Spring Security Reference

Authors

Ben Alex, Luke Taylor, Rob Winch, Gunnar Hillert

4.1.2.RELEASE

Copies of this document may be made for your own use and for distribution to others, provided that you do not charge any fee for such copies and further provided that each copy contains this Copyright Notice, whether distributed in print or electronically.


Table of Contents

I. Preface
1. Getting Started
2. Introduction
2.1. What is Spring Security?
2.2. History
2.3. Release Numbering
2.4. Getting Spring Security
2.4.1. Usage with Maven
Maven Repositories
Spring Framework Bom
2.4.2. Gradle
Gradle Repositories
Using Spring 4.0.x and Gradle
2.4.3. Project Modules
Core - spring-security-core.jar
Remoting - spring-security-remoting.jar
Web - spring-security-web.jar
Config - spring-security-config.jar
LDAP - spring-security-ldap.jar
ACL - spring-security-acl.jar
CAS - spring-security-cas.jar
OpenID - spring-security-openid.jar
Test - spring-security-test.jar
2.4.4. Checking out the Source
3. What’s New in Spring Security 4.1
3.1. Java Configuration Improvements
3.2. Web Application Security Improvements
3.3. Authorization Improvements
3.4. Crypto Module Improvements
3.5. Testing Improvements
3.6. General Improvements
4. Samples and Guides (Start Here)
5. Java Configuration
5.1. Hello Web Security Java Configuration
5.1.1. AbstractSecurityWebApplicationInitializer
5.1.2. AbstractSecurityWebApplicationInitializer without Existing Spring
5.1.3. AbstractSecurityWebApplicationInitializer with Spring MVC
5.2. HttpSecurity
5.3. Java Configuration and Form Login
5.4. Authorize Requests
5.5. Handling Logouts
5.5.1. LogoutHandler
5.5.2. LogoutSuccessHandler
5.5.3. Further Logout-Related References
5.6. Authentication
5.6.1. In Memory Authentication
5.6.2. JDBC Authentication
5.6.3. LDAP Authentication
5.6.4. AuthenticationProvider
5.6.5. UserDetailsService
5.6.6. LDAP Authentication
5.7. Multiple HttpSecurity
5.8. Method Security
5.8.1. EnableGlobalMethodSecurity
5.8.2. GlobalMethodSecurityConfiguration
5.9. Post Processing Configured Objects
6. Security Namespace Configuration
6.1. Introduction
6.1.1. Design of the Namespace
6.2. Getting Started with Security Namespace Configuration
6.2.1. web.xml Configuration
6.2.2. A Minimal <http> Configuration
6.2.3. Form and Basic Login Options
Setting a Default Post-Login Destination
6.2.4. Logout Handling
6.2.5. Using other Authentication Providers
Adding a Password Encoder
6.3. Advanced Web Features
6.3.1. Remember-Me Authentication
6.3.2. Adding HTTP/HTTPS Channel Security
6.3.3. Session Management
Detecting Timeouts
Concurrent Session Control
Session Fixation Attack Protection
6.3.4. OpenID Support
Attribute Exchange
6.3.5. Response Headers
6.3.6. Adding in Your Own Filters
Setting a Custom AuthenticationEntryPoint
6.4. Method Security
6.4.1. The <global-method-security> Element
Adding Security Pointcuts using protect-pointcut
6.5. The Default AccessDecisionManager
6.5.1. Customizing the AccessDecisionManager
6.6. The Authentication Manager and the Namespace
7. Sample Applications
7.1. Tutorial Sample
7.2. Contacts
7.3. LDAP Sample
7.4. OpenID Sample
7.5. CAS Sample
7.6. JAAS Sample
7.7. Pre-Authentication Sample
8. Spring Security Community
8.1. Issue Tracking
8.2. Becoming Involved
8.3. Further Information
II. Architecture and Implementation
9. Technical Overview
9.1. Runtime Environment
9.2. Core Components
9.2.1. SecurityContextHolder, SecurityContext and Authentication Objects
Obtaining information about the current user
9.2.2. The UserDetailsService
9.2.3. GrantedAuthority
9.2.4. Summary
9.3. Authentication
9.3.1. What is authentication in Spring Security?
9.3.2. Setting the SecurityContextHolder Contents Directly
9.4. Authentication in a Web Application
9.4.1. ExceptionTranslationFilter
9.4.2. AuthenticationEntryPoint
9.4.3. Authentication Mechanism
9.4.4. Storing the SecurityContext between requests
9.5. Access-Control (Authorization) in Spring Security
9.5.1. Security and AOP Advice
9.5.2. Secure Objects and the AbstractSecurityInterceptor
What are Configuration Attributes?
