Introduction to Building Enterprise Web Application with Spring MVC
By Abdelmonaim Remani, [email protected], Polymathic-coder.com
Silicon Valley Code Camp v 4.0
Copyright (C) 2009 by Abdelmonaim Remani. All rights reserved.

Enterprise Application
- Complex
- Functional Requirements
- Non-Functional Requirements
  - Execution: Performance, Reliability, Security
  - Evolution: Testability, Maintainability, Extensibility, Scalability (horizontal and vertical)

Software complexity: the complexity of the problem remains constant no matter what abstractions we apply to reduce it. Design patterns, frameworks, and off-the-shelf components are just abstractions.

Functional requirements drive the application architecture; non-functional requirements drive the technical architecture.

Modern Enterprise Application
The Architecture
- N-Tier Application
  - Presentation Layer
    - Micro-Architecture (Commands, Validators, etc.)
    - MVC Pattern
  - Service / Business Layer
  - Data Access Layer
    - Naked Objects Pattern
  - Data
- Middleware
  - Resource Lookup
    - Service Locator pattern
    - Implicit Invocation
- Cross-Cutting Concerns
  - Aspect Oriented Programming

Before we talk about modern enterprise applications: the terms tier and layer are used loosely (logical vs. physical). The N-tier model is linear, whereas MVC is triangular.

Naked Objects pattern and ORM: encourage encapsulating data and logic in domain objects, eliminating the need for a conventional data access layer underneath those objects.

Middleware: RPC, web services, MOM, or something as sophisticated as an ESB or a SOA (WS orchestration, etc.).

Frameworks
- An Architecture: a well-defined structure to solve a problem
- Library
- Framework vs. Library
  - Invoking you vs. being invoked
  - Generic vs. specific
- Tools
  - Compiler, debugger, etc.
  - Scaffolding and other utilities
  - Etc.

Framework vs. platform: hardware + OS + runtime make up a platform. As you go up to the next level of abstraction, the lower one serves as a platform for the one on top of it.

Frameworks: Heavyweight vs. Lightweight
- The need for a platform or a stack (JEE as an example)
- The ability to load on demand only the necessary components
- The memory footprint
- The build size
- Deployment ease
- Etc.

The Spring Framework

What is Spring?
- Application Framework
- Java (other implementations are available, e.g. Spring.NET)
- Open-Source
- Lightweight
- POJO based
- By Rod Johnson
  - Expert One-on-One J2EE Design and Development, 2002
  - J2EE Development without EJB, 2004
- Becoming the de facto standard for Java enterprise applications

Features: Inversion of Control
The Problem
- Resources are acquired via
  - A static method of a singleton factory
  - Instantiation of a concrete class
  - A directory services API that allows for discovery and lookup (for example JNDI)
- Hard dependencies are created
  - Problems reusing code with hard dependencies
  - Painful unit testing in isolation

Features: Inversion of Control
The Solution
- Use parameterized classes
- Dependencies are decoupled from classes by coding against interfaces
- Inversion of Control: Dependency Injection
  - The Hollywood Principle: "Don't call us, we'll call you."
- Wait a minute, this is a lot of work! Spring to the rescue.

Good side effect: easy unit testing and DRYness.

The Tradeoff
- Resource injection is done at runtime
- Usually done using reflection
- No static type checking of the wiring

Features: Agility
- If you read the Agile Manifesto, Agile is for the most part written from a technical perspective
- Frequent deliverables
- Ability and ease of refactoring
- Decoupling, DRY, and TDD are key; Spring makes them easier
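The two Inversion of Control slides above are easier to see in code. The following is an added example written for this transcript, not code from the deck or from the Spring project: a service whose collaborators are interfaces injected through the constructor, wired once by hand the way a unit test would do it. All class and method names (PasswordResetService, UserRepository, AuditLog and the in-memory fakes) are hypothetical, and the "alice" record is constructed sample data.

```java
import java.util.HashMap;
import java.util.Map;

// Collaborators are interfaces, so the service has no hard dependency on a
// concrete JDBC repository or a concrete logger (hypothetical names).
interface UserRepository {
    String findEmail(String username);   // null when the user is unknown
}

interface AuditLog {
    void record(String event);
}

// The service is a "parameterized class": it receives its dependencies through
// the constructor. It never calls a static factory, never does a JNDI lookup and
// never uses "new" on a collaborator; the container (or a test) supplies them.
class PasswordResetService {
    private final UserRepository users;
    private final AuditLog audit;

    PasswordResetService(UserRepository users, AuditLog audit) {
        this.users = users;
        this.audit = audit;
    }

    // Returns true when a reset mail would be sent. Both outcomes are audited,
    // which is exactly the behaviour a unit test wants to pin down.
    boolean requestReset(String username) {
        String email = users.findEmail(username);
        if (email == null) {
            audit.record("reset-denied user=" + username);
            return false;
        }
        audit.record("reset-sent user=" + username + " to=" + email);
        return true;
    }
}

// In production Spring would build the same object from configuration such as
//   <bean id="resetService" class="PasswordResetService">
//     <constructor-arg ref="jdbcUserRepository"/>
//     <constructor-arg ref="fileAuditLog"/>
//   </bean>
// A unit test needs no container at all: it injects in-memory fakes.
class InMemoryUserRepository implements UserRepository {
    private final Map<String, String> emails = new HashMap<>();
    InMemoryUserRepository() { emails.put("alice", "alice@example.com"); } // constructed data
    public String findEmail(String username) { return emails.get(username); }
}

class RecordingAuditLog implements AuditLog {
    final StringBuilder lines = new StringBuilder();
    public void record(String event) { lines.append(event).append('\n'); }
}

public class DependencyInjectionDemo {
    public static void main(String[] args) {
        RecordingAuditLog audit = new RecordingAuditLog();
        PasswordResetService svc = new PasswordResetService(new InMemoryUserRepository(), audit);

        boolean known = svc.requestReset("alice");
        boolean unknown = svc.requestReset("mallory");
        System.out.println("alice: " + known + ", mallory: " + unknown);
        System.out.print(audit.lines);

        // The fake log lets the test check the security-relevant side effect
        // (a denied request is still audited) without a database or a log file.
        if (!known || unknown || !audit.lines.toString().contains("reset-denied user=mallory")) {
            throw new AssertionError("unexpected behaviour");
        }
    }
}
```

Save as DependencyInjectionDemo.java and run with plain javac/java; no Spring jar is needed because the wiring is done by hand, which is the whole point of the "easy unit testing" side effect.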

Features: AOP
- OOP creates a hierarchical object model by nature
- Cross-cutting concerns
  - Are not necessarily part of the application logic
  - Occur across the object model in unrelated parts
  - Logging, security, transaction management, etc.
- AOP (Aspect Oriented Programming): modularization of cross-cutting concerns

Features: Libraries
- POJO wrappers for most popular frameworks, allowing injection of dependencies into the standard implementation
  - Struts
  - JSF
  - Apache Tapestry
  - Etc.
- Full support of JEE
- Integration with other frameworks

Features: Other
(Diagram of the Spring Framework modules. Source: http://www.developersbook.com/spring/images/SpringFrameworkModules.PNG)

Spring Core
All you need to know is:
- The Container
- The Bean Factory
  - Manages bean instances (POJOs) and their life cycle
  - Configures their dependencies
  - Etc.
- Can be used as a partially compliant EJB3 container (Spring Pitchfork)

Spring MVC
- A Front Controller pattern
  - Dispatcher
  - Request routing
- Controllers are Spring beans (managed POJOs)
- Controllers are singletons; keep them stateless (no per-session state inside the controller) for scalability

Spring MVC
- Views: JSP, JSF, Flex
- Controllers: many types; custom controllers
- Model
  - Service Layer
  - DAO for persistence: JDBC and ORM (Hibernate, iBATIS, etc.)

Spring MVC Complements
- Spring Web Flow, for web applications that are
  - More dynamic
  - Non-linear, without arbitrary end points
- Spring Portlet MVC
  - A JSR 168 compliant portlet environment
  - Large web applications composed of subcomponents on the same web page

Spring Web Flow allows web apps to act like state machines: events are raised to change state. Spring Portlet MVC: shared state, SSO, and user authentication and authorization.

Spring Security
Formerly known as Acegi

Code Time!

Spring Security (Acegi)

Security Terminology
- Authentication: the verification of the user's identity
- Authorization: the permissions granted to the identified user
- Access Control: by arbitrary conditions that may depend on
  - Attributes of clients
  - Temporal and local conditions
  - Human user detection
  - Other
- Channel or Transport Security: encryption

Access control is like a gate that is either closed or open under certain conditions and designated to certain people only.

Security Terminology
- Realm: defines the authentication policy
- User: a defined individual in the application server
- Group: a defined classification of users by common traits in the application server
- Role: an abstract name for the permissions to access a particular set of resources in an application

Available Frameworks
- Spring Security (formerly Acegi)
- JAAS (Java Authentication and Authorization Service)
- jGuard
- Apache Shiro

Spring Security
Security is your responsibility.
Features:
- It is not the standard (not a JCP specification)
- No class loader authorization capabilities
- Simple configuration
- Portable across containers
- Customizable and extendable
- Pluggable authentication and web request URI security
- Supports method interception, Single Sign-On, and Swing clients

Compared to JAAS: simple configuration, versus .policy files whose authors still need to be trusted; and not all containers implement JAAS-based authorization.

Authentication
- Form-based
- Basic
- Digest
- LDAP
- NTLM (NT LAN Manager)
- SSO (Single Sign-On)
  - JA-SIG CAS
  - OpenID
  - Atlassian Crowd
  - SiteMinder
- X.509

Basic: HTTP standard (browser pop-up); the credentials are only base64-encoded, so HTTPS is used for encryption. Digest: challenge/response in which the client sends a hash of the credentials and a server nonce rather than the password itself (RFC 2617); the captured hash is still open to offline guessing, so HTTPS remains advisable. Note that Digest is not S-HTTP: SSL is designed to establish a secure connection, whereas S-HTTP is designed to send individual messages securely, and it is a separate, obsolete mechanism.

Authentication
- Mechanisms: interact with the user
- Providers: check the credentials and bundle the details in a thread-local security context holder
- Repositories: store roles and profile info
  - In memory
  - JDBC
  - LDAP
  - Etc.

Authorization
- Web authorization: URL-based
  - Which URL patterns and HTTP methods are allowed to be accessed by which role
  - The rules are evaluated top-down and the first match wins, so the most specific patterns go at the top
  - Paths are in Ant format by default
- Method authorization
  - Reusable
  - Protocol agnostic
  - Uses AOP
  - Annotation support: JSR-250 (@RolesAllowed), Spring @Secured, Spring Security 3.0 expression language (@PreAuthorize)
  - Support for instance-based security (domain object ACLs)
  - XML configuration
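The "top-down, most specific at the top" rule for URL authorization is the one that bites in practice. The following added example (written for this transcript, not code from the deck or from Spring Security) reproduces the first-match evaluation of intercept-url rules with Spring's own org.springframework.util.AntPathMatcher, and shows what happens when a catch-all "/**" is listed above "/admin/**". The Rule class, the role names and the paths are hypothetical; only AntPathMatcher and its match(pattern, path) method come from Spring.

```java
import java.util.Arrays;
import java.util.List;
import org.springframework.util.AntPathMatcher;

// Simulates the ordered evaluation of Spring Security's URL rules:
// the first rule whose Ant pattern matches the request path decides.
public class InterceptUrlOrderDemo {

    // Hypothetical stand-in for one <intercept-url pattern="..." access="..."/> entry.
    static final class Rule {
        final String pattern;
        final String requiredRole;
        Rule(String pattern, String requiredRole) {
            this.pattern = pattern;
            this.requiredRole = requiredRole;
        }
    }

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Walk the rules top-down; later rules are never consulted once one matches.
    static String requiredRole(List<Rule> rules, String path) {
        for (Rule r : rules) {
            if (MATCHER.match(r.pattern, path)) {
                return r.requiredRole;
            }
        }
        return "DENY"; // deny by default when nothing matched
    }

    static boolean allowed(List<Rule> rules, String path, List<String> roles) {
        return roles.contains(requiredRole(rules, path));
    }

    public static void main(String[] args) {
        List<String> ordinaryUser = Arrays.asList("ROLE_USER");

        // Correct order: most specific pattern first, catch-all last.
        List<Rule> specificFirst = Arrays.asList(
            new Rule("/admin/**", "ROLE_ADMIN"),
            new Rule("/**", "ROLE_USER"));

        // Misordered: same two rules, catch-all first. "/**" matches every path,
        // so the admin rule is dead code and ROLE_USER reaches /admin/users.
        List<Rule> catchAllFirst = Arrays.asList(
            new Rule("/**", "ROLE_USER"),
            new Rule("/admin/**", "ROLE_ADMIN"));

        String path = "/admin/users";
        boolean good = allowed(specificFirst, path, ordinaryUser);
        boolean bad = allowed(catchAllFirst, path, ordinaryUser);
        System.out.println("specific first: ROLE_USER reaches " + path + " = " + good);
        System.out.println("catch-all first: ROLE_USER reaches " + path + " = " + bad);

        if (good || !bad) {
            throw new AssertionError("rule ordering did not behave as expected");
        }
    }
}
```

Compile with spring-core on the classpath. Two related checks worth making on a real configuration: every list should end with a catch-all rule so unlisted paths are not silently open, and AntPathMatcher is case-sensitive by default, so on a container that serves paths case-insensitively a rule on "/admin/**" does not cover "/Admin/**" unless lower-case comparison is enabled.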

Spring AOP

Cross-Cutting Concerns
- Logging
- Transaction management
- Security
- Caching
- Some business logic
- Etc.

Introduce AOP by comparing it to OOP.

Aspect Oriented Programming
The Problem
- Code tangling: no cohesion
- Code scattering: not DRY
The Solution
- Aspect Oriented Programming (AspectJ)
- Modularization into aspects and weaving into the application code

Spring AOP
- Java-based AOP framework
- Uses the AspectJ pointcut expression language and the @AspectJ annotation style
- Interception based

AspectJ vs. Spring AOP: AspectJ uses bytecode modification for weaving; Spring AOP uses dynamic proxies. Interception removes the need for compile-time or load-time weaving, but only method-execution join points on Spring-managed beans can be advised (public methods through JDK interface proxies, protected ones as well through CGLIB subclass proxies), and a call a bean makes to one of its own methods never passes through the proxy, so it is not advised. For a security aspect this means a secured method reached by self-invocation is not checked.

AOP Terminology
- Join point: a point in the execution of the program
- Pointcut: an expression that selects one or more join points (AspectJ expression language)
- Advice: the code to be woven at a join point
- Aspect: pointcut + advice

Types of Advice (annotations)
- Before
- AfterReturning
- AfterThrowing
- After
- Around

Q & A

Thank You!
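To tie the AOP terminology back to the method-authorization slide, here is an added example written for this transcript (not code from the deck, and not Spring Security's own @Secured implementation, which works on the same proxy principle): an @AspectJ aspect with an Around advice that requires a role, woven onto a service with Spring's AspectJProxyFactory so no application context is needed, followed by a call that shows the self-invocation gap. It assumes spring-aop, aspectjweaver and spring-security-core 3.x or later on the classpath; AccountService, its methods, the aspect and the principals are hypothetical.

```java
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.springframework.aop.aspectj.annotation.AspectJProxyFactory;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical service interface; the JDK proxy will implement it.
interface AccountService {
    String closeAccount(String accountId);
    String closeAllAccounts();
}

class AccountServiceImpl implements AccountService {
    public String closeAccount(String accountId) {
        return "closed " + accountId;
    }
    // Calls closeAccount() on "this", i.e. on the target object, not on the
    // proxy: the advice around closeAccount() does not run for this inner call.
    public String closeAllAccounts() {
        return closeAccount("all");
    }
}

// Aspect = pointcut + advice. The pointcut is an AspectJ expression selecting
// the execution join point of any closeAccount method; the advice is Around,
// so it can refuse to proceed.
@Aspect
class RequireAdminAspect {
    @Around("execution(* closeAccount(..))")
    public Object checkRole(ProceedingJoinPoint pjp) throws Throwable {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !hasRole(auth, "ROLE_ADMIN")) {
            throw new SecurityException("ROLE_ADMIN required for " + pjp.getSignature().getName());
        }
        return pjp.proceed();
    }

    private static boolean hasRole(Authentication auth, String role) {
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if (role.equals(ga.getAuthority())) return true;
        }
        return false;
    }
}

public class SecuredProxyDemo {
    // Weave by interception: wrap the target in a dynamic proxy carrying the aspect.
    static AccountService securedService() {
        AspectJProxyFactory factory = new AspectJProxyFactory(new AccountServiceImpl());
        factory.addAspect(new RequireAdminAspect());
        return factory.getProxy();
    }

    public static void main(String[] args) {
        AccountService svc = securedService();

        // Constructed principal holding only ROLE_USER in the thread-local context.
        SecurityContextHolder.getContext().setAuthentication(
            new TestingAuthenticationToken("bob", "n/a", "ROLE_USER"));
        try {
            svc.closeAccount("42");
            throw new AssertionError("ROLE_USER must not be able to close accounts");
        } catch (SecurityException expected) {
            System.out.println("blocked by aspect: " + expected.getMessage());
        }

        // Self-invocation bypass: closeAllAccounts() is not advised, and the
        // closeAccount() it calls internally never goes through the proxy.
        System.out.println("via self-invocation, still ROLE_USER: " + svc.closeAllAccounts());

        SecurityContextHolder.getContext().setAuthentication(
            new TestingAuthenticationToken("alice", "n/a", "ROLE_ADMIN"));
        System.out.println("as admin: " + svc.closeAccount("42"));
        SecurityContextHolder.clearContext();
    }
}
```

The fix for the bypass is not in the aspect: either advise the outer method too, or move the secured operation into a separate bean so the call crosses a proxy boundary. The same applies to @Secured and @PreAuthorize in a real Spring Security setup, which are enforced by an interceptor on the proxy in exactly this way.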