Spring Security

Reference Documentation

Authors

Ben Alex , Luke Taylor

3.2.0.CI-SNAPSHOT


Table of Contents

Preface
I. Getting Started
1. Introduction
1.1. What is Spring Security?
1.2. History
1.3. Release Numbering
1.4. Getting Spring Security
1.4.1. Project Modules
Core - spring-security-core.jar
Remoting - spring-security-remoting.jar
Web - spring-security-web.jar
Config - spring-security-config.jar
LDAP - spring-security-ldap.jar
ACL - spring-security-acl.jar
CAS - spring-security-cas.jar
OpenID - spring-security-openid.jar
1.4.2. Checking out the Source
2. What's new in Spring Security 3.1
2.1. High level updates found Spring Security 3.1
2.2. Spring Security 3.1 namespace updates
3. Security Namespace Configuration
3.1. Introduction
3.1.1. Design of the Namespace
3.2. Getting Started with Security Namespace Configuration
3.2.1. web.xml Configuration
3.2.2. A Minimal <http> Configuration
3.2.3. Form and Basic Login Options
Setting a Default Post-Login Destination
3.2.4. Logout Handling
3.2.5. Using other Authentication Providers
Adding a Password Encoder
3.3. Advanced Web Features
3.3.1. Remember-Me Authentication
3.3.2. Adding HTTP/HTTPS Channel Security
3.3.3. Session Management
Detecting Timeouts
Concurrent Session Control
Session Fixation Attack Protection
3.3.4. OpenID Support
Attribute Exchange
3.3.5. Response Headers
3.3.6. Adding in Your Own Filters
Setting a Custom AuthenticationEntryPoint
3.4. Method Security
3.4.1. The <global-method-security> Element
Adding Security Pointcuts using protect-pointcut
3.5. The Default AccessDecisionManager
3.5.1. Customizing the AccessDecisionManager
3.6. The Authentication Manager and the Namespace
4. Sample Applications
4.1. Tutorial Sample
4.2. Contacts
4.3. LDAP Sample
4.4. OpenID Sample
4.5. CAS Sample
4.6. JAAS Sample
4.7. Pre-Authentication Sample
5. Spring Security Community
5.1. Issue Tracking
5.2. Becoming Involved
5.3. Further Information
II. Architecture and Implementation
6. Technical Overview
6.1. Runtime Environment
6.2. Core Components
6.2.1. SecurityContextHolder, SecurityContext and Authentication Objects
Obtaining information about the current user
6.2.2. The UserDetailsService
6.2.3. GrantedAuthority
6.2.4. Summary
6.3. Authentication
6.3.1. What is authentication in Spring Security?
6.3.2. Setting the SecurityContextHolder Contents Directly
6.4. Authentication in a Web Application
6.4.1. ExceptionTranslationFilter
6.4.2. AuthenticationEntryPoint
6.4.3. Authentication Mechanism
6.4.4. Storing the SecurityContext between requests
6.5. Access-Control (Authorization) in Spring Security
6.5.1. Security and AOP Advice
6.5.2. Secure Objects and the AbstractSecurityInterceptor
What are Configuration Attributes?
