Creating RESTful API’s with Grails and Spring Security

•

23 recomendaciones•20,308 vistas

In this talk I will cover how to create a REST API using Grails 2.3 to support single-page applications, exploring all the possible alternatives. Code is available at https://github.com/alvarosanchez/restful-grails-springsecurity-greach2014 I will also explain how to integrate Spring Security using the spring-security-rest plugin I recently created, to implement a stateless, token-based, RESTful authentication.

Software

Creating RESTful API’s
with Grails and Spring
Security
Álvaro Sánchez-Mariscal
Web Architect – odobo
!
@alvaro_sanchez

• HTML5 games platform for:
• Game developers.
• Casinos.
• Check out https://play.odobo.com and try
for free!

Different approaches
• Using just @Resource.
• With uri attribute.
• With explicit UrlMappings.

Different approaches
• Creating explicitly a controller and
extending RestfulController.
• Defining just the constructor.
• Implementing actions based on the URL
mappings report.

Different approaches
• Scaffolding (but don’t tell your mother).

Customizing response
• Customize default renderers.
• Register custom marshallers.
• Use Hypermedia (and fasten your seat
belts!).
• Use Dan Wood’s rest-renderers plugin.

Adding Spring Security
Motivation: we need to break down the
traditional, monolithic Grails applications, in
2 different apps:
1. A pure HTML5/Javascript frontend.
2. A mere RESTful Grails backend.

Adding Spring Security
Issue: The existing Spring Security plugins
would not work with a RESTful, browser-
based client.

REST is much
more than just
returning JSON.

RESTful is about*
Client / server.
Stateless.
Cacheable.
Layered.
* Source: Wikipedia.

Meet Spring Security REST
A stateless, token-based
authentication for your
RESTful API’s

Authentication Endpoint
• Uses the default
authenticationManager bean,
which in turn uses all the registered
authentication providers.
• Receives username and password, and
generates a customizable JSON
response.

Authentication Endpoint
• Credentials can be extracted from:
1. Request parameters.
2. A JSON payload.
3. Any custom implementation

Token Generation
• 2 strategies out-of-the-box:
1. Using java.security.SecureRandom
(default).
2. Using java.util.UUID.
• A custom implementation can be
plugged.

Token Storage
• In Memcached (default).
• Using GORM.
• Write your own.

Token Validation
• If the token header (X-Auth-Token by
default) is present, the request will be
validated.
• Otherwise, the plugin won’t participate in
the filter chain.

Token Validation
• If the passed token exists on the token
storage, the principal will be stored on
the security context.
• It can be retrieved using
springSecurityService.principal

CORS support
• Grails doesn’t support CORS (vote for
GRAILS-10914).
• This plugin comes prepackaged with cors
plugin.

DevQA: make
your testers
happier with
Groovy, Spock
and Geb
Tomorrow,
17:15

Thanks!
Álvaro Sánchez-Mariscal
Web Architect – odobooo
!
@alvaro_sanchez
alvarosanchez

Más contenido relacionado

La actualidad más candente

As the industry’s first enterprise identity bus (EIB), WSO2 Identity Server is the central backbone that connects and manages multiple identities across applications, APIs, the cloud, mobile, and Internet of Things devices, regardless of the standards on which they are based. The multi-tenant WSO2 Identity Server can be deployed directly on servers or in the cloud, and has the ability to propagate identities across geographical and enterprise borders in a connected business environment.

WSO2 Identity Server - Product Overview

WSO2

Draft: building secure applications with keycloak (oidc/jwt)

Abhishek Koserwal

Demystifying Angular Animations

Gil Fink

Angular 6 - The Complete Guide

Sam Dias

Spring cloud config

Shubhani Jain

Serverless Authentication and Authorisation for Your APIs on AWS

Amazon Web Services

Oracle APEX Social Login

msewtz

Getting Started with Spring Authorization Server

VMware Tanzu

gRPC - uma breve introdução.pdf

Matheus Donizete

Oracle APEX Cheat Sheet

Dimitri Gielis

Callbacks, promises, generators - asynchronous javascript

Łukasz Kużyński

Angular Data Binding

Jennifer Estrada

Alfresco DevCon 2019 - Alfresco Identity Services in Action

Francesco Corti

Learn nginx in 90mins

Larry Cai

Lecture 2_ Intro to laravel.pptx

SaziaRahman

OAuth 2.0 and OpenId Connect

Saran Doraiswamy

Understanding REST

Nitin Pande

Terraform modules and best-practices - September 2018

Anton Babenko

Everything as Code with Terraform

All Things Open

Node.js File system & Streams

Eyal Vardi

La actualidad más candente (20)

WSO2 Identity Server - Product Overview

Draft: building secure applications with keycloak (oidc/jwt)

