Spring Security Reference


Ben Alex, Luke Taylor, Rob Winch, Gunnar Hillert, Joe Grandja, Jay Bryant


Copies of this document may be made for your own use and for distribution to others, provided that you do not charge any fee for such copies and further provided that each copy contains this Copyright Notice, whether distributed in print or electronically.

Table of Contents

I. Preface
1. Getting Started
2. Introduction
2.1. What is Spring Security?
2.2. History
2.3. Release Numbering
2.4. Getting Spring Security
2.4.1. Usage with Maven
Maven Repositories
Spring Framework Bom
2.4.2. Gradle
Gradle Repositories
Using Spring 4.0.x and Gradle
2.4.3. Project Modules
Core - spring-security-core.jar
Remoting - spring-security-remoting.jar
Web - spring-security-web.jar
Config - spring-security-config.jar
LDAP - spring-security-ldap.jar
OAuth 2.0 Core - spring-security-oauth2-core.jar
OAuth 2.0 Client - spring-security-oauth2-client.jar
OAuth 2.0 JOSE - spring-security-oauth2-jose.jar
ACL - spring-security-acl.jar
CAS - spring-security-cas.jar
OpenID - spring-security-openid.jar
Test - spring-security-test.jar
2.4.4. Checking out the Source
3. What’s New in Spring Security 5.0
3.1. New Features
4. Samples and Guides (Start Here)
5. Java Configuration
5.1. Hello Web Security Java Configuration
5.1.1. AbstractSecurityWebApplicationInitializer
5.1.2. AbstractSecurityWebApplicationInitializer without Existing Spring
5.1.3. AbstractSecurityWebApplicationInitializer with Spring MVC
5.2. HttpSecurity
5.3. Java Configuration and Form Login
5.4. Authorize Requests
5.5. Handling Logouts
5.5.1. LogoutHandler
5.5.2. LogoutSuccessHandler
5.5.3. Further Logout-Related References
5.6. WebFlux Security
5.6.1. Minimal WebFlux Security Configuration
5.6.2. Explicit WebFlux Security Configuration
5.7. OAuth 2.0 Login
5.7.1. Spring Boot 2.0 Sample
Initial setup
Setting the redirect URI
Configure application.yml
Boot up the application
5.7.2. ClientRegistration
5.7.3. Spring Boot 2.0 Property Mappings
5.7.4. ClientRegistrationRepository
5.7.5. CommonOAuth2Provider
5.7.6. Configuring Custom Provider Properties
5.7.7. Overriding Spring Boot 2.0 Auto-configuration
Register a ClientRegistrationRepository @Bean
Provide a WebSecurityConfigurerAdapter
Completely Override the Auto-configuration
5.7.8. Java Configuration without Spring Boot 2.0
5.7.9. OAuth2AuthorizedClient / OAuth2AuthorizedClientService
5.7.10. Additional Resources
5.8. Authentication
5.8.1. In-Memory Authentication
5.8.2. JDBC Authentication
5.8.3. LDAP Authentication
5.8.4. AuthenticationProvider
5.8.5. UserDetailsService
5.9. Multiple HttpSecurity
5.10. Method Security
5.10.1. EnableGlobalMethodSecurity
5.10.2. GlobalMethodSecurityConfiguration
5.10.3. EnableReactiveMethodSecurity
5.11. Post Processing Configured Objects
5.12. Custom DSLs
6. Security Namespace Configuration
6.1. Introduction
6.1.1. Design of the Namespace
6.2. Getting Started with Security Namespace Configuration
6.2.1. web.xml Configuration
6.2.2. A Minimal <http> Configuration
6.2.3. Form and Basic Login Options
Setting a Default Post-Login Destination
6.2.4. Logout Handling
6.2.5. Using other Authentication Providers
Adding a Password Encoder
6.3. Advanced Web Features
6.3.1. Remember-Me Authentication
6.3.2. Adding HTTP/HTTPS Channel Security
6.3.3. Session Management
Detecting Timeouts
Concurrent Session Control
Session Fixation Attack Protection
6.3.4. OpenID Support
Attribute Exchange
6.3.5. Response Headers
6.3.6. Adding in Your Own Filters
Setting a Custom AuthenticationEntryPoint
6.4. Method Security
6.4.1. The <global-method-security> Element
Adding Security Pointcuts using protect-pointcut
6.5. The Default AccessDecisionManager
6.5.1. Customizing the AccessDecisionManager
6.6. The Authentication Manager and the Namespace
7. Sample Applications
7.1. Tutorial Sample
7.2. Contacts
7.3. LDAP Sample
7.4. OpenID Sample
7.5. CAS Sample
7.6. JAAS Sample
7.7. Pre-Authentication Sample
8. Spring Security Community
8.1. Issue Tracking
8.2. Becoming Involved
8.3. Further Information
II. Architecture and Implementation
9. Technical Overview
9.1. Runtime Environment
9.2. Core Components
9.2.1. SecurityContextHolder, SecurityContext and Authentication Objects
Obtaining information about the current user
9.2.2. The UserDetailsService
9.2.3. GrantedAuthority
9.2.4. Summary
9.3. Authentication
9.3.1. What is authentication in Spring Security?
9.3.2. Setting the SecurityContextHolder Contents Directly
9.4. Authentication in a Web Application
9.4.1. ExceptionTranslationFilter
9.4.2. AuthenticationEntryPoint
9.4.3. Authentication Mechanism
9.4.4. Storing the SecurityContext between requests
9.5. Access-Control (Authorization) in Spring Security
9.5.1. Security and AOP Advice
9.5.2. Secure Objects and the AbstractSecurityInterceptor
What are Configuration Attributes?
