Spring Security
		Next

Spring Security

Reference Documentation

Ben Alex

Luke Taylor

3.1.7.RELEASE

Table of Contents

Preface

I. Getting Started

1. Introduction

1.1. What is Spring Security?

1.2. History

1.3. Release Numbering

1.4. Getting Spring Security

1.4.1. Project Modules

Core - spring-security-core.jar
Remoting - spring-security-remoting.jar
Web - spring-security-web.jar
Config - spring-security-config.jar
LDAP - spring-security-ldap.jar
ACL - spring-security-acl.jar
CAS - spring-security-cas.jar
OpenID - spring-security-openid.jar

1.4.2. Checking out the Source

2. What's new in Spring Security 3.1

2.1. High level updates found Spring Security 3.1
2.2. Spring Security 3.1 namespace updates

3. Security Namespace Configuration

3.1. Introduction

3.1.1. Design of the Namespace

3.2. Getting Started with Security Namespace Configuration

3.2.1. web.xml Configuration

3.2.2. A Minimal <http> Configuration

What does auto-config Include?

3.2.3. Form and Basic Login Options

Setting a Default Post-Login Destination

3.2.4. Logout Handling

3.2.5. Using other Authentication Providers

Adding a Password Encoder

3.3. Advanced Web Features

3.3.1. Remember-Me Authentication

3.3.2. Adding HTTP/HTTPS Channel Security

3.3.3. Session Management

Detecting Timeouts
Concurrent Session Control
Session Fixation Attack Protection

3.3.4. OpenID Support

Attribute Exchange

3.3.5. Adding in Your Own Filters

Setting a Custom AuthenticationEntryPoint

3.4. Method Security

3.4.1. The <global-method-security> Element

Adding Security Pointcuts using protect-pointcut

3.5. The Default AccessDecisionManager

3.5.1. Customizing the AccessDecisionManager

3.6. The Authentication Manager and the Namespace

4. Sample Applications

4.1. Tutorial Sample
4.2. Contacts
4.3. LDAP Sample
4.4. OpenID Sample
4.5. CAS Sample
4.6. JAAS Sample
4.7. Pre-Authentication Sample

5. Spring Security Community

5.1. Issue Tracking
5.2. Becoming Involved
5.3. Further Information

II. Architecture and Implementation

6. Technical Overview

6.1. Runtime Environment

6.2. Core Components

6.2.1. SecurityContextHolder, SecurityContext and Authentication Objects

Obtaining information about the current user

6.2.2. The UserDetailsService

6.2.3. GrantedAuthority

6.2.4. Summary

6.3. Authentication

6.3.1. What is authentication in Spring Security?
6.3.2. Setting the SecurityContextHolder Contents Directly

6.4. Authentication in a Web Application

6.4.1. ExceptionTranslationFilter
6.4.2. AuthenticationEntryPoint
6.4.3. Authentication Mechanism
6.4.4. Storing the SecurityContext between requests

6.5. Access-Control (Authorization) in Spring Security

6.5.1. Security and AOP Advice

6.5.2. Secure Objects and the AbstractSecurityInterceptor

What are Configuration Attributes?
RunAsManager
AfterInvocationManager
Extending the Secure Object Model

