Spring Security Reference Documentation
Ben Alex, Luke Taylor

Spring Security: Reference Documentation
by Ben Alex and Luke Taylor
3.0.8.RELEASE

Table of Contents

Preface ... x
I. Getting Started ... 1
  1. Introduction ... 2
    1.1. What is Spring Security? ... 2
    1.2. History ... 4
    1.3. Release Numbering ... 4
    1.4. Getting Spring Security ... 5
      Project Modules ... 5
        Core - spring-security-core.jar ... 5
        Web - spring-security-web.jar ... 5
        Config - spring-security-config.jar ... 5
        LDAP - spring-security-ldap.jar ... 5
        ACL - spring-security-acl.jar ... 6
        CAS - spring-security-cas-client.jar ... 6
        OpenID - spring-security-openid.jar ... 6
      Checking out the Source ... 6
  2. Security Namespace Configuration ... 7
    2.1. Introduction ... 7
      Design of the Namespace ... 8
    2.2. Getting Started with Security Namespace Configuration ... 8
      web.xml Configuration ... 8
      A Minimal <http> Configuration ... 9
        What does auto-config Include? ... 10
        Form and Basic Login Options ... 11
      Using other Authentication Providers ... 12
        Adding a Password Encoder ... 13
    2.3. Advanced Web Features ... 14
      Remember-Me Authentication ... 14
      Adding HTTP/HTTPS Channel Security ... 14
      Session Management ... 15
        Detecting Timeouts ... 15
        Concurrent Session Control ... 15
        Session Fixation Attack Protection ... 16
      OpenID Support ... 16
        Attribute Exchange ... 17
      Adding in Your Own Filters ... 17
        Setting a Custom AuthenticationEntryPoint ... 19
    2.4. Method Security ... 19
      The <global-method-security> Element ... 19
      Adding Security Pointcuts using protect-pointcut ... 20
    2.5. The Default AccessDecisionManager ... 21
      Customizing the AccessDecisionManager ... 21
    2.6. The Authentication Manager and the Namespace ... 22
  3. Sample Applications ... 23
    3.1. Tutorial Sample ... 23
    3.2. Contacts ... 23
    3.3. LDAP Sample ... 24
    3.4. CAS Sample ... 24
    3.5. Pre-Authentication Sample ... 25
  4. Spring Security Community ... 26
    4.1. Issue Tracking ... 26
    4.2. Becoming Involved ... 26
    4.3. Further Information ... 26
II. Architecture and Implementation ... 27
  5. Technical Overview ... 28
    5.1. Runtime Environment ... 28
    5.2. Core Components ... 28
      SecurityContextHolder, SecurityContext and Authentication Objects ... 28
        Obtaining information about the current user ... 29
      The UserDetailsService ... 29
      GrantedAuthority ... 30
      Summary ... 30
    5.3. Authentication ... 30
      What is authentication in Spring Security? ... 30
      Setting the SecurityContextHolder Contents Directly ... 32
    5.4. Authentication in a Web Application ... 33
      ExceptionTranslationFilter ... 33
      AuthenticationEntryPoint ... 34
      Authentication Mechanism ... 34
        Storing the SecurityContext between requests ... 34
    5.5. Access-Control (Authorization) in Spring Security ... 35
      Security and AOP Advice ... 35
      Secure Objects and the AbstractSecurityInterceptor ... 36
        What are Configuration Attributes? ... 36
        RunAsManager ... 36
        AfterInvocationManager ... 37
        Extending the Secure Object Model ... 37
    5.6. Localization ... 38
  6. Core Services ... 40
    6.1. The AuthenticationManager, ProviderManager and AuthenticationProviders ... 40
      DaoAuthenticationProvider ... 41
      Erasing Credentials on Successful Authentication ... 41
    6.2. UserDetailsService Implementations ... 42
      In-Memory Authentication ... 42
      JdbcDaoImpl ... 43
        Authority Groups ... 43
    6.3. Password Encoding ...
Details
File Type: pdf
Content Languages: English
Upload User: Anonymous/Not logged-in
File Pages: 136