Demystifying Angular Animations

Angular 6 - The Complete Guide

Spring cloud config

Serverless Authentication and Authorisation for Your APIs on AWS

Oracle APEX Social Login

Getting Started with Spring Authorization Server

gRPC - uma breve introdução.pdf

Oracle APEX Cheat Sheet

Callbacks, promises, generators - asynchronous javascript

Angular Data Binding

Alfresco DevCon 2019 - Alfresco Identity Services in Action

Learn nginx in 90mins

Lecture 2_ Intro to laravel.pptx

OAuth 2.0 and OpenId Connect

Understanding REST

Terraform modules and best-practices - September 2018

Everything as Code with Terraform

Node.js File system & Streams

Destacado

MySQL server security

Damien Seguy

Workshop: Creating RESTful API’s with Grails and Spring Security (GR8Conf 2014)

Alvaro Sanchez-Mariscal

Grails 3.1 enhances and improves the profile system introduced in Grails 3.0. One of the new profiles ease the creation and development of applications where the the front-end is an Angular JS application, and the backend is a Grails REST API. In this session, Álvaro (member of the Grails team at OCI, Grails committer and author of several plugins) will demonstrate how to use the Angular profile to create an application using Grails 3.1, Angular JS and Spring Security REST.

Creating applications with Grails, Angular JS and Spring Security - G3 Summit...

Alvaro Sanchez-Mariscal

Cqrs, event sourcing and microservices

Marcelo Cure

Kafka website activity architecture

Omid Vahdaty

Domain Driven Design (DDD)

Mauro Leal

Detecting Events on the Web in Real Time with Java, Kafka and ZooKeeper - Jam...

JAXLondon2014

Domain-Driven Design changed the way we reason about large software systems. Modern practices, tools and technologies like continuous delivery, NoSQL, and cloud-based virtualization allow the creation of fine-grained systems to solve the specific problems at hand. Having DDD in mind and technical expertise at our hands, with Microservice architectures we can build complex systems that reflect our businesses' complex realities and are easy to change at the same time. This talk will show what DDD and Microservice architectures have in common and how you can use both to create software systems that fit your domain.

DDD / Microservices @ Trivento Spring Camp, Utrecht, 2015

Dennis Traub

Sample code available at: https://github.com/alvarosanchez/grails-angular-springsecurity-gr8days-warsaw Grails 3.1 enhances and improves the profile system introduced in Grails 3.0. One of the new profiles ease the creation and development of applications where the the front-end is an Angular JS application, and the backend is a Grails REST API. In this session, Álvaro (member of the Grails team at OCI, Grails committer and author of several plugins) will demonstrate how to use the Angular profile to create an application using Grails 3.1, Angular JS and Spring Security REST.

Creating applications with Grails, Angular JS and Spring Security

Alvaro Sanchez-Mariscal

A modern business operates 24/7 and generates data continuously. Shouldn’t we process it continuously too? A rich ecosystem of real-time data-processing frameworks, tools and systems has been forming around Apache Kafka that allows data to be processed continuously as it occurs. This talk will introduce Kafka and explain why it has become the de facto standard for streaming data. It draws on practical experience building stream-processing applications to discuss the difference between architectures and the challenges each presents. It outlines the streams API in Kafka, and explains how it helps tame some of the complexity in real-time architectures.

Distributed Stream Processing with Apache Kafka

Jay Kreps

This talk is about how to secure your front-end + backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your front-end application is running on a browser and not securely from the server, there are few things you need to consider. In this session Alvaro will explore standards like OAuth and JWT to achieve a stateless, token-based authentication and authorisation. He will explore the existing impl More specifically, the demonstration will be made using Spring Security REST, a popular Grails plugin written by Álvaro. Authentication is normally a stateful service. Most of the implementations rely on the HTTP session, thus introducing state as the session is an in-memory data structure in the application server. In the microservices era, most of the companies are developing such called RESTful services, where one of the principles is to create stateless systems. In such scenario, authentication should be stateless too. There is a standard specification to secure web application and API's, that is being adopted massively by the industry: OAuth 2. The specification doesn't explicitly cover how to make a stateless implementation. And most of the existing ones depend on some sort of external storage (such as a DB) to store the tokens generated for a later validation. Fortunately, there is another specification by the IETF called JSON Web Token, that can be combined with OAuth 2 to achieve a stateless authentication system. In the session, Alvaro will explain the core concepts of OAuth 2, as well as JWT and how can them be used together to achieve the last 2 letters of REST: State Transfer.

