Spring Security

Reference Documentation

Ben Alex, Luke Taylor


I. Getting Started
1. Introduction
1.1. What is Spring Security?
1.2. History
1.3. Release Numbering
1.4. Getting the Source
2. Security Namespace Configuration
2.1. Introduction
2.1.1. Design of the Namespace
2.2. Getting Started with Security Namespace Configuration
2.2.1. web.xml Configuration
2.2.2. A Minimal <http> Configuration What does auto-config Include? Form and Basic Login Options
2.2.3. Using other Authentication Providers Adding a Password Encoder
2.3. Advanced Web Features
2.3.1. Remember-Me Authentication
2.3.2. Adding HTTP/HTTPS Channel Security
2.3.3. Concurrent Session Control
2.3.4. OpenID Login
2.3.5. Adding in Your Own Filters Setting a Custom AuthenticationEntryPoint
2.3.6. Session Fixation Attack Protection
2.4. Method Security
2.4.1. The <global-method-security> Element Adding Security Pointcuts using protect-pointcut
2.4.2. The intercept-methods Bean Decorator
2.5. The Default AccessDecisionManager
2.5.1. Customizing the AccessDecisionManager
2.6. The Default Authentication Manager
3. Sample Applications
3.1. Tutorial Sample
3.2. Contacts
3.3. LDAP Sample
3.4. CAS Sample
3.5. Pre-Authentication Sample
4. Spring Security Community
4.1. Issue Tracking
4.2. Becoming Involved
4.3. Further Information
II. Overall Architecture
5. Technical Overview
5.1. Runtime Environment
5.2. Shared Components
5.2.1. SecurityContextHolder, SecurityContext and Authentication Objects
5.2.2. The UserDetailsService
5.2.3. GrantedAuthority
5.2.4. Summary
5.3. Authentication
5.3.1. ExceptionTranslationFilter
5.3.2. AuthenticationEntryPoint
5.3.3. AuthenticationProvider
5.3.4. Setting the SecurityContextHolder Contents Directly
5.4. Secure Objects
5.4.1. Security and AOP Advice
5.4.2. AbstractSecurityInterceptor What are Configuration Attributes? RunAsManager AfterInvocationManager Extending the Secure Object Model
6. Supporting Infrastructure
6.1. Localization
6.2. Filters
6.3. Tag Libraries
6.3.1. Configuration
6.3.2. Usage
7. Channel Security
7.1. Overview
7.2. Configuration
7.3. Conclusion
III. Authentication
8. Common Authentication Services
8.1. Mechanisms, Providers and Entry Points
8.2. UserDetails and Associated Types
8.2.1. In-Memory Authentication
8.2.2. JDBC Authentication Default User Database Schema
8.3. Concurrent Session Handling
8.4. Authentication Tag Libraries
9. DAO Authentication Provider
9.1. Overview
9.2. Configuration
10. LDAP Authentication
10.1. Overview
10.2. Using LDAP with Spring Security
10.3. Configuring an LDAP Server
10.3.1. Using an Embedded Test Server
10.3.2. Using Bind Authentication
10.3.3. Loading Authorities
10.4. Implementation Classes
10.4.1. LdapAuthenticator Implementations Common Functionality BindAuthenticator PasswordComparisonAuthenticator Active Directory Authentication
10.4.2. Connecting to the LDAP Server
10.4.3. LDAP Search Objects FilterBasedLdapUserSearch
10.4.4. LdapAuthoritiesPopulator
10.4.5. Spring Bean Configuration
10.4.6. LDAP Attributes and Customized UserDetails
11. Form Authentication Mechanism
11.1. Overview
11.2. Configuration
12. BASIC Authentication Mechanism
12.1. Overview
12.2. Configuration
13. Digest Authentication
13.1. Overview
13.2. Configuration
14. Remember-Me Authentication
14.1. Overview
14.2. Simple Hash-Based Token Approach
14.3. Persistent Token Approach
14.4. Remember-Me Interfaces and Implementations
14.4.1. TokenBasedRememberMeServices
14.4.2. PersistentTokenBasedRememberMeServices
15. Java Authentication and Authorization Service (JAAS) Provider
15.1. Overview
15.2. Configuration
15.2.1. JAAS CallbackHandler
15.2.2. JAAS AuthorityGranter
16. Pre-Authentication Scenarios
16.1. Pre-Authentication Framework Classes
16.1.1. AbstractPreAuthenticatedProcessingFilter
