I am considering to utilize Expression-Based Access Control from Spring Security 3.0.
The documentation says: You can access any of the method arguments by name as expression variables, provided your code has debug information compiled in.
That means that I have to have debug info left in my production wars and jars to properly use Expression-Based Access Control. For me it seems not very good idea at all.
Please tell me your opinions on this issue, so I can summarize your expirience to deside where I go for it or not.
Thank you in advance!
Max
It is a little strange, but this isn't tied to Spring Security. Spring Web MVC uses it too; e.g., to discover #RequestParam and #PathVariable default values.
In my experience people typically leave debug information in their builds (even production builds) to support troubleshooting (debug level logging is a different story), so Spring takes advantage of this. But it's fair to say that Spring is violating the principle of least surprise here, meaning that one wouldn't expect turning debug info off to turn a working app into a broken app.
Please see Spring security annotations with EL — requires debug information compiled in?
Related
Spring boot 2.1.5
Project Reactor 3.2.9
I am setting up a bunch of rest reactive APIs using the above-mentioned frameworks and I am running into an annoying problem with MDC (mapped diagnostic context). My applications are in JAVA.
MDC relies on thread locals to store the current query's mapped context to put in the logs. That system, obviously, is not perfect and contradicts the reactive pattern since the different steps of your execution will be executed through different threads.
I have run into the same problem with the Play Reactive framework but found a workaround there by copying the mapped context transparently from one actor to another.
For spring and reactor, I could not find a satisfying solution yet.
Some random examples found on the internet:
First - It works but forces you to use a bunch of utility methods
Same thing
Second - It tries to copy the context during the onNext publisher event but seems to lose some features on the way of doing that. The signal context, for example, is lost.
I am in need of a proper solution to deal with this:
A library which would make the link between MDC and reactor?
A way to tweak reactor/spring to achieve it transparently?
Any advice?
"I could not find a satisfying solution yet."
Working with contexts is the only solution for the moment. Since as you said threadlocals goes against everything that has to do with reactive programming. Using thread local as a storage point during a request is a resource heavy way of solving things and in my opinion poor design. Unless logging frameworks themselves come up with a better solution to the problem we developers must pass the data through the context to accommodate for the logging frameworks blocking nature.
Reactive programming is a paradigm shift in the programming world. Other things like database drivers, that use threadlocal to rollback transactions are also in big trouble. the JDBC database driver spec is defined as blocking in nature, and atm. there has been attempts by spring and the R2DBC project to define a new JDBC driver spec that is inherently non/blocking. This means that all vendors must rewrite ther database driver implementations from scratch.
Reactive program is so new that lots of libraries need to rewrite entire codebases. The logging frameworks as we know it needs to be rewritten from the ground up which is a huge task. And the context in reactive is actually something that should not even be in reactive programming, it was implemented just to accommodate for MDC problems.
It's actually a lot of overhead needing to pass data from thread to thread.
So what can we do?
push on logging frameworks, and/or help logging frameworks to rewrite their codebase
Accept that there is no "tweak" that will magically fix this
use the context and the way suggested in the blogposts
Project reactor context
I'm going to start the development of an web application system with multiple modules. The system will be built over Springframework, which is the reason why I'm going to use Spring Security. However, I have doubts about the choice of the authentication system.
The idea is to create restufull services that will be consumed by extjs pages (in case of web application) and mobile application.
Please suggest alternative authentication systems (more current). I have minimal expertise in system security and I'm worried about how to protect user credentials while maintaining a high level of response speed.
Even though you have no prior experience with Spring Security, I would still recomend that you use it:
It works very well out of the box with minumum configuration effort.
There is alot of support available because it has become the de facto standard security implementation on many full stack solutions. It is unlikely that you will run into a problem that has not been solved before
Spring Security is very robust and well tested.
out-of-the box integration for almost anything i can think of
finally, spring-security is ment for the springframework. The integration is flawless. Why give up the best part the framework has to offer?
Response speed should not be a criteria when selecting security framwork. Usually repsonse speed is slow due to bad software design or configuration issues. I have never ecountered a system that was slow due to the selected security framework.
I started using Spring Security a few years ago. It took me less than a week to set it up and It has worked properly ever since.
If you need to go for simple authentication then this can easily be achieved mentioning it in Deployment Descriptors , you can specify Authorization Constraint, Security Constraints for Resources, Authentication mechanism and all . pls have a look at this link :
http://docs.oracle.com/javaee/6/tutorial/doc/gkbaa.html
What security features does Spring provide that are not already provided by the Java EE specs?
In the Java EE specs we have:
A range of sevlet security options in the web.xml. Most people will configure basic or form based authentication. They link their Java EE application to an LDAP server - which stores users / groups. Request will be encrypted and come in over HTTPS.
Possibility to annotate any EJB and only allow certain roles execute certain methods
Ability to check user principle at runtime programmatically
So what security extras does Spring 3.0 give me?
Even if you just need some fairly simple authentication, Spring Security provides support for lots of simple but useful features (think of redirecting after logout, redirecting to login page on all URLs, remember-me). With Java EE you'll end up writing this yourself and - possibly - screwing up so you'll have an insecure app.