Stateless authentication with OAuth 2 and JWT - JavaZone 2015

Alvaro Sanchez-Mariscal

Workshop Guide: RESTful Java Web Application with Spring Boot

Fabricio Epaminondas

As presented at CJUG. Recording will be up here: http://www.meetup.com/ChicagoJUG/events/231837105/ As soon as an application becomes even moderately complex, CQRS and an Event Sourced architecture start making a lot of sense. The talk is focused on: - the challenges and tactics of separating the write model from the query model in a complex domain - how commands naturally lead to events and to an event based system, and - how events get projected into useful, eventually consistent views. Event Sourcing is one of those things that you really need to push through at the beginning (much like TDD) and that - once understood and internalized, will change the way you architect a system. This talk introduces you to the basic concepts and problem spaces to solve.

CQRS and Event Sourcing for Java Developers

Markus Eisele

In this talk we share our experiences developing and deploying a microservices-based application. You will learn about the distributed data management challenges that arise in a microservices architecture. We will describe how we solved them using event sourcing to reliably publish events that drive eventually consistent workflows and pdate CQRS-based views. You will also learn how we build and deploy the application using a Jenkins-based deployment pipeline that creates Docker images that run on Amazon EC2. This talk was given at the Berlin Microxchg conference and the Munich microservices meetup.

Building and deploying microservices with event sourcing, CQRS and Docker (Be...

Chris Richardson

This talk is about how to secure your frontend+backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your frontend application is running on a browser and not securely from the server, there are few things you need to consider. In this session Alvaro will explore standards like OAuth or JWT to achieve a stateless, token-based authentication using frameworks like Angular JS on the frontend and Spring Security on the backend. Video available at https://skillsmatter.com/skillscasts/6058-stateless-authentication-for-microservices

Stateless authentication for microservices

Alvaro Sanchez-Mariscal

Microservice Architecture with CQRS and Event Sourcing

Ben Wilcock

Building Kafka-powered Activity Stream

Oleksiy Holubyev

CQRS and Event Sourcing

Jan Kronquist

Modern, cloud-native applications typically use a microservices architecture in conjunction with NoSQL and/or sharded relational databases. However, in order to successfully use this approach you need to solve some distributed data management problems including how to maintain consistency between multiple databases without using 2PC. In this talk you will learn more about these issues and how to solve them by using an event-driven architecture. We will describe how event sourcing and Command Query Responsibility Segregation (CQRS) are a great way to realize an event-driven architecture. You will learn about a simple yet powerful approach for building, modern, scalable applications.

Developing event-driven microservices with event sourcing and CQRS (svcc, sv...

Chris Richardson

Destacado (19)

MySQL server security

Workshop: Creating RESTful API’s with Grails and Spring Security (GR8Conf 2014)

Creating applications with Grails, Angular JS and Spring Security - G3 Summit...

Cqrs, event sourcing and microservices

Kafka website activity architecture

Domain Driven Design (DDD)

Detecting Events on the Web in Real Time with Java, Kafka and ZooKeeper - Jam...

DDD / Microservices @ Trivento Spring Camp, Utrecht, 2015

Creating applications with Grails, Angular JS and Spring Security

Distributed Stream Processing with Apache Kafka

Stateless authentication with OAuth 2 and JWT - JavaZone 2015

Workshop Guide: RESTful Java Web Application with Spring Boot

CQRS and Event Sourcing for Java Developers

Building and deploying microservices with event sourcing, CQRS and Docker (Be...

Stateless authentication for microservices

Microservice Architecture with CQRS and Event Sourcing

Building Kafka-powered Activity Stream

CQRS and Event Sourcing

Developing event-driven microservices with event sourcing and CQRS (svcc, sv...

Similar a Creating RESTful API’s with Grails and Spring Security

OWASP - Open Web Applications Security Project to fundacja której celem jest eliminacja problemów bezpieczeństwa aplikacji. OWASP działa w duchu "open source" i dostarcza narzędzi, informacji i wiedzy pozwalających podnieść poziom bezpieczeństwa aplikacji. W trakcie wykładu przedstawię krótko OWASP Top 10 w wydaniu dla programistów, czyli "Top 10 Proactive Controls" a więc najważniejsze zalecenia pozwalające na uniknięcie kluczowych błędów bezpieczeństwa.

Ten Commandments of Secure Coding

Mateusz Olejarka

Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls

SecuRing

External JavaScript Widget Development Best Practices (updated) (v.1.1)

Volkan Özçelik

Hacking Adobe Experience Manager sites

Mikhail Egorov

Доклад Михаила Егорова на PHDays

ru_Parallels

we45 DEFCON Workshop - Building AppSec Automation with Python

Abhay Bhargav

Proactive Security AppSec Case Study

Andy Hoernecke

External JavaScript Widget Development Best Practices

Volkan Özçelik

Java scriptwidgetdevelopmentjstanbul2012

Volkan Özçelik

When dealing with modern JavaScript applications, many penetration testers approach from an ‘out-side-in’ perspective, this is approach often misses security issues in plain sight. This talk will attempt to demystify common JavaScript issues which should be better understood/identified during security reviews. We will discuss reviewing applications in code-centric manner by using freely available tools to help start identifying security issues through processes such as linting and dependency auditing.