RunAsManager
AfterInvocationManager
Extending the Secure Object Model
9.6. Localization
10. Core Services
10.1. The AuthenticationManager, ProviderManager and AuthenticationProvider
10.1.1. Erasing Credentials on Successful Authentication
10.1.2. DaoAuthenticationProvider
10.2. UserDetailsService Implementations
10.2.1. In-Memory Authentication
10.2.2. JdbcDaoImpl
Authority Groups
10.3. Password Encoding
10.3.1. What is a hash?
10.3.2. Adding Salt to a Hash
10.3.3. Hashing and Authentication
III. Testing
11. Testing Method Security
11.1. Security Test Setup
11.2. @WithMockUser
11.3. @WithAnonymousUser
11.4. @WithUserDetails
11.5. @WithSecurityContext
11.6. Test Meta Annotations
12. Spring MVC Test Integration
12.1. Setting Up MockMvc and Spring Security
12.2. SecurityMockMvcRequestPostProcessors
12.2.1. Testing with CSRF Protection
12.2.2. Running a Test as a User in Spring MVC Test
12.2.3. Running as a User in Spring MVC Test with RequestPostProcessor
Running as a User in Spring MVC Test with Annotations
12.2.4. Testing HTTP Basic Authentication
12.3. SecurityMockMvcRequestBuilders
12.3.1. Testing Form Based Authentication
12.3.2. Testing Logout
12.4. SecurityMockMvcResultMatchers
12.4.1. Unauthenticated Assertion
12.4.2. Authenticated Assertion
IV. Web Application Security
13. The Security Filter Chain
13.1. DelegatingFilterProxy
13.2. FilterChainProxy
13.2.1. Bypassing the Filter Chain
13.3. Filter Ordering
13.4. Request Matching and HttpFirewall
13.5. Use with other Filter-Based Frameworks
13.6. Advanced Namespace Configuration
14. Core Security Filters
14.1. FilterSecurityInterceptor
14.2. ExceptionTranslationFilter
14.2.1. AuthenticationEntryPoint
14.2.2. AccessDeniedHandler
14.2.3. SavedRequests and the RequestCache Interface
14.3. SecurityContextPersistenceFilter
14.3.1. SecurityContextRepository
14.4. UsernamePasswordAuthenticationFilter
14.4.1. Application Flow on Authentication Success and Failure
15. Servlet API integration
15.1. Servlet 2.5+ Integration
15.1.1. HttpServletRequest.getRemoteUser()
15.1.2. HttpServletRequest.getUserPrincipal()
15.1.3. HttpServletRequest.isUserInRole(String)
15.2. Servlet 3+ Integration
15.2.1. HttpServletRequest.authenticate(HttpServletRequest,HttpServletResponse)
15.2.2. HttpServletRequest.login(String,String)
15.2.3. HttpServletRequest.logout()
15.2.4. AsyncContext.start(Runnable)
15.2.5. Async Servlet Support
15.3. Servlet 3.1+ Integration
15.3.1. HttpServletRequest#changeSessionId()
16. Basic and Digest Authentication
16.1. BasicAuthenticationFilter
16.1.1. Configuration
16.2. DigestAuthenticationFilter
16.2.1. Configuration
17. Remember-Me Authentication
17.1. Overview
17.2. Simple Hash-Based Token Approach
17.3. Persistent Token Approach
17.4. Remember-Me Interfaces and Implementations
17.4.1. TokenBasedRememberMeServices
17.4.2. PersistentTokenBasedRememberMeServices
18. Cross Site Request Forgery (CSRF)
18.1. CSRF Attacks
18.2. Synchronizer Token Pattern
18.3. When to use CSRF protection
18.3.1. CSRF protection and JSON
18.3.2. CSRF and Stateless Browser Applications
18.4. Using Spring Security CSRF Protection
18.4.1. Use proper HTTP verbs
18.4.2. Configure CSRF Protection
18.4.3. Include the CSRF Token
Form Submissions
Ajax and JSON Requests
CookieCsrfTokenRepository
18.5. CSRF Caveats
18.5.1. Timeouts
18.5.2. Logging In
18.5.3. Logging Out
18.5.4. Multipart (file upload)
Placing MultipartFilter before Spring Security
Include CSRF token in action
18.5.5. HiddenHttpMethodFilter
18.6. Overriding Defaults
19. CORS
20. Security HTTP Response Headers
20.1. Default Security Headers
20.1.1. Cache Control
20.1.2. Content Type Options
20.1.3. HTTP Strict Transport Security (HSTS)
20.1.4. HTTP Public Key Pinning (HPKP)
20.1.5. X-Frame-Options
20.1.6. X-XSS-Protection
20.1.7. Content Security Policy (CSP)
Configuring Content Security Policy
Additional Resources
20.2. Custom Headers
20.2.1. Static Headers
