Spring Security

Reference Documentation

Ben Alex

Luke Taylor

3.0.8.RELEASE
Table of Contents

Preface
I. Getting Started
1. Introduction
1.1. What is Spring Security?
1.2. History
1.3. Release Numbering
1.4. Getting Spring Security
1.4.1. Project Modules
1.4.2. Checking out the Source
2. Security Namespace Configuration
2.1. Introduction
2.1.1. Design of the Namespace
2.2. Getting Started with Security Namespace Configuration
2.2.1. web.xml Configuration
2.2.2. A Minimal <http> Configuration
2.2.3. Using other Authentication Providers
2.3. Advanced Web Features
2.3.1. Remember-Me Authentication
2.3.2. Adding HTTP/HTTPS Channel Security
2.3.3. Session Management
2.3.4. OpenID Support
2.3.5. Adding in Your Own Filters
2.4. Method Security
2.4.1. The <global-method-security> Element
2.5. The Default AccessDecisionManager
2.5.1. Customizing the AccessDecisionManager
2.6. The Authentication Manager and the Namespace
3. Sample Applications
3.1. Tutorial Sample
3.2. Contacts
3.3. LDAP Sample
3.4. CAS Sample
3.5. Pre-Authentication Sample
4. Spring Security Community
4.1. Issue Tracking
4.2. Becoming Involved
4.3. Further Information
II. Architecture and Implementation
5. Technical Overview
5.1. Runtime Environment
5.2. Core Components
5.2.1. SecurityContextHolder, SecurityContext and Authentication Objects
5.2.2. The UserDetailsService
5.2.3. GrantedAuthority
5.2.4. Summary
5.3. Authentication
5.3.1. What is authentication in Spring Security?
5.3.2. Setting the SecurityContextHolder Contents Directly
5.4. Authentication in a Web Application
5.4.1. ExceptionTranslationFilter
5.4.2. AuthenticationEntryPoint
5.4.3. Authentication Mechanism
5.4.4. Storing the SecurityContext between requests
5.5. Access-Control (Authorization) in Spring Security
5.5.1. Security and AOP Advice
5.5.2. Secure Objects and the AbstractSecurityInterceptor
5.6. Localization
6. Core Services
6.1. The AuthenticationManager, ProviderManager and AuthenticationProviders
6.1.1. DaoAuthenticationProvider
6.1.2. Erasing Credentials on Successful Authentication
6.2. UserDetailsService Implementations
6.2.1. In-Memory Authentication
6.2.2. JdbcDaoImpl
6.3. Password Encoding
6.3.1. What is a hash?
6.3.2. Adding Salt to a Hash
6.3.3. Hashing and Authentication
III. Web Application Security
7. The Security Filter Chain
7.1. DelegatingFilterProxy
7.2. FilterChainProxy
7.2.1. Bypassing the Filter Chain
7.3. Filter Ordering
7.4. Request Matching and HttpFirewall
7.5. Use with other Filter-Based Frameworks
8. Core Security Filters
8.1. FilterSecurityInterceptor
8.2. ExceptionTranslationFilter
8.2.1. AuthenticationEntryPoint
8.2.2. AccessDeniedHandler
8.3. SecurityContextPersistenceFilter
8.3.1. SecurityContextRepository
8.4. UsernamePasswordAuthenticationFilter
8.4.1. Application Flow on Authentication Success and Failure
9. Basic and Digest Authentication
9.1. BasicAuthenticationFilter
9.1.1. Configuration
9.2. DigestAuthenticationFilter
9.2.1. Configuration
10. Remember-Me Authentication
10.1. Overview
10.2. Simple Hash-Based Token Approach
10.3. Persistent Token Approach
10.4. Remember-Me Interfaces and Implementations
10.4.1. TokenBasedRememberMeServices
10.4.2. PersistentTokenBasedRememberMeServices
11. Session Management
11.1. SessionManagementFilter
