Spring Boot Buch: Getting there

The third month was a though one: It started with a workshop in Düsseldorf, lead by innoQs Till. “Skalierbare Web-Architekturen” got me the last points I need to do the ISAQB-CPSA-A, but I wish they workshop had taken a different direction. Anyway, not something I can blame on Till.

I changed my milestones a little bit. After getting really valuable feedback I was occupied working that into the book. As it happened the chapter “Die Magie hinter Spring Boot” was a good fit finishing, so I did this before writing about persistence:



While trying to write the persistence chapter, a lot of stuff happened: I was occupied with an In-House APEX-Workhshop lead by Niels de Bruijn. The Workshop was great and I am convinced I chose the right tool for the special combination of task ahead and people available. Let’s see how that turns out.

Shortly before going to #JavaLand 2017, I setup the Spring Boot Buch Twitter account. Support me here, if you like: @SpringBootBuch. See what I did with the profile picture?

At JavaLand I asked Kai Toedter – to who’s music I am listening while writing the post – if I can share his neat idea to create small Spring Boot Docker files in the book. I can and I am happy about it.

Also in Brühl I finally met Thorben Janssen, who’s Book “Hibernate Tips” will be published on April 4th. It was a pleasure talking with Thorben (and also fun 😉 ) and I’m looking forward to his tips who which I contributed a small part.

I chose the title picture for this post to pay a little tribute to Markus @myfear Eisele. Thanks for kicking of JavaLand 4 years ago.

Next month I’m gonna first finish the persistence topic before finally getting work done on my bigger example project.

Last but not least I want to mention that I didn’t drink any alcohol for nearly the last 3 months. Sadly, I didn’t loose some kilos, but anyway: I actually feel a lot better. I do have more strength again and sleep better. Not more, but a lot better.

So, until next month 🙂

| Comments (0) »

01-Apr-17




Spring Boot Buch: 2nd month

Last month I promised a quick update on my upcoming #SpringBootBuch (it has not yet a title), so here we go:

Writing a book takes time, but it is really fun. Today, I send out a new version of the manuscript to my lector, now containing the full chapters for “Deployment” (which contains actuator as well) and “Testing”. I also incorporated the 12-Factor App as a red line. By doing so I realized how much thought went into the design of Spring Boots incredible powerful configuration mechanism.

I promised the table of contents, which is still somewhat work in progress but I have my red line in the meantime (the image is linked to a pdf):



What has been amazing is the really extensive feedback from several people. That did not only good the the book itself but also gave me a real boost. Thank you! I also have to thank the Spring Boot Team, for taking my feedback on the docs, but especially Stéphane Nicoll for the great discussions.

Apart from that, whats going on? I managed somehow more than 300km on bike in February. Yep, I was ill and did not feel good, but staying home would have ruined my mood, too…

Thanks to a lengthy discussion with Heinz I tried high dosed magnesium in the evening, shortly before sleep. That helped a lot prolonging dry January into dry February and also getting me some rest. Thanks man!

March is gonna be a busy month. Tomorrow I’m heading towards Düsseldorf, learning about scalable Webarchitectures at innoQ.

Shortly after that we’ll have an in-house Oracle APEX workshop which I am organizing. And by the end of March there’s already Javaland 2017. I have been to all installments and this year, I’ll be part of the Javaland4Kids day… That’s gonna be something.

Hard to tell, which chapter I’m gonna finish next month in #SpringBootBuch.

| Comments (4) »

28-Feb-17


A quick note on Spring Boot Security

I just stumbled upon an article that wants to show in great detail how to customize Spring Security inside a Spring Boot application.

It first adds the spring-boot-security-starter through

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Nothing wrong here: Together with @SpringBootApplication the starter configures Spring Security with the filter chain and all auth in the correct places. You dont’t have to add @EnableWebSecurity, in fact: you shouldn’t! It will turn the default auto configuration of your starter of.

Next, the article continuous on how to overwrite the generated user and password: I would go with the security.user.name and security.user.password properties if I wouldn’t have a good reason otherwise.

If I want to add more in-memory users, than I have to do some configuration. But: When extending WebSecurityConfigurerAdapter, just use the methods provided, no need to @EnableWebSecurity if you already have @SpringBootApplication on a class! Also no need to invent custom methods, just use the following:

package de.springbootbuch.actuators;
 
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 
@Configuration
public class SecurityConfig 
		extends WebSecurityConfigurerAdapter {
 
	@Override
	protected void configure(AuthenticationManagerBuilder auth) throws Exception {		
		auth.inMemoryAuthentication().withUser("poef").password("fump").roles("ACTUATOR");
	}
}

If you want to role your own UserDetailsService implementation, it’s even easier:

package de.springbootbuch.actuators;
 
import java.util.Collections;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
 
@Configuration
public class SecurityConfig {
	@Bean
	public UserDetailsService userDetailsService() {
		return (String username) -> {
			if("poef".equals(username))
				return new User("poef", "fump", Collections.EMPTY_LIST);
			else
				throw new UsernameNotFoundException("n/a");
		};
	};	
}

Notice that there’s just one bean of type UserDetailsService.

And finally, if you want to overwrite some settings of Spring Boot Starter Security defaults, it’s the order of WebSecurityConfigurerAdapter that matters.

This one

package de.springbootbuch.actuators;
 
import org.springframework.boot.actuate.autoconfigure.ManagementServerProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 
@Configuration
@Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfig 
		extends WebSecurityConfigurerAdapter {
 
	@Override
	protected void configure(final HttpSecurity http) 
			throws Exception {
		http
			.httpBasic()
			.and()
			.authorizeRequests()
			.antMatchers("/metrics/counter**")
				.permitAll()
			.antMatchers("/metrics/**")
				.authenticated();
	}
}

together with endpoints.metrics.sensitive = false (needed since Spring Boot 1.5.1 to turn off the handler interceptor that secures Actuator endpoints without even having Security on the class path), it overwrites the settings for the Actuator endpoints, allowing unauthorized access to /metrics/counter but not to the other metrics by putting the configuration at the right place: @Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER).

My tip for Spring Boot and Spring Security: Don’t think too much, don’t try to be smarter than the starter. Don’t turn off the defaults completely if you don’t know what you’re doing. If you extend a WebSecurityConfigurerAdapter, make sure you put it into the right order through @Order and one of those XXX_OVERRIDE_ORDER constants. And also: Use the provided hooks!

The samples here are from my upcoming German Spring Boot Buch, which will be available right in time with Spring Boot 2.0 in autumn.

| Comments (4) »

14-Feb-17