I'm going to start the development of an web application system with multiple modules. The system will be built over Springframework, which is the reason why I'm going to use Spring Security. However, I have doubts about the choice of the authentication system.
The idea is to create restufull services that will be consumed by extjs pages (in case of web application) and mobile application.
Please suggest alternative authentication systems (more current). I have minimal expertise in system security and I'm worried about how to protect user credentials while maintaining a high level of response speed.
Even though you have no prior experience with Spring Security, I would still recomend that you use it:
It works very well out of the box with minumum configuration effort.
There is alot of support available because it has become the de facto standard security implementation on many full stack solutions. It is unlikely that you will run into a problem that has not been solved before
Spring Security is very robust and well tested.
out-of-the box integration for almost anything i can think of
finally, spring-security is ment for the springframework. The integration is flawless. Why give up the best part the framework has to offer?
Response speed should not be a criteria when selecting security framwork. Usually repsonse speed is slow due to bad software design or configuration issues. I have never ecountered a system that was slow due to the selected security framework.
I started using Spring Security a few years ago. It took me less than a week to set it up and It has worked properly ever since.
If you need to go for simple authentication then this can easily be achieved mentioning it in Deployment Descriptors , you can specify Authorization Constraint, Security Constraints for Resources, Authentication mechanism and all . pls have a look at this link :
http://docs.oracle.com/javaee/6/tutorial/doc/gkbaa.html
Related
In this Spring Developer youtube video, it is stated that Spring helps building robust, reliable, resilient, scalable, and secure application. I can see that the Spring security takes care of the security aspect of an application and the Spring WebFlux helps a resilient application (RSocket also helps in a big deal in the regard. But RSocket isn't a part of Spring). I, however, fail to see how Spring helps building an application which is robust, reliable and scalable, at least directly. For example, in regarding of reliability, a system should continue to work correctly (performing the correct function at the desired level of performance) even in the face of adversity (hardware or software faults, and even human error). How does Spring help in a scenario of hardware or software faults? I really want to persuade our company to use Spring. Can someone shed some light in the regard?
Spring it is a framework that help developers to implement more quickly a vast variety of functionalities, but in the end the kind of reliability that you are talking about falls in the hands of the programmer.
I am going to teach myself some Java EE and making a simple web portal where people can generate their own invoices(pdf lib is needed). Not asking about any code but can you give advice (examples) which technologies I can make use of through the process? I have decided to use "Spring MVC" as the framework + java/Kotlin as a compiler. Some database + server + email+ some micro services?, are needed but which can it be? Thank you!
If you are trying to implement microservices, i prefer spring boot which has embedded tomcat with additional services, and for database you can use open source mysql
if you are also planning for UI stuff and new to it prefer basic Html,css and Bootstrap
If I am there here are my choices. All these choices are based on my past 4 complete end to end web application project experience.
Spring Boot
Using spring boot create micro services. As it has in built tomcat it will be easy to deploy any environment, either local laptop or on premise server or cloud server.
JPA with Hibernate
If you are looking for free you can choose MYSQL. As it has strong community support
almost all the issues you are going to face would have been asked and answered already under stack overflow or somewhere else in the internet. Another think is as you chose JPA you can switch to any database easily.
React
As of now the simplest and one of the fastest ui framework. Also it has strong user support. You can find answer to almost all questions you will have on internet.
Apart from all, you can extend any of these technologies. Happy Coding!!!
You may want to consider using Jaspersoft for generating your pdf files:
https://www.jaspersoft.com/reporting-software
https://community.jaspersoft.com/wiki/introduction-jaspersoft-studio
There may undoubtedly be other solutions out there, but this is the one I'm most used to.
I'm currently researching on Grails, if it would be a good choice to go with a Web Service client project. It is said Grails is highly beneficial for developing Admin Portals and Prototypes. However my concern is to use Grails for an Admin Portal where the Admin Portal is driven by the Rest-API calls. Therefore, I can consider that as a Web Service Client application. Hence, I won't be able get much use of Grails scaffolding feature to generate controllers or its related test cases. And also the Object Relational Mapping via Hibernate as well. But still I can get the views generated according to the domain objects that I'm defining. Considering the above concerns is Grails still reasonably beneficial than going with traditional Java/Spring and Spring RestTemplate approach ?
This is a bit of a subjective question, but IMO yes, a Grails web application that is primarily a web service consumer is still a fine choice. Groovy's remote API functionality is very productive and clean, and the view layer and controllers are high quality regardless of what the domain/service layer looks like.
In my current project one of our Grails apps is acting just like how you're describing, and it's been a success in terms of quality, performance, and productivity.
What security features does Spring provide that are not already provided by the Java EE specs?
In the Java EE specs we have:
A range of sevlet security options in the web.xml. Most people will configure basic or form based authentication. They link their Java EE application to an LDAP server - which stores users / groups. Request will be encrypted and come in over HTTPS.
Possibility to annotate any EJB and only allow certain roles execute certain methods
Ability to check user principle at runtime programmatically
So what security extras does Spring 3.0 give me?
Even if you just need some fairly simple authentication, Spring Security provides support for lots of simple but useful features (think of redirecting after logout, redirecting to login page on all URLs, remember-me). With Java EE you'll end up writing this yourself and - possibly - screwing up so you'll have an insecure app.
Spring Security works well with many standards/protocols/etc. out of the box (LDAP, JAAS, X.509). There's also more advanced stuff like SSO or ACLs. And if the standard functionality doesn't suit you, you can customize this fairly easily, often requiring just a little code.
What I also like is that it's fairly non-intrusive, your controller/action/… classes typically don't have to be involved.
That said, if you use it for the first time, it takes some time to set Spring Security up and get used to it.
(Finally, here's their own feature list: http://static.springsource.org/spring-security/site/features.html)
One killer Feature are ACLs!
#See: Spring Security Reference Chapter 17. Domain Object Security (ACLs)
And I have the feeling that Spring Security is much easier to customize. For example if you need a User Management where the User can self register and get some of this privileges limitedly and some others after this email address has been confirmed.
I am considering to utilize Expression-Based Access Control from Spring Security 3.0.
The documentation says: You can access any of the method arguments by name as expression variables, provided your code has debug information compiled in.
That means that I have to have debug info left in my production wars and jars to properly use Expression-Based Access Control. For me it seems not very good idea at all.
Please tell me your opinions on this issue, so I can summarize your expirience to deside where I go for it or not.
Thank you in advance!
Max
It is a little strange, but this isn't tied to Spring Security. Spring Web MVC uses it too; e.g., to discover #RequestParam and #PathVariable default values.
In my experience people typically leave debug information in their builds (even production builds) to support troubleshooting (debug level logging is a different story), so Spring takes advantage of this. But it's fair to say that Spring is violating the principle of least surprise here, meaning that one wouldn't expect turning debug info off to turn a working app into a broken app.
Please see Spring security annotations with EL — requires debug information compiled in?