Extending the Secure Object Model
9.6. Localization
10. Core Services
10.1. The AuthenticationManager, ProviderManager and AuthenticationProvider
10.1.1. Erasing Credentials on Successful Authentication
10.1.2. DaoAuthenticationProvider
10.2. UserDetailsService Implementations
10.2.1. In-Memory Authentication
10.2.2. JdbcDaoImpl
Authority Groups
10.3. Password Encoding
10.3.1. Password History
10.3.2. DelegatingPasswordEncoder
Password Storage Format
Password Encoding
Password Matching
Getting Started Experience
10.3.3. BCryptPasswordEncoder
10.3.4. Pbkdf2PasswordEncoder
10.3.5. SCryptPasswordEncoder
10.3.6. Other PasswordEncoders
10.4. Jackson Support
III. Testing
11. Testing Method Security
11.1. Security Test Setup
11.2. @WithMockUser
11.3. @WithAnonymousUser
11.4. @WithUserDetails
11.5. @WithSecurityContext
11.6. Test Meta Annotations
12. Spring MVC Test Integration
12.1. Setting Up MockMvc and Spring Security
12.2. SecurityMockMvcRequestPostProcessors
12.2.1. Testing with CSRF Protection
12.2.2. Running a Test as a User in Spring MVC Test
12.2.3. Running as a User in Spring MVC Test with RequestPostProcessor
Running as a User in Spring MVC Test with Annotations
12.2.4. Testing HTTP Basic Authentication
12.3. SecurityMockMvcRequestBuilders
12.3.1. Testing Form Based Authentication
12.3.2. Testing Logout
12.4. SecurityMockMvcResultMatchers
12.4.1. Unauthenticated Assertion
12.4.2. Authenticated Assertion
13. WebFlux Support
13.1. Reactive Method Security
13.2. WebTestClientSupport
13.2.1. Authentication
13.2.2. CSRF Support
IV. Web Application Security
14. The Security Filter Chain
14.1. DelegatingFilterProxy
14.2. FilterChainProxy
14.2.1. Bypassing the Filter Chain
14.3. Filter Ordering
14.4. Request Matching and HttpFirewall
14.5. Use with other Filter-Based Frameworks
14.6. Advanced Namespace Configuration
15. Core Security Filters
15.1. FilterSecurityInterceptor
15.2. ExceptionTranslationFilter
15.2.1. AuthenticationEntryPoint
15.2.2. AccessDeniedHandler
15.2.3. SavedRequests and the RequestCache Interface
15.3. SecurityContextPersistenceFilter
15.3.1. SecurityContextRepository
15.4. UsernamePasswordAuthenticationFilter
15.4.1. Application Flow on Authentication Success and Failure
16. Servlet API integration
16.1. Servlet 2.5+ Integration
16.1.1. HttpServletRequest.getRemoteUser()
16.1.2. HttpServletRequest.getUserPrincipal()
16.1.3. HttpServletRequest.isUserInRole(String)
16.2. Servlet 3+ Integration
16.2.1. HttpServletRequest.authenticate(HttpServletRequest,HttpServletResponse)
16.2.2. HttpServletRequest.login(String,String)
16.2.3. HttpServletRequest.logout()
16.2.4. AsyncContext.start(Runnable)
16.2.5. Async Servlet Support
16.3. Servlet 3.1+ Integration
16.3.1. HttpServletRequest#changeSessionId()
17. Basic and Digest Authentication
17.1. BasicAuthenticationFilter
17.1.1. Configuration
17.2. DigestAuthenticationFilter
17.2.1. Configuration
18. Remember-Me Authentication
18.1. Overview
18.2. Simple Hash-Based Token Approach
18.3. Persistent Token Approach
18.4. Remember-Me Interfaces and Implementations
18.4.1. TokenBasedRememberMeServices
18.4.2. PersistentTokenBasedRememberMeServices
19. Cross Site Request Forgery (CSRF)
19.1. CSRF Attacks
19.2. Synchronizer Token Pattern
19.3. When to use CSRF protection
19.3.1. CSRF protection and JSON
19.3.2. CSRF and Stateless Browser Applications
