Architecture Deep Dive in Spring Security

Captions
All right, hi everyone, thanks for coming out. Hopefully you guys are enjoying this awesome day today. Well, first of all, my name is Joe Grandja and I'm on the Spring Security team, one of the core committers, and today we're going to do an architecture deep dive on Spring Security.

My number one goal today really is for you guys to walk away from this talk and understand how Spring Security works underneath the covers, because it's definitely, I mean, there's a lot of talk of magic these days, right? Magic is beautiful, no doubts, right? However, when things kind of go astray, you know, you've got to have those skills to troubleshoot, right? So the more you know what's happening underneath the covers, the better you are, the more efficient you are. So that's my goal today: to go over the core concepts within Spring Security, the core terminology, the core filters, the components and so forth. So that's what we're going to do today. I'm going to try to keep it... I'm not going to try to go too deep, because I want to be able to bring you guys back, and we're going to strictly focus on these three key areas: authentication, authorization, exception handling.

Obviously we've got to authenticate with a secure system, right? We've got to identify ourselves with the security system: who am I, and what authorities do I have to access certain resources? Authorities as in what role do I belong in, you know, role user, role admin, or finer-level permissions like read, write and so forth. Exception handling too: if I try to access a protected resource that only administrators are allowed to access, but I'm a regular user, how does that work with Spring Security, and so forth. So these are the three key areas that we're going to talk about today.

I'm going to do a demo first. I've got a demo of a simple messaging application where registered users could send a message to each other. You could view your inbox, your items, obviously you could send messages, and then there's an administration site where you could
actually view all the messages, and administrators could view them and do whatever, right? So these are the three users that we have registered. We have two regular users that belong to the role user, just regular users, and then an admin user that has two roles, role user and role admin. So let's jump to that demo, and we're going to go over a few of the cases that we're going to drill down to in the presentation with some diagrams, and just kind of understand the flow that's happening.

So here we go. So this is a Spring Boot app, it's an Angular app. This is a public-facing site where I can log in and view my messages, send messages, so I'm going to show you this one first. I'm going to log in as myself; I'm just a regular user. I logged in, there we go. All right, so I could see my messages here, my sent messages and so forth.

The one thing I want to show you here: there's a lot of different ways you could authenticate with the system. HTTP Basic, custom form login, token-based; there's a lot of different authentication strategies, right? But we can't go over them all. We're just going to go over what this sample is built with. In this sample, the public-facing site is HTTP Basic, right, and the administration site custom form login. Very common use cases, so we're just going to focus on that. And I want to show you here, when we get authenticated, I'm going to expand this a bit, and here we have the request header: Authorization, Basic, Base64-encoded username and password. We're going to get into this in the diagrams, to understand how that authentication gets decoded and ultimately gets authenticated with the system. I just wanted to show you that this is how we've authenticated on the public-facing site, so I'm using HTTP Basic. Now I'm logged in as Joe Grandja, as you can see there, right? And I'm just a regular user, so what happens when I
try to access the administration bother printing it up or anything, but obviously I don't have access, right? So it's secure, this endpoint. Now let's log out. We're going to log in to the administration site, and this is not Angular, this one; this is actually Thymeleaf. I'm going to log in here, and there we go, right? So now I could see all the users, all the messages, to Rob, myself, and obviously my own messages, right? So the admin user has user and admin authorities, so I should be able to also access the public site. I go to the public site and there you go, now I'm just seeing my own messages, right?

So this is a very basic example. I'm going to share, there's a GitHub repo on this; you guys could easily download this and take a look at it. But all I wanted to demonstrate here, because this is what we're going to talk about, is the authentication and the authorization pieces and ultimately the exception handling, how it works when we got that forbidden. All right, so let's jump back to the presentation here.

Okay, authentication. So authentication: I need to identify myself with a security system. Let's move through this flow. So, as most of you know... actually, I wanted to gauge the audience here first before we get into this. If I could get a raise of hands, I'd really appreciate it, just so I can understand where you're at with Spring Security. Who's been using Spring Security for at least three, four years and has used it on multiple projects? Okay, great. And how about, let's say, two years, used it on a couple of projects? Okay. And who hasn't used Spring Security and is dying to use it? All right, okay, perfect. So we've got a nice balance here.

Okay, so the one thing I'm going to start off with here is this authentication filter. So Spring Security, it's all about the servlet filter. There's a bunch of filters that are sitting in front of the
actual main request handler, right, or the main controller if you're familiar with Spring MVC, and this is where all of this logic is happening. So we have the authentication filter that's sitting close to the beginning of the chain, which actually does the authentication, and ultimately later in the chain there's authorization checks happening. And there's a bunch of other filters too. We can't get into all of them; we're going to focus on the authentication, authorization and exception handling filters, so that's what we're going to build on.

So let's go through this flow. Assuming the request when I was demoing there, I logged in as myself, Joe at example.com, and what happens is it comes to this authentication filter, and it's built on the HTTP Basic authentication filter. The first thing that happens, can everyone see that okay? Yeah? Okay, great. The first thing that happens is, and as you saw the request header, we had that Authorization header, Basic, Base64-encoded. The first thing the HTTP Basic authentication filter does is it inspects the header: okay, is there an Authorization header? It decodes the username and password and then ultimately creates this UsernamePasswordAuthenticationToken. You'll see the special stereotype above that, and we're going to get into that next slide, because this is a central interface, the Authentication. But for now, it's username/password tokens, right, and that's it, hence the name UsernamePasswordAuthenticationToken. It creates an instance of this, populates the user and password, and then eventually passes it to the authentication manager to do the actual authentication. All right, pretty straightforward so far.

We're going to dig deep down into the authentication manager right now, but before that, because this is key: what is the Authentication object? It actually represents two things. When the request is coming in, before I'm even authenticated with the system, it's basically an authentication token. Consider it,
in the most simplest form, it's an authentication request, right? I've got a username and password, and I'm going to expand this a bit because I have a feeling... how's that? Can you see the Authentication there with the attributes? Principal: so the principal is the username, right, and then credentials is the password, obviously. Authorities: there's no authorities now because I haven't authenticated, so I don't know what authorities I have, and we only know that after we've authenticated. And the flag is, obviously, I'm not authenticated. These four attributes are the core attributes of the Authentication object. This is an authentication request.

What happens after the authentication manager returns on a successful authentication? What does this Authentication object look like? It looks like this. All right, principal is UserDetails. This is a richer object, and we're going to dig even deeper into this, but the user details contains the principal, the credentials, you know, encrypted credentials, and first name, last name, email address, whatever your application needs. As you saw in my demo there, I had my first name and last name on the top of the header, right? So whatever you have in your identity database, whether it's a database or another system; I've just got a simple database in this case, I'm storing username, password, email, right? Pretty basic, you could have whatever you need, right? But you will always have these four attributes. But after the authentication is successful, that Authentication, going forward I'm going to call it the authenticated principal. So we have an authentication request and an authenticated principal; it's the same object, okay?

And I'm going to show you the interface here: public interface Authentication, principal, credentials and authorities. So authorities, as I was saying, could represent the role, could represent the finer-grained permission like read, write, whatever, however you want to structure your
authorities within your application; the flexibility's there.

So let's dig down. So the authentication manager gets this authentication token, right, and it calls these authentication providers. And I say providers because you could have more than one source of identity. You could have two different databases; one could be a database, another one could be a remote call to another service, or possibly through an API, right? So ultimately you want the authentication manager to call one or more authentication providers to give it an opportunity to authenticate, because you might have things spread out. But keeping things simple, we're going to assume we have one authentication provider, because we do in this example: it's the DaoAuthenticationProvider, an implementation of this authentication provider interface.

This implementation class uses a user details service. Now, user details service, what is that? Well, it's a service that loads user details. User details is details of a user, like I was talking about earlier: we have principal, credentials, we have authorities, and extra information, first name, last name, email address, whatever your user entity is, right? So it leverages this user details service. Pretty simple interface, right? It takes in the username, which is the login name, and it returns a user details implementation. And the user details interface again here: username, password, and a collection of authorities. Once again, this is an interface; you implement your own user details, provide extra information.

On a successful authentication by the provider, because ultimately the provider is responsible for the authentication, the authentication manager delegates to these providers, asking: can you authenticate, can you authenticate? And eventually, in this case, it's authenticated, all right, comes back, and there we go, right? The principal is now user details. When it was coming in it was
just the username, because the authentication provider ultimately creates another instance of this Authentication, sets the user details on the principal, and erases the credentials, because we don't want clear-text passwords sitting in memory, all right? And ultimately the password that's in the user details, it's encrypted, or it better be, right? Highly recommended. All right, and as you can see, it loads the authorities. Now, myself, I have the authority of the user; I'm just a regular user, right? But this is key, because this is what's used in the authorization access decisioning later on as we step through this, obviously. And I'm authenticated.

Security context. This sometimes, on some feedback that I've been getting, is a little bit confusing, so I'm going to try to explain it as simply as possible. Security context: it's the context of security information, right? After authenticating, there's security information, I mean, an identity. I need to be able to store this somewhere, because there might be other information, and Spring Security is highly flexible. Right now we have a principal, but you might have other security-related information that you need to group together and put somewhere in a little package, and that's the security context: it holds security-related information, right?

As we're coming back up the call stack there, the authentication manager returns the Authentication to the authentication filter. Now we have this Authentication object that's authenticated, with a principal. We need to put that somewhere, because the thing is, all the Spring Security filters rely on the Authentication object and the security context. These two interfaces are the central interfaces in Spring Security; they're used by all the filters. And the last thing we want to do is pass security context or authentication as parameters to all these methods. So how do we get
around that? We have the security context holder, which internally uses a thread local, right? For those of you that are not familiar with thread local, it gives you the ability to store data for the current thread, right? So obviously we have one current thread coming in, the request processing thread. I'm going to put that security context object in that thread local, so now I can access it anywhere down the chain, right? That's what the security context holder is all about. It allows all the Spring Security filters, and even your application code, you could access the authentication. Not really recommended either; you don't want to depend, really, on Spring Security APIs, and you shouldn't have to. We've got these filters sitting in front of your controllers that do all the work. But the bottom line is, it is there for you to actually get the authentication and inspect it yourself. So that's what the security context and security context holder is.

Pretty simple interface, right? It gives you the ability to get the authentication. But like I was saying earlier, this is extendable. You could extend this security context implementation or interface, or your implementation of security context could store another piece of security information, maybe domain-specific stuff or network-related, whatever the requirement is.

Yes? Well, you know, what happens in... yes, yes. The question was: if you have the security context on your server, are you storing some state? Now, state is being stored on a current request processing thread for sure, the authentication. But after that call comes back, when the response gets flushed out, there's another filter that I'm not going to talk about today, because we can only talk about so many things, but there's a security context persistence filter that actually clears the authentication off that thread, so that way when that thread goes back into the
pool and gets reused on the next thread, there is no authentication in the thread local, right? That's how it works, right? Yeah, that answered the question? Yeah, okay.

And that's pretty much it for the authentication flow, right? Just to recap: request comes in to the authentication filter, the authentication filter delegates to the authentication manager, which ultimately delegates to one or more providers to attempt the authentication. In our case we're using the user details service, although that's not a requirement. The authentication provider doesn't have to use a user details service. The only responsibility of the authentication provider is to return an Authentication with an authenticated principal, however it does that, right? Or if it can't authenticate, it throws an exception, right? It comes back to the filter, and then the filter sets it on the security context. That's the pattern for all authentication mechanisms: HTTP Basic, form login, all the others. That is the pattern, right?

Are there any questions before... yes? Yeah, the security context holder internally has a thread local, and that's where it holds the security context, yeah. Any other questions before we move on to authorization? Yeah. Ah, a good question, Rob. Yes, the question was, as far as the talk today, specifically the reactive work that's going on. So Rob Winch, who's the lead on Spring Security, he's working on that piece. Spring Security 5, the two big features is Spring Security reactive support and Spring Security OAuth. All right, although we do have Spring Security OAuth now, but we are doing a rewrite of that actually, but we won't get into that. But yeah, we're going to be supporting that, yes.

coming it's possible to be of a container of the server that pallidus code it's like it coming it will drop there for RSA whatever it is and then request goes to the stream whatever the
application so in case of spring so this means container is not doing anything a big festival spring automatically the Spring Framework

No, the container... the container ultimately creates that filter chain, right? Now, your application, you're configuring filters. Now, if you're using Spring Security, one of those filters is the well-known Spring Security filter chain, but there's other filters usually, right, that are targeted to a specific application, whether it's web.xml or Java configuration, right? But ultimately the container, when the request comes in, it determines: okay, for this request, what filters do I need to apply? All right, one of them will be Spring Security. It'll create this filter chain of a set of filters, ordered. Then that filter chain gets invoked, then each of those filters gets applied, and eventually it hits the Spring Security filter chain. And the Spring Security filter chain is a special filter. It's not just one filter; it's a filter of filters. That might be a little bit confusing, and I've got a diagram at the end of this to show that. But typically, you know, a filter is a filter, does its processing. Yeah, yeah. No, no, I'm actually going to get to that next, right, because the exception handling part of the presentation is the unauthenticated flow, what happens. All right, we're going to get to that.

Okay, authorization. So we're going to jump to authorization right now. Filter security interceptor: I mean, they're all important, but this is the filter that protects your application from unsecured access. If you're not authenticated, it throws an authentication exception. If you're denied access because you're not in a specific role, like myself, I can't go to the admin site, this filter security interceptor throws access denied, ultimately through its collaborators. So we're going to dig into that. So authentication
filter: request... the authentication filter does the authentication, the request now proceeds to the next filter in the chain. It's not... the filter security interceptor, this is the last one in the chain, but we're jumping ahead. Request comes in; let's say the request is for messages inbox. All right, security metadata source: so it's metadata related to your security configuration. Now, I've configured in my web security configuration, for this specific request pattern, messages slash star star, and anything below, only role user, you know, an authenticated principal that has the role user is allowed access, all right? So the filter security interceptor has this internal list of security metadata. It matches on the current request. So the current request here we have is messages slash inbox, and the pattern is messages, so that's a match, right? It matches that, and then it returns the role user, right? So that's our security metadata that comes back from the security metadata source.

And then this is where the security context holder comes in again, to be able to access the current authentication. We call the security context holder to get the authentication, and as you can see here, it's myself, role user. All right, and then these three pieces of information get passed into the access decision manager: the security metadata, the current request, and the authentication, to be able to make the access decision.

Let's drill down to the access decision manager. Once again, we have these three pieces of information coming in to the access decision manager. This is one of the core ones; this is an interface, same thing with the access decision voter. So an access decision manager collaborates with one or more access decision voters. Voters decide to grant access, deny access, or abstain from the actual vote, right? There's a lot of sophistication here for different access; we're going to keep it simple. We're just going to talk
about one of the implementations, the role voter. It just votes on roles, all right? As you can see, what's coming in here: the current authentication, I have the role user; the security metadata that's coming in is allowing role users to access this protected resource. So ultimately the access decision voter here will send back granted, right? And this is the happy flow, right? So this returns back, and like I was talking about earlier, now the filter security interceptor here is allowing access, and it's allowing the request to proceed. So now the next filter, if there is another filter in the chain, goes through; if not, it ultimately hits that controller and your business logic executes and so forth. All right, so that's what happens in this case.

So just to do a quick recap here: filter security interceptor, three pieces of information. The security metadata that's mapped to the current request: who's allowed to access the protected resource, which authorities. The current authentication, right, and obviously the current request object. It also gets the response and filter chain, but we won't get into that. And it ultimately delegates to the access decision manager; its associated voters decide whether it's granted, access denied, or abstain. The abstain is a special case: if all voters abstain, there's some configuration, we're not going to get into that. There's a lot to go over; we're just going to keep things simple here.

Before we jump into the exception handling, the not-so-happy cases, are there any questions on what's happening here with the filter security interceptor? Yes?

makes sense exposed for extending that's like having custom voters making custom decisions for other indicators that really something

That is an excellent question. The question was: the access decision voter, is it an extension point? Definitely. Same with the access decision manager as well. From a
really high level, there's three out-of-the-box access decision managers. You have affirmative-based: at least one voter votes yes, you're granted. Unanimous-based: all of them have to vote yes, then you're granted. And then consensus-based: majority. All right, so those are the three implementations that you'll see for use cases. However, the access decision voter, depending how you set up your security metadata, I mean, this is role, that's pretty common, but you might have some very special case of how you want to set up your security metadata, and that's where the access decision voter is an implementation that understands your security metadata. All right, so that's definitely an excellent question. In most use cases you usually don't have to, but that's an extension point for sure, for special cases.

and see someone who's extended extended voters it would need to be like as

No, I wouldn't say that. No, I wouldn't say that. I would definitely look at the current implementations of access decision manager and access decision voter, see if there's something that suits your requirements, and if it doesn't, then, you know... but I haven't seen that too often. There's definitely a lot of out-of-the-box implementations there that would suit your requirements. But no, it's not a smell. I mean, if you've got really special requirements, then that's an extension point. Yeah, any other questions? Yes?

the filter security interceptor just I made my man listen but he's that filter itself

Yes, it is, yeah. Yes, sorry, I keep forgetting. The question was: the filter security interceptor, is it a filter? Yes, it is.

from the system perspective entity so perverse not have to be quite a bit so this is a saying put that picture there separator no same filters

Yeah, the data that's in the response body, right, whether it's SOAP or JSON, doesn't really matter, right? The key piece of information here is the authentication, I'm authenticated, right, and I have authorities there, and then
the metadata, the web security metadata that we configured in our web security configurer adapter, the request patterns: for this request pattern, role admin, role user, or fully authenticated and so forth, right?

So let's jump to exception handling: the cases where I'm not authenticated or I'm not authorized to access a protected resource. So access denied, let's talk about that first. I demonstrated that when I logged in as myself, role user, and then I tried to type in slash admin, tried to get to the admin site, and we saw we got 403 Forbidden. What happens underneath the covers there? We have another filter, the exception translation filter. This filter is always sitting in front, or behind, however you want to look at it, but the request flows there. The exception translation filter, all it really does is move the request forward, but it wraps itself in a try-catch block, because its sole responsibility is to catch exceptions from the filter security interceptor, unauthenticated or access denied exceptions, and ultimately translate the exception to determine what flow it is going to go: is it going to start the authentication process, or access denied, already authenticated, access denied, 403, right? That's literally the sole responsibility of the exception translation filter.

so as we like you're basically checking the authorization over there

Yeah, no, but at the same time, like I was saying earlier, the authentication manager can have one or more providers, and it tries to ask the providers, can you authenticate, right? It's possible that none of them authenticate, and that's like, okay... I'm going to backtrack. Let's say I try to access a protected resource without authenticating, all right? So the authentication filter doesn't have a basic Authorization header; there's nothing there. So the basic authentication filter doesn't do anything, right, because there is no Authorization header, so proceed. Now I'm authenticated, right? So
ultimately the filter security interceptor, it needs to check: is there a current authentication, right? Because it's possible there that I haven't authenticated at this point. Does that answer the question? Yeah, unauthenticated flows and authorization, yes, and I'm actually going to go through those flows right now.

So let's go through the use case. I logged in with role user and I try to access the administration ocation role user. The security metadata is different here, right, because the request is admin messages. In my web security configuration, what I have configured is: for request pattern slash admin slash star star, only allow role admin, right? So once again, the access decision manager gets all these three pieces of information, and then it's denied, right, because there's no match, right? I'm role user; only role admin is allowed in. The access decision manager throws this access denied exception, and this is where the exception translation filter catches that exception and it determines: okay, is this access denied, like I'm authenticated but I'm not allowed access to this protected resource? This is that flow. We're going to talk about the unauthenticated flow next.

And the exception translation filter has this access denied handler. The interface down here takes in the request, the response and the exception. This is another one of those plug-in points. Coming from a bank, you probably would want to implement your own access denied handler that does some strict security logging, so you could ultimately audit this information at a later point, right? So that would be your typical use case. The default implementation of the access denied handler, it simply just returns 403 status, as you saw there with the white label page, 403. So that's the case where I'm unauthorized.

Now let's go through the case where I'm not authenticated. I'm trying to access a protected resource. So once again, we're trying to
access messages inbox, public-facing site. I haven't authenticated; I literally went into the URL and typed messages inbox, right? I'm not authenticated, as you can see: anonymous user. Security metadata same, role user. We progress down, the access decision manager voter denies, and this is the difference here: it still throws an access denied exception, right? And you can jump ahead there, and then the exception translation filter, that's why it's called exception translation filter, because it translates different types of exceptions and navigates the flow. This flow is different: I'm unauthenticated. So what happens here is it delegates to this authentication entry point, another core interface, and the interface is right here. We have this commence method, similar to the access denied handler: it takes in the request, the response and the exception. And because we have HTTP Basic configured for login, the associated authentication entry point implementation is the HTTP Basic one, and it simply returns 401 Unauthorized with the WWW-Authenticate header.

Well, no, it is an access denied, it is an access denied exception actually, and it translates it, yeah. It actually translates it because there's a check in there: is it an anonymous user? Yeah, there definitely is one of those voters. This example, I'm just kind of driving on the role voter, all right? But given the fact that it's an anonymous user, it does that check, it throws this, and then it commences the authentication process, which the authentication entry point, the implementation of that, starts. In this case it sets the response header as per the HTTP Basic protocol, and you get a pop-up box. You didn't see the pop-up box here because I've got Angular handling 401, and then it just loads the client-side template there. With the administration of the authentication entry point, it does a redirect, sends back a 302 redirect to the login page.

So let's do a recap
here with exception handling. So if I'm not authorized, the exception translation filter delegates to the access denied handler; by default, the default implementation out of the box sends 403. If I'm not authenticated, for the HTTP basic login configuration that we have set up, it sends back a 401 and then a WWW-Authenticate. Are there any questions on the exception handling scenarios? Yep.

Like, that's the guy who's going to decide what to tell the client what he should do to be on

Yeah, the question was, is the authentication entry point, is that what is going to instruct the client how to initiate the authentication process? Yeah, that's totally correct. It's literally, like, it's the entry point to the authentication process.

Versus if, if you need to change your password. Yeah, so what we were trying to, what we've done is say that that's a, you are nothing like, you have an authentication problem, right, or like an authorization problem, and then send back to the client that they need to authenticate with a different scheme, you have to, you know, change your password or the like. Would this be invoked in, like, all exceptions, so that I could

You could do whatever you want, right, because this authentication entry point interface, I could just get to it: you got the request, you got the response, you get the exception. You could literally do anything you want with the response, right?

Just curious if this guy was invoked, like, on any exception, not just like access to

No, no, the authentication entry point is only invoked when you're unauthenticated and you're trying to access a protected resource.

often ski with a different scheme before another action this know you can access tonight under they say 15 to 30 residents there's only what you do you send the 403 maybe it's really to get to the next

Yeah, yeah. What's that? We have five minutes. Did that, does that answer a question? If you want to talk to me after, no problem, we could, you know, like, get into more details
for sure. So, uh, so I'm going to, so just to recap everything: we demonstrated authentication, HTTP basic with the public-facing site, a custom form login with the administration site. Try to access the administration site when I'm authenticated as a role user: access denied. Try to access the site unauthenticated: brings me back to the authentication entry point, the login, right? That's pretty much it. We got five minutes, but I got this extra slide here and, well, you know what, I'll answer your question first.

Okay, instructors. Yeah, as a matter of fact, the public-facing site, it's an Angular app that talks to REST controllers; the administration site is a Thymeleaf application, right? So yeah, you know, this is actually the, if you wanted to take a look at the sample that this is built on, that's the URI, and you could download it, play around with it, and so forth. as he all the micro service security. Yeah, yeah, yeah. Was that one, um, one of you

I got a little bit of time, and I was hoping I would, because I want to show you this; this could clear up a lot of things when you're playing around with, let's look at this. Yeah, let's look at, somehow it's okay you're gonna win. Okay, so this is my security configuration that you're familiar with if you're using Java configuration, right? I have app security config and then admin security config, all right? I'm not going to get too much into the details of the complete configuration; I just want you guys to have a high-level view of how the Spring Security filter chain looks like, like the architecture of the filter of filters, right? You're familiar with web security configurer adapter, right? You're extending that to provide your custom configuration, and typically, in a lot of use cases, you only have one, right? But I got two here. Now, I could have made this into one, but I want to demonstrate how this looks like underneath the covers, right? So I have app security config; notice this one line here:
HTTP ant matcher slash admin, ant matcher, right? That specific configuration there says, for any calls to admin slash star star, hit this set of filters, right? But as you can see on the top one there, it doesn't have that, right? We just get into the filter configuration; by default it's any request, all right? But the key thing to look at here is I have order two, order one, because the most specific matches you want first, and admin is most specific, all right?

So, looking at that, looking at web security configurer adapter, now let's look at this diagram here. Look at this diagram: Spring Security filter chain, the well-known Spring Security filter chain. That's actually the name in an application context; the implementation class is filter chain proxy, right? Now, this is what I've got configured, right? I have two security filter chains, another core interface, and a security filter chain matches on a request. And as you can see, the request pattern star star star, basic authentication filter, that's the public-facing site. We got three filters here; there's a lot more, but those are the ones we're focusing on today. And then we have the admin set of filters, request pattern admin star star. Probably should have reversed the diagrams, because that's literally the order, right, that the filter chain proxy determines, okay, what set of security filter chains am I going to run through, right? But that's the special thing of the Spring Security filter chain: it's not one filter, it's a filter of filters, and in a lot of cases, in a complex setup, you could have, you know, five security filter chains with many filters in each of those chains, right? So it's pretty, pretty sophisticated, but I wanted to give that, you know, that 100-foot view of what the Spring Security filter chain looks like. Any other questions before I wrap up?

When you configure the Spring Security, so it's like using, like, ant matchers and all that stuff, is there possibility of actually, like, configuring, configuring part of the
security directly on the controllers itself, instead of having to, like, you know, ensure that my paths are correct within the configuration, or like my matchers are matching up to what my controller

Well, okay, so the question was, is, do you have the ability to convey, or, I think the, correct me if I'm wrong, the question was, is, he wants to be, he wants to be able to make sure that the security configuration matches with the controller handler mappings, right? So it's funny you asked that, because in the latest release we have this MVC matchers; instead of ant matchers, it's MVC matchers. So if you're using Spring MVC, right, you want to use this MVC matchers, because there's some special cases that Spring MVC, you know, slashing and slash messages actually maps the main message of slash HTML, you know, slightly, there's deviations of that pattern, right? So yeah, look into the MVC matchers, or we could talk about that more after, too, you know.

Yeah, yeah, you know, there's definitely a lot more, like, we got method level security for your services, but you could even get more finer grain and have domain object security, but that's like another two talks. Today was literally just focusing on a web, web layer, right, before it even hits the controller, but Spring Security confirms the, you know, defense-in-depth, right, as in web layer, security layer, domain object access layer, right? But like I said, we could keep going on and on about that, and I think I'm up now. Thank you very much for coming out, everyone.
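The two ordered security filter chains and the access denied handler plug-in point described in the talk, as an added example (not the speaker's sample code). It assumes the Spring Security 4.x-era `WebSecurityConfigurerAdapter` API with `javax.servlet`; the login path `/admin/login`, the `AuditingAccessDeniedHandler` class, and the logger name are hypothetical, and the config class names follow the names spoken in the talk.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.AccessDeniedHandler;

@EnableWebSecurity
public class SecurityConfigExample {
    // Hypothetical handler: audit-log the denial, then answer 403 as the default handler does.
    static class AuditingAccessDeniedHandler implements AccessDeniedHandler {
        private static final Logger AUDIT = LoggerFactory.getLogger("security.audit");

        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response,
                           AccessDeniedException ex) throws IOException {
            // Only reached for an authenticated user who lacks the required role.
            AUDIT.warn("access denied user={} method={} uri={}",
                    request.getRemoteUser(), request.getMethod(), request.getRequestURI());
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Forbidden");
        }
    }

    @Configuration
    @Order(1) // most specific pattern is consulted first by the filter chain proxy
    static class AdminSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/admin/**")
                .authorizeRequests().anyRequest().hasRole("ADMIN")
                // Unauthenticated request: entry point answers with a 302 to the login page.
                .and().formLogin().loginPage("/admin/login").permitAll()
                .and().exceptionHandling().accessDeniedHandler(new AuditingAccessDeniedHandler());
        }
    }

    @Configuration
    @Order(2) // no antMatcher: this chain matches any request
    static class AppSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Unauthenticated request: entry point answers 401 with WWW-Authenticate.
            http.authorizeRequests().anyRequest().hasRole("USER").and().httpBasic();
        }
    }
}
```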
Info
Channel: SpringDeveloper
Views: 43,589
Rating: 4.8200002 out of 5
Keywords: Web Development (Interest), spring, pivotal, Web Application (Industry) Web Application Framework (Software Genre), Java (Programming Language), Spring Framework, Software Developer (Project Role), Java (Software), Weblogic, IBM WebSphere Application Server (Software), IBM WebSphere (Software), WildFly (Software), JBoss (Venture Funded Company), spring security, apache shiro, OAUTH, LDAP, authentication, authorization
Id: AdsnM6OTepc
Length: 47min 44sec (2864 seconds)
Published: Thu Nov 03 2016