Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-03-01 10:59:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Extract subsections for preface

Browse Source 
Issue: gh-2567
This commit is contained in:
Rob Winch 2018-03-05 16:56:47 -06:00
parent 86465026a1
commit 73cec43842
11 changed files with 3159 additions and 3151 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3150
docs/manual/src/docs/asciidoc/_includes/preface.adoc
View File

File diff suppressed because it is too large Load Diff

31
docs/manual/src/docs/asciidoc/_includes/preface/community.adoc Normal file
View File

@ -0,0 +1,31 @@
[[community]]
== Spring Security Community
[[jira]]
=== Issue Tracking
Spring Security uses JIRA to manage bug reports and enhancement requests.
If you find a bug, please log a report using JIRA.
Do not log it on the support forum, mailing list or by emailing the project's developers.
Such approaches are ad-hoc and we prefer to manage bugs using a more formal process.
If possible, in your issue report please provide a JUnit test that demonstrates any incorrect behaviour.
Or, better yet, provide a patch that corrects the issue.
Similarly, enhancements are welcome to be logged in the issue tracker, although we only accept enhancement requests if you include corresponding unit tests.
This is necessary to ensure project test coverage is adequately maintained.
You can access the issue tracker at https://github.com/spring-projects/spring-security/issues.
[[becoming-involved]]
=== Becoming Involved
We welcome your involvement in the Spring Security project.
There are many ways of contributing, including reading the forum and responding to questions from other people, writing new code, improving existing code, assisting with documentation, developing samples or tutorials, or simply making suggestions.
[[further-info]]
=== Further Information
Questions and comments on Spring Security are welcome.
You can use the Spring at Stack Overflow web site at http://spring.io/questions[http://spring.io/questions] to discuss Spring Security with other users of the framework.
Remember to use JIRA for bug reports, as explained above.

13
docs/manual/src/docs/asciidoc/_includes/preface/getting-started.adoc Normal file
View File

@ -0,0 +1,13 @@
[[getting-started]]
== Getting Started
The later parts of this guide provide an in-depth discussion of the framework architecture and implementation classes, which you need to understand if you want to do any serious customization.
In this part, we'll introduce Spring Security 4.
0, give a brief overview of the project's history and take a slightly gentler look at how to get started using the framework.
In particular, we'll look at namespace configuration which provides a much simpler way of securing your application compared to the traditional Spring bean approach where you have to wire up all the implementation classes individually.
We'll also take a look at the sample applications that are available.
It's worth trying to run these and experimenting with them a bit even before you read the later sections - you can dip back into them as your understanding of the framework increases.
Please also check out the http://spring.
io/spring-security[project website] as it has useful information on building the project, plus links to articles, videos and tutorials.

34
docs/manual/src/docs/asciidoc/_includes/preface/guides.adoc Normal file
View File

@ -0,0 +1,34 @@
[[samples]]
== Samples and Guides (Start Here)
If you are looking to get started with Spring Security, the best place to start is our Sample Applications.
.Sample Applications
|===
| Source | Description | Guide
| {gh-samples-url}/javaconfig/helloworld[Hello Spring Security]
| Demonstrates how to integrate Spring Security with an existing application using Java-based configuration.
| link:../../guides/html5/helloworld-javaconfig.html[Hello Spring Security Guide]
| {gh-samples-url}/boot/helloworld[Hello Spring Security Boot]
| Demonstrates how to integrate Spring Security with an existing Spring Boot application.
| link:../../guides/html5/helloworld-boot.html[Hello Spring Security Boot Guide]
| {gh-samples-url}/xml/helloworld[Hello Spring Security XML]
| Demonstrates how to integrate Spring Security with an existing application using XML-based configuration.
| link:../../guides/html5/helloworld-xml.html[Hello Spring Security XML Guide]
| {gh-samples-url}/javaconfig/hellomvc[Hello Spring MVC Security]
| Demonstrates how to integrate Spring Security with an existing Spring MVC application.
| link:../../guides/html5/hellomvc-javaconfig.html[Hello Spring MVC Security Guide]
| {gh-samples-url}/javaconfig/form[Custom Login Form]
| Demonstrates how to create a custom login form.
| link:../../guides/html5/form-javaconfig.html[Custom Login Form Guide]
| {gh-samples-url}/boot/oauth2login[OAuth 2.0 Login]
| Demonstrates how to integrate OAuth 2.0 Login with an OAuth 2.0 or OpenID Connect 1.0 Provider.
| link:{gh-samples-url}/boot/oauth2login/README.adoc[OAuth 2.0 Login Guide]
|===

