Updated contacts sample info and added information on ACL database schema and using it with Postgres.

This commit is contained in:
Luke Taylor 2009-05-06 14:34:27 +00:00
parent c6dfee69d4
commit 0d1ebfa85a
3 changed files with 295 additions and 345 deletions


@ -1,27 +1,20 @@
<?xml version="1.0" encoding="UTF-8"?>
<appendix version="5.0" xml:id="appendix-schema" xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude">
xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude">
<info>
<title>Security Database Schema</title>
</info>
<para>
There are various database schema used by the framework and this appendix
provides a single reference point to them all. You only need to
provide the tables for the areas of functonality you require.
</para>
<para>
DDL statements are given for the HSQLDB database. You can use these as a guideline for defining the
schema for the database you are using.
</para>
<para> There are various database schema used by the framework and this appendix provides a single
reference point to them all. You only need to provide the tables for the areas of functonality
you require. </para>
<para> DDL statements are given for the HSQLDB database. You can use these as a guideline for
defining the schema for the database you are using. </para>
<section>
<title>User Schema</title>
<para>
The standard JDBC implementation of the <interfacename>UserDetailsService</interfacename> requires tables
to load the password, account status (enabled or disabled) and a list of authorities (roles) for the user.
<programlisting xml:id="db_schema_users_authorities">
<para> The standard JDBC implementation of the <interfacename>UserDetailsService</interfacename>
requires tables to load the password, account status (enabled or disabled) and a list of
authorities (roles) for the user.
<programlisting xml:id="db_schema_users_authorities">
create table users(
username varchar_ignorecase(50) not null primary key,
password varchar_ignorecase(50) not null,
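Review bot: the reflowed opening paragraph still carries the misspelling "functonality" ("areas of functonality you require"); fix it to "functionality" while the text is being rewrapped anyway. Separately, in the unchanged users table, `password varchar_ignorecase(50) not null` is narrow for stored password hashes (a hex-encoded SHA-256 digest alone is 64 characters), so a short note or a wider column would save readers who paste the DDL verbatim and later switch encoders.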
@ -32,13 +25,10 @@
authority varchar_ignorecase(50) not null,
constraint fk_authorities_users foreign key(username) references users(username));
create unique index ix_auth_username on authorities (username,authority);;
</programlisting>
</para>
</programlisting></para>
<section>
<title>Group Authorities</title>
<para>
Spring Security 2.0 introduced support for group authorities
<para> Spring Security 2.0 introduced support for group authorities
<programlisting xml:id="db-schema-groups">
create table groups (
id bigint generated by default as identity(start with 0) primary key,
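Review bot: the unchanged context line `create unique index ix_auth_username on authorities (username,authority);;` ends with a doubled semicolon; since this block is being touched, drop the extra `;` so the listing can be copied as-is. The new sentence "Spring Security 2.0 introduced support for group authorities" also needs a full stop before the listing.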
@ -54,33 +44,56 @@ create table group_members (
username varchar(50) not null,
group_id bigint not null,
constraint fk_group_members_group foreign key(group_id) references groups(id));
</programlisting>
</para>
</programlisting></para>
</section>
</section>
<section>
<title>Persistent Login (Remember-Me) Schema</title>
<para>
This table is used to store data used by the more secure
<link xlink:href="#remember-me-persistent-token">persistent token</link> remember-me implementation.
If you are using <classname>JdbcTokenRepositoryImpl</classname> either directly or through the namespace,
then you will need this table.
<programlisting xml:id="db-schema-remeber-me">
<para> This table is used to store data used by the more secure <link
xlink:href="#remember-me-persistent-token">persistent token</link> remember-me
implementation. If you are using <classname>JdbcTokenRepositoryImpl</classname> either
directly or through the namespace, then you will need this table.
<programlisting xml:id="db-schema-remeber-me">
create table persistent_logins (
username varchar(64) not null,
series varchar(64) primary key,
token varchar(64) not null,
last_used timestamp not null);
</programlisting>
</para>
</programlisting></para>
</section>
<section>
<section xml:id="dbschema-acl">
<title>ACL Schema</title>
<para>
The tables used by the Spring Security <link xlink:href="#domain-acls">ACL</link> implementation.
<programlisting xml:id="dbschema-acl">
<para>There are four tables used by the Spring Security <link xlink:href="#domain-acls"
>ACL</link> implementation. <orderedlist>
<listitem>
<para><literal>acl_sid</literal> stores the security identities recognised by the ACL
system. These can be unique principals or authorities which may apply to multiple
principals.</para>
</listitem>
<listitem>
<para><literal>acl_class</literal> defines the domain object types to which ACLs apply.
The <literal>class</literal> column stores the Java class name of the object. </para>
</listitem>
<listitem>
<para><literal>acl_object_identity</literal> stores the object identity definitions of
specific domai objects.</para>
</listitem>
<listitem>
<para><literal>acl_entry</literal> stores the ACL permissions which apply to a specific
object identity and security identity.</para>
</listitem>
</orderedlist></para>
<para>It is assumed that the database will auto-generate the primary keys for each of the
identities. The <literal>JdbcMutableAclService</literal> has to be able to retrieve these when
it has created a new row in the <literal>acl_sid</literal> or <literal>acl_class</literal>
tables. It has two properties which define the SQL needed to retrieve these values
<literal>classIdentityQuery</literal> and <literal>sidIdentityQuery</literal>. Both of these
default to <literal>call identity()</literal></para>
<section>
<title>Hypersonic SQL</title>
<para>The default schema works with the embedded HSQLDB database that is used in unit tests
within the
framework.<programlisting xml:id="dbschema-acl-hsql">
create table acl_sid (
id bigint generated by default as identity(start with 100) not null primary key,
principal boolean not null,
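Review bot: typo "domai objects" in the acl_object_identity list item should read "domain objects". The sentence describing the identity queries also needs punctuation: a colon before the property names and a full stop at the end, e.g. "...the SQL needed to retrieve these values: <literal>classIdentityQuery</literal> and <literal>sidIdentityQuery</literal>. Both of these default to <literal>call identity()</literal>." Note too that `xml:id="dbschema-acl"` has moved from the programlisting to the enclosing section, so existing links to it will now land on the section heading rather than on the DDL; probably intended, but worth confirming.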
@ -112,12 +125,60 @@ create table acl_entry (
constraint foreign_fk_4 foreign key(acl_object_identity) references acl_object_identity(id),
constraint foreign_fk_5 foreign key(sid) references acl_sid(id) );
</programlisting>
</para>
</programlisting></para>
<section>
<title>PostgreSQL</title>
<para>
<programlisting>create table acl_sid(
id bigserial not null primary key,
principal boolean not null,
sid varchar(100) not null,
constraint unique_uk_1 unique(sid,principal));
create table acl_class(
id bigserial not null primary key,
class varchar(100) not null,
constraint unique_uk_2 unique(class));
create table acl_object_identity(
id bigserial primary key,
object_id_class bigint not null,
object_id_identity bigint not null,
parent_object bigint,
owner_sid bigint,
entries_inheriting boolean not null,
constraint unique_uk_3 unique(object_id_class,object_id_identity),
constraint foreign_fk_1 foreign key(parent_object)references acl_object_identity(id),
constraint foreign_fk_2 foreign key(object_id_class)references acl_class(id),
constraint foreign_fk_3 foreign key(owner_sid)references acl_sid(id));
create table acl_entry(
id bigserial primary key,
acl_object_identity bigint not null,
ace_order int not null,
sid bigint not null,
mask integer not null,
granting boolean not null,
audit_success boolean not null,
audit_failure boolean not null,
constraint unique_uk_4 unique(acl_object_identity,ace_order),
constraint foreign_fk_4 foreign key(acl_object_identity) references acl_object_identity(id),
constraint foreign_fk_5 foreign key(sid) references acl_sid(id));
</programlisting>
</para>
<para>You will have to set the <literal>classIdentityQuery</literal> and
<literal>sidIdentityQuery</literal> properties of
<classname>JdbcMutableAclService</classname> to the following values, respectively: <itemizedlist>
<listitem>
<para><literal>select currval(pg_get_serial_sequence('acl_class',
'id'))</literal></para>
</listitem>
<listitem>
<para><literal>select currval(pg_get_serial_sequence('acl_sid',
'id'))</literal></para>
</listitem>
</itemizedlist></para>
</section>
</section>
</section>
</appendix>
</appendix>
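Review bot: the new PostgreSQL `<section>` opens inside the Hypersonic SQL section rather than after it (the three consecutive `</section>` lines at the end of this hunk close PostgreSQL, Hypersonic SQL and ACL Schema in turn), so PostgreSQL will render as a subsection of Hypersonic SQL. Move one of those trailing `</section>` lines up to just before `<section><title>PostgreSQL</title>` so the two database sections are siblings. The `select currval(pg_get_serial_sequence(...))` queries are only correct when run on the same connection as the preceding insert, because `currval` is session-scoped in PostgreSQL; a sentence saying so would help readers running the ACL service behind a pool that hands out a different connection per statement.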


@ -1,70 +1,50 @@
<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="sample-apps">
<info>
<title xml:id="samples">Sample Applications</title>
</info>
<para>
There are several sample web applications that are available with the
project. To avoid an overly large download, only the "tutorial"
and "contacts" samples are included in the distribution zip file. You can
either build the others yourself, or you can obtain the war files
individually from the central Maven repository. We'd recommend the former.
You can get the source as described in <link xlink:href="#get-source">the introduction</link>
and it's easy to build the project using Maven. There is more information
on the project web site at
<link xlink:href="http://www.springframework.org/spring-security/">
http://www.springframework.org/spring-security/
</link> if you need it.
All paths referred to in this chapter are relative to the source directory, once
you have checked it out from subversion.
</para>
<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0" xml:id="sample-apps">
<info>
<title xml:id="samples">Sample Applications</title>
</info>
<para> There are several sample web applications that are available with the project. To avoid
an overly large download, only the "tutorial" and "contacts" samples are included in the
distribution zip file. You can either build the others yourself, or you can obtain the war
files individually from the central Maven repository. We'd recommend the former. You can get
the source as described in <link xlink:href="#get-source">the introduction</link> and it's
easy to build the project using Maven. There is more information on the project web site at
<link xlink:href="http://www.springframework.org/spring-security/">
http://www.springframework.org/spring-security/ </link> if you need it. All paths
referred to in this chapter are relative to the source directory, once you have checked it
out from subversion. </para>
<section xml:id="tutorial-sample">
<title>Tutorial Sample</title>
<para> The tutorial sample is a nice basic example to get you started. It uses
simple namespace configuration throughout. The compiled application is included in the
distribution zip file, ready to be deployed into your web container
(<filename>spring-security-samples-tutorial-2.0.x.war</filename>).
The <link xlink:href="#form">form-based</link>
authentication mechanism is used in combination with the commonly-used
<link xlink:href="#remember-me">remember-me</link>
authentication provider to automatically remember the login using
cookies.</para>
<para>We recommend you start with the tutorial sample, as the XML is
minimal and easy to follow. Most importantly, you can easily add
this one XML file (and its corresponding <literal>web.xml</literal> entries) to your existing
application. Only when this basic integration is achieved do we
suggest you attempt adding in method authorization or domain object
security.</para>
<title>Tutorial Sample</title>
<para> The tutorial sample is a nice basic example to get you started. It uses simple
namespace configuration throughout. The compiled application is included in the
distribution zip file, ready to be deployed into your web container
(<filename>spring-security-samples-tutorial-3.0.x.war</filename>). The <link
xlink:href="#form">form-based</link> authentication mechanism is used in combination
with the commonly-used <link xlink:href="#remember-me">remember-me</link> authentication
provider to automatically remember the login using cookies.</para>
<para>We recommend you start with the tutorial sample, as the XML is minimal and easy to
follow. Most importantly, you can easily add this one XML file (and its corresponding
<literal>web.xml</literal> entries) to your existing application. Only when this
basic integration is achieved do we suggest you attempt adding in method authorization
or domain object security.</para>
</section>
<section xml:id="contacts-sample">
<title>Contacts</title>
<para>
The Contacts Sample is quite an advanced example in that it
illustrates the more powerful features of domain object access control lists
in addition to basic application security.
</para>
<para>To deploy, simply copy the WAR file from Spring
Security distribution into your containers <literal>webapps</literal>
directory. The war should be called <filename>spring-security-samples-contacts-2.0.0.war</filename>
(the appended version number will vary depending on what release you are using).
</para>
<para>After starting your container, check the application can load.
Visit
<literal>http://localhost:8080/contacts</literal>
(or whichever URL is appropriate for your web container and the WAR
you deployed). </para>
<para>Next, click "Debug". You will be prompted to authenticate, and a
series of usernames and passwords are suggested on that page. Simply
authenticate with any of these and view the resulting page. It should
contain a success message similar to the following:
<literallayout>
<title>Contacts</title>
<para> The Contacts Sample is an advanced example in that it illustrates the more powerful
features of domain object access control lists (ACLs) in addition to basic application
security. The application provides an interface with which the users are able to
administer a simple database of contacts (the domain objects).</para>
<para>To deploy, simply copy the WAR file from Spring Security distribution into your
containers <literal>webapps</literal> directory. The war should be called
<filename>spring-security-samples-contacts-3.0.x.war</filename> (the appended
version number will vary depending on what release you are using). </para>
<para>After starting your container, check the application can load. Visit
<literal>http://localhost:8080/contacts</literal> (or whichever URL is appropriate
for your web container and the WAR you deployed). </para>
<para>Next, click "Debug". You will be prompted to authenticate, and a series of usernames
and passwords are suggested on that page. Simply authenticate with any of these and view
the resulting page. It should contain a success message similar to the following:
<literallayout>
Authentication object is of type: org.springframework.security.providers.UsernamePasswordAuthenticationToken
Authentication object as a String:
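Review bot: the tutorial war name is bumped to spring-security-samples-tutorial-3.0.x.war here (and the contacts war below it) while the book's `<releaseinfo>` in the third file of this commit stays at 2.0.x, so the version strings in the guide no longer agree; either update the releaseinfo in the same commit or keep the war names at 2.0.x until the rest of the guide moves. The Debug-page sample output that follows is unchanged context and was not regenerated, so it should be re-checked against a 3.0 build before the version bump ships.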
@ -83,21 +63,17 @@
ROLE_USER (getAuthority(): ROLE_USER)
SUCCESS! Your web filters appear to be properly configured!
</literallayout>
</para>
<para>Once you successfully receive the above message, return to the
sample application's home page and click "Manage". You can then try
out the application. Notice that only the contacts available to the
currently logged on user are displayed, and only users with
<literal>ROLE_SUPERVISOR</literal> are granted access to delete their
contacts. Behind the scenes, the
<classname>MethodSecurityInterceptor</classname> is securing the business
objects. </para>
<para>The application allows you to modify the access control lists associated
with different contacts. Be sure to give this a try and understand how
it works by reviewing the application context XML files.</para>
<!--
</literallayout></para>
<para>Once you successfully receive the above message, return to the sample application's
home page and click "Manage". You can then try out the application. Notice that only the
contacts available to the currently logged on user are displayed, and only users with
<literal>ROLE_SUPERVISOR</literal> are granted access to delete their contacts.
Behind the scenes, the <classname>MethodSecurityInterceptor</classname> is securing the
business objects. </para>
<para>The application allows you to modify the access control lists associated with
different contacts. Be sure to give this a try and understand how it works by reviewing
the application context XML files.</para>
<!--
TODO: Reintroduce standalone client example.
<para>The Contacts sample application also includes a
<literal>client</literal> directory. Inside you will find a small
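Review bot: this hunk is a pure reflow (the "Manage" and "access control lists" paragraphs are rewrapped with identical wording), which makes the real content changes in this file harder to spot in the diff; a whitespace-only reformat is better committed separately from text edits. If the text is touched anyway, "logged on user" reads better hyphenated as "logged-on user".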
@ -110,40 +86,32 @@
and the password to use. Note that you may need to edit
<literal>client.properties</literal> to use a different target
URL.</para>
-->
-->
</section>
<section xml:id="ldap-sample">
<title>LDAP Sample</title>
<para>
The LDAP sample application provides a basic configuration and sets up both a namespace configuration
and an equivalent configuration using traditional beans, both in the same application context file.
This means there are actually two identical authentication providers configured in this application.
</para>
<para> The LDAP sample application provides a basic configuration and sets up both a
namespace configuration and an equivalent configuration using traditional beans, both in
the same application context file. This means there are actually two identical
authentication providers configured in this application. </para>
</section>
<section xml:id="cas-sample">
<title>CAS Sample</title>
<para>
The CAS sample requires that you run both a CAS server and CAS client. It isn't included in the distribution so you should check out
the project code as described in <link xlink:href="get-source">the introduction</link>. You'll find the relevant files under the
<filename>sample/cas</filename> directory. There's also a <filename>Readme.txt</filename> file in there which explains how to run
both the server and the client directly from the source tree, complete with SSL support. You have to download the CAS Server web application
(a war file) from the CAS site and drop it into the <filename>samples/cas/server</filename> directory.
</para>
<para> The CAS sample requires that you run both a CAS server and CAS client. It isn't
included in the distribution so you should check out the project code as described in
<link xlink:href="get-source">the introduction</link>. You'll find the relevant
files under the <filename>sample/cas</filename> directory. There's also a
<filename>Readme.txt</filename> file in there which explains how to run both the
server and the client directly from the source tree, complete with SSL support. You have
to download the CAS Server web application (a war file) from the CAS site and drop it
into the <filename>samples/cas/server</filename> directory. </para>
</section>
<section xml:id="preauth-sample">
<title>Pre-Authentication Sample</title>
<para>
This sample application demonstrates how to wire up beans from the <link xlink:href="#preauth">pre-authentication</link>
framework to make use of login information from a J2EE container. The user name and roles are those setup by the container.
</para>
<para>
The code is in <filename>samples/preauth</filename> .
</para>
<para> This sample application demonstrates how to wire up beans from the <link
xlink:href="#preauth">pre-authentication</link> framework to make use of login
information from a J2EE container. The user name and roles are those setup by the
container. </para>
<para> The code is in <filename>samples/preauth</filename> . </para>
</section>
</chapter>
</chapter>
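Review bot: the CAS paragraph's `<link xlink:href="get-source">` is missing the leading `#` (compare `xlink:href="#get-source"` at the top of this chapter), and the reflow carried the broken href over unchanged; fix it to `#get-source`. In the same paragraph the directory is given first as <filename>sample/cas</filename> and then as <filename>samples/cas/server</filename>, so one of the two path spellings is wrong. Minor: "those setup by the container" should be "set up", and there is a stray space before the full stop in "<filename>samples/preauth</filename> ."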


@ -1,229 +1,150 @@
<?xml version="1.0" encoding="UTF-8"?>
<book version="5.0" xml:id="spring-security-reference-guide" xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude">
<info>
<title>Spring Security</title>
<subtitle>Reference Documentation</subtitle>
<author>
<personname>Ben Alex, Luke Taylor</personname>
</author>
<releaseinfo>2.0.x</releaseinfo>
</info>
xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude">
<info><title>Spring Security</title><subtitle>Reference Documentation</subtitle><author>
<personname>Ben Alex, Luke Taylor</personname>
</author>
<releaseinfo>2.0.x</releaseinfo>
</info>
<toc/>
<preface xml:id="preface">
<title>Preface</title>
<para>Spring Security provides a comprehensive security solution for
J2EE-based enterprise software applications. As you will discover as you
venture through this reference guide, we have tried to provide you a
useful and highly configurable security system.</para>
<para>Security is an ever-moving target, and it's important to pursue a
comprehensive, system-wide approach. In security circles we encourage you
to adopt "layers of security", so that each layer tries to be as secure as
possible in its own right, with successive layers providing additional
security. The "tighter" the security of each layer, the more robust and
safe your application will be. At the bottom level you'll need to deal
with issues such as transport security and system identification, in order
to mitigate man-in-the-middle attacks. Next you'll generally utilise
firewalls, perhaps with VPNs or IP security to ensure only authorised
systems can attempt to connect. In corporate environments you may deploy a
DMZ to separate public-facing servers from backend database and
application servers. Your operating system will also play a critical part,
addressing issues such as running processes as non-privileged users and
maximising file system security. An operating system will usually also be
configured with its own firewall. Hopefully somewhere along the way you'll
be trying to prevent denial of service and brute force attacks against the
system. An intrusion detection system will also be especially useful for
monitoring and responding to attacks, with such systems able to take
protective action such as blocking offending TCP/IP addresses in
real-time. Moving to the higher layers, your Java Virtual Machine will
hopefully be configured to minimize the permissions granted to different
Java types, and then your application will add its own problem
domain-specific security configuration. Spring Security makes this latter
area - application security - much easier.
</para>
<para>Of course, you will need to properly address all security layers
mentioned above, together with managerial factors that encompass every
layer. A non-exhaustive list of such managerial factors would include
security bulletin monitoring, patching, personnel vetting, audits, change
control, engineering management systems, data backup, disaster recovery,
performance benchmarking, load monitoring, centralised logging, incident
response procedures etc.</para>
<para>With Spring Security being focused on helping you with the
enterprise application security layer, you will find that there are as
many different requirements as there are business problem domains. A
banking application has different needs from an ecommerce application. An
ecommerce application has different needs from a corporate sales force
automation tool. These custom requirements make application security
interesting, challenging and rewarding.
</para>
<para>Please read <xref linkend="getting-started"/>, in
its entirety to begin with. This will introduce you to the framework and the namespace-based
configuration system with which you can get up and running quite quickly. To get more of an understanding
of an in-depth understaning of how Spring Security works, and some of the classes you might
need to use, you should then read <xref linkend="overall-architecture"/>.
The remaining parts of this guide are structured in a more traditional reference style,
designed to be read on an as-required basis. We'd also recommend that you read up as much as
possible on application security issues in general. Spring Security is not a panacea which will
solve all security issues. It is important that the application is designed with security in
mind from the start. Attempting to retrofit it is not a good idea.
In particular, if you are building a web application, you should be aware of the many potential
vulnerabilities such as cross-site scripting, request-forgery and session-hijacking which you should
be taking into account from the start. The OWASP web site (http://www.owasp.org/) maintains a
top ten list of web application vulnerabilities as well as a lot of useful reference information.
</para>
<para>We hope that you find this reference guide useful, and we welcome
your feedback and <link xlink:href="#jira">suggestions</link>.
</para>
<para>Finally, welcome to the Spring Security <link xlink:href="#community" >community</link>.
<para>Spring Security provides a comprehensive security solution for J2EE-based enterprise
software applications. As you will discover as you venture through this reference guide, we
have tried to provide you a useful and highly configurable security system.</para>
<para>Security is an ever-moving target, and it's important to pursue a comprehensive,
system-wide approach. In security circles we encourage you to adopt "layers of security", so
that each layer tries to be as secure as possible in its own right, with successive layers
providing additional security. The "tighter" the security of each layer, the more robust and
safe your application will be. At the bottom level you'll need to deal with issues such as
transport security and system identification, in order to mitigate man-in-the-middle attacks.
Next you'll generally utilise firewalls, perhaps with VPNs or IP security to ensure only
authorised systems can attempt to connect. In corporate environments you may deploy a DMZ to
separate public-facing servers from backend database and application servers. Your operating
system will also play a critical part, addressing issues such as running processes as
non-privileged users and maximising file system security. An operating system will usually
also be configured with its own firewall. Hopefully somewhere along the way you'll be trying
to prevent denial of service and brute force attacks against the system. An intrusion
detection system will also be especially useful for monitoring and responding to attacks, with
such systems able to take protective action such as blocking offending TCP/IP addresses in
real-time. Moving to the higher layers, your Java Virtual Machine will hopefully be configured
to minimize the permissions granted to different Java types, and then your application will
add its own problem domain-specific security configuration. Spring Security makes this latter
area - application security - much easier. </para>
<para>Of course, you will need to properly address all security layers mentioned above, together
with managerial factors that encompass every layer. A non-exhaustive list of such managerial
factors would include security bulletin monitoring, patching, personnel vetting, audits,
change control, engineering management systems, data backup, disaster recovery, performance
benchmarking, load monitoring, centralised logging, incident response procedures etc.</para>
<para>With Spring Security being focused on helping you with the enterprise application security
layer, you will find that there are as many different requirements as there are business
problem domains. A banking application has different needs from an ecommerce application. An
ecommerce application has different needs from a corporate sales force automation tool. These
custom requirements make application security interesting, challenging and rewarding. </para>
<para>Please read <xref linkend="getting-started"/>, in its entirety to begin with. This will
introduce you to the framework and the namespace-based configuration system with which you can
get up and running quite quickly. To get more of an understanding of an in-depth understaning
of how Spring Security works, and some of the classes you might need to use, you should then
read <xref linkend="overall-architecture"/>. The remaining parts of this guide are structured
in a more traditional reference style, designed to be read on an as-required basis. We'd also
recommend that you read up as much as possible on application security issues in general.
Spring Security is not a panacea which will solve all security issues. It is important that
the application is designed with security in mind from the start. Attempting to retrofit it is
not a good idea. In particular, if you are building a web application, you should be aware of
the many potential vulnerabilities such as cross-site scripting, request-forgery and
session-hijacking which you should be taking into account from the start. The OWASP web site
(http://www.owasp.org/) maintains a top ten list of web application vulnerabilities as well as
a lot of useful reference information. </para>
<para>We hope that you find this reference guide useful, and we welcome your feedback and <link
xlink:href="#jira">suggestions</link>. </para>
<para>Finally, welcome to the Spring Security <link xlink:href="#community">community</link>.
</para>
</preface>
<part xml:id="getting-started">
<title>Getting Started</title>
<partintro>
<para>The later parts of this guide provide an in-depth discussion of the
framework architecture and implementation classes, an understanding of which is important
if you need to do any serious customization. In this part, we'll introduce Spring Security 2.0,
give a brief overview of the project's history and take a slightly
gentler look at how to get started using the framework.
In particular, we'll look at namespace configuration which provides a much simpler way of securing
your application compared to the traditional Spring bean approach where you had to wire up all the
implementation classes individually.
</para>
<para>
We'll also take a look at the sample applications that are available. It's worth trying to run
these and experimenting with them a bit even before you read the later sections - you can dip back into them
as your understanding of the framework increases.
</para>
<para>The later parts of this guide provide an in-depth discussion of the framework
architecture and implementation classes, an understanding of which is important if you need
to do any serious customization. In this part, we'll introduce Spring Security 2.0, give a
brief overview of the project's history and take a slightly gentler look at how to get
started using the framework. In particular, we'll look at namespace configuration which
provides a much simpler way of securing your application compared to the traditional Spring
bean approach where you had to wire up all the implementation classes individually. </para>
<para> We'll also take a look at the sample applications that are available. It's worth trying
to run these and experimenting with them a bit even before you read the later sections - you
can dip back into them as your understanding of the framework increases. </para>
</partintro>
<xi:include href="introduction.xml" />
<xi:include href="namespace-config.xml" />
<xi:include href="introduction.xml"/>
<xi:include href="namespace-config.xml"/>
<xi:include href="samples.xml"/>
<xi:include href="community.xml"/>
<xi:include href="community.xml"/>
</part>
<part xml:id="overall-architecture">
<title>Overall Architecture</title>
<partintro>
<para>Like most software, Spring Security has certain central
interfaces, classes and conceptual abstractions that are commonly used
throughout the framework. In this part of the reference guide we will
introduce Spring Security, before examining these central elements that
are necessary to successfully planning and executing a Spring Security
integration.</para>
<para>Like most software, Spring Security has certain central interfaces, classes and
conceptual abstractions that are commonly used throughout the framework. In this part of the
reference guide we will introduce Spring Security, before examining these central elements
that are necessary to successfully planning and executing a Spring Security
integration.</para>
</partintro>
<xi:include href="technical-overview.xml" />
<xi:include href="supporting-infrastructure.xml" />
<xi:include href="channel-security.xml" />
<xi:include href="technical-overview.xml"/>
<xi:include href="supporting-infrastructure.xml"/>
<xi:include href="channel-security.xml"/>
</part>
<part xml:id="authentication">
<title>Authentication</title>
<partintro>
<para>We've already introduced Spring Security's authentication architecture
in the <link xlink:href="#technical-overview">Technical Overview</link> chapter.
In this part of the reference guide we will examine individual
authentication mechanisms and their corresponding
<classname>AuthenticationProvider</classname>s. We'll also look at how to
configure authentication more generally, including if you have several
authentication approaches that need to be chained together.</para>
<para>
With some exceptions, we will be discussing the full details of Spring Security
bean configuration rather than the shorthand
<link xlink:href="#ns-config">namespace syntax</link>. You should review
the introduction to using namespace configuration and the options it provides
to see if they will meet your needs. As you come to use the framework more,
and need to customize the internal behaviour, you will probably want to understand
more about how the individual services are implemented, which classes to look at
extending and so on. This part is more targeted at providing this kind of information.
We'd recommend that you supplement the content by browsing the Javadoc and the source
itself <footnote><para>Links to both Javadoc APIs and browsable source cross-reference
are available from the project web site.</para></footnote>.
</para>
<para>We've already introduced Spring Security's authentication architecture in the <link
xlink:href="#technical-overview">Technical Overview</link> chapter. In this part of the
reference guide we will examine individual authentication mechanisms and their corresponding
<classname>AuthenticationProvider</classname>s. We'll also look at how to configure
authentication more generally, including if you have several authentication approaches that
need to be chained together.</para>
<para> With some exceptions, we will be discussing the full details of Spring Security bean
configuration rather than the shorthand <link xlink:href="#ns-config">namespace
syntax</link>. You should review the introduction to using namespace configuration and the
options it provides to see if they will meet your needs. As you come to use the framework
more, and need to customize the internal behaviour, you will probably want to understand
more about how the individual services are implemented, which classes to look at extending
and so on. This part is more targeted at providing this kind of information. We'd recommend
that you supplement the content by browsing the Javadoc and the source itself <footnote>
<para>Links to both Javadoc APIs and browsable source cross-reference are available from
the project web site.</para>
</footnote>. </para>
</partintro>
<xi:include href="common-auth-services.xml" />
<xi:include href="dao-auth-provider.xml" />
<xi:include href="common-auth-services.xml"/>
<xi:include href="dao-auth-provider.xml"/>
<xi:include href="ldap-auth-provider.xml"/>
<xi:include href="form-authentication.xml" />
<xi:include href="basic-authentication.xml" />
<xi:include href="digest-authentication.xml" />
<xi:include href="remember-me-authentication.xml" />
<xi:include href="jaas-auth-provider.xml" />
<xi:include href="preauth.xml" />
<xi:include href="anon-auth-provider.xml" />
<xi:include href="form-authentication.xml"/>
<xi:include href="basic-authentication.xml"/>
<xi:include href="digest-authentication.xml"/>
<xi:include href="remember-me-authentication.xml"/>
<xi:include href="jaas-auth-provider.xml"/>
<xi:include href="preauth.xml"/>
<xi:include href="anon-auth-provider.xml"/>
<xi:include href="x509-auth-provider.xml"/>
<xi:include href="cas-auth-provider.xml"/>
<xi:include href="runas-auth-provider.xml" />
<xi:include href="runas-auth-provider.xml"/>
</part>
<part xml:id="authorization">
<title>Authorization</title>
<partintro>
<para>The advanced authorization capabilities within Spring Security
represent one of the most compelling reasons for its popularity.
Irrespective of how you choose to authenticate - whether using a Spring
Security-provided mechanism and provider, or integrating with a
container or other non-Spring Security authentication authority - you
will find the authorization services can be used within your application
in a consistent and simple way.</para>
<para>The advanced authorization capabilities within Spring Security represent one of the most
compelling reasons for its popularity. Irrespective of how you choose to authenticate -
whether using a Spring Security-provided mechanism and provider, or integrating with a
container or other non-Spring Security authentication authority - you will find the
authorization services can be used within your application in a consistent and simple
way.</para>
<para>In this part we'll explore the different
<classname>AbstractSecurityInterceptor</classname> implementations, which
were introduced in Part I. We then move on to explore how to fine-tune
authorization through use of domain access control lists.</para>
<classname>AbstractSecurityInterceptor</classname> implementations, which were introduced
in Part I. We then move on to explore how to fine-tune authorization through use of domain
access control lists.</para>
</partintro>
<xi:include href="authorization-common.xml"/>
<xi:include href="authorization-common.xml"/>
<xi:include href="secured-objects.xml"/>
<xi:include href="domain-acls.xml"/>
</part>
<xi:include href="appendix-db-schema.xml"/>
<xi:include href="appendix-namespace.xml"/>
</book>
</book>
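Review bot: the Authorization part intro carries a stale cross-reference that this reflow preserves: "`<classname>AbstractSecurityInterceptor</classname> implementations, which were introduced in Part I`". The first part in this file only includes introduction.xml, namespace-config.xml, samples.xml and community.xml; technical-overview.xml, where the interceptor is covered, is included under the part with xml:id="overall-architecture", which is the second part. Since the paragraph is being rewrapped anyway, replace "Part I" with an explicit link, as the Authentication intro already does with `<link xlink:href="#technical-overview">Technical Overview</link>`, so the reference survives any further reordering of parts. Two smaller points in the same hunk: the sentence "necessary to successfully planning and executing a Spring Security integration" is ungrammatical in both the old and reflowed versions (use "necessary for successfully planning and executing"), and `AuthenticationProvider` is an interface in Spring Security, so `<interfacename>AuthenticationProvider</interfacename>` is the correct DocBook markup rather than `<classname>`. Finally, everything in this hunk is whitespace churn (`<xi:include href="introduction.xml" />` to `<xi:include href="introduction.xml"/>`, paragraph rewrapping) with no relation to the commit message's contacts-sample, ACL schema or Postgres changes; committing editor reformatting separately would keep the substantive diff reviewable.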