6.6. Localization

7. Core Services

7.1. The AuthenticationManager, ProviderManager and AuthenticationProviders

7.1.1. Erasing Credentials on Successful Authentication
7.1.2. DaoAuthenticationProvider

7.2. UserDetailsService Implementations

7.2.1. In-Memory Authentication

7.2.2. JdbcDaoImpl

Authority Groups

7.3. Password Encoding

7.3.1. What is a hash?
7.3.2. Adding Salt to a Hash
7.3.3. Hashing and Authentication

III. Web Application Security

8. The Security Filter Chain

8.1. DelegatingFilterProxy

8.2. FilterChainProxy

8.2.1. Bypassing the Filter Chain

8.3. Filter Ordering

8.4. Request Matching and HttpFirewall

8.5. Use with other Filter-Based Frameworks

8.6. Advanced Namespace Configuration

9. Core Security Filters

9.1. FilterSecurityInterceptor

9.2. ExceptionTranslationFilter

9.2.1. AuthenticationEntryPoint
9.2.2. AccessDeniedHandler
9.2.3. SavedRequests and the RequestCache Interface

9.3. SecurityContextPersistenceFilter

9.3.1. SecurityContextRepository

9.4. UsernamePasswordAuthenticationFilter

9.4.1. Application Flow on Authentication Success and Failure

10. Basic and Digest Authentication

10.1. BasicAuthenticationFilter

10.1.1. Configuration

10.2. DigestAuthenticationFilter

10.2.1. Configuration

11. Remember-Me Authentication

11.1. Overview

11.2. Simple Hash-Based Token Approach

11.3. Persistent Token Approach

11.4. Remember-Me Interfaces and Implementations

11.4.1. TokenBasedRememberMeServices
11.4.2. PersistentTokenBasedRememberMeServices

12. Session Management

12.1. SessionManagementFilter

12.2. SessionAuthenticationStrategy

12.3. Concurrency Control

12.3.1. Querying the SessionRegistry for currently authenticated users and their sessions

13. Anonymous Authentication

13.1. Overview
13.2. Configuration
13.3. AuthenticationTrustResolver

IV. Authorization

14. Authorization Architecture

14.1. Authorities

14.2. Pre-Invocation Handling

14.2.1. The AccessDecisionManager

14.2.2. Voting-Based AccessDecisionManager Implementations

RoleVoter
AuthenticatedVoter
Custom Voters

14.3. After Invocation Handling

14.4. Hierarchical Roles

15. Secure Object Implementations

15.1. AOP Alliance (MethodInvocation) Security Interceptor

15.1.1. Explicit MethodSecurityInterceptor Configuration

15.2. AspectJ (JoinPoint) Security Interceptor

16. Expression-Based Access Control

16.1. Overview

16.1.1. Common Built-In Expressions

16.2. Web Security Expressions

16.3. Method Security Expressions

16.3.1. @Pre and @Post Annotations

Access Control using @PreAuthorize and @PostAuthorize
Filtering using @PreFilter and @PostFilter

16.3.2. Built-In Expressions

The PermissionEvaluator interface

V. Additional Topics

17. Domain Object Security (ACLs)

17.1. Overview
17.2. Key Concepts
17.3. Getting Started

18. Pre-Authentication Scenarios

18.1. Pre-Authentication Framework Classes

18.1.1. AbstractPreAuthenticatedProcessingFilter

J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource

18.1.2. PreAuthenticatedAuthenticationProvider

18.1.3. Http403ForbiddenEntryPoint

18.2. Concrete Implementations

18.2.1. Request-Header Authentication (Siteminder)

Siteminder Example Configuration

18.2.2. J2EE Container Authentication

19. LDAP Authentication

19.1. Overview

19.2. Using LDAP with Spring Security

19.3. Configuring an LDAP Server

19.3.1. Using an Embedded Test Server
19.3.2. Using Bind Authentication
19.3.3. Loading Authorities

19.4. Implementation Classes

19.4.1. LdapAuthenticator Implementations

Common Functionality
BindAuthenticator
PasswordComparisonAuthenticator

19.4.2. Connecting to the LDAP Server

19.4.3. LDAP Search Objects

FilterBasedLdapUserSearch

19.4.4. LdapAuthoritiesPopulator

19.4.5. Spring Bean Configuration

19.4.6. LDAP Attributes and Customized UserDetails

19.5. Active Directory Authentication

19.5.1. ActiveDirectoryLdapAuthenticationProvider

Active Directory Error Codes

20. JSP Tag Libraries

20.1. Declaring the Taglib

20.2. The authorize Tag

20.2.1. Disabling Tag Authorization for Testing

20.3. The authenticationTag

20.4. The accesscontrollist Tag

21. Java Authentication and Authorization Service (JAAS) Provider

21.1. Overview

21.2. AbstractJaasAuthenticationProvider

21.2.1. JAAS CallbackHandler
21.2.2. JAAS AuthorityGranter

21.3. DefaultJaasAuthenticationProvider

21.3.1. InMemoryConfiguration
21.3.2. DefaultJaasAuthenticationProvider Example Configuration

21.4. JaasAuthenticationProvider

21.5. Running as a Subject

22. CAS Authentication

22.1. Overview

22.2. How CAS Works

22.2.1. Spring Security and CAS Interaction Sequence

22.3. Configuration of CAS Client

22.3.1. Service Ticket Authentication

22.3.2. Single Logout

22.3.3. Authenticating to a Stateless Service with CAS

Configuring CAS to Obtain Proxy Granting Tickets
Calling a Stateless Service Using a Proxy Ticket

22.3.4. Proxy Ticket Authentication

23. X.509 Authentication

23.1. Overview
23.2. Adding X.509 Authentication to Your Web Application
23.3. Setting up SSL in Tomcat

24. Run-As Authentication Replacement

24.1. Overview
24.2. Configuration

25. Spring Security Crypto Module

25.1. Introduction

25.2. Encryptors

25.2.1. BytesEncryptor
25.2.2. TextEncryptor

25.3. Key Generators

25.3.1. BytesKeyGenerator
25.3.2. StringKeyGenerator

25.4. Password Encoding

A. Security Database Schema

A.1. User Schema

A.1.1. Group Authorities

A.2. Persistent Login (Remember-Me) Schema

A.3. ACL Schema

A.3.1. Hypersonic SQL
A.3.2. PostgreSQL

B. The Security Namespace

B.1. Web Application Security

B.1.1. <debug>

B.1.2. <http>

<http> Attributes
Child Elements of <http>

B.1.3. <access-denied-handler>

Parent Elements of <access-denied-handler>
<access-denied-handler> Attributes

B.1.4. <anonymous>

Parent Elements of <anonymous>
<anonymous> Attributes

B.1.5. <custom-filter>

Parent Elements of <custom-filter>
<custom-filter> Attributes

B.1.6. <expression-handler>

Parent Elements of <expression-handler>
<expression-handler> Attributes

B.1.7. <form-login>

Parent Elements of <form-login>
<form-login> Attributes

B.1.8. <http-basic>

Parent Elements of <http-basic>
<http-basic> Attributes

B.1.9. <http-firewall> Element

<http-firewall> Attributes

B.1.10. <intercept-url>

Parent Elements of <intercept-url>
<intercept-url> Attributes

B.1.11. <jee>

Parent Elements of <jee>
<jee> Attributes

B.1.12. <logout>

Parent Elements of <logout>
<logout> Attributes

B.1.13. <openid-login>

Parent Elements of <openid-login>
<openid-login> Attributes
Child Elements of <openid-login>

