Web app security

Principal

• User, device or system that performs an action

Authentication

• Establishing that a principal's credential's are valid
• You are who you say you are? If so, you should know your password!

Authorization

• Deciding if a principal is allowed to perform an action? 
• Are you allowed to see this page? ( "to authorize" is to define access policy)

Secured item

• Resource that is being secured

Confidentiality (data privacy)

• Ensuring that an eavesdropper can’t read an HTTP message being sent from the client to the container

Data integrity

• Ensuring that a hacker can’t alter the contents of an HTTP message while it is in transit from the container to a client.

Spring web configuration

Configuration in web.xml

<!-- Loading Spring Application Context in web application-->
<context-param>
    <description>spring context</description>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/myApp-spring-web.xml</param-value>
or
    <param-value>classpath:/applicationContext-web.xml</param-value>
</context-param>

<listener>
    <description>fetch spring configuration file</description>
    <listener-class>
           org.springframework.web.context.ContextLoaderListener
    </listener-class>
</listener>

Integration with JSF

Configuration in faces-config.xml

<application>

<!-- Enables injecting Spring beans as Faces managed properties -->

<el-resolver>org.springframework.web.jsf.el.SpringBeanFacesELResolver</el-resolver>

</application>

Spring with Hibernate configuration

Loads object from the data source

<bean id="someRepository">

    <property name="sessionFactory" ref="sessionFactory"/>

</bean>

Instructs the container to look for beans with @Transactional and decorate them

<tx:annotation-driven transaction-manager="transactionManager"/>

A Hibernate SessionFactory for mapping entities from object to relation tables

<bean id="sessionFactory" class="org.springframework.orm.hibernate3.annotation.AnnotationSessionFactoryBean">

   <property name="dataSource" ref="dataSource"/>

   <property name="annotatedClasses">

      <list>

         <value>package.Entity1</value>

         <value>package.Entity2</value>

      </list>

   </property>

   <property name="hibernateProperties">

      <value>

         hibernate.format_sql=true

         hibernate.show_sql=true

      </value>

   </property>

</bean>

A transaction manager for working with Hibernate SessionFactories

<bean id="transactionManager"  

    class="org.springframework.orm.hibernate3.HibernateTransactionManager">

    <property name="sessionFactory" ref="sessionFactory" />

</bean>

Transparent Exception Handling

Annotate classes with @Repository

Define a Spring-provided BeanPostProcessor (eg. <context:annotation-config/> or context:component-scan)


Ref:
https://spring.io/blog/2012/04/06/migrating-to-spring-3-1-and-hibernate-4-1
http://sethuramanmurali.wordpress.com/2013/09/15/difference-between-and-annotation-config-and-component-scan/

Transactions

Motivated by two independent requirements:

• Cuncurrent database access
• Resilience to system failures

A transaction is a sequence of one or more SQL operations treated as a unit.

ACID (atomicity, consistency, isolation, durability) is a set of properties that guarantee database transactions are processed reliably. In the context of databases, a single logical operation on the data is called a transaction. For example, a transfer of funds from one bank account to another, even though that might involve multiple changes (such as debiting one account and crediting another), is a single transaction.


Atomic
   Each unit of work is an all or nothing operation. (logging)
Consistent
   Database integrity constraints are never violated.
   It ensures the truthfulness of the database.
Isolated
   Isolating transactions from each other.
   Serializability - Operations may be interleaved, but execution must be equivalent to some sequential (serial) order of all transactions.
Durable
   Committed changes are permanent.
   (If system crashes after transaction commits, all effects of transaction remain in database.)


IMPLEMENTING
in class:
   @Transactional
(uses "transactionManager" by default)

By default, a transaction is rolled back if a RuntimeException has been thrown!
Default settings can be overridden with rollbackFor/noRollbackFor attributes.
After checked exception occurs transaction is commited.

in config file (xml):

<bean id="transactionManager" class="org.springframework.jdbc.datasource.DataSourceTransactionManager">
<property name="dataSource" ref="dataSource"/>
</bean>

<tx:annotation-driven transaction-manager="transactionManager"/>
(Instructs the container to look for beans with @Transactional and decorate them)


Using transactions when only reading data allows Spring to optimize the transaction resources
e.g. 2 sql will be executed in 1 connection, prevents Hibernate from flushing its session, Oracle accepts only SELECT statements