This presentation shows you how to implement authentication in your Java web applications using Java EE 7 Security, Spring Security and Apache Shiro. It also touches on best practices for securing a REST API and using SSL.
This document compares and contrasts Java EE and Spring frameworks. It provides examples of implementing common functionality like dependency injection, transactions, scheduling and messaging using annotations and configuration files in both platforms. The document aims to demonstrate that Spring and Java EE can be used side-by-side and have similar patterns for common tasks but different implementations. It also discusses how each integrates with the other for certain features.
The document discusses Java EE 6 and its evolution over time. It outlines key features of Java EE 6 including lightweight profiles, annotations, managed beans, interceptors, and Servlets 3.0. It provides examples of using managed beans, interceptors, and the new annotations-based approach in Servlets 3.0. The document aims to educate developers on the nuts and bolts of Java EE 6.
The document is a presentation about Java EE 6 and GlassFish. It discusses how Java EE 6 and GlassFish aim to provide developers with less code and more power through features like annotations, simplified configurations, and support for newer Java technologies. It also summarizes some of the new Java EE 6 specifications and how they improve areas like web development, EJBs, JSF, JPA and more.
Java EE 8 Overview (Sept 2015). A lot of work is already done by the Expert Groups, so let's have a brief look at what we can expect in some areas. - Servlet 4 will embrace the new HTTP/2 protocol. - JSON-B will bring the same high level features of JAXB to the JSON data format. - Server-Sent Events (SSE) is the WebSocket variant where you only send data from the server to the client. - MVC will be the Action based MVC complement of the Component based MVC of JSF. - Some major restructuring of CDI so that we can use it standardised in Java SE to mention one thing. The Java EE security API will be covered in more detail. Security-related things became old and dusty and need to move away from proprietary configuration to be able to make the transition to the cloud. An introduction to JSR 375 is given, which promotes self-contained application portability across Java EE servers, and promotes the use of modern programming concepts such as Expression Language, and CDI. It will holistically attempt to simplify, standardize, and modernize the Security API across the platform in areas identified by the community.
Spring Boot is an efficient way to build Java applications with the Spring Framework. If you’re developing apps that handle sensitive data, you should make sure they’re secure. This session will cover HTTPS, dependency checking, CSRF, using a CSP to prevent XSS, OIDC, password hashing, and much more! You’ll learn how to add these features to a real application, using the Java language you know and love. * Blog post: https://developer.okta.com/blog/2018/07/30/10-ways-to-secure-spring-boot * Cheat sheet: https://snyk.io/blog/spring-boot-security-best-practices/ * OIDC demo: http://bit.ly/spring-oidc-demo
JAX-RS is a Java API for building RESTful web services. It uses annotations to simplify development of RESTful resources and defines standards for request/response formats and links between resources. JAX-RS services can be deployed to Java EE servers or standalone using implementations like Jersey. The future of JAX-RS includes enhancements to the client API, support for hypermedia formats, and tighter integration with Java EE technologies.
This document provides an overview of developing RESTful web services with JAX-RS. It defines REST and compares it to SOAP, describes the principles of REST including giving resources IDs, standard methods, linking resources, content negotiation, and stateless communication. Code samples are provided to demonstrate JAX-RS annotations for resources, content negotiation, and processing form posts.
Web app security is not just authentication and authorization. It's also the things you do to protect your web app from attackers with their XSS (cross-site scripting), SQL injection, DoS/DDoS attacks, and CSRF (cross-site request forgery), to name a few. Web app security is a central component of any web-based business. The internet exposes web apps to attacks from different locations and various levels of scale and complexity. Web application security deals specifically with the security surrounding websites, web applications, and web services such as APIs. In this presentation, you'll learn seven ways to better web app security, using Spring Security for code samples. You'll also see some quick demos of Spring Boot, Angular, and JHipster with Okta.
This document discusses Clojure web development and describes a web-based project management system called Trakr that was created using Clojure. Trakr uses a MongoDB database and has a modern friendly UI. The architecture involves a Clojure HTTP server with a Ring middleware pipeline and Compojure routing to map requests to handlers. Testing is done with clojure.test and clojure.contrib.mock. Performance is around 70ms average latency.
