Spring Security - Reference Documentation


Spring Security: Reference Documentation
by Ben Alex and Luke Taylor
3.0.8.RELEASE

Table of Contents

Preface
I. Getting Started
  1. Introduction
    1.1. What is Spring Security?
    1.2. History
    1.3. Release Numbering
    1.4. Getting Spring Security
      Project Modules
        Core - spring-security-core.jar
        Web - spring-security-web.jar
        Config - spring-security-config.jar
        LDAP - spring-security-ldap.jar
        ACL - spring-security-acl.jar
        CAS - spring-security-cas-client.jar
        OpenID - spring-security-openid.jar
      Checking out the Source
  2. Security Namespace Configuration
    2.1. Introduction
      Design of the Namespace
    2.2. Getting Started with Security Namespace Configuration
      web.xml Configuration
      A Minimal <http> Configuration
        What does auto-config Include?
        Form and Basic Login Options
      Using other Authentication Providers
        Adding a Password Encoder
    2.3. Advanced Web Features
      Remember-Me Authentication
      Adding HTTP/HTTPS Channel Security
      Session Management
        Detecting Timeouts
        Concurrent Session Control
        Session Fixation Attack Protection
      OpenID Support
        Attribute Exchange
      Adding in Your Own Filters
        Setting a Custom AuthenticationEntryPoint
    2.4. Method Security
      The <global-method-security> Element
        Adding Security Pointcuts using protect-pointcut
    2.5. The Default AccessDecisionManager
      Customizing the AccessDecisionManager
    2.6. The Authentication Manager and the Namespace

  3. Sample Applications
    3.1. Tutorial Sample
    3.2. Contacts
    3.3. LDAP Sample
    3.4. CAS Sample
    3.5. Pre-Authentication Sample
  4. Spring Security Community
    4.1. Issue Tracking
    4.2. Becoming Involved
    4.3. Further Information
II. Architecture and Implementation
  5. Technical Overview
    5.1. Runtime Environment
    5.2. Core Components
      SecurityContextHolder, SecurityContext and Authentication Objects
        Obtaining information about the current user
      The UserDetailsService
      GrantedAuthority
      Summary
    5.3. Authentication
      What is authentication in Spring Security?
      Setting the SecurityContextHolder Contents Directly
    5.4. Authentication in a Web Application
      ExceptionTranslationFilter
      AuthenticationEntryPoint
      Authentication Mechanism
      Storing the SecurityContext between requests
    5.5. Access-Control (Authorization) in Spring Security
      Security and AOP Advice
      Secure Objects and the AbstractSecurityInterceptor
        What are Configuration Attributes?
        RunAsManager
        AfterInvocationManager
        Extending the Secure Object Model
    5.6. Localization
  6. Core Services
    6.1. The AuthenticationManager, ProviderManager and AuthenticationProviders
      DaoAuthenticationProvider
      Erasing Credentials on Successful Authentication
    6.2. UserDetailsService Implementations
      In-Memory Authentication
      JdbcDaoImpl
        Authority Groups
    6.3. Password Encoding

      What is a hash?
      Adding Salt to a Hash
      Hashing and Authentication
III. Web Application Security
  7. The Security Filter Chain
    7.1. DelegatingFilterProxy
    7.2. FilterChainProxy
      Bypassing the Filter Chain
    7.3. Filter Ordering
    7.4. Request Matching and HttpFirewall
    7.5. Use with other Filter-Based Frameworks
  8. Core Security Filters
    8.1. FilterSecurityInterceptor
    8.2. ExceptionTranslationFilter
      AuthenticationEntryPoint
      AccessDeniedHandler
    8.3. SecurityContextPersistenceFilter
      SecurityContextRepository
    8.4. UsernamePasswordAuthenticationFilter
      Application Flow on Authentication Success and Failure
  9. Basic and Digest Authentication
    9.1. BasicAuthenticationFilter
      Configuration
    9.2. DigestAuthenticationFilter
      Configuration
  10. Remember-Me Authentication
    10.1. Overview
    10.2. Simple Hash-Based Token Approach
    10.3. Persistent Token Approach
    10.4. Remember-Me Interfaces and Implementations
      TokenBasedRememberMeServices
      PersistentTokenBasedRememberMeServices
  11. Session Management
    11.1. SessionManagementFilter
    11.2. SessionAuthenticationStrategy
    11.3. Concurrency Control
  12. Anonymous Authentication
    12.1. Overview
    12.2. Configuration
    12.3. AuthenticationTrustResolver
IV. Authorization
  13. Authorization Architecture
    13.1. Authorities
    13.2. Pre-Invocation Handling
      The AccessDecisionManager

