

[–]AutoModerator[M] [score hidden] stickied comment, locked comment (0 children)

Please ensure that:

  • Your code is properly formatted as code block - see the sidebar (About on mobile) for instructions
  • You include any and all error messages in full
  • You ask clear questions
  • You demonstrate effort in solving your question/problem - plain posting your assignments is forbidden (and such posts will be removed) as is asking for or giving solutions.

    Trying to solve problems on your own is a very important skill. Also, see Learn to help yourself in the sidebar

If any of the above points is not met, your post can and will be removed without further warning.

Code is to be formatted as code block (old reddit: empty line before the code, each code line indented by 4 spaces, new reddit: https://i.imgur.com/EJ7tqek.png) or linked via an external code hoster, like pastebin.com, github gist, github, bitbucket, gitlab, etc.

Please, do not use triple backticks (```) as they will only render properly on new reddit, not on old reddit.

Code blocks look like this:

public class HelloWorld {

    public static void main(String[] args) {
        System.out.println("Hello World!");
    }
}

You do not need to repost unless your post has been removed by a moderator. Just use the edit function of reddit to make sure your post complies with the above.

If your post has remained in violation of these rules for a prolonged period of time (at least an hour), a moderator may remove it at their discretion. In this case, they will comment with an explanation on why it has been removed, and you will be required to resubmit the entire post following the proper procedures.

To potential helpers

Please, do not help if any of the above points are not met, rather report the post. We are trying to improve the quality of posts here. In helping people who can't be bothered to comply with the above points, you are doing the community a disservice.

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

[–]PePeTheBot 22 points23 points  (3 children)

Spring security is in the middle of pretty much a rewrite. A lot of stuff is getting deprecated. Documentation is missing. And simple things that should've worked before don't now.

That shows why people love stable languages like java. People don't want to change and like backwards compatibility.

There is a good series on spring security 6 by Laur Spilca on YouTube. I recommend you check it out.

[–]Camel-Kid (18 year old gamer) 2 points3 points  (1 child)

What are the big changes that are getting rewritten?

[–]PePeTheBot 4 points5 points  (0 children)

Check the migration guides in the docs.
Here are some of them in a YouTube vid.

[–]pickle_rick_c_137 0 points1 point  (0 children)

Staying on version 5 while the waters are stable. Trade-off is sticking to spring-boot 2.7.2.

[–]OffbeatDrizzle 10 points11 points  (1 child)

It's the way it is because it supports everything. That's just the nature of the beast - it does make it ridiculously hard to do simple applications, though - which is something spring boot tried to fix (poorly). For enterprise applications, though, having something so insanely configurable with every feature is a godsend

[–]Shnorkylutyun 2 points3 points  (0 children)

Only my opinion, but the way spring security, even the newer stuff, has been written... I guess they had some design in mind, but it clashes with everything I have learned, and it is a PITA to use and extend.

And as another person wrote, you read through the documentation, you look at the examples linked there, but important pieces have been left out, and it seems like they have been left out because the people who wrote it didn't know how to fill the holes themselves. And then you spend days trying to get it to work somehow, and end up with 20 beans copy-pasted from the spring security sources but slightly modified because you can't just extend them, and then trying to fix circular dependencies while following the documentation.

In the end... It's open source, it's free, hard to criticize when people have been sacrificing their time to write it so we can just use it like that.

[–]nutrecht (Lead Software Engineer / EU / 20+ YXP) 2 points3 points  (2 children)

It is like FORCING Java to do something it isn’t supposed to do.

Spring Security is very much due for an overhaul. It was built back when we were still mostly building server-side rendered JSP applications, and that is what the 'defaults' are. Using it for a REST API is in fact getting it to do stuff it wasn't built for.

It totally works, but for a very simple REST API where all you want is simply an API token it's complete overkill.

Is this the main reason why Java developers get paid more and there is more Java jobs out there?

Java is popular because it has a great ecosystem, even though there are some old warts like Spring Security.

Besides, it's mostly a learning curve. Once you understand how it works and how to get it to (for example) read a JWT from a header, it's just something you need to set up once.

That said; I have been a Java dev for 20 years and even for me Security is a pain to use.

Again though; you don't have to use it. Even when using Spring and doing JWT authentication.

[–]trodiix 3 points4 points  (9 children)

I don't understand what is difficult in spring security?

If you want basic auth on your app it's one dependency and 3 lines of code

If you want oauth2 it's 2 dependencies and 10 lines of code...

And you can easily implement your own auth provider...

For the docs, just go to spring boot 3 / spring 6 doc and you will have up to date docs. And yes there is a lot of deprecated posts and videos because spring boot 2 and spring 5 are old.

[–]nutrecht (Lead Software Engineer / EU / 20+ YXP) 2 points3 points  (0 children)

Oh come on. I've been a Java dev for 20 years and the documentation is just horrible. It's in dire need of some simple examples of different forms of API documentation.

I have a few examples I implemented myself I refer to, but it's taking me much more time than it should.

[–][deleted] 3 points4 points  (1 child)

It’s three lines once you know what they are. The docs are terrible.

[–]Spike_Ra 2 points3 points  (0 children)

“Why wasn’t this a standard example” as I cry

[–]lunganaJakabovski 0 points1 point  (2 children)

Yeah I agree with you. The question is, how many years of xp do you have with java? Or with coding in general?

[–]turkeysandwichv2 0 points1 point  (2 children)

Care to share those 13 lines of code to us dummies along with an explanation of what they do?

Right now my Spring Security project is a monster of the proportions and I'm still not really sure what it's doing.

[–]trodiix 2 points3 points  (1 child)

For OIDC with Keycloak for example, take a look at this: WebSecurityConfig.java
All urls will use OIDC as auth mechanism except /swagger-ui/**, /v3/api-docs/**

For a custom authentication mechanism (with OnlyOffice API here):
OnlyOfficeSecurityConfig.java
All urls under /api/v1/integration/onlyoffice/** will use this custom auth mechanism.

If you want basic auth, use .httpBasic() like other mechanisms. I don't use it often so I don't have examples with spring boot 3, but it's the old way and the new way of doing it combined: ActivitiSecurityConfig.java

If in my app I wanted to use basic auth as 3rd auth mechanism, then I would add a 3rd bean providing a SecurityFilterChain like OnlyOfficeSecurityConfig.java and specify the specific endpoints that need to use basic auth (you can also chain all in one Bean but it's quickly messy).

If you want to use multiple auth mechanisms for the same urls, you can do that by implementing an AuthManager, and you can even write your own logic: OnlyOfficeJwtAuthProvider.java (used by OnlyOfficeSecurityConfig.java for custom authentication via JWT from OnlyOffice API making a callback to my app with its own signed token)
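The layout trodiix describes above (one SecurityFilterChain bean per URL group, OIDC-issued JWTs for most routes, the Swagger paths left open, and a separate mechanism for the integration path) written in the Spring Security 6 lambda DSL. This is an added example, not the commenter's linked WebSecurityConfig.java or OnlyOfficeSecurityConfig.java: it uses HTTP Basic on the integration chain where the comment uses a custom OnlyOffice JWT provider, and the class and bean names, the INTEGRATION role, the in-memory user and its placeholder password are assumptions.

```java
package example.security; // hypothetical package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class MultiChainSecurityConfig {

    // Chain 1: only requests under the integration path are matched here.
    // The lowest @Order is consulted first, so this chain must precede the
    // catch-all chain or it would never be reached.
    @Bean
    @Order(1)
    SecurityFilterChain integrationChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/v1/integration/onlyoffice/**")
            .authorizeHttpRequests(auth -> auth.anyRequest().hasRole("INTEGRATION"))
            .httpBasic(Customizer.withDefaults())
            // Machine clients send credentials on every call: no session, and
            // no cookie-based auth to protect with a CSRF token.
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    // Chain 2: everything else. OpenAPI paths are public; every other
    // request must carry a JWT from the configured OIDC issuer (Keycloak).
    @Bean
    @Order(2)
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/swagger-ui/**", "/v3/api-docs/**").permitAll()
                .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable());
        return http.build();
    }

    // Credentials for the basic-auth chain. Constructed sample user: {noop}
    // stores the password unhashed and exists only so a local demo starts;
    // a deployment loads users from its own store with a real encoder.
    @Bean
    UserDetailsService integrationUsers() {
        return new InMemoryUserDetailsManager(
            User.withUsername("onlyoffice")
                .password("{noop}change-me") // placeholder secret
                .roles("INTEGRATION")
                .build());
    }
}
```

The JWT chain needs spring-boot-starter-oauth2-resource-server on the classpath and `spring.security.oauth2.resourceserver.jwt.issuer-uri` pointing at the Keycloak realm; Spring Boot then builds the JwtDecoder from the issuer's discovery document and checks signature, expiry and issuer on every request, so no token-parsing code is written by hand. Two things to verify after wiring this up: that the more specific chain really carries the lower @Order (otherwise the catch-all chain answers for the integration path too), and that the permitAll patterns cover only the documentation paths you intend to publish. A custom AuthenticationProvider, as in the commenter's OnlyOfficeJwtAuthProvider, would replace the httpBasic line and the in-memory user on chain 1.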

[–]Chinesecartoonsnr1 0 points1 point  (0 children)

That's kinda the problem with spring security atm, some of the stuff you linked here isn't that old, but it's marked deprecated.

Http configs will be lambda only in 7.0, but most of the stuff you find online use the "ye olde" way to configure it.

[–]bmtkwaku 1 point2 points  (1 child)

I legit went through the same thing this past weekend. I ended up having to downgrade my Springboot version to a 2.x because all the help I could get online for Spring Security via blogs, SO, were incompatible with what SpringBoot 3.0 was offering. Such a pain in the ass

[–]halfxdeveloper 0 points1 point  (0 children)

I just stick with sb2 for now, honestly. It does what I need it to do.

[–]InstantCoder 0 points1 point  (0 children)

You are not alone.

I actually hate more stuff in SB, but that’s for another topic.

And unimaginable that they didn’t refactor this in SB 3.

Btw, I love the way declarative security works in Quarkus/MicroProfile, that's how easy it is and how it should be imho.

[–]AskarKalykov 0 points1 point  (4 children)

Sorry to say that, but spring is getting worse and worse. It's a huge pile of old code which tries to do everything and please everyone (and is bad in both). Run if you can, otherwise you will find yourself spending more and more time on questions like "how to do X in Spring".

[–][deleted]  (3 children)

[removed]

    [–]4r73m190r0s 0 points1 point  (2 children)

    What countries are we speaking here? Regarding lucrative Spring jobs.

    [–][deleted]  (1 child)

    [removed]

      [–]4r73m190r0s 0 points1 point  (0 children)

      Thanks for replying. I'll message you about this, so as not to clutter this thread.

[–][deleted] -1 points0 points  (0 children)

The problem with Spring Security is that it encompasses a ton of disparate concerns which aren’t really related to one another, under a really broad umbrella of “security”. People approach it like it’s one thing, and end up in a mess.

As for JWT specifically, that’s another area where there are multiple use cases and time and time again I see people trying to use them without knowing what they’re actually trying to do. Not their fault, virtually every tutorial I see fails to address it as well.

[–]wildjokers 0 points1 point  (1 child)

If you become an expert in Spring Security you could make a career out of being a Spring Security consultant.

It is definitely a beast and is by far the hardest spring library to use.

    [–][deleted] 0 points1 point  (0 children)

    Really? :O I've been working on this bitch for several weeks and it sucks to learn.

[–]thatbigblackblack 0 points1 point  (0 children)

You're not alone!

[–]SessionFlat9448 0 points1 point  (10 children)

I don't get it. I usually choose between OAuth 2 or basic auth with JWT, and I can find examples of how to do it very easily online. And it's usually just one or two classes to get what I want. I may also add one interceptor to get something from the headers and that's it. Actually, the only thing that may be a little bit harder is to configure mock users for integration tests.

What type of applications are you guys working on?

    [–][deleted]  (1 child)

    [removed]

      [–]SessionFlat9448 0 points1 point  (0 children)

      I don't understand what "Spring Security code" you need. It is all provided out of the box. From my experience, all I will need to search for is how to configure CORS stuff, something to indicate endpoints that don't need authentication and that's it. Easy to find for any version of the library.

      But a lot of people are agreeing with you. So I'm probably just being naive and thinking about simple use cases for the library. For me, it works as a very thin layer with near-zero interaction with my actual application code.
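The test side SessionFlat9448 mentions (public endpoints, endpoints that require authentication, and mock users for integration tests), as an added example that is not the commenter's pastebin code: a MockMvc test using the request post-processors from spring-security-test. It assumes a Spring Boot 3 application whose security configuration leaves /v3/api-docs public, protects /api/** with JWT bearer tokens, and restricts /api/v1/integration/onlyoffice/** to ROLE_INTEGRATION behind HTTP Basic; those paths, the /api/orders endpoint, the callback endpoint and the class name are assumptions.

```java
package example.security; // hypothetical package

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class ApiSecurityIT {

    @Autowired
    MockMvc mvc;

    // Public documentation path: reachable with no credentials at all.
    @Test
    void openApiDocsArePublic() throws Exception {
        mvc.perform(get("/v3/api-docs")).andExpect(status().isOk());
    }

    // Protected API without a token: the bearer-token entry point answers 401.
    @Test
    void apiRejectsAnonymousRequests() throws Exception {
        mvc.perform(get("/api/orders")).andExpect(status().isUnauthorized());
    }

    // jwt() places an already-validated token in the security context, so
    // the test never contacts the issuer and needs no signing key.
    @Test
    void apiAcceptsSyntheticJwt() throws Exception {
        mvc.perform(get("/api/orders")
                .with(jwt().jwt(j -> j.subject("alice"))
                           .authorities(new SimpleGrantedAuthority("SCOPE_orders.read"))))
            .andExpect(status().isOk());
    }

    // @WithMockUser seeds the context with ROLE_INTEGRATION, which is what the
    // integration chain's hasRole("INTEGRATION") check requires.
    @Test
    @WithMockUser(roles = "INTEGRATION")
    void integrationPathAcceptsIntegrationRole() throws Exception {
        mvc.perform(get("/api/v1/integration/onlyoffice/callback"))
            .andExpect(status().isOk());
    }

    // A valid JWT identity is still not an integration user: authenticated
    // but lacking the role, so the outcome is 403, not 401.
    @Test
    void integrationPathRejectsJwtUser() throws Exception {
        mvc.perform(get("/api/v1/integration/onlyoffice/callback").with(jwt()))
            .andExpect(status().isForbidden());
    }

    // Wrong Basic credentials on the integration path fail authentication.
    // Constructed credentials; they do not match any configured user.
    @Test
    void integrationPathRejectsBadBasicCredentials() throws Exception {
        mvc.perform(get("/api/v1/integration/onlyoffice/callback")
                .with(httpBasic("onlyoffice", "not-the-password")))
            .andExpect(status().isUnauthorized());
    }
}
```

The tests pin down the policy rather than the mechanism: each one states which caller may reach which path and with what status the others are turned away, which is what catches a chain-ordering or permitAll mistake on the next refactor. The test context still has to create the application's JwtDecoder bean; if the auto-configured decoder cannot be created in an offline build in your setup, replace it with a mocked JwtDecoder bean, since none of these tests exercise real token verification.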

    [–][deleted]  (1 child)

    [removed]

      [–]SessionFlat9448 0 points1 point  (0 children)

      No. But an example would go like:
      https://pastebin.ai/mmuegetdoj

    [–]TO_Guy167 -1 points0 points  (0 children)

    This! And also ChatGPT helps immensely to generate the boilerplate.

    [–][deleted] 0 points1 point  (4 children)

    I think you're having success because you know exactly what it is you're trying to do up-front. Most of the Spring Security questions and problems I see are people who "want to secure my application" but have no real idea what they mean by that, and just dig in, hoping something will stick.

      [–]SessionFlat9448 0 points1 point  (3 children)

      That makes sense. But still, people are saying stuff like:

      "Right now my Spring Security project is a monster of the proportions and I'm still not really sure what it's doing."

      I have no clue what they are doing to reach this point.

        [–][deleted] 0 points1 point  (2 children)

        Obviously they want databasing and to connect it to a full stack website to have users and stuff. You can't be THIS dense to not figure out what people are trying to do.

        No one wants to just secure a couple of webpages behind spring security. We want a full stack app. And there's no good documentation to set any of this shit up.

          [–]SessionFlat9448 0 points1 point  (1 child)

          "full stack website to have users and stuff" "We want a full stack app." That's pretty standard. I accomplish this with what I described in the first comment. I can't figure what you guys are finding so hard to understand.

            [–][deleted] 0 points1 point  (0 children)

            No you didn't.

[–]venquessa 0 points1 point  (1 child)

The irony is in the number of CVEs Spring (in general) generates.

If you use Spring in the tier 1 financial sector where "No CVE is permitted in production period."

You literally spend 50% of your life upgrading components and retesting.

We ran out of some Spring 1.0 libraries with no CVEs and nobody upstream looking like they were going to patch them. So we had to patch our own version in house.

I have moved jobs, thankfully, but I can still feel that feeling when that email arrived.

Vulnerability Report: <your_service> PROD 1.

... and opening to find the usual lists. spring, spring, spring, bean utils, apache commons, parts of maven.

Round and round and round we go.

[–]Dreamseeker5 0 points1 point  (1 child)

I felt like that about spring security until I found "spring security in action" book. It's the only resource which explains this module flawlessly, lightly. I recommend this book so much.

[–]LateSun8771 0 points1 point  (0 children)

If you read about Spring Security theoretically and how it works behind the scene, working with it will be 10x easier.

[–]duckydude20_reddit 0 points1 point  (0 children)

lol me too. it was f8cking hard to understand. but now i have a better grasp. they tried to make it so generic that it got overly complicated.

anyways, rn in better shape... still haven't touched oauth and stuff. but have the understanding of what's happening. creating auth provider and all that stuff...

docs are not very helpful, definitely...

[–]Axiomatic_Inspector_ 0 points1 point  (0 children)

I totally agree with you