Screamy said
Mularien has a comfortable writing style and the book is a lot less dry than several other Spring books I've read.
The first topics covered are authorization/authentication, XML configuration, the login/logout process and the overall architecture of secured web requests. You are then walked through configuring Spring Security for an example "pet store" web application, which starts off using an "in-memory" user credential store (configured via XML). Next, you progressively face-lift the example for more real-world usage, where your first stop is hooking up an actual database for storing user credentials. For simplicity, Mularien uses an HSQL embedded database, where enough setup/configuration information is provided to ensure success. Following his configuration examples, I was able to point Spring Security to a local MySQL instance instead and everything worked just fine.
Out-of-the-box, JDBC-based user management is covered next, where Spring Security's simplified "namespace" configuration tags are used. You then slowly progress towards using your own custom/legacy schema with database-resident authentication. Also covered are secure user passwords, password encryption types, salt usage/configuration (for extra password security), SSL use/setup via Tomcat and securing portions of your web app via Spring Security's "requires-channel" feature.
Fine-grained access control and authorization is next, with plenty of good coverage on Annotations and AOP expressions. There's also an explanation on JSR-250 compliant annotations vs. Spring Security's annotation set and the differences between them.
From there, Mularien goes on to advanced configuration and extension of Spring Security. You're walked through writing and wiring up a custom security filter, writing a custom AuthenticationProvider, session management/concurrency, exception handling, authentication event handling and, most importantly, how to manually configure Spring infrastructure beans for performing security tasks outside the scope of Spring Security's configuration "namespace" tags.
He also goes on to cover Access Control Lists, LDAP integration, single sign-on (via CAS), client certificate authentication (as well as how to create your own key pairs), OpenID and Kerberos.
Lastly, roughly 8 pages are devoted to migration from Spring Security v2.x to v3.x. I started out with Spring 3, so this info wasn't useful to me; regardless, I read through this chapter and think it would be helpful to those migrating.
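For readers who want to see what the reviewed chapters boil down to in practice, here is an added example (not from the book or from the reviewer) of a Spring Security 3.0 namespace configuration that ties together the features the review mentions: JDBC-backed users with the default schema, salted SHA-256 password hashing, HTTPS enforcement via requires-channel, a single-session concurrency limit, and both the Spring and JSR-250 method-security annotation sets. The URL patterns, role names and the HSQL datasource bean are assumptions chosen for the "pet store" scenario; substitute your own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <!-- Web request security. use-expressions="true" switches the access
       attribute to SpEL; requires-channel="https" redirects plain-HTTP
       requests for that pattern to the HTTPS port (default mapping 8080->8443). -->
  <http auto-config="true" use-expressions="true">
    <intercept-url pattern="/login.do" access="permitAll" requires-channel="https"/>
    <intercept-url pattern="/account/**" access="hasRole('ROLE_USER')" requires-channel="https"/>
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" requires-channel="https"/>
    <intercept-url pattern="/**" access="isAuthenticated()"/>
    <form-login login-page="/login.do" authentication-failure-url="/login.do?error=true"/>
    <logout logout-success-url="/login.do"/>
    <!-- Concurrency control: a second login for the same user is rejected. -->
    <session-management>
      <concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
    </session-management>
  </http>

  <!-- Database-resident users. jdbc-user-service queries the default
       users/authorities tables; stored passwords must be
       hex(SHA-256("password{username}")), since the username is the salt. -->
  <authentication-manager alias="authenticationManager">
    <authentication-provider>
      <password-encoder hash="sha-256">
        <salt-source user-property="username"/>
      </password-encoder>
      <jdbc-user-service data-source-ref="dataSource"/>
    </authentication-provider>
  </authentication-manager>

  <!-- Method-level authorization: @Secured, @RolesAllowed (JSR-250)
       and @PreAuthorize/@PostAuthorize are all honoured. -->
  <global-method-security secured-annotations="enabled"
                          jsr250-annotations="enabled"
                          pre-post-annotations="enabled"/>

  <!-- Assumed embedded HSQL datasource, as in the book's early chapters. -->
  <beans:bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
    <beans:property name="driverClassName" value="org.hsqldb.jdbcDriver"/>
    <beans:property name="url" value="jdbc:hsqldb:mem:petstore"/>
    <beans:property name="username" value="sa"/>
    <beans:property name="password" value=""/>
  </beans:bean>
</beans:beans>
```

Two practical checks before trusting this: if Tomcat is not on 8080/8443, add a <port-mappings> element inside <http> or the requires-channel redirect will point at the wrong port; and seed the users table with hashes produced by the same password + "{" + salt + "}" merge that MessageDigestPasswordEncoder uses, otherwise every login fails with "Bad credentials". Salted SHA-256 is what the 3.0 namespace offers; if you are on 3.1 or later, prefer BCryptPasswordEncoder via <password-encoder ref="..."/>.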
Spring Security 3
- Authors: Peter Mularien
- ISBN: 1847199747
- Published: 26 May 2010
- Purchase online: amazon.com
Secure your web applications against malicious intruders with this easy to follow practical guide
- Make your web applications impenetrable.
- Implement authentication and authorization of users.
- Integrate Spring Security 3 with common external security providers.
- Packed full with concrete, simple, and concise examples.
In Detail
Security is of critical importance to all web applications. Vulnerable applications are easy prey for hackers.