Sunday, December 16, 2007

The Spring Experience 2007: Day 3

Last day of the conference, with some very specific sessions that I wanted to attend. The first one was on What's New In Spring Security 2 with Ben Alex, the founder of the "It's not called Acegi anymore" framework for securing Spring-based applications. Having first-hand experience with the framework, I wanted to see what's in the pipeline for version 2 (I think the final version is scheduled for March 2008). The first big noticeable enhancement is on the configuration side of things. While any Spring-based XML configuration file can be very verbose, it is particularly the case in version 1 of the framework, where just about everything has to be set. In version 2 a lot of the security behaviour is set by default. Using a Spring XML schema DSL, a typical Spring Security 2 configuration file is a lot more concise. Another noticeable change that will be useful to us is the out-of-the-box support for NTLM. I'll come back to Spring Security when I cover the Securing Portlets session later on.

The next session was on RESTful Web Services. Arjen Poutsma, who is heading the Spring WS project, covered the basics behind RESTful web applications. Unfortunately the echo in the room coupled with his accent made it very difficult to understand what he said from the back. But the presentation slides were clear enough to get a good overview of RESTful applications. It certainly confirmed to me why it is a good idea to decouple XSD from WSDL in web services projects so that it is easy to migrate a traditional SOAP web service into a RESTful one. Having said that, the presentation didn't really cover REST web services from the point of view of the Spring WS project, more from a Spring MVC point of view (with annotations).

The first afternoon session was on Spring OSGi, with an overview of OSGi and then of the Spring Dynamic Modules project. You can easily detect when there is buzz behind new technology by just looking at the attendance numbers, and the room was packed, with some people having to stand up, showing how interested in OSGi Spring developers are. There is certainly a lot of interesting technology there, and it was demonstrated how a simple service object can be made an OSGi-compliant service. The service was then injected into another Spring object. The proxy to the OSGi service can detect when the bundle is stopped/restarted and effectively waits until the backend service is ready to serve the call. It was an impressive demonstration when a simple web application could be patched without having to restart anything (not even the whole webapp itself, so it is a lot more powerful than just a WAR hot deploy). All the Spring modules in Spring 2.5 are already OSGi compliant. My only concern is the level of adoption for OSGi in the container marketplace, but I think that Spring itself will be the drive for its adoption.

The last session was on Securing Portlets with Spring Security by John Lewis. There were no more than 20 people attending and I wasn't sure whether it was because it was the last session slot and people were trying to catch their flight or whether it was a reflection of usage/interest in the community. But John was giving a very confident and clear presentation and I got the chance to ask some questions in the Q&A section. Our requirement, to separate the portal system from a backend service system, both potentially running on different boxes, was a familiar one to him. Yet it remains possibly the biggest challenge in implementing security across the various tiers, as credentials have to be passed around in an SSO-type environment. We use Liferay and JBoss, both separate systems, and have had to configure Liferay authentication so that the SSO token can be passed throughout as part of the SecurityContext lifecycle. Not very straightforward when it is not guaranteed that the SSO token can be inferred from the Portlet session. So I got to talk to John and Ben on all that at the end of the session.

With the conference ending and no sign of a free iPhone to take back with me I still had plenty else, both in terms of freebies (a cool book from the No Fluff Just Stuff guys) and experience. I got to think about integration and clustering and I have got lots of cool ideas I'd like to prototype and implement when I'm back. But more than anything I got to meet some really cool people, that I will keep in touch with, and I got to realise how much penetration Spring now has in the enterprise and how it is just the beginning.

Will I come back to the Spring Experience? Hell yes, if I can!