RunAsManager
AfterInvocationManager
Extending the Secure Object Model
6.6. Localization
7. Core Services
7.1. The AuthenticationManager, ProviderManager and AuthenticationProviders
7.1.1. Erasing Credentials on Successful Authentication
7.1.2. DaoAuthenticationProvider
7.2. UserDetailsService Implementations
7.2.1. In-Memory Authentication
7.2.2. JdbcDaoImpl
Authority Groups
7.3. Password Encoding
7.3.1. What is a hash?
7.3.2. Adding Salt to a Hash
7.3.3. Hashing and Authentication
III. Web Application Security
8. The Security Filter Chain
8.1. DelegatingFilterProxy
8.2. FilterChainProxy
8.2.1. Bypassing the Filter Chain
8.3. Filter Ordering
8.4. Request Matching and HttpFirewall
8.5. Use with other Filter-Based Frameworks
8.6. Advanced Namespace Configuration
9. Core Security Filters
9.1. FilterSecurityInterceptor
9.2. ExceptionTranslationFilter
9.2.1. AuthenticationEntryPoint
9.2.2. AccessDeniedHandler
9.2.3. SavedRequests and the RequestCache Interface
9.3. SecurityContextPersistenceFilter
9.3.1. SecurityContextRepository
9.4. UsernamePasswordAuthenticationFilter
9.4.1. Application Flow on Authentication Success and Failure
10. Servlet API integration
10.1. Servlet 2.5+ Integration
10.1.1. HttpServletRequest.getRemoteUser()
10.1.2. HttpServletRequest.getUserPrincipal()
10.1.3. HttpServletRequest.isUserInRole(String)
10.2. Servlet 3+ Integration
10.2.1. HttpServletRequest.authenticate(HttpServletRequest,HttpServletResponse)
10.2.2. HttpServletRequest.login(String,String)
10.2.3. HttpServletRequest.logout()
10.2.4. AsyncContext.start(Runnable)
10.2.5. Async Servlet Support
10.3. Servlet 3.1+ Integration
10.3.1. HttpServletRequest#changeSessionId()
11. Basic and Digest Authentication
11.1. BasicAuthenticationFilter
11.1.1. Configuration
11.2. DigestAuthenticationFilter
11.2.1. Configuration
12. Remember-Me Authentication
12.1. Overview
12.2. Simple Hash-Based Token Approach
12.3. Persistent Token Approach
12.4. Remember-Me Interfaces and Implementations
12.4.1. TokenBasedRememberMeServices
12.4.2. PersistentTokenBasedRememberMeServices
13. Cross Site Request Forgery (CSRF)
13.1. CSRF Attacks
13.2. Synchronizer Token Pattern
13.3. When to use CSRF protection
13.3.1. CSRF protection and JSON
13.3.2. CSRF and Stateless Browser Applications
13.4. Using Spring Security CSRF Protection
13.4.1. Use proper HTTP verbs
13.4.2. Configure CSRF Protection
13.4.3. Include the CSRF Token
Form Submissions
Ajax and JSON Requests
13.5. CSRF Caveats
13.5.1. Timeouts
13.5.2. Logging In
13.5.3. Logging Out
13.5.4. Multipart (file upload)
Placing MultipartFilter before Spring Security
Include CSRF token in action
13.5.5. HiddenHttpMethodFilter
13.6. Overriding Defaults
14. Security Headers
14.1. Default Security Headers
14.1.1. Cache Control
14.1.2. Content Type Options
14.1.3. HTTP Strict Transport Security (HSTS)
14.1.4. X-Frame-Options
14.1.5. X-XSS-Protection
14.2. Custom Headers
14.2.1. Static Headers
14.2.2. Headers Writer
14.2.3. DelegatingRequestMatcherHeaderWriter
15. Session Management
15.1. SessionManagementFilter
15.2. SessionAuthenticationStrategy
15.3. Concurrency Control
15.3.1. Querying the SessionRegistry for currently authenticated users and their sessions
16. Anonymous Authentication
16.1. Overview
16.2. Configuration
16.3. AuthenticationTrustResolver
IV. Authorization
17. Authorization Architecture
17.1. Authorities
17.2. Pre-Invocation Handling
17.2.1. The AccessDecisionManager
17.2.2. Voting-Based AccessDecisionManager Implementations
RoleVoter
AuthenticatedVoter
Custom Voters
17.3. After Invocation Handling
17.4. Hierarchical Roles
18. Secure Object Implementations
18.1. AOP Alliance (MethodInvocation) Security Interceptor
18.1.1. Explicit MethodSecurityInterceptor Configuration
18.2. AspectJ (JoinPoint) Security Interceptor
19. Expression-Based Access Control
19.1. Overview
19.1.1. Common Built-In Expressions
19.2. Web Security Expressions
19.3. Method Security Expressions
19.3.1. @Pre and @Post Annotations
Access Control using @PreAuthorize and @PostAuthorize
Filtering using @PreFilter and @PostFilter
19.3.2. Built-In Expressions
The PermissionEvaluator interface