OWASP SF - Reviewing Modern JavaScript Applications

Lewis Ardern

Selenium Tips & Tricks, presented at the Tel Aviv Selenium Meetup

Dave Haeffner

Everyone heard about Kubernetes. Everyone wants to use this tool. However, sometimes we forget about security, which is essential throughout the container lifecycle. Therefore, our journey with Kubernetes security should begin in the build stage when writing the code becomes the container image. Kubernetes provides innate security advantages, and together with solid container protection, it will be invincible. During the sessions, we will review all those features and highlight which are mandatory to use. We will discuss the main vulnerabilities which may cause compromising your system. Contacts: LinkedIn - https://www.linkedin.com/in/vshynkar/ GitHub - https://github.com/sqerison ------------------------------------------------------------------------------------- Materials from the video: The policies and docker files examples: https://gist.github.com/sqerison/43365e30ee62298d9757deeab7643a90 The repo with the helm chart used in a demo: https://github.com/sqerison/argo-rollouts-demo Tools that showed in the last section: https://github.com/armosec/kubescape https://github.com/aquasecurity/kube-bench https://github.com/controlplaneio/kubectl-kubesec https://github.com/Shopify/kubeaudit#installation https://github.com/eldadru/ksniff Further learning. A book released by CISA (Cybersecurity and Infrastructure Security Agency): https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF O`REILLY Kubernetes Security: https://kubernetes-security.info/ O`REILLY Container Security: https://info.aquasec.com/container-security-book Thanks for watching!

Kubernetes and container security

Volodymyr Shynkar

Today’s cutting-edge companies have software release cycles measured in days instead of months. This agility is enabled by the DevOps practice of continuous delivery, which automates building, testing, and deploying all code changes. This automation helps you catch bugs sooner and accelerates developer productivity. In this session, we’ll share the processes that Amazon’s engineers use to practice DevOps and discuss how you can bring these processes to your company by using a new set of AWS tools (AWS CodePipeline and AWS CodeDeploy). These services were inspired by Amazon's own internal developer tools and DevOps culture.

DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools

Amazon Web Services

[OWASP Poland Day] Saving private token

OWASP

Android pentesting the hackers-meetup

kunwaratul hax0r

Android lessons you won't learn in school

Michael Galpin

DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools

Amazon Web Services

Getting Started with Selenium

Dave Haeffner

How to use selenium successfully

TEST Huddle

By Jorge Hidalgo & Vicente Gonzalez, September 21st, 2016. Automating tests of Java web applications should not be hard. Selenium is a well-known open source tool for automating user interactions within a browser that enables you to run the same test scripts across multiple browser types and operating systems unmodified. This session presents several recipes for working effectively with Selenium: multibrowser selectable tests, patterns for working with asynchronous calls, the page object pattern, and others. Armed with these recipes, developers will increase their proficiency in Selenium test automation and become even more productive in their day-to-day job.

JavaOne 2016 - CON3080 - Testing Java Web Applications with Selenium: A Cookbook

Jorge Hidalgo

Similar a Creating RESTful API’s with Grails and Spring Security (20)

Ten Commandments of Secure Coding

Ten Commandments of Secure Coding - OWASP Top Ten Proactive Controls

External JavaScript Widget Development Best Practices (updated) (v.1.1)

Hacking Adobe Experience Manager sites

Доклад Михаила Егорова на PHDays

we45 DEFCON Workshop - Building AppSec Automation with Python

Proactive Security AppSec Case Study

External JavaScript Widget Development Best Practices

Java scriptwidgetdevelopmentjstanbul2012

OWASP SF - Reviewing Modern JavaScript Applications

Selenium Tips & Tricks, presented at the Tel Aviv Selenium Meetup

Kubernetes and container security

DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools

[OWASP Poland Day] Saving private token

Android pentesting the hackers-meetup

Android lessons you won't learn in school

DevOps on AWS: Deep Dive on Continuous Delivery and the AWS Developer Tools

Getting Started with Selenium

How to use selenium successfully

JavaOne 2016 - CON3080 - Testing Java Web Applications with Selenium: A Cookbook

Más de Alvaro Sanchez-Mariscal

Server-less architectures where as a developer you deploy functions that are fully managed by the Cloud environment and are executed in ephemeral processes require a unique approach. Traditional frameworks like Grails and Spring are not really suitable since low memory consumption and fast startup time are critical and the Function as a Service (FaaS) server will typically spin up your function for a period using a cold start and then keep it warm. This session introduces Micronaut’s compile-time approach: fast startup time and low-memory footprint which make it a great candidate for using as a framework for developing functions. In fact, Micronaut features dedicated support for developing and deploying functions to AWS Lambda and any FaaS system that supports running functions as containers (such as OpenFaaS, Rift, or Fn).

