Spring presentation notes

Usually you should be sleeping at this hour but I just couldn’t, so I stumbled upon a Spring Security 3 presentation from SpringOne 2010 by Mike Wiesner. (Great presentation by the way.)

Quick notes:

  • still a lot of focus on url-based control (surprise) — still cannot see how we could benefit from expressions in our app
  • UserContextService (why didn’t I think of that!! — 00:24:00) — should store only a simple serializable token (like the username) in Authentication and have UserContextService provide us with the User entity, perhaps the related entities, sids, stuff like that
  • more specific about roles and rights than with 2.0, which is very good — must’ve confused many
    • rights = business actions
  • @PreAuthorize for rules, not acl (00:54:00), with expressions … abstracting “what the permission is” behind “do this permission check” helps with deployment-time/customer customizations; acl is just one way to implement the check
    • DefaultMethodSecurityExpressionHandler
    • PermissionEvaluator 00:59:00
  • looks better and better with PermissionEvaluator
  • yet I’m guessing there’s nothing on database searches with permissions…
    • yep, @PostFilter, let’s see if anyone asks the question what to do with 50000 entities
    • Mike Wiesner has good jokes
    • extend PermissionEvaluator to express itself in SQL?
  • using Groovy for evaluators, less code, more visibility, power assert (01:08:00) (extremely nice assert error)
  • deletable discussion (01:11:00) — good stuff; do not push security properties into entities
    • throw in a mix-in … with groovy…
    • basically Groovy supports pushing some kind of map store as “mixins”
    • can access from (jsp) expressions — surprise
    • aha, introduce a SecureEntity interface, push it with @Transient using @AspectJ mixin — looks nice, requires compile/load time weaving
    • if we use Hibernate session#load, a loadable model wrapper to push values might be the best place, or rewrite the loaded proxy to use the service layer, push behaviour with an annotation to the service
    • remember to do service first, ui last
  • Kerberos/SPNEGO at 01:21:00
    • default on Windows, thank god for no more NTLM
    • at the time of the presentation at milestone 2
    • missing mostly documentation, hardest part should be the Kerberos environment setup
  • spring security 3.1 at 01:24:00
    • want to have better/easier right mapping (?)
    • better Active Directory integration
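The @PreAuthorize / PermissionEvaluator point and the “@PostFilter with 50000 entities” worry above are easier to see in code, so here is an added example (not from the presentation or this post) of what that separation looks like in Spring Security 3. The Document entity, DocumentRepository and UserContextService are assumed names for the illustration; the PermissionEvaluator interface, the @PreAuthorize/@PostFilter annotations and the DefaultMethodSecurityExpressionHandler wiring are the real Spring Security ones. The second list method shows the alternative to @PostFilter: carry the same rule into the query so the database does the filtering instead of the JVM.

```java
// Added example: a custom PermissionEvaluator so that @PreAuthorize says
// *what* is checked ("edit this document") while the *how* lives in one class.
// Document, DocumentRepository and UserContextService are assumptions.
import java.io.Serializable;
import java.util.List;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;

/** Hypothetical domain entity; it carries no security state of its own. */
class Document {
    final long id;
    final String ownerName;
    Document(long id, String ownerName) { this.id = id; this.ownerName = ownerName; }
}

/** Hypothetical lookup from the simple token in Authentication to the rich user (the UserContextService idea). */
interface UserContextService {
    boolean isAdmin(String username);
}

/** Hypothetical repository; findVisibleTo pushes the permission rule into the query (e.g. WHERE owner = :username). */
interface DocumentRepository {
    Document findById(long id);
    List<Document> findAll();
    List<Document> findVisibleTo(String username);
}

public class DocumentPermissionEvaluator implements PermissionEvaluator {
    private final UserContextService users;
    private final DocumentRepository documents;

    public DocumentPermissionEvaluator(UserContextService users, DocumentRepository documents) {
        this.users = users;
        this.documents = documents;
    }

    // Called for hasPermission(#doc, 'edit') style expressions.
    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || !(target instanceof Document)) {
            return false; // deny by default, including for unexpected target types
        }
        Document doc = (Document) target;
        String username = auth.getName(); // only the simple token lives in Authentication
        if ("read".equals(permission) || "edit".equals(permission)) {
            return username.equals(doc.ownerName) || users.isAdmin(username);
        }
        if ("delete".equals(permission)) {
            return users.isAdmin(username);
        }
        return false; // unknown permission names are denied, never silently granted
    }

    // Called for hasPermission(#id, 'Document', 'edit') when only the id is at hand.
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) {
        if (!"Document".equals(targetType) || !(targetId instanceof Long)) {
            return false;
        }
        Document doc = documents.findById((Long) targetId);
        return doc != null && hasPermission(auth, doc, permission);
    }
}

/** The rules sit on the service layer ("service first, ui last"). */
class DocumentService {
    private final DocumentRepository documents;
    DocumentService(DocumentRepository documents) { this.documents = documents; }

    @PreAuthorize("hasPermission(#doc, 'edit')")
    public void rename(Document doc, String newTitle) {
        // business logic only; the check already happened in the interceptor
    }

    // Loads every row and then filters in memory: fine for 50 rows, not for 50000.
    @PostFilter("hasPermission(filterObject, 'read')")
    public List<Document> listAllThenFilter() {
        return documents.findAll();
    }

    // Scalable variant: express the same "read" rule inside the query.
    public List<Document> listVisible(Authentication auth) {
        return documents.findVisibleTo(auth.getName());
    }
}

/*
 * Wiring (Spring Security 3.0 namespace XML, assumed bean names):
 *
 * <global-method-security pre-post-annotations="enabled">
 *   <expression-handler ref="expressionHandler"/>
 * </global-method-security>
 * <bean id="expressionHandler"
 *       class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
 *   <property name="permissionEvaluator" ref="documentPermissionEvaluator"/>
 * </bean>
 */
```

Two practical points: the `#doc` reference in the expression needs the method parameter names at runtime, so compile with debug info or the expression cannot resolve it; and keep the evaluator’s default branch at `false`, because a new permission name that nobody mapped yet should fail closed rather than open.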

And I also used my night on another great presentation by David Syer and Mark Fisher: Concurrent Distributed Applications with Spring.
  • first SEDA explanation I’ve understood, with the same old Cafe example
  • way too much JCIP repeating
