Full Stack Java
Module1 : Core Java
Java is the high-level, Object-Oriented, robust, secure programming language, platform-independent, high performance, Multithreaded, and portable programming language. It was developed by James Gosling in June 1991. It can also be known as the platform as it provides its own JRE and API.
There are the following features in Java Programming Language.
- Simple: Java is easy to learn. The syntax of Java is based on C++ which makes easier to write the program in it.
- Object-Oriented: Java follows the object-oriented paradigm which allows us to maintain our code as the combination of different type of objects that incorporates both data and behavior.
- Portable: Java supports read-once-write-anywhere approach. We can execute the Java program on every machine. Java program (.java) is converted to bytecode (.class) which can be easily run on every machine.
- Platform Independent: Java is a platform independent programming language. It is different from other programming languages like C and C++ which needs a platform to be executed. Java comes with its platform on which its code is executed. Java doesn’t depend upon the operating system to be executed.
- Secured: Java is secured because it doesn’t use explicit pointers. Java also provides the concept of ByteCode and Exception handling which makes it more secured.
- Robust: Java is a strong programming language as it uses strong memory management. The concepts like Automatic garbage collection, Exception handling, etc. make it more robust.
- Architecture Neutral: Java is architectural neutral as it is not dependent on the architecture. In C, the size of data types may vary according to the architecture (32 bit or 64 bit) which doesn’t exist in Java.
- Interpreted: Java uses the Just-in-time (JIT) interpreter along with the compiler for the program execution.
- High Performance: Java is faster than other traditional interpreted programming languages because Java bytecode is “close” to native code. It is still a little bit slower than a compiled language (e.g., C++).
- Multithreaded: We can write Java programs that deal with many tasks at once by defining multiple threads. The main advantage of multi-threading is that it doesn’t occupy memory for each thread. It shares a common memory area. Threads are important for multi-media, Web applications, etc.
- Distributed: Java is distributed because it facilitates users to create distributed applications in Java. RMI and EJB are used for creating distributed applications. This feature of Java makes us able to access files by calling the methods from any machine on the internet.
- Dynamic: Java is a dynamic language. It supports dynamic loading of classes. It means classes are loaded on demand. It also supports functions from its native languages, i.e., C and C++.
Java Virtual Machine is a virtual machine that enables the computer to run the Java program. JVM acts like a run-time engine which calls the main method present in the Java code. JVM is the specification which must be implemented in the computer system. The Java code is compiled by JVM to be a Bytecode which is machine independent and close to the native code.
JVM
JVM is an acronym for Java Virtual Machine; it is an abstract machine which provides the runtime environment in which Java bytecode can be executed. It is a specification which specifies the working of Java Virtual Machine. Its implementation has been provided by Oracle and other companies. Its implementation is known as JRE.
JVMs are available for many hardware and software platforms (so JVM is platform dependent). It is a runtime instance which is created when we run the Java class. There are three notions of the JVM: specification, implementation, and instance.
JRE
JRE stands for Java Runtime Environment. It is the implementation of JVM. The Java Runtime Environment is a set of software tools which are used for developing Java applications. It is used to provide the runtime environment. It is the implementation of JVM. It physically exists. It contains a set of libraries + other files that JVM uses at runtime.
JDK
JDK is an acronym for Java Development Kit. It is a software development environment which is used to develop Java applications and applets. It physically exists. It contains JRE + development tools. JDK is an implementation of any one of the below given Java Platforms released by Oracle Corporation:
- Standard Edition Java Platform
- Enterprise Edition Java Platform
- Micro Edition Java Platform
Many types:
- Class (Method) Area: Class Area stores per-class structures such as the runtime constant pool, field, method data, and the code for methods.
- Heap: It is the runtime data area in which the memory is allocated to the objects
- Stack: Java Stack stores frames. It holds local variables and partial results, and plays a part in method invocation and return. Each thread has a private JVM stack, created at the same time as the thread. A new frame is created each time a method is invoked. A frame is destroyed when its method invocation completes.
- Program Counter Register: PC (program counter) register contains the address of the Java virtual machine instruction currently being executed.
- Native Method Stack: It contains all the native methods used in the application.
