Friday, December 24, 2010

Book Review: Spring Security Reference Documentation

My team recently started working on a project to migrate a legacy system from a home-grown security framework to Spring Security.  While the team already had quite a bit of experience with Spring Security, my last ground-up implementation was of the 1.x series (ACEGI) and my team had some experience with version 2.  This reference documentation for version 3 was, therefore, an easy read for me.  My reading this while working on the early stages of the project helped me understand the new idioms and helped me make suggestions to the team to use some new standard technologies to solve interesting problems.  The most interesting feature of the 3.x series is that a single security definition can be made through annotation in the controller of the secure URL, and then JSP pages and other resources that needed to check security (whether to show a link or not for instance) can simple be made using a syntax like this:

<sec:authorize access="hasRole('supervisor')"> This content will only be visible to users who have the "supervisor" authority in their list of GrantedAuthoritys. </sec:authorize>
Or, even cooler, like this:
<sec:authorize url="/admin"> This content will only be visible to users who are authorized to send requests to the "/admin" URL. </sec:authorize url="/admin">
It was an easy read, if a little verbose. Some sections were worth skimming, and knowledge of Spring Security is advised before reading.

No comments:

Post a Comment


Bookmark and Share