Spring Security Reference

Spring Security Reference 4.2.6.RELEASE

Ben Alex, Luke Taylor, Rob Winch, Gunnar Hillert

Copyright © 2004-2015

Copies of this document may be made for your own use and for distribution to others, provided that you do not charge any fee for such copies and further provided that each copy contains this Copyright Notice, whether distributed in print or electronically.

Table of Contents

I. Preface
  1. Getting Started
  2. Introduction
    2.1. What is Spring Security?
    2.2. History
    2.3. Release Numbering
    2.4. Getting Spring Security
      Usage with Maven
        Maven Repositories
        Spring Framework Bom
      Gradle
        Gradle Repositories
        Using Spring 4.0.x and Gradle
      Project Modules
        Core - spring-security-core.jar
        Remoting - spring-security-remoting.jar
        Web - spring-security-web.jar
        Config - spring-security-config.jar
        LDAP - spring-security-ldap.jar
        ACL - spring-security-acl.jar
        CAS - spring-security-cas.jar
        OpenID - spring-security-openid.jar
        Test - spring-security-test.jar
      Checking out the Source
  3. What’s New in Spring Security 4.2
    3.1. Web Improvements
    3.2. Configuration Improvements
    3.3. Miscellaneous
  4. Samples and Guides (Start Here)
  5. Java Configuration
    5.1. Hello Web Security Java Configuration
      AbstractSecurityWebApplicationInitializer
      AbstractSecurityWebApplicationInitializer without Existing Spring
      AbstractSecurityWebApplicationInitializer with Spring MVC
    5.2. HttpSecurity
    5.3. Java Configuration and Form Login
    5.4. Authorize Requests
    5.5. Handling Logouts
      LogoutHandler
      LogoutSuccessHandler
      Further Logout-Related References
    5.6. Authentication
      In-Memory Authentication
      JDBC Authentication
      LDAP Authentication
      AuthenticationProvider
      UserDetailsService
      LDAP Authentication
    5.7. Multiple HttpSecurity
    5.8. Method Security
      EnableGlobalMethodSecurity
      GlobalMethodSecurityConfiguration
    5.9. Post Processing Configured Objects
    5.10. Custom DSLs
  6. Security Namespace Configuration
    6.1. Introduction
      Design of the Namespace
    6.2. Getting Started with Security Namespace Configuration
      web.xml Configuration
      A Minimal <http> Configuration
      Form and Basic Login Options
        Setting a Default Post-Login Destination
      Logout Handling
      Using other Authentication Providers
        Adding a Password Encoder
    6.3. Advanced Web Features
      Remember-Me Authentication
      Adding HTTP/HTTPS Channel Security
      Session Management
        Detecting Timeouts
        Concurrent Session Control
        Session Fixation Attack Protection
      OpenID Support
        Attribute Exchange
      Response Headers
      Adding in Your Own Filters
        Setting a Custom AuthenticationEntryPoint
    6.4. Method Security
      The <global-method-security> Element
        Adding Security Pointcuts using protect-pointcut
    6.5. The Default AccessDecisionManager