Just-In-Time (JIT) compiler: It is used to improve the performance. JIT compiles parts of the bytecode that have similar functionality at the same time, and hence reduces the amount of time needed for compilation. Here the term “compiler” refers to a translator from the instruction set of a Java virtual machine (JVM) to the instruction set of a specific CPU.
A platform is the hardware or software environment in which a piece of software is executed. There are two types of platforms, software-based and hardware-based. Java provides the software-based platform.
There are the following differences between the Java platform and other platforms.
Java is the software-based platform whereas other platforms may be the hardware platforms or software-based platforms.
Java is executed on the top of other hardware platforms whereas other platforms can only have the hardware components.
The bytecode. Java compiler converts the Java programs into the class file (Byte Code) which is the intermediate language between source code and machine code. This bytecode is not platform specific and can be executed on any computer.
Classloader is a subsystem of JVM which is used to load class files. Whenever we run the java program, it is loaded first by the classloader. There are three built-in classloaders in Java.
- Bootstrap ClassLoader: This is the first classloader which is the superclass of Extension classloader. It loads the rt.jar file which contains all class files of Java Standard Edition like java.lang package classes, java.net package classes, java.util package classes, java.io package classes, java.sql package classes, etc.
- Extension ClassLoader: This is the child classloader of Bootstrap and parent classloader of System classloader. It loads the jar files located inside $JAVA_HOME/jre/lib/ext directory.
- System/Application ClassLoader: This is the child classloader of Extension classloader. It loads the class files from the classpath. By default, the classpath is set to the current directory. You can change the classpath using “-cp” or “-classpath” switch. It is also known as Application classloader.
Yes, Java allows to save our java file by .java only, we need to compile it by javac .java and run by java classname Let’s take a simple example:
//save by .java only
class A{
public static void main(String args[]){
System.out.println(“Hello java”);
}
}
//compile by javac .java
//run by java A
- compile it by javac .java
- run it by java A
The program compiles and runs correctly because the order of specifiers doesn’t matter in Java.
In Java, access specifiers are the keywords which are used to define the access scope of the method, class, or a variable. In Java, there are four access specifiers given below.
- Public The classes, methods, or variables which are defined as public, can be accessed by any class or method.
- Protected Protected can be accessed by the class of the same package, or by the sub-class of this class, or within the same class.
- Default Default are accessible within the package only. By default, all the classes, methods, and variables are of default scope.
Private The private class, methods, or variables defined as private can be accessed within the class only.
The methods or variables defined as static are shared among all the objects of the class. The static is the part of the class and not of the object. The static variables are stored in the class area, and we do not need to create the object to access such variables. Therefore, static is used in the case, where we need to define variables or methods which are common to all the objects of the class.
For example, In the class simulating the collection of the students in a college, the name of the college is the common attribute to all the students. Therefore, the college name will be defined as static.
- There are various advantages of defining packages in Java.
- Packages avoid the name clashes.
- The Package provides easier access control.
- We can also have the hidden classes that are not visible outside and used by the package.
- It is easier to locate the related classes.
It is a programming paradigm based on objects having data and methods defined in the class to which it belongs. Object-oriented paradigm aims to incorporate the advantages of modularity and reusability. Objects are the instances of classes which interacts with one another to design applications and programs. There are the following features of the object-oriented paradigm.
- Follows the bottom-up approach in program design.
- Focus on data with methods to operate upon the object’s data
- Includes the concept like Encapsulation and abstraction which hides the complexities from the user and show only functionality.
- Implements the real-time approach like inheritance, abstraction, etc.
- The examples of the object-oriented paradigm are C++, Simula, Smalltalk, Python, C#, etc.
The Object is the real-time entity having some state and behaviour. In Java, Object is an instance of the class having the instance variables as the state of the object and the methods as the behaviour of the object. The object of a class can be created by using the new keyword.
The Object is the real-time entity having some state and behaviour. In Java, Object is an instance of the class having the instance variables as the state of the object and the methods as the behaviour of the object. The object of a class can be created by using the new keyword.
All object references are initialized to null in Java.
The constructor can be defined as the special type of method that is used to initialize the state of an object. It is invoked when the class is instantiated, and the memory is allocated for the object. Every time, an object is created using the new keyword, the default constructor of the class is called. The name of the constructor must be similar to the class name. The constructor must not have an explicit return type.
Based on the parameters passed in the constructors, there are two types of constructors in Java.
