Thanks for the question about the book. Yes, in the book, we spend quite a lot of time on the high level design and architecture of Spring Security, including some concepts such as filter chains that are core to the framework, but many developers don't really understand. As part of this overview, we cover (at a high level) all of the standard servlet filters that are part of the framework, and what they do.
As the book progresses, we work our way through enhancing a (purposely) very simple web-based application. To this application, we add a variety of features enabled by the Spring Security framework (and supporting filters) - for example, standard form-based authentication, CAS authentication, OpenID, session fixation protection, concurrency control, etc. We also illustrate how and when to implement custom filters through hands-on examples. Finally, in Chapter 6 we go through a full Spring Bean-style of configuration, where we throw away the entire <security:http> style of configuration and instead configure everything as Spring beans. Although this might be somewhat boring, interspersed between the configuration instructions are bits of explanation about what each bean (or filter) is doing.
I hope that answers your question!
Author, Spring Security 3 (the Book), Packt Publishing, 2010
Thanks for the reply, Peter. I was hoping there would be a progressive use of filters in the book, and it seems there is.
I am looking forward to the book now and wish you great success with it.
Pradeep bhatt wrote: Peter, how are Spring filters different from HTTP filters?
I assume you mean Spring [Security] filters, in which case they are largely the same thing. Some (but not all) of the Spring Security filters simply extend the relevant javax.servlet class, while others extend some Spring [Web] Framework helper classes (OncePerRequestFilter, etc.).
Thanks Peter. You did answer my question, but I have one more. Can you tell me more about concurrency control? Is it the same as database concurrency? I wonder what it has got to do with security.
Pradeep bhatt wrote: Thanks Peter. You did answer my question, but I have one more. Can you tell me more about concurrency control? Is it the same as database concurrency? I wonder what it has got to do with security.
Sure (although this seems like a slightly different topic) - concurrency control is intended to prevent certain types of session fixation attacks by allowing a particular user to have no more than "n" active sessions (where "n" is typically 1). There are pros and cons with the way Spring Security has implemented this, such that it tends to lead to a lot of confusion among users when it doesn't work -- we do explain this (and session fixation protection) in detail in Chapter 6 of the book, including walking you through how a "hacker" would be prevented from stealing your session through the use of concurrent session control.
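To tie the two answers above together, here is an added example (not code from the book, and not Peter's): a minimal custom filter built on Spring's OncePerRequestFilter helper class, wired into the chain next to a configuration that turns on session fixation protection and concurrent session control (one session per user, with the second login rejected). It uses Spring Security's Java configuration API, which appeared in Spring Security 3.2, later than the XML <security:http> style the book covers, so the wiring differs in form but not in the filters it produces. The class names RequestAuditFilter and SessionHardeningConfig, and the /login?expired URL, are hypothetical.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Hypothetical custom filter (not from the book). OncePerRequestFilter is the
 * Spring [Web] helper mentioned above: it guarantees doFilterInternal runs once
 * per request even if the container dispatches it again (forward, error page).
 * This filter only records who is making each request; it never blocks one.
 */
class RequestAuditFilter extends OncePerRequestFilter {

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        // SecurityContextPersistenceFilter has already run (see addFilterAfter
        // below), so the SecurityContext is populated for this request.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        String who = (auth == null) ? "anonymous" : auth.getName();
        // 'logger' is the Commons Logging field inherited from GenericFilterBean.
        logger.info("request " + request.getRequestURI() + " by " + who);
        chain.doFilter(request, response);
    }
}

@Configuration
@EnableWebSecurity
public class SessionHardeningConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            // Place the custom filter after SecurityContextPersistenceFilter so
            // the authenticated principal is available when it runs.
            .addFilterAfter(new RequestAuditFilter(), SecurityContextPersistenceFilter.class)
            .sessionManagement()
                // Session fixation protection: a fresh session id is issued at
                // login, so a session id known before login is useless afterwards.
                .sessionFixation().migrateSession()
                // Concurrency control: at most one active session per user. With
                // maxSessionsPreventsLogin(true) a second login is refused rather
                // than silently expiring the first session.
                .maximumSessions(1)
                    .maxSessionsPreventsLogin(true)
                    .expiredUrl("/login?expired");
    }

    /**
     * Concurrency control keeps a SessionRegistry of live sessions. Without this
     * listener the registry never hears that a session was destroyed, so a user
     * who logged out or timed out stays "at the limit" and cannot log in again,
     * which is the confusion Peter refers to. Declaring it as a bean works when
     * the servlet container registers Spring beans as listeners (e.g. Spring
     * Boot); in a plain web.xml deployment it is declared as a <listener> instead.
     */
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

The XML namespace equivalent of the session block, in the <security:http> style the book uses, is `<session-management session-fixation-protection="migrateSession"><concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/></session-management>`, with HttpSessionEventPublisher registered as a listener in web.xml. Whichever form is used, the thing to check when concurrency control "doesn't work" is that session-destroyed events actually reach the registry.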