Spring Security Reference

Authors

Ben Alex, Luke Taylor, Rob Winch

Table of Contents

I. Preface
II. Getting Started
1. Introduction
1.1. What is Spring Security?
1.2. History
1.3. Release Numbering
1.4. Getting Spring Security
1.4.1. Usage with Maven
Maven Repositories
Spring Framework Bom
1.4.2. Gradle
Gradle Repositories
Using Spring 4.0.x and Gradle
1.4.3. Project Modules
Core - spring-security-core.jar
Remoting - spring-security-remoting.jar
Web - spring-security-web.jar
Config - spring-security-config.jar
LDAP - spring-security-ldap.jar
ACL - spring-security-acl.jar
CAS - spring-security-cas.jar
OpenID - spring-security-openid.jar
1.4.4. Checking out the Source
2. What’s new in Spring Security 3.2
3. Java Configuration
3.1. Hello Web Security Java Configuration
3.1.1. AbstractSecurityWebApplicationInitializer
3.1.2. AbstractSecurityWebApplicationInitializer without Existing Spring
3.1.3. AbstractSecurityWebApplicationInitializer with Spring MVC
3.2. HttpSecurity
3.3. Java Configuration and Form Login
3.4. Authorize Requests
3.5. Authentication
3.5.1. In Memory Authentication
3.5.2. JDBC Authentication
3.5.3. LDAP Authentication
3.6. Multiple HttpSecurity
3.7. Method Security
3.7.1. EnableGlobalMethodSecurity
3.7.2. GlobalMethodSecurityConfiguration
3.8. Post Processing Configured Objects
4. Security Namespace Configuration
4.1. Introduction
4.1.1. Design of the Namespace
4.2. Getting Started with Security Namespace Configuration
4.2.1. web.xml Configuration
4.2.2. A Minimal <http> Configuration
4.2.3. Form and Basic Login Options
Setting a Default Post-Login Destination
4.2.4. Logout Handling
4.2.5. Using other Authentication Providers
Adding a Password Encoder
4.3. Advanced Web Features
4.3.1. Remember-Me Authentication
4.3.2. Adding HTTP/HTTPS Channel Security
4.3.3. Session Management
Detecting Timeouts
Concurrent Session Control
Session Fixation Attack Protection
4.3.4. OpenID Support
Attribute Exchange
4.3.5. Response Headers
4.3.6. Adding in Your Own Filters
Setting a Custom AuthenticationEntryPoint
4.4. Method Security
4.4.1. The <global-method-security> Element
Adding Security Pointcuts using protect-pointcut
4.5. The Default AccessDecisionManager
4.5.1. Customizing the AccessDecisionManager
4.6. The Authentication Manager and the Namespace
5. Sample Applications
5.1. Tutorial Sample
5.2. Contacts
5.3. LDAP Sample
5.4. OpenID Sample
5.5. CAS Sample
5.6. JAAS Sample
5.7. Pre-Authentication Sample
6. Spring Security Community
6.1. Issue Tracking
6.2. Becoming Involved
6.3. Further Information
III. Architecture and Implementation
7. Technical Overview
7.1. Runtime Environment
7.2. Core Components
7.2.1. SecurityContextHolder, SecurityContext and Authentication Objects
Obtaining information about the current user
7.2.2. The UserDetailsService
7.2.3. GrantedAuthority
7.2.4. Summary
7.3. Authentication
7.3.1. What is authentication in Spring Security?
7.3.2. Setting the SecurityContextHolder Contents Directly
7.4. Authentication in a Web Application
7.4.1. ExceptionTranslationFilter
7.4.2. AuthenticationEntryPoint
7.4.3. Authentication Mechanism
7.4.4. Storing the SecurityContext between requests
7.5. Access-Control (Authorization) in Spring Security
7.5.1. Security and AOP Advice
7.5.2. Secure Objects and the AbstractSecurityInterceptor
What are Configuration Attributes?
