Pro Spring Security
Securing Spring Framework 6 and Boot 3-based Java Applications
Third Edition

Massimo Nardone
Carlo Scarioni
Pro Spring Security: Securing Spring Framework 6 and Boot 3-based Java Applications, Third Edition
Massimo Nardone, Helsinki, Finland
Carlo Scarioni, Surbiton, UK

ISBN-13 (pbk): 979-8-8688-0034-4
ISBN-13 (electronic): 979-8-8688-0035-1
https://doi.org/10.1007/979-8-8688-0035-1

Copyright © 2024 by Massimo Nardone, Carlo Scarioni

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with
every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an
editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the
trademark.
The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not
identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to
proprietary rights.
While the advice and information in this book are believed to be true and accurate at the date of publication,
neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or
omissions that may be made. The publisher makes no warranty, express or implied, with respect to the
material contained herein.
Managing Director, Apress Media LLC: Welmoed Spahr
Acquisitions Editor: Melissa Duffy
Development Editor: Laura Berendson
Coordinating Editor: Gryffin Winkler
Copy Editor: Kim Burton
Cover designed by eStudioCalamar
Cover image by Manuel Torres Garcia from Pixabay
Distributed to the book trade worldwide by Apress Media, LLC, 1 New York Plaza, New York, NY 10004,
U.S.A. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail orders-ny@springer-sbm.com, or visit
www.springeronline.com. Apress Media, LLC is a California LLC and the sole member (owner) is Springer
Science + Business Media Finance Inc (SSBM Finance Inc). SSBM Finance Inc is a Delaware corporation.
For information on translations, please e-mail booktranslations@springernature.com; for reprint,
paperback, or audio rights, please e-mail bookpermissions@springernature.com.
Apress titles may be purchased in bulk for academic, corporate, or promotional use. eBook versions and
licenses are also available for most titles. For more information, reference our Print and eBook Bulk Sales
web page at http://www.apress.com/bulk-sales.
Any source code or other supplementary material referenced by the author in this book is available to
readers on GitHub (https://github.com/Apress). For more detailed information, please visit
https://www.apress.com/gp/services/source-code.
Paper in this product is recyclable
I would like to dedicate this book to the memory of my beloved late
mother, Maria Augusta Ciniglio. Thanks, Mom, for all the great things
you have taught me, for making me a good person, for making me
study to become a computing scientist, and for the great memories you
left me. You will be loved and missed forever. I love you, Mom. RIP.
—Massimo
Table of Contents

About the Authors ........ ix
About the Technical Reviewer ........ xi
Acknowledgments ........ xiii
Introduction ........ xv

Chapter 1: The Scope of Security ........ 1
    The Network Security Layer ........ 4
    The Operating System Layer ........ 5
    The Application Layer ........ 5
        Authentication ........ 6
        Authorization ........ 7
        ACLs ........ 9
    Authentication and Authorization: General Concepts ........ 9
    What to Secure ........ 14
    Additional Security Concerns ........ 15
    Java Options for Security ........ 17
    Summary ........ 19

Chapter 2: Introducing Spring Security ........ 21
    What Is Spring Security? ........ 21
    Where Does Spring Security Fit In? ........ 23
    Spring Security Overview ........ 26
        What Is Spring Boot? ........ 28
    Spring Framework 6: A Quick Overview ........ 29
        JDK 17+ and Jakarta EE 9+ Baseline ........ 30
        General Core Revision ........ 30
        Core Container ........ 30
        Data Access and Transactions ........ 31
        Spring Messaging ........ 32
        General Web Revision ........ 32
        Spring MVC ........ 32
        Spring WebFlux ........ 32
        Observability ........ 33
        Pattern Matching ........ 33
        Testing ........ 34
        Dependency Injection ........ 34
        Aspect-Oriented Programming ........ 36
    What’s New in Spring Security 6? ........ 38
    Summary ........ 44

Chapter 3: Setting up the Scene ........ 45
    Setting up the Development Environment ........ 45
    Creating a New Java Web Application Project ........ 52
    Adding Spring Security 6 to the Java Project ........ 57
        Spring Security 6 Source ........ 58
    Configuring the Spring Security 6 Web Project ........ 65
    Summary ........ 74

Chapter 4: Spring Security Architecture and Design ........ 75
    What Components Make up Spring Security? ........ 75
        The 10,000-Foot View ........ 75
        The 1,000-Foot View ........ 76
        The 100-Foot View ........ 77
    Good Design and Patterns in Spring Security ........ 116
        Strategy Pattern ........ 117
        Decorator Pattern ........ 117
        SRP ........ 118
        DI ........ 118
    Summary ........ 118

Chapter 5: Web Security ........ 121
    Configuring the new Spring Security 6 Project ........ 126
    The Special URLs ........ 142
        Custom Login Form ........ 143
        Basic HTTP Authentication ........ 150
        Digest Authentication ........ 152
        Remember-Me Authentication ........ 155
        Logging Out ........ 158
        Session Management ........ 161
    Summary ........ 167

Chapter 6: Configuring Alternative Authentication Providers ........ 169
    LDAP Authentication ........ 185
        Using an Embedded LDAP ........ 186
    X.509 Authentication ........ 198
    OAuth 2.0 ........ 200
    JSON Web Token ........ 201
    Spring WebSocket ........ 202
    Java Authentication and Authorization Service ........ 203
    Central Authentication Service ........ 203
    Summary ........ 204

Chapter 7: Business Object Security with ACLs ........ 205
    ACL Key Concepts ........ 205
    Summary ........ 210

Chapter 8: Open Authorization 2.0 (OAuth 2.0) and Spring Security ........ 211
    An Introduction to OAuth 2.0 ........ 211
        OAuth 2.0 Security ........ 213
        Integrating OAuth 2.0 with Spring Security ........ 214
        OAuth 2.0 Login ........ 217
    Summary ........ 238

Chapter 9: JSON Web Token (JWT) Authentication ........ 239
    The REST API ........ 239
        Introduction to JSON Web Token ........ 242
    Summary ........ 279

Index ........ 281

About the Authors
Massimo Nardone has more than 27 years of experience
in information and cybersecurity for IT/OT/IoT/IIoT,
web/mobile development, cloud, and IT architecture. His
true IT passions are security and Android. He has been
programming and teaching how to program with Android,
Perl, PHP, Java, VB, Python, C/C++, and MySQL for more
than 27 years. He holds an MSc degree in computing
science from the University of Salerno, Italy. Throughout
his working career, he has held various positions, starting
as a programming developer, then security teacher, PCI
QSA, auditor, assessor, lead IT/OT/SCADA/cloud architect,
CISO, BISO, executive, program director, and OT/IoT/IIoT security
competence leader.
In his last working engagement, he worked as a seasoned cyber and information
security executive, CISO and OT, IoT and IIoT Security competence Leader, helping
many clients to develop and implement Cyber, Information, OT, and IoT security
activities.
His technical skills include security, OT/IoT/IIoT, Android, cloud, Java, MySQL,
Drupal, Cobol, Perl, web and mobile development, MongoDB, D3, Joomla!, Couchbase,
C/C++, WebGL, Python, Pro Rails, Django CMS, Jekyll, and Scratch. He has served as a
visiting lecturer and exercises supervisor at the Helsinki University of Technology (Aalto
University) Networking Laboratory.
He stays current with industry and security trends and is a board member of the
ISACA Finland chapter, ISF, the Nordic CISO Forum, and the Android Global Forum.
He holds four international patents (PKI, SIP, SAML, and Proxy areas). He currently
works as a cybersecurity freelancer for IT/OT and IoT. Massimo has reviewed more than
55 IT books for different publishers and has coauthored Pro JPA 2 in Java EE 8 (Apress,
2018), Beginning EJB in Java EE 8 (Apress, 2018), and Pro Android Games (Apress, 2015).


Carlo Scarioni is a passionate software developer, motivated
by learning and applying innovative and interesting software
development tools, techniques, and methodologies. He
has worked in the field for more than 18 years and moved
across multiple languages, paradigms, and subject areas.
He also has many years of experience working with Java
and its ecosystem. He has been in love with Spring since
the beginning, and he is fascinated by how Spring allows
building complex applications out of discrete, focused
modules and by the clever use of decorators to add cross-
cutting functionalities. He has worked mostly with data
engineering solutions in the last few years. He has been creating solutions around the
use of modern data stack components in cloud environments while at the same time
developing software using technologies such as Spark, Python, and others.

About the Technical Reviewer
Mario Faliero is a telecommunication engineer and
entrepreneur. He has more than ten years of experience in
radio frequency hardware engineering. Mario has extensive
experience in numerical coding, using scripting languages
(MatLab, Python) and compiled languages (C/C++, Java).
He has been responsible for developing electromagnetic
assessment tools for space and commercial applications.
Mario received his master’s degree from the University
of Siena.

Acknowledgments
Many thanks go to my wonderful family for supporting me while I was working on this
book. Luna, Leo, and Neve, you are the most beautiful reason of my life.
I want to thank my beloved late mother, Maria Augusta Ciniglio, who always
supported and loved me so much. I will love and miss you forever, my dearest mom.
Thanks to my beloved father, Giuseppe, and my brothers, Mario and Roberto, for
your endless love and for being the best dad and brothers in the world.
Many thanks to Melissa Duffy for giving me the opportunity to work as a writer on
this book, Shonmirin P. A. for doing such a great job during the editorial process and
supporting me, and Laura Berendson, development editor, for helping me to make it a
better book.
—Massimo Nardone

Introduction
Denying the impact of the Spring Framework in the Java world would be simply
impossible. Spring has brought so many advantages to Java developers that we could say
it has made us all better developers.
The previous version of this book utilized Spring Security 5. Therefore, in this new
edition of the book, it is very important to note the most important changes from version
5 to version 6.
Spring Framework 6.0 was released on November 16, 2022. It came with a Java
17+ baseline and a move to Jakarta EE 9+ (in the Jakarta namespace), focusing on
the recently released Jakarta EE 10 APIs such as Servlet 6.0 and JPA 3.1. The core
building blocks of the current Spring version, dependency injection and aspect-oriented
programming, apply widely to many business and infrastructure concerns, and
application security certainly benefits from them. In version 6, Spring Security remains
an application-level security framework built on top of the powerful Spring Framework;
it deals mainly with the core security concepts of authentication and authorization,
which remain its fundamental functionalities.
Spring Security aims to be a full-featured security solution for your Java applications.
Although its focus is on web applications and the Java programming language, you will
see that it goes beyond these two domains.
Among the changes in this version, the baseline for Spring Boot 3 and
Spring Security 6 is Java 17.
Also, the WebSecurityConfigurerAdapter class, previously used to configure security
settings, was deprecated in version 6 in favor of a more component-based approach in
which you create a bean of type SecurityFilterChain.
authorizeRequests() was also deprecated and replaced with authorizeHttpRequests(),
and in Spring Security 6, antMatchers(), mvcMatchers(), and regexMatchers() were deprecated
and replaced by requestMatchers() or securityMatchers() for path-based access control.
Also, in version 6, some updates were done using OAuth 2.0 and SAML 2.0.
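The component-based configuration style described above, as an added example (not code from the book or from the Spring project): two SecurityFilterChain beans in the Spring Security 6 style, with securityMatcher() choosing which chain handles a request and requestMatchers() defining the authorization rules inside it. The package name, URL paths, and sample users are assumptions.

```java
package com.example.security; // hypothetical package, not from the book

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

// Spring Security 5 style, deprecated and superseded in version 6:
//
//   public class OldSecurityConfig extends WebSecurityConfigurerAdapter {
//       @Override
//       protected void configure(HttpSecurity http) throws Exception {
//           http.authorizeRequests()
//               .antMatchers("/admin/**").hasRole("ADMIN")
//               .anyRequest().authenticated()
//               .and().formLogin();
//       }
//   }
//
// Spring Security 6 style: no adapter subclass, just SecurityFilterChain beans.
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Chain 1: only requests under /api/** are routed to this chain.
    // securityMatcher() decides WHICH chain applies; it is not an authorization rule.
    @Bean
    @Order(1)
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            // authorizeHttpRequests() replaces the deprecated authorizeRequests().
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // Chain 2: catches every request not claimed by a higher-priority chain.
    // requestMatchers() replaces antMatchers()/mvcMatchers()/regexMatchers()
    // and sets the access rules WITHIN the chain.
    @Bean
    @Order(2)
    SecurityFilterChain webFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/public/**", "/css/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .logout(Customizer.withDefaults());
        return http.build();
    }

    // Delegating encoder stores hashes with an {id} prefix (bcrypt by default),
    // so the hashing algorithm can be upgraded later without breaking old records.
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Constructed sample users for the example only; a real application would
    // back UserDetailsService with a database or directory instead.
    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
            User.withUsername("user")
                .password(encoder.encode("user-password"))
                .roles("USER")                 // stored as ROLE_USER
                .build(),
            User.withUsername("admin")
                .password(encoder.encode("admin-password"))
                .roles("USER", "ADMIN")        // hasRole("ADMIN") matches ROLE_ADMIN
                .build());
    }
}
```

Because the chains are evaluated in @Order sequence, a request to /api/admin/report is handled only by apiFilterChain and is never seen by the rule set of webFilterChain.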


In writing this book, we wanted to expose some of Spring Security’s internal workings
along with standard explanations of how to use certain features. The idea is to teach
beyond the basics of how to do something in particular and instead focus on the
plumbing inside the framework. This is the best way to learn something: seeing how it
is built in the core. That’s not to say that the book doesn’t cover basic setups and gives
quick, practical advice on using the framework because it certainly does. The point is
that instead of saying, “Use this to do that,” we say, “This works like this… and this allows
you to….” This is a point of view that only tools like Spring can afford (because they are
open source).
With that said, we suggest that the best way to use this book is to have the Spring
Security source code checked out on your computer and go through the examples
with both the code from the book and the code from Spring Security itself. This will
help you understand each concept as it is introduced and teach more than one good
programming trick and good practice. We recommend this approach for studying
any software whenever you have the chance. If the source code is out there, grab it.
Sometimes, a couple of lines of code teach more than a thousand words. This book
primarily introduces Spring Boot 3, analyzes Spring Framework, and develops Java web
applications with Spring Security 6 and Java 17/20.
Also, Spring Security 6 supports many different authentication mechanisms, which
are introduced and developed in this book, including the H2 and PostgreSQL databases,
LDAP, X.509, OAuth 2.0, JWT, JAAS, and CAS.

Who This Book Is For

This book is written mainly for Java developers who use Spring in their work and need to
add security to their applications in a way that leverages Spring’s proven concepts and
techniques. The book will also be helpful to developers who want to add web-layer security
to their applications, even if those applications are not fully Spring-powered at their core.
The book assumes you have knowledge of Java and some of its tools and libraries, such
as Servlet, Maven, OAuth 2.0, and JWT. It also assumes that you know what you want to
use security for and in what context you want to use it. This means, for example, we won’t
explain protocols like LDAP in depth; instead, we’ll concentrate on showing you how to
integrate Spring Security with an LDAP user store. An in-depth knowledge of Spring is not
essential because many of the concepts are introduced as we go along, but the more you
understand about Spring, the more you are likely to get out of this book.


How This Book Is Structured

The book is divided into nine chapters that embody a progressive study of Spring
Security. Starting from a summary of basic applications and an explanation of how the
framework is structured, the content moves on to more advanced topics, such as using
Spring Security in different JVM languages. The book follows a sequence corresponding
to how this framework is normally used in real life.
The chapters in the book cover the following.

• Chapter 1 introduces security in general and how to approach security problems at the application level.

• Chapter 2 introduces Spring Security 6, how to use it, when to use it, and its security functionalities.

• Chapter 3 introduces Spring Security with a simple example application that secures web access at the URL level.

• Chapter 4 provides a full introduction to the architecture of Spring Security, including the main components and how they interact with each other.

• Chapter 5 gives in-depth coverage of the web-layer security options available in Spring Security.

• Chapter 6 covers a wide array of authentication providers, including H2 DB, LDAP, and JAAS, which can be plugged into Spring Security.

• Chapter 7 covers access control lists (ACLs), which are used to secure individual domain objects, and how they fit into the general security concerns.

• Chapter 8 explains how to develop an application using Open Authorization 2.0 (OAuth 2.0) Login and Spring Security Customization.

• Chapter 9 shows how to integrate Spring Security into JSON Web Token (JWT) authentication.


Prerequisites
The examples in this book are all built with Java 17 and Maven 3.9.2. The latest Spring
versions are used if possible. Spring Security 6 is the version used throughout the book.
Tomcat Web Server 10 is used for the different web applications in the book, mainly
through its Maven plugin. The laptop is a ThinkPad Yoga 360 with 8 GB of RAM. All the
projects were developed using IntelliJ IDEA Ultimate 2023.2.
You are free to use your own tools and operating system. Because everything is Java-based,
you should be able to compile your programs on any platform without problems.

Downloading the Code

Any source code or other supplementary material referenced by the author in this book
is available to readers on GitHub (https://github.com/Apress). For more detailed
information, please visit www.apress.com/gp/services/source-code.

Contacting the Authors

You are more than welcome to send us any feedback regarding this book or any other
subject we might help you with. You can contact Massimo Nardone via email at
massimonardonedevchannel@gmail.com and Carlo Scarioni via his blog at
http://cscarioni.blogspot.com, or you can send him email at carlo.scarioni@gmail.com.

CHAPTER 1

The Scope of Security

Security. It is an incredibly overloaded word in the IT, OT, and IoT world. It means so
many different things in many different contexts, but in the end, it is all about protecting
sensitive and valuable resources against malicious usage.
IT has many layers of infrastructure and code that can be subject to malicious
attacks, and arguably, you should ensure that all these layers get the appropriate levels of
protection.
In operational technology (OT), where systems were historically isolated from
external networks and operated independently, the increasing connectivity and
integration of OT systems with information technology (IT) networks and the Internet
have significantly increased the risk of cyberattacks targeting these systems. OT security aims
to address these risks and protect against threats that could disrupt operations, cause
physical damage, or impact public safety.
In the Internet of Things (IoT), security refers to the measures and practices
implemented to protect the interconnected devices, networks, and data associated with
IoT systems, such as networks of physical objects or “things” embedded with sensors,
software, and connectivity to exchange data and perform various tasks. These objects
range from household appliances and wearable devices to industrial machinery and
infrastructure. Given the proliferation of IoT devices and their increasing integration into
various domains, securing IoT systems is critical to mitigate potential risks and protect
the privacy, integrity, and availability of their data and services.
The growth of the Internet and the pursuit of reaching more people with our
applications have opened more doors to cyber criminals trying to access these
applications illegitimately.
It is also true that good care is not always taken to ensure that a properly secured set
of services is offered to the public. And sometimes, even when good care is taken, some
hackers are still smart enough to overcome security barriers that, superficially, appear
adequate.
The first step is to define a defense-in-depth strategy and security layers.

© Massimo Nardone, Carlo Scarioni 2024
M. Nardone and C. Scarioni, Pro Spring Security, https://doi.org/10.1007/979-8-8688-0035-1_1
Chapter 1 The Scope of Security

Defense in depth (also known as DiD) is a security strategy that involves implementing multiple layers of defense to protect a system or network from potential threats. It aims to provide a comprehensive and resilient security posture by incorporating various security measures at different levels, such as physical, technical, and administrative controls.
The defense-in-depth concept recognizes that no single security measure is fool-­
proof, and relying on a single layer of defense can leave vulnerabilities. By employing
multiple layers, other layers can still provide protection even if one is breached or
compromised.
In practice, a defense-in-depth strategy can include a combination of measures such
as firewalls, intrusion detection systems, encryption, access controls, strong authentication
mechanisms, security awareness training, regular system updates and patching, network
segmentation, and physical security measures like locked doors and security cameras.
These layers collectively create a more robust and resilient security infrastructure.
The goal of a defense-in-depth strategy is to increase the difficulty for attackers,
making it harder for them to penetrate a system and move deeper into the network.
Requiring attackers to overcome multiple barriers increases the likelihood of detection
and mitigation, reducing the potential impact of a successful attack. Overall, it is a
proactive approach to security that emphasizes multiple layers of protection, reducing
the risk of successful attacks and minimizing the potential damage they can cause.
In general, a defense-in-depth strategy defines how the cybersecurity of the IT infrastructure is built: how all the defensive mechanisms are layered to protect and secure data and information. A failing or weak defense-in-depth strategy can leave the IT infrastructure open to a cyberattack.
Let’s try to understand a bit more about defense-in-depth mechanisms. First, there
are three major controls.

• Physical controls are security measures that aim to protect the physical infrastructure and assets. They include surveillance cameras, access controls (such as locks and biometric systems), perimeter fencing, security guards, and intrusion detection systems.

• Perimeter security focuses on securing the boundary between the internal network and the external environment. It involves firewalls, intrusion prevention systems (IPS), and demilitarized zones (DMZs) to filter and monitor network traffic, control access, and prevent unauthorized entry.


• Network security measures aim to protect the internal network infrastructure. They include technologies such as network segmentation, virtual private networks (VPNs), intrusion detection systems (IDS), and IPS to detect and prevent unauthorized access, monitor network traffic, and detect and respond to potential threats.

• Identity and access management (IAM) controls ensure that only authorized individuals can access systems and resources. This includes strong authentication mechanisms like passwords, two-factor authentication (2FA), multi-factor authentication, access control policies, and privilege management to enforce least privilege principles.

• Application security focuses on securing the software and applications used within an organization. This involves implementing secure coding practices, regular vulnerability assessments and penetration testing, web application firewalls (WAFs), and application-level authentication and authorization mechanisms.

• Data encryption protects data by transforming it into a secure format that can only be accessed with the correct decryption key. It is used to secure data at rest (stored data) and in transit (data transmitted over networks).

• Security monitoring and incident response involve continuous monitoring of systems and networks, which is crucial to detecting and responding to security incidents. This includes using security information and event management (SIEM) tools, log analysis, IDS, and incident response plans to promptly identify and mitigate potential threats.

• Security awareness and training: educating employees and users about security best practices and potential threats is vital. Regular security awareness training helps individuals understand their role in maintaining a secure environment and enables them to identify and report suspicious activities.


By combining these major controls, organizations can establish a multi-layered defense-in-depth security approach that increases overall resilience against various threats.
Figure 1-1 shows typical defense-in-depth mechanisms defining IT infrastructure
security layers.

Figure 1-1. Defense-in-depth mechanisms and IT infrastructure layers

The three major security layers in an IT infrastructure are the network, the operating
system (part of the endpoint security layer), and the application itself.

The Network Security Layer


The network security layer is probably the most familiar one in the IT world. When
people talk about IT security, they normally think of network-level security—in
particular, security that uses firewalls.
Even though people often associate security with the network level, this is only a
very limited layer of protection against attackers. Generally speaking, it can do no more
than defend IP addresses and filter network packets addressed to certain ports in certain
machines in the network.


This is not enough in most cases, as traffic at this level is normally allowed to enter
the publicly open ports of your various exposed services without restriction. Different
attacks can be targeted at these open services, as attackers can execute arbitrary
commands that could compromise your security constraints. Tools like the popular nmap
(http://nmap.org/) can scan a machine to find open ports. Using such tools is an easy
first step in preparing an attack because well-known attacks can be used against such
open ports if they are not properly secured.
A very important part of the network-layer security, in the case of web applications, is the use of Secure Sockets Layer (SSL; in current deployments its successor, TLS) to encrypt all sensitive information sent along the wire, but this is related more to the network protocol at the application level than to the network physical level at which firewalls operate.

The Operating System Layer


The operating system layer is probably the most important one in the whole security
schema, as a properly secured operating system (OS) environment can at least prevent a
whole host machine from going down if a particular application is compromised.
If an attacker is somehow allowed to have unsecured access to the operating system,
they can basically do whatever they want—from spreading viruses to stealing passwords
or deleting your whole server’s data and making it unusable. Even worse, they could
take control of your computer without you even noticing and use it to perform other
malicious acts as part of a botnet. This layer can include the deployment model of the
applications since you need to know your operating system’s permission scheme to
ensure that you don’t give your applications unnecessary privileges over your machine.
Applications should run as isolated as possible from the other components of the host
machine.

The Application Layer


The primary focus of this book is on the application layer. The application security layer
refers to all the constraints you establish in your applications to make sure that only the
right people can do the right things when working through the application.


Applications, by default, are open to countless avenues of attack. An improperly secured application can allow an attacker to steal information from the application, impersonate other users, execute restricted operations, corrupt data, gain access to the operating system level, and perform many other malicious acts.
This book covers application-level security, which is the domain of Spring Security.
Application-level security is achieved by implementing several techniques, and there
are a few concepts that help you understand better what the book covers. They are
the main concerns that Spring Security addresses to provide your applications with
comprehensive protection against threats. The following three subsections introduce
authentication, authorization, and ACLs.

Authentication
Authentication is the process of verifying the identity of a user or entity attempting
to access an application. It ensures that the user is who they claim to be. Common
authentication methods include the following.

• Username and password: Users provide a unique username and corresponding password.

• Multi-factor authentication (MFA): Users provide multiple forms of identification, such as a password and a one-time verification code sent to their mobile device.

• Biometric authentication: Users verify their identity using unique physical characteristics, such as fingerprints, facial recognition, or iris scans.

The authentication process allows an application to validate that a particular user is who they claim they are. In the authentication process, a user presents the application with information about herself (normally, a username and a password) that no one else knows. The application takes this information and tries to match it against the information stored—normally, in a database or LDAP¹ (Lightweight Directory Access Protocol) server. If the information the user provides matches a record in the authentication server, the user is successfully authenticated. The application normally creates an internal abstraction representing this authenticated user in the system. Figure 1-2 shows the authentication mechanism.

¹ LDAP is explained in some detail in Chapter 8, where various authentication providers are covered.

Figure 1-2. Simple, standard authentication mechanism

Authorization
Authorization determines what actions or resources a user can access within an
application. Once a user is authenticated, authorization mechanisms control their
permissions based on predefined rules and policies. This ensures that users can only
access the features and data they are authorized to use. Authorization can be role-based,
attribute-based, or rule-based.

• Role-based access control (RBAC): Users are assigned roles, and permissions are granted based on those roles. For example, a manager role may access certain administrative features, while a regular user role may only access basic functionalities.

• Attribute-based access control (ABAC): Access is granted based on specific attributes or characteristics of the user, such as job title, department, or location.


• Rule-based access control: Access control rules are defined based on predefined conditions or criteria. For example, granting access during specific timeframes or based on certain data conditions.

When a user is authenticated, that only means that the user is known to the system
and has been recognized by it. It doesn’t mean that the user is free to do whatever she
wants in said system. The next logical step in securing an application is determining
which actions the user can perform and which resources she can access. If the user
doesn’t have the proper permissions, she cannot carry out that particular action. This
is the work of the authorization process. In the most common case, the authorization
process compares the user’s set of permissions against the permissions required
to execute a particular action in the application, and if a match is found, access is
granted. On the other hand, if no match is found, access is denied. Figure 1-3 shows the
authorization mechanism.

Figure 1-3. Simple authorization process: the authenticated user tries to access a
secured resource


ACLs
An access control list (ACL) manages access rights and permissions to specific resources
or objects within an application. It is typically used in conjunction with authorization.
An ACL defines who has access to a particular resource and what actions they can
perform on that resource. It consists of a list of users or groups and their corresponding
permissions (read, write, execute, etc.) for specific resources.
ACLs are part of the authorization process explained in the previous section. The key
difference is that ACLs normally work at a finer-grained level in the application. ACLs
are a collection of mappings between resources, users, and permissions. With ACLs, you
can establish rules like “User John has administrative permission on the blog post X” or
“User Luis has read permission on blog post X.” You can see the three elements: user,
permission, and resource. Figure 1-3 shows how ACLs work; they are just a special case
of the general authorization process.
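An added example, not code from the book, showing the role check of the previous section and the finer-grained ACL check of this one combined into a single deny-by-default authorization decision in plain Java 17 (no Spring Security involved; all user, role and resource names are constructed for the demonstration):

```java
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;

// Added example, not from the book: an in-memory model of the three ACL
// elements named in the text (user, permission, resource) layered over roles.
// All user, role and resource names are constructed for the demonstration.
public class AuthorizationDemo {

    enum Permission { READ, WRITE, ADMIN }

    // A role is a logical grouping of users that share a set of permissions.
    static final Map<String, Set<Permission>> ROLE_PERMISSIONS = Map.of(
            "ROLE_USER",  EnumSet.of(Permission.READ),
            "ROLE_ADMIN", EnumSet.of(Permission.READ, Permission.WRITE, Permission.ADMIN));

    // Authenticated users and the roles assigned to them (constructed sample data).
    static final Map<String, Set<String>> USER_ROLES = Map.of(
            "john", Set.of("ROLE_ADMIN"),
            "luis", Set.of("ROLE_USER"),
            "anna", Set.of("ROLE_USER"));

    // The ACL: resource -> user -> permissions granted on that one resource.
    // Luis, a plain user, is additionally allowed to edit blog post X (for
    // instance because he wrote it); Anna, with the same role, is not.
    static final Map<String, Map<String, Set<Permission>>> ACL = Map.of(
            "blogpost:X", Map.of("luis", EnumSet.of(Permission.READ, Permission.WRITE)));

    /** Coarse-grained check: does any of the user's roles carry the permission? */
    static boolean roleGrants(String user, Permission permission) {
        return USER_ROLES.getOrDefault(user, Set.of()).stream()
                .map(role -> ROLE_PERMISSIONS.getOrDefault(role, Set.of()))
                .anyMatch(perms -> perms.contains(permission));
    }

    /** Fine-grained check: is there an explicit ACL entry for this user on this resource? */
    static boolean aclGrants(String user, Permission permission, String resource) {
        return ACL.getOrDefault(resource, Map.of())
                .getOrDefault(user, Set.of())
                .contains(permission);
    }

    /**
     * The authorization decision: the user's permissions (from roles, plus any
     * ACL entry for the resource) are compared with the permission the action
     * requires. Unknown users and missing grants are denied by default.
     */
    static boolean isAuthorized(String user, Permission required, String resource) {
        if (!USER_ROLES.containsKey(user)) {
            return false;   // not an authenticated, known user: never authorized
        }
        return roleGrants(user, required) || aclGrants(user, required, resource);
    }

    public static void main(String[] args) {
        String[][] requests = {
                {"john", "ADMIN", "blogpost:X"},    // covered by ROLE_ADMIN
                {"luis", "WRITE", "blogpost:X"},    // covered only by the ACL entry
                {"luis", "WRITE", "blogpost:Y"},    // no role or ACL grant for this resource
                {"anna", "WRITE", "blogpost:X"},    // same role as Luis, no ACL entry
                {"mallory", "READ", "blogpost:X"}   // not a known user
        };
        for (String[] r : requests) {
            boolean decision = isAuthorized(r[0], Permission.valueOf(r[1]), r[2]);
            System.out.printf("%-8s %-5s %-11s -> %s%n", r[0], r[1], r[2], decision ? "ALLOW" : "DENY");
        }
    }
}
```

The order of the two checks is deliberate: the role check answers "may this kind of user do this kind of thing", and only when that fails does the ACL supply the per-resource exception, so adding an ACL entry can widen access for one user on one object without widening the role for everyone.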

Authentication and Authorization: General Concepts


This section introduces and explains fundamental security concepts that you will come
across frequently in the book.

• User: The first step in securing a system from malicious attackers is identifying legitimate users and allowing access to them alone. User abstractions are created in the system and given their own identity. They are the users that are later allowed to use the system.

• Credentials: Credentials are the way a user proves who they are.
Normally, in the shape of passwords (certificates are also a common
way of presenting credentials), they are data that only the owner of
it knows.

• Role: In an application security context, a role can be seen as a logical grouping of users. This logical grouping is normally done so the grouped users share a set of permissions in the application to access certain resources. For example, all users with the admin role have the same access and permissions to the same resources. Roles are a way to group permissions to execute determined actions, making users with those roles inherit such permissions.


• Resource: Any part of the application you want to access that needs
to be properly secured against unauthorized access—for example, a
URL, a business method, or a particular business object.

• Permissions: The access level needed to access a particular resource. For example, two users may be allowed to read a particular document, but only one can write to it. Permissions can apply to individual users or users that share a particular role.

• Encryption: It allows you to encrypt sensitive information (normally passwords, but it can be something else, like cookies) to make it incomprehensible to attackers even if they get access to the encrypted version. The idea is that you never store the plain text version of a password but instead store an encrypted version so that nobody but the owner knows the original one.

The following describes types of encryption algorithms.

• One-way encryption: These algorithms, referred to as hashing algorithms, take an input string and generate an output number known as the message digest. This output number cannot be converted back into the original string. This is why the technique is referred to as one-way encryption.

For example, let’s suppose the requesting client encrypts a string and
sends the encrypted string to the server. The server may have access
to the original information from a previous registration process, for
example, and if it does, it can apply the same hash function. Then, it
compares the output from this hashing to the value sent by the client.
If they match, the server validates the information.

Figure 1-4 shows this scheme. Usually, the server doesn’t even need
the original data. It can simply store the hashed version and then
compare it with the incoming hash from the client.


Figure 1-4. One-way encryption or hashing
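An added example, not code from the book, of the stored-hash scheme in Figure 1-4 using only the JDK: a salted, iterated one-way hash (PBKDF2-HMAC-SHA256, rather than the bare digest of the figure) is computed at registration and recomputed at login, and the stored record never contains the password. The usernames, passwords and the `register`/`authenticate` helpers are constructed for this example; the in-memory map stands in for the database or LDAP server mentioned above.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added example, not from the book: registration stores only a salted,
// iterated one-way hash (PBKDF2-HMAC-SHA256 from the JDK); login recomputes
// the hash from the presented password and compares. Names are constructed.
public class PasswordHashingDemo {

    private static final int ITERATIONS = 210_000;   // cost factor; raise as hardware gets faster
    private static final int HASH_BITS = 256;
    private static final int SALT_BYTES = 16;
    private static final SecureRandom RANDOM = new SecureRandom();

    // Stands in for the database or LDAP record: username -> "iterations:salt:hash".
    private static final Map<String, String> USER_STORE = new HashMap<>();

    /** One-way function: the same password and salt always give the same digest. */
    static byte[] hashPassword(char[] password, byte[] salt, int iterations) {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, HASH_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        } finally {
            spec.clearPassword();   // keep the plain text in memory no longer than needed
        }
    }

    /** Registration: a fresh random salt per user, so equal passwords give different records. */
    static void register(String username, char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        RANDOM.nextBytes(salt);
        byte[] hash = hashPassword(password, salt, ITERATIONS);
        Base64.Encoder b64 = Base64.getEncoder();
        USER_STORE.put(username,
                ITERATIONS + ":" + b64.encodeToString(salt) + ":" + b64.encodeToString(hash));
    }

    /** Authentication: recompute with the stored salt and compare without early exit. */
    static boolean authenticate(String username, char[] password) {
        String record = USER_STORE.get(username);
        if (record == null) {
            // Unknown user: still pay for one hash so the response time does not
            // reveal which usernames exist, then deny.
            hashPassword(password, new byte[SALT_BYTES], ITERATIONS);
            return false;
        }
        String[] parts = record.split(":");
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] presented = hashPassword(password, salt, iterations);
        return MessageDigest.isEqual(expected, presented);   // timing-safe comparison
    }

    public static void main(String[] args) {
        register("alice", "correct horse battery staple".toCharArray());
        System.out.println("stored record : " + USER_STORE.get("alice"));
        System.out.println("right password: "
                + authenticate("alice", "correct horse battery staple".toCharArray()));
        System.out.println("wrong password: "
                + authenticate("alice", "Tr0ub4dor&3".toCharArray()));
        System.out.println("unknown user  : "
                + authenticate("bob", "anything".toCharArray()));
    }
}
```

Storing the iteration count beside the salt lets the server raise the cost later and re-hash a user's record transparently at their next successful login, without ever needing the original password; the constant-time comparison and the dummy hash for unknown users are the two details that a naive `equals` check on the digest would miss.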

• Symmetric encryption: These algorithms provide two functions: encrypt and decrypt. A string of text is converted into an encrypted form and then can be converted back to the original string. In this scheme, a sender and a receiver share the same keys to encrypt and decrypt messages on both ends of the communication. One problem with this scheme is how to share the key between the endpoints of the communication. A common approach is to use a parallel secure channel to send the keys.

• Key: Symmetric encryption uses a single shared secret key for encryption and decryption. This means that both the sender and the recipient use the same key.


• Speed: Symmetric encryption algorithms are generally faster and more efficient than asymmetric encryption algorithms.

• Use case: Symmetric encryption is commonly used for securing large amounts of data, such as file encryption or secure communication between two parties who already share a secret key.

Figure 1-5 shows symmetric encryption at work.

Figure 1-5. Symmetric encryption: the two endpoints share the same encryption/
decryption key

• Public key cryptography: These techniques are based on asymmetric cryptography. In this scheme, a different key is used for encryption than for decryption. These two keys are referred to as the public key, which is used to encrypt messages, and the private key, which is used to decrypt messages. The advantage of this approach over symmetric encryption is that there is no need to share the decryption key, so no one but the intended receiver of the information can decrypt the message. The following describes a normal scenario.

• The intended recipient of messages shares her public key with everyone interested in sending information to her.

• A sender encrypts the information with the receiver’s public key and sends a message.


• The receiver uses her private key to decrypt the message.

• No one else can decrypt the message because they don’t have the
receiver’s private key.

The following defines the key, speed, and use case for asymmetric or PKI encryption.

• Key: Asymmetric encryption uses a pair of keys—a public key and a private key. The public key is freely available to anyone, while the owner keeps the private key secret.

• Encryption and decryption: The public key is used for encryption, while the private key is used for decryption. This means the data encrypted with the public key can only be decrypted with the corresponding private key.

• Security: Asymmetric encryption provides a higher level of security because the private key is not shared or transmitted.

• Use case: Asymmetric encryption is commonly used for secure key exchange, digital signatures, and secure communication between parties who don’t have a pre-shared secret key.

Figure 1-6 shows the public key cryptography scheme.

Figure 1-6. Public key cryptography
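An added example, not code from the book, that ties the symmetric and public key sections together using only the JDK (Java 17 for the record type): the message body is encrypted with AES-GCM under a freshly generated shared key, and that key travels encrypted under the receiver's RSA public key. This is the "secure key exchange" use case listed above, and it replaces the parallel secure channel the symmetric section says is otherwise needed to move the key. The message text is constructed; keys are generated on each run. The `seal`/`open` names are this example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example, not from the book: AES-GCM (symmetric) for the message body,
// RSA-OAEP with the receiver's public key (asymmetric) to carry the AES key.
// The message text is constructed; keys are generated fresh on each run.
public class HybridEncryptionDemo {

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final int GCM_IV_BYTES = 12;   // 96-bit nonce, never reused with the same key
    private static final int GCM_TAG_BITS = 128;  // authentication tag: tampering is detected

    /** What actually travels over the wire; none of it is usable without the private key. */
    record Envelope(byte[] encryptedKey, byte[] iv, byte[] ciphertext) {}

    // --- symmetric part: the same key encrypts and decrypts (Figure 1-5) ---

    static byte[] aesGcm(int mode, SecretKey key, byte[] iv, byte[] input) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(mode, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        return cipher.doFinal(input);   // in DECRYPT_MODE this throws AEADBadTagException on altered data
    }

    // --- asymmetric part: public key encrypts, private key decrypts (Figure 1-6) ---

    static KeyPair newReceiverKeyPair() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);
        return kpg.generateKeyPair();
    }

    static byte[] rsaOaep(int mode, Key key, byte[] input) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        cipher.init(mode, key);
        return cipher.doFinal(input);
    }

    /** Sender side: a fresh AES key per message, encrypted so that only the receiver can read it. */
    static Envelope seal(PublicKey receiverPublicKey, byte[] plaintext) throws GeneralSecurityException {
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(256);
        SecretKey aesKey = keyGen.generateKey();
        byte[] iv = new byte[GCM_IV_BYTES];
        RANDOM.nextBytes(iv);
        byte[] ciphertext = aesGcm(Cipher.ENCRYPT_MODE, aesKey, iv, plaintext);
        byte[] encryptedKey = rsaOaep(Cipher.ENCRYPT_MODE, receiverPublicKey, aesKey.getEncoded());
        return new Envelope(encryptedKey, iv, ciphertext);
    }

    /** Receiver side: only the private key holder recovers the AES key, and with it the message. */
    static byte[] open(PrivateKey receiverPrivateKey, Envelope env) throws GeneralSecurityException {
        byte[] rawKey = rsaOaep(Cipher.DECRYPT_MODE, receiverPrivateKey, env.encryptedKey());
        SecretKey aesKey = new SecretKeySpec(rawKey, "AES");
        return aesGcm(Cipher.DECRYPT_MODE, aesKey, env.iv(), env.ciphertext());
    }

    public static void main(String[] args) throws Exception {
        KeyPair receiver = newReceiverKeyPair();   // receiver publishes getPublic(), keeps getPrivate()
        byte[] message = "transfer 100 EUR to account 42".getBytes(StandardCharsets.UTF_8);

        Envelope env = seal(receiver.getPublic(), message);
        byte[] recovered = open(receiver.getPrivate(), env);
        System.out.println("recovered: " + new String(recovered, StandardCharsets.UTF_8));

        // Integrity check: flip one bit of the ciphertext in transit and decryption is refused.
        byte[] tampered = env.ciphertext().clone();
        tampered[0] ^= 0x01;
        try {
            open(receiver.getPrivate(), new Envelope(env.encryptedKey(), env.iv(), tampered));
        } catch (GeneralSecurityException e) {
            System.out.println("tampered message rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Encrypting the body with the fast symmetric cipher and only the short key with the slow asymmetric one is why the speed difference noted in the symmetric section rarely matters in practice; the GCM tag also gives the integrity property that plain encryption alone does not.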

The use of encryption achieves, among other things, two other security goals.
• Confidentiality: Potentially sensitive information belonging to one
user or group of users should be accessible only to this user or group.
Encryption algorithms are the main helpers in achieving this goal.

13
Random documents with unrelated
content Scribd suggests to you:
THE TRANSFERENCE OF WOODCUTS IN
THE FIFTEENTH AND SIXTEENTH
CENTURIES[5]
GRANOLLACHS' 'LUNARE.' FLORENCE: L. MORGIANI FOR P. PACINI, 1496. IMITATED FROM THE NAPLES
EDITION OF 1485

D ESPITE some efforts to prove the contrary, there can be little


doubt that the art of taking clichés of woodcuts, or of cuts
engraved on soft metal treated in the same way as wood, was quite
unknown during the fifteenth and sixteenth centuries. If one printer
or publisher desired the use of a set of cuts in possession of another,
it was open to him to try to borrow or buy them, and failing this to
have them copied as best he could, on the theory of artistic
copyright having as yet been broached. In the present paper, after a
few words on the simpler processes of borrowing and buying, I
propose to bring together some typical instances of the different
methods in which cuts designed in one country or district were
copied in another, and incidentally, perhaps, to throw a little new
light on the relations of designers and woodcutters in these early
days of book-illustration.
As to borrowing, there is not much to be said. I believe a few
instances of it may be found, e.g. Matthaeus Cerdonis tells us
distinctly that he printed an edition of a 'Cheiromantia' (Padua,
1484) 'Erhardi Ratdolt instrumentis.' But it was undoubtedly, and for
obvious reasons, very rare, and where it existed mostly indicates
some specially close relations between the two firms. Thus Jacob
Bellaert at Haarlem appears to have borrowed some of Leeu's cuts
for a 'Lijden ons Heeren,' printed in December 1483, but on
Bellaert's disappearance in 1486 most of his cuts and types are
found in the possession of Leeu, and it is doubtful if we should not
look on his press rather as a branch establishment of Leeu's than as
altogether independent. We have also to be very careful in our
examination of cuts before building any theories of borrowing, or
special relations between different firms, as in some cases, notably
in many of Vérard's 'Horae,' in which we seem at first sight to find
cuts from the editions of Philippe Pigouchet, we are really confronted
with copies so closely imitated that it requires a minute comparison
to show that they are printed from different blocks.
When we pass from borrowing to buying we open up an endless
field for investigation, and one rich in small surprises.
Mr. Falconer Madan showed me some years ago, in a Civil War Tract
in the Thomason Collection at the British Museum, a very worn cut,
French in appearance, representing S. John the Evangelist and the
eagle by which he is symbolised. It puzzled me at the time, but I
soon afterwards identified it with the printer's device of Robert Wyer,
in use by him more than a hundred years earlier. Almost as great an
age was probably attained by a head-piece of terminal archers, with
rabbits, etc., which I first noticed in the 1598 edition of Sidney's
'Arcadia,' and found still retained in the fourteenth edition, dated
1670. The interval between these two editions of itself exceeds the
threescore and ten years which ought to suffice for the life of a
wood-block as of a man, but I have since found the same head-
piece in a prayer book, printed about 1585, and as it is in no way
appropriate to this, have no doubt that its original appearance was
even earlier.
In another rather amusing series of migrations my pride as a
discoverer has been tempered by the verdict of a lynx-eyed friend
that the blocks in question at one period of their career have been
recut, but their history is still curious. If any one will turn to the
1575 edition of 'A Ryght pithy pleasaunt and merie Comédie.
Intytuled Gammer Gurton's Needle. Played on stage, not longe ago
in Christes Colledge in Cambridge,' he will see that the title-page of
this our second printed comedy, 'made by Mr. S—— Mr. of Art,' and
'imprinted at London in Fleete streat beneth the Conduit at the sign
of S. John Evangelist by Thomas Colwel,' is surrounded by a kind of
garland supported by two fat little boys; and if we turn next to the
last leaf of the 'Champfleury,' that most pedantical treatise, written
and published by the French artist-printer, Geoffroy Tory in 1529,
there the same not very beautiful design will confront us. The
concatenation of the 'Champfleury' and 'Gammer Gurton's Needle' is
of itself delightful, but chance has enabled me to add two additional
incongruities, for I have found it again in a copy of the 'Christiani
Hominis Institutio,' by Stephanus Paris, printed in 1552 by Michael
Fezandat for Vivantius Gaulterot, who had published the second
edition of the 'Champfleury' three years earlier, and once more in
William Copland's edition, dated 1553, of Bishop Douglas's 'xii. Bukes
of Eneados.' Thus we know within a few months the date at which
this block, which had previously been recut, crossed the Channel,
and there is some reason to believe that some more of Tory's old
designs came over with it, for I have lately noticed three fragments
of borders used in Tory's 'Horae' of 1525 reappearing in a 'Letter to
Reginald Pole,' by Tunstall and Stokesley, printed by Wolfe in 1560.
Like the larger design, these fragments have been recut, but with
considerable skill, so that we may be sure that the recutting was
done in France, and at no very long interval after 1525, the lines in
the original blocks being so fine that they would soon need
replacing.

FROM GEOFFROY TORY'S 'CHAMPFLEURY,' 1529.


As an appendix to this section of my paper, it occurred to me to look
at the cuts in some of the Roxburghe Ballads, and a glance through
the first volume yielded some curious results. Thus a ballad entitled
'Friendly Counsaile,' by C. R. [Charles Records?], printed for J.
W[right], the younger, about 1630, has two cuts, the first of Christ
teaching the twelve Apostles, which can be traced back through the
'Kalender of Sheppards' to Vérard's 'Art de bien vivre et de bien
mourir' of 1492; the second of two of the three gay cavaliers, who
met their own corpses as they hunted (les trois vifs et les trois
morts), which occurs in French Horae of about the same date.
Another ballad entitled 'Christmas' Lamentation for the losse of his
Acquaintance, showing how he is forst to leave the country and
come to London,' is headed by a little figure of a man, which I first
saw in the verso of the title of Wynkyn de Worde's edition of 'Hycke
Scorner,'[6] where it is labelled 'Pyte.' This also is ultimately French,
and was also originally first cut for Vérard's French Terence. 'Doctor
Dogood's directions to cure many diseases' has in the first part half
of a cut from the 'Art de bien vivre,' representing Aaron and the
Israelites going to meet, not, as in the original, Moses, who bears
the Tables of the Law, but two English gentlemen, who are joined on
in a block of much smaller size. The second part has also an old cut,
which appears to be imitated from the Dutch. Another Dutch
fifteenth-century design is used in the second part of 'The
Discontented Married Man,' and there are two more fifteenth-century
blocks (recut) in the 'Jovial Broom-man,' a cut from a French 'Æsop'
in 'A New Medley, or a Messe altogether,' and a piece of an Augsburg
block in 'The praise of our country Barley Brake.' Besides these we
may note the presence at the head of a ballad called 'Solomon's
Sacrifice,' printed for Henry Gosson, of the cut of a printing-press
which occurs in 'The Ordinarie of Christians,' printed by Scoloker
about 1548. Of other cuts I only suspect the history, and the
instances I have quoted are sufficient to show the long life these
designs enjoyed in England.
Like some other branches of natural history, 'bibliology,' to use an
absurd word, would be very dull if it could all be mapped out and
tabulated ready to our hand, but in cut-hunting, as in fox-hunting,
there is pleasure to be gained from pursuit, if not from attainment,
and especially in English books of the sixteenth century there is
never any difficulty in finding a promising cut to hunt. It may be
said, indeed, that whoever attempts to write the history of wood-
engraving in England during this period will need to be quite as well
acquainted with the productions of the French press as of the
English. Unfortunately this is no easy matter, for except for a
magnificent collection of Vérards mostly from the old Royal Library,
and a goodly number of Horae, the British Museum is by no means
rich in early French books, and I know of no other English library
which can do much to supply its deficiencies. But the fact remains
that between the large importation of French blocks, the direct
imitation of many others, and the probable presence of French
woodcutters working in England, the field for any one desirous of
tracing a native school of wood-engraving, if such a school can be
said to have existed, is full of pitfalls, from which only a very wide
knowledge of the cuts in contemporary French books (and to a less
extent also of Dutch and German ones) can offer deliverance.
The backwardness of England in the pictorial arts made it possible
for old wood blocks to enjoy here an unusually long life. In other
countries their career was cut short by decisive changes of taste.
Thus the sudden inroad of the Renaissance into Germany at the
close of the fifteenth century swept away almost the whole of the
delightfully simple work produced between 1470 and 1490. One
curious case of survival is perhaps worth mentioning. In an edition
of Wyle's 'Translation oder Deutschungen etlicher Bücher,' printed at
Augsburg in 1536, the cuts to all the stories but one show
contemporary work of the usual kind. The exception is the tale of
Guiscard and Sigismund, the illustrations to which must be quite half
a century earlier, and exhibit all the simplicity of feeling and
workmanship of the artists of Augsburg, in their best days.
In France we have the same tale, for it is impossible to conceive not
merely of the Estiennes, but of a popular publisher like Jean de
Tournes, decorating his books with the simple cuts we find in books
by Vérard or Trepperel. In the Horae the publisher's needs were
sometimes too imperative to be resisted, and amid the coarse and
realistic engravings which, to the destruction of the charm of these
books, came into vogue about 1505, the old designs from the
editions of Pigouchet and Vérard are often found for some ten years
longer. Italy is in somewhat a different position, for there, in the
fifteenth century, the distinction between the books of the people
and the books of the rich had been unusually clearly marked, and
while the tastes of the rich changed the popular literature was far
more conservative. The little Florentine cuts, of which examples are
given in another article, are by far the most striking example of this
stability of the popular taste. It is probable that no new ones were
designed after 1520 at the latest, but the old designs continued in
use for more than sixty years after this date, battered by successive
editions till their borders were knocked to pieces, but still retaining
much of their old beauty, and occasionally, by some lucky chance,
finding a printer who did them justice. When the old blocks became
unusable, the designs were recut, and it is sometimes possible to
trace them through as many as three different stages of successive
deterioration. In Venice the little vignettes, so popular between 1490
and 1500, enjoyed a similar, but much shorter, extension of life, the
preference for the heavier style of engraving which came in with the
turn of the century driving them down into the chap-books, where
their original delicacy of line soon procured their destruction at the
hands of hasty printers.
Though the vagaries of fashion were thus slightly tempered at the
great centres of printing in Italy, fashion interfered with the
borrowing of blocks in another way in this country. Germany and
France were each fairly homogeneous in art matters. We may trace
different schools, but their differences are not very strongly marked,
and their followers were probably not very keenly conscious of them.
In Italy the artistic individuality of every district was clearly defined,
and though, as we shall see, the printers of one town made free use
of the illustrations in the books of those of another, there was
scarcely any interchange of blocks. In the 'De Structura
compositionis' of Ferrettus, printed at Forli in 1495, both of the two
illustrations are of Venetian origin, that of Theseus and the Minotaur
being taken from the 'Plutarch' of 1491, and that of the lecture-hall
from the 'Epigrammata Cantalycii' of 1493. But this is an almost
unique instance of direct borrowing, the rule being that while
designs were freely imitated, they were, almost invariably, recast in
the style of art of the district in which they were to appear.
FROM THE NAPLES EDITION OF THE 'ARTE DE ASTROLOGIA' OR 'LUNARE' OF GRANOLLACHS, FOR THE
YEAR 1485. (REDUCED.)

Passing now from the purchase of woodcuts to their imitation, we
may look, first of all, at the simplest and easiest form in which a
design could be reproduced. The impression from a woodcut is, of
course, a reversal of the design as it appears on the block, and an
artist not very confident of his own skill would naturally shrink from
the rather difficult task of copying the printed cut in reverse in order
that his own sketch might print in the same way as its original. He
preferred to copy the printed cut as he saw it before him, with the
result that in the impressions from his copy everything is reversed,
the right becoming left, and the left right. Thus simplified his task
was easy, and it was even possible to avoid altogether the need of
copying, by merely pasting the illustration on the block, and cutting
the wood through the paper. When Antoine Vérard desired to bring
out a French edition of the 'Metamorphoses,' his wood-cutters
treated the designs in the edition by Colard Mansion in this way, and
as the originals were but poor work the injury to them was not very
great. It was the first of these designs, that of Saturn devouring his
children, which Vérard, a year or two later, printed in his edition on
vellum of the 'Miroir Historial' of Vincent de Beauvais, to serve as a
ground-plan to his illuminator, who, by painting out Saturn's scythe,
and the child in his mouth, and some other objectionable details,
turned it into a very moderately edifying picture of the Holy Family.
But this after-use is beside our point, nor are the cuts in either
Mansion's edition, or that of Vérard, worth reproducing here. As an
instance of this practice we will rather show the original and a copy
in reverse of the frontispiece of the 'Nobilissima Arte de Astrologia,'
by Granollachs, an astronomer of Barcelona, printed at Naples, with
the calculations made for the year 1485, when it was presumably
intended to be issued. That this is really its date we have strong
confirmatory evidence in the style, both of the design and the
cutting, which corresponds very closely to that of the cuts to the life
of Æsop prefixed to the Italian edition brought out at Naples in the
same year, 1485, by the jurist-publisher, Francisco de Tuppo, and
probably printed for him by Matthias Moravus. The designer was a
man of skill and imagination, and we may notice in this picture the
Saracenic type which he has given to the man whom we see at the
window, to suit with the presumably Moorish descent of its author.

FROM THE 'LUNARE' OF GRANOLLACHS FOR 1493. PRINTED AT ROME BY PLANNCK. REVERSED FROM THE
NAPLES EDITION. (REDUCED.)

The 'Arte de Astrologia' of Granollachs became popular, and in 1493
Plannck, a great printer of cheap books at Rome, brought out an
edition of it there under the altered title 'Lunare.' That it might not
go unillustrated, he seems to have commissioned his office-boy to
reproduce the Naples woodcut, and the result was the remarkable
work of art which is here set face to face with its original. By and by
we shall see how a Florentine artist fared when the same task was
set him.
Reproduction in reverse was undoubtedly the refuge of the
incompetent, but we must remember that it was also the restoration
of the design as originally drawn on the wood, and the most skilful
artists did not disdain to save themselves trouble in this way. They
had no objection to copying another man's work, but their aim was
not to see how closely they could copy, but to make a pretty picture
with the least expenditure of pains, and if it looked as well when the
rights and lefts were reversed there was no fault to be found. Hence
we shall find this method employed in many cases where the second
artist was no whit inferior to the first. Examples of the servile
reproduction of woodcuts by other printers, without reversal, are
hardly as numerous as we should expect, and are naturally not very
interesting. They group themselves chiefly round a few popular
books, such as the 'Fasciculus Temporum' of Rolewinck, Steinhowel's
'Æsop' and Brant's 'Ship of Fools.' The home of the 'Fasciculus
Temporum' seems to have been Cologne, but the cuts in the editions
which we find printed in other towns of Germany, at Venice by Walch
and Ratdolt, and in Spain, all follow the same lines very closely. Of
the 'Æsop,' which started either from Sorg's press at Augsburg, or
from that of Knoblochzer at Strasburg, no less than eleven editions
were printed in different towns in Germany during the fifteenth
century, the cuts in all of which are on the same model, while the
actual blocks used by Sorg afterwards passed into the possession of
Gerard Leeu at Antwerp, and were again imitated by Christian
Snellaert at Delft. The cuts in the 'Narrenschiff' enjoyed no less
widespread a popularity.
A few single cuts, which from their subjects might be used as title-
cuts to a great variety of books, also attracted the attention of the
more pedestrian copyists. Thus in educational books printed in
Germany towards the close of the fifteenth century there are a
bewildering number of variants of a woodcut of a master and
scholars with the legend 'Accipies tanti doctoris dogmata sancti,' and
while a good many French cuts found their way into England on their
original blocks others were copied for English use with the servility
we should expect. Among the few instances of direct copying in
Italy, one of the most noteworthy is the reproduction at the
beginning of the 'Supplementum Chronicorum' of Foresti, printed by
Bernardino de Benaliis at Venice in 1486, of the pictures of the
Creation, the Fall, and the Sacrifices of Cain and Abel, from the large
Bible printed by Quentel at Cologne about six years earlier. On the
other hand, in my monograph on 'Italian Book-Illustrations'
(Portfolio, No. xii. Dec. 1894), I have already alluded to a curious
instance of the direct copying of Italian ornamental initials by a
German. In 1484, in a 'Boethius' printed by Oliverius Servius at
Rome, we find three very fine initials, and we can trace back the set
to which they belong to Sixtus Riessinger, who used some of them in
his edition of a 'Tractatus Solemnis,' by Philippus de Barberiis in
1480. This is simple enough. But, when we find what looks like the
same set in the possession of Johann Müller at Nuremberg about
1473, we ask in some surprise how initials distinctively Italian should
appear first at Nuremberg and afterwards find their way back to
Rome? The answer to the puzzle is arrived at by tracing both the
Nuremberg and the Roman initials to a set cut for Sweynheym and
Pannartz, but used by them only in certain copies of a few books
(e.g. the Rylands copy of the 'Suetonius' of 1472) whose purchasers
preferred them to be ornamented thus rather than by illumination.
One of these copies must have fallen into the hands of Müller, who
imitated the designs remarkably closely, but with some minute
differences, notably the addition of a thick line to the left of the
initials, which in the originals are left unfinished on this side, so that
they might be attached at pleasure to an ornamental border running
down the margin. Thus the initials used by Müller are copies, while
those of Riessinger and Servius are from the original blocks, which
must have passed to them from Sweynheym and Pannartz. The
difficulty in clearing up the little mystery lay in the fact that it is
possible to possess a copy of every book Sweynheym and Pannartz
ever printed without finding a single volume in which the initials
occur.
A well-known example of the close copying of a decorative border is
the conveyance by Joannes Paulus Brissensis of a border used by
Edward Whitchurch for the first prayer book of Edward VI., published
in 1549. Five years later a close imitation of this, even to the
retention of the initials E. W., appears on the title-page of a
commentary on Aristotle ('Dialectica Resolutio cum textu'), published
by Brissensis in Mexico.
We come now to the last and most interesting section of our subject,
the cuts in which one artist has borrowed the design of another, but
whether imitating it freely or closely has introduced modifications in
technical treatment which make it his own, harmonising it so closely
with the work of his own city or country that it easily takes its place
with purely native designs until by some chance its real origin is
discovered. For various reasons these transformations are almost,
though not entirely, confined to Italy. Thus it would be idle to expect
them in England because there was no English school of design or
engraving of sufficient individuality to modify the style of the cuts it
borrowed. In Germany, on the other hand, the native school was
immensely productive, and had a long start of France and Italy in
point of time. Very shortly after 1470 we find illustrated books at
Augsburg and Ulm of a simple excellence which could not be
bettered. In France and Italy we get a few good books about 1480,
but woodcuts do not become common till ten years later. One of the
few very early illustrated books of Italy, the 'Valturius,' printed at
Verona in 1472, was indeed copied in Germany, the cuts being
reproduced in reverse in an undated 'Vegetius,' probably printed at
Augsburg about 1475 by Johann Wiener, though it should be
mentioned that Dr. Muther, like a true Teuton, tries to claim priority
for his countrymen by bringing back the 'Vegetius' to about 1470.
But this is a solitary instance, which belongs, moreover, to an earlier
section of our subject, and, until Mr. Redgrave communicated to the
Bibliographical Society his paper on the early illustrated books of
Oppenheim, I knew of nothing more apposite. In that paper,
however, Mr. Redgrave showed how both the border of the
'Calendar,' printed by Ratdolt at Venice in 1476, and some of
Ratdolt's ornamental initials, were closely imitated by Johann Köbel,
in an undated 'Passio Domini.' The two books were separated by an
interval of quite thirty years, and Köbel in imitating Ratdolt was not
content with his delicate outline, but put in a heavy background
which does not improve it. Some late German prayer-books show
traces of the influence of the French 'Horae,' but beyond these I
know of nothing.
The case of Holland is somewhat similar to that of Germany. In the
last decade of the fifteenth century, the Dutch woodcutters imitated
closely, or directly borrowed, from the French 'Horae,' but the best
work, which is also the earliest, was entirely original.
In the sixteenth century the popular printers, like John of
Doesborgh, no doubt obtained their haphazard illustrations whence
and how they could. In the editions of 'Le Chevalier Délibéré,' by
Olivier de la Marche, printed at Antwerp in French and Spanish, in
1547, etc., I thought, at first, that I had found an instance of artistic
copying of a very interesting nature, for there is a close connection
in design between these highly-finished cuts and the rude yet
striking work in the edition printed at Gouda, by Gottfried van Os,
shortly after 1486. Inasmuch, however, as La Marche had given
elaborate directions for the illumination of his poem, it is obvious
that by following these directions any two designers would obtain
fairly similar results, without any direct imitation of one by the other.
As far as my own information goes, the French wood-cutters trusted
almost entirely to their own imagination during the fifteenth century,
and, when they took to borrowing for their 'Horae,' borrowed
outright without any attempt at adaptation. One famous example of
copying of a later date deserves mention. In 1545 the younger Aldus
printed at Venice a second edition of the famous 'Hypnerotomachia,'
and either this or the original of 1499 attracted the attention of
Gohorry, who made a translation which was revised by Jean Martin
and printed by Jacques Kerver in 1546. The cuts to this translation
have been variously attributed to Jean Goujon and Jean Cousin, but
a moment's glance at the book will show that they are not all by the
same hand. The majority of the illustrations show wretched work,
and are very clumsily cut, but those at the beginning and a few in
the latter part of the volume are fine examples of artistic translation
into a different manner. I give here the scene of Poliphilo by the river
bank from both the original and the copy, and old favourite as the
Venetian cut justly is, I think that the French cut attains almost
equal excellence in another style. No finer example of free
adaptation could easily be found.

CUT FROM THE 'POLIPHILO' OF VENICE, 1499. (REDUCED)

When we come to Italy we find a wholly different set of conditions.
Here book-illustration started late, but during the twenty years from
1490 to 1510 its vogue was enormous, and great as was the fertility
of the Italian designers it was natural that in face of the demands
made upon them by the publishers they should seek help wherever
they could find it. But in Italy at this period every craftsman was an
artist, and whether he sought his inspiration in the paintings which
he saw around him, in the engravings on copper which had
flourished long before book-illustration became popular, in the cuts
in foreign books, or in those published in other districts of his own
country, the Italian woodcutter always put his own individuality into
his work and made the design he was copying his own. I am
unfortunately unacquainted with the pictures to which Dr. Lippmann
and Dr. Kristeller have traced three or four of the Venetian and
Florentine woodcuts,[7] but the examples of translation from
engravings on copper to woodcuts in the Venetian 'Petrarch' of 1490,
in the second Florentine edition of Bettini's 'Monte Sancto di Dio'
(1491), and in the illustration of the works of mercy in the 'Libro delli
Comandamente di Dio' of Fra Marco del Monte Sancta Maria
(Florence, 1496), are extremely interesting, and show how well the
workmen, especially those of Florence, understood the principle of
artistic selection.

THE SAME CUT AS REDRAWN IN THE FRENCH EDITION OF THE 'POLIPHILO,' 1546. (RATHER MORE
REDUCED)

No more characteristic example of free imitation can be found than
in the use made of the cuts in the Latin and German Bibles, printed
by Quentell at Cologne about 1480, by the illustrator of the Malermi
Bible ten years later. The German cuts are large and clumsy
(measuring about 7½ x 5 in.), overcrowded with figures, and with
the rudest ideas of perspective and arrangement. The little Italian
vignettes, on the other hand, are gracefully and delicately designed,
and it is only from the presence of some purely fanciful accessory,
such as the pond and the swan swimming in it in the examples here
given, that we are compelled to recognise the debt of the Venetian
artist to his German predecessor.

CUT FROM THE QUENTELL BIBLE. (COLOGNE, C. 1480. MUCH REDUCED)

ADAPTATION OF THE COLOGNE CUT FOR THE MALERMI BIBLE. (VENICE, 1490)

Another, though a less interesting example of the adaptation of large
and rather clumsy cuts to the scale of the little Venetian vignettes is
the imitation in the 'Terence,' published by Simon de Luere at Venice
in 1497, of the illustrations in Trechsel's edition which had appeared
at Lyons four years earlier. Again, if, as I believe, we should attribute
the first illustrated Italian edition of the 'Ars Moriendi,' printed in
1490, 'co li figure accomodati per Johanne clein & Piero himel de
alamanis,' to Venice rather than to Lyons, we may claim the majority
of the cuts in this as additional examples of intelligent, if not very
original, adaptation by Venetian artists, the originals, in this case,
being the designs first used in the German block-books, imitated
again two years later, by Vérard at Paris.
It is true that after 1496 Cleyn was printing at Lyons, and that there
is a Lyonnese book with the probably erroneous date 1478 by him,
but we have no evidence, I believe, of his whereabouts in 1490, and
there is one cut in the book, for which, as far as I know, the artist
drew entirely on his own imagination, and this appears to me to be
much more Venetian in its character than Lyonnese.[8] I give this cut
from a copy in the British Museum which has unluckily been heavily
coloured, so that the reproduction was no easy matter. It comes
within our subject, not only as evidence for the Venetian origin of
the edition, but as the original of the little cut on the title of the
'Omnis Mortalium Cura' of S. Antonino, printed for Pacini in 1507;
the differences between the copy and the original being
characteristic of the alteration in tone always introduced by
Florentine artists when dealing with foreign work. The border has
been simplified and at the same time given the usual black
background. The recesses of the church are in unrelieved black
instead of merely shaded. The figures are slighter and more
graceful, and good taste is shown in the removal of the whispering
devils, one of whom bears a scroll with the words 'nolo dire,' while
the other inscription contains the word 'vergogna' (shame),
preceded by some other letters which I cannot decipher in the
Museum copy. It will be noticed that the Florentine artist has
reversed the positions of the figures, but not the little altar-piece.
The other cuts in the 1490 'Arte del Morire' also found Florentine
imitators, as I cannot doubt that it was through them that the
illustrator of the Florentine editions of c. 1495 and 1513 obtained his
knowledge of the German designs which he followed in ten of his
cuts. Some of the designs are copied in reverse, others directly, but
in nearly every instance we find that by a number of small touches
the cut has been made to assume a distinctly Florentine appearance.

ILLUSTRATION ON THE BACK OF THE TITLE-PAGE OF THE 'ARTE DEL BEN MORIRE,' PRINTED IN 1490 BY
JOHANN CLEYN AND PIERO HIMEL, PROBABLY AT VENICE
FLORENTINE ADAPTATION OF THE SAME CUT USED ON THE TITLE-PAGE OF THE SOMMA 'OMNIS
MORTALIUM CURA' OF S. ANTONINO. PACINI, 1507

Among other books in which Florence followed the lead of Venice
the 'Meditazioni' of San Bonaventura and the 'Fior di Virtù' are
perhaps the most important. For my frontispiece to this article,
however, I have preferred to hark back to the 'Lunare' of
Granollachs, the Florentine edition of which (1496) is as good an
instance of artistic imitation of that of Naples, as is the Roman (see
page 83) of incompetent servility.
I have already written at greater length than I intended, and am
conscious that all I have said is dry, fragmentary, and disjointed.
There is, however, still one point which I should like to put forward
in connection with these different styles of copying. In 'The Masters
of Wood-Engraving' Mr. Linton has endeavoured to limit our idea of
the work of the early woodcutters to the mere faithful cutting on the
wood the lines marked down for them by the designer. In this theory
Mr. Linton stands at the opposite extreme to Sir W. M. Conway, who,
in 'The Woodcutters of the Netherlands,' hardly made sufficient
allowance for the differences in cutting which might be produced by
different designs. Of the two, however, Sir W. M. Conway seems to
me to be the nearer to the truth, and I think these instances in
which we have both the design and the woodcutter's copy before us
help us to understand the method of work. No one can believe that
the hand of any artist intervened between the Naples 'Granollachs'
and its Roman interpreter, and I feel tolerably sure myself that in the
two Florentine cuts I have given, the differences of treatment are
also due to the craftsman. In the Venetian translation from the cuts
in the Cologne Bible and in the French adaptation of the
'Hypnerotomachia' we have, of course, a different set of conditions,
and we must not try to ignore them. But until positive evidence to
the contrary is produced, it is reasonable to believe that the
craftsman often supplied his own designs, and the artist was often
his own woodcutter, and the examples of imitation at which we have
been looking seem to me to strengthen this theory.
ES TU SCHOLARIS?[9]

IN the following pages I propose to offer a little picture of school-
life four hundred years ago, culled from an old Latin dialogue
book which was published anonymously in the fifteenth century
under the title 'Es tu scholaris?' and went through many editions in
different countries. All through the Middle Ages boys were supposed
to speak Latin in school, and this with some reason, since if they
meant to be scholars when they grew up, to be able to speak and
write Latin fluently would be far more useful to them than the
acquisition of any single modern language. But no doubt it did not
come easily to them, and our anonymous author seems to have
thought that it might not come quite easily to their masters to show
them how to do it, since, as we shall see, he wrote his book for use
in the humbler kind of schools, where the master himself might be a
man of no great learning. In fact he begins by pointing out the
inconvenience of a master not being able to answer his boys'
questions, and to obviate this offers some ready-made dialogues on
what he considered suitable topics.
All the earlier dialogues begin with the words from which the book
takes its title—Are you a scholar? 'Es tu scholaris?' says the master.
'Sum,' says the boy, ('knowing the language'), and then begin the
variations.
FROM THE FLORES POETARUM, S.A.

The cruellest of these is a kind of 'fool's mate' (to borrow a term
from chess), in which the master asks, 'What gender is sum?' and it
is to be hoped used his victory mercifully if his victim fell into the
trap. When the first variations are exhausted we come to a 'Where
are you a scholar?' to which the correct answer is 'Here and
everywhere, and in all honest places,' honest places being
subsequently defined as of four kinds, that is to say, at church, at
school, at home with one's parents and in the company of able men
(ecclesia, scola, domus propria circa parentes et convivium
peritorum virorum). Of a sudden the master waxes humorous and