For all the folks asking for Spring Security Architecture Slides here you go... github.com/jgrandja/presentations/blob/master/SpringIO-Barcelona2017-JoeGrandja.pdf
This is an excellent presentation. Gives a good understanding of spring security basics. Video has an issue though. Its very difficult to read the slides on the tv as its rendered pretty much white blob on small screen devices (phones). Would you be able to share the slides ?
I awaited you to show us the big picture first: the web-app without security, what's happening when an http request comes in. After that, just by adding the spring-security dependecie the "magic" is security begins. The one important filter that welcomes the request and how the security process involves. I must admit that I have just seen the first 11 minutes.
Only after the video I understand how Spring Security works. However I still don't understand how Spring Security remembers the Authenticated User. Because after the request is done SecurityContextHolder clears the Authentication from the ThreadLocal. So what happens on next request from user? How SecurityContext know that the request come from the same user?
I found an answer in the Spring Security Reference documentation at 9.4.4 Storing the SecurityContext between requests. Depending on the type of application, there may need to be a strategy in place to store the security context between user operations. In a typical web application, a user logs in once and is subsequently identified by their session Id. The server caches the principal information for the duration session. In Spring Security, the responsibility for storing the SecurityContext between requests falls to the SecurityContextPersistenceFilter, which by default stores the context as an HttpSession attribute between HTTP requests. It restores the context to the SecurityContextHolder for each request and, crucially, clears the SecurityContextHolder when the request completes. You shouldn’t interact directly with the HttpSession for security purposes. There is simply no justification for doing so - always use the SecurityContextHolder instead.
Spring Security definitely sucks because: 1) a very awful design decisions 2) overengineered concepts for simple things, for example http.addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(new AntPathRequestMatcher("/login"), new XFrameOptionsHeaderWriter(new WhiteListedAllowFromStrategy(Arrays.asList("www.facebook.com", "www.google.com"))))) 3) expressions in annotations like @AuthenticationPrincipal(expression = "@jpaEntityManager.merge(#this)") 4) SecurityContext.getInstance() static method to retrieve security context while using DI-container at the same time 5) SecurityContextHolder sucks 6) horrible code
For all the folks asking for Spring Security Architecture Slides here you go...
github.com/jgrandja/presentations/blob/master/SpringIO-Barcelona2017-JoeGrandja.pdf
Thank you
For those looking for the slides: files.meetup.com/6015342/Spring%20Toronto%20-%20Joe%20Grandja.pdf.
Wonderful talk Mr Joe . Thank you .
Excellent video. Joe gave a lot of useful information. Thanks a lot for this vidoe.
Very good explanation and the questions were very helpful to understand more !!
It was really helpful to get high level view on spring security..
can I get slides very difficult to see the monitor
Anyhow it is fine session, but properly displaying the screen would have been a lot more helpful.
please update the Slideshare link..
Use above link
neat talk. thanks a bunch.
This is an excellent presentation. Gives a good understanding of spring security basics. Video has an issue though. Its very difficult to read the slides on the tv as its rendered pretty much white blob on small screen devices (phones). Would you be able to share the slides ?
Are there slides available to go with this? Slideshare perhaps?
Slides link pls?
Afe dare +
+1
what about 1080p?
Presentation: files.meetup.com/6015342/Spring%20Toronto%20-%20Joe%20Grandja.pdf
Excellent presentation. A link to the slides might have added even more excellence for the cause :)
Not able to read anything from screens
Detail can be found here
docs.spring.io/spring-security/site/docs/3.0.x/reference/technical-overview.html
How can I download the slides?
Please share the slides
Great session with nice information, but this video needs to be edited where slides should run in any side of the the speaker.
मैं टीवी पर कुछ देख नहीं पाया। पर कार्यशाला अच्छी थी।
SpringBoot developers seem generally very tired
I hope their projects are working fine
where is the link for the github repo
plz share the slides link
I awaited you to show us the big picture first: the web-app without security, what's happening when an http request comes in.
After that, just by adding the spring-security dependecie the "magic" is security begins.
The one important filter that welcomes the request and how the security process involves.
I must admit that I have just seen the first 11 minutes.
I learnt a lot today ,because before this I am totally confused about spring security..Thank you..But Slides are difficult to view and no clarity.
I cant see the presentation :(
Please share the slides!
Wonderful talk!
Too bad slides are not provided
slides please
Only after the video I understand how Spring Security works. However I still don't understand how Spring Security remembers the Authenticated User. Because after the request is done SecurityContextHolder clears the Authentication from the ThreadLocal. So what happens on next request from user? How SecurityContext know that the request come from the same user?
Great question!
I found an answer in the Spring Security Reference documentation at 9.4.4 Storing the SecurityContext between requests.
Depending on the type of application, there may need to be a strategy in place to store the security context between user operations. In a typical web application, a user logs in once and is subsequently identified by their session Id. The server caches the principal information for the duration session. In Spring Security, the responsibility for storing the SecurityContext between requests falls to the SecurityContextPersistenceFilter, which by default stores the context as an HttpSession attribute between HTTP requests. It restores the context to the SecurityContextHolder for each request and, crucially, clears the SecurityContextHolder when the request completes. You shouldn’t interact directly with the HttpSession for security purposes. There is simply no justification for doing so - always use the SecurityContextHolder instead.
Properly displaying the screen would have been a lot more helpful. At least here, on youtube. Oh well..
the monitor behind him is so fuzzy, cannot see nothing.
Spring Security definitely sucks because:
1) a very awful design decisions
2) overengineered concepts for simple things, for example http.addHeaderWriter(new DelegatingRequestMatcherHeaderWriter(new AntPathRequestMatcher("/login"), new XFrameOptionsHeaderWriter(new WhiteListedAllowFromStrategy(Arrays.asList("www.facebook.com", "www.google.com")))))
3) expressions in annotations like @AuthenticationPrincipal(expression = "@jpaEntityManager.merge(#this)")
4) SecurityContext.getInstance() static method to retrieve security context while using DI-container at the same time
5) SecurityContextHolder sucks
6) horrible code
Please put the subtitles, these automatically generated are not good.
Sad. It's spoiled by bad video... Like tons of others spoiled by bad some...
Please share the slides