Serverless functions with Micronaut

Alvaro Sanchez-Mariscal

Grails offers a number of options for implementing asynchronous and event-driven applications, from the low-level Servlet 3.0 async support to the Promise API abstraction, which supports GPars, RxJava 1 & 2. At the GORM level, there is also the async namespace, and RxGORM. Finally, a brand new events API shipped with Grails 3.3, which moves off Reactor, will help users to implement event-driven applications. In this session, the speaker will walk the audience through such options.

Asynchronous and event-driven Grails applications

Alvaro Sanchez-Mariscal

6 things you need to know about GORM 6

Alvaro Sanchez-Mariscal

Micronaut is a modern, JVM-based, full stack Micro Services framework designed for building modular, easily testable Micro Service applications. Particle is developed by the creators of Grails and takes inspiration from lessons learnt over the years building real-world applications from monoliths to Micro Services using Spring, Spring Boot and Grails. This session covers the current features of Micronaut for building microservices, such as: Dependency Injection and Inversion of Control (IoC). Configuration system. HTTP services. Cloud and serverless deployments. Management & Monitoring.

Reactive microservices with Micronaut - GR8Conf EU 2018

Alvaro Sanchez-Mariscal

Micronaut is a modern, JVM-based, full stack microservices framework designed for building modular, easily testable microservice applications. Micronaut is developed by the creators of Grails and takes inspiration from lessons learnt over the years building real-world applications from monoliths to microservices using Spring, Spring Boot and Grails. This session covers the current features of Particle for building microservices, such as: – Dependency Injection and Inversion of Control (IoC). – Configuration system. – HTTP services. – Cloud and serverless deployments. – Management & Monitoring.

Reactive microservices with Micronaut - Greach 2018

Alvaro Sanchez-Mariscal

Spring Cloud es uno de los proyectos más importantes de Pivotal, donde introducen el concepto de aplicaciones cloud native: una disciplina que fomenta buenas prácticas en sistemas distribuidos (gestión de la configuración, service discovery, circuit breakers, intelligent routing, micro-proxy, control bus, one-time tokens, global locks, leadership election, distributed sessions, cluster state). Esta charla explica los distintos componentes del ecosistema Spring Cloud, mostrando cómo usarlos en Spring Boot. En particular, el foco estará en: Configuración distribuida. Service Discovery. Log correlation.

Practical Spring Cloud

Alvaro Sanchez-Mariscal

With Grails 3, the plugin development experience changes a little bit compared to that of Grails 2. In this talk, Álvaro (member of the Grails team at OCI, Grails committer and author of several plugins) will cover several topics to understand how plugins work in Grails 3, focusing on best practices. The session is structured as a set of tips and tricks with code samples in the following areas: modularisation, build system, testing and publishing.

Mastering Grails 3 Plugins - G3 Summit 2016

Alvaro Sanchez-Mariscal

Grails 3.1 mejora el sistema de profiles introducido en Grails 3.0. Uno de los nuevos profiles facilita la creación y el desarrollo de aplicaciones donde el front-end es una aplicación Angular JS, y el backend un API REST hecho con Grails. En este taller, Álvaro (miembro del equipo de Grails en OCI, comitter de Grails y autor de varios plugins) los asistentes podrán crear paso a paso una aplicación usando Grails 3.1, Angular JS y Spring Security REST. El workshop está publicado en http://alvarosanchez.github.io/grails-angularjs-springsecurity-workshop/. Si quieres asistir al taller, deberías tener instalado previamente lo siguiente: JDK 7 or 8. Git. Gradle 2.9+. Grails 3.1.6.

Desarrollo de aplicaciones con Grails 3, Angular JS y Spring Security

Alvaro Sanchez-Mariscal

Creating applications with Grails, Angular JS and Spring Security - GR8Conf U...

Alvaro Sanchez-Mariscal

Mastering Grails 3 Plugins - GR8Conf US 2016

Alvaro Sanchez-Mariscal

Mastering Grails 3 Plugins - GR8Conf EU 2016

Alvaro Sanchez-Mariscal

Creating applications with Grails, Angular JS and Spring Security - GR8Conf E...

Alvaro Sanchez-Mariscal

Mastering Grails 3 Plugins - Greach 2016

Alvaro Sanchez-Mariscal

Ratpack is a set of libraries for developing fast, efficient, evolvable and well tested HTTP applications written in Java 8 or any alternative JVM language that plays well with Java, such as Groovy. The session will start with an introduction about Ratpack, and what makes it different from other popular frameworks like Grails or Vert.x, to name a few. Then, it will cover the fundamentals of the async programming model used in Ratpack applications, as well as other core concepts like handlers and the registry. Also, some of of the core modules ("plug-ins") will be described. Finally, it will cover how to test Ratpack applications using Groovy and Spock.

