I know there are many security frameworks and "building" a security framework is a bad idea.
In the recent project I have worked on, I used spring security to secure the web application. In the process, I over rided/tweaked some spring security classes to fit my requirement.
My management now wants me to "takeout" the things I did and distribute it as a re usable code in an internal portal.
Now, Is this is a fair thing to ask? I tried to explain them it's just some classes build on spring security and nothing special. But they are insisting on "creating" this framework.
Is this a fair requirement ? Any ideas on how to start ? I understand that getting started with spring security is not very easy.
If I am building this, what are the functions I need to provide?
If they need you to "takeout" the things you did then they should know what they want the framework to do. So Its probably better to ask them for requirements directly.
Regarding:
Is this a fair requirement ?
The answer is probably no. If they want you to do something they should give you specific requirements.
Just Yesterday I asked wheter someone knows a security-library which provides security-apis but at a bit lowerlevl than spring-security. Meaning a library which I call instead of a framework where I have to organize the code according to it (ie using a spring context).
So something I would need are apis for example to create safe remember-me tokens, do basic and dighest authentication, connecting to ldap - or just simply where I could use spring-security but without the spring-container).
Related
I am doing a small RESTfull API tutorial project as an information portal. I wrote the front by myself (html + css + js + a little burstrap). Rest chose because of the increasing popularity, since studying, then learning what is needed at the current time.
In general, I will pass to the essence of the problem: a site is a few pages with articles, general information, pictures, etc. - in short, nothing supernatural, and there is no magic logic. I decided to implement an administrator, because someone has to edit these articles, and then I rested.
I don’t understand how to implement it correctly? All I found was about spring security and the distribution of roles to users, but I don't need any users, I only need the site admin. How is this implemented correctly? Which way should I look?
P.S. Several people advised me not to use spring for this, but to take something simpler, such as django or flask, but I am studying Java and would like to master spring.
How about considering spring boot admin https://codecentric.github.io/spring-boot-admin/current/ ?
I also used spring boot admin. it is powerful
Your question is not a coding question, it's an application design question.
The solution is actually embedded in your question,
All I found was about spring security and the distribution of roles to users
You can create a page from which the admin can log in and edit whatever needed, you will have to design the admin panel and stuff like that.
The users' creation and login mechanism is a well-documented subject.
check here for example.
Check this for the JWT solution.
I am a newbie to java security, I need to implement input validator to my project , we are using struts 2.5.13 and we are testing through contrast security tool.
We had one vulnerability shown by contrast tool and that is “Expression Language Injection” and During my research on Owasp website , I have seen two projects one is Stinger Filter and Other Parameter Validation Filter . I am confused and not being able to decide which one is better and could provide more protection to my application.
Any of the security experts can answer this, I would like to know the thought on both the projects and which one I should use and why you think that’s better.
I will be thankful to you , if you provide me some detailed insight and help me in understanding security principles.
Both Stinger and PVF are ancient. I wouldn't use either. Fortunately, you don't need validation. You need to prevent untrusted input (like an HTTP parameter) from getting into an Expression Engine. So look at the full stack that Contrast gives you. Find where in your code is making that happen. Then fix it. Unfortunately, the problem may not be in your code, it may be in Struts itself. In that case, you should upgrade to the latest version. If that doesn't fix the problem, then you've discovered a new vulnerability in Struts -- fame and fortune await. Or you can just turn on Contrast Protect to prevent all EL vulnerabilities from being exploited.
I'm quite new to the Spring Security framework, and especially ACLs. After a few hours of reading I think I grasped most of what I need to do to start securing my application.
However something bothers me: while it's very easy to find usage descriptions on how to read the ACL permissions (via #PreAuthorize for example), it starts getting confusing when you want to create and persist them.
The Spring Security manual tells us they don't want to bother with any standard but we are encouraged to use AOP. Many tutorials and answers here rather use the AclService directly inside their business code, destroying the "separation of concerns" principle in the process.
So what should I do ? How do the pros do ? Should I try defining pointcuts on custom annotations for creation/deletion of ACL entries ? Or should I "pollute" my code with ACL concerns ?
Alright so I now understand much better, after one week of work, how these things work.
