Spring Lemon Commons Web Guide

Sanjay Patel edited this page Nov 18, 2018 · 10 revisions

Under construction...

spring-lemon-commons-web includes spring-lemon-commons, and adds Spring MVC (non-reactive web) application development features, which are discussed below.

Suffixing JSON responses with ")]}',\n"

To prevent some JSON attacks, many APIs suffix all their JSON responses with )]}',\n. Spring Lemon will do that for you if you set the property lemon.enabled.json-prefix, e.g. by adding this to your application.properties:

lemon.enabled.json-prefix=true

Exception Handling

The com.naturalprogrammer.spring.lemon.commonsweb.exceptions package contains classes that catch exceptions and then delegate the handling to the spring-lemon-exceptions module. Specifically, it has a controller advice, as well as overridden ErrorAttributes and ErrorController classes. See the documentation of that module for a detailed discussion.

Security Configuration

The security configuration of a Spring Lemon web application is defined in the LemonWebSecurityConfig bean. So, unless you provide your own LemonWebSecurityConfig implementation, your application will have the following:

  1. Statelessness
  2. No /logout endpoint (we are stateless)
  3. Responding with 403 Forbidden in case of authorization errors
  4. Bearer token authentication
  5. CSRF disabled (we are stateless)
  6. CORS configured as per the given properties. Defaults are given below, which you can of course override in your application.yml:
    lemon:
        cors:
    
            # Comma separated values of CORS allowedOrigins
            # If this property is not given, CORS is not configured
            allowed-origins: http://localhost:9000
    
            # To override anything below, uncomment and update
            # allowed-methods: GET,HEAD,POST,PUT,DELETE,TRACE,OPTIONS,PATCH
            # allowed-headers: Accept,Accept-Encoding,Accept-Language,Cache-Control,Connection,Content-Length,Content-Type,Cookie,Host,Origin,Pragma,Referer,User-Agent,x-requested-with,Authorization
            # exposed-headers: Cache-Control,Connection,Content-Type,Date,Expires,Pragma,Server,Set-Cookie,Transfer-Encoding,X-Content-Type-Options,X-XSS-Protection,X-Frame-Options,X-Application-Context,Lemon-Authorization
            # max-age: 3600
    
  7. URL-based authorization configuration that exposes all endpoints to everyone (.mvcMatchers("/**").permitAll()). Spring Lemon expects that you'll secure your service layer by using method security. For examples, see LemonService and LemonReactiveService.

You can override any of the above configurations. To do so, subclass LemonWebSecurityConfig, override the methods you want, and configure that as a component.
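As an added example (not code from the Spring Lemon project), here is how an application could tighten item 7 above while keeping all the other defaults: it subclasses LemonWebSecurityConfig and overrides only the method that installs the URL authorization rules. The package path of LemonWebSecurityConfig, the hook name authorizeRequests(HttpSecurity) and the /admin/** path are assumptions; check them against the LemonWebSecurityConfig source of the version you use.

```java
package com.example.security;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.stereotype.Component;

// Assumed package: the page names commonsweb.exceptions, so commonsweb.security
// is a guess for where LemonWebSecurityConfig lives.
import com.naturalprogrammer.spring.lemon.commonsweb.security.LemonWebSecurityConfig;

/**
 * Registered as a component, this replaces Spring Lemon's default
 * LemonWebSecurityConfig bean. Only the URL authorization rules change;
 * statelessness, bearer token authentication, CORS and the other defaults
 * listed above are inherited unchanged.
 */
@Component
public class MyWebSecurityConfig extends LemonWebSecurityConfig {

    // Assumed hook name: the protected method of LemonWebSecurityConfig that
    // applies the default .mvcMatchers("/**").permitAll() rule.
    @Override
    protected void authorizeRequests(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Hypothetical admin area. Rules are evaluated in order, so the
            // narrower matcher must come before the catch-all. This is a second
            // line of defence; the service layer still needs method security.
            .mvcMatchers("/admin/**").hasRole("ADMIN")
            // Keep the Spring Lemon default for everything else.
            .mvcMatchers("/**").permitAll();
    }
}
```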