58
docs/manual/src/docs/asciidoc/_includes/preface/index.adoc Normal file
View File

@ -0,0 +1,58 @@
[[preface]]
= Preface
Spring Security provides a comprehensive security solution for Java EE-based enterprise software applications.
As you will discover as you venture through this reference guide, we have tried to provide you a useful and highly configurable security system.
Security is an ever-moving target, and it's important to pursue a comprehensive, system-wide approach.
In security circles we encourage you to adopt "layers of security", so that each layer tries to be as secure as possible in its own right, with successive layers providing additional security.
The "tighter" the security of each layer, the more robust and safe your application will be.
At the bottom level you'll need to deal with issues such as transport security and system identification, in order to mitigate man-in-the-middle attacks.
Next you'll generally utilise firewalls, perhaps with VPNs or IP security to ensure only authorised systems can attempt to connect.
In corporate environments you may deploy a DMZ to separate public-facing servers from backend database and application servers.
Your operating system will also play a critical part, addressing issues such as running processes as non-privileged users and maximising file system security.
An operating system will usually also be configured with its own firewall.
Hopefully somewhere along the way you'll be trying to prevent denial of service and brute force attacks against the system.
An intrusion detection system will also be especially useful for monitoring and responding to attacks, with such systems able to take protective action such as blocking offending TCP/IP addresses in real-time.
Moving to the higher layers, your Java Virtual Machine will hopefully be configured to minimize the permissions granted to different Java types, and then your application will add its own problem domain-specific security configuration.
Spring Security makes this latter area - application security - much easier.
Of course, you will need to properly address all security layers mentioned above, together with managerial factors that encompass every layer.
A non-exhaustive list of such managerial factors would include security bulletin monitoring, patching, personnel vetting, audits, change control, engineering management systems, data backup, disaster recovery, performance benchmarking, load monitoring, centralised logging, incident response procedures etc.
With Spring Security being focused on helping you with the enterprise application security layer, you will find that there are as many different requirements as there are business problem domains.
A banking application has different needs from an ecommerce application.
An ecommerce application has different needs from a corporate sales force automation tool.
These custom requirements make application security interesting, challenging and rewarding.
Please read <<getting-started>>, in its entirety to begin with.
This will introduce you to the framework and the namespace-based configuration system with which you can get up and running quite quickly.
To get more of an understanding of how Spring Security works, and some of the classes you might need to use, you should then read <<overall-architecture>>.
The remaining parts of this guide are structured in a more traditional reference style, designed to be read on an as-required basis.
We'd also recommend that you read up as much as possible on application security issues in general.
Spring Security is not a panacea which will solve all security issues.
It is important that the application is designed with security in mind from the start.
Attempting to retrofit it is not a good idea.
In particular, if you are building a web application, you should be aware of the many potential vulnerabilities such as cross-site scripting, request-forgery and session-hijacking which you should be taking into account from the start.
The OWASP web site (http://www.
owasp.
org/) maintains a top ten list of web application vulnerabilities as well as a lot of useful reference information.
We hope that you find this reference guide useful, and we welcome your feedback and <<jira,suggestions>>.
Finally, welcome to the Spring Security <<community,community>>.
include::getting-started.adoc[]
include::introduction.adoc[]
include::whats-new.adoc[]
include::guides.adoc[]
include::java-configuration.adoc[]
include::namespace.adoc[]
include::samples.adoc[]
include::community.adoc[]

448
docs/manual/src/docs/asciidoc/_includes/preface/introduction.adoc Normal file
View File

