Spring Security

Reference Documentation

Ben Alex, Luke Taylor

2.0.x


Table of Contents

Preface
I. Getting Started
1. Introduction
What is Spring Security?
History
Release Numbering
Getting the Source
2. Security Namespace Configuration
Introduction
Design of the Namespace
Getting Started with Security Namespace Configuration
web.xml Configuration
A Minimal <http> Configuration
Using other Authentication Providers
Advanced Web Features
Remember-Me Authentication
Adding HTTP/HTTPS Channel Security
Concurrent Session Control
OpenID Login
Adding in Your Own Filters
Session Fixation Attack Protection
Method Security
The <global-method-security> Element
The intercept-methods Bean Decorator
The Default AccessDecisionManager
Customizing the AccessDecisionManager
The Default Authentication Manager
3. Sample Applications
Tutorial Sample
Contacts
LDAP Sample
CAS Sample
Pre-Authentication Sample
4. Spring Security Community
Issue Tracking
Becoming Involved
Further Information
II. Overall Architecture
5. Technical Overview
Runtime Environment
Shared Components
SecurityContextHolder, SecurityContext and Authentication Objects
The UserDetailsService
GrantedAuthority
Summary
Authentication
ExceptionTranslationFilter
AuthenticationEntryPoint
AuthenticationProvider
Setting the SecurityContextHolder Contents Directly
Secure Objects
Security and AOP Advice
AbstractSecurityInterceptor
6. Supporting Infrastructure
Localization
Filters
Tag Libraries
Configuration
Usage
7. Channel Security
Overview
Configuration
Conclusion
III. Authentication
8. Common Authentication Services
Mechanisms, Providers and Entry Points
UserDetails and Associated Types
In-Memory Authentication
JDBC Authentication
Concurrent Session Handling
Authentication Tag Libraries
9. DAO Authentication Provider
Overview
Configuration
10. LDAP Authentication
Overview
Using LDAP with Spring Security
Configuring an LDAP Server
Using an Embedded Test Server
Using Bind Authentication
Loading Authorities
Implementation Classes
LdapAuthenticator Implementations
Connecting to the LDAP Server
LDAP Search Objects
LdapAuthoritiesPopulator
Spring Bean Configuration
LDAP Attributes and Customized UserDetails
11. Form Authentication Mechanism
Overview
Configuration
12. BASIC Authentication Mechanism
Overview
Configuration
13. Digest Authentication
Overview
Configuration
14. Remember-Me Authentication
Overview
Simple Hash-Based Token Approach
Persistent Token Approach
Remember-Me Interfaces and Implementations
TokenBasedRememberMeServices
PersistentTokenBasedRememberMeServices
15. Java Authentication and Authorization Service (JAAS) Provider
Overview
Configuration
JAAS CallbackHandler
JAAS AuthorityGranter
16. Pre-Authentication Scenarios
Pre-Authentication Framework Classes
AbstractPreAuthenticatedProcessingFilter
AbstractPreAuthenticatedAuthenticationDetailsSource
PreAuthenticatedAuthenticationProvider
PreAuthenticatedProcessingFilterEntryPoint
Concrete Implementations
Request-Header Authentication (Siteminder)
J2EE Container Authentication
17. Anonymous Authentication
Overview
Configuration
18. X.509 Authentication
Overview
Adding X.509 Authentication to Your Web Application
Setting up SSL in Tomcat
19. CAS Authentication
Overview
How CAS Works
Configuration of CAS Client
20. Run-As Authentication Replacement
Overview
Configuration
21. Container Adapter Authentication
Overview
Adapter Authentication Provider
Jetty
JBoss
Resin
Tomcat
IV. Authorization
22. Common Authorization Concepts
Authorities
Pre-Invocation Handling
The AccessDecisionManager
After Invocation Handling
ACL-Aware AfterInvocationProviders
ACL-Aware AfterInvocationProviders (old ACL module)
Authorization Tag Libraries
23. Secure Object Implementations
AOP Alliance (MethodInvocation) Security Interceptor
Explicit MethodSecurityInterceptor Configuration
AspectJ (JoinPoint) Security Interceptor
FilterInvocation Security Interceptor
24. Domain Object Security
Overview
Key Concepts
Getting Started
A. Security Database Schema
User Schema
Group Authorities
Persistent Login (Remember-Me) Schema
ACL Schema
B. The Security Namespace
Web Application Security - the <http> Element
<http> Attributes
The <intercept-url> Element
The <port-mappings> Element
The <form-login> Element
The <http-basic> Element
The <remember-me> Element
The <concurrent-session-control> Element
The <anonymous> Element
The <x509> Element
The <openid-login> Element
The <logout> Element
Authentication Services
The <authentication-provider> Element
Using <custom-authentication-provider> to register an AuthenticationProvider
The <authentication-manager> Element
Method Security
The <global-method-security> Element
LDAP Namespace Options

List of Figures

5.1. The key "secure object" model
22.1. Voting Decision Manager
22.2. After Invocation Implementation

List of Tables

2.1. Standard Filter Aliases and Ordering