RunAsManager
AfterInvocationManager
Extending the Secure Object Model
7.6. Localization
8. Core Services
8.1. The AuthenticationManager, ProviderManager and AuthenticationProvider
8.1.1. Erasing Credentials on Successful Authentication
8.1.2. DaoAuthenticationProvider
8.2. UserDetailsService Implementations
8.2.1. In-Memory Authentication
8.2.2. JdbcDaoImpl
Authority Groups
8.3. Password Encoding
8.3.1. What is a hash?
8.3.2. Adding Salt to a Hash
8.3.3. Hashing and Authentication
IV. Web Application Security
9. The Security Filter Chain
9.1. DelegatingFilterProxy
9.2. FilterChainProxy
9.2.1. Bypassing the Filter Chain
9.3. Filter Ordering
9.4. Request Matching and HttpFirewall
9.5. Use with other Filter-Based Frameworks
9.6. Advanced Namespace Configuration
10. Core Security Filters
10.1. FilterSecurityInterceptor
10.2. ExceptionTranslationFilter
10.2.1. AuthenticationEntryPoint
10.2.2. AccessDeniedHandler
10.2.3. SavedRequests and the RequestCache Interface
10.3. SecurityContextPersistenceFilter
10.3.1. SecurityContextRepository
10.4. UsernamePasswordAuthenticationFilter
10.4.1. Application Flow on Authentication Success and Failure
11. Servlet API integration
11.1. Servlet 2.5+ Integration
11.1.1. HttpServletRequest.getRemoteUser()
11.1.2. HttpServletRequest.getUserPrincipal()
11.1.3. HttpServletRequest.isUserInRole(String)
11.2. Servlet 3+ Integration
11.2.1. HttpServletRequest.authenticate(HttpServletRequest,HttpServletResponse)
11.2.2. HttpServletRequest.login(String,String)
11.2.3. HttpServletRequest.logout()
11.2.4. AsyncContext.start(Runnable)
11.2.5. Async Servlet Support
11.3. Servlet 3.1+ Integration
11.3.1. HttpServletRequest#changeSessionId()
12. Basic and Digest Authentication
12.1. BasicAuthenticationFilter
12.1.1. Configuration
12.2. DigestAuthenticationFilter
12.2.1. Configuration
13. Remember-Me Authentication
13.1. Overview
13.2. Simple Hash-Based Token Approach
13.3. Persistent Token Approach
13.4. Remember-Me Interfaces and Implementations
13.4.1. TokenBasedRememberMeServices
13.4.2. PersistentTokenBasedRememberMeServices
14. Cross Site Request Forgery (CSRF)
14.1. CSRF Attacks
14.2. Synchronizer Token Pattern
14.3. When to use CSRF protection
14.3.1. CSRF protection and JSON
14.3.2. CSRF and Stateless Browser Applications
14.4. Using Spring Security CSRF Protection
14.4.1. Use proper HTTP verbs
14.4.2. Configure CSRF Protection
14.4.3. Include the CSRF Token
Form Submissions
Ajax and JSON Requests
14.5. CSRF Caveats
14.5.1. Timeouts
14.5.2. Logging In
14.5.3. Logging Out
14.5.4. Multipart (file upload)
Placing MultipartFilter before Spring Security
Include CSRF token in action
14.5.5. HiddenHttpMethodFilter
14.6. Overriding Defaults
15. Security HTTP Response Headers
15.1. Default Security Headers
15.1.1. Cache Control
15.1.2. Content Type Options
15.1.3. HTTP Strict Transport Security (HSTS)
15.1.4. X-Frame-Options
15.1.5. X-XSS-Protection
15.2. Custom Headers
15.2.1. Static Headers
15.2.2. Headers Writer
15.2.3. DelegatingRequestMatcherHeaderWriter
16. Session Management
16.1. SessionManagementFilter
16.2. SessionAuthenticationStrategy
16.3. Concurrency Control
16.3.1. Querying the SessionRegistry for currently authenticated users and their sessions
17. Anonymous Authentication
17.1. Overview
17.2. Configuration
17.3. AuthenticationTrustResolver
V. Authorization
18. Authorization Architecture
18.1. Authorities
18.2. Pre-Invocation Handling
18.2.1. The AccessDecisionManager
18.2.2. Voting-Based AccessDecisionManager Implementations
RoleVoter
AuthenticatedVoter
Custom Voters
18.3. After Invocation Handling
18.4. Hierarchical Roles
19. Secure Object Implementations
19.1. AOP Alliance (MethodInvocation) Security Interceptor
19.1.1. Explicit MethodSecurityInterceptor Configuration
19.2. AspectJ (JoinPoint) Security Interceptor
20. Expression-Based Access Control
20.1. Overview
20.1.1. Common Built-In Expressions
20.2. Web Security Expressions
20.3. Method Security Expressions
20.3.1. @Pre and @Post Annotations
Access Control using @PreAuthorize and @PostAuthorize
Filtering using @PreFilter and @PostFilter
20.3.2. Built-In Expressions
The PermissionEvaluator interface
VI. Additional Topics
21. Domain Object Security (ACLs)
21.1. Overview
21.2. Key Concepts
21.3. Getting Started
22. Pre-Authentication Scenarios
22.1. Pre-Authentication Framework Classes