This document provides an overview and introduction to web components. It discusses the key aspects of web components including custom elements, HTML imports, shadow DOM, and templates. It also shows how web components allow building reusable custom elements that encapsulate their styles and functionality independently of the page they are used in. The document demonstrates how to define and register a custom element for displaying activity cards and use templates and shadow DOM to encapsulate its implementation.
Matt Raible compares the Java web frameworks Micronaut, Quarkus, and Spring Boot for building REST APIs. He demonstrates how to quickly get started with each framework, secure APIs with OAuth 2.1 and JWTs, build Docker images, and go native with GraalVM. Performance tests show Quarkus has the fastest startup time while Spring Boot has the largest community support in areas like Stack Overflow questions, GitHub stars, and jobs on Indeed.
The document discusses using Angular Schematics to simplify development tasks. It covers creating a basic schematic, adding templates, testing schematics, publishing to NPM, and integrating with Angular CLI. Schematics can generate code and files and are useful for tasks like authentication, routing, and application shell generation. The document provides examples of building schematics that generate components and applications.
The document is a presentation about front end development for back end Java developers. It discusses topics like JavaScript, TypeScript, build tools, CSS frameworks, front end performance, and progressive web apps. It also provides introductions and comparisons of popular JavaScript frameworks like Angular, React, and Vue. The presentation encourages attendees to learn new front end skills and try building something with a front end framework.
You might’ve heard of Angular Schematics, but do you know what they do? Learn how you can use this powerful tool to develop workflows and simplify configurations for your Angular projects. Blog post: https://developer.okta.com/blog/2019/02/13/angular-schematics Source code: https://github.com/oktadeveloper/okta-angular-schematics-example Screencast: https://youtu.be/ANwZIt3Ni2s
Comparing JVM Web Frameworks Presentation from The Rich Web Experience 2010. Compares many different JVM-based web frameworks, ranks them based on 20 different criteria and compares the Pros, Cons and other stats of the top 5.
A simple application called cvdb is used to illustrate best practices in combining AngularJS as a client browser technology with a Spring based Java server. The server architecture utilizes the new Spring Boot module that was introduced with Spring 4 together with other Spring modules like Spring Data, Spring Security, Spring MVC. QueryDSL is used to access an H2 in-memory database.
Tips and criteria for selecting a web presentation framework. The focus is on Java-based frameworks, but the criteria are valid for any platform. From a panel discussion at the Seattle Java User Group (SeaJUG)
Apache Camel is an integration framework that allows you to define routing and mediation rules in a number of domain-specific languages. This presentation shows how I used Apache Camel to replace IBM Message Broker on a project. It includes information on how routes were developed using Camel’s Java API and how Camel can be integrated with Spring Boot. It also covers unit, integration and load testing (using Gatling) of these services. Finally, it touches on monitoring with hawtio and New Relic.
Many Spring projects exist that leverage XML for their configuration and bean definitions. Most Java web applications use a web.xml to configure their servlets, filters and listeners. This session shows you how you can eliminate XML by configuring your Spring beans with JavaConfig and annotations. It also shows how you can remove your web.xml and configure your web components with Java.
My presentation as delivered at the Denver Java User Group on April 8, 2015. Building a modern web (or mobile) application requires a lot of tools, frameworks and techniques. This session shows how JHipster unites popular frameworks like AngularJS, Spring Boot and Bootstrap. Using Yeoman, a scaffolding tool for modern webapps, JHipster will generate a project for you and allow you to use Java 7 or 8, SQL or NoSQL databases, Spring profiles, Maven or Gradle, Grunt or Gulp.js, WebSockets and BrowserSync. It also supports a number of different authentication mechanisms: classic session-based auth, OAuth 2.0, or token-based authentication. For cloud deployments, JHipster includes out-of-the-box support for Cloud Foundry, Heroku and Openshift.
