For the last few months we’ve been working on a Spring Boot project and one of the more challenging aspects has been wrangling Spring’s security component. For the project, we were looking to authenticate users using a custom HTTP header that contained a token generated from a third party service. There don’t seem to be many concrete examples of how to set something like this up, so here are some notes from the trenches. Note: I’m still new to Spring so if any of this is inaccurate, let me know in the comments.
Concretely, what we’re looking to do is authenticate a user by passing a value in an X-Authorization HTTP header. So for example using cURL or jQuery:
In addition to ensuring that the token is valid, we also want to set up Spring Security so that we can access the user’s details using “SecurityContextHolder.getContext().getAuthentication()”. So how do you do this? Turns out, you need a couple of classes to make this work:
And finally, the last step is to wire this all up. You’ll need a class that extends WebSecurityConfigurerAdapter with two overridden configure methods to configure the filter and the authentication provider. For example, the following works at a bare minimum:
And then finally to access the authenticated user from a controller you’d do:
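A sketch of the pieces described above, added here as an example and not the original post's code. It assumes Spring Security 5.x (where WebSecurityConfigurerAdapter still exists) and the javax.servlet API; the class names and lookupUser are hypothetical, and building the filter on AbstractPreAuthenticatedProcessingFilter is this example's choice.

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.*;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.authentication.preauth.*;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

// Hypothetical filter: hands the X-Authorization value to the AuthenticationManager.
class TokenHeaderFilter extends AbstractPreAuthenticatedProcessingFilter {
    @Override protected Object getPreAuthenticatedPrincipal(HttpServletRequest req) {
        return req.getHeader("X-Authorization"); // null: the filter makes no attempt
    }
    @Override protected Object getPreAuthenticatedCredentials(HttpServletRequest req) {
        return "N/A";
    }
}
// Hypothetical provider: lookupUser stands in for the third-party token check.
class TokenAuthenticationProvider implements AuthenticationProvider {
    @Override public Authentication authenticate(Authentication auth) {
        String user = lookupUser((String) auth.getPrincipal());
        if (user == null) throw new BadCredentialsException("invalid X-Authorization token");
        return new PreAuthenticatedAuthenticationToken(user, "N/A", // raw token is not kept
                AuthorityUtils.createAuthorityList("ROLE_USER"));
    }
    @Override public boolean supports(Class<?> type) {
        return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(type);
    }
    private String lookupUser(String t) { return "constructed-demo-token".equals(t) ? "alice" : null; }
}
// The two overridden configure methods: one registers the provider, one the filter.
@Configuration
@EnableWebSecurity
class TokenSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(new TokenAuthenticationProvider());
    }
    @Override protected void configure(HttpSecurity http) throws Exception {
        TokenHeaderFilter filter = new TokenHeaderFilter();
        filter.setAuthenticationManager(authenticationManager());
        http.csrf().disable() // header token only, no cookie-backed session
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .addFilterBefore(filter, BasicAuthenticationFilter.class)
            .authorizeRequests().anyRequest().authenticated(); // refuse when no valid token
    }
}
```

With this wiring, SecurityContextHolder.getContext().getAuthentication().getName() in a controller returns the name the provider set. A request whose header is missing or rejected never gets an authenticated context and is refused by the anyRequest().authenticated() rule.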
Anyway, hope this helps and as mentioned above if there’s anything inaccurate feel free to post in the comments.
Posted In: General
Labor day has come and gone so summer is officially over. We sat down with our intern Phil to chat about his time interning at Setfive.
The environment here encouraged questions, and allowed me to ask and receive answers to anything I wanted to know more about. Some of the guys would even go out of their way to send me related documentation about something if they felt that they couldn’t confidently answer it themselves.
Working under the guys here was an incredible experience, I was given the freedom to make mistakes and figure out problems on my own, but at the same time was given sufficient structure to make consistent progress. It was awesome to have the comfort of knowing I had a smart, qualified person to guide me in the right direction if I ever got too stuck on any one problem.
The most important skill that I learned was definitely an improved conceptual understanding of MVC, and that while sometimes using this pattern slows down your programming, in the long run it helps you create readable, modular code.
I also learned that installation is just the worst.
The most memorable moment of the summer was the first time we used the Txty Jukebox in the office. It didn’t quite work the first time around; however, watching people use and get enjoyment out of something that I helped to create was something that I will never forget.
From here I definitely want to continue building custom applications. I’ve spent the last part of the summer teaching myself Objective-C, and the skills that I’ve learned here will definitely help me make the transition into developing iOS applications.
This summer we have an engineering intern from Tufts University (go Jumbos) joining the team. He’ll be working on internal projects including Rotorobot and a couple of new ideas. Here’s Phil in his own words.
Sure. I’m from Haverhill, MA originally so I’d call Boston home. I’m currently attending Tufts University and pursuing a BA in both Computer Science and Cognitive Science. At Tufts, I’m also working with the linguistics department on a couple of research projects surrounding the structure of the mental lexicon.
I’ve been playing Rugby at Tufts for the past few years so probably on the pitch, or maybe relaxing in my hammock with a book and an IPA.
The hardest parts about learning Symfony2 have been recognizing how the many components of the framework fit together, and allowing the framework to take care of some of the heavy lifting. It was a leap to go from hacking away with straight PHP to designing an application, keeping both structure and modularity in mind.
The computer science curriculum at Tufts has definitely helped me make the transition into real world programming. In particular, the course: Comp20 – Introduction to Web Development has given me exposure to the many tools that are used in the creation of web applications.
This summer I’m excited to learn more about back end programming, the SQL language in particular as well as learning Bash more in depth so I can improve my use of the shell.
My favorite lunch spot so far has definitely been Orinoco in Harvard Square. I will buy some of their hot sauce by the summer’s end.
For the uninitiated, Orinoco has an authentic Venezuelan hot sauce which has been known to destroy even veteran hot sauce connoisseurs. Here’s Phil deciding to take the plunge:
As we continue to expand in 2015 we’re looking to add another developer to our team. Currently we’re seeking a junior level engineer to join us! A few attributes of a person that we’re looking for:
A few of the perks:
For some more detailed information on the job please visit the posting. If you are, or know, a developer who is looking for a new opportunity let’s connect!
Recently we’ve been working with one of our clients to build an application for use with AppNexus. We were faced with a challenge which required a bunch of different technologies to all come together and work together. Below I’ll try to list out how we approached it and what additional challenges we faced.
First came the obvious challenge: How to handle at least 25,000 requests per second. Our usual language of choice is PHP and we knew it was not a good candidate for the project. Instead we wanted to do some benchmarks on a number of other languages and frameworks. We looked at Rusty/Nginx/Lua, Go, Scala, and Java. After some testing it appeared that Java was the best bet for us. We initially loaded up Jetty. We knew that this had a bit more baked in than we needed, but it was also the quickest way to get up and running and could be migrated away from fairly easily. The idea overall was to keep the parsing of the request logic separate from the business logic. In our initial tests we were able to get around 20,000 requests a second using Jetty, which was good, but we wanted better.
Jetty was great at breaking down the incoming HTTP requests into something easy to work with, and it even provided an out of the box general statistics package. However, we didn’t need much heavy lifting on the HTTP side; what we were building required very little complexity with regard to the HTTP protocol. Jetty in the end was spending too many CPU cycles for what we needed. We looked to Netty next.
Netty out of the box is not as friendly as Jetty as it is much lower level. That said, it wasn’t too much work to get Netty up and running responding to HTTP requests. We ported over most of the business logic from our Jetty code and were off to the races. We did have to add our own statistics layer as Netty didn’t have an embedded one for what we were looking for. After some fine tuning with Netty we were able to start to handle over 40,000 requests per second. This part of the puzzle was solved.
On our DB side we had heard great things about Aerospike in terms of performance and some of its features. We ended up using this on the backend. When we query Aerospike we have the timeout set at 3ms. We’ll get around one or two request timeouts per second, or about 0.0025% of the time we’ll time out, not too shabby. One of the nice features of Aerospike is the XDR function of the enterprise version. With this we can have multiple Aerospike clusters which all stay in sync from a master cluster. This lets us load our data onto one machine, which isn’t handling all the requests, and then it is replicated to the machines which are handling all the requests.
All in all we’ve had a great experience with the Netty and Aerospike integration. We’re able to consistently handle around 40,000 requests a second with the average response time (including network time) of 4ms.