Spring Security
		Next

Spring Security

Reference Documentation

Ben Alex

Luke Taylor

3.0.8.RELEASE

Table of Contents

Preface

I. Getting Started

1. Introduction

1.1. What is Spring Security?

1.2. History

1.3. Release Numbering

1.4. Getting Spring Security

1.4.1. Project Modules
1.4.2. Checking out the Source

2. Security Namespace Configuration

2.1. Introduction

2.1.1. Design of the Namespace

2.2. Getting Started with Security Namespace Configuration

2.2.1. web.xml Configuration
2.2.2. A Minimal <http> Configuration
2.2.3. Using other Authentication Providers

2.3. Advanced Web Features

2.3.1. Remember-Me Authentication
2.3.2. Adding HTTP/HTTPS Channel Security
2.3.3. Session Management
2.3.4. OpenID Support
2.3.5. Adding in Your Own Filters

2.4. Method Security

2.4.1. The <global-method-security> Element

2.5. The Default AccessDecisionManager

2.5.1. Customizing the AccessDecisionManager

2.6. The Authentication Manager and the Namespace

3. Sample Applications

3.1. Tutorial Sample
3.2. Contacts
3.3. LDAP Sample
3.4. CAS Sample
3.5. Pre-Authentication Sample

4. Spring Security Community

4.1. Issue Tracking
4.2. Becoming Involved
4.3. Further Information

II. Architecture and Implementation

5. Technical Overview

5.1. Runtime Environment

5.2. Core Components

5.2.1. SecurityContextHolder, SecurityContext and Authentication Objects
5.2.2. The UserDetailsService
5.2.3. GrantedAuthority
5.2.4. Summary

5.3. Authentication

5.3.1. What is authentication in Spring Security?
5.3.2. Setting the SecurityContextHolder Contents Directly

5.4. Authentication in a Web Application

5.4.1. ExceptionTranslationFilter
5.4.2. AuthenticationEntryPoint
5.4.3. Authentication Mechanism
5.4.4. Storing the SecurityContext between requests