19.4. Using Spring Security CSRF Protection
19.4.1. Use proper HTTP verbs
19.4.2. Configure CSRF Protection
19.4.3. Include the CSRF Token
Form Submissions
Ajax and JSON Requests
19.5. CSRF Caveats
19.5.1. Timeouts
19.5.2. Logging In
19.5.3. Logging Out
19.5.4. Multipart (file upload)
Placing MultipartFilter before Spring Security
Include CSRF token in action
19.5.5. HiddenHttpMethodFilter
19.6. Overriding Defaults
20. CORS
21. Security HTTP Response Headers
21.1. Default Security Headers
21.1.1. Cache Control
21.1.2. Content Type Options
21.1.3. HTTP Strict Transport Security (HSTS)
21.1.4. HTTP Public Key Pinning (HPKP)
21.1.5. X-Frame-Options
21.1.6. X-XSS-Protection
21.1.7. Content Security Policy (CSP)
Configuring Content Security Policy
Additional Resources
21.1.8. Referrer Policy
Configuring Referrer Policy
21.2. Custom Headers
21.2.1. Static Headers
21.2.2. Headers Writer
21.2.3. DelegatingRequestMatcherHeaderWriter
22. Session Management
22.1. SessionManagementFilter
22.2. SessionAuthenticationStrategy
22.3. Concurrency Control
22.3.1. Querying the SessionRegistry for currently authenticated users and their sessions
23. Anonymous Authentication
23.1. Overview
23.2. Configuration
23.3. AuthenticationTrustResolver
24. WebSocket Security
24.1. WebSocket Configuration
24.2. WebSocket Authentication
24.3. WebSocket Authorization
24.3.1. WebSocket Authorization Notes
WebSocket Authorization on Message Types
WebSocket Authorization on Destinations
24.3.2. Outbound Messages
24.4. Enforcing Same Origin Policy
24.4.1. Why Same Origin?
24.4.2. Spring WebSocket Allowed Origin
24.4.3. Adding CSRF to Stomp Headers
24.4.4. Disable CSRF within WebSockets
24.5. Working with SockJS
24.5.1. SockJS & frame-options
24.5.2. SockJS & Relaxing CSRF
V. Authorization
25. Authorization Architecture
25.1. Authorities
25.2. Pre-Invocation Handling
25.2.1. The AccessDecisionManager
25.2.2. Voting-Based AccessDecisionManager Implementations
Custom Voters
25.3. After Invocation Handling
25.4. Hierarchical Roles
26. Secure Object Implementations
26.1. AOP Alliance (MethodInvocation) Security Interceptor
26.1.1. Explicit MethodSecurityInterceptor Configuration
26.2. AspectJ (JoinPoint) Security Interceptor
27. Expression-Based Access Control
27.1. Overview
27.1.1. Common Built-In Expressions
27.2. Web Security Expressions
27.2.1. Referring to Beans in Web Security Expressions
27.2.2. Path Variables in Web Security Expressions
27.3. Method Security Expressions
27.3.1. @Pre and @Post Annotations
Access Control using @PreAuthorize and @PostAuthorize
Filtering using @PreFilter and @PostFilter
27.3.2. Built-In Expressions
The PermissionEvaluator interface
Method Security Meta Annotations
VI. Additional Topics
28. Domain Object Security (ACLs)
28.1. Overview
28.2. Key Concepts
28.3. Getting Started
29. Pre-Authentication Scenarios
29.1. Pre-Authentication Framework Classes
29.1.1. AbstractPreAuthenticatedProcessingFilter
29.1.2. PreAuthenticatedAuthenticationProvider
29.1.3. Http403ForbiddenEntryPoint
29.2. Concrete Implementations
29.2.1. Request-Header Authentication (Siteminder)
Siteminder Example Configuration
29.2.2. Java EE Container Authentication
30. LDAP Authentication
30.1. Overview
30.2. Using LDAP with Spring Security
30.3. Configuring an LDAP Server
30.3.1. Using an Embedded Test Server
30.3.2. Using Bind Authentication
30.3.3. Loading Authorities