V. Additional Topics
20. Domain Object Security (ACLs)
20.1. Overview
20.2. Key Concepts
20.3. Getting Started
21. Pre-Authentication Scenarios
21.1. Pre-Authentication Framework Classes
21.1.1. AbstractPreAuthenticatedProcessingFilter
J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource
21.1.2. PreAuthenticatedAuthenticationProvider
21.1.3. Http403ForbiddenEntryPoint
21.2. Concrete Implementations
21.2.1. Request-Header Authentication (Siteminder)
Siteminder Example Configuration
21.2.2. J2EE Container Authentication
22. LDAP Authentication
22.1. Overview
22.2. Using LDAP with Spring Security
22.3. Configuring an LDAP Server
22.3.1. Using an Embedded Test Server
22.3.2. Using Bind Authentication
22.3.3. Loading Authorities
22.4. Implementation Classes
22.4.1. LdapAuthenticator Implementations
Common Functionality
BindAuthenticator
PasswordComparisonAuthenticator
22.4.2. Connecting to the LDAP Server
22.4.3. LDAP Search Objects
FilterBasedLdapUserSearch
22.4.4. LdapAuthoritiesPopulator
22.4.5. Spring Bean Configuration
22.4.6. LDAP Attributes and Customized UserDetails
22.5. Active Directory Authentication
22.5.1. ActiveDirectoryLdapAuthenticationProvider
Active Directory Error Codes
23. JSP Tag Libraries
23.1. Declaring the Taglib
23.2. The authorize Tag
23.2.1. Disabling Tag Authorization for Testing
23.3. The authenticationTag
23.4. The accesscontrollist Tag
24. Java Authentication and Authorization Service (JAAS) Provider
24.1. Overview
24.2. AbstractJaasAuthenticationProvider
24.2.1. JAAS CallbackHandler
24.2.2. JAAS AuthorityGranter
24.3. DefaultJaasAuthenticationProvider
24.3.1. InMemoryConfiguration
24.3.2. DefaultJaasAuthenticationProvider Example Configuration
24.4. JaasAuthenticationProvider
24.5. Running as a Subject
25. CAS Authentication
25.1. Overview
25.2. How CAS Works
25.2.1. Spring Security and CAS Interaction Sequence
25.3. Configuration of CAS Client
25.3.1. Service Ticket Authentication
25.3.2. Single Logout
25.3.3. Authenticating to a Stateless Service with CAS
Configuring CAS to Obtain Proxy Granting Tickets
Calling a Stateless Service Using a Proxy Ticket
25.3.4. Proxy Ticket Authentication
26. X.509 Authentication
26.1. Overview
26.2. Adding X.509 Authentication to Your Web Application
26.3. Setting up SSL in Tomcat
27. Run-As Authentication Replacement
27.1. Overview
27.2. Configuration
28. Spring Security Crypto Module
28.1. Introduction
28.2. Encryptors
28.2.1. BytesEncryptor
28.2.2. TextEncryptor
28.3. Key Generators
28.3.1. BytesKeyGenerator
28.3.2. StringKeyGenerator
28.4. Password Encoding
A. Security Database Schema
A.1. User Schema
A.1.1. Group Authorities
A.2. Persistent Login (Remember-Me) Schema
A.3. ACL Schema
A.3.1. Hypersonic SQL
A.3.2. PostgreSQL
B. The Security Namespace
B.1. Web Application Security
B.1.1. <debug>
B.1.2. <http>
<http> Attributes
Child Elements of <http>
B.1.3. <access-denied-handler>
Parent Elements of <access-denied-handler>
<access-denied-handler> Attributes
B.1.4. <headers>
Parent Elements of <headers>
Child Elements of <headers>
B.1.5. <cache-control>
Parent Elements of <cache-control>
B.1.6. <hsts>
<hsts> Attributes
Parent Elements of <hsts>
B.1.7. <frame-options>
<frame-options> Attributes
Parent Elements of <frame-options>
B.1.8. <xss-protection>
Parent Elements of <xss-protection>
B.1.9. <content-type-options>
Parent Elements of <content-type-options>
B.1.10. <header>
<header-attributes> Attributes
Parent Elements of <header>
B.1.11. <anonymous>
Parent Elements of <anonymous>
<anonymous> Attributes
B.1.12. <csrf>
Parent Elements of <csrf>
<csrf> Attributes
B.1.13. <custom-filter>
Parent Elements of <custom-filter>
<custom-filter> Attributes
B.1.14. <expression-handler>
Parent Elements of <expression-handler>
<expression-handler> Attributes
B.1.15. <form-login>
Parent Elements of <form-login>
<form-login> Attributes
B.1.16. <http-basic>
Parent Elements of <http-basic>
<http-basic> Attributes
B.1.17. <http-firewall> Element
<http-firewall> Attributes
B.1.18. <intercept-url>
Parent Elements of <intercept-url>
<intercept-url> Attributes
B.1.19. <jee>
Parent Elements of <jee>
<jee> Attributes
B.1.20. <logout>