5.5. Access-Control (Authorization) in Spring Security

5.5.1. Security and AOP Advice
5.5.2. Secure Objects and the AbstractSecurityInterceptor

5.6. Localization

6. Core Services

6.1. The AuthenticationManager, ProviderManager and AuthenticationProviders

6.1.1. DaoAuthenticationProvider
6.1.2. Erasing Credentials on Successful Authentication

6.2. UserDetailsService Implementations

6.2.1. In-Memory Authentication
6.2.2. JdbcDaoImpl

6.3. Password Encoding

6.3.1. What is a hash?
6.3.2. Adding Salt to a Hash
6.3.3. Hashing and Authentication

III. Web Application Security

7. The Security Filter Chain

7.1. DelegatingFilterProxy

7.2. FilterChainProxy

7.2.1. Bypassing the Filter Chain

7.3. Filter Ordering

7.4. Request Matching and HttpFirewall

7.5. Use with other Filter-Based Frameworks

8. Core Security Filters

8.1. FilterSecurityInterceptor

8.2. ExceptionTranslationFilter

8.2.1. AuthenticationEntryPoint
8.2.2. AccessDeniedHandler

8.3. SecurityContextPersistenceFilter

8.3.1. SecurityContextRepository

8.4. UsernamePasswordAuthenticationFilter

8.4.1. Application Flow on Authentication Success and Failure

9. Basic and Digest Authentication

9.1. BasicAuthenticationFilter

9.1.1. Configuration

9.2. DigestAuthenticationFilter

9.2.1. Configuration

10. Remember-Me Authentication

10.1. Overview

10.2. Simple Hash-Based Token Approach

10.3. Persistent Token Approach

10.4. Remember-Me Interfaces and Implementations

10.4.1. TokenBasedRememberMeServices
10.4.2. PersistentTokenBasedRememberMeServices

11. Session Management

11.1. SessionManagementFilter
11.2. SessionAuthenticationStrategy
11.3. Concurrency Control

12. Anonymous Authentication

12.1. Overview
12.2. Configuration
12.3. AuthenticationTrustResolver

IV. Authorization

13. Authorization Architecture

13.1. Authorities

13.2. Pre-Invocation Handling

13.2.1. The AccessDecisionManager
13.2.2. Voting-Based AccessDecisionManager Implementations

13.3. After Invocation Handling

14. Secure Object Implementations

14.1. AOP Alliance (MethodInvocation) Security Interceptor

14.1.1. Explicit MethodSecurityInterceptor Configuration

14.2. AspectJ (JoinPoint) Security Interceptor

15. Expression-Based Access Control

15.1. Overview

15.1.1. Common Built-In Expressions

15.2. Web Security Expressions

15.3. Method Security Expressions

15.3.1. @Pre and @Post Annotations
15.3.2. Built-In Expressions

V. Additional Topics

16. Domain Object Security (ACLs)

16.1. Overview
16.2. Key Concepts
16.3. Getting Started

17. Pre-Authentication Scenarios

17.1. Pre-Authentication Framework Classes

17.1.1. AbstractPreAuthenticatedProcessingFilter
17.1.2. AbstractPreAuthenticatedAuthenticationDetailsSource
17.1.3. PreAuthenticatedAuthenticationProvider
17.1.4. Http403ForbiddenEntryPoint

17.2. Concrete Implementations

17.2.1. Request-Header Authentication (Siteminder)
17.2.2. J2EE Container Authentication

18. LDAP Authentication

18.1. Overview

18.2. Using LDAP with Spring Security

18.3. Configuring an LDAP Server

18.3.1. Using an Embedded Test Server
18.3.2. Using Bind Authentication
18.3.3. Loading Authorities

18.4. Implementation Classes

18.4.1. LdapAuthenticator Implementations
18.4.2. Connecting to the LDAP Server
18.4.3. LDAP Search Objects
18.4.4. LdapAuthoritiesPopulator
18.4.5. Spring Bean Configuration
18.4.6. LDAP Attributes and Customized UserDetails

19. JSP Tag Libraries

19.1. Declaring the Taglib
19.2. The authorize Tag
19.3. The authenticationTag
19.4. The accesscontrollist Tag

20. Java Authentication and Authorization Service (JAAS) Provider

20.1. Overview

20.2. Configuration

20.2.1. JAAS CallbackHandler
20.2.2. JAAS AuthorityGranter

21. CAS Authentication

21.1. Overview
21.2. How CAS Works
21.3. Configuration of CAS Client

22. X.509 Authentication

22.1. Overview
22.2. Adding X.509 Authentication to Your Web Application
22.3. Setting up SSL in Tomcat

23. Run-As Authentication Replacement

23.1. Overview
23.2. Configuration

A. Security Database Schema

A.1. User Schema

A.1.1. Group Authorities

A.2. Persistent Login (Remember-Me) Schema

A.3. ACL Schema

A.3.1. Hypersonic SQL

B. The Security Namespace

B.1. Web Application Security - the <http> Element

B.1.1. <http> Attributes
B.1.2. <access-denied-handler>
B.1.3. The <intercept-url> Element
B.1.4. The <port-mappings> Element
B.1.5. The <form-login> Element
B.1.6. The <http-basic> Element
B.1.7. The <remember-me> Element
B.1.8. The <session-management> Element
B.1.9. The <concurrency-control> Element
B.1.10. The <anonymous> Element
B.1.11. The <x509> Element
B.1.12. The <openid-login> Element
B.1.13. The <logout> Element
B.1.14. The <custom-filter> Element
B.1.15. The request-cache Element
B.1.16. The <http-firewall> Element

B.2. Authentication Services

B.2.1. The <authentication-manager> Element

B.3. Method Security

B.3.1. The <global-method-security> Element
B.3.2. LDAP Namespace Options

		Next
		Preface