        Voting-Based AccessDecisionManager Implementations
          RoleVoter
          AuthenticatedVoter
          Custom Voters
    13.3. After Invocation Handling
  14. Secure Object Implementations
    14.1. AOP Alliance (MethodInvocation) Security Interceptor
      Explicit MethodSecurityInterceptor Configuration
    14.2. AspectJ (JoinPoint) Security Interceptor
  15. Expression-Based Access Control
    15.1. Overview
      Common Built-In Expressions
    15.2. Web Security Expressions
    15.3. Method Security Expressions
      @Pre and @Post Annotations
        Access Control using @PreAuthorize and @PostAuthorize
        Filtering using @PreFilter and @PostFilter
      Built-In Expressions
        The PermissionEvaluator interface
V. Additional Topics
  16. Domain Object Security (ACLs)
    16.1. Overview
    16.2. Key Concepts
    16.3. Getting Started
  17. Pre-Authentication Scenarios
    17.1. Pre-Authentication Framework Classes
      AbstractPreAuthenticatedProcessingFilter
        J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource
      PreAuthenticatedAuthenticationProvider
      Http403ForbiddenEntryPoint
    17.2. Concrete Implementations
      Request-Header Authentication (Siteminder)
        Siteminder Example Configuration
      J2EE Container Authentication
  18. LDAP Authentication
    18.1. Overview
    18.2. Using LDAP with Spring Security
    18.3. Configuring an LDAP Server
      Using an Embedded Test Server
      Using Bind Authentication
      Loading Authorities
    18.4. Implementation Classes
      LdapAuthenticator Implementations
        Common Functionality

        BindAuthenticator
        PasswordComparisonAuthenticator
        Active Directory Authentication
      Connecting to the LDAP Server
      LDAP Search Objects
        FilterBasedLdapUserSearch
      LdapAuthoritiesPopulator
      Spring Bean Configuration
      LDAP Attributes and Customized UserDetails
  19. JSP Tag Libraries
    19.1. Declaring the Taglib
    19.2. The authorize Tag
    19.3. The authentication Tag
    19.4. The accesscontrollist Tag
  20. Java Authentication and Authorization Service (JAAS) Provider
    20.1. Overview
    20.2. Configuration
      JAAS CallbackHandler
      JAAS AuthorityGranter
  21. CAS Authentication
    21.1. Overview
    21.2. How CAS Works
    21.3. Configuration of CAS Client
  22. X.509 Authentication
    22.1. Overview
    22.2. Adding X.509 Authentication to Your Web Application
    22.3. Setting up SSL in Tomcat
  23. Run-As Authentication Replacement
    23.1. Overview
    23.2. Configuration
A. Security Database Schema
  A.1. User Schema
    Group Authorities
  A.2. Persistent Login (Remember-Me) Schema
  A.3. ACL Schema
    Hypersonic SQL
    PostgreSQL
B. The Security Namespace
  B.1. Web Application Security - the <http> Element
    <http> Attributes
      servlet-api-provision
      path-type
      lowercase-comparisons
      realm
      entry-point-ref

      access-decision-manager-ref
      access-denied-page
      once-per-request
      create-session
      use-expressions
      disable-url-rewriting
    <access-denied-handler>
    The <intercept-url> Element
      pattern
      method
      access
      requires-channel
      filters
    The <port-mappings> Element
    The <form-login> Element
      login-page
      login-processing-url
      default-target-url
      always-use-default-target
      authentication-failure-url
      authentication-success-handler-ref
      authentication-failure-handler-ref
    The <http-basic> Element
    The <remember-me> Element
      data-source-ref
      token-repository-ref
      services-ref
      token-repository-ref
      The key Attribute
      token-validity-seconds
      user-service-ref
    The <session-management> Element
      session-fixation-protection
      The <concurrency-control> Element
        The max-sessions attribute
        The expired-url attribute
        The error-if-maximum-exceeded attribute
        The session-registry-alias and session-registry-ref attributes
    The <anonymous> Element
    The <x509> Element
      The subject-principal-regex attribute
      The user-service-ref attribute
    The <openid-login> Element
    The <logout> Element

      The logout-url attribute
      The logout-success-url attribute
      The invalidate-session attribute
    The <custom-filter> Element
    The <request-cache> Element
    The <http-firewall> Element
  B.2. Authentication Services
    The <authentication-manager> Element
    The <authentication-provider> Element

Security is an ever-moving target, and it's important to pursue a comprehensive, system-wide approach. In security circles we encourage you to adopt "layers of security", so that each layer tries to be as secure as possible in its own right, with successive layers providing additional security. The "tighter"