30.4. Implementation Classes
30.4.1. LdapAuthenticator Implementations
Common Functionality
30.4.2. Connecting to the LDAP Server
30.4.3. LDAP Search Objects
30.4.4. LdapAuthoritiesPopulator
30.4.5. Spring Bean Configuration
30.4.6. LDAP Attributes and Customized UserDetails
30.5. Active Directory Authentication
30.5.1. ActiveDirectoryLdapAuthenticationProvider
Active Directory Error Codes
31. OAuth 2.0 Login — Advanced Configuration
31.1. OAuth 2.0 Login Page
31.2. Authorization Endpoint
31.2.1. AuthorizationRequestRepository
31.3. Redirection Endpoint
31.4. Token Endpoint
31.4.1. OAuth2AccessTokenResponseClient
31.5. UserInfo Endpoint
31.5.1. Mapping User Authorities
Using a GrantedAuthoritiesMapper
Delegation-based strategy with OAuth2UserService
31.5.2. Configuring a Custom OAuth2User
31.5.3. OAuth 2.0 UserService
31.5.4. OpenID Connect 1.0 UserService
32. JSP Tag Libraries
32.1. Declaring the Taglib
32.2. The authorize Tag
32.2.1. Disabling Tag Authorization for Testing
32.3. The authentication Tag
32.4. The accesscontrollist Tag
32.5. The csrfInput Tag
32.6. The csrfMetaTags Tag
33. Java Authentication and Authorization Service (JAAS) Provider
33.1. Overview
33.2. AbstractJaasAuthenticationProvider
33.2.1. JAAS CallbackHandler
33.2.2. JAAS AuthorityGranter
33.3. DefaultJaasAuthenticationProvider
33.3.1. InMemoryConfiguration
33.3.2. DefaultJaasAuthenticationProvider Example Configuration
33.4. JaasAuthenticationProvider
33.5. Running as a Subject
34. CAS Authentication
34.1. Overview
34.2. How CAS Works
34.2.1. Spring Security and CAS Interaction Sequence
34.3. Configuration of CAS Client
34.3.1. Service Ticket Authentication
34.3.2. Single Logout
34.3.3. Authenticating to a Stateless Service with CAS
Configuring CAS to Obtain Proxy Granting Tickets
Calling a Stateless Service Using a Proxy Ticket
34.3.4. Proxy Ticket Authentication
35. X.509 Authentication
35.1. Overview
35.2. Adding X.509 Authentication to Your Web Application
35.3. Setting up SSL in Tomcat
36. Run-As Authentication Replacement
36.1. Overview
36.2. Configuration
37. Spring Security Crypto Module
37.1. Introduction
37.2. Encryptors
37.2.1. BytesEncryptor
37.2.2. TextEncryptor
37.3. Key Generators
37.3.1. BytesKeyGenerator
37.3.2. StringKeyGenerator
37.4. Password Encoding
38. Concurrency Support
38.1. DelegatingSecurityContextRunnable
38.2. DelegatingSecurityContextExecutor
38.3. Spring Security Concurrency Classes
39. Spring MVC Integration
39.1. @EnableWebMvcSecurity
39.2. MvcRequestMatcher
39.3. @AuthenticationPrincipal
39.4. Spring MVC Async Integration
39.5. Spring MVC and CSRF Integration
39.5.1. Automatic Token Inclusion
39.5.2. Resolving the CsrfToken
VII. Spring Data Integration
40. Spring Data & Spring Security Configuration
41. Security Expressions within @Query
VIII. Appendix
42. Security Database Schema
42.1. User Schema
42.1.1. Group Authorities
42.2. Persistent Login (Remember-Me) Schema
42.3. ACL Schema
42.3.1. HyperSQL
42.3.2. PostgreSQL
42.3.3. MySQL and MariaDB
42.3.4. Microsoft SQL Server
42.3.5. Oracle Database
43. The Security Namespace
43.1. Web Application Security
43.1.1. <debug>
43.1.2. <http>
<http> Attributes
Child Elements of <http>
43.1.3. <access-denied-handler>
Parent Elements of <access-denied-handler>
<access-denied-handler> Attributes
43.1.4. <cors>
<cors> Attributes
Parent Elements of <cors>