@ -0,0 +1,448 @@
[[introduction]]
== Introduction
[[what-is-acegi-security]]
=== What is Spring Security?
Spring Security provides comprehensive security services for Java EE-based enterprise software applications.
There is a particular emphasis on supporting projects built using The Spring Framework, which is the leading Java EE solution for enterprise software development.
If you're not using Spring for developing enterprise applications, we warmly encourage you to take a closer look at it.
Some familiarity with Spring - and in particular dependency injection principles - will help you get up to speed with Spring Security more easily.
People use Spring Security for many reasons, but most are drawn to the project after finding the security features of Java EE's Servlet Specification or EJB Specification lack the depth required for typical enterprise application scenarios.
Whilst mentioning these standards, it's important to recognise that they are not portable at a WAR or EAR level.
Therefore, if you switch server environments, it is typically a lot of work to reconfigure your application's security in the new target environment.
Using Spring Security overcomes these problems, and also brings you dozens of other useful, customisable security features.
As you probably know two major areas of application security are "authentication" and "authorization" (or "access-control").
These are the two main areas that Spring Security targets.
"Authentication" is the process of establishing a principal is who they claim to be (a "principal" generally means a user, device or some other system which can perform an action in your application).
"Authorization" refers to the process of deciding whether a principal is allowed to perform an action within your application.
To arrive at the point where an authorization decision is needed, the identity of the principal has already been established by the authentication process.
These concepts are common, and not at all specific to Spring Security.
At an authentication level, Spring Security supports a wide range of authentication models.
Most of these authentication models are either provided by third parties, or are developed by relevant standards bodies such as the Internet Engineering Task Force.
In addition, Spring Security provides its own set of authentication features.
Specifically, Spring Security currently supports authentication integration with all of these technologies:
* HTTP BASIC authentication headers (an IETF RFC-based standard)
* HTTP Digest authentication headers (an IETF RFC-based standard)
* HTTP X.509 client certificate exchange (an IETF RFC-based standard)
* LDAP (a very common approach to cross-platform authentication needs, especially in large environments)
* Form-based authentication (for simple user interface needs)
* OpenID authentication
* Authentication based on pre-established request headers (such as Computer Associates Siteminder)
* Jasig Central Authentication Service (otherwise known as CAS, which is a popular open source single sign-on system)
* Transparent authentication context propagation for Remote Method Invocation (RMI) and HttpInvoker (a Spring remoting protocol)
* Automatic "remember-me" authentication (so you can tick a box to avoid re-authentication for a predetermined period of time)
* Anonymous authentication (allowing every unauthenticated call to automatically assume a particular security identity)
* Run-as authentication (which is useful if one call should proceed with a different security identity)
* Java Authentication and Authorization Service (JAAS)
* Java EE container authentication (so you can still use Container Managed Authentication if desired)
* Kerberos
* Java Open Source Single Sign-On (JOSSO) *
* OpenNMS Network Management Platform *
* AppFuse *
* AndroMDA *
* Mule ESB *
* Direct Web Request (DWR) *
* Grails *
* Tapestry *
* JTrac *
* Jasypt *
* Roller *
* Elastic Path *
* Atlassian Crowd *
* Your own authentication systems (see below)
(* Denotes provided by a third party)
Many independent software vendors (ISVs) adopt Spring Security because of this significant choice of flexible authentication models.
Doing so allows them to quickly integrate their solutions with whatever their end clients need, without undertaking a lot of engineering or requiring the client to change their environment.
If none of the above authentication mechanisms suit your needs, Spring Security is an open platform and it is quite simple to write your own authentication mechanism.
Many corporate users of Spring Security need to integrate with "legacy" systems that don't follow any particular security standards, and Spring Security is happy to "play nicely" with such systems.
Irrespective of the authentication mechanism, Spring Security provides a deep set of authorization capabilities.
There are three main areas of interest: authorizing web requests, authorizing whether methods can be invoked and authorizing access to individual domain object instances.
To help you understand the differences, consider the authorization capabilities found in the Servlet Specification web pattern security, EJB Container Managed Security and file system security respectively.
Spring Security provides deep capabilities in all of these important areas, which we'll explore later in this reference guide.
[[history]]
=== History
Spring Security began in late 2003 as "The Acegi Security System for Spring".
A question was posed on the Spring Developers' mailing list asking whether there had been any consideration given to a Spring-based security implementation.
At the time the Spring community was relatively small (especially compared with the size today!), and indeed Spring itself had only existed as a SourceForge project from early 2003.
The response to the question was that it was a worthwhile area, although a lack of time currently prevented its exploration.
With that in mind, a simple security implementation was built and not released.
A few weeks later another member of the Spring community inquired about security, and at the time this code was offered to them.
Several other requests followed, and by January 2004 around twenty people were using the code.
These pioneering users were joined by others who suggested a SourceForge project was in order, which was duly established in March 2004.
In those early days, the project didn't have any of its own authentication modules.
Container Managed Security was relied upon for the authentication process, with Acegi Security instead focusing on authorization.
