Tuesday, August 17, 2010

"Spring Security 3" by Packt Publishing - review

I've just finished reading Spring Security 3, and I may honestly recommend it to any Spring Security user. Peter Mularien's book is well written and easy to follow. I can't say it's the best Spring Security book on the market - simply because it is the only one... so there is no comparison to make. But even without it, it is highly recommended and worth its price.

The book is especially important, because Spring Security (SS - for short) documentation is not so user friendly as, for example, Spring Framework documentation. Spring Framework has one of the best documentation (I mean reference manual here) of open source project I ever see. Spring Security also has such manual, which is not that bad, and is definitely a good start point (when I started with SS, there was no other point of reference, so it had to suffice to start) - but it can't be compared to Spring Framework documentation. Because of this, any additional high-quality materials on SS are valuable. The Mularien's book is definitely such material.

The book covers all important topics related to Spring Security: authentication and authorization mechanisms, namespace and bean-based configuration, additional services (e.g. remember me, session management, custom filters), advances topics, like ACLs, and integration features (OpenID, CAS, etc). Really broad spectrum of SS applications is covered there. I really like the approach of presenting logic flow and classes relationships on diagrams - in case of such complicated beast as Spring Security is, they are really necessary to get a clear picture. Also, I really liked the fact that author points the user to the places in code or javadocs where additional or comprehensive information may be found - for example he put a note: "Methods and pseudo-properties for SpEL access expressions are declared by the public methods provided by the WebSecuirtyExpressionRoot class, and its superclasses" - very practical link to the right place (in Spring Security it is often not easy to find the exact class, which JavaDoc contains relevant information - that's why such information is valuable). The book also warns about some peculiarities of SS naming (e.g. interface Authentication is implemented by classes XxxAuthenticationToken - really strange and not intuitive), so it's good to be warned, it's then easier to remember such facts and not get lost.

To make this review fair, I have to also point some shortcomings.

First - some things which are not directly related to Spring Security, and because of this don't have to be described in this book, but are so closely related to the topic that I believe they deserve a bit more focus. For example, author mentions some typical security flaws and attack, but doesn't describe them (only points to external resources). I understand it's a book about Spring Security, not general web security. But in such context adding 3 more pages describing few most important threats, mistakes and attacks (SQL injection, XSS, CSRF) would be nice, I think. For sure the book will be read also by some beginners, who may not be aware of those attacks. And two other small missing things. The book described hypothetical security audit results: audit identified that user passwords were stored in clear text in database - and then we can read how to fix it. However, it doesn't mention the typical security problem: storing database password in clear text in spring security configuration file (e.g. if you use standalone DBCP bean) - which would be probably identified by such audit too. Obviously, Spring Security (nor Spring Framework, unfortunately) doesn't have any answer to this, and that's why it is not in the book. Still, if we talk about securing web application, I expected this problem to be at least mentioned there. And, similarly, it would be nice to have some information about protecting from brute force attack on passwords in database - again, Spring Security doesn't have any built-in tools for dealing with it, but it is worth mentioning at least (for example, how we can use Spring Security events in order to try to identify such attacks).

For me, the biggest missing point of the book is the lack of description of using UserDetails with mutable objects, such as JPA @Entities. This used to be one of the most unclear points in Spring Security - documentation in the past recommended using immutable objects as UserDetails implementations, but most of applications used some sort of ORM, like Hibernate, with mutable entities. The documentation has been actually fixed - now UserDetails javadoc clearly says that immutability is not required. However, taking into account that it is so common setup, and it used to be unclear in context of UserDetails, and caused many questions on SS forums, I expected to have example with such setup in this book - with info how it influences user caches etc (UserCache is not mentioned at all in the book, if I remember correctly).

Few other points - remember me services are described very good, but then, when second type of remember me is introduces, author says that, "...something that you may have noticed by now...", basic Remember Me tokens will not survive server restart. I rewound back to Remember Me service description and tried hard to find out why it won't - but couldn't find any clue. So something is missing here (or I didn't read carefully enough). Next: on page 143, author says "be aware that it is strongly encouraged to declare AOP rules on interfaces, and not on implementation classes". Well, this is embarrassing. I always though exactly opposite. See the citation from Spring Framework reference docs: "Spring recommends that you only annotate concrete classes (and methods of concrete classes) with the @Transactional annotation, as opposed to annotating interfaces." (and @Transactional is definitely kind of AOP rule). Next weak point: in section devoted to session-fixation attack protection, description of the attack itself is very unclear, and doesn't touch real problem I think. The book says "if hacker steals your session, he can only use it until you log in, because session-fixation protection will change your session identifier then". But if he stole my session before I logged in, he can do it again after, so what's this protection about? For me, the real session fixation attack is based on sending someone a link with session ID in it. So in fact the hacker don't steal the session, instead he "suggests" you the session. (Maybe this is not the only possible case, but the most popular at least.) Then this protection makes sense. But you probably won't figure it out from the book.

All in all, despite those small shortcomings, the book is really good, and highly recommended to everybody who starts using Spring Security, or already knows it, but doesn't feel Spring Security expert yet (also experts can learn some new things from this book, for example bout integration with external authentication systems). Because of those small shortcomings, I wouldn't probably give it full 5 stars, but 4.5 is a fair note.

Wednesday, July 21, 2010

"Spring Security 3" published by Packt

Recently (well, actually more than a year) I had not much time for updating this blog - this is because we started our own business and own project, which is very challenging and consumes 100% of my precious time.

This month, however, I was contacted by Packt Publishing, as they just published the book on Spring Security 3 and asked me if I would like to get a copy of this book, in order to write a review. From what it seems (at least looking at Amazon), it's the very first book on the market dedicated to Spring Security (there are books on Spring, containing some chapters about Spring Security, but it looks like there was no book on Spring Security itself). Obviously, I was interested, and just today I found the book in my mailbox. First impressions are very good: for example, fast scanning of the book reveals many UML and pseudo-UML diagrams, presenting decision flows and Spring Security classes hierarchies - this is great, personally I believe that learning this framework without such diagrams is hardly possible. The plethora of Spring Security classes, interfaces, and relations between them, makes them really hard to follow - that's why such diagrams are so important.

So, I start to read the book, and you can expect a new post with the book review soon.