20.2.2. Headers Writer
20.2.3. DelegatingRequestMatcherHeaderWriter
21. Session Management
21.1. SessionManagementFilter
21.2. SessionAuthenticationStrategy
21.3. Concurrency Control
21.3.1. Querying the SessionRegistry for currently authenticated users and their sessions
22. Anonymous Authentication
22.1. Overview
22.2. Configuration
22.3. AuthenticationTrustResolver
23. WebSocket Security
23.1. WebSocket Configuration
23.2. WebSocket Authentication
23.3. WebSocket Authorization
23.3.1. WebSocket Authorization Notes
WebSocket Authorization on Message Types
WebSocket Authorization on Destinations
23.3.2. Outbound Messages
23.4. Enforcing Same Origin Policy
23.4.1. Why Same Origin?
23.4.2. Spring WebSocket Allowed Origin
23.4.3. Adding CSRF to Stomp Headers
23.4.4. Disable CSRF within WebSockets
23.5. Working with SockJS
23.5.1. SockJS & frame-options
23.5.2. SockJS & Relaxing CSRF
V. Authorization
24. Authorization Architecture
24.1. Authorities
24.2. Pre-Invocation Handling
24.2.1. The AccessDecisionManager
24.2.2. Voting-Based AccessDecisionManager Implementations
RoleVoter
AuthenticatedVoter
Custom Voters
24.3. After Invocation Handling
24.4. Hierarchical Roles
25. Secure Object Implementations
25.1. AOP Alliance (MethodInvocation) Security Interceptor
25.1.1. Explicit MethodSecurityInterceptor Configuration
25.2. AspectJ (JoinPoint) Security Interceptor
26. Expression-Based Access Control
26.1. Overview
26.1.1. Common Built-In Expressions
26.2. Web Security Expressions
26.2.1. Referring to Beans in Web Security Expressions
26.2.2. Path Variables in Web Security Expressions
26.3. Method Security Expressions
26.3.1. @Pre and @Post Annotations
Access Control using @PreAuthorize and @PostAuthorize
Filtering using @PreFilter and @PostFilter
26.3.2. Built-In Expressions
The PermissionEvaluator interface
Method Security Meta Annotations
VI. Additional Topics
27. Domain Object Security (ACLs)
27.1. Overview
27.2. Key Concepts
27.3. Getting Started
28. Pre-Authentication Scenarios
28.1. Pre-Authentication Framework Classes
28.1.1. AbstractPreAuthenticatedProcessingFilter
J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource
28.1.2. PreAuthenticatedAuthenticationProvider
28.1.3. Http403ForbiddenEntryPoint
28.2. Concrete Implementations
28.2.1. Request-Header Authentication (Siteminder)
Siteminder Example Configuration
28.2.2. Java EE Container Authentication
29. LDAP Authentication
29.1. Overview
29.2. Using LDAP with Spring Security
29.3. Configuring an LDAP Server
29.3.1. Using an Embedded Test Server
29.3.2. Using Bind Authentication
29.3.3. Loading Authorities
29.4. Implementation Classes
29.4.1. LdapAuthenticator Implementations
Common Functionality
BindAuthenticator
PasswordComparisonAuthenticator
29.4.2. Connecting to the LDAP Server
29.4.3. LDAP Search Objects
FilterBasedLdapUserSearch
29.4.4. LdapAuthoritiesPopulator
29.4.5. Spring Bean Configuration
29.4.6. LDAP Attributes and Customized UserDetails
29.5. Active Directory Authentication
29.5.1. ActiveDirectoryLdapAuthenticationProvider
Active Directory Error Codes
30. JSP Tag Libraries
30.1. Declaring the Taglib
30.2. The authorize Tag
30.2.1. Disabling Tag Authorization for Testing
30.3. The authentication Tag
30.4. The accesscontrollist Tag
30.5. The csrfInput Tag
30.6. The csrfMetaTags Tag
31. Java Authentication and Authorization Service (JAAS) Provider
31.1. Overview
31.2. AbstractJaasAuthenticationProvider
31.2.1. JAAS CallbackHandler
31.2.2. JAAS AuthorityGranter
31.3. DefaultJaasAuthenticationProvider
31.3.1. InMemoryConfiguration
31.3.2. DefaultJaasAuthenticationProvider Example Configuration
31.4. JaasAuthenticationProvider
31.5. Running as a Subject
32. CAS Authentication
32.1. Overview
32.2. How CAS Works
32.2.1. Spring Security and CAS Interaction Sequence
32.3. Configuration of CAS Client
32.3.1. Service Ticket Authentication
32.3.2. Single Logout
32.3.3. Authenticating to a Stateless Service with CAS