This was suitable at first, but as more and more users requested additional container support, the fundamental limitation of container-specific authentication realm interfaces became clear.
There was also a related issue of adding new JARs to the container's classpath, which was a common source of end user confusion and misconfiguration.
Acegi Security-specific authentication services were subsequently introduced.
Around a year later, Acegi Security became an official Spring Framework subproject.
The 1.
0.
0 final release was published in May 2006 - after more than two and a half years of active use in numerous production software projects and many hundreds of improvements and community contributions.
Acegi Security became an official Spring Portfolio project towards the end of 2007 and was rebranded as "Spring Security".
Today Spring Security enjoys a strong and active open source community.
There are thousands of messages about Spring Security on the support forums.
There is an active core of developers who work on the code itself and an active community which also regularly share patches and support their peers.
[[release-numbering]]
=== Release Numbering
It is useful to understand how Spring Security release numbers work, as it will help you identify the effort (or lack thereof) involved in migrating to future releases of the project.
Each release uses a standard triplet of integers: MAJOR.MINOR.PATCH.
The intent is that MAJOR versions are incompatible, large-scale upgrades of the API.
MINOR versions should largely retain source and binary compatibility with older minor versions, thought there may be some design changes and incompatible updates.
PATCH level should be perfectly compatible, forwards and backwards, with the possible exception of changes which are to fix bugs and defects.
The extent to which you are affected by changes will depend on how tightly integrated your code is.
If you are doing a lot of customization you are more likely to be affected than if you are using a simple namespace configuration.
You should always test your application thoroughly before rolling out a new version.
[[get-spring-security]]
=== Getting Spring Security
You can get hold of Spring Security in several ways.
You can download a packaged distribution from the main http://spring.
io/spring-security[Spring Security] page, download individual jars from the Maven Central repository (or a Spring Maven repository for snapshot and milestone releases) or, alternatively, you can build the project from source yourself.
[[maven]]
==== Usage with Maven
A minimal Spring Security Maven set of dependencies typically looks like the following:
.pom.xml
[source,xml]
[subs="verbatim,attributes"]
----
<dependencies>
<!-- ... other dependency elements ... -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>{spring-security-version}</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>{spring-security-version}</version>
</dependency>
</dependencies>
----
If you are using additional features like LDAP, OpenID, etc. you will need to also include the appropriate <<modules>>.
[[maven-repositories]]
===== Maven Repositories
All GA releases (i.e. versions ending in .RELEASE) are deployed to Maven Central, so no additional Maven repositories need to be declared in your pom.
If you are using a SNAPSHOT version, you will need to ensure you have the Spring Snapshot repository defined as shown below:
.pom.xml
[source,xml]
----
<repositories>
<!-- ... possibly other repository elements ... -->
<repository>
<id>spring-snapshot</id>
<name>Spring Snapshot Repository</name>
<url>http://repo.spring.io/snapshot</url>
</repository>
</repositories>
----
If you are using a milestone or release candidate version, you will need to ensure you have the Spring Milestone repository defined as shown below:
.pom.xml
[source,xml]
----
<repositories>
<!-- ... possibly other repository elements ... -->
<repository>
<id>spring-milestone</id>
<name>Spring Milestone Repository</name>
<url>http://repo.spring.io/milestone</url>
</repository>
</repositories>
----
[[maven-bom]]
===== Spring Framework Bom
Spring Security builds against Spring Framework {spring-version}, but should work with 4.0.x.
The problem that many users will have is that Spring Security's transitive dependencies resolve Spring Framework {spring-version} which can cause strange classpath problems.
One (tedious) way to circumvent this issue would be to include all the Spring Framework modules in a http://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Management[<dependencyManagement>] section of your pom.
An alternative approach is to include the `spring-framework-bom` within your `<dependencyManagement>` section of your `pom.xml` as shown below:
.pom.xml
[source,xml]
[subs="verbatim,attributes"]
----
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-framework-bom</artifactId>
<version>{spring-version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
----
This will ensure that all the transitive dependencies of Spring Security use the Spring {spring-version} modules.
NOTE: This approach uses Maven's "bill of materials" (BOM) concept and is only available in Maven 2.0.9+.
For additional details about how dependencies are resolved refer to http://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html[Maven's Introduction to the Dependency Mechanism documentation].
[[gradle]]
==== Gradle
A minimal Spring Security Gradle set of dependencies typically looks like the following:
.build.gradle
[source,groovy]
[subs="verbatim,attributes"]
----
dependencies {
compile 'org.springframework.security:spring-security-web:{spring-security-version}'
compile 'org.springframework.security:spring-security-config:{spring-security-version}'
}
----
If you are using additional features like LDAP, OpenID, etc. you will need to also include the appropriate <<modules>>.
[[gradle-repositories]]
===== Gradle Repositories
All GA releases (i.e. versions ending in .RELEASE) are deployed to Maven Central, so using the mavenCentral() repository is sufficient for GA releases.
.build.gradle
[source,groovy]
----
repositories {
mavenCentral()
}
----
If you are using a SNAPSHOT version, you will need to ensure you have the Spring Snapshot repository defined as shown below:
.build.gradle
[source,groovy]
----
repositories {
maven { url 'https://repo.spring.io/snapshot' }
}
----
If you are using a milestone or release candidate version, you will need to ensure you have the Spring Milestone repository defined as shown below:
.build.gradle
[source,groovy]
----
repositories {
maven { url 'https://repo.spring.io/milestone' }
