by Peter Mularien
Now Available (May 29, 2010) from Packt Publishing
I was inspired to write this book after my 5 Minute Guide to Spring Security tutorial became one of the top Google search results for "spring security tutorial". Packt and I joined up, and, almost one year later, here we are with a May 29, 2010 release date!
After spending a lot of time on the Spring Security community forums helping people, I realized that fundamentally many users of Spring Security (and Acegi before it) really do not understand how it's all put together from a high-level perspective. Furthermore, many users have the additional complexity of requiring integration with external authentication systems such as CAS, LDAP, or Active Directory, and fail to fully understand the integrations in a holistic way. These are the primary reasons why I wrote this book.
Why should you buy it?
I'm very proud of this book, and you should know that hours and hours of research went into it, to make it the most accurate, yet approachable, book on Spring Security 3 on the market. If you have any feedback, do write me at the email address in the "About this Site" section.
Peter Mularien, May 2010
In a nutshell, all of the following and more. You can see the full table of contents using the book preview feature on Amazon.
It's the only source for written, detailed documentation on many of these topics as they relate to Spring Security. If you value your time, the book is definitely a worthwhile investment! You may wish to read my blog post announcing the release of the book for additional information and commentary.
You can purchase the book from the following online vendors:
The Spring Security 3 book is also available on at least two subscription services (that I am aware of):
My understanding is that Packt stocks physical books in some bookstores in the US and UK - please refer to their web site for more details on their distribution channels in your country.
The Spring Security 3 reference manual, and accompanying Javadoc, are bar none the most accurate and comprehensive documentation available for the technology. Ben, Luke, and the entire Acegi team worked hard to deliver a top-notch user manual, with a very high level of quality for an open source project. This book is not a reference manual. It is intended to offer the reader a high level architectural view of "why and how things work", and then lead the user through a variety of common and uncommon configuration and customization scenarios. The material is covered to a depth that makes sense in a book, and which you're unlikely to see in a random blog post. This book will help you learn Spring Security.
We do have a section covering migration from Spring Security 2 to Spring Security 3 in a good level of detail, regarding configuration changes (major and minor) and class renaming and moves that occurred in the major version jump. Additionally, the overall architecture has not changed significantly since the days of Acegi security, so even Acegi 1.x users will find the overall architecture, high level component diagrams, and sections on integration with other systems valuable at a high level. I'd be interested in hearing from users of earlier versions of the technology as to what works for you and what doesn't!
Packt has excerpted some of the content as articles on their web site. Although the articles have some minor editorial changes for formatting on the web site, and (IMO) don't look quite as crisply laid out as in the book, it gives you a good sense of the content, writing style, and depth of the book. There are currently a total of 3 published articles:
The source code for the book is available at the book's page on the Packt Publishing site. Note that an email address is required to download the code.
No. Personally I am not a fan of recipe-style books, because I don't think they lead to the reader really understanding what goes on behind the scenes. With something like Spring Security, it is critically important to understand how the framework operates, because sooner or later you will be extending it; this is why the book's focus is much more on the "why" of the framework.
Please contact me! I have helped a number of readers get started with the sample code. Although most are able to get up and running fairly quickly (typically, these readers are already familiar with Spring and Eclipse, but not with Spring Security), it can be overwhelming for someone who is completely new. I'm very happy to help you get up and learning!
All the reviews I'm aware of will be posted below. In order to remain in compliance with the owning sites' copyright policies, I will only excerpt a summary of the relevant reviews. Please do read the full reviews, as many of the reviewers highlight strengths and (mostly minor) weaknesses of the book. Note that I am not responsible for any content of these reviews.
In addition to the published reviews I've linked to below, I have received numerous emails appreciating the contents of the book. Thanks! These types of emails mean a lot to me! If you have any questions prior to purchase, please do contact me!
Although I hate to hear of anyone disliking the book or feeling that they wasted their time and/or money on it, it's important to note that some have had negative impressions of the book. If you have any questions yourself, prior to or after purchase, I'd encourage you to contact me, read some of the sample chapters available, or use the "Look Inside the Book" feature on Amazon.
Many purchasers of the book have written to me regarding questions, problems, or issues. Let me try to help you ensure that you get the best and most prompt response to your issue:
I would also like to extend my deepest thanks and gratitude to those kind readers who have very nicely contacted me by email or in real life to express thanks, offer suggestions, or talk shop. Please don't hesitate to write!
While any developer hates to find bugs in their deliverables, it's incredibly frustrating with a book, because there's no chance of correcting it! Although I tried hard to avoid any errors in the book, in some cases edits were made without my knowledge that introduced errors. I'll document these here, and will communicate them to Packt as they are reported. If you notice anything, please contact me!
Introducing the Spring Security Tag Library
The Spring Security Tag Library is a standard JSP tag library which provides several bits of helpful functionality, invoked similarly to other JSP tag libraries. We’ll make more full use of the more sophisticated portions of the tag library in Chapters 5 and 7, but here we’ll add a minor feature to help out our users which will serve as an introduction to the tag library.
Adding Tag Library Reference to Header JSP
In WEB-INF/common/header.jsp, we’ll add a reference to the Spring Security tag library:
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
Much like the JSTL tag library reference we added earlier, the Spring Security tag library reference will need to be added to any page on which you use it.
Displaying the Current User’s Name
We’d like to have our authenticated users greeted when they visit the site, and display something like Welcome, guest in the header, when they are logged in. Fortunately, we can use the Spring Security tag library to accomplish this quickly and easily. Simply add the following to WEB-INF/common/header.jsp:
<div id="header">
Welcome, <strong><sec:authentication property="principal.username"/></strong>
We will see that when we log in, the friendly greeting is now displayed to the user. In fact, the <authentication> tag exposes the entire Authentication object for display. Any property on the object can be rendered, using standard JavaBeans property syntax. Recall from Chapter 2 that Authentication contains a getPrincipal() method, which typically returns a UserDetails object after authentication. We’d suggest referring to the JavaDoc for these interfaces to see what other kinds of information are available for use with the <authentication> tag!
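The following header fragment is an added example, not taken from the book or its sample code. It shows which property paths resolve for which kind of principal, and it assumes that expression support is enabled (use-expressions="true" on the <http> element) and that the principal is a UserDetails once the user has logged in.

```jsp
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<div id="header">
  <%-- principal.username resolves only when getPrincipal() returns a UserDetails.
       For an anonymous visitor the principal is a plain String, the property
       lookup fails and the page errors out, so the nested property is rendered
       only inside a block restricted to authenticated users. --%>
  <sec:authorize access="isAuthenticated()">
    Welcome, <strong><sec:authentication property="principal.username"/></strong>
    <%-- getAuthorities() is defined on Authentication itself; the collection
         of GrantedAuthority objects is rendered through toString(). --%>
    (authorities: <sec:authentication property="authorities"/>)
  </sec:authorize>

  <%-- getName() is also defined on Authentication itself, so this path
       resolves for every principal type, including the anonymous one. --%>
  <sec:authorize access="isAnonymous()">
    Browsing as <sec:authentication property="name"/>
  </sec:authorize>
</div>
```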
We'll attempt to keep this section updated as progress continues on Spring Security 3.1 (as of Sept 2010, currently at 3.1.0M1 release, with active development continuing in the git repository). I haven't yet reviewed all the chapters, so please drop me an email if you spot anything!
Note that there are a number of enhancements in Spring Security 3.1. We aren't covering those here, but I hope to follow up with some relevant articles as Spring Security 3.1 gets finalized.
If you wish to use Spring Security 3.1 with the code in the book, the following changes are required:
Several changes are required to the bean-based configuration in this chapter, and the accompanying appendix. Thanks to alert reader Jaron Schut for giving me the heads up on this issue!
<bean class="org.springframework.security.access.intercept.aopalliance.MethodSecurityMetadataSourceAdvisor"
      id="methodSecurityMetadataSourceAdvisor">
  <constructor-arg value="methodSecurityInterceptor"/>
  <constructor-arg ref="delegatingMetadataSource"/>
  <!-- Spr Sec 3.1 -->
  <constructor-arg value="delegatingMetadataSource"/>
</bean>

<bean class="org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource"
      id="delegatingMetadataSource">
  <!-- Spr Sec 3.1 -->
  <constructor-arg name="methodSecurityMetadataSources">
    <list>
      <ref local="prePostMetadataSource"/>
      <ref local="securedMetadataSource"/>
      <ref local="jsr250MetadataSource"/>
    </list>
  </constructor-arg>
</bean>
This site is the "unofficial" site for the book, written and maintained by the author, Peter Mularien. Although Packt Publishing is aware of the site and has approved of it, Packt Publishing is not responsible for the content or maintenance of the site. All content on the site is the property of myself, the author.
If you're looking to contact the publisher, Packt Publishing, please visit the book's page on the Packt Publishing site.
If you have questions about the content of the book, interview requests, reviews, feedback, etc, please contact me at info (shift-2) springsecuritybook.com.
All brand names and trademarks are copyright their respective owners.