What are good framework choices for web security in a Scala web application. We would like to try out Scala web development, but couldn't yet find good Scala web app security frameworks.
From the Java side I know at least Spring Security and Apache Shiro.
Do you have experience with Scala web app security frameworks or with Spring Security / Apache Shiro in a Scala context?
Lift has security baked in as described here by David Pollak, the author of Lift.
I used Spring Security in small Scala web application. I created it as I started to learn Scala and I tried to use complete Java stack: Spring MVC + Spring + Spring Security + Hibernate + BlazeDS (I also used Flex in this project for the frontend). Now I can tell that it was really nice and positive experience. Generally the question is how good scala integrates with Spring and Hibernate. I had to use #BeanProperty or #BeanInfo and java collections in entities.
But I have not faced any real issues from the spring security side. It was working as expected. I can remember only one minor issue with Spring AOP: service classes were publishing their methods through BlazeDS to the flex application. I also secured them with Spring Security's object ACLs (with <security:intercept-methods /> and <security:protect />). All this stuff, of course, is possible because of AOP magic. So I noticed this wired Spring AOP's behavior - if your class implements some interfaces, then it will use JDK's proxies to implement them and delegate all calls to target, but if class does not implementing any interfaces, then it will use cglib to extend your class and delegate each method call. The problem is that my public service classes does not implement any interfaces, but AOP was not working properly. The reason is ScalaObject interface that is implemented by all scala classes. So I created new traits for all public services in order to solve this problem (I have not found any way to configure Spring AOP - seems that this behavior is hardcoded).
So as you can see it's not a problem to use Spring Security with Scala. I believe that it should be even easier to use Apache Shiro because it claims to be completely container or environment independent (I heard that it's possible to use Spring Security outside Spring, but I also heard that it's pretty painful). Generally in Scala you can archive everything you can in Java. The question is how pretty/idiomatic/pure/side-effect-free resulting code would be.
By the way, there is a new project that integrates Lift with Apache Shiro: lift-shiro. Here you can also find small blog post about it.
Hope this helps.
Related
I'm so new to Spring and Spring security , we have an extended java application (not web application) and trying to use spring as a framework.
I've read a little about jaas and have made a simple jaas security framework for my application (not a perfect one).
now , as we want to merge to Spring framework , I have some questions:
Does "Spring Security" based on "jaas" or it can use jaas as an optional provider which can be replaced by something exactly different?
Does "Spring Security" has the ability to manage multiple parallel users in a single application? (particularly for authorization)
I've found that you should have lots of work to convert basic jaas api to a useful api (using DB, user/group management classes,...), what about "Spring Security"? (seems in jaas-Provider we have a lot's of useful implementations)
do you know any sample code using "Spring Security" for a swing application?
thanks a lot for your time
Spring Security is not based on JAAS. Indeed, it can use JAAS as an
optional provider.
Yes, it does. I'm not sure to fully understand your question, as if
it couldn't, it would be pointless.
Building a JAAS provider is indeed a lot of work. Developing a Spring
Security authentication provider is much much simpler.
You'll find a good sample here
Spring Security integrates quite nicely with JAAS .
Parallel users are all individually managed, both in terms of authentication as well as authorization, and includes a variety of constructs to configure authorization, from taglibs to pointcuts and annotations.
I have a working knowledge of Struts2 and Spring. I want to develop an application that manages information for multiple companies. I am totally confused about what technologies are best for my application. For instance: Struts2, and Hibernate MVC with Spring.
Can somebody help me select appropriate technologies?
Here is a quick breakdown of a J2EE stack you can use:
Use Struts2 for your controller layer
Use Hibernate for your data abstraction layer. Create service interfaces for your DAO. The interfaces will allow you to use some type of RMI for services later if desired, meaning those services can run on different machines than your web app. Have concrete classes implement those interfaces. The classes will contain business logic and validation of data, and will wrap the Hibernate session. The Hibernate session is used to read/write to/from the database. Use Hibernate annotations to expedite the implementation of Hibernate beans.