Parent Elements of <logout>
<logout> Attributes
B.1.21. <openid-login>
Parent Elements of <openid-login>
<openid-login> Attributes
Child Elements of <openid-login>
B.1.22. <attribute-exchange>
Parent Elements of <attribute-exchange>
<attribute-exchange> Attributes
Child Elements of <attribute-exchange>
B.1.23. <openid-attribute>
Parent Elements of <openid-attribute>
<openid-attribute> Attributes
B.1.24. <port-mappings>
Parent Elements of <port-mappings>
Child Elements of <port-mappings>
B.1.25. <port-mapping>
Parent Elements of <port-mapping>
<port-mapping> Attributes
B.1.26. <remember-me>
Parent Elements of <remember-me>
<remember-me> Attributes
B.1.27. <request-cache> Element
Parent Elements of <request-cache>
<request-cache> Attributes
B.1.28. <session-management>
Parent Elements of <session-management>
<session-management> Attributes
Child elements of <session-management>
B.1.29. <concurrency-control>
Parent Elements of <concurrency-control>
<concurrency-control> Attributes
B.1.30. <x509>
Parent Elements of <x509>
<x509> Attributes
B.1.31. <filter-chain-map>
<filter-chain-map> Attributes
Child Elements of <filter-chain-map>
B.1.32. <filter-chain>
Parent Elements of <filter-chain>
<filter-chain> Attributes
B.1.33. <filter-invocation-definition-source>
<filter-invocation-definition-source> Attributes
Child Elements of <filter-invocation-definition-source>
B.1.34. <filter-security-metadata-source>
<filter-security-metadata-source> Attributes
Child Elements of <filter-security-metadata-source>
B.2. Authentication Services
B.2.1. <authentication-manager>
<authentication-manager> Attributes
Child Elements of <authentication-manager>
B.2.2. <authentication-provider>
Parent Elements of <authentication-provider>
<authentication-provider> Attributes
Child Elements of <authentication-provider>
B.2.3. <jdbc-user-service>
<jdbc-user-service> Attributes
B.2.4. <password-encoder>
Parent Elements of <password-encoder>
<password-encoder> Attributes
Child Elements of <password-encoder>
B.2.5. <salt-source>
Parent Elements of <salt-source>
<salt-source> Attributes
B.2.6. <user-service>
<user-service> Attributes
Child Elements of <user-service>
B.2.7. <user>
Parent Elements of <user>
<user> Attributes
B.3. Method Security
B.3.1. <global-method-security>
<global-method-security> Attributes
Child Elements of <global-method-security>
B.3.2. <after-invocation-provider>
Parent Elements of <after-invocation-provider>
<after-invocation-provider> Attributes
B.3.3. <pre-post-annotation-handling>
Parent Elements of <pre-post-annotation-handling>
Child Elements of <pre-post-annotation-handling>
B.3.4. <invocation-attribute-factory>
Parent Elements of <invocation-attribute-factory>
<invocation-attribute-factory> Attributes
B.3.5. <post-invocation-advice>
Parent Elements of <post-invocation-advice>
<post-invocation-advice> Attributes
B.3.6. <pre-invocation-advice>
Parent Elements of <pre-invocation-advice>
<pre-invocation-advice> Attributes
B.3.7. Securing Methods using <protect-pointcut>
Parent Elements of <protect-pointcut>
<protect-pointcut> Attributes
B.3.8. <intercept-methods>
<intercept-methods> Attributes
Child Elements of <intercept-methods>
B.3.9. <method-security-metadata-source>
<method-security-metadata-source> Attributes
Child Elements of <method-security-metadata-source>
B.3.10. <protect>
Parent Elements of <protect>
<protect> Attributes
B.4. LDAP Namespace Options
B.4.1. Defining the LDAP Server using the <ldap-server> Element
<ldap-server> Attributes
B.4.2. <ldap-authentication-provider>
Parent Elements of <ldap-authentication-provider>
<ldap-authentication-provider> Attributes
Child Elements of <ldap-authentication-provider>
B.4.3. <password-compare>
Parent Elements of <password-compare>
<password-compare> Attributes
Child Elements of <password-compare>
B.4.4. <ldap-user-service>
<ldap-user-service> Attributes
C. Spring Security Dependencies
C.1. spring-security-core
C.2. spring-security-remoting
C.3. spring-security-web
C.4. spring-security-ldap
C.5. spring-security-config
C.6. spring-security-acl
C.7. spring-security-cas
C.8. spring-security-openid
C.9. spring-security-taglibs