Efficient HTTP applications on the JVM with Ratpack - Voxxed Days Berlin 2016

Alvaro Sanchez-Mariscal

Ratpack is a set of libraries for writing fast, efficient, evolvable and well tested HTTP applications written in Java 8 or any alternative JVM language that plays well with Java, such as Groovy. The session will start with an introduction about Ratpack, and what makes it different from other popular frameworks like Grails or Vert.x, to name a few. Then, it will cover the fundamentals of the async programming model used in Ratpack applications, as well as other core concepts like handlers and the registry. Also, some of of the core modules ("plug-ins") will be described. Finally, it will cover how to test Ratpack applications using Groovy and Spock.

Efficient HTTP applications on the JVM with Ratpack - JDD 2015

Alvaro Sanchez-Mariscal

Stateless authentication for microservices - GR8Conf 2015

Alvaro Sanchez-Mariscal

Ratpack 101 - GR8Conf 2015

Alvaro Sanchez-Mariscal

Ratpack 101 - GeeCON 2015

Alvaro Sanchez-Mariscal

http://www.springio.net/stateless-authentication-for-microservices/ This talk is about how to secure your front-end + backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your front-end application is running on a browser and not securely from the server, there are few things you need to consider. In this session Alvaro will explore standards like OAuth and JWT to achieve a stateless, token-based authentication and authorization using Spring Security in Grails. More specifically, the demonstration will be made using Spring Security REST, a popular Grails plugin written by Álvaro.

Stateless authentication for microservices - Spring I/O 2015

Alvaro Sanchez-Mariscal

Stateless authentication for microservices - Greach 2015

Alvaro Sanchez-Mariscal

Más de Alvaro Sanchez-Mariscal (20)

Serverless functions with Micronaut

Asynchronous and event-driven Grails applications

6 things you need to know about GORM 6

Reactive microservices with Micronaut - GR8Conf EU 2018

Reactive microservices with Micronaut - Greach 2018

Practical Spring Cloud

Mastering Grails 3 Plugins - G3 Summit 2016

Desarrollo de aplicaciones con Grails 3, Angular JS y Spring Security

Creating applications with Grails, Angular JS and Spring Security - GR8Conf U...

Mastering Grails 3 Plugins - GR8Conf US 2016

Mastering Grails 3 Plugins - GR8Conf EU 2016

Creating applications with Grails, Angular JS and Spring Security - GR8Conf E...

Mastering Grails 3 Plugins - Greach 2016

Efficient HTTP applications on the JVM with Ratpack - Voxxed Days Berlin 2016

Efficient HTTP applications on the JVM with Ratpack - JDD 2015

Stateless authentication for microservices - GR8Conf 2015

Ratpack 101 - GR8Conf 2015

Ratpack 101 - GeeCON 2015

Stateless authentication for microservices - Spring I/O 2015

Stateless authentication for microservices - Greach 2015

Último

Document contains steps to getting ups and running quickly with MyTimeClock Employee Scheduling and Time Keeping Cloud Software as a Service Solution, Web version. Try MyTimeClock or any of our other software packages risk-free by registering for a FREE ACCOUNT at https://register.myintellisource.com/. If you would like more information about our company or its software, follow us on Facebook, Instagram, LinkedIn, Twitter, or YouTube, visit our home page at https://www.myintellisource.com/, or send us an email at cs@myintellisource.com. Take care and have a great day.

Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...

MyIntelliSource, Inc.

Hand gesture recognition PROJECT PPT.pptx

bodapatigopi8531

(Vivek)Call Us, 8448380779,Call girls in Delhi NCr – We Offer best in class call girls. escort Service At Affordable Price At low Rate with Space Night 8000 We Are One Of The Oldest Escort and Call girls Agencies in Delhi. You Will Find That Our Female Escorts Are Full Of Fun, Sexy And They Would Love Enjoy Your Company. We Have A Fantastic Selection Of Escort Ladies Available For In-Calls As Well As Out-Calls. Our Escorts Are Not Only Beautiful But All Have Great Personalities Making Them The Perfect Companion For Any Occasion. In-Call:- You Can Come At Our Place in Delhi Our place Which Is Very Clean Hygienic 100% safe Accommodation. Out-Call:- You have To Come Pick The Girl From My Place We Are Also Provide Door Step Services (Delhi Ncr, Noida, Gurgaon, Faridabad, Ghaziabad Note:- Pic Collectors Time Passers Bargainers Stay Away As We Respect The Value For Your Money Time And Expect The Same From You Hygienic:- Full Ac room And Clean Rooms Available In Hotel 24 * 7 Hourly In Delhi NCR More Details, With WhatsApp Number, +91-8448380779

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

Delhi Call girls

How To Troubleshoot Collaboration Apps for the Modern Connected Worker

ThousandEyes

Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf

kalichargn70th171

How To Use Server-Side Rendering with Nuxt.js

Andolasoft Inc

In an era where security concerns are paramount, the integration of artificial intelligence (AI) into CCTV cameras has revolutionized surveillance capabilities. One of the most significant advancements is the ability to achieve real-time threat detection, enabling immediate responses to potential security breaches. This blog explores how AI is reshaping surveillance through real-time threat detection and the implications of this technology.

