Spring Lemon Commons Web Guide
`spring-lemon-commons-web` includes `spring-lemon-commons` and adds Spring MVC (non-reactive web) application development features, which are discussed below.
To prevent some JSON attacks (a bare JSON array is also a valid JavaScript program, so a page on another origin could load an API URL in a `<script>` tag), many APIs prefix all their JSON responses with `)]}',\n`. The prefix makes the body a syntax error when run as a script, while a client that expects it simply strips it before parsing. Spring Lemon will do that for you if you just set the property `lemon.enabled.json-prefix`, e.g. add this to your application.properties:

```properties
lemon.enabled.json-prefix=true
```
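The client-side half of that arrangement, as an added example that is not part of this guide or of Spring Lemon: `parsesAsScript` shows why the prefix matters (the bare array parses as a script, the prefixed body does not), and `parsePrefixedJson` is what a browser front end does before handing the response to `JSON.parse`. The response bodies are constructed inline, and the `/api/users` URL in the usage comment is hypothetical.

```javascript
// Added example (not Spring Lemon code). Assumes the server sends exactly the
// prefix the guide names, i.e. ")]}'," followed by a newline.
const JSON_PREFIX = ")]}',\n";

// Parse (but never execute) a response body as JavaScript, the way a <script>
// tag on a third-party page would. The Function constructor only compiles
// the text, so a SyntaxError here means the body cannot be loaded as a script.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// What the front end does with a prefixed response: drop the prefix when the
// server sent it, then parse the remaining JSON as usual.
function parsePrefixedJson(body) {
  const text = body.startsWith(JSON_PREFIX) ? body.slice(JSON_PREFIX.length) : body;
  return JSON.parse(text);
}

// Constructed sample responses: the same payload with and without the prefix.
const plainBody = '[{"id":1,"email":"alice@example.com"}]';
const prefixedBody = JSON_PREFIX + plainBody;

// Usage against a hypothetical endpoint running with lemon.enabled.json-prefix=true:
//   const body = await (await fetch('/api/users')).text();
//   const users = parsePrefixedJson(body);
```

Only the second function belongs in a real client; `parsesAsScript` is here to make the attack surface visible. Note that the prefix protects array and object responses alike, but it is only a defence for data that a browser could otherwise load cross-origin as a script; it does not replace authentication on the endpoint.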
The `com.naturalprogrammer.spring.lemon.commonsweb.exceptions` package contains classes that catch exceptions and then delegate the handling to the `spring-lemon-exceptions` module. Specifically, it has a controller advice, as well as overridden `ErrorAttributes` and `ErrorController` classes. Refer to the `spring-lemon-exceptions` guide for a detailed discussion.
Security configurations of Spring Lemon web applications are coded in the `LemonWebSecurityConfig` bean. So, your application will have the following by default:

- Statelessness
- No `/logout` endpoint (we are stateless)
- Responding with 403 Forbidden in case of authorization errors
- Bearer token authentication. More on it follows.
- CSRF disabled (we are stateless)
- CORS configured as per the given properties. Defaults are given below, which you can of course override in your application.yml:

  ```yaml
  lemon:
    cors:
      # Comma separated values of CORS allowedOrigins
      # If this property is not given, CORS is not configured
      allowed-origins: http://localhost:9000
      # To override anything below, uncomment and update
      # allowed-methods: GET,HEAD,POST,PUT,DELETE,TRACE,OPTIONS,PATCH
      # allowed-headers: Accept,Accept-Encoding,Accept-Language,Cache-Control,Connection,Content-Length,Content-Type,Cookie,Host,Origin,Pragma,Referer,User-Agent,x-requested-with,Authorization
      # exposed-headers: Cache-Control,Connection,Content-Type,Date,Expires,Pragma,Server,Set-Cookie,Transfer-Encoding,X-Content-Type-Options,X-XSS-Protection,X-Frame-Options,X-Application-Context,Lemon-Authorization
      # max-age: 3600
  ```

  The default `allowed-origins` value of `http://localhost:9000` is meant for local development only; in production, set it to the exact origins of your front end.

- URL based authorization configuration to expose all endpoints to everyone (`.mvcMatchers("/**").permitAll()`). Spring Lemon expects that you'll secure your service layer by using method security, so a service method without a method-security annotation is reachable by anyone. For examples, see `LemonService` and `LemonReactiveService`.
You can override any of the above configurations. To do so, subclass LemonWebSecurityConfig, override the methods you want, and configure that as a component.
For token authentication, Spring Lemon comes with `LemonCommonsWebTokenAuthenticationFilter`. It tries to parse a `userDto` out of the token. If not found, it calls a protected `fetchUserDto` method. `fetchUserDto` just throws an exception, but it's overridden in the `spring-lemon-jpa` and `spring-lemon-reactive` modules (which we'll discuss later), which fetch the `userDto` from the database. So, a token creation/usage pattern, say in a microservices architecture, could be:

- Let the auth-service use `spring-lemon-jpa` or `spring-lemon-reactive` (which would fetch the `userDto` from its database).
- Let other services use `spring-lemon-commons-web` or `spring-lemon-commons-reactive`, which expect the `userDto` embedded in the token.
- When someone logs in, issue a JWT with the username as the subject, but without any `userDto` claim.
- When a request comes with the above authorization token, build a full token (with the `userDto` embedded) in the gateway service, and use that token when forwarding the request to the services.

Confused? See our demo microservices to get clarity.