}
----
[[gradle-resolutionStrategy]]
===== Using Spring 4.0.x and Gradle
By default Gradle will use the newest version when resolving transitive versions.
This means that often times no additional work is necessary when running Spring Security {spring-security-version} with Spring Framework {spring-version}.
However, at times there can be issues that come up so it is best to mitigate this using http://www.gradle.org/docs/current/dsl/org.gradle.api.artifacts.ResolutionStrategy.html[Gradle's ResolutionStrategy] as shown below:
.build.gradle
[source,groovy]
[subs="verbatim,attributes"]
----
configurations.all {
resolutionStrategy.eachDependency { DependencyResolveDetails details ->
if (details.requested.group == 'org.springframework') {
details.useVersion '{spring-version}'
}
}
}
----
This will ensure that all the transitive dependencies of Spring Security use the Spring {spring-version} modules.
NOTE: This example uses Gradle 1.9, but may need modifications to work in future versions of Gradle since this is an incubating feature within Gradle.
[[modules]]
==== Project Modules
In Spring Security 3.0, the codebase has been sub-divided into separate jars which more clearly separate different functionality areas and third-party dependencies.
If you are using Maven to build your project, then these are the modules you will add to your `pom.xml`.
Even if you're not using Maven, we'd recommend that you consult the `pom.xml` files to get an idea of third-party dependencies and versions.
Alternatively, a good idea is to examine the libraries that are included in the sample applications.
[[spring-security-core]]
===== Core - spring-security-core.jar
Contains core authentication and access-contol classes and interfaces, remoting support and basic provisioning APIs.
Required by any application which uses Spring Security.
Supports standalone applications, remote clients, method (service layer) security and JDBC user provisioning.
Contains the top-level packages:
* `org.springframework.security.core`
* `org.springframework.security.access`
* `org.springframework.security.authentication`
* `org.springframework.security.provisioning`
[[spring-security-remoting]]
===== Remoting - spring-security-remoting.jar
Provides intergration with Spring Remoting.
You don't need this unless you are writing a remote client which uses Spring Remoting.
The main package is `org.springframework.security.remoting`.
[[spring-security-web]]
===== Web - spring-security-web.jar
Contains filters and related web-security infrastructure code.
Anything with a servlet API dependency.
You'll need it if you require Spring Security web authentication services and URL-based access-control.
The main package is `org.springframework.security.web`.
[[spring-security-config]]
===== Config - spring-security-config.jar
Contains the security namespace parsing code & Java configuration code.
You need it if you are using the Spring Security XML namespace for configuration or Spring Security's Java Configuration support.
The main package is `org.springframework.security.config`.
None of the classes are intended for direct use in an application.
[[spring-security-ldap]]
===== LDAP - spring-security-ldap.jar
LDAP authentication and provisioning code.
Required if you need to use LDAP authentication or manage LDAP user entries.
The top-level package is `org.springframework.security.ldap`.
[[spring-security-oauth2-core]]
===== OAuth 2.0 Core - spring-security-oauth2-core.jar
`spring-security-oauth2-core.jar` contains core classes and interfaces that provide support for the _OAuth 2.0 Authorization Framework_ and for _OpenID Connect Core 1.0_.
It is required by applications that use _OAuth 2.0_ or _OpenID Connect Core 1.0_, such as Client, Resource Server, and Authorization Server.
The top-level package is `org.springframework.security.oauth2.core`.
[[spring-security-oauth2-client]]
===== OAuth 2.0 Client - spring-security-oauth2-client.jar
`spring-security-oauth2-client.jar` is Spring Security's client support for _OAuth 2.0 Authorization Framework_ and _OpenID Connect Core 1.0_.
Required by applications leveraging *OAuth 2.0 Login* and/or OAuth Client support.
The top-level package is `org.springframework.security.oauth2.client`.
[[spring-security-oauth2-jose]]
===== OAuth 2.0 JOSE - spring-security-oauth2-jose.jar
`spring-security-oauth2-jose.jar` contains Spring Security's support for the _JOSE_ (Javascript Object Signing and Encryption) framework.
The _JOSE_ framework is intended to provide a method to securely transfer claims between parties.
It is built from a collection of specifications:
* JSON Web Token (JWT)
* JSON Web Signature (JWS)
* JSON Web Encryption (JWE)
* JSON Web Key (JWK)
It contains the top-level packages:
* `org.springframework.security.oauth2.jwt`
* `org.springframework.security.oauth2.jose`
[[spring-security-acl]]
===== ACL - spring-security-acl.jar
Specialized domain object ACL implementation.
Used to apply security to specific domain object instances within your application.
The top-level package is `org.springframework.security.acls`.
[[spring-security-cas]]
===== CAS - spring-security-cas.jar
Spring Security's CAS client integration.
If you want to use Spring Security web authentication with a CAS single sign-on server.
The top-level package is `org.springframework.security.cas`.
[[spring-security-openid]]
===== OpenID - spring-security-openid.jar
OpenID web authentication support.
Used to authenticate users against an external OpenID server.
`org.springframework.security.openid`.
Requires OpenID4Java.
[[spring-security-test]]
===== Test - spring-security-test.jar
Support for testing with Spring Security.
[[get-source]]
==== Checking out the Source
Since Spring Security is an Open Source project, we'd strongly encourage you to check out the source code using git.
This will give you full access to all the sample applications and you can build the most up to date version of the project easily.
Having the source for a project is also a huge help in debugging.
Exception stack traces are no longer obscure black-box issues but you can get straight to the line that's causing the problem and work out what's happening.
The source is the ultimate documentation for a project and often the simplest place to find out how something actually works.
To obtain the source for the project, use the following git command:
[source,txt]
----
git clone https://github.com/spring-projects/spring-security.git
----
This will give you access to the entire project history (including all releases and branches) on your local machine.