Optimizing AI for immediate response in Smart CCTV

shikhaohhpro

Investing in AI transformation today The modern business advantage: Uncovering deep insights with AI Organizations around the world have come to recognize AI as the transformative technology that enables them to gain real business advantage. AI’s ability to organize vast quantities of data allows those who implement it to uncover deep business insights, augment human expertise, drive operational efficiency, transform their products, and better serve their customers

Microsoft AI Transformation Partner Playbook.pdf

Willy Marroquin (WillyDevNET)

Model Call Girl Services in Delhi reach out to us at 🔝 9953056974 🔝✔️✔️ Our agency presents a selection of young, charming call girls available for bookings at Oyo Hotels. Experience high-class escort services at pocket-friendly rates, with our female escorts exuding both beauty and a delightful personality, ready to meet your desires. Whether it's Housewives, College girls, Russian girls, Muslim girls, or any other preference, we offer a diverse range of options to cater to your tastes. We provide both in-call and out-call services for your convenience. Our in-call location in Delhi ensures cleanliness, hygiene, and 100% safety, while our out-call services offer doorstep delivery for added ease. We value your time and money, hence we kindly request pic collectors, time-passers, and bargain hunters to refrain from contacting us. Our services feature various packages at competitive rates: One shot: ₹2000/in-call, ₹5000/out-call Two shots with one girl: ₹3500/in-call, ₹6000/out-call Body to body massage with sex: ₹3000/in-call Full night for one person: ₹7000/in-call, ₹10000/out-call Full night for more than 1 person: Contact us at 🔝 9953056974 🔝. for details Operating 24/7, we serve various locations in Delhi, including Green Park, Lajpat Nagar, Saket, and Hauz Khas near metro stations. For premium call girl services in Delhi 🔝 9953056974 🔝. Thank you for considering us!

CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE

9953056974 Low Rate Call Girls In Saket, Delhi NCR

Foundation models are machine learning models which are easily capable of performing variable tasks on large and huge datasets. FMs have managed to get a lot of attention due to this feature of handling large datasets. It can do text generation, video editing to protein folding and robotics. In case we believe that FMs can help the hospitals and patients in any way, we need to perform some important evaluations, tests to test these assumptions. In this review, we take a walk through Fms and their evaluation regimes assumed clinical value. To clarify on this topic, we reviewed no less than 80 clinical FMs built from the EMR data. We added all the models trained on structured and unstructured data. We are referring to this combination of structured and unstructured EMR data or clinical data.

Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...

harshavardhanraghave

5 Signs You Need a Fashion PLM Software.pdf

Wave PLM

A great deal of attention in medical devices has shifted towards cybersecurity with the ratification of section 524B of the FD&C act. This new law enables the FDA to enforce cybersecurity controls in any medical device that is capable of networked communications or that has software. In this webinar we will recap the process for managing vulnerabilities, identify categories of vulnerabilities and solutions and more.

The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...

ICS

SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI

ABDERRAOUF MEHENNI

Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...

OnePlan Solutions

Introducing MyIntelliAccount™ Cloud Accounting Software as a Service (SaaS) , the complete system for simplifying business accounting needs. MyIntelliAccount Cloud Accounting SaaS is an easy to understand and easy to use application and system designed for the Web with supporting applications for iOS and Android devices. Designed to work like a natural extension of your web browser, the user interface for MyIntelliAccount Cloud Accounting SaaS is intuitive and thoughtfully organized to help you easily navigate and access your business accounting information. Because our company takes the time to research, study, and understand the applications we develop, we are confident that once you use MyIntelliAccount Cloud Accounting SaaS , you will be asking yourself how you ever got along without it.

Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...

MyIntelliSource, Inc.

