Spring Security: Reference Documentation
by Ben Alex and Luke Taylor
3.0.7.RELEASE
Spring Security
3.0.7.RELEASE iii
Table of Contents
Preface ...................................................................................................................................... x
I. Getting Started ....................................................................................................................... 1
1. Introduction ................................................................................................................... 2
1.1. What is Spring Security? ..................................................................................... 2
1.2. History ................................................................................................................ 4
1.3. Release Numbering ............................................................................................. 4
1.4. Getting Spring Security ....................................................................................... 5
Project Modules ................................................................................................. 5
Core - spring-security-core.jar .................................................. 5
Web - spring-security-web.jar ..................................................... 5
Config - spring-security-config.jar ........................................... 5
LDAP - spring-security-ldap.jar ................................................ 5
ACL - spring-security-acl.jar .................................................... 6
CAS - spring-security-cas-client.jar ..................................... 6
OpenID - spring-security-openid.jar .......................................... 6
Checking out the Source .................................................................................... 6
2. Security Namespace Configuration .................................................................................. 7
2.1. Introduction ......................................................................................................... 7
Design of the Namespace ................................................................................... 8
2.2. Getting Started with Security Namespace Configuration ......................................... 8
web.xml Configuration .................................................................................... 8
A Minimal <http> Configuration ..................................................................... 9
What does auto-config Include? ......................................................... 10
Form and Basic Login Options ................................................................. 11
Using other Authentication Providers ................................................................ 12
Adding a Password Encoder ..................................................................... 13
2.3. Advanced Web Features .................................................................................... 14
Remember-Me Authentication ........................................................................... 14
Adding HTTP/HTTPS Channel Security ............................................................ 14
Session Management ........................................................................................ 15
Detecting Timeouts .................................................................................. 15
Concurrent Session Control ....................................................................... 15
Session Fixation Attack Protection ............................................................ 16
OpenID Support ............................................................................................... 16
Attribute Exchange ................................................................................... 17
Adding in Your Own Filters ............................................................................. 17
Setting a Custom AuthenticationEntryPoint ................................. 19
2.4. Method Security ................................................................................................ 19
The <global-method-security> Element ............................................... 19
Adding Security Pointcuts using protect-pointcut ............................ 20
2.5. The Default AccessDecisionManager .................................................................. 21
Customizing the AccessDecisionManager .......................................................... 21
2.6. The Authentication Manager and the Namespace ................................................. 22
3. Sample Applications ..................................................................................................... 23
3.1. Tutorial Sample ................................................................................................. 23
3.2. Contacts ............................................................................................................ 23
3.3. LDAP Sample ................................................................................................... 24
3.4. CAS Sample ..................................................................................................... 24
3.5. Pre-Authentication Sample ................................................................................. 25
4. Spring Security Community .......................................................................................... 26
4.1. Issue Tracking ................................................................................................... 26
4.2. Becoming Involved ............................................................................................ 26
4.3. Further Information ........................................................................................... 26
II. Architecture and Implementation .......................................................................................... 27
5. Technical Overview ...................................................................................................... 28
5.1. Runtime Environment ........................................................................................ 28
5.2. Core Components .............................................................................................. 28
SecurityContextHolder, SecurityContext and Authentication Objects ................. 28
Obtaining information about the current user ............................................. 29
The UserDetailsService ..................................................................................... 29
GrantedAuthority .............................................................................................. 30
Summary ......................................................................................................... 30
5.3. Authentication ................................................................................................... 30
What is authentication in Spring Security? ......................................................... 30
Setting the SecurityContextHolder Contents Directly .......................................... 32
5.4. Authentication in a Web Application .................................................................. 33
ExceptionTranslationFilter ................................................................................ 33
AuthenticationEntryPoint .................................................................................. 34
Authentication Mechanism ................................................................................ 34
Storing the SecurityContext between requests ........................................... 34
5.5. Access-Control (Authorization) in Spring Security ............................................... 35
Security and AOP Advice ................................................................................. 35
Secure Objects and the AbstractSecurityInterceptor .......................... 36
What are Configuration Attributes? ........................................................... 36
RunAsManager ........................................................................................ 36
AfterInvocationManager ........................................................................... 37
Extending the Secure Object Model .......................................................... 37
5.6. Localization ....................................................................................................... 37
6. Core Services ............................................................................................................... 39
6.1. The AuthenticationManager, ProviderManager and AuthenticationProviders ............................ 39
DaoAuthenticationProvider ................................................................. 40
Erasing Credentials on Successful Authentication ............................................... 40
6.2. UserDetailsService Implementations ........................................................ 41
In-Memory Authentication ................................................................................ 41
JdbcDaoImpl ............................................................................................... 42
Authority Groups ..................................................................................... 42
6.3. Password Encoding ............................................................................................ 42
What is a hash? ............................................................................................... 42
Adding Salt to a Hash ...................................................................................... 43
Hashing and Authentication ............................................................................. 43
III. Web Application Security ................................................................................................... 44
7. The Security Filter Chain ............................................................................................. 45
7.1. DelegatingFilterProxy ........................................................................... 45
7.2. FilterChainProxy ...................................................................................... 45
Bypassing the Filter Chain ................................................................................ 47
7.3. Filter Ordering .................................................................................................. 47
7.4. Request Matching and HttpFirewall ............................................................ 48
7.5. Use with other Filter-Based Frameworks ............................................................. 49
8. Core Security Filters .................................................................................................... 50
8.1. FilterSecurityInterceptor .................................................................. 50
8.2. ExceptionTranslationFilter ................................................................ 51
AuthenticationEntryPoint ................................................................... 52
AccessDeniedHandler .............................................................................. 52
8.3. SecurityContextPersistenceFilter ................................................... 52
SecurityContextRepository ................................................................. 53
8.4. UsernamePasswordAuthenticationFilter .......................................... 53
Application Flow on Authentication Success and Failure .................................... 54
9. Basic and Digest Authentication .................................................................................... 56
9.1. BasicAuthenticationFilter .................................................................. 56
Configuration ................................................................................................... 56
9.2. DigestAuthenticationFilter ................................................................ 57
Configuration ................................................................................................... 58
10. Remember-Me Authentication ..................................................................................... 59
10.1. Overview ......................................................................................................... 59
10.2. Simple Hash-Based Token Approach ................................................................ 59
10.3. Persistent Token Approach ............................................................................... 60
10.4. Remember-Me Interfaces and Implementations .................................................. 60
TokenBasedRememberMeServices .................................................................... 61
PersistentTokenBasedRememberMeServices ...................................................... 61
11. Session Management .................................................................................................. 62
11.1. SessionManagementFilter ................................................................................. 62
11.2. SessionAuthenticationStrategy ........................................................ 62
11.3. Concurrency Control ........................................................................................ 63
12. Anonymous Authentication ......................................................................................... 65
12.1. Overview ......................................................................................................... 65
12.2. Configuration ................................................................................................... 65
12.3. AuthenticationTrustResolver ............................................................ 66
IV. Authorization ..................................................................................................................... 68
13. Authorization Architecture .......................................................................................... 69
13.1. Authorities ....................................................................................................... 69
13.2. Pre-Invocation Handling ................................................................................... 69
The AccessDecisionManager ............................................................................ 69