Configuring CAS to Obtain Proxy Granting Tickets
Calling a Stateless Service Using a Proxy Ticket
32.3.4. Proxy Ticket Authentication
33. X.509 Authentication
33.1. Overview
33.2. Adding X.509 Authentication to Your Web Application
33.3. Setting up SSL in Tomcat
34. Run-As Authentication Replacement
34.1. Overview
34.2. Configuration
35. Spring Security Crypto Module
35.1. Introduction
35.2. Encryptors
35.2.1. BytesEncryptor
35.2.2. TextEncryptor
35.3. Key Generators
35.3.1. BytesKeyGenerator
35.3.2. StringKeyGenerator
35.4. Password Encoding
36. Concurrency Support
36.1. DelegatingSecurityContextRunnable
36.2. DelegatingSecurityContextExecutor
36.3. Spring Security Concurrency Classes
37. Spring MVC Integration
37.1. @EnableWebMvcSecurity
37.2. MvcRequestMatcher
37.3. @AuthenticationPrincipal
37.4. Spring MVC Async Integration
37.5. Spring MVC and CSRF Integration
37.5.1. Automatic Token Inclusion
37.5.2. Resolving the CsrfToken
VII. Spring Data Integration
38. Spring Data & Spring Security Configuration
39. Security Expressions within @Query
VIII. Appendix
40. Security Database Schema
40.1. User Schema
40.1.1. Group Authorities
40.2. Persistent Login (Remember-Me) Schema
40.3. ACL Schema
40.3.1. HyperSQL
40.3.2. PostgreSQL
40.3.3. MySQL and MariaDB
40.3.4. Microsoft SQL Server
40.3.5. Oracle Database
41. The Security Namespace
41.1. Web Application Security
41.1.1. <debug>
41.1.2. <http>
<http> Attributes
Child Elements of <http>
41.1.3. <access-denied-handler>
Parent Elements of <access-denied-handler>
<access-denied-handler> Attributes
41.1.4. <cors>
<cors> Attributes
Parent Elements of <cors>
41.1.5. <headers>
<headers> Attributes
Parent Elements of <headers>
Child Elements of <headers>
41.1.6. <cache-control>
<cache-control> Attributes
Parent Elements of <cache-control>
41.1.7. <hsts>
<hsts> Attributes
Parent Elements of <hsts>
41.1.8. <hpkp>
<hpkp> Attributes
Parent Elements of <hpkp>
41.1.9. <pins>
Child Elements of <pins>
41.1.10. <pin>
<pin> Attributes
Parent Elements of <pin>
41.1.11. <content-security-policy>
<content-security-policy> Attributes
Parent Elements of <content-security-policy>
41.1.12. <frame-options>
<frame-options> Attributes
Parent Elements of <frame-options>
41.1.13. <xss-protection>
<xss-protection> Attributes
Parent Elements of <xss-protection>
41.1.14. <content-type-options>
<content-type-options> Attributes
Parent Elements of <content-type-options>
41.1.15. <header>
<header-attributes> Attributes
Parent Elements of <header>
41.1.16. <anonymous>
Parent Elements of <anonymous>
<anonymous> Attributes
41.1.17. <csrf>
Parent Elements of <csrf>
<csrf> Attributes
41.1.18. <custom-filter>
Parent Elements of <custom-filter>
<custom-filter> Attributes
41.1.19. <expression-handler>
Parent Elements of <expression-handler>
<expression-handler> Attributes
41.1.20. <form-login>
Parent Elements of <form-login>
<form-login> Attributes
41.1.21. <http-basic>
Parent Elements of <http-basic>
<http-basic> Attributes
41.1.22. <http-firewall> Element
<http-firewall> Attributes
41.1.23. <intercept-url>
Parent Elements of <intercept-url>
<intercept-url> Attributes
41.1.24. <jee>
Parent Elements of <jee>
<jee> Attributes
41.1.25. <logout>
Parent Elements of <logout>
<logout> Attributes
41.1.26. <openid-login>
Parent Elements of <openid-login>
<openid-login> Attributes
Child Elements of <openid-login>
41.1.27. <attribute-exchange>
Parent Elements of <attribute-exchange>
<attribute-exchange> Attributes
Child Elements of <attribute-exchange>
41.1.28. <openid-attribute>
Parent Elements of <openid-attribute>
<openid-attribute> Attributes
41.1.29. <port-mappings>
Parent Elements of <port-mappings>
Child Elements of <port-mappings>
41.1.30. <port-mapping>
Parent Elements of <port-mapping>
<port-mapping> Attributes
41.1.31. <remember-me>
Parent Elements of <remember-me>
<remember-me> Attributes
41.1.32. <request-cache> Element
Parent Elements of <request-cache>