22.1.1. AbstractPreAuthenticatedProcessingFilter
J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource
22.1.2. PreAuthenticatedAuthenticationProvider
22.1.3. Http403ForbiddenEntryPoint
22.2. Concrete Implementations
22.2.1. Request-Header Authentication (Siteminder)
Siteminder Example Configuration
22.2.2. Java EE Container Authentication
23. LDAP Authentication
23.1. Overview
23.2. Using LDAP with Spring Security
23.3. Configuring an LDAP Server
23.3.1. Using an Embedded Test Server
23.3.2. Using Bind Authentication
23.3.3. Loading Authorities
23.4. Implementation Classes
23.4.1. LdapAuthenticator Implementations
Common Functionality
BindAuthenticator
PasswordComparisonAuthenticator
23.4.2. Connecting to the LDAP Server
23.4.3. LDAP Search Objects
FilterBasedLdapUserSearch
23.4.4. LdapAuthoritiesPopulator
23.4.5. Spring Bean Configuration
23.4.6. LDAP Attributes and Customized UserDetails
23.5. Active Directory Authentication
23.5.1. ActiveDirectoryLdapAuthenticationProvider
Active Directory Error Codes
24. JSP Tag Libraries
24.1. Declaring the Taglib
24.2. The authorize Tag
24.2.1. Disabling Tag Authorization for Testing
24.3. The authentication Tag
24.4. The accesscontrollist Tag
24.5. The csrfInput Tag
24.6. The csrfMetaTags Tag
25. Java Authentication and Authorization Service (JAAS) Provider
25.1. Overview
25.2. AbstractJaasAuthenticationProvider
25.2.1. JAAS CallbackHandler
25.2.2. JAAS AuthorityGranter
25.3. DefaultJaasAuthenticationProvider
25.3.1. InMemoryConfiguration
25.3.2. DefaultJaasAuthenticationProvider Example Configuration
25.4. JaasAuthenticationProvider
25.5. Running as a Subject
26. CAS Authentication
26.1. Overview
26.2. How CAS Works
26.2.1. Spring Security and CAS Interaction Sequence
26.3. Configuration of CAS Client
26.3.1. Service Ticket Authentication
26.3.2. Single Logout
26.3.3. Authenticating to a Stateless Service with CAS
Configuring CAS to Obtain Proxy Granting Tickets
Calling a Stateless Service Using a Proxy Ticket
26.3.4. Proxy Ticket Authentication
27. X.509 Authentication
27.1. Overview
27.2. Adding X.509 Authentication to Your Web Application
27.3. Setting up SSL in Tomcat
28. Run-As Authentication Replacement
28.1. Overview
28.2. Configuration
29. Spring Security Crypto Module
29.1. Introduction
29.2. Encryptors
29.2.1. BytesEncryptor
29.2.2. TextEncryptor
29.3. Key Generators
29.3.1. BytesKeyGenerator
29.3.2. StringKeyGenerator
29.4. Password Encoding
30. Concurrency Support
30.1. DelegatingSecurityContextRunnable
30.2. DelegatingSecurityContextExecutor
30.3. Spring Security Concurrency Classes
31. Spring MVC Integration
31.1. @EnableWebMvcSecurity
31.2. @AuthenticationPrincipal
31.3. Spring MVC Async Integration
31.4. Spring MVC and CSRF Integration
VII. Appendix
32. Security Database Schema
32.1. User Schema
32.1.1. Group Authorities
32.2. Persistent Login (Remember-Me) Schema
32.3. ACL Schema
32.3.1. HyperSQL
32.3.2. PostgreSQL
32.3.3. MySQL and MariaDB
32.3.4. Microsoft SQL Server
32.3.5. Oracle Database
33. The Security Namespace
33.1. Web Application Security
33.1.1. <debug>
33.1.2. <http>
<http> Attributes
Child Elements of <http>
33.1.3. <access-denied-handler>
Parent Elements of <access-denied-handler>
<access-denied-handler> Attributes
33.1.4. <headers>
<headers> Attributes
Parent Elements of <headers>
Child Elements of <headers>
33.1.5. <cache-control>
Parent Elements of <cache-control>
33.1.6. <hsts>
<hsts> Attributes
Parent Elements of <hsts>
33.1.7. <frame-options>
<frame-options> Attributes
Parent Elements of <frame-options>
33.1.8. <xss-protection>
<xss-protection> Attributes
Parent Elements of <xss-protection>
33.1.9. <content-type-options>
Parent Elements of <content-type-options>
33.1.10. <header>
<header-attributes> Attributes
Parent Elements of <header>
33.1.11. <anonymous>
Parent Elements of <anonymous>
<anonymous> Attributes
33.1.12. <csrf>
Parent Elements of <csrf>
<csrf> Attributes
33.1.13. <custom-filter>
Parent Elements of <custom-filter>
<custom-filter> Attributes
33.1.14. <expression-handler>
Parent Elements of <expression-handler>
<expression-handler> Attributes
33.1.15. <form-login>
Parent Elements of <form-login>
<form-login> Attributes
33.1.16. <http-basic>
Parent Elements of <http-basic>
<http-basic> Attributes
33.1.17. <http-firewall> Element
<http-firewall> Attributes
33.1.18. <intercept-url>
Parent Elements of <intercept-url>
