - This is the CVE's you have listed in your question - No protection from Spring Security
A10-Unvalidated Redirects and Forwards - Spring Security could be used to manage this however it doesn't protect your application from this out of the box
The list of CVEs found during the STAT of your application is an example of A9-Using Components with Known Vulnerabilities have a look at the OWASP wiki for more information.
Example Attack Scenarios
Component vulnerabilities can cause almost any type of risk
imaginable, ranging from the trivial to sophisticated malware designed
to target a specific organization. Components almost always run with
the full privilege of the application, so flaws in any component can
be serious, The following two vulnerable components were downloaded
22m times in 2011.
Apache CXF Authentication Bypass – By failing to provide an identity token, attackers could invoke any web service with full
permission. (Apache CXF is a services framework, not to be confused
with the Apache Application Server.)
Spring Remote Code Execution – Abuse of the Expression Language implementation in Spring allowed attackers to execute arbitrary code,
effectively taking over the server.
Every application using either of these vulnerable libraries is
vulnerable to attack as both of these components are directly
accessible by application users. Other vulnerable libraries, used
deeper in an application, may be harder to exploit.
Note from the last paragraph above, the deeper the component (jar) is the harder it is to exploit, however, that doesn't mean a determined entity can't exploit them.
In summary, Spring Security is a great tool for managing authentication and access-controls in your application but it isn't a magic bullet to fix all security problems.
I'm a newbie on Spring Cloud, and I'm a little confused about it. Kubernetes and Spring Cloud are both micro-services framework. If I have Kubernetes(or mesos) already, why do I need use Spring Cloud? I notice that many projects use them both.
What's the difference between Kubernetes and Spring Cloud? They both can provide service discovery, load balance and so on.
I'm really confused.
Kubernetes and Spring Cloud address a lot of the same concerns with Microservices, but with different approaches and technologies. Redhat wrote a great article explaining this. Here the main takeaways:
Spring Cloud has a rich set of well integrated Java libraries to
address all runtime concerns as part of the application stack. As a
result, the Microservices themselves have libraries and runtime agents
to do client side service discovery, load balancing, configuration
update, metrics tracking, etc. Patterns such as singleton clustered
services, batch jobs are managed in the JVM too.
Kubernetes is
polyglot, doesn’t target only the Java platform, and addresses the
distributed computing challenges in a generic for all languages way.
It provides services for configuration management, service discovery,
load balancing, tracing, metrics, singletons, scheduled jobs on the
platform level, outside of the application stack. The application
doesn’t need any library or agents for client side logic and it can be
written in any language.
In some areas both platforms rely on similar
third party tools. For example the ELK and EFK stacks, tracing
libraries, etc.
Some libraries such as Hystrix, Spring Boot are useful
equally well on both environments. There are areas where both
platforms are complementary and can be combined together to create a
more powerful solution (KubeFlix and Spring Cloud Kubernetes are such
examples).
Source: https://developers.redhat.com/blog/2016/12/09/spring-cloud-for-microservices-compared-to-kubernetes/
To understand the differences and similarities in more detail I would recommend to the read the full article.
In Spring Integration, handlers and interceptors look like they basically achieve the same thing. There are even some 'duped' implementations, such as MessageTransformingChannelInterceptor and MessageTransformingHandler, which as far as I can tell provide the same functionality with different semantics.
Is there a time when one is appropriate and not another? If it's a matter of preference then I'm guessing that there'd be some sort of convention?
Thanks,
Roy
My general rule of thumb is to use interceptors sparingly; and typically, only for "passive" things like logging, wire tap etc.
Some users like to do message validation in interceptors; especially if they want to apply the same validation to multiple channels, perhaps with a global interceptor with an appropriate channel pattern.
The transforming interceptor was created in a very early iteration of the framework (2008) and we should probably remove (at least) the only mention of it in the reference (in the XML section).
Handlers
Handler means a Class which handles with certain thing.
For example, in the Spring framework, a HandlerMapping is used to map requests to specific controllers or handlers based on the URL pattern or request method.
Handler is responsible for processing a request and generating a response while a Filter is responsible for modifying or inspecting a request or response
Interceptors
Interceptors share a common API for the server and the client side.
Interceptors are often used to implement cross-cutting concerns such as transaction management, security, or logging.
Interceptors are part of Spring's AOP framework and are used to intercept method calls to Spring beans. They allow you to add behaviour to a method call before or after it is executed. Interceptors can be configured using annotations or XML configuration. Interceptors are used to intercept method calls to Spring beans.
I'm getting started at building REST APIs with Spring annotated controllers.
My question is very simple: how to perform authentication/authorization in a common place rather than the APIs?
Being an expert C# developer I usually create a custom FilterAttribute for my controllers in order to implement any required authentication code.
I'm not going to use #Secured attribute because I work on custom REST authorization based on custom HTTP headers. I have understood that #Secured works with predefined roles, or perhaps I didn't understand its usage well.
Does Spring offer annotations to perform early filtering of Controllers working on the HttpRequest?
There is a filter-based authentication and authorization plugin at the web container level, provided by Spring Security. However, you can also apply security annotations to the controllers. . . Behind the scenes this uses Aspect Oriented programming to modularize the security concern. Take a look at Spring Security and AOP.
Once you understand a little about the AOP side of things you can customize the authorization however you like - role-based, time of day, whatever - this can be driven by custom annotations.