Diamond Application Development Crafting Solutions with Precision

SolGuruz

Conference: Engage2024 in Antwerp Type: Workshop Speakers: Florian Vogler, Henning Kunz, Christoph Adler Title: Navigating the Future with The Hitchhiker's Guide to Notes and Domino 14 Abstract: Embark on an exhilarating journey with industry trailblazers Florian Vogler, Henning Kunz, and Christoph Adler in this not-to-be-missed workshop at the forefront of the tech universe. Get ready for a thrilling kick-off as we navigate the current state of the HCL universe, setting the stage for an exploration of the groundbreaking Notes and Domino 14. Discover the latest enhancements and revolutionary features that will redefine your experience. In this interactive session, unlock a treasure trove of tips and tricks to elevate your utilization of version 14, both with and without the game-changing panagenda MarvelClient. Brace yourself for also diving into Nomad, Nomad Web, and VoltMX, expanding your horizons in the expansive HCL landscape. Be a part of this exclusive opportunity to stay ahead in the ever-evolving world of HCL technologies. Your journey to mastering Notes and Domino 14 begins here. And remember, in the spirit of intergalactic exploration, don't forget to bring your towel!

W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...

panagenda

In the realm of real-time applications, Large Language Models (LLMs) have long dominated language-centric tasks, while tools like OpenCV have excelled in the visual domain. However, the future (maybe) lies in the fusion of LLMs and deep learning, giving birth to the revolutionary concept of Large Action Models (LAMs). Imagine a world where AI not only comprehends language but mimics human actions on technology interfaces. For example, the Rabbit r1 device presented at CES 2024, driven by an AI operating system and LAM, brings this vision to life. It executes complex commands, leveraging GUIs with unprecedented ease. In this presentation, join me on a journey as a software engineer tinkering with WebRTC, Janus, and LLM/LAMs. Together, we’ll evaluate the current state of these AI technologies, unraveling the potential they hold for shaping the future of real-time applications.

Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications

Alberto González Trastoy

Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...

kellynguyen01

+971565801893 Mtp-Kit (500MG) Prices » Dubai [(+971565801893**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Leen Whatsapp +971565801893 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971565801893''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971565801893' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Clinic in Abu Dhabi, United Arab Emirates.+971565801893

+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...

Health

Creating RESTful API’s with Grails and Spring Security

1. Creating RESTful API’s with Grails and Spring Security Álvaro Sánchez-Mariscal Web Architect – odobo ! @alvaro_sanchez

2. About me • Passionate software developer. • Founded Salenda in 2005. • Co-founded Escuela de Groovy in 2009. • Groovy/Grails lover since 2007. • Working now at Odobo as Web Architect.

3. • HTML5 games platform for: • Game developers. • Casinos. • Check out https://play.odobo.com and try for free!

4. Different approaches • Using just @Resource. • With uri attribute. • With explicit UrlMappings.

5. Demo step1 … step2

6. Different approaches • Creating explicitly a controller and extending RestfulController. • Defining just the constructor. • Implementing actions based on the URL mappings report.

7. Demo step3 … step4

8. Different approaches • Scaffolding (but don’t tell your mother).

9. Customizing response • Customize default renderers. • Register custom marshallers. • Use Hypermedia (and fasten your seat belts!). • Use Dan Wood’s rest-renderers plugin.

10. Demo step5 … step7

11. Adding Spring Security Motivation: we need to break down the traditional, monolithic Grails applications, in 2 different apps: 1. A pure HTML5/Javascript frontend. 2. A mere RESTful Grails backend.

12. Adding Spring Security Issue: The existing Spring Security plugins would not work with a RESTful, browser- based client.

13. REST is much more than just returning JSON.

14. RESTful is about* Client / server. Stateless. Cacheable. Layered. * Source: Wikipedia.

15. Meet Spring Security REST A stateless, token-based authentication for your RESTful API’s

16. Authentication

17. Demo

18. Invoking a protected resource

19. Demo

20. Authentication Endpoint • Uses the default authenticationManager bean, which in turn uses all the registered authentication providers. • Receives username and password, and generates a customizable JSON response.

21. Authentication Endpoint • Credentials can be extracted from: 1. Request parameters. 2. A JSON payload. 3. Any custom implementation

22. Token Generation • 2 strategies out-of-the-box: 1. Using java.security.SecureRandom (default). 2. Using java.util.UUID. • A custom implementation can be plugged.

23. Token Storage • In Memcached (default). • Using GORM. • Write your own.

24. Token Storage

25. Token Validation • If the token header (X-Auth-Token by default) is present, the request will be validated. • Otherwise, the plugin won’t participate in the filter chain.

26. Token Validation • If the passed token exists on the token storage, the principal will be stored on the security context. • It can be retrieved using springSecurityService.principal

27. CORS support • Grails doesn’t support CORS (vote for GRAILS-10914). • This plugin comes prepackaged with cors plugin.

28. Demo

29. OAuth support

30. OAuth support

31. Demo

32. DevQA: make your testers happier with Groovy, Spock and Geb Tomorrow, 17:15

33. Thanks! Álvaro Sánchez-Mariscal Web Architect – odobooo ! @alvaro_sanchez alvarosanchez