Tuesday, August 17, 2010

"Spring Security 3" by Packt Publishing - review

I've just finished reading Spring Security 3, and I may honestly recommend it to any Spring Security user. Peter Mularien's book is well written and easy to follow. I can't say it's the best Spring Security book on the market - simply because it is the only one... so there is no comparison to make. But even without it, it is highly recommended and worth its price.


The book is especially important, because Spring Security (SS - for short) documentation is not so user friendly as, for example, Spring Framework documentation. Spring Framework has one of the best documentation (I mean reference manual here) of open source project I ever see. Spring Security also has such manual, which is not that bad, and is definitely a good start point (when I started with SS, there was no other point of reference, so it had to suffice to start) - but it can't be compared to Spring Framework documentation. Because of this, any additional high-quality materials on SS are valuable. The Mularien's book is definitely such material.


The book covers all important topics related to Spring Security: authentication and authorization mechanisms, namespace and bean-based configuration, additional services (e.g. remember me, session management, custom filters), advances topics, like ACLs, and integration features (OpenID, CAS, etc). Really broad spectrum of SS applications is covered there. I really like the approach of presenting logic flow and classes relationships on diagrams - in case of such complicated beast as Spring Security is, they are really necessary to get a clear picture. Also, I really liked the fact that author points the user to the places in code or javadocs where additional or comprehensive information may be found - for example he put a note: "Methods and pseudo-properties for SpEL access expressions are declared by the public methods provided by the WebSecuirtyExpressionRoot class, and its superclasses" - very practical link to the right place (in Spring Security it is often not easy to find the exact class, which JavaDoc contains relevant information - that's why such information is valuable). The book also warns about some peculiarities of SS naming (e.g. interface Authentication is implemented by classes XxxAuthenticationToken - really strange and not intuitive), so it's good to be warned, it's then easier to remember such facts and not get lost.


To make this review fair, I have to also point some shortcomings.


First - some things which are not directly related to Spring Security, and because of this don't have to be described in this book, but are so closely related to the topic that I believe they deserve a bit more focus. For example, author mentions some typical security flaws and attack, but doesn't describe them (only points to external resources). I understand it's a book about Spring Security, not general web security. But in such context adding 3 more pages describing few most important threats, mistakes and attacks (SQL injection, XSS, CSRF) would be nice, I think. For sure the book will be read also by some beginners, who may not be aware of those attacks. And two other small missing things. The book described hypothetical security audit results: audit identified that user passwords were stored in clear text in database - and then we can read how to fix it. However, it doesn't mention the typical security problem: storing database password in clear text in spring security configuration file (e.g. if you use standalone DBCP bean) - which would be probably identified by such audit too. Obviously, Spring Security (nor Spring Framework, unfortunately) doesn't have any answer to this, and that's why it is not in the book. Still, if we talk about securing web application, I expected this problem to be at least mentioned there. And, similarly, it would be nice to have some information about protecting from brute force attack on passwords in database - again, Spring Security doesn't have any built-in tools for dealing with it, but it is worth mentioning at least (for example, how we can use Spring Security events in order to try to identify such attacks).


For me, the biggest missing point of the book is the lack of description of using UserDetails with mutable objects, such as JPA @Entities. This used to be one of the most unclear points in Spring Security - documentation in the past recommended using immutable objects as UserDetails implementations, but most of applications used some sort of ORM, like Hibernate, with mutable entities. The documentation has been actually fixed - now UserDetails javadoc clearly says that immutability is not required. However, taking into account that it is so common setup, and it used to be unclear in context of UserDetails, and caused many questions on SS forums, I expected to have example with such setup in this book - with info how it influences user caches etc (UserCache is not mentioned at all in the book, if I remember correctly).


Few other points - remember me services are described very good, but then, when second type of remember me is introduces, author says that, "...something that you may have noticed by now...", basic Remember Me tokens will not survive server restart. I rewound back to Remember Me service description and tried hard to find out why it won't - but couldn't find any clue. So something is missing here (or I didn't read carefully enough). Next: on page 143, author says "be aware that it is strongly encouraged to declare AOP rules on interfaces, and not on implementation classes". Well, this is embarrassing. I always though exactly opposite. See the citation from Spring Framework reference docs: "Spring recommends that you only annotate concrete classes (and methods of concrete classes) with the @Transactional annotation, as opposed to annotating interfaces." (and @Transactional is definitely kind of AOP rule). Next weak point: in section devoted to session-fixation attack protection, description of the attack itself is very unclear, and doesn't touch real problem I think. The book says "if hacker steals your session, he can only use it until you log in, because session-fixation protection will change your session identifier then". But if he stole my session before I logged in, he can do it again after, so what's this protection about? For me, the real session fixation attack is based on sending someone a link with session ID in it. So in fact the hacker don't steal the session, instead he "suggests" you the session. (Maybe this is not the only possible case, but the most popular at least.) Then this protection makes sense. But you probably won't figure it out from the book.


All in all, despite those small shortcomings, the book is really good, and highly recommended to everybody who starts using Spring Security, or already knows it, but doesn't feel Spring Security expert yet (also experts can learn some new things from this book, for example bout integration with external authentication systems). Because of those small shortcomings, I wouldn't probably give it full 5 stars, but 4.5 is a fair note.

1 comment:

Peter Mularien said...

Thank you for the detailed review, Grzegorz! Certainly all valid points (both positive and negative), and I appreciate you spending your time reading the book. I'm sure this review will be valuable for those considering purchasing it.