A quick note on Spring Boot Security

I just stumbled upon an article that wants to show in great detail how to customize Spring Security inside a Spring Boot application.

It first adds the spring-boot-security-starter through

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Nothing wrong here: Together with @SpringBootApplication the starter configures Spring Security with the filter chain and all auth in the correct places. You dont’t have to add @EnableWebSecurity, in fact: you shouldn’t! It will turn the default auto configuration of your starter of.

Next, the article continuous on how to overwrite the generated user and password: I would go with the security.user.name and security.user.password properties if I wouldn’t have a good reason otherwise.

If I want to add more in-memory users, than I have to do some configuration. But: When extending WebSecurityConfigurerAdapter, just use the methods provided, no need to @EnableWebSecurity if you already have @SpringBootApplication on a class! Also no need to invent custom methods, just use the following:

package de.springbootbuch.actuators;
 
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 
@Configuration
public class SecurityConfig 
		extends WebSecurityConfigurerAdapter {
 
	@Override
	protected void configure(AuthenticationManagerBuilder auth) throws Exception {		
		auth.inMemoryAuthentication().withUser("poef").password("fump").roles("ACTUATOR");
	}
}

If you want to role your own UserDetailsService implementation, it’s even easier:

package de.springbootbuch.actuators;
 
import java.util.Collections;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
 
@Configuration
public class SecurityConfig {
	@Bean
	public UserDetailsService userDetailsService() {
		return (String username) -> {
			if("poef".equals(username))
				return new User("poef", "fump", Collections.EMPTY_LIST);
			else
				throw new UsernameNotFoundException("n/a");
		};
	};	
}

Notice that there’s just one bean of type UserDetailsService.

And finally, if you want to overwrite some settings of Spring Boot Starter Security defaults, it’s the order of WebSecurityConfigurerAdapter that matters.

This one

package de.springbootbuch.actuators;
 
import org.springframework.boot.actuate.autoconfigure.ManagementServerProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 
@Configuration
@Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfig 
		extends WebSecurityConfigurerAdapter {
 
	@Override
	protected void configure(final HttpSecurity http) 
			throws Exception {
		http
			.httpBasic()
			.and()
			.authorizeRequests()
			.antMatchers("/metrics/counter**")
				.permitAll()
			.antMatchers("/metrics/**")
				.authenticated();
	}
}

together with endpoints.metrics.sensitive = false (needed since Spring Boot 1.5.1 to turn off the handler interceptor that secures Actuator endpoints without even having Security on the class path), it overwrites the settings for the Actuator endpoints, allowing unauthorized access to /metrics/counter but not to the other metrics by putting the configuration at the right place: @Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER).

My tip for Spring Boot and Spring Security: Don’t think too much, don’t try to be smarter than the starter. Don’t turn off the defaults completely if you don’t know what you’re doing. If you extend a WebSecurityConfigurerAdapter, make sure you put it into the right order through @Order and one of those XXX_OVERRIDE_ORDER constants. And also: Use the provided hooks!

The samples here are from my upcoming German Spring Boot Buch, which will be available right in time with Spring Boot 2.0 in autumn.

| Comments (4) »

14-Feb-17


OCPJP, Talks and the Spring Boot Buch

January was an intense month, even if it started with a week off. I didn’t have vacation during the seasons like my wife. Sad thing: We couldn’t really spend the vacation together, but that seems to be the standard when both parents are working and the number of holiday days doesn’t fit the number of free days the kids have.

In the last year quarter of 2016 I decided that I should finally upgrade my good, old Sun certificate from SCJP 5.0 to a shiny, new Oracle OCPJP 8.0. The incentive came from Tim. I didn’t know before that there was an upgrade path and I didn’t to pay for both associate and professional. But that upgrade paths exists and last week, I scored 93%. It was actually fun (yes, I enjoy those things). As preparation I read both OCA and OCP Java 8 Study Guide by Jeanne Boyarsky and Scott Selikoff. The quality varies, but overall, the books are ok. If you do prep exams, I’ll really recommend enthuware. Much cheaper than the Oracle recommend sell from selftestsoftware.com. The buying process of the later is frustrating and they contain a lot of plain wrong questions.

