I'm using Spring MVC v3.1.0 and HDIV (HTTP Data Integrity Validator) v2.1.0 as server-side framework and ExtJS v4.0 as client-side framework.
Now, I'm confused how to generate secure forms and links which contains HDIV state
and how to transform/convert those forms using ExtJS on client-side.
Any suggestion?
Thank you very much.
Now, I'm confused how to generate secure forms and links which contains HDIV
state and how to transform/convert those forms ....
Hdiv will do it for you if you configure spring to use hdiv.
See chapter 7.2.1.2 Modify the deployment descriptor in /WEB-INF/web.xml of the hdiv-reference.pdf
Related
We have a existing java web based application built on Jersey framework and looking to provide SSO support using Okta or any other IDP. I have seen many example applications for saml support for spring based applications. Is there any framework which can provide saml support for Jersey based applications? Or Spring SAML extensions can be tweaked to provide support for non-spring baed applications?
Please provide any links or pointers.
Thanks in advance!
It's possible to apply the Spring Security SAML extension on a non-Spring application. We are using Spring SAML with a Wicket web application.
I built a prototype with ADFS as an IdP to check feasibility, before we implemented this approach on the project. You can find the prototype in my Bitbucket repository: blog-spring-security.
Basically, you can use AbstractSecurityWebApplicationInitializer which should transparently enable Spring Security in your application.
public class WebAppInitializer extends AbstractSecurityWebApplicationInitializer {
public WebAppInitializer() {
super(SecurityConfiguration.class);
}
}
Spring configuration for SAML is quite extensive (couple of pages of source code), so I won't paste it here, but if you are going to use Java configuration you can utilize my SecurityConfiguration.java.
In case of XML configuration, I would recommend to follow either Reference Documentation, or sample project securityContext.xml.
Are there any Web Application Template Generators...
Something that would generate a Template Web application for me using the following technologies (or whatever i choose):
Spring MVC
Spring Security
JPA
Hibernate
JQuery
Idea is to have all the mundane stuff, already in place.
I found 'appfuse', but i can't find meaningful documentation on it.
Its QuickStart application uses Struts(instead of Spring mvc) - which i do not want to use.
Any other ideas?
I think Spring Roo is what you are looking for.
Spring Roo can easily generate configuration and sample template for most technologies which you mentioned.
There are many Java web application frameworks available but what are my alternatives when developing JSR 168 portlets? I found a couple:
Struts
Spring
That's it Sven, I haven't tried JSF portlet bridge, but I have been working with Struts portlet bridge and spring-webmvc-portlet almost 2 years.
this is my own opinion :
I would try to avoid using Struts portlet bridge. It's a dead thing that still exists because some Portals had utilized it and it is still built in them. It's quite old, it serves its purpose, but with something like spring-webmvc-portlet - using it wouldn't be wise. Unless you are Struts enthusiast and you haven't tried Spring-mvc or JSF.
I like the principle how spring portlet environment is integrated into servlet env. There is also everyhing that developer needs already implemented, except few things like
Add multipart request support to portlet resource requests (SPR-7662)
Spring Portlet MVC - Unable to return JSON data from #ResourceMapping (SPR-7344)
With Struts bridge you end up doing tons of low level stuff to hide the fact, that after request hits the Main Portal Servlet, it becomes "portlet request". With Spring you don't care :-) Talking about portals like Liferay, JBoss or uPortal
JSF with a portlet bridge: http://jboss.org/portletbridge
I'm developing a Java EE application (JSF2 + richfaces+ Facelets + Tomcat).
What's the best way to perform authentication when using JSF?
Or should I make my own ?
People usually pick between ( in no specific order) :
JAAS ( wich is Java/Java EE default security framework )
Spring Security
Custom Made Security
I never used Spring Security but the documentation is huge, i gave up trying that once because of time constraint. JAAS have the advantages of being simple and work out of the box with Tomcat.
I've seen custom security built on top of JAAS too.
What you really have to do is figure out what you will especifically need in your application and check wich frameworks suits your needs better.
Without knowing your business needs, if you only need Authentication (User login) i would say JAAS is the most simple way to go as is it not application intrusive and you wont need to add Spring dependencies if you are not already using it.
Go for Spring Security
Here is how to integrate it with JSF
Edit:
http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/
I think that Leonardo answered it correctly, but you could also consider Central Authentication Service(CAS) for enterprise wide security. It is a little more complex to configure, but the benefits are tremendous. It also supports an enormous number of out of the box authentication mechanisms from LDAP to NTLM. CAS also provides extension for custom authentication.
If you choose to use Java EE containers, and wish to use form based authentication, I have published a couple of examples for use with JSF 1.2 and 2.0 and j_security_check
JSF 1.2 Facelets Form Based Authentication (j_security_check)
JSF 2.x Facelets Form Based Authentication (j_security_check)
In addition, the Servlet 3.0 API provides login and authentication based on the container via the HttpServletRequest API.
JBoss Seam integrates EJB 3, Facelets, JSF, and hibernate really nicely. Also provides validation of data and some security stuff too. If you use it for all its features, it is really sweet. If you try to pick and choose only certain things out of it, then it is still cool, but you have a few work arounds. But I've been impressed with what I've seen of Seam so far.
Apart from the mentioned frameworks there's also Seam Security which integrates nicely with CDI through an Extension.
You can try Apache Shiro, which gives authentication, authorization and many other.
For simple authentication , a very simple approach is to check for valid user object in the template using JSTL, and show the login form if not.
for exmaple , assume your template is webapp/WEB-INF/templates/default.xhtml , inside the template:
<html...>
.
.
<h:body>
<c:if test="#{mbSecurity.validUser}">
.
. authenticated template sections goes here
.
</c:if>
<c:if test="#{not mbSecurity.validUser}">
<ui:include src="/WEB-INF/inc/login-form.xhtml" />
</c:if>
</h:body>
</html>
Advantages: Zero dependencies & zero-configurations, also if the session is expired, after the login, the user will back to the original page which he was in .
I know the Commons Validator framework is the de facto standard for Struts projects to validate input values both on the server side and the client side.
Is the same true for Spring MVC projects?
The reason I get the impression that it may not is that most Struts books and forums talk a lot about the Commons Validator framework, but only a few Spring books and forums do.
What's the best practice for validating input in Spring MVC projects?
Cheers!
Commons Validator is more or less obsolete now, following the introduction of the JSR-303 Validation API, which Spring 3 fully supports. It's an annotation-driven declarative framework.
See the relevant parts (here and here) of the Spring docs to see how Spring uses it.
These examples of server-side validation using JSR-330 rich client-side validation with Spring MVC should give you some easy-to-follow examples to get you started.