- Default Constructor: default constructor is the one which does not accept any value. The default constructor is mainly used to initialize the instance variable with the default values. It can also be used for performing some useful task on object creation. A default constructor is invoked implicitly by the compiler if there is no constructor defined in the class.
- Parameterized Constructor: The parameterized constructor is the one which can initialize the instance variables with the given values. In other words, we can say that the constructors which can accept the arguments are called parameterized constructors.
Module 2: RDBMS
A database management system is a computerized data-keeping system for storing, retrieving, and managing data. A DBMS makes it easy for users to create, read, protect, delete, and update the data in a database.
It serves as an interface between the users and databases, ensuring consistent data access.
The most popular DBMS in enterprise database systems is RDBMS. The complete form is Relational Database Management System.
Relational database management is a set of programs and capabilities used to create, update, administer, and interact with a relational database among IT teams. A relational database stores and provides access to data points related to one another.
In RDBMS, data storage is in the form of tables, and each row within the table is a record with a unique ID called a key. The table’s columns hold the data attributes, and the record usually contains the value of each attribute, to establish the relationship among data points quickly.
The following structures exist in relational databases
Database
A database is a logical grouping of data. It contains the data associated with one application or with a group of related applications. It includes a collection of related table spaces and index spaces.
Table
A table is a logical structure made of columns and rows. Rows have no specific order, but columns follow a fixed order to retrieve the data.
Indexes
An index is nothing more than an ordered set of pointers to rows of a table. Unlike the rows of the table, the rows in the indexes maintain a specific order to retrieve data.
Keys
A key is one or more columns specified as keys when a table, index, or referential integrity is defined. The various types of keys in RDBMS include primary key, unique key, and foreign key.
There are three main types of relationships between the tables to ensure the absolute flexibility of the relational database model.
- One-to-One Relationship
Suppose a single record of table A is related to a single record of table B. In that case, it is a one-to-one relationship.
- One-to-Many Relationship
Suppose a single record of table A is related to multiple records of table B. In that case, it is a one-to-many relationship.
- Many-to-Many Relationship
Suppose multiple records of table A are related to multiple records of table B. In that case, it is a many-to-many relationship.
The following are the features of RDBMS
- Structured and Interrelated Data
Relational databases store data in an easily understandable table format.
- Multi-user access
Allows multi-user access along with the benefits that let administrators have complete control over databases and provide different levels of access to other users.
- ACID Support
Relational databases provide complete ACID support. The term “ACID” means Atomicity, Consistency, Isolation, and Durability, a well-known database property guaranteeing data validity despite errors, failures, and other possible mishaps.
A database management system supports the development and administration of database platforms. An RDBMS is an advanced version of a DBMS that saves data in a row-based table structure. The file storage used in RDBMS is different than DBMS.
Check out the table below to learn more about RDBMS vs DBMS
Parameters | DBMS | RDBMS |
Users allowed | Allows one user at a time | Multiple users at a time |
Amount of Data | Handles a small amount of data. | Takes any amount of data |
ACID Implementation | Doesn’t Support | Supports |
Database Normalization | DBMS cannot be normalized | RDBMS can be normalized |
Data redundancy | Common in this model | Doesn’t allow |
Requirements | Less software and hardware | High software and hardware |
Storage | File storage | Tabular structure |
Distributed database | DBMS will not support | RDBMS provides complete support |
Database structure | The hierarchical arrangement of data | Stores data in the form of rows and columns within tables. |
Security | Lack of security | Good data security due to several log files. |
The RDBMS supports a variety of relational operations, such as
- Union operator
- Intersection operator
- Difference operator
- Join operator
No. OODBMS stands for Object Oriented Database Management System. RDBMS is a relational database management system that stores the data as entities.
Specific properties are followed before and after each transaction to maintain database consistency. These are called ACID properties.
ACID properties in RDBMS
- Atomicity – The entire transaction occurs at once or doesn’t happen.
- Consistency – The database must be consistent before and after each transaction.
- Isolation – Multiple transactions take place individually without interference.
Durability – The chances of a successful transaction occurring even if the system fails.
Knowing the difference between a NULL value and other values, such as zero or fields with spaces, is crucial. In a table, a NULL value is in a field with no value. During the construction of a record, a field with a NULL value indicates that it was left empty.