<intercept-url> Attributes
33.1.19. <jee>
Parent Elements of <jee>
<jee> Attributes
33.1.20. <logout>
Parent Elements of <logout>
<logout> Attributes
33.1.21. <openid-login>
Parent Elements of <openid-login>
<openid-login> Attributes
Child Elements of <openid-login>
33.1.22. <attribute-exchange>
Parent Elements of <attribute-exchange>
<attribute-exchange> Attributes
Child Elements of <attribute-exchange>
33.1.23. <openid-attribute>
Parent Elements of <openid-attribute>
<openid-attribute> Attributes
33.1.24. <port-mappings>
Parent Elements of <port-mappings>
Child Elements of <port-mappings>
33.1.25. <port-mapping>
Parent Elements of <port-mapping>
<port-mapping> Attributes
33.1.26. <remember-me>
Parent Elements of <remember-me>
<remember-me> Attributes
33.1.27. <request-cache> Element
Parent Elements of <request-cache>
<request-cache> Attributes
33.1.28. <session-management>
Parent Elements of <session-management>
<session-management> Attributes
Child Elements of <session-management>
33.1.29. <concurrency-control>
Parent Elements of <concurrency-control>
<concurrency-control> Attributes
33.1.30. <x509>
Parent Elements of <x509>
<x509> Attributes
33.1.31. <filter-chain-map>
<filter-chain-map> Attributes
Child Elements of <filter-chain-map>
33.1.32. <filter-chain>
Parent Elements of <filter-chain>
<filter-chain> Attributes
33.1.33. <filter-security-metadata-source>
<filter-security-metadata-source> Attributes
Child Elements of <filter-security-metadata-source>
33.2. Message/WebSocket Security
33.2.1. <messages>
<messages> Attributes
Child Elements of <messages>
33.2.2. <message-interceptor>
Parent Elements of <message-interceptor>
<message-interceptor> Attributes
33.3. Authentication Services
33.3.1. <authentication-manager>
<authentication-manager> Attributes
Child Elements of <authentication-manager>
33.3.2. <authentication-provider>
Parent Elements of <authentication-provider>
<authentication-provider> Attributes
Child Elements of <authentication-provider>
33.3.3. <jdbc-user-service>
<jdbc-user-service> Attributes
33.3.4. <password-encoder>
Parent Elements of <password-encoder>
<password-encoder> Attributes
Child Elements of <password-encoder>
33.3.5. <salt-source>
Parent Elements of <salt-source>
<salt-source> Attributes
33.3.6. <user-service>
<user-service> Attributes
Child Elements of <user-service>
33.3.7. <user>
Parent Elements of <user>
<user> Attributes
33.4. Method Security
33.4.1. <global-method-security>
<global-method-security> Attributes
Child Elements of <global-method-security>
33.4.2. <after-invocation-provider>
Parent Elements of <after-invocation-provider>
<after-invocation-provider> Attributes
33.4.3. <pre-post-annotation-handling>
Parent Elements of <pre-post-annotation-handling>
Child Elements of <pre-post-annotation-handling>
33.4.4. <invocation-attribute-factory>
Parent Elements of <invocation-attribute-factory>
<invocation-attribute-factory> Attributes
33.4.5. <post-invocation-advice>
Parent Elements of <post-invocation-advice>
<post-invocation-advice> Attributes
33.4.6. <pre-invocation-advice>
Parent Elements of <pre-invocation-advice>
<pre-invocation-advice> Attributes
33.4.7. Securing Methods using <protect-pointcut>
Parent Elements of <protect-pointcut>
<protect-pointcut> Attributes
33.4.8. <intercept-methods>
<intercept-methods> Attributes
Child Elements of <intercept-methods>
33.4.9. <method-security-metadata-source>
<method-security-metadata-source> Attributes
Child Elements of <method-security-metadata-source>
33.4.10. <protect>
Parent Elements of <protect>
<protect> Attributes
33.5. LDAP Namespace Options
33.5.1. Defining the LDAP Server using the <ldap-server> Element
<ldap-server> Attributes
33.5.2. <ldap-authentication-provider>
Parent Elements of <ldap-authentication-provider>
<ldap-authentication-provider> Attributes
Child Elements of <ldap-authentication-provider>
33.5.3. <password-compare>
Parent Elements of <password-compare>
<password-compare> Attributes
Child Elements of <password-compare>
33.5.4. <ldap-user-service>
<ldap-user-service> Attributes
34. Spring Security Dependencies
34.1. spring-security-core
34.2. spring-security-remoting
34.3. spring-security-web
34.4. spring-security-ldap
34.5. spring-security-config
34.6. spring-security-acl
34.7. spring-security-cas
34.8. spring-security-openid
34.9. spring-security-taglibs