Spring Security 3 (the Book)

by Peter Mularien
Now Available (May 29, 2010) from Packt Publishing

Why this Book?

I was inspired to write this book after my 5 Minute Guide to Spring Security tutorial became one of the top Google search results for "spring security tutorial". Packt and I joined up, and, almost one year later, here we are with a May 29, 2010 release date!

After spending a lot of time on the Spring Security community forums helping people, I realized that fundamentally many users of Spring Security (and Acegi before it) really do not understand how it's all put together from a high-level perspective. Furthermore, many users have the additional complexity of requiring integration with external authentication systems such as CAS, LDAP, or Active Directory, and fail to fully understand the integrations in a holistic way. These are the primary reasons why I wrote this book.

Why should you buy it?

  • You are implementing Spring Security 3 in a web-based application and want to understand how and why it works.
  • You are extending Spring Security 3 to incorporate your business needs for authentication, authorization, or custom integration.
  • You are a beginner to Spring Security 3 and would like an example-driven approach to learning to secure a web application from scratch.
  • You are integrating Spring Security 3 with an advanced security technology such as OpenID, CAS, LDAP, or Microsoft Active Directory.

I'm very proud of this book, and you should know that hours and hours of research went into it, to make it the most accurate, yet approachable, book on Spring Security 3 on the market. If you have any feedback, do write me at the email address in the "About this Site" section.

Best,

Peter Mularien, May 2010

What does it Cover?

In a nutshell, all of the following and more. You can see the full table of contents using the book preview feature on Amazon.

  • Overall Spring Security architecture, at both a high and low level
  • Implementation of all major Spring Security features, including:
    • JDBC-backed authentication
    • Method security with annotations and pointcuts
    • Session fixation protection
    • Concurrent session control
    • Password hashing
    • Access control lists (ACLs)
  • Integration of Spring Security with external authentication providers, including:
    • OpenID
    • LDAP
    • CAS
    • Client certificates (X.509)
    • Kerberos
    • Microsoft Active Directory
  • Full configuration of Spring Security using explicit Spring Bean declarations
  • Many custom coding samples, including custom servlet filters, custom AuthenticationProviders, exception handlers, and much more.

It's the only source for written, detailed documentation on many of these topics as they relate to Spring Security. If you value your time, the book is definitely a worthwhile investment! You may wish to read my blog post announcing the release of the book for additional information and commentary.

Where to get it?

You can purchase the book from the following online vendors:

The Spring Security 3 book is also available on at least two subscription services (that I am aware of):

  • PacktLib (from Packt Publishing) - online copies of all Packt Publishing books
  • Safari (from O'Reilly Publishing) - thousands of books from various publishers

My understanding is that Packt stocks physical books in some bookstores in the US and UK - please refer to their web site for more details on their distribution channels in your country.

FAQs

Why not use the Reference Manual or Blogs?

The Spring Security 3 reference manual, and accompanying Javadoc, are bar none the most accurate and comprehensive documentation available for the technology. Ben, Luke, and the entire Acegi team worked hard to deliver a top-notch user manual, with a very high level of quality for an open source project. This book is not a reference manual. It is intended to offer the reader a high level architectural view of "why and how things work", and then lead the user through a variety of common and uncommon configuration and customization scenarios. The material is covered to a depth that makes sense in a book, and which you're unlikely to see in a random blog post. This book will help you learn Spring Security.

I'm Using Acegi Security, or Spring Security 2 - Should I buy it?

We do have a section covering migration from Spring Security 2 to Spring Security 3 in a good level of detail, regarding configuration changes (major and minor) and class renaming and moves that occurred in the major version jump. Additionally, the overall architecture has not changed significantly since the days of Acegi security, so even Acegi 1.x users will find the overall architecture, high level component diagrams, and sections on integration with other systems valuable at a high level. I'd be interested in hearing from users of earlier versions of the technology as to what works for you and what doesn't!

Are there any Sample Chapters?

Packt has excerpted some of the content as articles on their web site. Although the articles have some minor editorial changes for formatting on the web site, and (IMO) don't look quite as crisply laid out as in the book, it gives you a good sense of the content, writing style, and depth of the book. There are currently a total of 3 published articles:

Is there Source Code?

The source code for the book is available at the book's page on the Packt Publishing site. Note that an email address is required to download the code.

Is this a "Recipes" Style Book?

No. Personally I am not a fan of recipe-style books, because I don't think they lead to the reader really understanding what goes on behind the scenes. With something like Spring Security, it is critically important to understand how the framework operates, because sooner or later you will be extending it; this is why the book's focus is much more on the "why" of the framework.

I'm Having Trouble Following the Examples...

Please contact me! I have helped a number of readers get started with the sample code. Although most are able to get up and running fairly quickly (typically, these readers are already familiar with Spring and Eclipse, but not with Spring Security), it can be overwhelming for someone who is completely new. I'm very happy to help you get up and learning!

Reviews

All the reviews I'm aware of will be posted below. In order to remain in compliance with the owning sites' copyright policies, I will only excerpt a summary of the relevant reviews. Please do read the full reviews, as many of the reviewers highlight strengths and (mostly minor) weaknesses of the book. Note that I am not responsible for any content of these reviews.

Positive Reviews

In addition to the published reviews I've linked to below, I have received numerous emails appreciating the contents of the book. Thanks! These types of emails mean a lot to me! If you have any questions prior to purchase, please do contact me!

  • amazon.com (November 7, 2010): Five Stars Very good guide about Spring Security 3.
  • grzegorzborkowski.blogspot.com (Aug 17, 2010): [T]he book is really good, and highly recommended to everybody who starts using Spring Security, or already knows it, but doesn't feel [like a] Spring Security expert yet.
  • books.dzone.com (Aug 3, 2010): This is an excellent book, well written, up-to-date, complete, with relevant examples and code.
  • amazon.com (July 7, 2010): Five Stars An Excellent Treatise on Spring Security 3.

Negative Reviews

Although I hate to hear of anyone disliking the book or feeling that they wasted their time and/or money on it, it's important to note that some have had negative impressions of the book. If you have any questions yourself, prior to or after purchase, I'd encourage you to contact me, read some of the sample chapters available, or use the "Look Inside the Book" feature on Amazon.

  • amazon.com (March 9, 2011): One Star Very Difficult to Follow
    • Like the reviewer below, this reader seems to have wanted a "Recipes" style book. I am sorry that they found it hard to follow. Since the first seven chapters of the book build on one long-running example, I agree that it would be hard to jump around in the book and understand what is going on; however, I don't believe the book is hard to follow if read in the order intended. Try it for yourself!
  • amazon.com (March 6, 2011): Two Stars No Depth
    • I hate to read another negative review, but personally I wonder if this reviewer read a different book - I believe this book is more in-depth than any available material on Spring Security 3. I like Gary Mak's Spring Recipes book, but it takes a different approach to learning than my book does. If you like recipe-style books, you most likely will not like Spring Security 3 (see my FAQ entry on this).

For Purchasers of the Book

Many purchasers of the book have written to me regarding questions, problems, or issues. Let me try to help you ensure that you get the best and most prompt response to your issue:

  • Problems with orders from Packtpub.com (or any other vendor): please contact the vendor directly to ensure they address any problems. Note that Packt in particular can have a 24-hour lag time to responses, as their order processing occurs largely overseas. If you haven't heard anything within 48 to 72 hours, let me know and I can attempt to help.
  • Problems with sample code: please do contact me (email address on the "About this Site" tab above) and I will try to help you out. If you are having trouble getting JSTL working in Tomcat, please review my blog post on this very subject.
  • Problems with Spring Security: although I am certainly happy to help out, I would suggest that your question (provided it's not specific to the book or sample code) is best reviewed by the larger community of experts at the Spring Security Community Forums. The forums are routinely monitored by both myself and experts from SpringSource and the community, and are a great way to learn and expand your knowledge, or answer specific problems!

I would also like to extend my deepest thanks and gratitude to those kind readers who have very nicely contacted me by email or in real life to express thanks, offer suggestions, or talk shop. Please don't hesitate to write!

Errata

While any developer hates to find bugs in their deliverables, it's incredibly frustrating with a book, because there's no chance of correcting it! Although I tried hard to avoid any errors in the book, in some cases edits were made without my knowledge that introduced errors. I'll document these here, and will communicate them to Packt as they are reported. If you notice anything, please contact me!

Chapter 2

  • The source code listings on Pages 28 and 36 should have <filter-class> and <servlet-class>, instead of <filterclass> and <servletclass>, respectively. The source code for this chapter contains the correct element names.

Chapter 3

  • When running the sample code for this chapter, you may encounter an error:
    • org.springframework.beans.NotReadablePropertyException: Invalid property 'principal.username' of bean class
    • If this occurs, please edit header.jsp and modify the following line:
      • Welcome, <strong><sec:authentication property="principal.username"/></strong>
    • To:
      • <sec:authorize access="isAuthenticated()">
        Welcome, <strong><sec:authentication property="principal.username"/> </strong>
        </sec:authorize>
    • I apologize for any inconvenience this may cause you!
  • The following section was inadvertently removed from the end of the chapter by the Packt editors. I apologize for missing this during my review of this chapter.

Introducing the Spring Security Tag Library

The Spring Security Tag Library is a standard JSP tag library which provides several bits of helpful functionality, invoked similarly to other JSP tag libraries. We’ll make more full use of the more sophisticated portions of the tag library in Chapters 5 and 7, but here we’ll add a minor feature to help out our users which will serve as an introduction to the tag library.

Adding Tag Library Reference to Header JSP

In WEB-INF/common/header.jsp, we’ll add a reference to the Spring Security tag library:

<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>

Much like the JSTL tag library reference we added earlier, the Spring Security tag library reference will need to be added to any page on which you use it.

Displaying the Current User’s Name

We’d like to have our authenticated users greeted when they visit the site, and display something like Welcome, guest in the header, when they are logged in. Fortunately, we can use the Spring Security tag library to accomplish this quickly and easily. Simply add the following to WEB-INF/common/header.jsp:

<div id="header">
<div class="username">
Welcome, <strong><sec:authentication property="principal.username"/></strong>
</div>
<ul>

We will see that when we log in, the friendly greeting is now displayed to the user. In fact, the <authentication> tag exposes the entire Authentication object for display. Any property on the object can be rendered, using standard JavaBeans property syntax. Recall from Chapter 2 that Authentication contains a getPrincipal() method, which typically returns a UserDetails object after authentication. We’d suggest referring to the JavaDoc for these interfaces to see what other kinds of information are available for use with the <authentication> tag!
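The property paths described above, resolved outside a JSP. This is an added example, not code from the book or its source download. It assumes the <authentication> tag resolves its property attribute with Spring's BeanWrapper, which is consistent with the exception class quoted in the Chapter 3 erratum. PrincipalPropertyDemo, resolve() and the two sample users are constructed for illustration. It shows that principal.username is readable only when the principal is a UserDetails, while name is readable for an anonymous visitor as well.

```java
import java.util.List;

import org.springframework.beans.BeanWrapperImpl;
import org.springframework.beans.NotReadablePropertyException;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;

// Hypothetical demo class; requires spring-beans and spring-security-core on the classpath.
public class PrincipalPropertyDemo {

    // Resolve a JavaBeans property path against an Authentication (assumed to
    // mirror what the tag does), returning a fallback when the path is not readable.
    static Object resolve(Authentication auth, String path, Object fallback) {
        try {
            return new BeanWrapperImpl(auth).getPropertyValue(path);
        } catch (NotReadablePropertyException e) {
            return fallback;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: a visitor who has not logged in. The principal
        // of an anonymous token is a plain String, not a UserDetails.
        List<GrantedAuthority> anonRoles = AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS");
        Authentication anonymous =
                new AnonymousAuthenticationToken("demoKey", "anonymousUser", anonRoles);

        // Constructed sample data: a logged-in user whose principal is a UserDetails.
        List<GrantedAuthority> userRoles = AuthorityUtils.createAuthorityList("ROLE_USER");
        User details = new User("guest", "not-a-real-password", true, true, true, true, userRoles);
        Authentication loggedIn =
                new UsernamePasswordAuthenticationToken(details, null, userRoles);

        for (Authentication auth : new Authentication[] { anonymous, loggedIn }) {
            System.out.println(auth.getClass().getSimpleName());
            System.out.println("  principal type     : " + auth.getPrincipal().getClass().getName());
            // getName() is defined on Authentication itself, so it works for both tokens.
            System.out.println("  name               : " + resolve(auth, "name", "<unreadable>"));
            // These paths exist only when the principal is a UserDetails.
            System.out.println("  principal.username : " + resolve(auth, "principal.username", "<unreadable>"));
            System.out.println("  principal.enabled  : " + resolve(auth, "principal.enabled", "<unreadable>"));
        }
    }
}
```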

 

Code Updates for Spring Security 3.1

We'll attempt to keep this section updated as progress continues on Spring Security 3.1 (as of Sept 2010, currently at 3.1.0M1 release, with active development continuing in the git repository). I haven't yet reviewed all the chapters, so please drop me an email if you spot anything!

Note that there are a number of enhancements in Spring Security 3.1. We aren't covering those here, but I hope to follow up with some relevant articles as Spring Security 3.1 gets finalized.

If you wish to use Spring Security 3.1 with the code in the book, the following changes are required:

Overall

  • With Spring Security 3.1, you must use Spring Framework 3.0.3 or greater. The Dependencies ZIP included in the book source code contains Spring Framework 3.0.0 (the most recent available as of the time of publishing). If you do not use Spring Framework 3.0.3 or greater, you may encounter various errors at runtime, although you are unlikely to experience compilation errors (making this mismatch harder to catch).
  • The reference to the Spring Security XSD has been updated, and should now be
    http://www.springframework.org/schema/security/spring-security-3.1.xsd. Note that as of this writing, this URL doesn't exist on the springframework.org site, so you may have to use the existing XSD reference, or http://www.springframework.org/schema/config/spring-security.xsd.

Chapter 6 / Appendix

Several changes are required to the bean-based configuration in this chapter, and the accompanying appendix. Thanks to alert reader Jaron Schut for giving me the heads up on this issue!

  • Page 185: The code reference to AccessDeniedHandlerImpl.SPRING_SECURITY_ACCESS_DENIED_EXCEPTION_KEY has (happily) been removed completely. The code should instead now use org.springframework.security.web.WebAttributes.ACCESS_DENIED_403.
  • Appendix: The constructor for MethodSecurityMetadataSourceAdvisor has an additional required parameter. This should match the name of the bean you've defined for DelegatingMethodSecurityMetadataSource. In our code sample, the resultant constructor should look like this:
    <bean class="org.springframework.security.access.intercept.aopalliance.MethodSecurityMetadataSourceAdvisor"
          id="methodSecurityMetadataSourceAdvisor">
    	<!-- Name of the advice (interceptor) bean -->
    	<constructor-arg value="methodSecurityInterceptor"/>
    	<constructor-arg ref="delegatingMetadataSource"/>
    	<!-- Spr Sec 3.1: bean name of the DelegatingMethodSecurityMetadataSource -->
    	<constructor-arg value="delegatingMetadataSource"/>
    </bean>
  • Speaking of DelegatingMethodSecurityMetadataSource, the fix for SEC-1467 changed this bean to use constructor injection. This means the explicit bean configuration has to change to compensate:
    <bean class="org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource"
          id="delegatingMetadataSource">
    	<!-- Spr Sec 3.1: metadata sources are now passed by constructor injection -->
    	<constructor-arg name="methodSecurityMetadataSources">
    		<list>
    			<ref local="prePostMetadataSource"/>
    			<ref local="securedMetadataSource"/>
    			<ref local="jsr250MetadataSource"/>
    		</list>
    	</constructor-arg>
    </bean>
  • Page 210: CustomWebSecurityExpressionHandler requires many changes in order to continue to work with Spr Sec 3.1. I'm hopeful that an alternative method of binding custom expression methods will be provided, and we can do away with the current implementation in the book, which requires us to copy a lot of private members and methods. I'll update this bullet as Spring Sec 3.1 progresses.

 

About this Site

This site is the "unofficial" site for the book, written and maintained by the author, Peter Mularien. Although Packt Publishing is aware of the site and has approved of it, Packt Publishing is not responsible for the content or maintenance of the site. All content on the site is the property of myself, the author.

If you're looking to contact the publisher, Packt Publishing, please visit the book's page on the Packt Publishing site.

If you have questions about the content of the book, interview requests, reviews, feedback, etc, please contact me at info (shift-2) springsecuritybook.com.

All brand names and trademarks are copyright their respective owners.

 


Questions? Problems? Contact me at info (shift-2) springsecuritybook.com. Site © 2010, Peter Mularien.