Spring Boot Buch: 2nd month

Last month I promised a quick update on my upcoming #SpringBootBuch (it has not yet a title), so here we go:

Writing a book takes time, but it is really fun. Today, I send out a new version of the manuscript to my lector, now containing the full chapters for “Deployment” (which contains actuator as well) and “Testing”. I also incorporated the 12-Factor App as a red line. By doing so I realized how much thought went into the design of Spring Boots incredible powerful configuration mechanism.

I promised the table of contents, which is still somewhat work in progress but I have my red line in the meantime (the image is linked to a pdf):



What has been amazing is the really extensive feedback from several people. That did not only good the the book itself but also gave me a real boost. Thank you! I also have to thank the Spring Boot Team, for taking my feedback on the docs, but especially Stéphane Nicoll for the great discussions.

Apart from that, whats going on? I managed somehow more than 300km on bike in February. Yep, I was ill and did not feel good, but staying home would have ruined my mood, too…

Thanks to a lengthy discussion with Heinz I tried high dosed magnesium in the evening, shortly before sleep. That helped a lot prolonging dry January into dry February and also getting me some rest. Thanks man!

March is gonna be a busy month. Tomorrow I’m heading towards Düsseldorf, learning about scalable Webarchitectures at innoQ.

Shortly after that we’ll have an in-house Oracle APEX workshop which I am organizing. And by the end of March there’s already Javaland 2017. I have been to all installments and this year, I’ll be part of the Javaland4Kids day… That’s gonna be something.

Hard to tell, which chapter I’m gonna finish next month in #SpringBootBuch.

| Comments (5) »

28-Feb-17


A quick note on Spring Boot Security

I just stumbled upon an article that wants to show in great detail how to customize Spring Security inside a Spring Boot application.

It first adds the spring-boot-security-starter through

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Nothing wrong here: Together with @SpringBootApplication the starter configures Spring Security with the filter chain and all auth in the correct places. You dont’t have to add @EnableWebSecurity, in fact: you shouldn’t! It will turn the default auto configuration of your starter of.

Next, the article continuous on how to overwrite the generated user and password: I would go with the security.user.name and security.user.password properties if I wouldn’t have a good reason otherwise.

If I want to add more in-memory users, than I have to do some configuration. But: When extending WebSecurityConfigurerAdapter, just use the methods provided, no need to @EnableWebSecurity if you already have @SpringBootApplication on a class! Also no need to invent custom methods, just use the following:

package de.springbootbuch.actuators;
 
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 
@Configuration
public class SecurityConfig 
		extends WebSecurityConfigurerAdapter {
 
	@Override
	protected void configure(AuthenticationManagerBuilder auth) throws Exception {		
		auth.inMemoryAuthentication().withUser("poef").password("fump").roles("ACTUATOR");
	}
}

If you want to role your own UserDetailsService implementation, it’s even easier:

package de.springbootbuch.actuators;
 
import java.util.Collections;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
 
@Configuration
public class SecurityConfig {
	@Bean
	public UserDetailsService userDetailsService() {
		return (String username) -> {
			if("poef".equals(username))
				return new User("poef", "fump", Collections.EMPTY_LIST);
			else
				throw new UsernameNotFoundException("n/a");
		};
	};	
}

Notice that there’s just one bean of type UserDetailsService.

And finally, if you want to overwrite some settings of Spring Boot Starter Security defaults, it’s the order of WebSecurityConfigurerAdapter that matters.

This one

package de.springbootbuch.actuators;
 
import org.springframework.boot.actuate.autoconfigure.ManagementServerProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 
@Configuration
@Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfig 
		extends WebSecurityConfigurerAdapter {
 
	@Override
	protected void configure(final HttpSecurity http) 
			throws Exception {
		http
			.httpBasic()
			.and()
			.authorizeRequests()
			.antMatchers("/metrics/counter**")
				.permitAll()
			.antMatchers("/metrics/**")
				.authenticated();
	}
}

together with endpoints.metrics.sensitive = false (needed since Spring Boot 1.5.1 to turn off the handler interceptor that secures Actuator endpoints without even having Security on the class path), it overwrites the settings for the Actuator endpoints, allowing unauthorized access to /metrics/counter but not to the other metrics by putting the configuration at the right place: @Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER).