B.1.14. <attribute-exchange>

Parent Elements of <attribute-exchange>
<attribute-exchange> Attributes
Child Elements of <attribute-exchange>

B.1.15. <openid-attribute>

Parent Elements of <openid-attribute>
<openid-attribute> Attributes

B.1.16. <port-mappings>

Parent Elements of <port-mappings>
Child Elements of <port-mappings>

B.1.17. <port-mapping>

Parent Elements of <port-mapping>
<port-mapping> Attributes

B.1.18. <remember-me>

Parent Elements of <remember-me>
<remember-me> Attributes

B.1.19. <request-cache> Element

Parent Elements of <request-cache>
<request-cache> Attributes

B.1.20. <session-management>

Parent Elements of <session-management>
<session-management> Attributes
Child elements of <session-management>

B.1.21. <concurrency-control>

Parent Elements of <concurrency-control>
<concurrency-control> Attributes

B.1.22. <x509>

Parent Elements of <x509>
<x509> Attributes

B.1.23. <filter-chain-map>

<filter-chain-map> Attributes
Child Elements of <filter-chain-map>

B.1.24. <filter-chain>

Parent Elements of <filter-chain>
<filter-chain> Attributes

B.1.25. <filter-invocation-definition-source>

<filter-invocation-definition-source> Attributes
Child Elements of <filter-invocation-definition-source>

B.1.26. <filter-security-metadata-source>

<filter-security-metadata-source> Attributes
Child Elements of <filter-security-metadata-source>

B.2. Authentication Services

B.2.1. <authentication-manager>

<authentication-manager> Attributes
Child Elements of <authentication-manager>

B.2.2. <authentication-provider>

Parent Elements of <authentication-provider>
<authentication-provider> Attributes
Child Elements of <authentication-provider>

B.2.3. <jdbc-user-service>

<jdbc-user-service> Attributes

B.2.4. <password-encoder>

Parent Elements of <password-encoder>
<password-encoder> Attributes
Child Elements of <password-encoder>

B.2.5. <salt-source>

Parent Elements of <salt-source>
<salt-source> Attributes

B.2.6. <user-service>

<user-service> Attributes
Child Elements of <user-service>

B.2.7. <user>

Parent Elements of <user>
<user> Attributes

B.3. Method Security

B.3.1. <global-method-security>

<global-method-security> Attributes
Child Elements of <global-method-security>

B.3.2. <after-invocation-provider>

Parent Elements of <after-invocation-provider>
<after-invocation-provider> Attributes

B.3.3. <pre-post-annotation-handling>

Parent Elements of <pre-post-annotation-handling>
Child Elements of <pre-post-annotation-handling>

B.3.4. <invocation-attribute-factory>

Parent Elements of <invocation-attribute-factory>
<invocation-attribute-factory> Attributes

B.3.5. <post-invocation-advice>

Parent Elements of <post-invocation-advice>
<post-invocation-advice> Attributes

B.3.6. <pre-invocation-advice>

Parent Elements of <pre-invocation-advice>
<pre-invocation-advice> Attributes

B.3.7. Securing Methods using <protect-pointcut>

Parent Elements of <protect-pointcut>
<protect-pointcut> Attributes

B.3.8. <intercept-methods>

<intercept-methods> Attributes
Child Elements of <intercept-methods>

B.3.9. <method-security-metadata-source>

<method-security-metadata-source> Attributes
Child Elements of <method-security-metadata-source>

B.3.10. <protect>

Parent Elements of <protect>
<protect> Attributes

B.4. LDAP Namespace Options

B.4.1. Defining the LDAP Server using the <ldap-server> Element

<ldap-server> Attributes

B.4.2. <ldap-authentication-provider>

Parent Elements of <ldap-authentication-provider>
<ldap-authentication-provider> Attributes
Child Elements of <ldap-authentication-provider>

B.4.3. <password-compare>

Parent Elements of <password-compare>
<password-compare> Attributes
Child Elements of <password-compare>

B.4.4. <ldap-user-service>

<ldap-user-service> Attributes

C. Spring Security Dependencies

C.1. spring-security-core
C.2. spring-security-remoting
C.3. spring-security-web
C.4. spring-security-ldap
C.5. spring-security-config
C.6. spring-security-acl
C.7. spring-security-cas
C.8. spring-security-openid
C.9. spring-security-taglibs

		Next
		Preface