JavaScript MVC Frameworks are all the rage these days. They’ve taken the web development world by storm. This session explores the various features of the three hottest JavaScript MVC frameworks: AngularJS, Ember.js and React.js. It also compares client-side templating vs. server-side templating and how well each framework supports Isomorphic JavaScript (code that can run both client-side and server-side). Finally, it ranks each framework on 10 different criteria using Yevgeniy Brikman’s framework scorecard. Video on InfoQ: https://www.infoq.com/presentations/comparing-angular-ember-react
Presentation from Angular Summit Keynote in September 2015. http://angularsummit.com/conference/boston/2015/09/session?id=34212 AngularJS is one of today's hottest JavaScript MVC Frameworks. In this session, we'll explore many concepts it brings to the world of client-side development: dependency injection, directives, filters, routing and two-way data binding. We'll also look at its recommended testing tools and build systems.
During this presentation, you'll learn how to implement authentication in your Java web applications using good ol' Java EE 6 Security, Spring Security and Apache Shiro. You'll also learn how to secure your REST API with OAuth and lock it down with SSL. After learning how to integrate security, I'll show how to use Zed Attack Proxy to pentest your app and fix vulnerabilities.
This document discusses the JHipster project, which is a development tool that uses Spring Boot and AngularJS to generate and scaffold Java web applications. It highlights features of JHipster like authentication, metrics dashboards, and support for SQL and NoSQL databases. The document also demos generating a sample blog application using JHipster and shows how much code is generated for entities and the user interface. It promotes staying up to date with trends in Java and web development.
HTML5, CSS3, JavaScript, jQuery, Angular JS, Bootstrap, Mobile, CoffeeScript, GitHub, functional programming, Page Speed, Apache, JSON with Jackson, caching, REST, Security, load testing, profiling, Wro4j, Heroku, Cloudbees, AWS. These are just some of the buzzwords that a Java web developer hears on a daily basis. This talk is designed to expose you to a plethora of technologies that you might've heard about, but haven't learned yet. We'll concentrate on the most important web developer skills, as well as UI tips and tricks to make you a better front-end engineer. Some of the most valuable engineers these days have front-end JS/CSS skills, as well as backend Java skills.
Angular is one of today's hottest JavaScript MVC Frameworks. In this session, we explore its next version: Angular 2. You'll see how to build and test Angular 2 components with TypeScript, as well as how to develop forms with validation. Finally, you'll learn about related Angular 2 projects and be on your way to becoming an Angular 2 Artist!
Building a modern web (or mobile) application requires a lot of tools, frameworks and techniques. This session shows how JHipster unites popular frameworks like AngularJS, Spring Boot and Bootstrap. Using Yeoman, a scaffolding tool for modern webapps, JHipster will generate a project that uses Java 8, SQL or NoSQL databases, Spring profiles, Maven or Gradle, Gulp.js, WebSockets and BrowserSync. It also supports a number of different authentication mechanisms: classic session-based auth, OAuth 2.0, or token-based authentication. For cloud deployments, JHipster includes out-of-the-box support for Cloud Foundry and Heroku.
The document promotes the JHipster development tool for generating Spring Boot and AngularJS projects and provides an overview of its features such as entity generation, authentication, deployment options, and testing tools. It also demonstrates generating a blog application using JHipster and discusses how JHipster can help developers stay on top of the latest trends in Java and web development.
AngularJS is one of today's hottest JavaScript MVC Frameworks. In this session, we explore its next version: Angular 2. You'll see how to build and test Angular 2 components with TypeScript, as well as how to develop forms with validation. Finally, you'll learn about related Angular 2 projects and be on your way to becoming an Angular 2 Artist!
HTML5, CSS3, JavaScript, jQuery, Angular JS, Bootstrap, Mobile, CoffeeScript, GitHub, functional programming, Page Speed, Apache, JSON with Jackson, caching, REST, Security, load testing, profiling, Wro4j, Heroku, Cloudbees, AWS. These are just some of the buzzwords that a Java web developer hears on a daily basis. This talk is designed to expose you to a plethora of technologies that you might've heard about, but haven't learned yet. We'll concentrate on the most important web developer skills, as well as UI tips and tricks to make you a better front-end engineer. Some of the most valuable engineers these days have front-end JS/CSS skills, as well as backend Java skills. This presentation is from the University session I delivered at Devoxx 2013, in Antwerp. http://devoxx.be/dv13-matt-raible.html?presId=3648
A comparison on JVM Web Frameworks. Includes strategies for choosing and results from research by InfoQ and devrates.com. Also, lots of pretty graphs. See blog post about this presentation at http://raibledesigns.com/rd/entry/devoxx_france_a_great_conference and video recording at http://raibledesigns.com/rd/entry/video_of_comparing_jvm_web
Presentation originally given at the Devoxx4Kids Meetup in Denver, CO by Tack Mobile with Assembly Workspace.
