Tag Archives: springframework

Spring Book – Chapter 18 – Remoting

Fundamentally, Spring remoting is a Remote Procedure Call (RPC) feature that uses a communication protocol such as RMI, HTTP or JMS to interoperate across multiple JVMs. The plumbing involved in talking over these protocols, along with other complexities, is hidden from the developer by a proxy object created by Spring.

In this chapter, we will first go through the basic concepts in remoting and then the support provided by Spring. We will then cover in detail the various remoting technologies that Spring supports.

Basic Concepts

This section provides standard definitions for the basic concepts and terminology that will be used throughout to explain Spring remoting in detail.

Remote Procedure Call (RPC)

A remote procedure call (RPC) is an inter-process communication that allows a computer program to cause a subroutine or procedure to execute in another address space (commonly on another computer on a shared network) without the programmer explicitly coding the details for this remote interaction.

– wikipedia.org

Remote Method Invocation (RMI)

Java Remote Method Invocation (Java RMI) enables the programmer to create distributed Java technology-based to Java technology-based applications, in which the methods of remote Java objects can be invoked from other Java virtual machines, possibly on different hosts. RMI uses object serialization to marshal and unmarshal parameters and does not truncate types, supporting true object-oriented polymorphism.

– oracle.com

Proxy Pattern

Proxy patterns are key for gaining an understanding of Spring remoting. Figure 19-1 shows the UML diagram for the proxy software design pattern.

Figure 19-1. UML diagram of proxy software design pattern

In simple terms, a proxy object is one through which we control access to the actual object on which the functionality lies. Based on the context in which these proxy objects are used, they can be categorized into three types:

  • Virtual Proxy – If you would like to control the creation of resource-intensive objects in a lazy fashion (objects are created only when the application actually uses them for the first time), the heavy objects can be put inside proxy objects and their creation controlled according to the requirements of your application.
  • Remote Proxy – Used to mask the complexity of the communication mechanism between remote objects. Spring remoting uses this type of proxy for abstraction.
  • Access Proxy – Used to control the access to a sensitive object by wrapping it with a proxy.
  • Smart Proxy – If you would like to provide additional functionality to the existing object, smart proxies can be created to address this in your application.

The Proxy pattern is one of the most important design patterns because it provides an alternative to extending functionality in Java using inheritance. Another alternative is object composition, where an object (proxy, now you know) forwards method calls to an enclosed object (real subject).

Problems Faced Today

Most remoting mechanisms provide a layer of abstraction over the transport details used for communication in a distributed environment. This locks your code to a particular programming model. In present-day application development, locking into any one model is not considered the right approach, especially with frameworks like Spring around, which allow non-locking integration with other third-party technologies and programming models.

In the case of Java RMI (Remote Method Invocation), your service interface has to extend the java.rmi.Remote interface and your client is forced to catch the java.rmi.RemoteException exception class. This dependency on Java RMI makes your code tightly coupled to this programming model. It not only locks you in, but also clutters your business logic with remoting infrastructure, hurting the principle of separation of concerns.

Any enterprise application will normally use many applications and services that run on different platforms. When the need arises to share data or functions between these existing applications, the need for remoting could arise.
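The decoupling described above can be shown with a JDK dynamic proxy. This is an added example, not code from the book or from Spring: `AccountService`, `Transport` and `RemoteCallFailed` are hypothetical names, and the transport is simulated in-process with constructed replies. The business interface stays free of `java.rmi` types, and the proxy converts the checked `RemoteException` into an unchecked one.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.rmi.RemoteException;

public class RemoteProxyDemo {
    // Business interface: no java.rmi.Remote, no RemoteException in its signature.
    interface AccountService { long balance(String accountId); }

    // Stand-in for the transport (assumption); a real one would marshal the call over RMI or HTTP.
    interface Transport { Object send(String method, Object[] args) throws RemoteException; }

    // Unchecked wrapper (hypothetical name), so callers are not forced to catch transport errors.
    static class RemoteCallFailed extends RuntimeException {
        RemoteCallFailed(String message, Throwable cause) { super(message, cause); }
    }

    // Remote proxy: implements the business interface and forwards each call to the transport.
    static <T> T remoteProxy(Class<T> api, Transport transport) {
        InvocationHandler handler = (proxy, method, args) -> {
            if (method.getDeclaringClass() == Object.class) {   // keep Object methods local
                return switch (method.getName()) {
                    case "toString" -> "RemoteProxy(" + api.getSimpleName() + ")";
                    case "hashCode" -> System.identityHashCode(proxy);
                    default -> proxy == args[0];                 // equals
                };
            }
            try {
                return transport.send(method.getName(), args);
            } catch (RemoteException e) {                        // transport detail stops here
                throw new RemoteCallFailed("remote call failed: " + method.getName(), e);
            }
        };
        return api.cast(Proxy.newProxyInstance(api.getClassLoader(), new Class<?>[] {api}, handler));
    }

    public static void main(String[] unused) {
        AccountService up = remoteProxy(AccountService.class, (m, a) -> 1250L);  // constructed reply
        System.out.println("balance = " + up.balance("ACC-1"));

        AccountService down = remoteProxy(AccountService.class,
                (m, a) -> { throw new RemoteException("connection refused"); });
        try {
            down.balance("ACC-1");
        } catch (RemoteCallFailed e) {
            System.out.println("unchecked failure: " + e.getCause().getMessage());
        }
    }
}
```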

Integration will remain a high priority in coming years, according to Forrester analyst Ken Vollmer, as virtually all enterprise application delivery projects require significant integration among applications, internal data sources, external trading partners, and more and more frequently, external data resources.

To answer these challenges, the main goals on which Spring Remoting was built and the advantages it brings can be summarized as below:

  • Hide plumbing code as much as possible through abstraction – Spring Remoting hides a lot of plumbing code from the developer through service providers on the server side and a client proxy on the client side. As a result, the code becomes cleaner and more maintainable in the long run, with clear separation of concerns and no tangling or scattering of code.
  • Remoting capability by configuring and exposing services declaratively – Spring’s abstraction takes a configuration-based approach to remoting. On the server side no code change is required at all, and you can expose your existing services as remote services with ease. On the client side, you expose remote methods from existing code. You can then use Spring’s dependency injection to wire various objects into your remote object with ease.
  • Support for multiple protocols and handling exceptions in a consistent way – Spring offers a consistent way of writing service exporters and client FactoryBeans for the various protocols. This provides consistency and ease of adoption, as the overall flow remains the same irrespective of the remoting technology. Because of this consistency, on the server side you can expose services over various protocols declaratively. On the client side you can easily swap between the available protocols according to infrastructure and other considerations. It is also easy to switch between remote and local deployment by a mere configuration change, which is very handy during the testing and actual deployment phases.

In the following sections, we will see whether the Spring Framework was able to deliver on these goals and in what way it allows extension, following the Spring philosophy.


Spring Book – Chapter 15 – Web Application Security with Spring

Security is one of the most important services any application needs, and it has to cover all the essential parts comprehensively while staying elegant and simple. The Spring Security framework is used in several domains, including government, banking and military applications. Although it is written in Java, its high adoption and success have led to its architecture being ported to other platforms such as Microsoft .NET and Python, to name a few.

Spring Security provides declarative security, especially for Spring-based applications. That said, it has appropriate extension points and pluggability built in, so it can also be plugged into and used with other standard frameworks available in the software industry. Spring Security provides enterprise-level authentication and authorization services at the web request level and at the method invocation level for JEE-based enterprise software applications.

Security Concepts

Before diving deep into security and Spring Security in this chapter, there are certain terms from the security world that should be understood. This section aims to do just that and arm you with the concepts and terminology that will be used throughout the chapter.

Principal

Any user, system or device that performs an action is called a “Principal”. In simple terms, in the case of an application, anything that would like to interact with the application can be called a “Principal”.

Authentication

The process by which the application checks or validates that the interacting “Principal” is who or what it claims to be is called authentication. Authentication can take place in various ways, such as basic, form, digest, etc.

Credentials

The application authenticates by challenging the principal. The challenge is usually a request by the application for the principal to pass on valid credentials, usually a username/password combination already stored in a persistent store of whatever kind the application chooses. There are various storage mechanisms for the credentials and the authority details, such as a database, LDAP, etc.

Authorization

After a principal is successfully authenticated, it still needs the necessary access rights to perform an action on the application, such as creating a new record, viewing a page etc. This process makes sure that the principal has the necessary access to perform the action.

Secured Item

Any resource or item in an application which requires appropriate access rights to perform an action on it is called a “Secured Item” or “Secured Resource”.

GrantedAuthority

A Spring Security term used to refer to application-wide permissions/access rights granted to a principal.

SecurityContext

It’s the Spring Security object which is responsible for holding authentication and other security related details.

SecurityContextHolder

It’s the Spring Security object which is responsible for providing access to the SecurityContext object. It uses various strategies like ThreadLocal, inherited ThreadLocal and Global to provide the SecurityContext object within an application.
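The difference between the thread-bound strategies matters as soon as work moves to another thread. The sketch below is an added example in plain JDK Java, not Spring Security's own classes: `Auth`, `PER_THREAD` and `INHERITED` are hypothetical stand-ins for the context and its ThreadLocal and inherited ThreadLocal holders, and the principal is constructed sample data.

```java
import java.util.Set;

public class ContextHolderDemo {
    // Minimal stand-in for an authenticated principal and its granted authorities.
    record Auth(String principal, Set<String> authorities) {}

    // Two storage strategies, modelled on the ThreadLocal and inherited ThreadLocal modes.
    static final ThreadLocal<Auth> PER_THREAD = new ThreadLocal<>();
    static final ThreadLocal<Auth> INHERITED = new InheritableThreadLocal<>();

    // Authorization check against whatever context the calling thread can see.
    static boolean hasAuthority(ThreadLocal<Auth> holder, String needed) {
        Auth auth = holder.get();
        return auth != null && auth.authorities().contains(needed);  // no context: deny
    }

    // Runs the same check in a freshly created child thread.
    static boolean checkInChild(ThreadLocal<Auth> holder, String needed) throws InterruptedException {
        boolean[] result = new boolean[1];
        Thread child = new Thread(() -> result[0] = hasAuthority(holder, needed));
        child.start();
        child.join();
        return result[0];
    }

    public static void main(String[] args) throws InterruptedException {
        Auth alice = new Auth("alice", Set.of("ROLE_ADMIN"));       // constructed sample principal
        PER_THREAD.set(alice);
        INHERITED.set(alice);
        try {
            System.out.println("same thread:          " + hasAuthority(PER_THREAD, "ROLE_ADMIN"));
            System.out.println("child, thread-local:  " + checkInChild(PER_THREAD, "ROLE_ADMIN"));
            System.out.println("child, inheritable:   " + checkInChild(INHERITED, "ROLE_ADMIN"));
        } finally {
            // Request threads are pooled and reused: always clear the context when the work ends.
            PER_THREAD.remove();
            INHERITED.remove();
        }
        System.out.println("after clear:          " + hasAuthority(PER_THREAD, "ROLE_ADMIN"));
    }
}
```

The child thread sees the context only through the inheritable holder; with the plain thread-local holder the check fails closed, as it does again once the context has been cleared.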

Spring Security Motivation

Spring Security was developed keeping in mind certain considerations. These considerations have become the core motivation on which Spring Security thrives and competes. These motivations can be summarized as shown below:

  • Portability – Spring Security is portable across different containers, commercial and open-source alike. A web application using Spring Security can be deployed as is in different containers and can also run in standalone environments. Spring Security overcomes the non-portability of servlet specification security by not having container-specific adapters and role mappings.
  • Flexibility – Spring Security supports almost all the common authentication mechanisms and keeps adding support as new technologies arise, which keeps it up to date almost all the time. It also provides configurable storage options for user credentials and authorities. Because it is built on top of Spring, all of this can be done by mere configuration, making it simple and easy.
  • Extensibility – Spring Security provides a high level of extensibility in how the principal is defined, where the authentication information is stored, how authorization decisions are made, where security constraints are stored etc., making it highly customizable according to various application requirements.
  • Separation of Concerns – One of the most important motivations on which Spring Security is built is the level of separation of concerns it provides, allowing business logic to be completely decoupled from the security code. Security concerns such as authentication and authorization are also decoupled from each other, making it possible to change the authentication process without affecting authorization.
  • Consistency – Regardless of the mechanisms followed to achieve authentication and authorization, Spring Security keeps consistency in all aspects.

Spring Security History

Spring Security was originally called Acegi Security, created by Ben Alex in the year 2003. Version 1.0 was released in March 2003. Acegi Security provided declarative security and was extremely powerful and flexible in numerous aspects. Although it had advantages in many respects, it had a big inherent problem: all configuration was in XML, which made it really cumbersome and sometimes troublesome.

In version 2.0 of the Spring Framework, Acegi Security was adopted into it and renamed Spring Security. With advances in the Spring Framework came advances in Spring Security. Additional modules kept being added, and with Spring namespaces configuration slowly became easier and more manageable, paving the way to configuration by convention. It applies security rules through extensive use of Servlet filters and Spring AOP. Although Spring Security is Spring-based, it can be used with non-Spring-based web applications with ease.
