
Posts

Build a Reactive application with Angular 5 and Spring Boot 2.0

I have created a post to describe reactive programming support in Spring 5 and its subprojects. All code for this article has been updated to the latest Spring 5 RELEASE; check spring-reactive-sample under my Github account. In this post, I will create a simple blog system, including: A user can sign in and sign out. An authenticated user can create a post. An authenticated user can update a post. Only the user who has the ADMIN role can delete a post. All users (including anonymous users) can view the post list and post details. An authenticated user can add his comments to a certain post. The backend will be built with the latest Spring 5 reactive stack, including: Spring Boot 2.0 (at the moment the latest version is 2.0.0.M7); Spring Data MongoDB, which supports reactive operations for MongoDB; Spring Session, which adds reactive support for WebSession; and Spring Security 5, which aligns with the Spring 5 reactive stack. The frontend is an Angular-based SPA and it will be generated by Angular CLI. The so...

Java EE Security API 1.0: SecurityContext

SecurityContext

In Java EE 7 or earlier versions, other specifications, such as Servlet, EJB, JAX-RS, JAX-WS, etc., have their own specific APIs to query the current security context:

Servlet - HttpServletRequest#getUserPrincipal, HttpServletRequest#isUserInRole
EJB - EJBContext#getCallerPrincipal, EJBContext#isCallerInRole
JAX-WS - WebServiceContext#getUserPrincipal, WebServiceContext#isUserInRole
JAX-RS - SecurityContext#getUserPrincipal, SecurityContext#isUserInRole
JSF - ExternalContext#getUserPrincipal, ExternalContext#isUserInRole
CDI - @Inject Principal
WebSockets - Session#getUserPrincipal

In Java EE 8, you can use the new SecurityContext introduced in Java EE Security 1.0 instead. A default implementation should be available at runtime, and you can inject it in CDI beans.

    @Inject SecurityContext securityContext;

The new SecurityContext provides methods similar to the ones in other specifications.

    Principal getCallerPrincipal();
    <T extends Principal> Se...

Java EE Security API 1.0: IdentityStore

GlassFish v5 provides two built-in IdentityStore implementations: Database and LDAP. An example of using the built-in @DatabaseIdentityStoreDefinition to set up a database-based IdentityStore:

    @DatabaseIdentityStoreDefinition(
        dataSourceLookup = "${'java:global/MyDS'}",
        callerQuery = "#{'select password from caller where name = ?'}",
        groupsQuery = "select group_name from caller_groups where caller_name = ?",
        hashAlgorithm = Pbkdf2PasswordHash.class,
        priorityExpression = "#{100}",
        hashAlgorithmParameters = {
            "Pbkdf2PasswordHash.Iterations=3072",
            "${applicationConfig.dyna}"
        } // just for test / example
    )
    @ApplicationScoped
    @Named
    public class ApplicationConfig {

        public String[] getDyna() {
            return new String[]{
                "Pbkdf2PasswordHash.Algorithm=PBKDF2WithHmacSHA512",
                "Pbkdf2PasswordH...

Java EE Security API 1.0: HTTP authentication

HTTP authentication

HttpAuthenticationMechanism allows you to customize your own HTTP authentication mechanism. An example of a custom HttpAuthenticationMechanism:

    @ApplicationScoped
    public class TestAuthenticationMechanism implements HttpAuthenticationMechanism {

        @Inject
        private IdentityStoreHandler identityStoreHandler;

        @Override
        public AuthenticationStatus validateRequest(
                HttpServletRequest request,
                HttpServletResponse response,
                HttpMessageContext httpMessageContext) throws AuthenticationException {

            final String name = request.getParameter("name");
            final String pwd = request.getParameter("password");

            if (name != null && pwd != null) {
                // Get the (caller) name and password from the request
                // NOTE: This is for the smallest possible example only. In practice
                // putting the password in a request query parameter is highly ...