16.1.2. AbstractPreAuthenticatedAuthenticationDetailsSource J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource
16.1.3. PreAuthenticatedAuthenticationProvider
16.1.4. PreAuthenticatedProcessingFilterEntryPoint
16.2. Concrete Implementations
16.2.1. Request-Header Authentication (Siteminder) Siteminder Example Configuration
16.2.2. J2EE Container Authentication
17. Anonymous Authentication
17.1. Overview
17.2. Configuration
18. X.509 Authentication
18.1. Overview
18.2. Adding X.509 Authentication to Your Web Application
18.3. Setting up SSL in Tomcat
19. CAS Authentication
19.1. Overview
19.2. How CAS Works
19.3. Configuration of CAS Client
20. Run-As Authentication Replacement
20.1. Overview
20.2. Configuration
21. Container Adapter Authentication
21.1. Overview
21.2. Adapter Authentication Provider
21.3. Jetty
21.4. JBoss
21.5. Resin
21.6. Tomcat
IV. Authorization
22. Common Authorization Concepts
22.1. Authorities
22.2. Pre-Invocation Handling
22.2.1. The AccessDecisionManager Voting-Based AccessDecisionManager Implementations
22.3. After Invocation Handling
22.3.1. ACL-Aware AfterInvocationProviders
22.3.2. ACL-Aware AfterInvocationProviders (old ACL module)
22.4. Authorization Tag Libraries
23. Secure Object Implementations
23.1. AOP Alliance (MethodInvocation) Security Interceptor
23.1.1. Explicit MethodSecurityIterceptor Configuration
23.2. AspectJ (JoinPoint) Security Interceptor
23.3. FilterInvocation Security Interceptor
24. Domain Object Security
24.1. Overview
24.2. Key Concepts
24.3. Getting Started
A. Security Database Schema
A.1. User Schema
A.1.1. Group Authorities
A.2. Persistent Login (Remember-Me) Schema
A.3. ACL Schema
B. The Security Namespace
B.1. Web Application Security - the <http> Element
B.1.1. <http> Attributes
B.1.1.1. servlet-api-provision
B.1.1.2. path-type
B.1.1.3. lowercase-comparisons
B.1.1.4. session-fixation-protection
B.1.1.5. realm
B.1.1.6. entry-point-ref
B.1.1.7. access-decision-manager-ref
B.1.1.8. access-denied-page
B.1.1.9. once-per-request
B.1.1.10. create-session
B.1.2. The <intercept-url> Element
B.1.2.1. pattern
B.1.2.2. method
B.1.2.3. access
B.1.2.4. requires-channel
B.1.3. The <port-mappings> Element
B.1.4. The <form-login> Element
B.1.4.1. login-page
B.1.4.2. login-processing-url
B.1.4.3. default-target-url
B.1.4.4. always-use-default-target
B.1.4.5. authentication-failure-url
B.1.5. The <http-basic> Element
B.1.6. The <remember-me> Element
B.1.6.1. data-source-ref
B.1.6.2. token-repository-ref
B.1.6.3. services-ref
B.1.6.4. token-repository-ref
B.1.6.5. The key Attribute
B.1.6.6. token-validity-seconds
B.1.6.7. user-service-ref
B.1.7. The <concurrent-session-control> Element
B.1.7.1. The max-sessions attribute
B.1.7.2. The expired-url attribute
B.1.7.3. The exception-if-maximum-exceeded attribute
B.1.7.4. The session-registry-alias and session-registry-ref attributes
B.1.8. The <anonymous> Element
B.1.9. The <x509> Element
B.1.9.1. The subject-principal-regex attribute
B.1.9.2. The user-service-ref attribute
B.1.10. The <openid-login> Element
B.1.11. The <logout> Element
B.1.11.1. The logout-url attribute
B.1.11.2. The logout-success-url attribute
B.1.11.3. The invalidate-session attribute
B.2. Authentication Services
B.2.1. The <authentication-provider> Element
B.2.2. Using <custom-authentication-provider> to register an AuthenticationProvider
B.2.3. The <authentication-manager> Element
B.3. Method Security
B.3.1. The <global-method-security> Element
B.3.1.1. The <secured-annotations> and <jsr250-annotations> Attributes
B.3.1.2. Securing Methods using <protect-pointcut>
B.3.2. LDAP Namespace Options
B.3.2.1. Defining the LDAP Server using the <ldap-server> Element
B.3.2.2. The <ldap-provider> Element
B.3.2.3. The <ldap-user-service> Element