<request-cache> Attributes
41.1.33. <session-management>
Parent Elements of <session-management>
<session-management> Attributes
Child Elements of <session-management>
41.1.34. <concurrency-control>
Parent Elements of <concurrency-control>
<concurrency-control> Attributes
41.1.35. <x509>
Parent Elements of <x509>
<x509> Attributes
41.1.36. <filter-chain-map>
<filter-chain-map> Attributes
Child Elements of <filter-chain-map>
41.1.37. <filter-chain>
Parent Elements of <filter-chain>
<filter-chain> Attributes
41.1.38. <filter-security-metadata-source>
<filter-security-metadata-source> Attributes
Child Elements of <filter-security-metadata-source>
41.2. WebSocket Security
41.2.1. <websocket-message-broker>
<websocket-message-broker> Attributes
Child Elements of <websocket-message-broker>
41.2.2. <intercept-message>
Parent Elements of <intercept-message>
<intercept-message> Attributes
41.3. Authentication Services
41.3.1. <authentication-manager>
<authentication-manager> Attributes
Child Elements of <authentication-manager>
41.3.2. <authentication-provider>
Parent Elements of <authentication-provider>
<authentication-provider> Attributes
Child Elements of <authentication-provider>
41.3.3. <jdbc-user-service>
<jdbc-user-service> Attributes
41.3.4. <password-encoder>
Parent Elements of <password-encoder>
<password-encoder> Attributes
Child Elements of <password-encoder>
41.3.5. <salt-source>
Parent Elements of <salt-source>
<salt-source> Attributes
41.3.6. <user-service>
<user-service> Attributes
Child Elements of <user-service>
41.3.7. <user>
Parent Elements of <user>
<user> Attributes
41.4. Method Security
41.4.1. <global-method-security>
<global-method-security> Attributes
Child Elements of <global-method-security>
41.4.2. <after-invocation-provider>
Parent Elements of <after-invocation-provider>
<after-invocation-provider> Attributes
41.4.3. <pre-post-annotation-handling>
Parent Elements of <pre-post-annotation-handling>
Child Elements of <pre-post-annotation-handling>
41.4.4. <invocation-attribute-factory>
Parent Elements of <invocation-attribute-factory>
<invocation-attribute-factory> Attributes
41.4.5. <post-invocation-advice>
Parent Elements of <post-invocation-advice>
<post-invocation-advice> Attributes
41.4.6. <pre-invocation-advice>
Parent Elements of <pre-invocation-advice>
<pre-invocation-advice> Attributes
41.4.7. Securing Methods using <protect-pointcut>
Parent Elements of <protect-pointcut>
<protect-pointcut> Attributes
41.4.8. <intercept-methods>
<intercept-methods> Attributes
Child Elements of <intercept-methods>
41.4.9. <method-security-metadata-source>
<method-security-metadata-source> Attributes
Child Elements of <method-security-metadata-source>
41.4.10. <protect>
Parent Elements of <protect>
<protect> Attributes
41.5. LDAP Namespace Options
41.5.1. Defining the LDAP Server using the <ldap-server> Element
<ldap-server> Attributes
41.5.2. <ldap-authentication-provider>
Parent Elements of <ldap-authentication-provider>
<ldap-authentication-provider> Attributes
Child Elements of <ldap-authentication-provider>
41.5.3. <password-compare>
Parent Elements of <password-compare>
<password-compare> Attributes
Child Elements of <password-compare>
41.5.4. <ldap-user-service>
<ldap-user-service> Attributes
42. Spring Security Dependencies
42.1. spring-security-core
42.2. spring-security-remoting
42.3. spring-security-web
42.4. spring-security-ldap
42.5. spring-security-config
42.6. spring-security-acl
42.7. spring-security-cas
42.8. spring-security-openid
42.9. spring-security-taglibs
43. Spring Security FAQ
43.1. General Questions
43.1.1. Will Spring Security take care of all my application security requirements?
43.1.2. Why not just use web.xml security?
43.1.3. What Java and Spring Framework versions are required?