My tip for Spring Boot and Spring Security: Don’t think too much, don’t try to be smarter than the starter. Don’t turn off the defaults completely if you don’t know what you’re doing. If you extend a WebSecurityConfigurerAdapter, make sure you put it into the right order through @Order and one of those XXX_OVERRIDE_ORDER constants. And also: Use the provided hooks!

The samples here are from my upcoming German Spring Boot Buch, which will be available right in time with Spring Boot 2.0 in autumn.

| Comments (4) »

14-Feb-17


OCPJP, Talks and the Spring Boot Buch

January was an intense month, even if it started with a week off. I didn’t have vacation during the seasons like my wife. Sad thing: We couldn’t really spend the vacation together, but that seems to be the standard when both parents are working and the number of holiday days doesn’t fit the number of free days the kids have.

In the last year quarter of 2016 I decided that I should finally upgrade my good, old Sun certificate from SCJP 5.0 to a shiny, new Oracle OCPJP 8.0. The incentive came from Tim. I didn’t know before that there was an upgrade path and I didn’t to pay for both associate and professional. But that upgrade paths exists and last week, I scored 93%. It was actually fun (yes, I enjoy those things). As preparation I read both OCA and OCP Java 8 Study Guide by Jeanne Boyarsky and Scott Selikoff. The quality varies, but overall, the books are ok. If you do prep exams, I’ll really recommend enthuware. Much cheaper than the Oracle recommend sell from selftestsoftware.com. The buying process of the later is frustrating and they contain a lot of plain wrong questions.

I did my my talk database centric applications with Spring Boot and jOOQ based on that series at the Spring Meetup Munich. It was real good fun and I like the results very much. But preparing for the talks stresses me a lot. I want to give my best and I’m not yet relaxed. But, I’m gonna train this. I’ll be at JUG Essen on April 26th and in June in Cluj with Vlad at the Transylvania Java User Group who have probably the coolest of all Dukes. Vlad and I are gonna speak about getting the most of your persistence layer.

As early as November 2016 I started looking for a publisher for my idea writing a German Spring Boot Buch. I’m really happy that dpunkt.verlag took my offer. I have been working on the manuscript since mid December and it starts to take shape.

It’s an interesting process. The first book I contributed to is arc42 by example (by the way, version 7 of arc42 was just released this month). Basically, I had written everything at this point and we did proofread and everything ourself.

Having a lector does help a lot so far and it feels very different than just scribbling down whatever is in ones head.

For me personally it was a good thing to “pitch” the book idea. Helps getting structure into the content.

This is a screenshot of how I’m working at the moment: I’m writing LaTeX inside Texpad on a Mac. Next to it is Safari. Click on it for a larger view.



My first draft was indeed an Asciidoctor version and I already had setup a continuous compilation pipeline that worked quite well. The syntax is ok, too and what is really nice is including examples, like a did here. But dpunkt.verlag takes either LaTeX or Word and I didn’t want to cross-translate stuff. I used to write a lot of LaTex during university and it came back instantly.

Texpad is a good piece of software for writing LaTex. It supports includes and inserts, makes it really easy to cross reference stuff, draws a good outline and has a simple todo feature, basically everything I need. The sources are of course versioned in a private repo so I can write from everywhere. Sometimes I have to write some paragraphs in plain text in Pages or Word to get the flow right while not being disturbed by LaTeX commands, but that is fine for me.

If you want to read about writing a book in Asciidoctor, have a look at Thoughts on Java: Thorben has just switch to Asciidoctor away from the Leanpub Markdown dialect for his first book.

So far I’m following my outline rather closely and the first milestone was just done in time today. Even I know many things by heart now, I do a lot of research, too. I’ll keep my notes in a separate file inside the project with todos on them. Really easy to get back to. While working myself through the documentation, I took the time to file some PR over at Spring Boot itself, fixing stuff in the documentation (and, by the way, got my first bigger PR into Spring Boot 1.5, the @DataMongoTest).

And I actually bought a Duden on paper. It’s slower, but doesn’t distract me. Have a look at Judiths page to see how other writer work.

Apart from that, I’m doing a lot of examples. They are already only at the official Spring Boot Buch repo: github.com/springbootbuch.

What I don’t do is writing Mind Maps of any kind. They just don’t work for me.

The book will appear closely to Spring Boot 2.0 by the end of the year.

At the end of February, I’m gonna publish the outline. Bye then it shouldn’t change much anymore.

| Comments (1) »

31-Jan-17