Database Normalization is a process used to filter and organize data in a database. Normalization helps you to do the following:
- Eliminates redundant data, thus permitting practical usage of available memory.
- Ensures the data dependencies’ logical consistency.
- There are four primary normal forms that we need to understand
1NF or First Normal Form
We ensure that no multi-value records exist in a database when it is in the First normal form. For every attribute, there is only one value present in each record.
2NF or Second Normal Form
When a database is in the Second Normal Form state, it must adhere to all the requirements of 1NF. It is not permissible for any columns to depend partially on the primary key.
3NF of Third Normal Form
A database must be in 3NF normal form for it to be in BCNF form. You must also evaluate transitive dependency in addition to this. If the database uses BCNF, there shouldn’t be any transitive dependencies.
BCNF or Boyce Codd Normal Form
The following requirements must be satisfied for a database to be in the third normal form
- The database must be in the second normal form.
- The primary key should be a requirement for each non-primary attribute.
Module 3: Web Technologies
There have been several versions of HTML, including HTML4, XHTML, HTML5, and the upcoming HTML6. HTML5 is the latest and most widely used version.
The DOCTYPE declaration specifies the version of HTML being used in the document. It helps browsers understand how to interpret and display the web page correctly.
HTML is used for structuring and organizing the content of a web page, while CSS (Cascading Style Sheets) is used for styling and formatting the appearance of the content.
HTML elements are categorized into several types, including headings, paragraphs, lists, links, images, tables, forms, and more. Each element serves a specific purpose and has its own syntax and attributes.
HTML attributes provide additional information or properties to HTML elements. They are used to modify the behavior or appearance of the elements. Examples include the “src” attribute for specifying the source of an image or the “href” attribute for defining the destination of a link.
Inline elements do not start on a new line and only occupy the space necessary to display their content. Examples include <span> and <a>. Block elements, on the other hand, start on a new line and take up the full width available. Examples include <div> and <p>.
<div> and <span> are both generic container elements, but they have different default display properties. <div> is a block-level element that occupies the entire width of its parent container and starts on a new line. <span> is an inline element that only takes up as much space as its content and does not start on a new line.
The <div> element is a block-level element used for grouping and organizing other HTML elements. It is commonly used for layout purposes and applying CSS styles.
Both <em> and <strong> tags are used to emphasize text. However, <em> represents text with slight importance or emphasis, while <strong> represents text with strong importance or significance.
The <form> element is used to create an interactive area on a web page for collecting user input. It can contain various form elements like input fields, checkboxes, radio buttons, and submit buttons.
JavaScript is a high-level programming language primarily used for creating interactive web pages and web applications. It is supported by all modern web browsers and allows developers to add functionality, manipulate webpage content, and respond to user interactions.
In JavaScript, you can declare variables using the “var”, “let”, or “const” keywords. For example:
var x; // variable declaration with the “var” keyword
let y; // variable declaration with the “let” keyword (block-scoped)
const z = 10; // variable declaration with the “const” keyword (immutable)
“var” is function-scoped and can be redeclared and reassigned within its scope. It has hoisting behavior, meaning the variable declaration is moved to the top of the function or global scope.
“let” is block-scoped and can be reassigned within its scope but not redeclared in the same block. It does not have hoisting behavior.
“const” is also block-scoped but represents a constant value that cannot be reassigned after initialization. Like “let”, it does not have hoisting behavior and cannot be redeclared in the same block.
In JavaScript, error handling is typically done using the try…catch statement. This allows you to catch and handle runtime errors that may occur during the execution of your code. Here’s the basic syntax:
try {
// Code that may throw an error
} catch (error) {
// Code to handle the error
}
Here’s an example that demonstrates how to use try…catch:
try {
// Code that may throw an error
let result = someFunction(); // Assuming someFunction() throws an error
console.log(result); // This line will not be executed
} catch (error) {
// Code to handle the error
console.log(“An error occurred:”, error.message);
}
function reverseString(str) {
return str.split(”).reverse().join(”);
}
console.log(reverseString(‘Hello World’)); //
Output: “dlroW olleH”
function factorial(num) {
if (num === 0 || num === 1) {
return 1;
} else {
return num * factorial(num – 1);
}
}
console.log(factorial(5)); // Output: 120
In JavaScript, you can make HTTP requests using the XMLHttpRequest object or the newer fetch() API. Here’s an example using fetch():
fetch(‘https://api.example.com/data’)
.then(response => response.json())
.then(data => {
// Process the response data
console.log(data);
})
.catch(error => {
// Handle any errors
console.error(error);
});
The box model is a fundamental concept in CSS that describes how elements are rendered on a web page. It consists of four layers: content, padding, border, and margin.