Use Spring for instantiating your service classes and Struts2 actions. Configure Spring to inject service instances into your Struts2 actions. This is called dependency injection. Reference interfaces, not classes in your Struts2 action's setter methods for the DI.
Use the Struts2 tag library or JSTL in your JSP, which will be your view layer.
Use Maven for your builds and deploys.
Run Apache with mod_jk, and use Tomcat as your servlet container. mod_jk runs w/ the Apache process, and passes requests to the Tomcat servlet container, which lives in the JVM.
If your application requires search capabilities, use SOLR, a REST service built on top of Lucene.
Instead of using Struts2, you could also take a look at Apache Wicket.
I had the same question few days back and following are the links I used to make a decision - I settled for Spring MVC. Also check out Spring ROO if you are starting afresh.
Choosing the right web framework
Comparing web frameworks
What Web Application Framework?
Ultimately choice will be based on your needs - but above links discuss what parameters you should consider before choosing one.
Hope that helps.
Agree with #Simian, and add some comments and reasons.
From a technological perspective, you should use any framework that utilize modern and mature technologies, such as Struts 2, Spring MVC, Hibernate, JSF, and etc.
However, from a business perspective, you should take more emphasis on the business model that your project consist of, and the demand for the framework is easy and rapid to implement, as well as robust and easy to maintain.
Therefore, as you are familiar with Struts 2, and Spring, I recommend:
1, Use Struts 2 as the MVC framework of your project, but use AJAX if required. You can also develop your interceptors to fulfill some common requirements of your project.
(Or, if you have time, you can learn Spring MVC as it works well with Spring framework, and has better support of AJAX and RESTful. JSF is not recommended, not because it isn't a superb framework, but it use a set of complete different concepts comparing to Struts 2 and Spring MVC, and it is difficult for an unskilled person to debug )
2, Just use Spring jdbcTemplate as your data layer, use DAO pattern to decouple.
(Or , you can learn Hibernate or JPA as your ORM framework, if you have time.)
3, Use Spring IoC to manage your objects and integration with Struts 2 and Hibernate, and manage transactions with Spring's annotations.
I've been doing it like this lately and find it so much better than XML hell(Spring security) or Glassfish security(because I don't need to have groups or set the tables up a certain way). Is this an ok way to secure Java EE applications? Thanks!
A homegrown Filter is perfectly doable when properly written, but it's less maintainable/reuseable because it's tight coupled to the webapplication in question. Java EE container managed security and Spring Security offers an API which is the same and reuseable for every webapplication. This may end up to be easier for developers/maintainers who are working on multiple different projects and wanted to implement/maintain the same. While relatively easy to implement, a homegrown Filter simply violates the DRY.
By the way, I wouldn't recommend using a PhaseListener for this since this hooks on JSF requests only, not on other requests like static CSS/JS/HTML files and "plain" JSP files.
So, I have an web-based application that is using the Wicket 1.4 framework, and it uses Spring beans, the Java Persistence API (JPA), and the OpenSessionInView pattern. I'm hoping to find a security model that is declarative, but doesn't require gobs of XML configuration -- I'd prefer annotations.
Here are the options so far:
Spring Security (guide) - looks complete, but every guide I find that combines it with Wicket still calls it Acegi Security, which makes me think it must be old.
Wicket-Auth-Roles (guide 1 and guide 2) - Most guides recommend mixing this with Spring Security, and I love the declarative style of #Authorize("ROLE1","ROLE2",etc). I'm concerned about having to extend AuthenticatedWebApplication, since I'm already extending org.apache.wicket.protocol.http.WebApplication, and Spring is already proxying that behind org.apache.wicket.spring.SpringWebApplicationFactory.
SWARM / WASP (guide) - This looks the newest (though the main contributor passed away years ago), but I hate all of the JAAS-styled text files that declare permissions for principals. I also don't like the idea of making an Action class for every single thing a user might want to do. Secure models also aren't immediately obvious to me. Plus, there isn't an Authn example.
Additionally, it looks like lots of folks recommend mixing the first and second options. I can't tell what the best practice is at all, though.
