
Spring Security Reference Documentation 2.0.x

Copyright © 2005-2007

Preface

I. Getting Started
  1. Introduction
    1.1. What is Spring Security?
    1.2. History
    1.3. Release Numbering
    1.4. Getting the Source
  2. Security Namespace Configuration
    2.1. Introduction
      2.1.1. Design of the Namespace
    2.2. Getting Started with Security Namespace Configuration
      2.2.1. web.xml Configuration
      2.2.2. A Minimal <http> Configuration
      2.2.3. Using other Authentication Providers
    2.3. Advanced Web Features
      2.3.1. Remember-Me Authentication
      2.3.2. Adding HTTP/HTTPS Channel Security
      2.3.3. Concurrent Session Control
      2.3.4. OpenID Login
      2.3.5. Adding in Your Own Filters
      2.3.6. Session Fixation Attack Protection
    2.4. Method Security
      2.4.1. The <global-method-security> Element
      2.4.2. The intercept-methods Bean Decorator
    2.5. The Default AccessDecisionManager
      2.5.1. Customizing the AccessDecisionManager
    2.6. The Default Authentication Manager
  3. Sample Applications
    3.1. Tutorial Sample
    3.2. Contacts
    3.3. LDAP Sample
    3.4. CAS Sample
    3.5. Pre-Authentication Sample
  4. Spring Security Community
    4.1. Issue Tracking
    4.2. Becoming Involved
    4.3. Further Information

II. Overall Architecture
  5. Technical Overview
    5.1. Runtime Environment
    5.2. Shared Components
      5.2.1. SecurityContextHolder, SecurityContext and Authentication Objects
      5.2.2. The UserDetailsService
      5.2.3. GrantedAuthority
      5.2.4. Summary
    5.3. Authentication
      5.3.1. ExceptionTranslationFilter
      5.3.2. AuthenticationEntryPoint
      5.3.3. AuthenticationProvider
      5.3.4. Setting the SecurityContextHolder Contents Directly
    5.4. Secure Objects
      5.4.1. Security and AOP Advice
      5.4.2. AbstractSecurityInterceptor
  6. Supporting Infrastructure
    6.1. Localization
    6.2. Filters
    6.3. Tag Libraries
      6.3.1. Configuration
      6.3.2. Usage
  7. Channel Security
    7.1. Overview
    7.2. Configuration
    7.3. Conclusion

III. Authentication
  8. Common Authentication Services
    8.1. Mechanisms, Providers and Entry Points
    8.2. UserDetails and Associated Types
      8.2.1. In-Memory Authentication
      8.2.2. JDBC Authentication
    8.3. Concurrent Session Handling
    8.4. Authentication Tag Libraries
  9. DAO Authentication Provider
    9.1. Overview
    9.2. Configuration
  10. LDAP Authentication
    10.1. Overview
    10.2. Using LDAP with Spring Security
    10.3. Configuring

Details
- File Type: pdf
- Content Languages: English
- File Pages: 107