Spring 3 Security: Filters

Kevin Florish
Ranch Hand

Joined: Jan 06, 2009
Posts: 175
Hi Peter

Great to see a book on Spring Security as I see very few worked examples in books I have.

Does your book go into detail about the numerous Filters used in Spring Security and where best to use these in a security strategy for an application?


Peter Mularien
Author
Ranch Hand

Joined: Sep 06, 2007
Posts: 84
Hi Kevin,

Thanks for the question about the book. Yes, in the book, we spend quite a lot of time on the high level design and architecture of Spring Security, including some concepts such as filter chains that are core to the framework but that many developers don't really understand. As part of this overview, we cover (at a high level) all of the standard servlet filters that are part of the framework, and what they do.

As the book progresses, we work our way through enhancing a (purposely) very simple web-based application. To this application, we add a variety of features enabled by the Spring Security framework (and supporting filters) - for example, standard form-based authentication, CAS authentication, OpenID, session fixation protection, concurrency control, etc. We also illustrate how and when to implement custom filters through hands-on examples. Finally, in Chapter 6 we go through a full Spring Bean-style of configuration, where we throw away the entire <security:http> style of configuration and instead configure everything as Spring beans. Although this might be somewhat boring, interspersed between the configuration instructions are bits of explanation about what each bean (or filter) is doing.

I hope that answers your question!

Best,
Peter


Author, Spring Security 3 (the Book), Packt Publishing, 2010
SCJP, OCP
Pradeep bhatt
Ranch Hand

Joined: Feb 27, 2002
Posts: 8903

Peter,

How are Spring filters different from HTTP filters?

Thanks,
Pradeep


Groovy
Kevin Florish
Ranch Hand

Joined: Jan 06, 2009
Posts: 175
Thanks for the reply, Peter. I was hoping there would be a progressive use of filters in the book, and it seems there is.

Am looking forward to the book now and wish you great success with it.
Peter Mularien
Author
Ranch Hand

Joined: Sep 06, 2007
Posts: 84
Pradeep bhatt wrote: Peter,

How are Spring filters different from HTTP filters?

Thanks,
Pradeep


I assume you mean Spring [Security] filters, in which case they are largely the same thing. Some (but not all) of the Spr Sec filters simply extend the relevant javax.servlet class, while others extend some Spring [Web] Framework helper classes (OncePerRequestFilter etc).

Hope that answers your question?

Best
Peter
Pradeep bhatt
Ranch Hand

Joined: Feb 27, 2002
Posts: 8903

Thanks Peter. You did answer my question, but I have one more. Can you tell me more about concurrency control? Is it the same as database concurrency? I wonder what it has got to do with security.
Peter Mularien
Author
Ranch Hand

Joined: Sep 06, 2007
Posts: 84
Pradeep bhatt wrote: Thanks Peter. You did answer my question, but I have one more. Can you tell me more about concurrency control? Is it the same as database concurrency? I wonder what it has got to do with security.


Sure (although this seems like a slightly different topic) - concurrency control is intended to prevent certain types of session fixation attacks by allowing a particular user to have no more than "n" active sessions (where "n" is typically 1). There are pros and cons with the way Spring Security has implemented this, such that it tends to lead to a lot of confusion among users when it doesn't work -- we do explain this (and session fixation protection) in detail in Chapter 6 of the book, including walking you through how a "hacker" would be prevented from stealing your session through the use of concurrent session control.

Hope that answers your question,

Peter
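
The two features discussed in the reply above, session fixation protection and concurrent session control, as they can be switched on in the `<security:http>` namespace style of Spring Security 3. This is an added example, not part of the original post and not taken from the book; the URL pattern, role name and `expired-url` path are constructed placeholders.

```xml
<!-- Added example; URL pattern, role and expired-url are assumptions. -->

<!-- 1. web.xml: publish HttpSession created/destroyed events into the Spring
     context. Concurrent session control tracks sessions in a SessionRegistry;
     without this listener the registry never learns that a session ended, so
     a user who logged out or timed out still counts against max-sessions. -->
<listener>
  <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>

<!-- 2. Security application context (Spring Security 3 namespace). -->
<security:http auto-config="true">
  <security:intercept-url pattern="/**" access="ROLE_USER"/>

  <!-- session-fixation-protection:
         none           keep the pre-login session id (the weak setting)
         migrateSession new session id at login, attributes copied (default)
         newSession     new session id at login, attributes not copied -->
  <security:session-management session-fixation-protection="migrateSession">

    <!-- max-sessions="1": at most one active session per principal.
         error-if-maximum-exceeded="false" (default): a second login succeeds
           and the oldest session is expired; its next request is redirected
           to expired-url.
         error-if-maximum-exceeded="true": the second login is rejected until
           the first session ends.
         Sessions are grouped by principal object, so a custom UserDetails
         class needs consistent equals() and hashCode(). -->
    <security:concurrency-control max-sessions="1"
                                  error-if-maximum-exceeded="false"
                                  expired-url="/sessionExpired.html"/>
  </security:session-management>
</security:http>
```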
Pradeep bhatt
Ranch Hand

Joined: Feb 27, 2002
Posts: 8903

Thanks for the detailed reply.