Updated contacts sample info and added information on ACL database schema and using it with Postgres.

This commit is contained in:
Luke Taylor 2009-05-06 14:34:27 +00:00
parent c6dfee69d4
commit 0d1ebfa85a
3 changed files with 295 additions and 345 deletions

View File

@ -1,27 +1,20 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<appendix version="5.0" xml:id="appendix-schema" xmlns="http://docbook.org/ns/docbook" <appendix version="5.0" xml:id="appendix-schema" xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude">
xmlns:xi="http://www.w3.org/2001/XInclude">
<info> <info>
<title>Security Database Schema</title> <title>Security Database Schema</title>
</info> </info>
<para> <para> There are various database schema used by the framework and this appendix provides a single
There are various database schema used by the framework and this appendix reference point to them all. You only need to provide the tables for the areas of functonality
provides a single reference point to them all. You only need to you require. </para>
provide the tables for the areas of functonality you require. <para> DDL statements are given for the HSQLDB database. You can use these as a guideline for
</para> defining the schema for the database you are using. </para>
<para>
DDL statements are given for the HSQLDB database. You can use these as a guideline for defining the
schema for the database you are using.
</para>
<section> <section>
<title>User Schema</title> <title>User Schema</title>
<para> <para> The standard JDBC implementation of the <interfacename>UserDetailsService</interfacename>
The standard JDBC implementation of the <interfacename>UserDetailsService</interfacename> requires tables requires tables to load the password, account status (enabled or disabled) and a list of
to load the password, account status (enabled or disabled) and a list of authorities (roles) for the user. authorities (roles) for the user.
<programlisting xml:id="db_schema_users_authorities"> <programlisting xml:id="db_schema_users_authorities">
create table users( create table users(
username varchar_ignorecase(50) not null primary key, username varchar_ignorecase(50) not null primary key,
password varchar_ignorecase(50) not null, password varchar_ignorecase(50) not null,
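Review bot: the typo "functonality" in the reflowed opening paragraph of the appendix was carried across from the old text instead of being fixed while the paragraph was rewritten; change it to "functionality". On the `users` listing, `password varchar_ignorecase(50) not null` is a width worth revisiting at the same time: 50 characters holds a plaintext or MD5-hex value but not a SHA-256 hex digest (64 characters), let alone a salted or prefixed encoding, so installations that store hashed passwords will see inserts rejected or silently truncated depending on the database. Either widen the column or add a sentence saying the width must match the chosen encoding; a stored credential also gains nothing from `_ignorecase` collation, so plain `varchar` is the safer choice for that column.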
@ -32,13 +25,10 @@
authority varchar_ignorecase(50) not null, authority varchar_ignorecase(50) not null,
constraint fk_authorities_users foreign key(username) references users(username)); constraint fk_authorities_users foreign key(username) references users(username));
create unique index ix_auth_username on authorities (username,authority);; create unique index ix_auth_username on authorities (username,authority);;
</programlisting> </programlisting></para>
</para>
<section> <section>
<title>Group Authorities</title> <title>Group Authorities</title>
<para> <para> Spring Security 2.0 introduced support for group authorities
Spring Security 2.0 introduced support for group authorities
<programlisting xml:id="db-schema-groups"> <programlisting xml:id="db-schema-groups">
create table groups ( create table groups (
id bigint generated by default as identity(start with 0) primary key, id bigint generated by default as identity(start with 0) primary key,
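Review bot: the stray double semicolon at the end of `create unique index ix_auth_username on authorities (username,authority);;` survives unchanged in the new version of the listing; readers paste these DDL blocks verbatim, so drop the extra `;`. The "Group Authorities" lead sentence, "Spring Security 2.0 introduced support for group authorities", also runs straight into the `<programlisting>` with no terminating punctuation and does not say what the group tables hold; a short clause such as "The following tables store the groups, the authorities granted to each group, and the users who belong to each group:" would make the listing self-explanatory.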
@ -54,33 +44,56 @@ create table group_members (
username varchar(50) not null, username varchar(50) not null,
group_id bigint not null, group_id bigint not null,
constraint fk_group_members_group foreign key(group_id) references groups(id)); constraint fk_group_members_group foreign key(group_id) references groups(id));
</programlisting> </programlisting></para>
</para>
</section> </section>
</section> </section>
<section> <section>
<title>Persistent Login (Remember-Me) Schema</title> <title>Persistent Login (Remember-Me) Schema</title>
<para> <para> This table is used to store data used by the more secure <link
This table is used to store data used by the more secure xlink:href="#remember-me-persistent-token">persistent token</link> remember-me
<link xlink:href="#remember-me-persistent-token">persistent token</link> remember-me implementation. implementation. If you are using <classname>JdbcTokenRepositoryImpl</classname> either
If you are using <classname>JdbcTokenRepositoryImpl</classname> either directly or through the namespace, directly or through the namespace, then you will need this table.
then you will need this table. <programlisting xml:id="db-schema-remeber-me">
<programlisting xml:id="db-schema-remeber-me">
create table persistent_logins ( create table persistent_logins (
username varchar(64) not null, username varchar(64) not null,
series varchar(64) primary key, series varchar(64) primary key,
token varchar(64) not null, token varchar(64) not null,
last_used timestamp not null); last_used timestamp not null);
</programlisting> </programlisting></para>
</para>
</section> </section>
<section xml:id="dbschema-acl">
<section>
<title>ACL Schema</title> <title>ACL Schema</title>
<para> <para>There are four tables used by the Spring Security <link xlink:href="#domain-acls"
The tables used by the Spring Security <link xlink:href="#domain-acls">ACL</link> implementation. >ACL</link> implementation. <orderedlist>
<programlisting xml:id="dbschema-acl"> <listitem>
<para><literal>acl_sid</literal> stores the security identities recognised by the ACL
system. These can be unique principals or authorities which may apply to multiple
principals.</para>
</listitem>
<listitem>
<para><literal>acl_class</literal> defines the domain object types to which ACLs apply.
The <literal>class</literal> column stores the Java class name of the object. </para>
</listitem>
<listitem>
<para><literal>acl_object_identity</literal> stores the object identity definitions of
specific domai objects.</para>
</listitem>
<listitem>
<para><literal>acl_entry</literal> stores the ACL permissions which apply to a specific
object identity and security identity.</para>
</listitem>
</orderedlist></para>
<para>It is assumed that the database will auto-generate the primary keys for each of the
identities. The <literal>JdbcMutableAclService</literal> has to be able to retrieve these when
it has created a new row in the <literal>acl_sid</literal> or <literal>acl_class</literal>
tables. It has two properties which define the SQL needed to retrieve these values
<literal>classIdentityQuery</literal> and <literal>sidIdentityQuery</literal>. Both of these
default to <literal>call identity()</literal></para>
<section>
<title>Hypersonic SQL</title>
<para>The default schema works with the embedded HSQLDB database that is used in unit tests
within the
framework.<programlisting xml:id="dbschema-acl-hsql">
create table acl_sid ( create table acl_sid (
id bigint generated by default as identity(start with 100) not null primary key, id bigint generated by default as identity(start with 100) not null primary key,
principal boolean not null, principal boolean not null,
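Review bot: the new ACL prose has a few typos and punctuation slips to fix before merge: "specific domai objects" in the `acl_object_identity` list item should read "domain objects"; the sentence "It has two properties which define the SQL needed to retrieve these values `classIdentityQuery` and `sidIdentityQuery`" needs a colon or comma before the property names; and "Both of these default to `call identity()`" has no terminating full stop. Note also that `xml:id="dbschema-acl"`, previously on the HSQL `<programlisting>`, now sits on the enclosing `<section>` while the listing is renamed `dbschema-acl-hsql`, so any existing `<link xlink:href="#dbschema-acl">` now lands on the section heading rather than the DDL; fine if intended, but worth a grep of the other chapters. The mis-spelled `xml:id="db-schema-remeber-me"` on the remember-me listing is carried over too; if it is corrected, every reference to it must be updated in the same commit.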
@ -112,12 +125,60 @@ create table acl_entry (
constraint foreign_fk_4 foreign key(acl_object_identity) references acl_object_identity(id), constraint foreign_fk_4 foreign key(acl_object_identity) references acl_object_identity(id),
constraint foreign_fk_5 foreign key(sid) references acl_sid(id) ); constraint foreign_fk_5 foreign key(sid) references acl_sid(id) );
</programlisting> </programlisting></para>
<section>
<title>PostgreSQL</title>
</para> <para>
<programlisting>create table acl_sid(
id bigserial not null primary key,
principal boolean not null,
sid varchar(100) not null,
constraint unique_uk_1 unique(sid,principal));
create table acl_class(
id bigserial not null primary key,
class varchar(100) not null,
constraint unique_uk_2 unique(class));
create table acl_object_identity(
id bigserial primary key,
object_id_class bigint not null,
object_id_identity bigint not null,
parent_object bigint,
owner_sid bigint,
entries_inheriting boolean not null,
constraint unique_uk_3 unique(object_id_class,object_id_identity),
constraint foreign_fk_1 foreign key(parent_object)references acl_object_identity(id),
constraint foreign_fk_2 foreign key(object_id_class)references acl_class(id),
constraint foreign_fk_3 foreign key(owner_sid)references acl_sid(id));
create table acl_entry(
id bigserial primary key,
acl_object_identity bigint not null,
ace_order int not null,
sid bigint not null,
mask integer not null,
granting boolean not null,
audit_success boolean not null,
audit_failure boolean not null,
constraint unique_uk_4 unique(acl_object_identity,ace_order),
constraint foreign_fk_4 foreign key(acl_object_identity) references acl_object_identity(id),
constraint foreign_fk_5 foreign key(sid) references acl_sid(id));
</programlisting>
</para>
<para>You will have to set the <literal>classIdentityQuery</literal> and
<literal>sidIdentityQuery</literal> properties of
<classname>JdbcMutableAclService</classname> to the following values, respectively: <itemizedlist>
<listitem>
<para><literal>select currval(pg_get_serial_sequence('acl_class',
'id'))</literal></para>
</listitem>
<listitem>
<para><literal>select currval(pg_get_serial_sequence('acl_sid',
'id'))</literal></para>
</listitem>
</itemizedlist></para>
</section>
</section>
</section> </section>
</appendix>
</appendix>
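Review bot: the new PostgreSQL `<section>` is opened right after the Hypersonic SQL listing's `</programlisting></para>` but before that section's `</section>`, so it nests inside "Hypersonic SQL" as a subsection instead of sitting beside it under "ACL Schema"; close the Hypersonic SQL section with a `</section>` immediately after its listing and drop one of the three consecutive `</section>` lines at the end of the appendix. The PostgreSQL `<programlisting>` also lacks an `xml:id`, unlike its HSQL counterpart `dbschema-acl-hsql`; a name along the lines of `dbschema-acl-postgres` (a suggestion, not an id from the page) keeps it linkable. One caveat belongs next to the `classIdentityQuery`/`sidIdentityQuery` values: `currval(pg_get_serial_sequence(...))` is per-session in PostgreSQL and is only defined after `nextval` has run on the same connection, so the insert and the identity query must execute on the same connection (for example inside one transaction); with a connection pool and no surrounding transaction the query can fail with "currval of sequence ... is not yet defined in this session", and the service will not be able to finish creating the new `acl_sid` or `acl_class` row.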

View File

@ -1,70 +1,50 @@
<chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="sample-apps"> <chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0" xml:id="sample-apps">
<info> <info>
<title xml:id="samples">Sample Applications</title> <title xml:id="samples">Sample Applications</title>
</info> </info>
<para> <para> There are several sample web applications that are available with the project. To avoid
There are several sample web applications that are available with the an overly large download, only the "tutorial" and "contacts" samples are included in the
project. To avoid an overly large download, only the "tutorial" distribution zip file. You can either build the others yourself, or you can obtain the war
and "contacts" samples are included in the distribution zip file. You can files individually from the central Maven repository. We'd recommend the former. You can get
either build the others yourself, or you can obtain the war files the source as described in <link xlink:href="#get-source">the introduction</link> and it's
individually from the central Maven repository. We'd recommend the former. easy to build the project using Maven. There is more information on the project web site at
You can get the source as described in <link xlink:href="#get-source">the introduction</link> <link xlink:href="http://www.springframework.org/spring-security/">
and it's easy to build the project using Maven. There is more information http://www.springframework.org/spring-security/ </link> if you need it. All paths
on the project web site at referred to in this chapter are relative to the source directory, once you have checked it
<link xlink:href="http://www.springframework.org/spring-security/"> out from subversion. </para>
http://www.springframework.org/spring-security/
</link> if you need it.
All paths referred to in this chapter are relative to the source directory, once
you have checked it out from subversion.
</para>
<section xml:id="tutorial-sample"> <section xml:id="tutorial-sample">
<title>Tutorial Sample</title> <title>Tutorial Sample</title>
<para> The tutorial sample is a nice basic example to get you started. It uses simple
<para> The tutorial sample is a nice basic example to get you started. It uses namespace configuration throughout. The compiled application is included in the
simple namespace configuration throughout. The compiled application is included in the distribution zip file, ready to be deployed into your web container
distribution zip file, ready to be deployed into your web container (<filename>spring-security-samples-tutorial-3.0.x.war</filename>). The <link
(<filename>spring-security-samples-tutorial-2.0.x.war</filename>). xlink:href="#form">form-based</link> authentication mechanism is used in combination
The <link xlink:href="#form">form-based</link> with the commonly-used <link xlink:href="#remember-me">remember-me</link> authentication
authentication mechanism is used in combination with the commonly-used provider to automatically remember the login using cookies.</para>
<link xlink:href="#remember-me">remember-me</link> <para>We recommend you start with the tutorial sample, as the XML is minimal and easy to
authentication provider to automatically remember the login using follow. Most importantly, you can easily add this one XML file (and its corresponding
cookies.</para> <literal>web.xml</literal> entries) to your existing application. Only when this
basic integration is achieved do we suggest you attempt adding in method authorization
<para>We recommend you start with the tutorial sample, as the XML is or domain object security.</para>
minimal and easy to follow. Most importantly, you can easily add
this one XML file (and its corresponding <literal>web.xml</literal> entries) to your existing
application. Only when this basic integration is achieved do we
suggest you attempt adding in method authorization or domain object
security.</para>
</section> </section>
<section xml:id="contacts-sample"> <section xml:id="contacts-sample">
<title>Contacts</title> <title>Contacts</title>
<para> The Contacts Sample is an advanced example in that it illustrates the more powerful
<para> features of domain object access control lists (ACLs) in addition to basic application
The Contacts Sample is quite an advanced example in that it security. The application provides an interface with which the users are able to
illustrates the more powerful features of domain object access control lists administer a simple database of contacts (the domain objects).</para>
in addition to basic application security. <para>To deploy, simply copy the WAR file from Spring Security distribution into your
</para> containers <literal>webapps</literal> directory. The war should be called
<filename>spring-security-samples-contacts-3.0.x.war</filename> (the appended
<para>To deploy, simply copy the WAR file from Spring version number will vary depending on what release you are using). </para>
Security distribution into your containers <literal>webapps</literal> <para>After starting your container, check the application can load. Visit
directory. The war should be called <filename>spring-security-samples-contacts-2.0.0.war</filename> <literal>http://localhost:8080/contacts</literal> (or whichever URL is appropriate
(the appended version number will vary depending on what release you are using). for your web container and the WAR you deployed). </para>
</para> <para>Next, click "Debug". You will be prompted to authenticate, and a series of usernames
and passwords are suggested on that page. Simply authenticate with any of these and view
<para>After starting your container, check the application can load. the resulting page. It should contain a success message similar to the following:
Visit <literallayout>
<literal>http://localhost:8080/contacts</literal>
(or whichever URL is appropriate for your web container and the WAR
you deployed). </para>
<para>Next, click "Debug". You will be prompted to authenticate, and a
series of usernames and passwords are suggested on that page. Simply
authenticate with any of these and view the resulting page. It should
contain a success message similar to the following:
<literallayout>
Authentication object is of type: org.springframework.security.providers.UsernamePasswordAuthenticationToken Authentication object is of type: org.springframework.security.providers.UsernamePasswordAuthenticationToken
Authentication object as a String: Authentication object as a String:
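Review bot: the sample WAR names are bumped here to `spring-security-samples-tutorial-3.0.x.war` and `spring-security-samples-contacts-3.0.x.war`, but `<releaseinfo>2.0.x</releaseinfo>` in the book root document and the sentence "we'll introduce Spring Security 2.0" in the Getting Started partintro are left as they were in this same commit, so the guide now describes two different versions of itself; either bump those too or keep the WAR names at the released version. Minor: "your containers `webapps` directory" needs the possessive "container's".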
@ -83,21 +63,17 @@
ROLE_USER (getAuthority(): ROLE_USER) ROLE_USER (getAuthority(): ROLE_USER)
SUCCESS! Your web filters appear to be properly configured! SUCCESS! Your web filters appear to be properly configured!
</literallayout> </literallayout></para>
</para> <para>Once you successfully receive the above message, return to the sample application's
home page and click "Manage". You can then try out the application. Notice that only the
<para>Once you successfully receive the above message, return to the contacts available to the currently logged on user are displayed, and only users with
sample application's home page and click "Manage". You can then try <literal>ROLE_SUPERVISOR</literal> are granted access to delete their contacts.
out the application. Notice that only the contacts available to the Behind the scenes, the <classname>MethodSecurityInterceptor</classname> is securing the
currently logged on user are displayed, and only users with business objects. </para>
<literal>ROLE_SUPERVISOR</literal> are granted access to delete their <para>The application allows you to modify the access control lists associated with
contacts. Behind the scenes, the different contacts. Be sure to give this a try and understand how it works by reviewing
<classname>MethodSecurityInterceptor</classname> is securing the business the application context XML files.</para>
objects. </para> <!--
<para>The application allows you to modify the access control lists associated
with different contacts. Be sure to give this a try and understand how
it works by reviewing the application context XML files.</para>
<!--
TODO: Reintroduce standalone client example. TODO: Reintroduce standalone client example.
<para>The Contacts sample application also includes a <para>The Contacts sample application also includes a
<literal>client</literal> directory. Inside you will find a small <literal>client</literal> directory. Inside you will find a small
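Review bot: the "Debug" page output reproduced in this `<literallayout>` (the lines ending in "SUCCESS! Your web filters appear to be properly configured!") names `org.springframework.security.providers.UsernamePasswordAuthenticationToken` as the authentication class; since the contacts WAR is now called `spring-security-samples-contacts-3.0.x.war` elsewhere in this commit, the Debug page should be re-run against that build and the fresh output pasted in, so that the class name and authority listing match what readers will actually see. Keeping the standalone client paragraph inside `<!-- TODO: Reintroduce standalone client example. -->` is fine, but the TODO should carry an owner or tracker reference so it is not forgotten.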
@ -110,40 +86,32 @@
and the password to use. Note that you may need to edit and the password to use. Note that you may need to edit
<literal>client.properties</literal> to use a different target <literal>client.properties</literal> to use a different target
URL.</para> URL.</para>
--> -->
</section> </section>
<section xml:id="ldap-sample"> <section xml:id="ldap-sample">
<title>LDAP Sample</title> <title>LDAP Sample</title>
<para> <para> The LDAP sample application provides a basic configuration and sets up both a
The LDAP sample application provides a basic configuration and sets up both a namespace configuration namespace configuration and an equivalent configuration using traditional beans, both in
and an equivalent configuration using traditional beans, both in the same application context file. the same application context file. This means there are actually two identical
This means there are actually two identical authentication providers configured in this application. authentication providers configured in this application. </para>
</para>
</section> </section>
<section xml:id="cas-sample"> <section xml:id="cas-sample">
<title>CAS Sample</title> <title>CAS Sample</title>
<para> <para> The CAS sample requires that you run both a CAS server and CAS client. It isn't
The CAS sample requires that you run both a CAS server and CAS client. It isn't included in the distribution so you should check out included in the distribution so you should check out the project code as described in
the project code as described in <link xlink:href="get-source">the introduction</link>. You'll find the relevant files under the <link xlink:href="get-source">the introduction</link>. You'll find the relevant
<filename>sample/cas</filename> directory. There's also a <filename>Readme.txt</filename> file in there which explains how to run files under the <filename>sample/cas</filename> directory. There's also a
both the server and the client directly from the source tree, complete with SSL support. You have to download the CAS Server web application <filename>Readme.txt</filename> file in there which explains how to run both the
(a war file) from the CAS site and drop it into the <filename>samples/cas/server</filename> directory. server and the client directly from the source tree, complete with SSL support. You have
</para> to download the CAS Server web application (a war file) from the CAS site and drop it
into the <filename>samples/cas/server</filename> directory. </para>
</section> </section>
<section xml:id="preauth-sample"> <section xml:id="preauth-sample">
<title>Pre-Authentication Sample</title> <title>Pre-Authentication Sample</title>
<para> <para> This sample application demonstrates how to wire up beans from the <link
This sample application demonstrates how to wire up beans from the <link xlink:href="#preauth">pre-authentication</link> xlink:href="#preauth">pre-authentication</link> framework to make use of login
framework to make use of login information from a J2EE container. The user name and roles are those setup by the container. information from a J2EE container. The user name and roles are those setup by the
</para> container. </para>
<para> <para> The code is in <filename>samples/preauth</filename> . </para>
The code is in <filename>samples/preauth</filename> .
</para>
</section> </section>
</chapter>
</chapter>
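Review bot: `<link xlink:href="get-source">` in the CAS Sample paragraph is missing the leading `#`, unlike the `#get-source` reference used at the top of this chapter, so it is emitted as a relative URL to a file called get-source rather than as a cross-reference to the introduction. The same hunk refers to `<filename>sample/cas</filename>` in one sentence and `samples/cas/server` in the next, and the Pre-Authentication section uses `samples/preauth`, so the first should presumably be `samples/cas`. In the pre-authentication paragraph, "roles are those setup by the container" should read "set up".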

View File

@ -1,229 +1,150 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<book version="5.0" xml:id="spring-security-reference-guide" xmlns="http://docbook.org/ns/docbook" <book version="5.0" xml:id="spring-security-reference-guide" xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude">
xmlns:xi="http://www.w3.org/2001/XInclude"> <info><title>Spring Security</title><subtitle>Reference Documentation</subtitle><author>
<personname>Ben Alex, Luke Taylor</personname>
<info> </author>
<title>Spring Security</title> <releaseinfo>2.0.x</releaseinfo>
</info>
<subtitle>Reference Documentation</subtitle>
<author>
<personname>Ben Alex, Luke Taylor</personname>
</author>
<releaseinfo>2.0.x</releaseinfo>
</info>
<toc/> <toc/>
<preface xml:id="preface"> <preface xml:id="preface">
<title>Preface</title> <title>Preface</title>
<para>Spring Security provides a comprehensive security solution for J2EE-based enterprise
<para>Spring Security provides a comprehensive security solution for software applications. As you will discover as you venture through this reference guide, we
J2EE-based enterprise software applications. As you will discover as you have tried to provide you a useful and highly configurable security system.</para>
venture through this reference guide, we have tried to provide you a <para>Security is an ever-moving target, and it's important to pursue a comprehensive,
useful and highly configurable security system.</para> system-wide approach. In security circles we encourage you to adopt "layers of security", so
that each layer tries to be as secure as possible in its own right, with successive layers
<para>Security is an ever-moving target, and it's important to pursue a providing additional security. The "tighter" the security of each layer, the more robust and
comprehensive, system-wide approach. In security circles we encourage you safe your application will be. At the bottom level you'll need to deal with issues such as
to adopt "layers of security", so that each layer tries to be as secure as transport security and system identification, in order to mitigate man-in-the-middle attacks.
possible in its own right, with successive layers providing additional Next you'll generally utilise firewalls, perhaps with VPNs or IP security to ensure only
security. The "tighter" the security of each layer, the more robust and authorised systems can attempt to connect. In corporate environments you may deploy a DMZ to
safe your application will be. At the bottom level you'll need to deal separate public-facing servers from backend database and application servers. Your operating
with issues such as transport security and system identification, in order system will also play a critical part, addressing issues such as running processes as
to mitigate man-in-the-middle attacks. Next you'll generally utilise non-privileged users and maximising file system security. An operating system will usually
firewalls, perhaps with VPNs or IP security to ensure only authorised also be configured with its own firewall. Hopefully somewhere along the way you'll be trying
systems can attempt to connect. In corporate environments you may deploy a to prevent denial of service and brute force attacks against the system. An intrusion
DMZ to separate public-facing servers from backend database and detection system will also be especially useful for monitoring and responding to attacks, with
application servers. Your operating system will also play a critical part, such systems able to take protective action such as blocking offending TCP/IP addresses in
addressing issues such as running processes as non-privileged users and real-time. Moving to the higher layers, your Java Virtual Machine will hopefully be configured
maximising file system security. An operating system will usually also be to minimize the permissions granted to different Java types, and then your application will
configured with its own firewall. Hopefully somewhere along the way you'll add its own problem domain-specific security configuration. Spring Security makes this latter
be trying to prevent denial of service and brute force attacks against the area - application security - much easier. </para>
system. An intrusion detection system will also be especially useful for <para>Of course, you will need to properly address all security layers mentioned above, together
monitoring and responding to attacks, with such systems able to take with managerial factors that encompass every layer. A non-exhaustive list of such managerial
protective action such as blocking offending TCP/IP addresses in factors would include security bulletin monitoring, patching, personnel vetting, audits,
real-time. Moving to the higher layers, your Java Virtual Machine will change control, engineering management systems, data backup, disaster recovery, performance
hopefully be configured to minimize the permissions granted to different benchmarking, load monitoring, centralised logging, incident response procedures etc.</para>
Java types, and then your application will add its own problem <para>With Spring Security being focused on helping you with the enterprise application security
domain-specific security configuration. Spring Security makes this latter layer, you will find that there are as many different requirements as there are business
area - application security - much easier. problem domains. A banking application has different needs from an ecommerce application. An
</para> ecommerce application has different needs from a corporate sales force automation tool. These
custom requirements make application security interesting, challenging and rewarding. </para>
<para>Of course, you will need to properly address all security layers <para>Please read <xref linkend="getting-started"/>, in its entirety to begin with. This will
mentioned above, together with managerial factors that encompass every introduce you to the framework and the namespace-based configuration system with which you can
layer. A non-exhaustive list of such managerial factors would include get up and running quite quickly. To get more of an understanding of an in-depth understaning
security bulletin monitoring, patching, personnel vetting, audits, change of how Spring Security works, and some of the classes you might need to use, you should then
control, engineering management systems, data backup, disaster recovery, read <xref linkend="overall-architecture"/>. The remaining parts of this guide are structured
performance benchmarking, load monitoring, centralised logging, incident in a more traditional reference style, designed to be read on an as-required basis. We'd also
response procedures etc.</para> recommend that you read up as much as possible on application security issues in general.
Spring Security is not a panacea which will solve all security issues. It is important that
<para>With Spring Security being focused on helping you with the the application is designed with security in mind from the start. Attempting to retrofit it is
enterprise application security layer, you will find that there are as not a good idea. In particular, if you are building a web application, you should be aware of
many different requirements as there are business problem domains. A the many potential vulnerabilities such as cross-site scripting, request-forgery and
banking application has different needs from an ecommerce application. An session-hijacking which you should be taking into account from the start. The OWASP web site
ecommerce application has different needs from a corporate sales force (http://www.owasp.org/) maintains a top ten list of web application vulnerabilities as well as
automation tool. These custom requirements make application security a lot of useful reference information. </para>
interesting, challenging and rewarding. <para>We hope that you find this reference guide useful, and we welcome your feedback and <link
</para> xlink:href="#jira">suggestions</link>. </para>
<para>Finally, welcome to the Spring Security <link xlink:href="#community">community</link>.
<para>Please read <xref linkend="getting-started"/>, in
its entirety to begin with. This will introduce you to the framework and the namespace-based
configuration system with which you can get up and running quite quickly. To get more of an understanding
of an in-depth understaning of how Spring Security works, and some of the classes you might
need to use, you should then read <xref linkend="overall-architecture"/>.
The remaining parts of this guide are structured in a more traditional reference style,
designed to be read on an as-required basis. We'd also recommend that you read up as much as
possible on application security issues in general. Spring Security is not a panacea which will
solve all security issues. It is important that the application is designed with security in
mind from the start. Attempting to retrofit it is not a good idea.
In particular, if you are building a web application, you should be aware of the many potential
vulnerabilities such as cross-site scripting, request-forgery and session-hijacking which you should
be taking into account from the start. The OWASP web site (http://www.owasp.org/) maintains a
top ten list of web application vulnerabilities as well as a lot of useful reference information.
</para>
<para>We hope that you find this reference guide useful, and we welcome
your feedback and <link xlink:href="#jira">suggestions</link>.
</para>
<para>Finally, welcome to the Spring Security <link xlink:href="#community" >community</link>.
</para> </para>
</preface> </preface>
<part xml:id="getting-started"> <part xml:id="getting-started">
<title>Getting Started</title> <title>Getting Started</title>
<partintro> <partintro>
<para>The later parts of this guide provide an in-depth discussion of the <para>The later parts of this guide provide an in-depth discussion of the framework
framework architecture and implementation classes, an understanding of which is important architecture and implementation classes, an understanding of which is important if you need
if you need to do any serious customization. In this part, we'll introduce Spring Security 2.0, to do any serious customization. In this part, we'll introduce Spring Security 2.0, give a
give a brief overview of the project's history and take a slightly brief overview of the project's history and take a slightly gentler look at how to get
gentler look at how to get started using the framework. started using the framework. In particular, we'll look at namespace configuration which
In particular, we'll look at namespace configuration which provides a much simpler way of securing provides a much simpler way of securing your application compared to the traditional Spring
your application compared to the traditional Spring bean approach where you had to wire up all the bean approach where you had to wire up all the implementation classes individually. </para>
implementation classes individually. <para> We'll also take a look at the sample applications that are available. It's worth trying
</para> to run these and experimenting with them a bit even before you read the later sections - you
<para> can dip back into them as your understanding of the framework increases. </para>
We'll also take a look at the sample applications that are available. It's worth trying to run
these and experimenting with them a bit even before you read the later sections - you can dip back into them
as your understanding of the framework increases.
</para>
</partintro> </partintro>
<xi:include href="introduction.xml"/>
<xi:include href="introduction.xml" /> <xi:include href="namespace-config.xml"/>
<xi:include href="namespace-config.xml" />
<xi:include href="samples.xml"/> <xi:include href="samples.xml"/>
<xi:include href="community.xml"/>
<xi:include href="community.xml"/>
</part> </part>
<part xml:id="overall-architecture"> <part xml:id="overall-architecture">
<title>Overall Architecture</title> <title>Overall Architecture</title>
<partintro> <partintro>
<para>Like most software, Spring Security has certain central <para>Like most software, Spring Security has certain central interfaces, classes and
interfaces, classes and conceptual abstractions that are commonly used conceptual abstractions that are commonly used throughout the framework. In this part of the
throughout the framework. In this part of the reference guide we will reference guide we will introduce Spring Security, before examining these central elements
introduce Spring Security, before examining these central elements that that are necessary to successfully planning and executing a Spring Security
are necessary to successfully planning and executing a Spring Security integration.</para>
integration.</para>
</partintro> </partintro>
<xi:include href="technical-overview.xml"/>
<xi:include href="technical-overview.xml" /> <xi:include href="supporting-infrastructure.xml"/>
<xi:include href="channel-security.xml"/>
<xi:include href="supporting-infrastructure.xml" />
<xi:include href="channel-security.xml" />
</part> </part>
<part xml:id="authentication"> <part xml:id="authentication">
<title>Authentication</title> <title>Authentication</title>
<partintro> <partintro>
<para>We've already introduced Spring Security's authentication architecture <para>We've already introduced Spring Security's authentication architecture in the <link
in the <link xlink:href="#technical-overview">Technical Overview</link> chapter. xlink:href="#technical-overview">Technical Overview</link> chapter. In this part of the
In this part of the reference guide we will examine individual reference guide we will examine individual authentication mechanisms and their corresponding
authentication mechanisms and their corresponding <classname>AuthenticationProvider</classname>s. We'll also look at how to configure
<classname>AuthenticationProvider</classname>s. We'll also look at how to authentication more generally, including if you have several authentication approaches that
configure authentication more generally, including if you have several need to be chained together.</para>
authentication approaches that need to be chained together.</para> <para> With some exceptions, we will be discussing the full details of Spring Security bean
<para> configuration rather than the shorthand <link xlink:href="#ns-config">namespace
With some exceptions, we will be discussing the full details of Spring Security syntax</link>. You should review the introduction to using namespace configuration and the
bean configuration rather than the shorthand options it provides to see if they will meet your needs. As you come to use the framework
<link xlink:href="#ns-config">namespace syntax</link>. You should review more, and need to customize the internal behaviour, you will probably want to understand
the introduction to using namespace configuration and the options it provides more about how the individual services are implemented, which classes to look at extending
to see if they will meet your needs. As you come to use the framework more, and so on. This part is more targeted at providing this kind of information. We'd recommend
and need to customize the internal behaviour, you will probably want to understand that you supplement the content by browsing the Javadoc and the source itself <footnote>
more about how the individual services are implemented, which classes to look at <para>Links to both Javadoc APIs and browsable source cross-reference are available from
extending and so on. This part is more targeted at providing this kind of information. the project web site.</para>
We'd recommend that you supplement the content by browsing the Javadoc and the source </footnote>. </para>
itself <footnote><para>Links to both Javadoc APIs and browsable source cross-reference
are available from the project web site.</para></footnote>.
</para>
</partintro> </partintro>
<xi:include href="common-auth-services.xml"/>
<xi:include href="common-auth-services.xml" /> <xi:include href="dao-auth-provider.xml"/>
<xi:include href="dao-auth-provider.xml" />
<xi:include href="ldap-auth-provider.xml"/> <xi:include href="ldap-auth-provider.xml"/>
<xi:include href="form-authentication.xml"/>
<xi:include href="form-authentication.xml" /> <xi:include href="basic-authentication.xml"/>
<xi:include href="digest-authentication.xml"/>
<xi:include href="basic-authentication.xml" /> <xi:include href="remember-me-authentication.xml"/>
<xi:include href="jaas-auth-provider.xml"/>
<xi:include href="digest-authentication.xml" /> <xi:include href="preauth.xml"/>
<xi:include href="anon-auth-provider.xml"/>
<xi:include href="remember-me-authentication.xml" />
<xi:include href="jaas-auth-provider.xml" />
<xi:include href="preauth.xml" />
<xi:include href="anon-auth-provider.xml" />
<xi:include href="x509-auth-provider.xml"/> <xi:include href="x509-auth-provider.xml"/>
<xi:include href="cas-auth-provider.xml"/> <xi:include href="cas-auth-provider.xml"/>
<xi:include href="runas-auth-provider.xml"/>
<xi:include href="runas-auth-provider.xml" />
</part> </part>
<part xml:id="authorization"> <part xml:id="authorization">
<title>Authorization</title> <title>Authorization</title>
<partintro> <partintro>
<para>The advanced authorization capabilities within Spring Security <para>The advanced authorization capabilities within Spring Security represent one of the most
represent one of the most compelling reasons for its popularity. compelling reasons for its popularity. Irrespective of how you choose to authenticate -
Irrespective of how you choose to authenticate - whether using a Spring whether using a Spring Security-provided mechanism and provider, or integrating with a
Security-provided mechanism and provider, or integrating with a container or other non-Spring Security authentication authority - you will find the
container or other non-Spring Security authentication authority - you authorization services can be used within your application in a consistent and simple
will find the authorization services can be used within your application way.</para>
in a consistent and simple way.</para>
<para>In this part we'll explore the different <para>In this part we'll explore the different
<classname>AbstractSecurityInterceptor</classname> implementations, which <classname>AbstractSecurityInterceptor</classname> implementations, which were introduced
were introduced in Part I. We then move on to explore how to fine-tune in Part I. We then move on to explore how to fine-tune authorization through use of domain
authorization through use of domain access control lists.</para> access control lists.</para>
</partintro> </partintro>
<xi:include href="authorization-common.xml"/>
<xi:include href="authorization-common.xml"/>
<xi:include href="secured-objects.xml"/> <xi:include href="secured-objects.xml"/>
<xi:include href="domain-acls.xml"/> <xi:include href="domain-acls.xml"/>
</part> </part>
<xi:include href="appendix-db-schema.xml"/> <xi:include href="appendix-db-schema.xml"/>
<xi:include href="appendix-namespace.xml"/> <xi:include href="appendix-namespace.xml"/>
</book>
</book>
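Review bot: the Overall Architecture partintro still reads "necessary to successfully planning and executing a Spring Security integration" on both sides of the reflow; since these lines are being touched anyway, change it to "necessary to successfully plan and execute a Spring Security integration". Beyond that the hunk is a whitespace-only reflow of existing paragraphs and xi:include lines with no wording changes, which makes it hard to spot the substantive edits the commit message describes (contacts sample info, ACL schema and Postgres notes); a separate formatting-only commit would keep this file's history reviewable.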