11.2. SessionAuthenticationStrategy
11.3. Concurrency Control
12. Anonymous Authentication
12.1. Overview
12.2. Configuration
12.3. AuthenticationTrustResolver
IV. Authorization
13. Authorization Architecture
13.1. Authorities
13.2. Pre-Invocation Handling
13.2.1. The AccessDecisionManager
13.2.2. Voting-Based AccessDecisionManager Implementations
13.3. After Invocation Handling
14. Secure Object Implementations
14.1. AOP Alliance (MethodInvocation) Security Interceptor
14.1.1. Explicit MethodSecurityInterceptor Configuration
14.2. AspectJ (JoinPoint) Security Interceptor
15. Expression-Based Access Control
15.1. Overview
15.1.1. Common Built-In Expressions
15.2. Web Security Expressions
15.3. Method Security Expressions
15.3.1. @Pre and @Post Annotations
15.3.2. Built-In Expressions
V. Additional Topics
16. Domain Object Security (ACLs)
16.1. Overview
16.2. Key Concepts
16.3. Getting Started
17. Pre-Authentication Scenarios
17.1. Pre-Authentication Framework Classes
17.1.1. AbstractPreAuthenticatedProcessingFilter
17.1.2. AbstractPreAuthenticatedAuthenticationDetailsSource
17.1.3. PreAuthenticatedAuthenticationProvider
17.1.4. Http403ForbiddenEntryPoint
17.2. Concrete Implementations
17.2.1. Request-Header Authentication (Siteminder)
17.2.2. J2EE Container Authentication
18. LDAP Authentication
18.1. Overview
18.2. Using LDAP with Spring Security
18.3. Configuring an LDAP Server
18.3.1. Using an Embedded Test Server
18.3.2. Using Bind Authentication
18.3.3. Loading Authorities
18.4. Implementation Classes
18.4.1. LdapAuthenticator Implementations
18.4.2. Connecting to the LDAP Server
18.4.3. LDAP Search Objects
18.4.4. LdapAuthoritiesPopulator
18.4.5. Spring Bean Configuration
18.4.6. LDAP Attributes and Customized UserDetails
19. JSP Tag Libraries
19.1. Declaring the Taglib
19.2. The authorize Tag
19.3. The authentication Tag
19.4. The accesscontrollist Tag
20. Java Authentication and Authorization Service (JAAS) Provider
20.1. Overview
20.2. Configuration
20.2.1. JAAS CallbackHandler
20.2.2. JAAS AuthorityGranter
21. CAS Authentication
21.1. Overview
21.2. How CAS Works
21.3. Configuration of CAS Client
22. X.509 Authentication
22.1. Overview
22.2. Adding X.509 Authentication to Your Web Application
22.3. Setting up SSL in Tomcat
23. Run-As Authentication Replacement
23.1. Overview
23.2. Configuration
A. Security Database Schema
A.1. User Schema
A.1.1. Group Authorities
A.2. Persistent Login (Remember-Me) Schema
A.3. ACL Schema
A.3.1. Hypersonic SQL
B. The Security Namespace
B.1. Web Application Security - the <http> Element
B.1.1. <http> Attributes
B.1.2. <access-denied-handler>
B.1.3. The <intercept-url> Element
B.1.4. The <port-mappings> Element
B.1.5. The <form-login> Element
B.1.6. The <http-basic> Element
B.1.7. The <remember-me> Element
B.1.8. The <session-management> Element
B.1.9. The <concurrency-control> Element
B.1.10. The <anonymous> Element
B.1.11. The <x509> Element
B.1.12. The <openid-login> Element
B.1.13. The <logout> Element
B.1.14. The <custom-filter> Element
B.1.15. The <request-cache> Element
B.1.16. The <http-firewall> Element
B.2. Authentication Services
B.2.1. The <authentication-manager> Element
B.3. Method Security
B.3.1. The <global-method-security> Element
B.3.2. LDAP Namespace Options