I did my my talk database centric applications with Spring Boot and jOOQ based on that series at the Spring Meetup Munich. It was real good fun and I like the results very much. But preparing for the talks stresses me a lot. I want to give my best and I’m not yet relaxed. But, I’m gonna train this. I’ll be at JUG Essen on April 26th and in June in Cluj with Vlad at the Transylvania Java User Group who have probably the coolest of all Dukes. Vlad and I are gonna speak about getting the most of your persistence layer.

As early as November 2016 I started looking for a publisher for my idea writing a German Spring Boot Buch. I’m really happy that dpunkt.verlag took my offer. I have been working on the manuscript since mid December and it starts to take shape.

It’s an interesting process. The first book I contributed to is arc42 by example (by the way, version 7 of arc42 was just released this month). Basically, I had written everything at this point and we did proofread and everything ourself.

Having a lector does help a lot so far and it feels very different than just scribbling down whatever is in ones head.

For me personally it was a good thing to “pitch” the book idea. Helps getting structure into the content.

This is a screenshot of how I’m working at the moment: I’m writing LaTeX inside Texpad on a Mac. Next to it is Safari. Click on it for a larger view.



My first draft was indeed an Asciidoctor version and I already had setup a continuous compilation pipeline that worked quite well. The syntax is ok, too and what is really nice is including examples, like a did here. But dpunkt.verlag takes either LaTeX or Word and I didn’t want to cross-translate stuff. I used to write a lot of LaTex during university and it came back instantly.

Texpad is a good piece of software for writing LaTex. It supports includes and inserts, makes it really easy to cross reference stuff, draws a good outline and has a simple todo feature, basically everything I need. The sources are of course versioned in a private repo so I can write from everywhere. Sometimes I have to write some paragraphs in plain text in Pages or Word to get the flow right while not being disturbed by LaTeX commands, but that is fine for me.

If you want to read about writing a book in Asciidoctor, have a look at Thoughts on Java: Thorben has just switch to Asciidoctor away from the Leanpub Markdown dialect for his first book.

So far I’m following my outline rather closely and the first milestone was just done in time today. Even I know many things by heart now, I do a lot of research, too. I’ll keep my notes in a separate file inside the project with todos on them. Really easy to get back to. While working myself through the documentation, I took the time to file some PR over at Spring Boot itself, fixing stuff in the documentation (and, by the way, got my first bigger PR into Spring Boot 1.5, the @DataMongoTest).

And I actually bought a Duden on paper. It’s slower, but doesn’t distract me. Have a look at Judiths page to see how other writer work.

Apart from that, I’m doing a lot of examples. They are already only at the official Spring Boot Buch repo: github.com/springbootbuch.

What I don’t do is writing Mind Maps of any kind. They just don’t work for me.

The book will appear closely to Spring Boot 2.0 by the end of the year.

At the end of February, I’m gonna publish the outline. Bye then it shouldn’t change much anymore.

| Comments (1) »

31-Jan-17



Using JShell in NetBeans

With Java 9 comes JShell, the first official Java Read-Eval-Print-Loop (REPL). The Takipi blog has a nice article out, just in case you don’t know nothing about it. Read it here: Java 9 Early Access: A Hands-on Session with JShell – The Java REPL.

I’m gonna show you today a short screen cast using the current nightly build from the free and Open Source IDE NetBeans. NetBeans allows to run JShell not only with JDK 8 but also agains an opened Maven project, containing all the dependencies from your POM file and the classes of your project.

The first part is a recap what JShell REPL is all about. In the second part, I’m gonna use my DOAG 2016 project. The project is a database centric project using jOOQ for creating database queries.

I’m gonna open up a JDBC connection to a local Oracle Database and execute some queries, from really simple ones to the ones I used in this talk:

What is it good for? In this case I can design complex database queries, try them out, having all the NetBeans features and tools at hand without going through a save / compile / reload whatever cycle. The NetBeans nightly has a lot of rough edges, sure, but you see the potential here.

