spring-security/src/docbkx/springsecurity.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
        "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<book xmlns:xi="http://www.w3.org/2001/XInclude">
  <bookinfo>
    <title>Spring Security</title>

    <subtitle>Reference Documentation</subtitle>

    <releaseinfo>2.0-SNAPSHOT</releaseinfo>

    <authorgroup>
      <author>
        <firstname>Ben</firstname>
        <surname>Alex</surname>
      </author>
    </authorgroup>
  </bookinfo>

  <toc></toc>

  <preface id="preface">
    <title>Preface</title>

    <para>Spring Security provides a comprehensive security solution for
    J2EE-based enterprise software applications. As you will discover as you
    venture through this reference guide, we have tried to provide you a
    useful and highly configurable security system.</para>

    <para>Security is an ever-moving target, and it's important to pursue a
    comprehensive, system-wide approach. In security circles we encourage you
    to adopt "layers of security", so that each layer tries to be as secure as
    possible in its own right, with successive layers providing additional
    security. The "tighter" the security of each layer, the more robust and
    safe your application will be. At the bottom level you'll need to deal
    with issues such as transport security and system identification, in order
    to mitigate man-in-the-middle attacks. Next you'll generally utilise
    firewalls, perhaps with VPNs or IP security to ensure only authorised
    systems can attempt to connect. In corporate environments you may deploy a
    DMZ to separate public-facing servers from backend database and
    application servers. Your operating system will also play a critical part,
    addressing issues such as running processes as non-privileged users and
    maximising file system security. An operating system will usually also be
    configured with its own firewall. Hopefully somewhere along the way you'll
    be trying to prevent denial of service and brute force attacks against the
    system. An intrusion detection system will also be especially useful for
    monitoring and responding to attacks, with such systems able to take
    protective action such as blocking offending TCP/IP addresses in
    real-time. Moving to the higher layers, your Java Virtual Machine will
    hopefully be configured to minimize the permissions granted to different
    Java types, and then your application will add its own problem
    domain-specific security configuration. Spring Security makes this latter
    area - application security - much easier.</para>

    <para>Of course, you will need to properly address all security layers
    mentioned above, together with managerial factors that encompass every
    layer. A non-exhaustive list of such managerial factors would include
    security bulletin monitoring, patching, personnel vetting, audits, change
    control, engineering management systems, data backup, disaster recovery,
    performance benchmarking, load monitoring, centralised logging, incident
    response procedures etc.</para>

    <para>With Spring Security being focused on helping you with the
    enterprise application security layer, you will find that there are as
    many different requirements as there are business problem domains. A
    banking application has different needs from an ecommerce application. An
    ecommerce application has different needs from a corporate sales force
    automation tool. These custom requirements make application security
    interesting, challenging and rewarding.</para>

    <para>This reference guide has been largely restructured for the 1.0.0
    release of Spring Security (then called Acegi Security). Please read Part
    I, <link linkend="overall-architecture">Overall Architecture</link>, in
    its entirety. The remaining parts of the reference guide are structured in
    a more traditional reference style, designed to be read on an as-required
    basis.</para>

    <para>We hope that you find this reference guide useful, and we welcome
    your feedback and <link linkend="jira">suggestions</link>.</para>

    <para>Finally, welcome to the Spring Security <link linkend="community" >community</link>.
    </para>
  </preface>

  <part id="overall-architecture">
    <title>Overall Architecture</title>

    <partintro>
      <para>Like most software, Spring Security has certain central
      interfaces, classes and conceptual abstractions that are commonly used
      throughout the framework. In this part of the reference guide we will
      introduce Spring Security, before examining these central elements that
      are necessary to successfully planning and executing a Spring Security
      integration.</para>
    </partintro>

    <xi:include href="introduction.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
    
    <xi:include href="technical-overview.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>

    <xi:include href="supporting-infrastructure.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
    
    <xi:include href="channel-security.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
    
    <xi:include href="taglibs.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
 
  </part>

  <part id="authentication">
    <title>Authentication</title>

    <partintro>
      <para>In this part of the reference guide we will examine individual
      authentication mechanisms and their corresponding
      <literal>AuthenticationProvider</literal>s. We'll also look at how to
      configure authentication more generally, including if you have several
      authentication approaches that need to be chained together.</para>
    </partintro>

    <xi:include href="common-auth-services.xml" />

    <xi:include href="dao-auth-provider.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>    

    <xi:include href="jaas-auth-provider.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
    
    <xi:include href="siteminder-auth-provider.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>

    <xi:include href="runas-auth-provider.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
    
    <xi:include href="form-authentication.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
    
    <xi:include href="basic-authentication.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
    
    <xi:include href="digest-authentication.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>
    
    <xi:include href="remember-me-authentication.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>    
    
    <xi:include href="anon-auth-provider.xml" xmlns:xi="http://www.w3.org/2001/XInclude"/>    

    <xi:include href="x509-auth-provider.xml"/>

    <xi:include href="ldap-auth-provider.xml"/>

    <xi:include href="cas-auth-provider.xml"/>

    <xi:include href="container-adapters.xml"/>

  </part>

  <part id="authorization">
    <title>Authorization</title>

    <partintro>
      <para>The advanced authorization capabilities within Spring Security
      represent one of the most compelling reasons for its popularity.
      Irrespective of how you choose to authenticate - whether using a Spring
      Security-provided mechanism and provider, or integrating with a
      container or other non-Spring Security authentication authority - you
      will find the authorization services can be used within your application
      in a consistent and simple way.</para>

      <para>In this part we'll explore the different
      <literal>AbstractSecurityInterceptor</literal> implementations, which
      were introduced in Part I. We then move on to explore how to fine-tune
      authorization through use of domain access control lists.</para>
    </partintro>

    <xi:include href="authorization-common.xml"/>    

    <xi:include href="secured-objects.xml"/>
    
    <xi:include href="domain-acls.xml"/>
    
    <xi:include href="domain-acls-old.xml"/>
    
  </part>

  <part id="resources">
    <title>Other Resources</title>

    <partintro>
      <para>In addition to this reference guide, a number of other resources
      exist to help you learn how to use Spring Security. These resources are
      discussed in this section.</para>
    </partintro>

    <xi:include href="samples.xml"/>
    
    <xi:include href="community.xml"/>    
 
  </part>
</book>