43.1.4. I’m new to Spring Security and I need to build an application that supports CAS single sign-on over HTTPS, while allowing Basic authentication locally for certain URLs, authenticating against multiple back end user information sources (LDAP and JDBC). I’ve copied some configuration files I found but it doesn’t work. What could be wrong?
43.2. Common Problems
43.2.1. When I try to log in, I get an error message that says "Bad Credentials". What’s wrong?
43.2.2. My application goes into an "endless loop" when I try to log in, what’s going on?
43.2.3. I get an exception with the message "Access is denied (user is anonymous);". What’s wrong?
43.2.4. Why can I still see a secured page even after I’ve logged out of my application?
43.2.5. I get an exception with the message "An Authentication object was not found in the SecurityContext". What’s wrong?
43.2.6. I can’t get LDAP authentication to work. What’s wrong with my configuration?
43.2.7. Session Management
43.2.8. I’m using Spring Security’s concurrent session control to prevent users from logging in more than once at a time. When I open another browser window after logging in, it doesn’t stop me from logging in again. Why can I log in more than once?
43.2.9. Why does the session Id change when I authenticate through Spring Security?
43.2.10. I’m using Tomcat (or some other servlet container) and have enabled HTTPS for my login page, switching back to HTTP afterwards. It doesn’t work - I just end up back at the login page after authenticating.
43.2.11. I’m not switching between HTTP and HTTPS but my session is still getting lost
43.2.12. I’m trying to use the concurrent session-control support but it won’t let me log back in, even if I’m sure I’ve logged out and haven’t exceeded the allowed sessions.
43.2.13. Spring Security is creating a session somewhere, even though I’ve configured it not to, by setting the create-session attribute to never.
43.2.14. I get a 403 Forbidden when performing a POST
43.2.15. I’m forwarding a request to another URL using the RequestDispatcher, but my security constraints aren’t being applied.
43.2.16. I have added Spring Security’s <global-method-security> element to my application context but if I add security annotations to my Spring MVC controller beans (Struts actions etc.) then they don’t seem to have an effect.
43.2.17. I have a user who has definitely been authenticated, but when I try to access the SecurityContextHolder during some requests, the Authentication is null. Why can’t I see the user information?
43.2.18. The authorize JSP Tag doesn’t respect my method security annotations when using the URL attribute.
43.3. Spring Security Architecture Questions
43.3.1. How do I know which package class X is in?
43.3.2. How do the namespace elements map to conventional bean configurations?
43.3.3. What does "ROLE_" mean and why do I need it on my role names?
43.3.4. How do I know which dependencies to add to my application to work with Spring Security?
43.3.5. What dependencies are needed to run an embedded ApacheDS LDAP server?
43.3.6. What is a UserDetailsService and do I need one?
43.4. Common "Howto" Requests
43.4.1. I need to log in with more information than just the username. How do I add support for extra login fields (e.g. a company name)?
43.4.2. How do I apply different intercept-url constraints where only the fragment value of the requested URLs differs (e.g. /foo#bar and /foo#blah)?
43.4.3. How do I access the user’s IP Address (or other web-request data) in a UserDetailsService?
43.4.4. How do I access the HttpSession from a UserDetailsService?
43.4.5. How do I access the user’s password in a UserDetailsService?
43.4.6. How do I define the secured URLs within an application dynamically?
43.4.7. How do I authenticate against LDAP but load user roles from a database?
43.4.8. I want to modify the property of a bean that is created by the namespace, but there is nothing in the schema to support it. What can I do short of abandoning namespace use?
44. Migrating from 3.x to 4.x