Spring Security

Reference Documentation

Ben Alex

Luke Taylor


Table of Contents

I. Getting Started
1. Introduction
1.1. What is Spring Security?
1.2. History
1.3. Release Numbering
1.4. Getting Spring Security
1.4.1. Project Modules
Core - spring-security-core.jar
Remoting - spring-security-remoting.jar
Web - spring-security-web.jar
Config - spring-security-config.jar
LDAP - spring-security-ldap.jar
ACL - spring-security-acl.jar
CAS - spring-security-cas.jar
OpenID - spring-security-openid.jar
1.4.2. Checking out the Source
2. What's new in Spring Security 3.1
2.1. High level updates found Spring Security 3.1
2.2. Spring Security 3.1 namespace updates
3. Security Namespace Configuration
3.1. Introduction
3.1.1. Design of the Namespace
3.2. Getting Started with Security Namespace Configuration
3.2.1. web.xml Configuration
3.2.2. A Minimal <http> Configuration
What does auto-config Include?
3.2.3. Form and Basic Login Options
Setting a Default Post-Login Destination
3.2.4. Logout Handling
3.2.5. Using other Authentication Providers
Adding a Password Encoder
3.3. Advanced Web Features
3.3.1. Remember-Me Authentication
3.3.2. Adding HTTP/HTTPS Channel Security
3.3.3. Session Management
Detecting Timeouts
Concurrent Session Control
Session Fixation Attack Protection
3.3.4. OpenID Support
Attribute Exchange
3.3.5. Adding in Your Own Filters
Setting a Custom AuthenticationEntryPoint
3.4. Method Security
3.4.1. The <global-method-security> Element
Adding Security Pointcuts using protect-pointcut
3.5. The Default AccessDecisionManager
3.5.1. Customizing the AccessDecisionManager
3.6. The Authentication Manager and the Namespace
4. Sample Applications
4.1. Tutorial Sample
4.2. Contacts
4.3. LDAP Sample
4.4. OpenID Sample
4.5. CAS Sample
4.6. JAAS Sample
4.7. Pre-Authentication Sample
5. Spring Security Community
5.1. Issue Tracking
5.2. Becoming Involved
5.3. Further Information
II. Architecture and Implementation
6. Technical Overview
6.1. Runtime Environment
6.2. Core Components
6.2.1. SecurityContextHolder, SecurityContext and Authentication Objects
Obtaining information about the current user
6.2.2. The UserDetailsService
6.2.3. GrantedAuthority
6.2.4. Summary
6.3. Authentication
6.3.1. What is authentication in Spring Security?
6.3.2. Setting the SecurityContextHolder Contents Directly
6.4. Authentication in a Web Application
6.4.1. ExceptionTranslationFilter
6.4.2. AuthenticationEntryPoint
6.4.3. Authentication Mechanism
6.4.4. Storing the SecurityContext between requests
6.5. Access-Control (Authorization) in Spring Security
6.5.1. Security and AOP Advice
6.5.2. Secure Objects and the AbstractSecurityInterceptor
What are Configuration Attributes?
Extending the Secure Object Model
6.6. Localization
7. Core Services
7.1. The AuthenticationManager, ProviderManager and AuthenticationProviders
7.1.1. Erasing Credentials on Successful Authentication
7.1.2. DaoAuthenticationProvider
7.2. UserDetailsService Implementations
7.2.1. In-Memory Authentication
7.2.2. JdbcDaoImpl
Authority Groups
7.3. Password Encoding
7.3.1. What is a hash?
7.3.2. Adding Salt to a Hash
7.3.3. Hashing and Authentication
III. Web Application Security
8. The Security Filter Chain
8.1. DelegatingFilterProxy
8.2. FilterChainProxy
8.2.1. Bypassing the Filter Chain
8.3. Filter Ordering
8.4. Request Matching and HttpFirewall
8.5. Use with other Filter-Based Frameworks
8.6. Advanced Namespace Configuration
9. Core Security Filters
9.1. FilterSecurityInterceptor
9.2. ExceptionTranslationFilter
9.2.1. AuthenticationEntryPoint
9.2.2. AccessDeniedHandler
9.2.3. SavedRequests and the RequestCache Interface
9.3. SecurityContextPersistenceFilter
9.3.1. SecurityContextRepository
9.4. UsernamePasswordAuthenticationFilter
9.4.1. Application Flow on Authentication Success and Failure
10. Basic and Digest Authentication
10.1. BasicAuthenticationFilter
10.1.1. Configuration
10.2. DigestAuthenticationFilter
10.2.1. Configuration
11. Remember-Me Authentication
11.1. Overview
11.2. Simple Hash-Based Token Approach
11.3. Persistent Token Approach
11.4. Remember-Me Interfaces and Implementations
11.4.1. TokenBasedRememberMeServices
11.4.2. PersistentTokenBasedRememberMeServices
12. Session Management
12.1. SessionManagementFilter
12.2. SessionAuthenticationStrategy
12.3. Concurrency Control