43.1.5. <headers>
<headers> Attributes
Parent Elements of <headers>
Child Elements of <headers>
43.1.6. <cache-control>
<cache-control> Attributes
Parent Elements of <cache-control>
43.1.7. <hsts>
<hsts> Attributes
Parent Elements of <hsts>
43.1.8. <hpkp>
<hpkp> Attributes
Parent Elements of <hpkp>
43.1.9. <pins>
Child Elements of <pins>
43.1.10. <pin>
<pin> Attributes
Parent Elements of <pin>
43.1.11. <content-security-policy>
<content-security-policy> Attributes
Parent Elements of <content-security-policy>
43.1.12. <referrer-policy>
<referrer-policy> Attributes
Parent Elements of <referrer-policy>
43.1.13. <frame-options>
<frame-options> Attributes
Parent Elements of <frame-options>
43.1.14. <xss-protection>
<xss-protection> Attributes
Parent Elements of <xss-protection>
43.1.15. <content-type-options>
<content-type-options> Attributes
Parent Elements of <content-type-options>
43.1.16. <header>
<header-attributes> Attributes
Parent Elements of <header>
43.1.17. <anonymous>
Parent Elements of <anonymous>
<anonymous> Attributes
43.1.18. <csrf>
Parent Elements of <csrf>
<csrf> Attributes
43.1.19. <custom-filter>
Parent Elements of <custom-filter>
<custom-filter> Attributes
43.1.20. <expression-handler>
Parent Elements of <expression-handler>
<expression-handler> Attributes
43.1.21. <form-login>
Parent Elements of <form-login>
<form-login> Attributes
43.1.22. <http-basic>
Parent Elements of <http-basic>
<http-basic> Attributes
43.1.23. <http-firewall> Element
<http-firewall> Attributes
43.1.24. <intercept-url>
Parent Elements of <intercept-url>
<intercept-url> Attributes
43.1.25. <jee>
Parent Elements of <jee>
<jee> Attributes
43.1.26. <logout>
Parent Elements of <logout>
<logout> Attributes
43.1.27. <openid-login>
Parent Elements of <openid-login>
<openid-login> Attributes
Child Elements of <openid-login>
43.1.28. <attribute-exchange>
Parent Elements of <attribute-exchange>
<attribute-exchange> Attributes
Child Elements of <attribute-exchange>
43.1.29. <openid-attribute>
Parent Elements of <openid-attribute>
<openid-attribute> Attributes
43.1.30. <port-mappings>
Parent Elements of <port-mappings>
Child Elements of <port-mappings>
43.1.31. <port-mapping>
Parent Elements of <port-mapping>
<port-mapping> Attributes
43.1.32. <remember-me>
Parent Elements of <remember-me>
<remember-me> Attributes
43.1.33. <request-cache> Element
Parent Elements of <request-cache>
<request-cache> Attributes
43.1.34. <session-management>
Parent Elements of <session-management>
<session-management> Attributes
Child Elements of <session-management>
43.1.35. <concurrency-control>
Parent Elements of <concurrency-control>
<concurrency-control> Attributes
43.1.36. <x509>
Parent Elements of <x509>
<x509> Attributes
43.1.37. <filter-chain-map>
<filter-chain-map> Attributes
Child Elements of <filter-chain-map>
43.1.38. <filter-chain>
Parent Elements of <filter-chain>
<filter-chain> Attributes
43.1.39. <filter-security-metadata-source>
<filter-security-metadata-source> Attributes
Child Elements of <filter-security-metadata-source>
43.2. WebSocket Security
43.2.1. <websocket-message-broker>
<websocket-message-broker> Attributes
Child Elements of <websocket-message-broker>
43.2.2. <intercept-message>
Parent Elements of <intercept-message>
<intercept-message> Attributes
43.3. Authentication Services
43.3.1. <authentication-manager>
<authentication-manager> Attributes