Content: It is the actual content of the element, such as text or images.
Padding: The space between the content and the element’s border.
Border: The border that surrounds the padding and content.
Margin: The space between the element’s border and neighboring elements.
The width and height of an element in CSS includes the content, padding, and border but excludes the margin. The box model allows you to control the dimensions and spacing of elements on a web page.
CSS can be included in an HTML document in three ways: inline, internal, and external.
Inline CSS: Inline styles are applied directly to individual HTML elements using the “style” attribute.
For example:
<p style=”color: blue;”>This is a blue paragraph.</p>.
Internal CSS: Internal styles are defined within the HTML document using the <style> tag within the <head> section.
For example:
<head>
<style>
p {
color: blue;
}
</style>
</head>
External CSS: External styles are stored in separate CSS files and linked to the HTML document using the <link> tag within the <head> section.
For example:
<head>
<link rel=”stylesheet” type=”text/css” href=”styles.css”>
</head>
Module 4: Servlet
- Servlet is loaded
- servlet is instantiated
- servlet is initialized
- service the request
- servlet is destroyed
The web container or servlet container.
At the time of first request.
PrintWriter is a character-stream class where as ServletOutputStream is a byte-stream class. The PrintWriter class can be used to write only character-based information whereas ServletOutputStream class can be used to write primitive values as well as character-based information.
The GenericServlet is protocol independent whereas HttpServlet is HTTP protocol specific. HttpServlet provides additional functionalities such as state management etc.
When one servlet communicates to another servlet, it is known as servlet collaboration. There are many ways of servlet collaboration:
- RequestDispacher interface
- sendRedirect() method etc.
The RequestDispacher interface provides the facility of dispatching the request to another resource it may be html, servlet or jsp. This interceptor can also be used to include the content of antoher resource.
Yes, one of the way is RequestDispatcher interface for example:
RequestDispatcher rd=request.getRequestDispatcher(“/login.jsp”);
rd.forward(request,response);
The container creates object of ServletConfig for each servlet whereas object of ServletContext is created for each web application.
Session simply means a particular interval of time.
Session Tracking is a way to maintain state of an user.Http protocol is a stateless protocol.Each time user requests to the server, server treats the request as the new request.So we need to maintain the state of an user to recognize to particular user.
A cookie is a small piece of information that is persisted between the multiple client requests. A cookie has a name, a single value, and optional attributes such as a comment, path and domain qualifiers, a maximum age, and a version number.
Cookie works at client side whereas HttpSession works at server side.
It will not work if cookie is disabled from the browser.
One of the way is by MultipartRequest class provided by third party.
The load-on-startup element of servlet in web.xml is used to load the servlet at the time of deploying the project or server start. So it saves time for the response of first request.
A war (web archive) file specifies the web elements. A servlet or jsp project can be converted into a war file. Moving one servlet project from one place to another will be fast as it is combined into a single file.
The war file can be created using jar tool found in jdk/bin directory. If you are using Eclipse or Netbeans IDE, you can export your project as a war file.
To create war file from console, you can write following code.
jar -cvf abc.war *
Now all the files of current directory will be converted into abc.war file.
ServletContextEvent.
HttpSessionEvent.
Module 5: JSP
JSP stands for Java Server Pages. This technology is used to create dynamic web pages in the form of HyperText Markup Language (HTML). They have embedded Java code pieces in them. They are an extension to the Servlet Technology and generate Servlet from a page. It is common to use both servlets and JSP pages in the same web apps.
