I'm a Java developer living in Lodz (Łódź), Poland, working for several years with the Java EE/Spring platform. Like most Java web developers, I started with plain JSPs, went through Struts, EJBs, JSF, and other technologies, in a continuous search for the best solution for my job. I'm still searching, but I've already found some pieces of software which are programmers' masterpieces, like the Spring Framework or the Ext-JS JavaScript framework. Recently I've been experimenting with RESTful web services and web applications, combining Spring with REST and Ext-JS. Other areas of my interest cover Groovy/Grails, OSGi, and modern build tools.

Spring Security 3 by Packt Publishing - Review


I've just finished reading Spring Security 3, and I can honestly recommend it to any Spring Security user. Peter Mularien's book is well written and easy to follow. I can't say it's the best Spring Security book on the market - simply because it is the only one... so there is no comparison to make. But even without it, it is highly recommended and worth its price.

The book is especially important because the Spring Security (SS for short) documentation is not as user friendly as, for example, the Spring Framework documentation. The Spring Framework has some of the best documentation (I mean the reference manual here) of any open source project I have ever seen. Spring Security also has such a manual, which is not that bad and is definitely a good starting point (when I started with SS there was no other point of reference, so it had to suffice), but it can't be compared to the Spring Framework documentation. Because of this, any additional high-quality material on SS is valuable. Mularien's book is definitely such material.

The book covers all the important topics related to Spring Security: authentication and authorization mechanisms, namespace and bean-based configuration, additional services (e.g. remember me, session management, custom filters), advanced topics like ACLs, and integration features (OpenID, CAS, etc.). A really broad spectrum of SS applications is covered. I really like the approach of presenting the logic flow and class relationships on diagrams; in the case of such a complicated beast as Spring Security, they are really necessary to get a clear picture. I also really liked the fact that the author points the reader to the places in the code or Javadocs where additional or comprehensive information may be found. For example, he put in a note: "Methods and pseudo-properties for SpEL access expressions are declared by the public methods provided by the WebSecurityExpressionRoot class, and its superclasses" - a very practical link to the right place (in Spring Security it is often not easy to find the exact class whose Javadoc contains the relevant information, which is why such information is valuable). The book also warns about some peculiarities of SS naming (e.g. the interface Authentication is implemented by classes named XxxAuthenticationToken - really strange and not intuitive), so it's good to be warned; it's then easier to remember such facts and not get lost.

To make this review fair, I also have to point out some shortcomings.

First, some things which are not directly related to Spring Security, and therefore don't have to be described in this book, but are so closely related to the topic that I believe they deserve a bit more focus. For example, the author mentions some typical security flaws and attacks, but doesn't describe them (he only points to external resources). I understand it's a book about Spring Security, not about general web security. But in this context, adding three more pages describing a few of the most important threats, mistakes and attacks (SQL injection, XSS, CSRF) would be nice, I think. The book will surely also be read by some beginners who may not be aware of those attacks. And there are two other small missing things. The book describes hypothetical security audit results: the audit identified that user passwords were stored in clear text in the database, and then we read how to fix it. However, it doesn't mention the typical security problem of storing database passwords in clear text in the Spring Security configuration file (e.g. if you use a standalone DBCP bean), which would probably be identified by such an audit too. Of course, neither Spring Security nor, unfortunately, the Spring Framework has any answer to this, and that's why it is not in the book. Still, if we talk about securing a web application, I expected this problem to be at least mentioned. Similarly, it would be nice to have some information about protecting against brute-force attacks on the passwords in the database. Again, Spring Security doesn't have any built-in tools for dealing with this, but it is worth mentioning at least (for example, how we can use Spring Security events to try to identify such attacks).
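As an added example (not code from the book or from the review's author), one way to follow the suggestion above: a Spring bean that listens to the authentication events Spring Security 3 publishes and flags repeated bad-credentials failures for a single username inside a time window. The threshold and window values, the class name and the commons-logging output are assumptions; detection is logged only, and any lockout policy is left to the application.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AbstractAuthenticationEvent;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

/**
 * Added example, not part of the book or Spring Security itself. Registering it as a bean
 * (e.g. <bean class="example.BruteForceAuditListener"/>) is enough: the Spring Security 3
 * namespace configuration wires up an AuthenticationEventPublisher that fires these events.
 */
public class BruteForceAuditListener implements ApplicationListener<AbstractAuthenticationEvent> {

    private static final Log log = LogFactory.getLog(BruteForceAuditListener.class);
    // Assumed policy: more than MAX_FAILURES for one username within WINDOW_MS is suspicious.
    private static final int MAX_FAILURES = 5;
    private static final long WINDOW_MS = 60 * 1000L;

    private final ConcurrentMap<String, Deque<Long>> failures = new ConcurrentHashMap<String, Deque<Long>>();

    public void onApplicationEvent(AbstractAuthenticationEvent event) {
        String user = event.getAuthentication().getName();
        if (event instanceof AuthenticationFailureBadCredentialsEvent) {
            if (recordFailure(user, System.currentTimeMillis())) {
                // Detection only: leave an audit trail; locking the account or blocking the
                // source address is a separate policy decision for the application.
                log.warn("Possible brute-force attempt against user '" + user + "' from "
                        + remoteAddress(event));
            }
        } else if (event instanceof AuthenticationSuccessEvent) {
            failures.remove(user); // a successful login resets the window for that user
        }
    }

    /** Records one failure and returns true when the count inside the window exceeds the threshold. */
    boolean recordFailure(String user, long now) {
        Deque<Long> times = failures.get(user);
        if (times == null) {
            Deque<Long> fresh = new ArrayDeque<Long>();
            times = failures.putIfAbsent(user, fresh);
            if (times == null) {
                times = fresh;
            }
        }
        synchronized (times) {
            times.addLast(now);
            while (!times.isEmpty() && now - times.peekFirst() > WINDOW_MS) {
                times.removeFirst(); // drop failures that fell out of the window
            }
            return times.size() > MAX_FAILURES;
        }
    }

    /** The remote address is available when the form-login filter attached WebAuthenticationDetails. */
    private static String remoteAddress(AbstractAuthenticationEvent event) {
        Object details = event.getAuthentication().getDetails();
        return details instanceof WebAuthenticationDetails
                ? ((WebAuthenticationDetails) details).getRemoteAddress() : "unknown";
    }
}
```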

For me, the biggest missing point of the book is the lack of any description of using UserDetails with mutable objects, such as JPA @Entities. This used to be one of the most unclear points in Spring Security: the documentation in the past recommended using immutable objects as UserDetails implementations, but most applications used some sort of ORM, like Hibernate, with mutable entities. The documentation has actually been fixed; the UserDetails Javadoc now clearly says that immutability is not required. However, taking into account that this is such a common setup, that it used to be unclear in the context of UserDetails, and that it caused many questions on the SS forums, I expected to find an example of such a setup in this book, with information on how it influences user caches etc. (UserCache is not mentioned at all in the book, if I remember correctly).

A few other points. Remember-me services are described very well, but then, when the second type of remember me is introduced, the author says that, "...something that you may have noticed by now...", basic Remember Me tokens will not survive a server restart. I went back to the Remember Me service description and tried hard to find out why they won't, but couldn't find any clue. So something is missing here (or I didn't read carefully enough). Next: on page 143, the author says "be aware that it is strongly encouraged to declare AOP rules on interfaces, and not on implementation classes". Well, this is embarrassing. I always thought exactly the opposite. See this citation from the Spring Framework reference docs: "Spring recommends that you only annotate concrete classes (and methods of concrete classes) with the @Transactional annotation, as opposed to annotating interfaces." (and @Transactional is definitely a kind of AOP rule). Next weak point: in the section devoted to session-fixation attack protection, the description of the attack itself is very unclear, and I think it doesn't touch the real problem. The book says "if hacker steals your session, he can only use it until you log in, because session-fixation protection will change your session identifier then". But if he stole my session before I logged in, he can do it again afterwards, so what is this protection about? For me, the real session fixation attack is based on sending someone a link with a session ID in it. So in fact the attacker doesn't steal the session; instead he "suggests" the session to you. (Maybe this is not the only possible case, but it is the most popular at least.) Then this protection makes sense. But you probably won't figure that out from the book.

All in all, despite those small shortcomings, the book is really good, and highly recommended to everybody who is starting with Spring Security, or already knows it but doesn't feel like a Spring Security expert yet (even experts can learn some new things from this book, for example about integration with external authentication systems). Because of those small shortcomings, I probably wouldn't give it the full 5 stars, but 4.5 is a fair score.

From http://grzegorzborkowski.blogspot.com/2010/08/spring-security-3-by-packt-review.html

Published at DZone with permission of its author, Grzegorz Borkowski.

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)



Adedayo Abiodun replied on Thu, 2010/08/19 - 5:37pm

Lodz, I was just reading through your blog on ACL, because I needed something to complement what Packt SS3 offered on ACL. I think your blog (http://grzegorzborkowski.blogspot.com/2008/10/spring-security-acl-very-basic-tutorial.html) is also a nice reference for understanding ACL in SS. I just read the book too. I must say it's a great book. I am not a great fan of Packt books, but Spring Security 3 is certainly worth reading. While I have used SS, and was kind of comfortable with it, reading this book did empower my knowledge of Spring Security and also pointed out some important references for further reading. I will be making reference to it from time to time. If anyone is still contemplating getting Packt's SS3, then I will say go ahead. I believe it will help both beginners and intermediate users.

Abel Morelos replied on Fri, 2010/08/27 - 11:55am

I have read 3 chapters of this book so far, and I think it is a great introduction to Spring Security, but maybe not enough for a serious security treatment; it is just about Spring Security with a few tips on real security topics.

King Sam replied on Fri, 2012/02/24 - 10:19am

Thank you for the detailed review, Grzegorz! Certainly all valid points (both positive and negative), and I appreciate you spending your time reading the book. I'm sure this review will be valuable for those considering purchasing it.