Child Elements of <authentication-manager>
43.3.2. <authentication-provider>
Parent Elements of <authentication-provider>
<authentication-provider> Attributes
Child Elements of <authentication-provider>
43.3.3. <jdbc-user-service>
<jdbc-user-service> Attributes
43.3.4. <password-encoder>
Parent Elements of <password-encoder>
<password-encoder> Attributes
43.3.5. <user-service>
<user-service> Attributes
Child Elements of <user-service>
43.3.6. <user>
Parent Elements of <user>
<user> Attributes
43.4. Method Security
43.4.1. <global-method-security>
<global-method-security> Attributes
Child Elements of <global-method-security>
43.4.2. <after-invocation-provider>
Parent Elements of <after-invocation-provider>
<after-invocation-provider> Attributes
43.4.3. <pre-post-annotation-handling>
Parent Elements of <pre-post-annotation-handling>
Child Elements of <pre-post-annotation-handling>
43.4.4. <invocation-attribute-factory>
Parent Elements of <invocation-attribute-factory>
<invocation-attribute-factory> Attributes
43.4.5. <post-invocation-advice>
Parent Elements of <post-invocation-advice>
<post-invocation-advice> Attributes
43.4.6. <pre-invocation-advice>
Parent Elements of <pre-invocation-advice>
<pre-invocation-advice> Attributes
43.4.7. Securing Methods using <protect-pointcut>
Parent Elements of <protect-pointcut>
<protect-pointcut> Attributes
43.4.8. <intercept-methods>
<intercept-methods> Attributes
Child Elements of <intercept-methods>
43.4.9. <method-security-metadata-source>
<method-security-metadata-source> Attributes
Child Elements of <method-security-metadata-source>
43.4.10. <protect>
Parent Elements of <protect>
<protect> Attributes
43.5. LDAP Namespace Options
43.5.1. Defining the LDAP Server using the <ldap-server> Element
<ldap-server> Attributes
43.5.2. <ldap-authentication-provider>
Parent Elements of <ldap-authentication-provider>
<ldap-authentication-provider> Attributes
Child Elements of <ldap-authentication-provider>
43.5.3. <password-compare>
Parent Elements of <password-compare>
<password-compare> Attributes
Child Elements of <password-compare>
43.5.4. <ldap-user-service>
<ldap-user-service> Attributes
44. Spring Security Dependencies
44.1. spring-security-core
44.2. spring-security-remoting
44.3. spring-security-web
44.4. spring-security-ldap
44.5. spring-security-config
44.6. spring-security-acl
44.7. spring-security-cas
44.8. spring-security-openid
44.9. spring-security-taglibs
45. Proxy Server Configuration
46. Spring Security FAQ
46.1. General Questions
46.1.1. Will Spring Security take care of all my application security requirements?
46.1.2. Why not just use web.xml security?
46.1.3. What Java and Spring Framework versions are required?
46.1.4. I’m new to Spring Security and I need to build an application that supports CAS single sign-on over HTTPS, while allowing Basic authentication locally for certain URLs, authenticating against multiple back end user information sources (LDAP and JDBC). I’ve copied some configuration files I found but it doesn’t work. What could be wrong?
46.2. Common Problems
46.2.1. When I try to log in, I get an error message that says "Bad Credentials". What’s wrong?
46.2.2. My application goes into an "endless loop" when I try to log in. What’s going on?
46.2.3. I get an exception with the message "Access is denied (user is anonymous);". What’s wrong?
