I was given a copy of Spring Security 3.1 by Robert Winch and Peter Mularien to review on my blog. A few disclaimers to get out of the way first:
- I was/am a Spring Security committer (I think I still technically have access but don't actively develop right now)
- My copy of the book was free (electronic version, compatible with Kindle)
- Speaking of Kindle, I do work for Amazon/Audible, however, my opinions here are my own.
- I was the technical reviewer for the Spring Security 3 version (but not for 3.1)
- I am a committer and member of the steering committee for Jasig CAS
To make this easier, I want to get the non-content comments out of the way first. I read this on a Kindle Fire (non-HD version), meaning I believe the screen is about 7 inches. This is rather small for many of the tables unless you want to rotate the screen when viewing the table. Tables get cut off in portrait mode with no real way scroll to the right. Attempting to zoom in on some of the images also causes all sorts of weirdness (things actually seemed to get smaller), though I don't know if that was an artifact of the book or the Kindle itself. I found the flow diagrams to be a bit amateurish in design. Finally, I did notice a few typos in some of the content, but for the most part the text or style was not distracting. None of this, minus the grammar/typos would affect readers or larger tablets or the paper edition.
With that said, let's just straight into a review of the content. The book covers the basics of Spring security, authentication (CAS, LDAP, X.509, OpenID, JDBC, etc.), authorization (ACLs, RBAC, etc.), and some of the features specific to Spring Security (its session-fixation support, etc.). The first question that always comes up is who is the target audience for this? I read pretty much the whole book (I will admit I did skip a few XML definitions), and its definitely geared towards people who want a broad overview, and then want to jump straight into integrating the security they need (whether it be LDAP, X.509, etc.). If you're familiar with Spring, and don't care about the details or heavy customization, you could just straight to the specific chapter you're looking for and be done. I guess that makes this in many ways more of a cookbook style. They do go in-depth on some of the harder/less straightforward sections (i.e. authorization, ACLs, etc.).
Its very clear that the authors did significant research on each topic they presented (I was particularly impressed with their section on Jasig CAS). You never left a chapter thinking that they left something unexplored. On the other hand, sometimes the amount of information was overwhelming because its not something you would normally need. The authors sometimes struggled with the level of detail that they needed to provide, going in-depth on topics that would have been better left to the reader to use their favorite search engine to find more information about. In some instances, they overwhelmed the user with details on the harder way of doing something, when just introducing the simpler way would have been better.
Each chapter on authentication did a good job of giving a decent explanation of the authentication method itself (which is conceptually independent from Spring Security), the architecture of the feature, and how to configure it. If you were not reading this as a cookbook (i.e. just jumping to relevant chapters), but as a book to learn security concepts, I feel like it would be a decent primer on many of the various authentication methods, when they are useful, and their pros/cons.
The book does a good job of explaining some of the other features of Spring Security, detailing the myriad of options, trade-offs, and extension points. Reading the chapters on session fixation, remember-me, ACLs, I felt that I gained a good understanding on how they worked, how to configure them, and their trade-offs. The ACLs chapter was a bit overwhelming, but then that feature has been a bit of a mess since day 1. I have no plans on ever using JSF, so I skipped that section :-).
The one thing that did disappoint me on the book was that if you were a previous owner of the Spring Security 3 book, I didn't see much to make you want to go out and purchase this new book. I didn't find the appendix in the back of the book to be a compelling enough reason.
- In-depth coverage of each Spring Security topic, providing an overview, architecture, and configuration
- The details can help you make relevant/educated decisions beyond just Spring Security configuration
- Formatting issues in Kindle edition
- Sometimes the information is too overwhelming/irrelevant to learning Spring Security; could Google/Bing it if really wanted more information
- No compelling reason for Spring Security 3 owners to upgrade that I could see
Bottom line: if the Spring Security 3.1 reference guide published by SpringSource is not cutting it for you or you need some basic guidance on authentication/authorization techniques, this is probably your best choice. If you've already got an infrastructure in place, and you just need some basic copy/pasting of configuration, then this may be overkill.