12.3.1. Querying the SessionRegistry for currently authenticated users and their sessions
13. Anonymous Authentication
13.1. Overview
13.2. Configuration
13.3. AuthenticationTrustResolver
IV. Authorization
14. Authorization Architecture
14.1. Authorities
14.2. Pre-Invocation Handling
14.2.1. The AccessDecisionManager
14.2.2. Voting-Based AccessDecisionManager Implementations
Custom Voters
14.3. After Invocation Handling
14.4. Hierarchical Roles
15. Secure Object Implementations
15.1. AOP Alliance (MethodInvocation) Security Interceptor
15.1.1. Explicit MethodSecurityInterceptor Configuration
15.2. AspectJ (JoinPoint) Security Interceptor
16. Expression-Based Access Control
16.1. Overview
16.1.1. Common Built-In Expressions
16.2. Web Security Expressions
16.3. Method Security Expressions
16.3.1. @Pre and @Post Annotations
Access Control using @PreAuthorize and @PostAuthorize
Filtering using @PreFilter and @PostFilter
16.3.2. Built-In Expressions
The PermissionEvaluator interface
V. Additional Topics
17. Domain Object Security (ACLs)
17.1. Overview
17.2. Key Concepts
17.3. Getting Started
18. Pre-Authentication Scenarios
18.1. Pre-Authentication Framework Classes
18.1.1. AbstractPreAuthenticatedProcessingFilter
18.1.2. PreAuthenticatedAuthenticationProvider
18.1.3. Http403ForbiddenEntryPoint
18.2. Concrete Implementations
18.2.1. Request-Header Authentication (Siteminder)
Siteminder Example Configuration
18.2.2. J2EE Container Authentication
19. LDAP Authentication
19.1. Overview
19.2. Using LDAP with Spring Security
19.3. Configuring an LDAP Server
19.3.1. Using an Embedded Test Server
19.3.2. Using Bind Authentication
19.3.3. Loading Authorities
19.4. Implementation Classes
19.4.1. LdapAuthenticator Implementations
Common Functionality
19.4.2. Connecting to the LDAP Server
19.4.3. LDAP Search Objects
19.4.4. LdapAuthoritiesPopulator
19.4.5. Spring Bean Configuration
19.4.6. LDAP Attributes and Customized UserDetails
19.5. Active Directory Authentication
19.5.1. ActiveDirectoryLdapAuthenticationProvider
Active Directory Error Codes
20. JSP Tag Libraries
20.1. Declaring the Taglib
20.2. The authorize Tag
20.2.1. Disabling Tag Authorization for Testing
20.3. The authenticationTag
20.4. The accesscontrollist Tag
21. Java Authentication and Authorization Service (JAAS) Provider
21.1. Overview
21.2. AbstractJaasAuthenticationProvider
21.2.1. JAAS CallbackHandler
21.2.2. JAAS AuthorityGranter
21.3. DefaultJaasAuthenticationProvider
21.3.1. InMemoryConfiguration
21.3.2. DefaultJaasAuthenticationProvider Example Configuration
21.4. JaasAuthenticationProvider
21.5. Running as a Subject
22. CAS Authentication
22.1. Overview
22.2. How CAS Works
22.2.1. Spring Security and CAS Interaction Sequence
22.3. Configuration of CAS Client
22.3.1. Service Ticket Authentication
22.3.2. Single Logout
22.3.3. Authenticating to a Stateless Service with CAS
Configuring CAS to Obtain Proxy Granting Tickets
Calling a Stateless Service Using a Proxy Ticket
22.3.4. Proxy Ticket Authentication
23. X.509 Authentication
23.1. Overview
23.2. Adding X.509 Authentication to Your Web Application
23.3. Setting up SSL in Tomcat
24. Run-As Authentication Replacement
24.1. Overview
24.2. Configuration
25. Spring Security Crypto Module
25.1. Introduction
25.2. Encryptors
25.2.1. BytesEncryptor
25.2.2. TextEncryptor
25.3. Key Generators
25.3.1. BytesKeyGenerator
25.3.2. StringKeyGenerator
25.4. Password Encoding
A. Security Database Schema
A.1. User Schema
A.1.1. Group Authorities
A.2. Persistent Login (Remember-Me) Schema
A.3. ACL Schema
A.3.1. Hypersonic SQL
A.3.2. PostgreSQL
B. The Security Namespace
B.1. Web Application Security
B.1.1. <debug>
B.1.2. <http>
<http> Attributes
Child Elements of <http>
B.1.3. <access-denied-handler>
Parent Elements of <access-denied-handler>
<access-denied-handler> Attributes
B.1.4. <anonymous>
Parent Elements of <anonymous>
<anonymous> Attributes
B.1.5. <custom-filter>
Parent Elements of <custom-filter>
<custom-filter> Attributes
B.1.6. <expression-handler>
Parent Elements of <expression-handler>
<expression-handler> Attributes
B.1.7. <form-login>
Parent Elements of <form-login>
<form-login> Attributes
B.1.8. <http-basic>
Parent Elements of <http-basic>
<http-basic> Attributes
B.1.9. <http-firewall> Element
<http-firewall> Attributes
