Reviews: Spring Security 3.1 (1)
“comprehensive build out”
(Paperback)
The book starts off well with chapter 1 which proffers an example of an unsafe application built under Spring. But in one section it cites "inadvertant privilege escalation due to lack of URL protection and general authorisation". The text does not explain what lack of URL protection is; it sounds intriguing. There is indeed a synopsis of what general authorisation means, however. The index also does not seem to have an entry for this lack of URL protection, under various possible forms. So a reader who is puzzled might have to read the rest of the book to find out. Maybe this is the intent!
Chapter 4 on JDBC authorisation contains generally useful advice about secure passwords. We see that Spring Security has a password encoder interface that is implemented by several classes of increasing complexity and security. You are advised to hash a new user's password and not store it anywhere in plaintext. Even stronger is the suggestion of adding a salt to a password. This avoids a rainbow attack by a cracker. Luckily Spring lets you easily generate and add a salt.
The book goes on to discuss OpenID, which is a centralised identity management. OpenID is a reaction against the fragmentation of the Internet, where each domain rolls its own security and other measures. The narrative contrasts this to Microsoft's Passport from 10 years ago. OpenID is an open specification with multiple independent providers. You might note the slight apparent irony in this, for it does centralise a specification. But unlike Microsoft, it permits the existence of different providers who meet that. The book warns us to not trust OpenID entirely. Identity fabrication can still exist due to real world considerations. Nicely, Spring Security easily lets you access OpenID for your users and the book shows how to do this.
Page of 1

Spring Security 3.1
Non-Fiction, Computing & Internet
Robert Winch (author)
Paperback Published on: 26/12/2012
Price: £30.99
