Spring Security

Reference Documentation

Ben Alex

Luke Taylor

3.0.0.RC1


Table of Contents

Preface
I. Getting Started
1. Introduction
1.1. What is Spring Security?
1.2. History
1.3. Release Numbering
1.4. Getting Spring Security
1.4.1. Project Modules
1.4.2. Checking out the Source
2. Security Namespace Configuration
2.1. Introduction
2.1.1. Design of the Namespace
2.2. Getting Started with Security Namespace Configuration
2.2.1. web.xml Configuration
2.2.2. A Minimal <http> Configuration
2.2.3. Using other Authentication Providers
2.3. Advanced Web Features
2.3.1. Remember-Me Authentication
2.3.2. Adding HTTP/HTTPS Channel Security
2.3.3. Session Management
2.3.4. OpenID Login
2.3.5. Adding in Your Own Filters
2.4. Method Security
2.4.1. The <global-method-security> Element
2.5. The Default AccessDecisionManager
2.5.1. Customizing the AccessDecisionManager
2.6. The Authentication Manager and the Namespace
3. Sample Applications
3.1. Tutorial Sample
3.2. Contacts
3.3. LDAP Sample
3.4. CAS Sample
3.5. Pre-Authentication Sample
4. Spring Security Community
4.1. Issue Tracking
4.2. Becoming Involved
4.3. Further Information
II. Architecture and Implementation
5. Technical Overview
5.1. Runtime Environment
5.2. Core Components
5.2.1. SecurityContextHolder, SecurityContext and Authentication Objects
5.2.2. The UserDetailsService
5.2.3. GrantedAuthority
5.2.4. Summary
5.3. Authentication
5.3.1. What is authentication in Spring Security?
5.4. Authentication in a Web Application
5.4.1. ExceptionTranslationFilter
5.4.2. AuthenticationEntryPoint
5.4.3. Authentication Mechanism
5.4.4. Storing the SecurityContext between requests
5.5. Access-Control (Authorization) in Spring Security
5.5.1. Security and AOP Advice
5.5.2. Secure Objects and the AbstractSecurityInterceptor
5.6. Localization
6. Core Services
6.1. The AuthenticationManager, ProviderManager and AuthenticationProviders
6.1.1. DaoAuthenticationProvider
6.2. UserDetailsService Implementations
6.2.1. In-Memory Authentication
6.2.2. JdbcDaoImpl
III. Web Application Security
7. The Security Filter Chain
7.1. DelegatingFilterProxy
7.2. FilterChainProxy
7.2.1. Bypassing the Filter Chain
7.3. Filter Ordering
7.4. Use with other Filter-Based Frameworks
8. Core Security Filters
8.1. FilterSecurityInterceptor
8.2. ExceptionTranslationFilter
8.2.1. AuthenticationEntryPoint
8.2.2. AccessDeniedHandler
8.3. SecurityContextPersistenceFilter
8.3.1. SecurityContextRepository
8.4. UsernamePasswordAuthenticationFilter
8.4.1. Application Flow on Authentication Success and Failure
9. Basic and Digest Authentication
9.1. BasicAuthenticationFilter
9.1.1. Configuration
9.2. DigestAuthenticationFilter
9.2.1. Configuration
10. Remember-Me Authentication
10.1. Overview
10.2. Simple Hash-Based Token Approach
10.3. Persistent Token Approach
10.4. Remember-Me Interfaces and Implementations
10.4.1. TokenBasedRememberMeServices
10.4.2. PersistentTokenBasedRememberMeServices
11. Session Management
11.1. SessionManagementFilter
11.2. SessionAuthenticationStrategy
11.3. Concurrency Control
12. Anonymous Authentication
12.1. Overview
12.2. Configuration
12.3. AuthenticationTrustResolver
IV. Authorization
13. Common Authorization Concepts
13.1. Authorities
13.2. Pre-Invocation Handling
13.2.1. The AccessDecisionManager
13.3. After Invocation Handling
13.3.1. ACL-Aware AfterInvocationProviders
13.4. Authorization Tag Libraries
14. Secure Object Implementations
14.1. AOP Alliance (MethodInvocation) Security Interceptor
14.1.1. Explicit MethodSecurityInterceptor Configuration
14.2. AspectJ (JoinPoint) Security Interceptor
V. Advanced Topics
15. Domain Object Security (ACLs)
15.1. Overview
15.2. Key Concepts
15.3. Getting Started
16. Pre-Authentication Scenarios
16.1. Pre-Authentication Framework Classes
16.1.1. AbstractPreAuthenticatedProcessingFilter
16.1.2. AbstractPreAuthenticatedAuthenticationDetailsSource
16.1.3. PreAuthenticatedAuthenticationProvider
16.1.4. Http403ForbiddenEntryPoint
16.2. Concrete Implementations
16.2.1. Request-Header Authentication (Siteminder)
16.2.2. J2EE Container Authentication
17. LDAP Authentication
17.1. Overview
17.2. Using LDAP with Spring Security
17.3. Configuring an LDAP Server
17.3.1. Using an Embedded Test Server
17.3.2. Using Bind Authentication
17.3.3. Loading Authorities
17.4. Implementation Classes
17.4.1. LdapAuthenticator Implementations
17.4.2. Connecting to the LDAP Server
17.4.3. LDAP Search Objects
17.4.4. LdapAuthoritiesPopulator
17.4.5. Spring Bean Configuration
17.4.6. LDAP Attributes and Customized UserDetails
18. Java Authentication and Authorization Service (JAAS) Provider
18.1. Overview
18.2. Configuration
18.2.1. JAAS CallbackHandler
18.2.2. JAAS AuthorityGranter
19. CAS Authentication
19.1. Overview
19.2. How CAS Works
19.3. Configuration of CAS Client
20. X.509 Authentication
20.1. Overview
20.2. Adding X.509 Authentication to Your Web Application
20.3. Setting up SSL in Tomcat
21. Run-As Authentication Replacement
21.1. Overview
21.2. Configuration
A. Security Database Schema
A.1. User Schema
A.1.1. Group Authorities
A.2. Persistent Login (Remember-Me) Schema
A.3. ACL Schema
A.3.1. Hypersonic SQL
B. The Security Namespace
B.1. Web Application Security - the <http> Element
B.1.1. <http> Attributes
B.1.2. access-denied-handler
B.1.3. The <intercept-url> Element
B.1.4. The <port-mappings> Element
B.1.5. The <form-login> Element
B.1.6. The <http-basic> Element
B.1.7. The <remember-me> Element
B.1.8. The <session-management> Element
B.1.9. The <concurrency-control> Element
B.1.10. The <anonymous> Element
B.1.11. The <x509> Element
B.1.12. The <openid-login> Element
B.1.13. The <logout> Element
B.2. Authentication Services
B.2.1. The <authentication-manager> Element
B.3. Method Security
B.3.1. The <global-method-security> Element
B.3.2. LDAP Namespace Options