Spring Security - Spring Security Tutorial

Spring Security  - spring security tutorial

Spring Security is a Java/Java EE framework that provides authentication, authorization and other security features for enterprise applications. The project was started in late 2003 as 'Acegi Security' (pronounced Ah-see-gee) by Ben Alex, with it being publicly released under the Apache License in March 2004. Subsequently, Acegi was incorporated into the Spring portfolio as Spring Security, an official Spring sub-project. The first public release under the new name was Spring Security 2.0.0 in April 2008, with commercial support and training available from SpringSource.

Spring Security  - spring security tutorial
Authentication flow

Diagram 1 shows the basic flow of an authentication request using the Spring Security system. It shows the different filters and how they interact from the initial browser request, to either a successful authentication or an HTTP 403 error.

Spring Security  - spring security tutorial
Key authentication features

  • LDAP (using both bind-based and password comparison strategies) for centralization of authentication information.
  • Single sign-on capabilities using the popular Central Authentication Service.
  • Java Authentication and Authorization Service (JAAS) LoginModule, a standards-based method for authentication used within Java. Note this feature is only a delegation to a JAAS Loginmodule.
  • Basic access authentication as defined through the IETF Request for Comments 1945 standard.
  • Digest access authentication as defined through the IETF Request for Comments 2617 and RFC 2069 standard.
  • X.509 client certificate presentation over the Secure Sockets Layer standard.
  • CA, Inc SiteMinder for authentication (a popular commercial access management product).
  • Su (Unix)-like support for switching principal identity over a HTTP or HTTPS connection.
  • Run-as replacement, which enables an operation to assume a different security identity.
  • Anonymous authentication, which means that even unauthenticated principals are allocated a security identity.
  • Container adapter (custom realm) support for Apache Tomcat, Resin, JBoss and Jetty (web server).
  • Windows NTLM to enable browser integration (experimental).
  • Web form authentication, similar to the Servlet container specification.
  • "Remember-me" support via HTTP Cookies.
  • Concurrent session support, which limits the number of simultaneous logins permitted by a principal.
  • Full support for customization and plugging in custom authentication implementations.

Spring Security  - spring security tutorial
Key authorization features

  • AspectJ method invocation authorization.
  • HTTP authorization of web request URLs using a choice of Apache Ant paths or regular expressions.

Spring Security  - spring security tutorial
Instance-based security features

  • Used for specifying Access control lists applicable to domain objects.
  • Spring Security offers a repository for storing, retrieving, and modifying ACLs in a database.
  • Authorization features are provided to enforce policies before and after method invocations.

Spring Security  - spring security tutorial
Other features

  • Software localization so user interface messages can be in any language.
  • Channel security, to automatically switch between HTTP and HTTPS upon meeting particular rules.
  • Caching in all database-touching areas of the framework.
  • Publishing of messages to facilitate event-driven programming.
  • Support for performing integration testing via JUnit.
  • Spring Security itself has comprehensive JUnit isolation tests.
  • Several sample applications, detailed JavaDocs and a reference guide.
  • Web framework independence.

Spring Security  - spring security tutorial
References

Spring Security  - spring security tutorial
External links

  • Official website
  • Introducing Spring Security by Ben Alex
  • Spring Security 3

0 komentar: