Multi Client Development with Spring - Josh Long

© 2013 SpringSource, by VMware
Multi Client Development with Spring
Josh Long (⻰龙之春)
@starbuxman
joshlong.com
josh.long@springsource.com
slideshare.net/joshlong
Wednesday, June 5, 13

Spring’s Servlet support

Servlet 3.0 Initializer Classes
public class SampleWebApplicationInitializer implements WebApplicationInitializer {
public void onStartup(ServletContext sc) throws ServletException {
AnnotationConﬁgWebApplicationContext ac = new AnnotationConﬁgWebApplicationContext();
ac.setServletContext(sc);
ac.scan( “a.package.full.of.services”, “a.package.full.of.controllers” );
sc.addServlet("spring", new DispatcherServlet(ac));
}
}

Servlet Support in Spring
§ Spring Dispatcher Servlet provides a lot of powerful support
§ lots of convenient utility objects
HttpRequestHandlers supports remoting: Caucho, Resin, JAX RPC, etc.
DelegatingFilterProxy javax.ﬁlter.Filter that delegates to a Spring-managed lifecycle
HandlerInterceptor wraps requests to HttpRequestHandlers
ServletWrappingController lets you force requests to a servlet through the Spring Handler chain
OncePerRequestFilter ensures that an action only occurs once
WebApplicationContextUtils has a static method to look up the current ApplicationContext given a ServletContext

Spring Web Framework Support
•Spring Faces for JSF 1 and 2
•Struts support for Struts 1
•Tapestry, Struts 2, Stripes, Wicket, Vaadin, Play framework, etc.
•GWT, Flex

introducing Spring MVC

classic Spring MVC application architecture
DispatcherServlet controller
view
template
delegate
request
delegate
rendering of
response
render
response
return
control
model
model
incoming
requests
return
response

the anatomy of a Spring MVC controller
@Controller
public class CustomerController {
// ...
}

@Controller
@RequestMapping(value= “/url/of/my/resource”)
public String processTheRequest() {
// ...
return “home”;
}
}
GET http://127.0.0.1:8080/url/of/my/resource

@Controller
@RequestMapping(value= “/url/of/my/resource”, method = RequestMethod.GET)
public String processTheRequest() {
// ...
return “home”;
}
}

@Controller
@RequestMapping(value=“/url/of/my/resource”, method = RequestMethod.GET)
public String processTheRequest( HttpServletRequest request) {
String contextPath = request.getContextPath();
// ...
return “home”;
}
}

@Controller
@RequestMapping(value=“/url/of/my/resource”, method = RequestMethod.GET)
public String processTheRequest( @RequestParam(“search”) String searchQuery){
// ...
return “home”;
}
}
GET http://127.0.0.1:8080/url/of/my/resource?search=searchQuery

@Controller
@RequestMapping(value=“/url/of/my/{id}”, method = RequestMethod.GET)
public String processTheRequest( @PathVariable(“id”) Long id){
// ...
return “home”;
}
}
GET http://127.0.0.1:8080/url/of/my/12345

@Controller
@Inject private CustomerService service ;
public String processTheRequest(Model model, @PathVariable(“id”) Long id){
model.addAttribute(“customer”, service.getCustomerById( id ) );
return “home”;
}
}
GET http://127.0.0.1:8080/url/of/my/12345

@Controller
public String processTheRequest( ... ){
return “home”;
}
}

@Controller
public View processTheRequest( ... ){
return new XsltView(...);
}
}

@Controller
@RequestMapping(value=“/url/of/my/{id}”, method = RequestMethod.PUT)
public ResponseEntity<byte[]> processTheRequest(UriComponentsBuilder componentsBuilder){
byte[] bytesToReturn = ...
HttpHeaders headers = new HttpHeaders();
headers.setLocation( componentsBuilder.toUri() );
return new ResponseEntity<byte[]>(
bytesToReturn, headers, HttpStatus.CREATED
);
}
}

Demonstration

when dumb clients
roamed the earth...

Roy Fielding’s “REST”
• The term Representational State Transfer was introduced and
defined in 2000 by Roy Fielding in his doctoral dissertation.
§ Takeaways:
• Use HTTP methods explicitly.
• Be stateless
• an HTTP resource is uniquely described by its URL

RestTemplate
•DELETE delete(...)
•GET getForObject(...)
•HEAD headForHeaders(...)
•OPTIONS optionsForAllow(...)
•POST postForLocation(...)
•PUT put(...)
•any HTTP operation - exchange(...) and execute(...)

RestTemplate
§ Google search example
§ Multiple parameters
RestTemplate restTemplate = new RestTemplate();
String url = "http://example.com/hotels/{hotel}/bookings/{booking}";
String result = restTemplate.getForObject(url, String.class, "42", “21”);
String url = "https://ajax.googleapis.com/ajax/services/search/web?v=1.0&q={query}";
String result = restTemplate.getForObject(url, String.class, "SpringSource");

the anatomy of a Spring MVC REST controller
@Controller
@Inject private CustomerService service ;
@RequestMapping(value=”/url/of/my/resource”, method = RequestMethod.GET)
public @ResponseBody Customer processTheRequest( ... ) {
Customer c = service.getCustomerById( id) ;
return c;
}
}

the anatomy of a Spring MVC REST controller
@Controller
@RequestMapping(value=”/url/of/my/resource”, method = RequestMethod.POST)
public void processTheRequest( @RequestBody Customer customer ) {
// ...
}
}
POST http://127.0.0.1:8080/url/of/my/resource

A Fly in the Ointment
•modern browsers only speak GET and POST
<filter>
<filter-name>hiddenHttpMethodFilter</filter-name>
<filter-class>org.springframework.web.filter.HiddenHttpMethodFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>hiddenHttpMethodFilter</filter-name>
<url-pattern>/</url-pattern>
<servlet-name>appServlet</servlet-name>
</filter-mapping>

build mobile
friendly web applications

Be Where Your Users Are
§ Best strategy? Develop Native
• Fallback to client-optimized web applications
§ Spring MVC mobile client-specific content
negotiation and rendering
• for other devices

Registering Spring Android
@EnableWebMvc
@Configuration
public class MobileConfiguration extends WebMvcConfigurerAdapter {
@Override
public void addArgumentResolvers(List< HandlerMethodArgumentResolver > argumentResolvers) {
argumentResolvers.add(new DeviceHandlerMethodArgumentResolver());
}
@Override
public void addInterceptors(InterceptorRegistry registry) {
registry.addInterceptor(new DeviceResolverHandlerInterceptor());
}
}

build native Android applications

What is Spring for Android?
§ does not prescribe a dependency injection solution
§ provides an implementation of RestTemplate

Some Native Android Code
public Customer updateCustomer(long id, String firstName, String lastName) {

String url = “http://...8080/url/of/my/{id}”;
Customer input = new Customer(id, firstName, lastName);
ResponseEntity<Customer> re = restTemplate.postForEntity( url, input, Customer.class, id);
HttpStatus statusOfRequest = re.getStatusCode();
if(statusOfRequest.equals( HttpStatus.OK )){
Customer payloadOfResponse = re.getBody();
return payloadOfResponse;
}
...
}

Make Work with
§ install android development kit http://developer.android.com/sdk/index.html
§ set up m2e-android http://rgladwell.github.io/m2e-android/

NOT CONFIDENTIAL -- TELL EVERYONE
@SpringSource @Starbuxman
Questions?

a more sociable Spring

A Web of APIs

What Problems Does OAuth Solve?
• new world of many, cooperating web services
• some web services may have a user context
• this user context can refer to a centrally managed identity (single sign-on)
• user passwords should be decoupled from the permissions a client is given

What Problems Does OAuth Solve?

Key Components of Spring Social
§ Connection Factories
• Creates connections; Handles back-end of authorization flow
§ Connection Repository
• Persists connections for long-term use
§ Connection Factory Locator
• Used by connect controller and connection repository to find connection factories
§ API Bindings
• Perform requests to APIs, binding to domain objects, error-handling (Facebook, Twitter, etc.)
§ ConnectController
• Orchestrates the web-based connection flow
§ ProviderSignInController
• Signs a user into an application based on an existing connection and links it to the local system

Bindings...

...LOTS of Third Party Bindings

Installing Spring Social
@Conﬁguration
@PropertySource("classpath:social.properties")
@EnableJdbcConnectionRepository
@EnableFacebook(appId = "${facebook.clientId}", appSecret = "${facebook.clientSecret}")
public class SocialConﬁguration {
@Bean
public UserIdSource userIdSource() {
return new AuthenticationNameUserIdSource();
}
...

The ConnectController
@Bean
public ConnectController connectController(
ConnectionFactoryLocator connectionFactoryLocator,
ConnectionRepository connectionRepository) {
return new ConnectController(
connectionFactoryLocator,
connectionRepository);
}
establishes an OAuth-secured connection with the service
provider and returns an access token

The ProviderSignInController
@Bean
public ProviderSignInController providerSignInController(
ﬁnal UsersConnectionRepository usersConnectionRepository,
ﬁnal ConnectionFactoryLocator connectionFactoryLocator) {
SignInAdapter signInAdapter = ...
ProviderSignInController psic = new ProviderSignInController(
connectionFactoryLocator, usersConnectionRepository, signInAdapter);
psic.setSignInUrl("/crm/signin.html");
psic.setPostSignInUrl("/crm/customers.html");
psic.setSignUpUrl("/crm/signup.html");
return psic;
}
}
establishes an OAuth-secured connection with the service
provider and links it to a local account

secure web applications with
Spring Security

Security is Hard, Spring Security is Easy
§ Spring Security provides security services for the Spring framework
§ integrates with backend identity provider services like LDAP, JAAS, OAuth, etc.
§ API Bindings
• there are lots of implementations of the Spring Security API that can be used in terms of a particular backend
identity provider service.
§ can be used to secure web applications
• form submissions, XSS-protection, resource protection
§ can be used to secure method invocations
§ authentication and authorization API
§ cryptography implementations

Install Spring Security in your web.xml or Application Initializer
public class CrmWebApplicationInitializer implements WebApplicationInitializer {
@Override
public void onStartup(ServletContext servletContext) throws ServletException {
String name = "springSecurityFilterChain";
Filter filter = new DelegatingFilterProxy();
FilterRegistration.Dynamic filterRegistration = servletContext.addFilter(name, filter);
filterRegistration.addMappingForUrlPatterns(null, true, "/");
filterRegistration.addMappingForServletNames(null, true, "spring");
filterRegistration.setAsyncSupported(true);
}

Tell Spring About Your Identities: Inline
<sec:authentication-manager>
<sec:authentication-provider>
<sec:user-service>
<sec:user name="jlong" authorities="read" />
<sec:user name="mchang" authorities="read,write" />
</sec:user-service>
</sec:authentication-provider>
</sec:authentication-manager>

Tell Spring About Your Identities With a Custom Implementation
<sec:authentication-provider user-service-ref = “customUserService” />

Tell Spring About Your Identities with LDAP
<sec:ldap-authentication-provider ... />

Secure Access to Certain Web Resources
<sec:http auto-conﬁg="true" use-expressions="true">
<sec:intercept-url pattern="/secured/**" access="hasRole('ROLE_USER')" />
<sec:intercept-url pattern="/**" access="isAnonymous()" />
<sec:anonymous />
</sec:http>

Install a Sign-In Form
<sec:http auto-conﬁg="true" use-expressions="true">
<sec:intercept-url pattern="/secured/**" access="hasRole('ROLE_USER')" />
<sec:intercept-url pattern="/**" access="isAnonymous()" />
<sec:anonymous />
<sec:form-login
login-page="/crm/signin.html"
default-target-url="/crm/proﬁle.html"
authentication-failure-url="/crm/signin.html?error=true" />
</sec:http>

Install a Sign-In Form
<form method="POST" action="j_spring_security_check">
Username:
<input name="j_username" type="text" />
<br/>
Password:
<input name="j_password" type="password" />
<br/>
<button type="submit" name="action" value="signin" > Sign In</button>
</form>

Programmatically Authenticate
SecurityContext securityContext = SecurityContextHolder.getContext();
// read the current context authentication
Authentication authentication = securityContext.getAuthentication();
Object credentials = authentication.getCredentials(); // might be a password String
Object details = authentication.getDetails(); // might be a UserDetails object
// set the current context authentication
Authentication toAuthenticate = ...
securityContext.setAuthentication( toAuthenticate );
thread local

Restrict Method Invocations
@PreAuthorize(" hasRole('ROLE_USER') ")
public void updateProﬁleInformation(String ﬁrstName, String lastName) {
// ...
}
<sec:global-method-security
pre-post-annotations="enabled"
proxy-target-class="true"/>

secure web services
with Spring Security OAuth

When Should I Use Spring Security OAuth?
§ when you want to build an OAuth authentication server
§ when your REST API has a user context that needs to be managed

Spring Security OAuth
§ Extension to Spring Security
• originally a community contribution (now officially part of the project)
§ Features...
• endpoint management for OAuth service types
• token management (persistence, authentication)
• integrations for the web, as well as through standard Spring Security

Tell Spring About the Clients That Might Connect
<oauth:client-details-service id="clientDetailsService">
<oauth:client
client-id="html5-crm"
scope="read,write"
authorities="ROLE_USER"
authorized-grant-types="authorization_code,implicit"
resource-ids="crm"/>
<oauth:client
client-id="android-crm"
scope="read,write"
authorities="ROLE_USER"
authorized-grant-types="authorization_code,implicit"
resource-ids="crm"/>
</oauth:client-details-service>

Tell Spring About the Clients That Might Connect
<oauth:authorization-server
client-details-service-ref="clientDetailsService"
token-services-ref="tokenServices">
<oauth:authorization-code/>
<oauth:implicit/>
<oauth:refresh-token/>
<oauth:client-credentials/>
<oauth:password/>
</oauth:authorization-server>
@Bean
public InMemoryTokenStore tokenStore() {
return new InMemoryTokenStore();
}
@Bean
public DefaultTokenServices tokenServices(
InMemoryTokenStore tokenStore,
ClientDetailsService clientDetailsService) {
DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
defaultTokenServices.setTokenStore(tokenStore);
defaultTokenServices.setSupportRefreshToken(true);
defaultTokenServices.setClientDetailsService(clientDetailsService);
return defaultTokenServices;
}

Tell Spring About Which Resources It’s Protecting
<oauth:resource-server id="resourceServerFilter"
resource-id="crm" token-services-ref="tokenServices"/>
<sec:http pattern="/api/**"
create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager">
<sec:anonymous enabled="true"/>
<sec:custom-ﬁlter ref="resourceServerFilter" before="PRE_AUTH_FILTER"/>
...

Tell Spring About Which Resources It’s Protecting
<oauth:resource-server id="resourceServerFilter"
resource-id="crm" token-services-ref="tokenServices"/>
<sec:http pattern="/api/**"
create-session="never"
entry-point-ref="oauthAuthenticationEntryPoint"
access-decision-manager-ref="accessDecisionManager">
<sec:anonymous enabled="true"/>
<sec:custom-ﬁlter ref="resourceServerFilter" before="PRE_AUTH_FILTER"/>
<sec:intercept-url pattern="/api/users/**/photo" method="GET"
access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/api/users" method="GET" access="IS_AUTHENTI
CATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/api/**"
access="ROLE_USER,SCOPE_READ"/>

Optional: Set Up an OAuth-Aware RestTemplate
<oauth:rest-template id="crmRestTemplate" resource="crm" />

Enable Access to Certain OAuth-Context Objects in SpEL
<sec:global-method-security pre-post-annotations="enabled" proxy-target-class="true">
<sec:expression-handler ref="oauthExpressionHandler"/>
</sec:global-method-security>
<oauth:expression-handler id="oauthExpressionHandler"/>
<oauth:web-expression-handler id="oauthWebExpressionHandler"/>

Multi Client Development with Spring - Josh Long

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Multi Client Development with Spring - Josh Long

Similar to Multi Client Development with Spring - Josh Long (20)

Recently uploaded

Recently uploaded (20)

Multi Client Development with Spring - Josh Long