46.2.4. Why can I still see a secured page even after I’ve logged out of my application?
46.2.5. I get an exception with the message "An Authentication object was not found in the SecurityContext". What’s wrong?
46.2.6. I can’t get LDAP authentication to work. What’s wrong with my configuration?
46.2.7. Session Management
46.2.8. I’m using Spring Security’s concurrent session control to prevent users from logging in more than once at a time. When I open another browser window after logging in, it doesn’t stop me from logging in again. Why can I log in more than once?
46.2.9. Why does the session Id change when I authenticate through Spring Security?
46.2.10. I’m using Tomcat (or some other servlet container) and have enabled HTTPS for my login page, switching back to HTTP afterwards. It doesn’t work - I just end up back at the login page after authenticating.
46.2.11. I’m not switching between HTTP and HTTPS but my session is still getting lost
46.2.12. I’m trying to use the concurrent session-control support but it won’t let me log back in, even if I’m sure I’ve logged out and haven’t exceeded the allowed sessions.
46.2.13. Spring Security is creating a session somewhere, even though I’ve configured it not to, by setting the create-session attribute to never.
46.2.14. I get a 403 Forbidden when performing a POST
46.2.15. I’m forwarding a request to another URL using the RequestDispatcher, but my security constraints aren’t being applied.
46.2.16. I have added Spring Security’s <global-method-security> element to my application context but if I add security annotations to my Spring MVC controller beans (Struts actions etc.) then they don’t seem to have an effect.
46.2.17. I have a user who has definitely been authenticated, but when I try to access the SecurityContextHolder during some requests, the Authentication is null. Why can’t I see the user information?
46.2.18. The authorize JSP Tag doesn’t respect my method security annotations when using the URL attribute.
46.3. Spring Security Architecture Questions
46.3.1. How do I know which package class X is in?
46.3.2. How do the namespace elements map to conventional bean configurations?
46.3.3. What does "ROLE_" mean and why do I need it on my role names?
46.3.4. How do I know which dependencies to add to my application to work with Spring Security?
46.3.5. What dependencies are needed to run an embedded ApacheDS LDAP server?
46.3.6. What is a UserDetailsService and do I need one?
46.4. Common "Howto" Requests
46.4.1. I need to log in with more information than just the username. How do I add support for extra login fields (e.g. a company name)?
46.4.2. How do I apply different intercept-url constraints where only the fragment value of the requested URLs differs (e.g. /foo#bar and /foo#blah)?
46.4.3. How do I access the user’s IP Address (or other web-request data) in a UserDetailsService?
46.4.4. How do I access the HttpSession from a UserDetailsService?
46.4.5. How do I access the user’s password in a UserDetailsService?
46.4.6. How do I define the secured URLs within an application dynamically?
46.4.7. How do I authenticate against LDAP but load user roles from a database?
46.4.8. I want to modify the property of a bean that is created by the namespace, but there is nothing in the schema to support it. What can I do short of abandoning namespace use?