The JSP container has a special servlet called the page compiler. All HTTP requests with URLs that match the .jsp file extension are forwarded to this page compiler by the configuration of the servlet container. The servlet container is turned into a JSP container with this page compiler. When a .jsp page is first called, the page compiler parses and compiles the .jsp page into a servlet class. The JSP servlet class is loaded into memory on the successful compilation. For the subsequent calls, the servlet class for that .jsp page is already in memory. Hence, the page compiler servlet will always compare the timestamp of the JSP servlet with the JSP page. If the .jsp page is more current, recompilation is necessary. With this process, once deployed, JSP pages only go through the time-consuming compilation process once
When a container loads a JSP, it invokes the jspInit() method before servicing any requests.
public void jspInit(){
// Initialization code…
}
Earlier, Common Gateway Interface (CGI) was the only tool for developing dynamic web content and was not very efficient. The web server has to create a new operating system process, load an interpreter and a script, execute the script, and then tear it all down again, for every request that comes in. This is taxing for the server and doesn’t scale well when the number of traffic increases.
Alternatives such as ISAPI from Microsoft, and Java Servlets from Sun Microsystems, offer better performance and scalability. However, they generate web pages by embedding HTML directly in programming language code. Java Server Pages (JSP) changes all of that.
- Better performance and quality as JSP is a specification and not a product.
- JSP pages can be used in combination with servlets.
- JSP is an integral part of J2EE, a complete platform for Enterprise-class applications.
- JSP supports both scripting and element-based dynamic content
A Java servlet template engine is a technology for separating presentation from processing. Template engines have been developed as open-source products to help get HTML out of the servlets. These template engines are intended to be used together with pure code components (servlets) and use only web pages with scripting code for the presentation part.
JSP is a server-side scripting language as it runs on the server. Whereas, JavaScript runs on the client. Commonly, JSP is more used to change the content of a webpage, and JavaScript for the presentation. Both are quite commonly used on the same page.
Expression Language (EL) was introduced in JSP 2.0. It is a mechanism that simplifies the accessibility of the data stored in Java bean components and other objects like request, session, and application, etc. There are many operators in JSP that are used in EL like arithmetic and logical operators to perform an expression.
JavaBeans component is a Java class that complies with certain coding conventions. JSP elements often work with JavaBeans. For information that describes application entities, JavaBeans are typically used as containers
JSP is used to handle the form data parsing automatically. It dies so by using the following methods depending on the situation:
- getParameter() − To get the value of a form parameter, call the request.getParameter() method.
- getParameterValues() − If a parameter appears more than once and it returns multiple values, call this method.
- getParameterNames() − This method is used if, in the current request, you want a complete list of all parameters.
- getInputStream() − This method is used for reading binary data streams from the client.
Module 6: Spring
Spring is a powerful open-source, loosely coupled, lightweight, java framework meant for reducing the complexity of developing enterprise-level applications. This framework is also called the “framework of frameworks” as spring provides support to various other important frameworks like JSF, Hibernate, Structs, EJB, etc.
There are around 20 modules which are generalized into the following types:
- Core Container
- Data Access/Integration
- Web
- AOP (Aspect Oriented Programming)
- Instrumentation
- Messaging
- Test
Spring framework follows layered architecture pattern that helps in the necessary components selection along with providing a robust and cohesive framework for J2EE applications development.
The AOP (Aspect Oriented Programming) part of Spring supports unified development by ensuring separation of application’s business logic from other system services.
Spring provides highly configurable MVC web application framework which has the ability to switch to other frameworks easily.
Provides provision of creation and management of the configurations and defining the lifecycle of application objects.
Spring has a special design principle which is known as IoC (Inversion of Control) that supports objects to give their dependencies rather than looking for creating dependent objects.
Spring is a lightweight, java based, loosely coupled framework.
Spring provides generic abstraction layer for transaction management that is also very useful for container-less environments.
Spring provides a convenient API to translate technology-specific exceptions (thrown by JDBC, Hibernate or other frameworks) into consistent, unchecked exceptions. This introduces abstraction and greatly simplifies exception handling.
A Spring configuration file is basically an XML file that mainly contains the classes information and describes how those classes are configured and linked to each other. The XML configuration files are verbose and cleaner.
Spring container forms the core of the Spring Framework. The Spring container uses Dependency Injection (DI) for managing the application components by creating objects, wiring them together along with configuring and managing their overall life cycles. The instructions for the spring container to do the tasks can be provided either by XML configuration, Java annotations, or Java code.
Spring Security 3.0 and 3.1 require at least JDK 1.5 and also require Spring 3.0.3 as a minimum. Ideally you should be using the latest release versions to avoid problems.