I don't know if you saw this blog post so I'm adding it here as reference and I'll just quote the end:
Update 2009/03/12: those interested in securing Wicket
applications should also be aware that
there is an alternative to
Wicket-Security, called
wicket-auth-roles. This thread
will give you a good overview of the
status of the two frameworks.
Integrating wicket-auth-roles with
Spring Security is covered here.
One compelling feature of
wicket-auth-roles is the ability to
configure authorizations with Java
annotations. I find it somehow more
elegant than a centralized
configuration file. There is an
example here.
Based on the information above and the one your provided, and because I prefer annotations too, I'd go for Wicket-Auth-Roles with Spring Security (i.e. guide 2). Extending AuthenticatedWebApplication shouldn't be a problem as this class extends WebApplication. And pulling your application object out of spring context using SpringWebApplicationFactory should also just work.
And if your concerns are really big, this would be pretty easy and fast to confirm with a test IMO :)
We've been using Wicket-security for years now and we have used it together with jaas files and with annotatations. Defining jaas files is quite a hassle and maintaining them is near impossible...
With annotations one has to define actions and principals for every page. This is timeconsuming however it does allow you to let the user define roles and authorizations dynamically. It is also possible to test all the principals using the WicketTester.
Each of the 3 packages has it's (dis)advantages, it's a matter of taste and it also depends on the size of the application.
Security always tends to take the last place in a new project. Or you use a framework like Spring where security is already build-in and can be switched on easily.
I try to find an open security framework that can be plugged-in to both Swing and Web applications (and JavaFX?), maybe easy to digest. I looked at plain JAAS, JGuard and JSecurity but its just too complicated to get started.
Any recommendations or experience to share ?
I am working with NB, Glassfish and MySQL.
Thanks
Sven
I have just taken a view of this http://shiro.apache.org/
Apache Shiro is a powerful and
easy-to-use Java security framework
that performs authentication,
authorization, cryptography, and
session management. With Shiro’s
easy-to-understand API, you can
quickly and easily secure any
application – from the smallest mobile
applications to the largest web and
enterprise applications.
I would strongly recommend learning JAAS. It really isn't that difficult to pick up, and there are some useful tutorials and a reference guide on the Sun web site.
In my experience, JAAS is pretty widely used, so it's definitely something you'll be able to reuse once you're learnt it. It also happens to be one of the building blocks for the Glassfish authentication mechanism!
I have done a similar research in JAAS for web application and has ran into a "mind roadblock" until I finally realize JAAS is a framework addressing security at a different "layer" then traditional web applications in the Java World. It is build to tackle security issues in J2SE not J2EE.
JAAS is a security framework build for securing things at a much lower level then web-application. Some example of these things are code and resources available at the JVM level, hence all these ability to set policy files in the JVM level.
However, since J2EE is build on top of J2SE, a few modules from JAAS was reuse in J2EE security such as the LoginModules and Callbacks.
On the other hand, Acegi, aka Spring Security, tackles a much higher "layer" in the securing web-application problem. It is build on top of J2EE security hence J2SE hence JAAS. Unless you are looking to secure resources in the J2SE level (classes, System resources), I don't see any real use of JAAS other than the using the common class and interfaces. Just focus on using Acegi or plain old J2EE security which solves a lot of common web application security problems.
At the end of the day, it is important to learn which "layer" of the J2EE-J2SE security issue you are tackling and choose the write tool(s) for the problem.
I would recommend you take a look at OACC (http://oaccframework.org). OACC was designed for solving the problem of application security. Unlike most frameworks OACC is able to store/manage the authorization relationships in your application. OACC's authorization model is more powerful that Shiro or Spring Security.
There is alternative from JBoss. A new version for PicketBox. More information here:
https://docs.jboss.org/author/display/SECURITY/Java+Application+Security
apache shiro miserably fails when you stress a web application under JBoss (say 2 million requests of a simple GET with a concurrency of 50 threads).
was very dissapointing to find out this.
it happens when you use filters.
You can read http://code4reference.com/2013/08/guest-posttop-java-security-frameworks-for-developing-defensive-java-applications/
It gives 1000mile view from various Java Security framework, such as JAAS, Shiro or Spring Security. All are depended on your requirements and technology stacks that you choose