Eugen Paraschiv

Rest with Spring Software Support
+ Follow
since Sep 19, 2015
Eugen likes ...
Eclipse IDE Spring Java
Cows and Likes
Cows
Total received
5
In last 30 days
0
Total given
0
Likes
Total received
0
Received in last 30 days
0
Total given
0
Given in last 30 days
0
Forums and Threads
Scavenger Hunt
expand Ranch Hand Scavenger Hunt
expand Greenhorn Scavenger Hunt

Recent posts by Eugen Paraschiv

I definitely did pick up: https://github.com/apache/shiro/graphs/contributors
So that's very cool.
That being said, I'm personally going to let it sit for a while before looking at it again.
Looking at that graph - I'm a bit hesitant to really build any production logic with a library that's developed on and off. However, if it's going to be stable for a while - that's going to change.

Cheers,
Eugen.
5 years ago
I've only introduced that as part of the Coaching program (which is closed beta right now) - so I'm still looking into more scalable options of doing it properly.
6 years ago
Sure thing Guillaume - happy to help. Cheers,
Eugen.
6 years ago
So, OAuth2 is explained from ground up. Same for SSO.
LDAP is introduced, but I'm not going to deep into what LDAP is, just because it's outside the scope of the course and there is a lot of intro material out there about it. Same for SAML.
The goal is to hit the right balance between introducing core concepts and assuming some prior knowledge.
6 years ago
That's my experience as well - these kinds of security concerns usually need to start top down. And the huge volume of compromised systems in the last few years has definitely made it clear that security is a major priority.
Now, it's hard to put a number on the value of a solid security implementation vs the risk of not having it. The risk of a compromised system is basically going out of business (like so many of these compromised companies do) - so the priority of getting to this solid security implementation is usually quite high.

Cheers,
Eugen.
6 years ago
Yes, this one is definitely not a course about Spring, and some basic Spring knowledge is necessary.
That being said, my goal throughout the material is to keep Spring Security as self contained as possible, and generally work on top of a very simple application (even when the security scenarios get complex, the underlying app shouldn't).
But yeah, simply put, you do need to have an understanding of Spring before you pick up the course.
Hope that clears things up. Cheers,
Eugen.
6 years ago
That's a very interesting question.
I did have several client engagements where the Spring Security config was sub-par.
The most common ones are simply older implementations that did the best they could do at the time, but didn't take advantage of the many new simplifications and improvements in the framework.
Things like manual LDAP integrations, manual protections against various types of attacks that are now supported out of the box, lots of custom filters, verbose XML configs - and many others.
It's hard to really put a clear list together - just because there's a lot of variety in these sub-optimal scenarios.
My suggestion for approaching the framework in a good way is simply digging deeper into how things work, debugging through scenarios, and plain experience.
Hope that helps. Cheers,
Eugen.
6 years ago
The material is structured - broadly speaking - from simple to complex.
The best practice that I'd say applies here is - always keep things as simple as you can, while not compromising on the security of your system.
So - yes, I always keep simplicity in mind when I'm creating these lessons - that's why, if you have a look at the Master Class, you'll find the most complex scenarios there.
Hope that helps. Cheers,
Eugen.
6 years ago
That's a good point - their news site is missing an update (1.2.3).
However, all of these are not even minor updates, but patch updates (the last one for instances fixes 5 small bugs) - so the point still stands - they're pretty much standing still.
And don't get me wrong - it would be great to see some real movement in Shiro or any of the other security solutions in the Java space - as that would benefit the entire ecosystem. But - the reality is that it's simply not the case right now.
Cheers,
Eugen.
6 years ago
Hey Pankaj - so, to answer your cloud question - if you mean the new Spring Cloud project - yes, that's definitely an interesting one. Most of it is not really related to security, but there is a small part of it that is - so I'll be covering that part in a bonus lesson after launch.
Good luck with the contest and keep in touch,
Cheers,
Eugen.
6 years ago
Hey Sundar,
First - let me link you to a question I answered yesterday, for a few notes on Spring Security vs other frameworks .
Now - let's look at complexity.
The way I look at complexity is - always in the scope of what I'm trying to do.
Let me unpack that. Complexity that hinders you getting your scenario implemented is bad. Complexity that gets out of the way and is only there if you need it - that's not necessarily bad.
So, if the design of the framework is done intelligently - then you should be able to implement simple scenarios without a lot of complexity, and only go into more complex, low level things if you have very custom, non-standard needs.
And in the case of Spring Security, that's mostly the case.
Hope that helps.
Cheers,
Eugen.
6 years ago
Hey Pankaj - let me first answer the first part of your question by linking to another question I answered yesterday about the differences between Spring Security and other frameworks - JAAS and Shiro: Spring Security vs other frameworks

Now, looking at your list of technologies there, we have a few more. LDAP for example isn't necessarily a competing framework, it's more of an underlying tech that is usually used in the security stack, and yes, Spring Security has solid native integration with LDAP.
And Acegi is the old name of Spring Security - they're the same framework (of course Spring Security has evolved a lot since the days of Acegi).

Finally, the most exciting features - that's definitely an interesting question
I can tell you what I'm most excited about - it's the stuff in the last few modules of the course (have a look at the breakdown on the course page).

Hope that helps. Cheers,
Eugen.
6 years ago
Hey Stewart - that's an interesting question and I've added to the list of requested bonus lessons. My experience with Weblogic is limited, so I'll have to do some research before tackling this one.
Cheers,
Eugen.
6 years ago
Hey Sam - that's a good question.
It's always a balance, but the simple answer is - some, but not a lot.
The application where all the security concepts are illustrated is very simple, with the explicit goal of not getting in the way of the student.
Even if we can into more complex scenarios with security, the application itself doesn't have to get complex. And so - it's a basic MVC CRUD app made up of a just a few pages.
Hope that clears things up. Cheers,
Eugen.
6 years ago
Hey Sam,
API Security (OAuth2, JWT, Token management, etc) is a major focus of the course - yes.
If you're curious about the breakdown of modules and lessons - have a look at the page (scroll down a bit) - and you'll find a bit more detail over there.
Hope that clears things out. Cheers,
Eugen.
6 years ago