B.1.10. <intercept-url>
Parent Elements of <intercept-url>
<intercept-url> Attributes
B.1.11. <jee>
Parent Elements of <jee>
<jee> Attributes
B.1.12. <logout>
Parent Elements of <logout>
<logout> Attributes
B.1.13. <openid-login>
Parent Elements of <openid-login>
<openid-login> Attributes
Child Elements of <openid-login>
B.1.14. <attribute-exchange>
Parent Elements of <attribute-exchange>
<attribute-exchange> Attributes
Child Elements of <attribute-exchange>
B.1.15. <openid-attribute>
Parent Elements of <openid-attribute>
<openid-attribute> Attributes
B.1.16. <port-mappings>
Parent Elements of <port-mappings>
Child Elements of <port-mappings>
B.1.17. <port-mapping>
Parent Elements of <port-mapping>
<port-mapping> Attributes
B.1.18. <remember-me>
Parent Elements of <remember-me>
<remember-me> Attributes
B.1.19. <request-cache> Element
Parent Elements of <request-cache>
<request-cache> Attributes
B.1.20. <session-management>
Parent Elements of <session-management>
<session-management> Attributes
Child elements of <session-management>
B.1.21. <concurrency-control>
Parent Elements of <concurrency-control>
<concurrency-control> Attributes
B.1.22. <x509>
Parent Elements of <x509>
<x509> Attributes
B.1.23. <filter-chain-map>
<filter-chain-map> Attributes
Child Elements of <filter-chain-map>
B.1.24. <filter-chain>
Parent Elements of <filter-chain>
<filter-chain> Attributes
B.1.25. <filter-invocation-definition-source>
<filter-invocation-definition-source> Attributes
Child Elements of <filter-invocation-definition-source>
B.1.26. <filter-security-metadata-source>
<filter-security-metadata-source> Attributes
Child Elements of <filter-security-metadata-source>
B.2. Authentication Services
B.2.1. <authentication-manager>
<authentication-manager> Attributes
Child Elements of <authentication-manager>
B.2.2. <authentication-provider>
Parent Elements of <authentication-provider>
<authentication-provider> Attributes
Child Elements of <authentication-provider>
B.2.3. <jdbc-user-service>
<jdbc-user-service> Attributes
B.2.4. <password-encoder>
Parent Elements of <password-encoder>
<password-encoder> Attributes
Child Elements of <password-encoder>
B.2.5. <salt-source>
Parent Elements of <salt-source>
<salt-source> Attributes
B.2.6. <user-service>
<user-service> Attributes
Child Elements of <user-service>
B.2.7. <user>
Parent Elements of <user>
<user> Attributes
B.3. Method Security
B.3.1. <global-method-security>
<global-method-security> Attributes
Child Elements of <global-method-security>
B.3.2. <after-invocation-provider>
Parent Elements of <after-invocation-provider>
<after-invocation-provider> Attributes
B.3.3. <pre-post-annotation-handling>
Parent Elements of <pre-post-annotation-handling>
Child Elements of <pre-post-annotation-handling>
B.3.4. <invocation-attribute-factory>
Parent Elements of <invocation-attribute-factory>
<invocation-attribute-factory> Attributes
B.3.5. <post-invocation-advice>
Parent Elements of <post-invocation-advice>
<post-invocation-advice> Attributes
B.3.6. <pre-invocation-advice>
Parent Elements of <pre-invocation-advice>
<pre-invocation-advice> Attributes
B.3.7. Securing Methods using <protect-pointcut>
Parent Elements of <protect-pointcut>
<protect-pointcut> Attributes
B.3.8. <intercept-methods>
<intercept-methods> Attributes
Child Elements of <intercept-methods>
B.3.9. <method-security-metadata-source>
<method-security-metadata-source> Attributes
Child Elements of <method-security-metadata-source>
B.3.10. <protect>
Parent Elements of <protect>
<protect> Attributes
B.4. LDAP Namespace Options
B.4.1. Defining the LDAP Server using the <ldap-server> Element
<ldap-server> Attributes
B.4.2. <ldap-authentication-provider>
Parent Elements of <ldap-authentication-provider>
<ldap-authentication-provider> Attributes
Child Elements of <ldap-authentication-provider>
B.4.3. <password-compare>
Parent Elements of <password-compare>
<password-compare> Attributes
Child Elements of <password-compare>
B.4.4. <ldap-user-service>
<ldap-user-service> Attributes
C. Spring Security Dependencies
C.1. spring-security-core
C.2. spring-security-remoting
C.3. spring-security-web
C.4. spring-security-ldap
C.5. spring-security-config
C.6. spring-security-acl
C.7. spring-security-cas
C.8. spring-security-openid
C.9. spring-security-taglibs