Spring Lemon Commons Guide
spring-lemon-commons is second in the Spring Lemon module hierarchy. It includes spring-lemon-exceptions and adds some common features that are useful in other modules, which are discussed below.
Spring Lemon comes with LemonJwsService and LemonJweService, which are used for creating and parsing JWS and JWE tokens respectively. They use Nimbus JOSE + JWT under the hood.
LemonJwsService and LemonJweService aren't used directly in Spring Lemon. Instead, BlueTokenService and GreenTokenService, two interfaces implemented by LemonJwsService and LemonJweService respectively, are used.
Spring Lemon uses BlueTokenService for creating/parsing authorization tokens, and GreenTokenService for creating/parsing other tokens (like the forgot-password token). They are defined as beans in LemonCommonsAutoConfiguration, as below:

```java
@Bean
@ConditionalOnMissingBean(BlueTokenService.class)
public BlueTokenService blueTokenService(LemonProperties properties) throws JOSEException {
    return new LemonJwsService(properties.getJwt().getSecret());
}

@Bean
@ConditionalOnMissingBean(GreenTokenService.class)
public GreenTokenService greenTokenService(LemonProperties properties) throws KeyLengthException {
    return new LemonJweService(properties.getJwt().getSecret());
}
```
Noticed the @ConditionalOnMissingBean annotations above? So, if you want to replace the implementations, just define your own beans of those types.
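To show what the two token services do underneath, and why audience and expiry checks matter when one secret backs both kinds of token, here is an added example written for this guide (not Spring Lemon's own code) that calls Nimbus JOSE + JWT directly. The class name TokenDemo, the sample secret, the audience strings "auth" and "forgot-password", and the helper method names are all assumptions for the example:

```java
import java.nio.charset.StandardCharsets;
import java.util.Date;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.DirectDecrypter;
import com.nimbusds.jose.crypto.DirectEncrypter;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

public class TokenDemo {

    // Constructed sample secret: 32 bytes = 256 bits, the minimum Nimbus accepts for
    // HS256 and for dir/A128CBC-HS256 (shorter keys fail with KeyLengthException,
    // which is why the bean methods above declare it). Load a real one from config.
    private static final String SECRET = "0123456789abcdef0123456789abcdef";

    private static JWTClaimsSet claims(String audience, String subject, long ttlMillis) {
        Date now = new Date();
        return new JWTClaimsSet.Builder()
                .audience(audience)
                .subject(subject)
                .issueTime(now)
                .expirationTime(new Date(now.getTime() + ttlMillis))
                .build();
    }

    // JWS: the payload is only base64url-encoded; the signature protects integrity, not secrecy.
    static String createJws(String audience, String subject, long ttlMillis) throws JOSEException {
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256),
                                      claims(audience, subject, ttlMillis));
        jwt.sign(new MACSigner(SECRET));
        return jwt.serialize();
    }

    static JWTClaimsSet parseJws(String token, String expectedAudience) throws Exception {
        SignedJWT jwt = SignedJWT.parse(token);
        if (!jwt.verify(new MACVerifier(SECRET)))
            throw new SecurityException("invalid signature");
        return checkClaims(jwt.getJWTClaimsSet(), expectedAudience);
    }

    // JWE with direct symmetric encryption: the claims are hidden from the token holder as well.
    static String createJwe(String audience, String subject, long ttlMillis) throws JOSEException {
        EncryptedJWT jwt = new EncryptedJWT(
                new JWEHeader(JWEAlgorithm.DIR, EncryptionMethod.A128CBC_HS256),
                claims(audience, subject, ttlMillis));
        jwt.encrypt(new DirectEncrypter(SECRET.getBytes(StandardCharsets.UTF_8)));
        return jwt.serialize();
    }

    static JWTClaimsSet parseJwe(String token, String expectedAudience) throws Exception {
        EncryptedJWT jwt = EncryptedJWT.parse(token);
        // decrypt() also authenticates the ciphertext, so a tampered token throws here
        jwt.decrypt(new DirectDecrypter(SECRET.getBytes(StandardCharsets.UTF_8)));
        return checkClaims(jwt.getJWTClaimsSet(), expectedAudience);
    }

    // Audience and expiry are checked on every parse, so a token minted for one purpose
    // (e.g. forgot-password) cannot be presented where an authorization token is expected.
    private static JWTClaimsSet checkClaims(JWTClaimsSet claims, String expectedAudience) {
        if (claims.getAudience() == null || !claims.getAudience().contains(expectedAudience))
            throw new SecurityException("wrong audience");
        if (claims.getExpirationTime() == null || claims.getExpirationTime().before(new Date()))
            throw new SecurityException("token expired");
        return claims;
    }

    public static void main(String[] args) throws Exception {
        String auth = createJws("auth", "alice@example.com", 60_000);
        System.out.println("subject: " + parseJws(auth, "auth").getSubject());

        String reset = createJwe("forgot-password", "alice@example.com", 60_000);
        try {
            parseJwe(reset, "auth");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Both bean methods above hand the same secret to both services, so the only thing that keeps a forgot-password token from being accepted as an authorization token is the audience check; keep it inside the parse path rather than leaving it to callers. A JWS body is readable by anyone who holds the token, which is why claims that should stay private belong in a JWE.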
Do you know that Spring Security provides a hasPermission expression, which can be used as below:

```java
@PreAuthorize("hasPermission(#fooParam, 'xyz')")
public void doSomething(Foo fooParam) {
    ...
}
```

The above would ensure that the current user has the xyz permission for the fooParam object – otherwise an AccessDeniedException would be thrown.
But for this to work, you'll need to provide an implementation of the PermissionEvaluator interface. LemonPermissionEvaluator is such an implementation that Spring Lemon comes with, which delegates the task to a hasPermission method of the object under check. So, the object under check (Foo in the above case) should implement PermissionEvaluatorEntity, thus having a hasPermission method.

For more details, look at the source code of LemonPermissionEvaluator, as well as the AbstractUser.hasPermission and AbstractDocument.hasPermission methods.
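An added example, not Spring Lemon's code, of the delegation pattern described above. PermissionEvaluatorEntity is written here with an assumed signature that takes a Spring Security Authentication (the real interface may pass a different user type), and the Note class, the permission names and DelegatingPermissionEvaluator are constructed for the illustration:

```java
import java.io.Serializable;
import java.util.List;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;

/**
 * Assumed stand-in for Spring Lemon's PermissionEvaluatorEntity (the real interface's
 * signature may differ): the domain object answers the permission question itself.
 */
interface PermissionEvaluatorEntity {
    boolean hasPermission(Authentication currentUser, String permission);
}

/** Constructed domain object: anyone authenticated may "read", only the owner may "edit". */
class Note implements PermissionEvaluatorEntity {
    private final String ownerName;

    Note(String ownerName) { this.ownerName = ownerName; }

    @Override
    public boolean hasPermission(Authentication currentUser, String permission) {
        if (currentUser == null || !currentUser.isAuthenticated())
            return false;
        switch (permission) {
            case "read": return true;
            case "edit": return ownerName.equals(currentUser.getName());
            default:     return false;   // unknown permission names are denied, not ignored
        }
    }
}

/** Delegating evaluator in the style the guide describes for LemonPermissionEvaluator. */
public class DelegatingPermissionEvaluator implements PermissionEvaluator {

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        // Deny by default: a null target, a target that cannot evaluate itself,
        // or a non-String permission must never pass the check.
        if (!(target instanceof PermissionEvaluatorEntity) || !(permission instanceof String))
            return false;
        return ((PermissionEvaluatorEntity) target).hasPermission(auth, (String) permission);
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        // The hasPermission(#id, 'Type', 'perm') form is not supported here, so deny.
        return false;
    }

    public static void main(String[] args) {
        // The three-argument constructor marks the token as authenticated.
        Authentication alice = new UsernamePasswordAuthenticationToken("alice", null, List.of());
        Authentication bob   = new UsernamePasswordAuthenticationToken("bob", null, List.of());
        Note note = new Note("alice");
        PermissionEvaluator evaluator = new DelegatingPermissionEvaluator();

        System.out.println("alice edit: " + evaluator.hasPermission(alice, note, "edit"));
        System.out.println("bob edit:   " + evaluator.hasPermission(bob, note, "edit"));
        System.out.println("bob read:   " + evaluator.hasPermission(bob, note, "read"));
        // a target that is not a PermissionEvaluatorEntity is denied rather than skipped
        System.out.println("plain obj:  " + evaluator.hasPermission(bob, "not an entity", "read"));
    }
}
```

The two branches that return false are the ones worth keeping an eye on: an object that does not implement the entity interface, and the id-based hasPermission(#id, 'Type', 'perm') form, must both deny rather than fall through. In plain Spring Security 5 such an evaluator is registered through DefaultMethodSecurityExpressionHandler.setPermissionEvaluator(...).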
LemonPrincipal is the class that holds the Spring Security principal. To be able to support both form as well as OAuth2/OIDC logins, it implements both UserDetails and OidcUser.
UserDto is meant for holding current user data. It's also used as the return value in some of the Spring Lemon endpoints.
All Spring Lemon related properties are injected into the LemonProperties bean.
AbstractAuditorAware is a base implementation of Spring Data's AuditorAware, which is sub-classed in specific modules. Notice that it expects an IdConverter bean, which is also provided by those specific modules.
Spring Lemon Commons comes with a bunch of exception handlers, which are coded in the com.naturalprogrammer.spring.lemon.commons.exceptions.handlers package.
Spring Lemon sends mails by using a bean that implements its MailSender interface. It comes with a couple of implementations, viz. MockMailSender and SmtpMailSender. These are configured in LemonCommonsAutoConfiguration, as below:

```java
@Bean
@ConditionalOnMissingBean(MailSender.class)
@ConditionalOnProperty(name="spring.mail.host", havingValue="foo", matchIfMissing=true)
public MailSender<?> mockMailSender() {
    return new MockMailSender();
}

@Bean
@ConditionalOnMissingBean(MailSender.class)
@ConditionalOnProperty("spring.mail.host")
public MailSender<?> smtpMailSender(JavaMailSender javaMailSender) {
    return new SmtpMailSender(javaMailSender);
}
```
So, providing SMTP configuration properties in your application will have the SmtpMailSender configured. Otherwise the MockMailSender will be configured, which just writes the mail to the log. As with most other Spring Lemon beans, providing your own will replace Spring Lemon's.
Spring Lemon supports Google reCAPTCHA v2 validation by providing a @Captcha constraint, which can be used in a command object as below:

```java
public class SignupForm {
    ...
    @Captcha
    private String captchaResponse;
}
```
To understand how it works, have a look at CaptchaValidator, AbstractUser and the demo projects.
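As an added illustration of what a captcha constraint has to do (example code written for this guide, not Spring Lemon's CaptchaValidator), here is a Bean Validation constraint and validator that verify a reCAPTCHA v2 response against Google's siteverify endpoint. The annotation is a constructed stand-in for @Captcha, the class RecaptchaValidator and the environment variable names are assumptions, and javax.validation is used as in Spring Boot 2:

```java
import java.io.IOException;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Duration;

import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.Payload;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

/** Constructed stand-in for the @Captcha constraint; Spring Lemon's own annotation may differ. */
@Target(ElementType.FIELD)
@Retention(RetentionPolicy.RUNTIME)
@Constraint(validatedBy = RecaptchaValidator.class)
@interface Captcha {
    String message() default "Captcha verification failed";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

public class RecaptchaValidator implements ConstraintValidator<Captcha, String> {

    // Google's documented server-side verification endpoint for reCAPTCHA v2.
    private static final URI VERIFY_URL = URI.create("https://www.google.com/recaptcha/api/siteverify");

    private final HttpClient http = HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(5)).build();
    private final ObjectMapper json = new ObjectMapper();
    private final String secretKey;     // server-side reCAPTCHA secret (assumed to come from config)
    private final String expectedHost;  // hostname the site key is registered for; null skips the check

    public RecaptchaValidator(String secretKey, String expectedHost) {
        this.secretKey = secretKey;
        this.expectedHost = expectedHost;
    }

    // Bean Validation instantiates validators reflectively, so a no-arg constructor is needed;
    // the environment variable names are assumptions for this example.
    public RecaptchaValidator() {
        this(System.getenv("RECAPTCHA_SECRET"), System.getenv("RECAPTCHA_HOST"));
    }

    @Override
    public boolean isValid(String captchaResponse, ConstraintValidatorContext context) {
        // A missing token is a failed challenge, not "nothing to validate";
        // a missing secret is a misconfiguration and also fails closed.
        if (captchaResponse == null || captchaResponse.isBlank() || secretKey == null)
            return false;
        try {
            String form = "secret=" + encode(secretKey) + "&response=" + encode(captchaResponse);
            HttpRequest request = HttpRequest.newBuilder(VERIFY_URL)
                    .timeout(Duration.ofSeconds(5))
                    .header("Content-Type", "application/x-www-form-urlencoded")
                    .POST(HttpRequest.BodyPublishers.ofString(form))
                    .build();
            HttpResponse<String> response = http.send(request, HttpResponse.BodyHandlers.ofString());
            return accept(json.readTree(response.body()));
        } catch (IOException e) {
            return false;                      // fail closed when the verification service is unreachable
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return false;
        }
    }

    /** Decision on the siteverify reply, kept separate so it can be unit-tested on canned JSON. */
    boolean accept(JsonNode reply) {
        if (!reply.path("success").asBoolean(false))
            return false;
        // siteverify reports the hostname on which the challenge was solved; a token solved on
        // another site using the same site key should not be accepted here.
        return expectedHost == null || expectedHost.equals(reply.path("hostname").asText());
    }

    private static String encode(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }
}
```

Two decisions in isValid are deliberate: a blank response fails rather than passes, and any transport error fails closed. The hostname comparison covers the case where the same site key is reused on another host, and the decision logic sits in accept() so it can be tested with a canned JSON reply without network access.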
Spring Lemon Commons also comes with a couple more validation constraints, viz. @Password and @RetypePassword. To know more, peep inside the com.naturalprogrammer.spring.lemon.commons.validation package.
Last but not least, do have a look at the LecUtils class! It has many handy utility methods.