Spring Security
Reference Documentation
Ben Alex
Luke Taylor
Spring Security: Reference Documentation
by Ben Alex and Luke Taylor
3.2.0.M2
Spring Security
3.2.0.M2 iii
Table of Contents
Preface .............................................................................................................................................. xiii
I. Getting Started .................................................................................................................................. 1
1. Introduction ............................................................................................................................. 2
1.1. What is Spring Security? ............................................................................................... 2
1.2. History .......................................................................................................................... 3
1.3. Release Numbering ........................................................................................................ 4
1.4. Getting Spring Security .................................................................................................. 4
Project Modules ........................................................................................................... 4
Core - spring-security-core.jar ............................................................. 5
Remoting - spring-security-remoting.jar ............................................. 5
Web - spring-security-web.jar ............................................................... 5
Config - spring-security-config.jar ..................................................... 5
LDAP - spring-security-ldap.jar .......................................................... 5
ACL - spring-security-acl.jar ............................................................... 5
CAS - spring-security-cas.jar ............................................................... 5
OpenID - spring-security-openid.jar .................................................... 6
Checking out the Source ............................................................................................... 6
2. What's new in Spring Security 3.1 ............................................................................................ 7
2.1. High level updates found in Spring Security 3.1 .............................................................. 7
2.2. Spring Security 3.1 namespace updates ........................................................................... 7
3. Security Namespace Configuration ............................................................................................ 9
3.1. Introduction ................................................................................................................... 9
Design of the Namespace ........................................................................................... 10
3.2. Getting Started with Security Namespace Configuration ................................................. 10
web.xml Configuration ............................................................................................. 10
A Minimal <http> Configuration ............................................................................. 11
Form and Basic Login Options ................................................................................... 12
Setting a Default Post-Login Destination ............................................................. 13
Logout Handling ........................................................................................................ 14
Using other Authentication Providers .......................................................................... 14
Adding a Password Encoder ............................................................................... 15
3.3. Advanced Web Features ............................................................................................... 16
Remember-Me Authentication ..................................................................................... 16
Adding HTTP/HTTPS Channel Security ...................................................................... 16
Session Management .................................................................................................. 16
Detecting Timeouts ............................................................................................. 16
Concurrent Session Control ................................................................................. 17
Session Fixation Attack Protection ...................................................................... 18
OpenID Support ......................................................................................................... 18
Attribute Exchange ............................................................................................. 19
Adding in Your Own Filters ....................................................................................... 19
Setting a Custom AuthenticationEntryPoint ........................................... 21
3.4. Method Security .......................................................................................................... 22
The <global-method-security> Element ......................................................... 22
Adding Security Pointcuts using protect-pointcut ...................................... 23
3.5. The Default AccessDecisionManager ............................................................................ 23
Customizing the AccessDecisionManager .................................................................... 24
3.6. The Authentication Manager and the Namespace ........................................................... 24
4. Sample Applications ............................................................................................................... 26
4.1. Tutorial Sample ........................................................................................................... 26
4.2. Contacts ...................................................................................................................... 26
4.3. LDAP Sample ............................................................................................................. 27
4.4. OpenID Sample ........................................................................................................... 27
4.5. CAS Sample ................................................................................................................ 28
4.6. JAAS Sample .............................................................................................................. 28
4.7. Pre-Authentication Sample ........................................................................................... 28
5. Spring Security Community .................................................................................................... 29
5.1. Issue Tracking ............................................................................................................. 29
5.2. Becoming Involved ...................................................................................................... 29
5.3. Further Information ...................................................................................................... 29
II. Architecture and Implementation .................................................................................................... 30
6. Technical Overview ................................................................................................................ 31
6.1. Runtime Environment .................................................................................................. 31
6.2. Core Components ........................................................................................................ 31
SecurityContextHolder, SecurityContext and Authentication Objects ........................... 31
Obtaining information about the current user ........................................................ 32
The UserDetailsService ............................................................................................... 32
GrantedAuthority ........................................................................................................ 33
Summary .................................................................................................................... 33
6.3. Authentication ............................................................................................................. 33
What is authentication in Spring Security? ................................................................... 34
Setting the SecurityContextHolder Contents Directly .................................................... 35
6.4. Authentication in a Web Application ............................................................................ 36
ExceptionTranslationFilter .......................................................................................... 37
AuthenticationEntryPoint ............................................................................................ 37
Authentication Mechanism .......................................................................................... 37
Storing the SecurityContext between requests ..................................................... 37
6.5. Access-Control (Authorization) in Spring Security ......................................................... 38
Security and AOP Advice ........................................................................................... 38
Secure Objects and the AbstractSecurityInterceptor .................................... 39
What are Configuration Attributes? ..................................................................... 39
RunAsManager ................................................................................................... 39
AfterInvocationManager ...................................................................................... 40
Extending the Secure Object Model ..................................................................... 41
6.6. Localization ................................................................................................................. 41
7. Core Services ......................................................................................................................... 43
7.1. The AuthenticationManager, ProviderManager and AuthenticationProviders ........................ 43
Erasing Credentials on Successful Authentication ......................................................... 44
DaoAuthenticationProvider ........................................................................... 44
7.2. UserDetailsService Implementations .................................................................. 45
In-Memory Authentication .......................................................................................... 45
JdbcDaoImpl .......................................................................................................... 46
Authority Groups ................................................................................................ 46
7.3. Password Encoding ...................................................................................................... 46
What is a hash? .......................................................................................................... 47
Adding Salt to a Hash ................................................................................................ 47
Hashing and Authentication ....................................................................................... 48
III. Web Application Security ............................................................................................................. 49
8. The Security Filter Chain ........................................................................................................ 50
8.1. DelegatingFilterProxy ..................................................................................... 50
8.2. FilterChainProxy ................................................................................................ 50
Bypassing the Filter Chain .......................................................................................... 52
8.3. Filter Ordering ............................................................................................................. 52
8.4. Request Matching and HttpFirewall ....................................................................... 53
8.5. Use with other Filter-Based Frameworks ....................................................................... 54
8.6. Advanced Namespace Configuration ............................................................................. 54
9. Core Security Filters ............................................................................................................... 55
9.1. FilterSecurityInterceptor ............................................................................ 55
9.2. ExceptionTranslationFilter .......................................................................... 56
AuthenticationEntryPoint ............................................................................. 56
AccessDeniedHandler ........................................................................................ 57
SavedRequests and the RequestCache Interface ................................................. 57
9.3. SecurityContextPersistenceFilter ............................................................. 58
SecurityContextRepository ........................................................................... 58
9.4. UsernamePasswordAuthenticationFilter ..................................................... 59
Application Flow on Authentication Success and Failure .............................................. 59
10. Basic and Digest Authentication ............................................................................................ 61
10.1. BasicAuthenticationFilter ........................................................................... 61
Configuration ............................................................................................................. 61
10.2. DigestAuthenticationFilter ........................................................................ 61
Configuration ............................................................................................................. 63
11. Remember-Me Authentication ............................................................................................... 64
11.1. Overview ................................................................................................................... 64
11.2. Simple Hash-Based Token Approach .......................................................................... 64
11.3. Persistent Token Approach ......................................................................................... 65
11.4. Remember-Me Interfaces and Implementations ............................................................ 65
TokenBasedRememberMeServices .............................................................................. 65
PersistentTokenBasedRememberMeServices ................................................................ 66
12. Session Management ............................................................................................................ 67
12.1. SessionManagementFilter ........................................................................................... 67
12.2. SessionAuthenticationStrategy .................................................................. 67
12.3. Concurrency Control .................................................................................................. 68