My Guice Integration Adventures: Building Secure RESTful Web Application with Apache Shiro

Intro & Motivation

From my previous post, I created an Maven Archetype to bootstrap a Java Web Application. My next step was to make the Web App Secure somehow, and by recommendation I came into Apache Shiro.

RBAC and Security Management

Apache Shiro has a new way of thinking security, with its Resource Based Access Control  (RBAC, not to be mistaken with Role Based Access Control). Basically, instead of giving access to Roles, you give set access to Resources, in this case RESTful endpoints. This can be applied to all JAX-RS Resources.

Second Approach: Guice + Apache Shiro + Jersey

The way to integrate Shiro into a web application is via the web filters to attach the Security Context into the main context. But I also needed to configure Guice, so it can load the Security Manager and Shiro Realms as Singletons at bootstrap.

I also used Shiro’s AOP Module to support Annotations like @RequiresPermission, but in the long run I stuck with the default way for requesting Permissions.

My overall experience with Shiro was very successful, and I found the Permission approach very intuitive. It’s very customizable also, having the chance to modify the behavior of Sessions (or go totally Sesion-less), Permission levels and Realms to save Users, Roles and Permissions according to your existing data structure.

Finally this framework also counts with a Cryptography package, to manage your passwords in multiple formats (MD5, SHA1, SHA-256, et al.) and to encrypt any kind of data to be shared.

Code Template Project

My github example is in shiro-guice-jersey-bootstrap project. This integrates the following frameworks and libraries:

  • Servlet 2.5
  • Jersey 1.18.1
  • Guice 3.0
  • Apache Shiro 1.2.3
  • guice-persist 3.0
  • gson 2.2.4
  • joda-time 2.4
  • JUnit 4.10

I also made a Maven Archetype from this template in secure-rest-webapp-archetype project.

Conclusions

This kind of projects are very demanded nowadays because of the SaaS and MBaaS architectures, and like I said in previous post, having Jersey makes your RESTful tier compliant with JAX-RS, Guice and Dependency Injection compliant with JSR-330 and the so long standardized Servlet 2.5 spec compliant with any Java Enterprise Application Servers. This makes the app more portable in terms of code sharing/reviewing and more focused on the BackEnd business logic, allowing a more agile workflow for distributed teams.

Next Adventure

My next adventure will involve RESTEasy and Servlet 3.x spec! Stay tuned!

Cheers!

Advertisements

My Guice Integration Adventures: Building Portable RESTful Web Services Applications

Intro & Motivation

I started my journey into the depths of Google Guice last year during an Android Coursera MOOC, it was really interesting and I really enjoyed using this Framework for the MOOC.

After my previous encounters with Spring Framework (and Spring Boot features), I wanted to give another DI Framework a try, so I could learn more about this fabulous  and helpful design pattern.

Google Guice doesn’t have a logo, sorry! 😛

I wanted to build the ultimate Java Web Application skeleton, having all the necessary frameworks to start coding RESTful web services for my current projects at work and at the same time keep the integrations as simple as possible, making the application extendable without loosing common features.

I started with the standards. I found a lot of blogs and code about Jersey framework, which was developed by the Oracle guys, so I gave it a try. My experience with Jersey was very successful, in fact I had 4 projects in one year involving this framework.

My Main motivation on starting these integrations was to have a way to port all my coding experience and algorithms across different projects, with the less amount of changes as possible and leveraging all the power of the Java language and its annotations.

First Approach: Jersey + Guice

My first approach was an integration of Jersey 1.x with Google Guice 3.0.

The main benefit from this approach, was that I found the code very portable and lightweight. I didn’t know when CDI and Oracle’s implementation of JSR-330 was going to get viral, so I decided to use Google Guice’s @Inject and @Provides annotation, but the code is portable enough to use javax’s implementation of @Inject. In this page you can find Google Guice’s doc on JSR-330 and the key differences with Oracle’s Java implementation.

You can check my sample project in GitHub: jersey-guice-bootstrap

As I stated before, this kind of projects were very demanded, so I decided to do a Maven Archetype. This way I could automate my project bootstrapping.

Automate The Bootstrap Process: Maven Archetype

The Archetype is jersey-guice-webapp-archetype and it has the following frameworks integrated:

  • Servlet 2.5 provided by Guice-Servlet package
  • Jersey 1.18.1 (Update: the last 1.x version is 1.19)
  • Guice 3.0 (Update: The last version is Guice 4)
  • guice-persist 3.0
  • gson 2.2.4
  • joda-time 2.4
  • JUnit 4.10

Conclusions

With this architecture you can stay in the Back-End world with JAX-RS Compliant Endpoints, integrate more frameworks like Hibernate with Guice Persist, use GSON to serialize back and forth POJOS without touching the Jersey’s Jackson configuration. Also this allows you to host your Front-End frameworks in another server or package system, which is a pretty common practice nowadays (MBaaS and SaaS architectures) to decouple Back-End and Front-End. This last also helps when having distributed teams, and their responsibilities.

This was my first Adventure with Google Guice and Java Web Applications, but not the last.

In fact this is going to be the first post in a series of experiences I earned last year. Stay tuned for more Guice Integration Adventures.

Next Adventure: RESTEasy + Servlet 3.x

The next posts will feature Servlet 3.x Spec and RESTEasy implementation of JAX-RS library.

Cheers!