Spring Security 2.0.x requires a minimum JDK version of 1.4 and is built against Spring 2.0.x. It should also be compatible with applications using Spring 2.5.x.
Let’s assume you’re developing an enterprise application based on Spring. There are four security concerns you typically need to address: authentication, web request security, service layer security (i.e. your methods that implement business logic), and domain object instance security (i.e. different domain objects have different permissions). With these typical requirements in mind:
- Authentication: The servlet specification provides an approach to authentication. However, you will need to configure the container to perform authentication which typically requires editing of container-specific “realm” settings. This makes a non-portable configuration, and if you need to write an actual Java class to implement the container’s authentication interface, it becomes even more non-portable. With Spring Security you achieve complete portability – right down to the WAR level. Also, Spring Security offers a choice of production-proven authentication providers and mechanisms, meaning you can switch your authentication approaches at deployment time. This is particularly valuable for software vendors writing products that need to work in an unknown target environment.
- Web request security: The servlet specification provides an approach to secure your request URIs. However, these URIs can only be expressed in the servlet specification’s own limited URI path format. Spring Security provides a far more comprehensive approach. For instance, you can use Ant paths or regular expressions, you can consider parts of the URI other than simply the requested page (e.g. you can consider HTTP GET parameters) and you can implement your own runtime source of configuration data. This means your web request security can be dynamically changed during the actual execution of your webapp.
- Service layer and domain object security: The absence of support in the servlet specification for services layer security or domain object instance security represent serious limitations for multi-tiered applications. Typically developers either ignore these requirements, or implement security logic within their MVC controller code (or even worse, inside the views).
There are serious disadvantages with this approach:
- Separation of concerns: Authorization is a crosscutting concern and should be implemented as such. MVC controllers or views implementing authorization code makes it more difficult to test both the controller and authorization logic, more difficult to debug, and will often lead to code duplication.
- Support for rich clients and web services: If an additional client type must ultimately be supported, any authorization code embedded within the web layer is non-reusable. It should be considered that Spring remoting exporters only export service layer beans (not MVC controllers). As such authorization logic needs to be located in the services layer to support a multitude of client types.
- Layering issues: An MVC controller or view is simply the incorrect architectural layer to implement authorization decisions concerning services layer methods or domain object instances. Whilst the Principal may be passed to the services layer to enable it to make the authorization decision, doing so would introduce an additional argument on every services layer method. A more elegant approach is to use a ThreadLocal to hold the Principal, although this would likely increase development time to a point where it would become more economical (on a cost-benefit basis) to simply use a dedicated security framework.
- Authorisation code quality: It is often said of web frameworks that they “make it easier to do the right things, and harder to do the wrong things”. Security frameworks are the same, because they are designed in an abstract manner for a wide range of purposes. Writing your own authorization code from scratch does not provide the “design check” a framework would offer, and in-house authorization code will typically lack the improvements that emerge from widespread deployment, peer review and new versions.
For simple applications, servlet specification security may just be enough. Although when considered within the context of web container portability, configuration requirements, limited web request security flexibility, and non-existent services layer and domain object instance security, it becomes clear why developers often look to alternative solutions.
Realistically, you need an understanding of the technolgies you are intending to use before you can successfully build applications with them. Security is complicated. Setting up a simple configuration using a login form and some hard-coded users using Spring Security’s namespace is reasonably straightforward. Moving to using a backed JDBC database is also easy enough. But if you try and jump straight to a complicated deployment scenario like this you will almost certainly be frustrated. There is a big jump in the learning curve required to set up systems like CAS, configure LDAP servers and install SSL certificates properly. So you need to take things one step at a time.
From a Spring Security perspective, the first thing you should do is follow the “Getting Started” guide on the web site. This will take you through a series of steps to get up and running and get some idea of how the framework operates. If you are using other technologies which you aren’t familiar with then you should do some research and try to make sure you can use them in isolation before combining them in a complex system.
The most common reason for this is that your browser has cached the page and you are seeing a copy which is being retrieved from the browsers cache. Verify this by checking whether the browser is actually sending the request (check your server access logs, the debug log or use a suitable browser debugging plugin such as “Tamper Data” for Firefox). This has nothing to do with Spring Security and you should configure your application or server to set the appropriate Cache-Control response headers. Note that SSL requests are never cached.
