Feature Interaction Problems and Spring Security

A feature interaction problem arises when features that each work smoothly and without any problem in your system individually start causing problems when you bring them together. Bertrand Meyer has recently published his thoughts on the topic as well. While reading it, I came to realize that Spring Security has several similar issues […]

Activating Authorization Success Event Publish Feature

Spring Security publishes various authentication and authorization events during its security checks. Spring-managed beans which implement the ApplicationListener interface, or beans with methods annotated with @EventListener, can consume those events within the application. One of those security-related events is AuthorizedEvent, which indicates that a user request is allowed to access a secured web resource. It is, […]

Things to Fix When Upgrading from Spring Security 3.2.x to 4.x

Some things have changed in Spring Security 4.x compared to the previous 3.2.x branch. They are not overwhelming, but you may have to deal with them so that your application can work without any problem after upgrading to the Spring 4.x release. I noted them down during my upgrade process, and post them here in case you […]

Adding New Permission Types to Spring Security ACL

Domain object level security is probably the least used feature of Spring Security, compared to the URL-based and method-level security features, in enterprise Java web applications. However, when you have a security requirement such as “I want to restrict some operations which are allowed for some roles based on criteria that can be obtained from […]

Allowing roles without defining them in intercept-url element

Spring Security Framework has lots of authentication and authorization features, and almost all of them can be customized and extended according to your own needs. One of the common requests I come across is that developers don’t want to explicitly define the roles which have administrative privileges in intercept-url elements like the one below: <intercept-url pattern="/secured/*" access="ROLE_ADMINISTRATOR,ROLE_USER,ROLE_EDITOR"/> […]

Reusing Persistent Token Mechanism of Spring Security

Spring Security Framework has existed in my enterprise application development tool suite for ages. Over the years it has evolved a lot and become a much more reusable and extensible framework for various security needs. Recently, one of my clients came up with an interesting requirement. They are developing a mobile client for their enterprise web application, […]

Managing the Number of Sessions of the Same User with Spring Security

Spring Security is a comprehensive security framework for enterprise web applications. It includes ready-made solutions for many of the authentication and authorization needs encountered in enterprise web applications. One of these needs is controlling the number of logins that can be made with the same user at the same time but from different places. Spring Security offers two different options in the ready-made structure it provides for this. With the same user […]

A Detailed Look at the Spring Security RememberMe Service

One of the services Spring Security offers out of the box is the remember-me service. With remember-me, a user who is subject to form-based authentication does not have to re-enter their username and password every time they open their browser. For this, there is an optional “Remember me” field on the login screen. The credentials of a user who selects it are stored as a cookie on the user's computer and […]

Delegating Authentication to Web Services in Acegi

What I like most about Acegi Security Framework is its configurability and extensibility. I think those two features are very crucial for any framework to be successful. Recently, I have come across a requirement of authenticating users via a web service, and giving more detailed authentication failure messages according to result codes returned from […]

Moving FilterInvocation Definitions out of XML Files in Acegi

SpringSource has recently announced that they have renamed Acegi Security to Spring Security, and are preparing for a major release which will be called 2.0. Actually, its first milestone release is already available for download. According to Ben Alex, there are various enhancements to bean configuration and new features introduced, such as hierarchical roles, etc. […]