My Comparing JVM Web Frameworks talk as presented at Denver's Open Source User Group (@dosug) and vJUG (@virtualjug). Covers the history of web frameworks as well as various methods for choosing one. Video on YouTube at https://www.youtube.com/watch?v=ygW8fJVlDxQ.
Spring Boot and Spring Cloud provide an easier and more productive framework for building cloud-native microservices compared to Java EE. Spring Boot simplifies the development, deployment, and management of microservices. Spring Cloud adds helpful capabilities for service discovery, external configuration, load balancing, and monitoring that are missing from Java EE. While Java EE adoption is declining, the use of Spring Boot and Spring Cloud is growing rapidly among developers.
From AlphaCSP's Java conference - JavaEdge09. The presentation of myself and Evgeny Borisov about 'Java Indexing and Searching'. In this session we discussed the need for Full Text Search (as opposed to regular textual/SQL search), Lucene and its OO mismatches, the solution that Hibernate Search provides to those mismatches and then a bit about Lucene's scoring algorithm.
Java provides security capabilities that have evolved over time. Version 1.0 used a sandbox model but allowed unlimited access to local applications. Version 1.1 added digital signatures to optionally grant full trust to signed applets. Version 1.2 introduced fine-grained access control policies that can grant specific privileges based on code source and signatures. Java implements security through mechanisms like class loaders, bytecode verification, security managers, and protection domains.
This document provides an overview of adding login functionality to a web application using Spring Security. It discusses configuring Spring Security to require authentication for certain requests and implementing a custom UserDetailsService to retrieve user details from a database. Code samples are provided for entities like User and UserDetails, as well as configuring Spring Security and implementing the UserDetailsService. The goal is to authenticate users by username and password and make user details available throughout the request.
Spring Security is a framework that focuses on providing both authentication and authorization. It intercepts requests, validates credentials against a database, and validates roles for authorization. Thymeleaf Security provides functionality to display data based on authentication rules, such as showing content to administrators based on their roles or displaying the logged in username using the principal object.
This document discusses authentication methods in Java EE 8, including improvements and new features. It begins with an overview of traditional Java EE authentication using JAAS LoginModules and web.xml configuration. It then covers the new Java EE 8 Security API which defines IdentityStores and HttpAuthenticationMechanisms to provide authentication in a container-agnostic way. The document also discusses token-based authentication using JSON Web Tokens and how this can be implemented with a JwtAuthenticationMechanism. It concludes with an example of role-based access control in a sample application.
This document discusses using Spring Security and Spring Boot to add authentication to a web application. It introduces Spring Boot, which allows applications to "just run", and Spring Security which provides comprehensive authentication and authorization support. It then demonstrates adding login functionality to a sample web application called "Gaebal-ja" using Spring Security, including implementing a UserDetailsService to retrieve user information from a database. Authentication is handled using Spring Security filters.
Remember the choose your own adventure books that you used to read as a kid? This session is a reincarnation of a choose your own adventure book as a conference talk! You'll learn about Spring Boot, Docker, and Kubernetes in this talk, along with the choices you make in the following areas: * What kind of application architecture to build? Monolith or microservices? * Would you like to use Java or Kotlin? * MySQL, PostgreSQL, or MongoDB? * Spring MVC or Spring WebFlux? * Angular, React, or Vue.js? * PWA or mobile app? * Istio with Kubernetes or Kubernetes without Istio? GitHub repos of demos: * Monolith: https://github.com/mraible/healthy-hipster * Microservices: https://github.com/mraible/djug-microservices