Spring 3 Security: Filters

Kevin Florish
Ranch Hand
Hi Peter,

Great to see a book on Spring Security as I see very few worked examples in books I have.

Does your book go into detail about the numerous filters used in Spring Security and where best to use these in a security strategy for an application?
Peter Mularien
Author
Hi Kevin,

Thanks for the question about the book. Yes, in the book, we spend quite a lot of time on the high level design and architecture of Spring Security, including some concepts such as filter chains that are core to the framework, but many developers don't really understand. As part of this overview, we cover (at a high level) all of the standard servlet filters that are part of the framework, and what they do.

As the book progresses, we work our way through enhancing a (purposely) very simple web-based application. To this application, we add a variety of features enabled by the Spring Security framework (and supporting filters) - for example, standard form-based authentication, CAS authentication, OpenID, session fixation protection, concurrency control, etc. We also illustrate how and when to implement custom filters through hands-on examples. Finally, in Chapter 6 we go through a full Spring Bean-style of configuration, where we throw away the entire <security:http> style of configuration and instead configure everything as Spring beans. Although this might be somewhat boring, interspersed between the configuration instructions are bits of explanation about what each bean (or filter) is doing.

I hope that answers your question!

Best,
Peter
Pradeep bhatt
Ranch Hand
Peter,

How are Spring filters different from HTTP filters?

Thanks,
Pradeep
 
Kevin Florish
Ranch Hand
Thanks for the reply Peter. I was hoping there would be a progressive use of filters in the book, and it seems there is.

I am looking forward to the book now and wish you great success with it.
 
Peter Mularien
Author

Pradeep bhatt wrote:
> Peter,
>
> How are Spring filters different from HTTP filters?
>
> Thanks,
> Pradeep

I assume you mean Spring [Security] filters, in which case they are largely the same thing. Some (but not all) of the Spring Security filters simply extend the relevant javax.servlet class, while others extend some Spring [Web] Framework helper classes (OncePerRequestFilter etc).

Hope that answers your question?

Best
Peter
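To make the point above concrete, here is an added example (not code from the book or from anyone in this thread) of a custom Spring Security filter built on Spring's OncePerRequestFilter. The package name, the class name, the bean id "auditLoggingFilter" and the log line format are all assumptions made for this illustration; the Spring and servlet classes it imports are real.

```java
package example.security; // hypothetical package, chosen for this example

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Audit filter: writes one log line per request naming the authenticated
 * principal, the HTTP method, the request path and the client address.
 *
 * OncePerRequestFilter (the Spring Web helper mentioned in the thread)
 * guarantees that doFilterInternal() runs only once per request, even when
 * the container re-dispatches the request through the filter chain (forwards,
 * error pages), so the audit trail does not get duplicate lines.
 */
public class AuditLoggingFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {

        // SecurityContextHolder is thread-local and is populated by Spring
        // Security's SecurityContextPersistenceFilter, so this filter only
        // sees a principal if it is placed after that filter in the chain.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        String principal = (auth == null) ? "none" : auth.getName();

        // Log only the path, never query parameters or headers, so that
        // credentials and tokens never end up in the audit log.
        // `logger` is inherited from Spring's GenericFilterBean.
        logger.info("audit user=" + principal
                + " method=" + request.getMethod()
                + " path=" + request.getRequestURI()
                + " from=" + request.getRemoteAddr());

        chain.doFilter(request, response);
    }
}

// Wiring the filter into the chain with the Spring Security 3 namespace
// (the bean id is an assumption):
//
//   <bean id="auditLoggingFilter" class="example.security.AuditLoggingFilter"/>
//
//   <security:http>
//     <security:custom-filter ref="auditLoggingFilter"
//                             after="SECURITY_CONTEXT_FILTER"/>
//   </security:http>
```

The position matters: anchoring the filter after SECURITY_CONTEXT_FILTER means the security context has already been loaded from the session when the filter runs, whereas a filter registered before it would always see an empty context. Because the filter is an ordinary servlet Filter, it could also be declared directly in web.xml, but then it would run outside the Spring Security chain and the context would not yet be populated.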
 
Pradeep bhatt
Ranch Hand
Thanks Peter. You did answer my question, but I have one more. Can you tell me more about concurrency control? Is it the same as database concurrency? I wonder what it has got to do with security.
 
Peter Mularien
Author
Pradeep bhatt wrote:
> Thanks Peter. You did answer my question, but I have one more. Can you tell me more about concurrency control? Is it the same as database concurrency? I wonder what it has got to do with security.

Sure (although this seems like a slightly different topic) - concurrency control is intended to prevent certain types of session fixation attacks by allowing a particular user to have no more than "n" active sessions (where "n" is typically 1). There are pros and cons with the way Spring Security has implemented this, such that it tends to lead to a lot of confusion among users when it doesn't work -- we do explain this (and session fixation protection) in detail in Chapter 6 of the book, including walking you through how a "hacker" would be prevented from stealing your session through the use of concurrent session control.

Hope that answers your question,

Peter
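As an added example (not from the book or from anyone in this thread), this is what concurrent session control together with session fixation protection looks like in Spring Security 3 namespace configuration. The URLs, the in-memory user and the ROLE_USER authority are illustrative values; the element and attribute names are the framework's own.

```xml
<!-- Spring Security 3 namespace configuration (values are illustrative). -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <security:http auto-config="true">
    <security:intercept-url pattern="/**" access="ROLE_USER"/>

    <!-- migrateSession: on successful login the pre-authentication session is
         invalidated and its attributes copied into a fresh session, so a
         session id planted in the browser before login is worthless after it. -->
    <security:session-management session-fixation-protection="migrateSession">
      <!-- max-sessions="1": one active session per principal. With
           error-if-maximum-exceeded="true" a second login is refused; with
           "false" the older session is expired instead and its next request
           is sent to expired-url. -->
      <security:concurrency-control max-sessions="1"
                                    error-if-maximum-exceeded="true"
                                    expired-url="/sessionExpired.jsp"/>
    </security:session-management>
  </security:http>

  <security:authentication-manager>
    <security:authentication-provider>
      <security:user-service>
        <!-- constructed test user for this example -->
        <security:user name="alice" password="changeit" authorities="ROLE_USER"/>
      </security:user-service>
    </security:authentication-provider>
  </security:authentication-manager>
</beans>

<!-- web.xml: the session registry only learns that a session was invalidated
     or timed out through this listener. Without it, a user who logs out (or
     whose session expires) still counts against max-sessions and is locked
     out, which is the usual cause of "concurrency control doesn't work". -->
<listener>
  <listener-class>
    org.springframework.security.web.session.HttpSessionEventPublisher
  </listener-class>
</listener>
```

One further check worth making when this is used with a custom UserDetails class: the session registry keys sessions by the principal object, so equals() and hashCode() must be implemented on that class, otherwise two logins by the same user are counted as two different principals and the limit is never enforced.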
 
Pradeep bhatt
Ranch Hand
Thanks for the detailed reply.
 
Greenhorn
What is the name of the book?