Spring Security works well with many standards/protocols/etc. out of the box (LDAP, JAAS, X.509). There's also more advanced stuff like SSO or ACLs. And if the standard functionality doesn't suit you, you can customize this fairly easily, often requiring just a little code.
What I also like is that it's fairly non-intrusive, your controller/action/… classes typically don't have to be involved.
That said, if you use it for the first time, it takes some time to set Spring Security up and get used to it.
(Finally, here's their own feature list: http://static.springsource.org/spring-security/site/features.html)
One killer Feature are ACLs!
#See: Spring Security Reference Chapter 17. Domain Object Security (ACLs)
And I have the feeling that Spring Security is much easier to customize. For example if you need a User Management where the User can self register and get some of this privileges limitedly and some others after this email address has been confirmed.
I am using Spring framework in my application and it is deployed on MULE server.
Based on debug or info level, the amount of logging and the percentage of logging will vary.
Till date, I write the log statements explicitly in all my business logic.
Is there any way to do this through configuration, say configure at some point -
CLASS NAME - METHOD NAME - LOG AT ENTRY POINT WITH INPUT PARAMETERS - LOG AT EXIT POINT WITH RETURN
This way my code will not look very clutter.
I am not sure exactly what you are asking, but it sounds like you would like to automatically log entry and exit from methods along with parameters. If that is the case, you might consider some form of Aspect Oriented Programing (AOP). Here and here and here are some links to pages with good examples of implementing exactly this kind of logging with PostSharp. Since you are using Spring (.NET or just Spring?), you might know that Spring.NET has an AOP solution (or here for Spring). Here is a project from CodeProject that provides a log4net logging aspect already written for PostSharp (not sure if this is currently up to date or not). There are other AOP solutions out there, PostSharp is one of the more popular.
I answered with a .NET slant because that is what I am more familiar with and you didn't indicate a language preference (via the tags) in your question.
As wageoghe mentioned, using Spring AOP is an option.
Another one, since you're running in Mule, is to use component interceptors around your Spring beans.
I am just starting to learn about spring and was looking at the difference between Spring 3.0 and Spring 2.5.
Initially i was following this tutorial http://static.springsource.org/docs/Spring-MVC-step-by-step/index.html which is a step by step guide to developing a Spring MVC application. It is based on Spring 2.5 and i notice there are quite a few differences with Spring 3.0. I tried to find the equivalent tutorial that is based on 3.0 but couldnt find it.
The difference i notice with 3.0 is that there is a lot of use of annotations and a lot of things is done for you in the background. I am sure this is a good thing but i am wondering for the purpose of learning the framework should i continue with 2.5 so that i can understand what goes on behind the scenes before i use spring 3.0?
Please also if you can recommend a spring book that is suitable for a beginner i would appreciate it.
Thanks
I'd recommend to always use the latest version of a framework. Especially if you're starting on a new project. There are always (well usually) tons of improvements, and simplifications, and migrating to the latest version later may be a pain.
Spring has a great user manual (see http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/), and IMHO a book doesn't have an added value in this case. I found the Spring user manual always easy to read and understand, so don't get intimidated. I think this is definitely the best starting for beginners as well. You don't have to read it all. Only the sections of interest!
Note that Spring 3.x contains many other improvements such as SpEL (Spring Expression Language), improved web support (you already saw that), REST support, and more.
... should i continue with 2.5 so that i can understand what goes on behind the scenes before i use spring 3.0?
That's really up to you to decide, but if you are going down the Spring 3.x annotation-based route, it is not clear that you >>need<< to understand what is happening behind the scenes. Especially for run-of-the-mill applications.
I was not aware of the purchase of Spring by VMware. Do you think this might affect the open source aspect of Spring in that it might not be open source anymore?
First, the SpringFramework guys are thoroughly committed to open source (from what I can see). So a change would probably entail lots of developers leaving.
Second, most of the people who use Spring do so because it is open source, so a change would risk a major migration of (paying) customers away.
Third, turning Spring into a closed source product would be a politically awful move for VMware, and would likely have fallout for other VMware product lines.
Finally, and most importantly for people committed to using Spring: there is no way that the VMware could legally "undo" the open sourcing of current Spring releases. The best they could do would be say that Spring 4.0 etc was closed source. Anyone who wanted to would be free to continue distributing and using SpringFramework 1.0.x, 2.0.x, 2.5.x, 3.0.x and all associated open sourced technologies. And anyone would be free to create a "fork" of any of them to continue Spring open source development. The only possible issue would be the use of trademarks, and that is easily worked around.
Add that all up, and (IMO) there is nothing to worry about.
"Spring in Action", "Pro Spring", and "Spring Recipes" are the three that I'd recommend to anyone.
If you've never used Spring, I'd say that learning either one will suit your purposes. The majority of Spring 2.5 carries over to 3.0, so it's not wasted.
The books and tutorials haven't kept up with Spring 3.0. Another change between versions was the purchase of Spring by VMWare. They've separated paid support from open source, so it's hard to tell what the future will be for non-paying customers.