Monday, September 15, 2014

Secure your AngularJS Apps with Spring Security and Spring Session


A few days ago I was in the middle of preparing for my Spring One 2GX 2014 talk "Creating Modular Test-Driven SPAs with Spring and AngularJS" (Slideshare). Part of the presentation is a demo application I created called botanic-ng. This application uses AngularJS on the client side and Spring (Boot) on the server side. As I did not want to create merely a simplistic toy app, I also intended to add authentication and (simple) authorization to the application.

I did not want to go too crazy with this (e.g. implementing full-fledged OAuth 2.0 integration). Nevertheless, I wanted to add (I hope) some meaningful security features inside my AngularJS application.

Disclaimer: I am not a security expert. Proceed with caution as this solution may not provide enough security for your application needs.

By chance I came across a demo application that Josh Long created a while back. That application, while using Spring Security, did not integrate with Spring Security to the fullest extent, and I felt that I could improve upon that implementation using Spring Session, which is a new project created by Spring Security lead Rob Winch.

Spring Session

The Servlet 3.0 Specification (JSR 315) introduced several ways to customize the handling of session cookies, for instance changing the name of the cookie (from the default JSESSIONID) and providing additional security relevant settings:


However, you're still pretty much bound to using cookies in order to store your Session IDs. For cases where you need more comprehensive flexibility for handling your sessions, Spring Session comes in quite handy and provides numerous advantages.

By default Spring Session stores session information in Redis using the RedisOperationsSessionRepository. Sessions expire by default after 30 minutes but this can be customized using the setDefaultMaxInactiveInterval property. Beyond Redis a MapSessionRepository is also provided to allow for easy integration with e.g. Hazelcast.

For my use-case, I wanted to expose the Session ID not via a standard cookie but via an HTTP header. Luckily, Spring Session provides various pluggable strategies to customize that behavior. As Spring Session works as a Filter, you have to configure a SessionRepositoryFilter. On this filter you can set the HttpSessionStrategy to use. By default it uses the CookieHttpSessionStrategy. For my use-case, though, I am using the HeaderHttpSessionStrategy, which by default stores the Session ID in an HTTP header called x-auth-token (this is customizable, though).

On the client side in my AngularJS application, I am adding an HTTP header via $http to every request.

$http.defaults.headers.common['x-auth-token'] = user.token;

This is configured upon successful login through the LoginController. Botanic-ng submits the login credentials to the server, which in turn uses them to authenticate the user using Spring Security (AuthenticationController). If successful, the AuthenticationToken containing the Session ID and user roles will be sent back to the client.

The Session ID on the client is stored in memory only and if you refresh the client, the user must re-authenticate.
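An added example, not code from botanic-ng: `$http.defaults.headers.common` applies to every `$http` request regardless of the host it targets, so a tighter variant is an interceptor that attaches `x-auth-token` only to requests for the application's own origin and drops the in-memory token when the server answers 401. The names `createTokenStore`, `createAuthInterceptor` and `appOrigin` are hypothetical; the returned object has the shape AngularJS accepts in `$httpProvider.interceptors`.

```javascript
// In-memory holder for the Session ID: it is lost on page reload, as in the post.
function createTokenStore() {
  let token = null;
  return {
    set(value) { token = value; },
    get() { return token; },
    clear() { token = null; }
  };
}

// appOrigin (assumed parameter): the origin that serves the SPA and its API,
// e.g. 'https://app.example.test' (constructed value).
function createAuthInterceptor(store, appOrigin) {
  const ownOrigin = new URL(appOrigin).origin;

  // Resolve relative, absolute and protocol-relative URLs against the app origin.
  function isOwnApi(url) {
    try {
      return new URL(url, ownOrigin).origin === ownOrigin;
    } catch (e) {
      return false; // unparsable URL: never attach the token
    }
  }

  return {
    // Runs before each request: attach the header only for our own origin.
    request(config) {
      const headers = Object.assign({}, config.headers);
      const token = store.get();
      if (token && isOwnApi(config.url)) {
        headers['x-auth-token'] = token;
      } else {
        delete headers['x-auth-token']; // also strips a header set via defaults
      }
      return Object.assign({}, config, { headers: headers });
    },

    // Runs on failed responses: a 401 means the server-side session has
    // expired or was invalidated, so forget the stale Session ID.
    responseError(rejection) {
      if (rejection.status === 401) {
        store.clear();
      }
      return Promise.reject(rejection); // inside AngularJS use $q.reject(rejection)
    }
  };
}

// Registration sketch for AngularJS (assumes a module named 'app'):
//   app.factory('authInterceptor', function () {
//     return createAuthInterceptor(tokenStore, window.location.origin);
//   });
//   app.config(function ($httpProvider) {
//     $httpProvider.interceptors.push('authInterceptor');
//   });
```

With this in place the login controller calls `store.set(user.token)` instead of writing to `$http.defaults.headers.common`.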

For the full source code, please see: 




Saturday, September 13, 2014

Spring One 2GX 2014 - My session slides

Have not blogged in a while. Need to make a mental note to revive that. Just came back from Spring One 2GX 2014 in Dallas, TX. It's been a wonderful event and I learned a lot - From microservices to reactive streams. I also gave 2 presentations which I think were well received. For my AngularJS with Spring (Boot) talk I had 140 attendees, yeah :-)

Creating Modular Test-Driven SPAs with Spring and AngularJS



Spring Batch Performance Tuning


Thursday, December 5, 2013

DevNexus 2014 - Feb 24-25 - Atlanta - 10+1 Tracks - 100 sessions

The preparations for DevNexus 2014 are in full swing and we are targeting to have the biggest and boldest DevNexus developer conference ever. DevNexus will take place February 24-25 at the Cobb Galleria Centre in Atlanta, GA. With the holiday season upon us, why not reward yourself with a DevNexus ticket?

Registration is now open at: http://www.devnexus.com

Best of all, DevNexus will not break your wallet. The Early Bird Pass is available for $210 ($240 regular) and the Group Pass for groups of 5 or more is $210. We also have a $150 Student Pass available (Contact us for the code - info at ajug dot org). Keep in mind not to wait too long as DevNexus has sold out completely in the past couple of years.

This year we will offer 10 parallel tracks + 1 workshop track covering a wide spectrum of topics such as:
  • Java/JavaEE/Spring
  • HTML5
  • JavaScript
  • Data + Integration
  • Alternative Languages on the JVM
  • User Experience
  • Cloud
  • Agile + Tools
  • Mobile
In total we will have almost 100 sessions for you! 

Currently the call for papers is still under way and the response so far has been nothing short of phenomenal. Already we have started confirming a few speakers. We are excited to have Brett Meyer, a core Hibernate team member. Mark Pollack, Spring Data and Spring XD co-lead, as well as Rob Winch, the lead developer for Spring Security, will present as well. Furthermore, industry experts such as Venkat Subramaniam and Peter Bell are confirmed to speak. Over the next couple of weeks you will see an explosion of new speakers and sessions being added to the DevNexus website at:


Please check in often to see the progress! Also, we are very excited to announce our first keynote presenter who will fly in all the way from Germany: Sven Peters is a software geek working as an ambassador for Atlassian. He has been developing Java applications for over 12 years and leading small teams using lean methodologies. Sven likes effective software development and cares about the motivation of developers.

He will present:

How To Do Kick-Ass Software Development

With Kick-Ass Software Development you actually get stuff done. Feedback cycles are short, code quality is awesome and customers get the features they lust after. Less managers managing, less testers testing and less IT-operators operating. The developers take the power back, making them much happier. Sound like paradise? It is! This session will show you how we do Kick-Ass Software Development at Atlassian. I will talk about how we: use pull requests for better code quality; collaborate fast to develop ideas; avoid meetings to get more stuff done; tighten our feedback loops to fail faster; shorten our release cycles; and work together happily on different continents. It's a great way to develop software and we think it can work in your company, too.

With this line-up of topics and many more to come, attending DevNexus should be a top priority - This is the South-East’s best, yet affordable, developer conference! We, the volunteers from the Atlanta Java Users Group would be delighted to see you all at DevNexus! Learn, network and have fun -

We would like to thank all our Sponsors that help us greatly to keep DevNexus super-affordable.

We are looking forward to seeing you all in February!!!

Please register today at: http://www.devnexus.com

If you have any questions let us know at info at ajug.org and please follow
us on Twitter at http://twitter.com/devnexus for news and updates.

Monday, October 28, 2013

DevNexus 2014 - Atlanta (Feb 24-25) - Call for Papers

The Atlanta Java Users Group is in the middle of organizing its annual developer conference for 2014. 

We are excited to announce that the Call for Papers is active now. Please spread the word among your peers, and if you are interested, we would love for you to submit session proposals for our conference at:


This is what we plan so far:

DevNexus 2014 is on February 24-25 (Monday and Tuesday). We plan on having 1000+ attendees with 10 parallel tracks and 1 workshop track. This equates to:
  • 90+ sessions (75min each)
  • 4 workshops
  • 2 keynotes (60 min each)
Topic-wise we plan to cover the following:
  • Java/JavaEE/Spring
  • HTML5 + JavaScript
  • Data + Integration
  • User Experience
  • Alternative Languages on the JVM
  • Cloud
  • Agile
  • Tools
  • Mobile
Here is a short promo video that we did during DevNexus 2013:



If you have any questions, please ping me or the rest of the organizers at info at ajug dot org.

Thursday, August 8, 2013

SpringOne2GX 2013 - Early-bird registration

Just a quick note to point out that SpringOne2GX is coming up next month in Santa Clara (Sept 9-12) and the early bird registration (save $200) expires tomorrow, Aug 9th.

Therefore, please join us and register at: http://www.springone2gx.com/conference/santa_clara/2013/09/register

In case you haven't been following the massive amount of activity that has been happening in the Spring community such as Spring 4.0, Spring XD, Spring Reactor, Spring Boot, and much, much more (Please check http://blog.springsource.org for some of the latest), I think it is fairly safe to say there will be a LOT of announcements and news this year!

If you are involved with, or work with the Spring framework, Grails, Groovy - This will be a big one and it would be very worthwhile to be there!

Furthermore, if you are interested in cloud/PaaS, the first ever Cloud Foundry conference, Platform, is co-hosted at the same venue on Sept 8-9 and registration for SpringOne means you get to go to that too, if you want. http://www.platformcf.com

Just FYI - there is some crazy massive Cloud Foundry usage going on in China right now: http://www.wired.com/wiredenterprise/2013/07/cloudfoundry/

I will see you there!

Monday, April 22, 2013

Spring Integration STS Templates Updated - 1.0.0.M5

We are proud to announce a new milestone release of the Spring Integration Templates version 1.0.0.M5 for Spring Tool Suite (STS). This release brings numerous fixes and enhancements as detailed below. If you are using the latest version of STS version 3.2, the updated templates are automatically available to you. Just press the "Refresh" button under File --> New --> Spring Template Project.



If you are not fully familiar with the STS Template support, please see the original blog post including screencast at:


In this new release, we have updated the templates to the latest Spring Integration version (2.2.3.RELEASE). Also, all templates will now warn if either the Maven support or the Gradle support are not available in the respective Eclipse environment. 

In particular, we made numerous improvements to the War template as well as the Adapter template.

Spring Integration War Template

The War template now provides a much better (prettier) UI using Bootstrap. If you have not used Bootstrap, yet - It is basically the new UI baseline. It is very simple to use and even prototypes, presentation demos etc. shall not look like 1990s websites any longer. 

The updated template also uses wro4j to provide more efficient bundling and minification of CSS and JavaScript resources. This allows the War template to achieve a fairly decent YSlow rating of 97.


Spring Integration Adapter Template

Another area of improvements for this release was the Adapter Template. In 2012, we introduced the Spring Integration Extensions project, to further encourage community contributions to the Spring Integration project. In order to improve the starting experience, we also introduced the Spring Integration Adapter Template for STS back then.



For a detailed overview, please check out the original blog post introducing the Spring Integration Extensions project as well as the Adapter Template:


For the 1.0.0.M5 milestone, we upgraded the project to Gradle 1.5 and also upgraded all project dependencies to the latest release. As a minor enhancement, the user provided version number will now also set the version numbers for the XML Schemas (Which provide the XML namespace support). 

I hope that the Spring Integration STS Templates are helpful to you, be it while learning and exploring Spring Integration, to kickstart new Spring Integration projects or to start developing new extensions for Spring Integration. If you see any issues, please let us know either in Jira or the community forums.

Monday, February 4, 2013

DevNexus 2013 Registration closing on 2/5/13 - Only 50 tickets left

With two weeks to go and 800 people attending we have only 50 tickets left for DevNexus 2013. The support from the community has been incredible and we will be closing registration on Tuesday evening, so if you are coming and have not registered, yet, now would be the time...
We have 8 incredible tracks with 50 speakers covering:
  • HTML5 + JavaScript (Backbone.js, Bootstrap, CoffeeScript, Canvas, IndexedDB, WebSocket, LESS)
  • Mobile Development (PhoneGap, Android, Titanium, Mobile Web, AeroGear)
  • Data + Integration (MongoDB, Storm, Spring Integration + Batch, Ehcache, JPA)
  • Java/JavaEE/Spring (Java 8, Java EE 7+8, Concurrent Programming)
  • Web (Play, REST, Spring MVC)
  • Alternative Languages (Groovy, Scala, Clojure)
  • Cloud (Cloud Foundry, AWS, MS Azure)
  • Agile + Tools (Git, Gradle, XP, Kanban, Continuous Delivery, Vagrant)
Adding to the fun, we will have a happy hour sponsored by eHire Labs, most of our sponsors will be raffling off cool stuff and we will be giving away a MacBook Air, Nexus 10 tablet and an unlocked Samsung Galaxy SIII in the raffle. http://devnexus.com/s/index

A big thank you to all our sponsors without whom we would not be able to put on this event for such an incredibly affordable price.



Thursday, January 17, 2013

DevNexus 2013 - Schedule Published



DevNexus 2013 is only 4 weeks away and will take place February 18-19 at the Cobb Galleria Centre in Atlanta, GA. The past days and weeks, we have been super-busy organizing and confirming the best speakers of our industry. Finally, we are now happy to announce the preliminary schedule for DevNexus 2013 at:


This year will mark our biggest DevNexus conference event, yet! Compared to last year, we added 2 more tracks to the conference, bringing the total to 8 tracks. 40 speakers will deliver 71 sessions equipping you with the critical knowledge to take your career to the next level. This also includes 2 wonderful keynote sessions by Neal Ford and Ben Evans.

As in prior years, we will cover a wide variety of crucial topics and we will have dedicated tracks on:
  • HTML5 + JavaScript (Backbone.js, Bootstrap, CoffeeScript, Canvas, IndexedDB, WebSockets, LESS)
  • Mobile Development (PhoneGap, Android, Titanium, Mobile Web, AeroGear)
  • Data + Integration (MongoDB, Storm, Spring Integration + Batch, Ehcache, JPA)
  • Java/JavaEE/Spring (Java 8, Java EE 7+8, Concurrent Programming)
  • Web (Play, REST, Spring MVC)
  • Alternative Languages (Groovy, Scala, Clojure)
  • Cloud (Cloud Foundry, AWS, MS Azure)
  • Agile + Tools (Git, Gradle, XP, Kanban, Continuous Delivery, Vagrant)
With this line-up of topics, attending DevNexus should be a priority - This is also the South-East’s best, yet affordable, developer conference! We, the volunteers from the Atlanta Java Users Group would be delighted to see you all at DevNexus! Learn, network and have fun -

Please register today at: http://www.devnexus.com

We would like to thank all our Sponsors that help us greatly to keep DevNexus super-affordable ($195 group-ticket / $220 regular ticket). 

We are looking forward to seeing you all in February!!!

PS:

If you have any questions let us know at info at ajug.org and please follow us on Twitter at http://twitter.com/devnexus for news and updates.

Wednesday, November 21, 2012

DevNexus 2013 - Feb 18/19 - Registration is Open


The Atlanta Java Users Group is delighted to announce that registration for DevNexus 2013 is now open. In order to reserve your ticket, please go to:


DevNexus 2013 will be held on Monday, February 18th and Tuesday, February 19th at the Cobb Galleria Centre in Atlanta, GA. We have already confirmed many wonderful speakers, representing the who's who in our industry. They will be covering a wide array of crucial technology topics such as:
  • Java and JVM Languages (incl. Clojure + Scala)
  • Cloud, Big Data and NoSQL
  • Web (HTML5, JavaScript)
  • Mobile (Android, Hybrid, Mobile Web)
  • Methodologies, Architecture, Tools and Security
In addition to providing great content for Java/JVM developers, DevNexus is an awesome networking opportunity. This event attracts Java/JVM talent from diverse backgrounds, be it large corporations, consulting organizations or independent technology connoisseurs. You will have an opportunity to discover what other development teams are using as their favorite tools and practices.

Why should you attend DevNexus 2013:
  • Best Value: $195 Early Bird price (until Jan 15) for two full days of technology immersion and camaraderie (group+student discounts available).
  • Ask questions to world-class experts and fellow developers
  • Learn how to move your applications into the cloud 
  • Learn Agile Best Practices & Tools 
  • Learn more about core Java topics as well as other languages on the JVM
  • Learn more about building rich (mobile) web applications using HTML5
  • Hear about the latest developments from JBoss, SpringSource and Typesafe
We have already lined-up some impressive speakers, with many more to be announced in the upcoming weeks:
  • Jeremy Deane
  • Hans Dockter
  • Ben Evans
  • Mark Fisher
  • Neal Ford
  • Andrew Fuqua
  • David Geary
  • Wesley Hales
  • Stuart Halloway
  • Ken Kousen
  • Josh Long
  • Matthew McCullough
  • Pratik Patel
  • Reza Rahman
  • Nate Schutta
  • Venkat Subramaniam
  • James Ward
For more details regarding speakers please visit:


We would like to welcome 2 new DevNexus sponsors

Silver Sponsors

- eHire Labs - http://ehirelabs.com/
- AppDynamics - http://www.appdynamics.com/

Cocktail Hour Sponsor

- eHire Labs - http://ehirelabs.com/

We also would like to thank our other AJUG/DevNexus sponsors for their support in making DevNexus a success. 
We hope to see you all at DevNexus, and please register as soon as possible for this incredibly valuable event at:


(We have sold out early in prior years)

Friday, October 5, 2012

What's New in Spring Integration 2.2 - JPA Support

I have just published a new blog posting, which introduces the new Java Persistence API (JPA) support that is provided with Spring Integration 2.2. This is the third part in a series of blog posts highlighting some of the new features available in Spring Integration 2.2 following the recent release of Release Candidate 1. Please head over to the SpringSource blog to get the details:

http://blog.springsource.org/2012/10/05/whats-new-in-spring-integration-2-2-part-3-jpa-support/