First, one shall try to stick with the simple, naive way of using ACLs using the AclService directly inside each service layer method. Building an abstraction helps a lot (basically a grantAccess(username, object, permission,...) method in a #Service bean).
Once everything is secured with ACLs writes and #PreAuthorize/#PostAuthorize/#Secured el tests, then you can start thinking about AOP to clean up your code from all the security concerns. You make up a list of service method using ACL writes and you add Advices to them to have one central place where all the security is handled.
Spring Security ACL is extremely easy to set up and understand, even on an existing project with existing users (you'll have to build a migration script).
I am going to develop small ERP System. The product has only one major requirement to support multiple databases.
I have planned to use
Front side: JSP+JSTL+JQuery [I have good command on that] + I have create my own custom component for re-useability and full control of my component.
Back-end: Using hibernate[ORM] framework [due to Cross database] and I have also good knowledge of it.
I am happy with above and feeling confident to build product, soon.
BUT
My friend made me unhappy ;)
My friend suggest me that you should use spring MVC with hibernate, because when your product become large,it create a problem in future due to many developers involvement.So, you should use framework , so that every developer follow the pattern and then your product remain stable.
But I am already follow hibernate pattern :)
I have no any knowledge of Spring MVC. When I search about spring MVC , I found it is a different thing than my requirement and also find Cross database context issue, if I use Spring MVC with hibernate.
Either should I used spring MVC or not. If yes, I have to learn then Spring MVC and
I do not want to waste my time, if spring is not suitable for me.
That's why I am consulting that forum , to go for right direction.
Actually, Spring MVC does not interfere with any of the components you have chosen already. It just introduces a way to structure your frontend - backend interface in a standard way (MVC pattern).
I actually run the very same setup and is very happy with it. (Jquery, JSP, Spring MVC, Hibernate).
Other than structure, you will get easy return of invested time in Spring MVC when you want to do Ajax heavy things (as I assume you want in an ERP app). It's trivial to build AJAX/JSON stuff with jQuery and SpringMVC.
Using Spring MVC will make your application structured. This will help in future maintenance.
Your code will look clean and you can separate your code into components and Spring will help you wire them together and you might decide to combine them in different ways, or wish to make it easy to swap out one component for another depending on different settings or environments. This would be great for multiple databases when used with hibernate.
Learning spring will not take much time if you have a good knowledge of Java EE.
I'm interested in porting an existing application which was written using Spring/Struts2/Hibernate to GAE. I didn't read many successful stories about that so first of all I'm wondering if it is wise to use any of them there. I want to get rid of hibernate and to use the google data store instead since it's obvious hibernate is not a good choice on GAE. So my main questions refers to Struts2(webworks)/Spring. My app uses simple JSP pages, no other template mechanism.
My question refers to the following aspects:
Currently each page has struts actions associated. Each request is taken by struts dispatcher an then it is dispatched to specific action class after which it invokes a specific jsp, according to the config file.
Everything is instantiated by Spring(actions, factories, hibernate layers,...)
The security is managed through a Spring Security(former acegi).
My first impression is that I should get rid of Spring because GAE should manage all the objects in order to work in a distributed environment. I have a few antagonistic thoughts regarding Struts. However, if I get rid of them ,I'm not sure if I should do it and in case I will, what to choose instead. Is GAE good enough to provide all the things I needed? I assume instantiation should be handled by GAE to have a truly sclalable solution. What about session management, security & user privileges? GAE provides good mechanism to manage them behind the scene or I should manually handle them like in a classic jsp solution? Will I end in having a huge web.xml?
Are there any frameworks that fits well in GAE and which can replace Spring/Struts? I would be interested to find out from someone who experienced those problems in GAE.
Here is a list of frameworks which are known to work or to have issues:
http://code.google.com/p/googleappengine/wiki/WillItPlayInJava
In general Hibernate will not work, but you could potentially use Java Persistence instead. Struts should be OK, but Spring Security is not fully compatible while other Spring parts are fine.
As far as I know, Struts is generally a layer over standard Servlet API - so it should be running without many changes. Spring also is not a problem, in fact, on the web there are many blog entries about spring on GAE. Hibernate - yeah, better use JPA.
If you want to rewrite whole app, you can always go with GWT, even with Spring ( GWT/GAE Spring IoC powered )