I also tried starting up Springs application context, but that didn’t work for me yet. That would also incredible useful, especially in regard to generated Spring Data repositories.

| Comments (0) »

19-Dec-16


Java: 2016 recap

As last year I’m gonna write a short recap here. In global life, 2016 wasn’t a good year, in my private and work life however, 2016 was the best year in a long time. Java activity started early 2016, first with an Euregio JUG event having Bert-Jan in Aachen, NetBeans day in Utrecht and Java Land in Brühl. Also in the pictures Toni, Geertjan, René, Rainer, Josh and Adam:


I’m inclined to say that this:



changed everything again. I’ve been visiting conferences now for years and they started to become really awesome after having some great friends in the community but I never spoke. I changed that for good in May at Spring I/O and it was a great event. Thank you Sergi for putting your trust in me and René Glen from above for giving me great feedback for my first talk!

Michael^2, Geertjan

I continued speaking in a small NetBeans event in cologne and spoke about NetBeans, Maven and Spring Boot, meeting Michael Müller, Geertjan Wielenga and Stephan Knitelius.

Speaking of NetBeans: My friend Geertjan from Oracle, seen in disguise in the picture below, proposed me as member of the NetBeans dream team. What an honor!

Roughly at the same time, Red Hats Vlad Mihalcea, Developer Advocate for Hibernate, not only author of FlexyPool but also the other the definitive guide to all things persistence with Java named High-Performance Java Persistence started a series of great interviews on in.relation.to and invited me to join that list. Thank you again, Vlad!

In November I spoke again, at W-JAX 2016 and also at DOAG Konferenz und Ausstellung. It was an honor to be there:


Throughout those days these with Lukas, Henning, Axel, Niko, Christian, Matthias, Michael, Wolfgang, Oliver and Kai:

Even if I really get nervous all the time, speaking at this conferences was a valuable experience and I’ll try to continue that, starting early in 2017 at the newly founded Spring Meetup Munich together with Michael Plöd from InnoQ. If you think a talk about anything Spring and Databases or how to work with them using NetBeans would fit your JUG, please, drop me a line.

I wrote a lot this year and could publish several articles on German and English JAXenter which I collected on my about page. Apart from that stuff I wrote 35 blog posts this year here… Many of them got featured on the Spring blog, the jOOQ community page, in both Eugens and Thorbens Java Web weekly newsletters. Thank you Thorben, Eugen, Lukas and Josh.

The first book I ever wrote sold over 700 times which surprised me a lot. Have a look, Arc42 by example.

I managed to organize 6 events at our Euregio JUG, having Bert Jan Schrijver, Johan Vos, Max Wielsch, Manuel Mauky, Gernot Starke, Geoffrey De Smet, Carola Lilienthal and Mark Paluch:

Running this JUG is incredible rewarding: Not only I learn a lot of stuff, but can meet and talk with awesome people who love to share their knowledge and I’m looking forward to continue this in 2017. If you want to visit Aachen, please contact me: michael@euregjug.eu and we arrange something!

with Mark Heckler

Also, as a visitor: Go to a JUG at your place. In Germany, there’s one easily reachable from nearly everywhere in Germany, see the iJUG website. There’s also a curated map of JUGs worldwide, see Java User Group & events. It’s really easy to learn first hand knowledge from the experts or just have drink and talk. Invite others and convince them that those meet ups are great places. Smaller conferences like J-Fall, organized by the nl.JUG are also a day worth spent!

with Bruno Borges

Oh and by the way: In my last years Christmas holiday, I wrote the site for the Euregio JUG using Spring Boot and some other tools and it has been running on a sponsored Pivotal CF account for a year now. Really easy to deploy, using marketplace services like various databases, Elasticsearch and more is a no-brainer thanks to automatic reconfiguration of Spring Boot. Highly recommended!

The community we have in “Java land” is one of the most important assets, despite having sometimes a heated discussion over a few topics (I *have* to create an insult con some time), but that’s fine… The selfies in this post are my tribute to this community. You rock!

Also, a big thank you to my company ENERKO INFORMATIK, making it possible not only work on the stuff I like but also running a JUG amongst other stuff.

But most important, thank you to @tinasimons, wife, mother, developer and one of the hardest working persons I know and the one person I can always rely on. I’m so glad that she supports the ideas (and there are quite some right now) I have for next year. Here are just 11 years from 16 we have spent together in two pictures:


| Comments (2) »

10-Dec-16