I have a classic Java SOA application, with a web UI module, web services module, a service module (Java API), a domain module and a persistence module. In a sense, each of these modules has their own public API.
My understanding of Spring Security is that I can use web filters to handle the security of the web gui and web services, and method level security (via annotations) for the service module.
My question is this: should I bother to add method level security to the domain module and the persistence module or is that considered overkill?
If you secure the external API's it's normally not needed to secure additional internal layers such as the domain model or DAO persistence layer.
But all depends on you're security requirements. Adding security roles to you're methods in the internal API's will make it more secure and can be considered a good defensive practice against security holes in you’re exposed API.
Related
I am pretty new to spring and currently I was able to create a complete web service with spring-ws. Now I want to separate the functionalities of my web service in to two separate web services. But except the service layer there are other spring components (business layer) which are common to both of these services.
So my question is there a way to make spring web service depend on another spring project (business layer)? If you can provide such example or a tutorial where a spring web service depends on another spring project it will be really helpful.
Thanks in advance.
UPDATE
I could achieve above by building my business layer as a jar file and adding it as a dependency to the service. But now my supervisor wants me to deploy the business layer in a separate server. But I could not find any information on how to handle communication here between web service and the business layer. Any idea?
I've created a "framework/toolkit" for a specific type of database search. This was done with Spring-Data JPA using hibernate. This framework is usable by standalone desktop app or as a web application.
This framework ships with entity classes, Spring-Data Repositories and a transactional Service layer with optional method level security (spring-security annotations).
now I would like to create a web application using this framework. Since grails is from spring to and also uses hibernate I thought this might work but I'm open to other suggestions.
The entities in the web application will extend such provided by my framework and should use spring-data repositories extending repositories provided by the framework and services extending provided services for data access.
Or said otherwise I'm mainly interested in the scaffolding part (controller and CRUD web pages) and not the data access part. I'm open to any other tools that can achieve this.
Is this possible with grails? Other suggestions? Spring Roo?
I'm starting new application. I would like to have all business logic and domain classes separeted in standalone module (something like remote EJB). This is because of the app will have at least two (later more may be) clients - Desktop, Web (Spring MVC).
Is this possible with Spring? Or should I use EJB and Spring only for MVC in web app client?
Thank you for reply.
Yes, this can be done. You'll either put the resulting jar as a library in your full application, or host is separately and use some remoting system (hessian, soap, rmi, ...) to interface between them. Spring can help with that as well.
I'm wondering if it is possible to create XML-RPC server component within EJB module without servlets. I know EJB typically uses RMI as communication protocol but what if I want to omit RMI. What if i want to exchange data between EJB and web module (WAR) or other clients by different way like XML-RPC.
Can EJB-module work as stand-alone unit which will expose its state and services as XML-RPC server?
I still can do EJB module connected with WAR via RMI while this WAR will expose those services via servlet. Then other WARs or whatever-they-are clients can call this first WAR. Is this right or there is some other possibility?
What you probably want is to use Spring Remoting to expose your EJBs via for instance JAX-WS. Spring will create automatically servlets for handling the requests for you. The bad news is that you have to call your EJBs from the remoting services you build - meaning some boilerplate code. It should be quite straight forward though.
An other possibility you might take a look at is Restlet which can be used to build restful services.
In EJB3, your service beans are just annotated POJOs. You can simply annotate the same POJOs with #WebService (and the rest of this family of annotations) to expose the same services as web services.
I realize this isn't strictly what you asked for as the implementation for services exposed in this way is JAX-WS which uses SOAP messages. But I think it achieves your intent.
I wanted to build an application based on Java EE 6, but the security mechanisms of Java EE are not sufficient and a pain to with for my needs. Spring Security seems the best way to secure my application. Now I wonder if Spring Security + EJB is a good combination or if I should be better use Spring only.
I need method interception, ACLs and possibly URL pattern access control. The main problem I see is to use EJB interception with Spring Security. It is a problem? What other areas could be problematic?
Would you prefer Spring Security + EJB or Spring Security + Spring (only)?
As skaffman said the real question is Java EE vs. Spring. There is a nice comparison from JBoss.
Spring Security is distinct from the Spring Framework. They work well together, but Spring Security does not require you to use the Spring Framework underneath.
So in a very real sense, it doesn't matter, it becomes a question of whether you prefer EJB3 or Spring, regardless of Spring Security.
I am not very familiar with EJB but my understanding has always been that it is essentially a data-access technology, or a way to distribute services.
Spring itself, and the Spring Security module, is designed to be very lightweight and unobtrusive. If you are building a web application and using Spring Security for logins/security, then it doesn't care or even know if you are using EJB vs JDBC vs remoting technologies etc.
After having spent a lot of days trying to find a way to only uses springsecurity to secure the ejb, I've adopted kind of hybrid solution: JAAS + springsecurity.
The client uses JAAS to be authenticated to the ejb on the sever, I've created a custom JAAS LoginModule which delegates authentication to the springsecurity code.
EJBs to perform their logic use methods which are annotated with jsr250 annotations (RolesAllowed), and this part is fully handled by spring security.
In this way I've achieved a clear separation between ejb and spring security so my business code, secured by springsecurity, is fully portable to any other kind of ApplicationServer or it can even run as standalone application.