1527
docs/manual/src/docs/asciidoc/_includes/preface/java-configuration.adoc Normal file
View File

File diff suppressed because it is too large Load Diff

912
docs/manual/src/docs/asciidoc/_includes/preface/namespace.adoc Normal file
View File

@ -0,0 +1,912 @@
[[ns-config]]
== Security Namespace Configuration
=== Introduction
Namespace configuration has been available since version 2.0 of the Spring Framework.
It allows you to supplement the traditional Spring beans application context syntax with elements from additional XML schema.
You can find more information in the Spring http://docs.spring.io/spring/docs/current/spring-framework-reference/htmlsingle/[Reference Documentation].
A namespace element can be used simply to allow a more concise way of configuring an individual bean or, more powerfully, to define an alternative configuration syntax which more closely matches the problem domain and hides the underlying complexity from the user.
A simple element may conceal the fact that multiple beans and processing steps are being added to the application context.
For example, adding the following element from the security namespace to an application context will start up an embedded LDAP server for testing use within the application:
[source,xml]
----
<security:ldap-server />
----
This is much simpler than wiring up the equivalent Apache Directory Server beans.
The most common alternative configuration requirements are supported by attributes on the `ldap-server` element and the user is isolated from worrying about which beans they need to create and what the bean property names are.
footnote:[You can find out more about the use of the `ldap-server` element in the chapter on pass:specialcharacters,macros[<<ldap>>].].
Use of a good XML editor while editing the application context file should provide information on the attributes and elements that are available.
We would recommend that you try out the http://spring.io/tools/sts[Spring Tool Suite] as it has special features for working with standard Spring namespaces.
To start using the security namespace in your application context, you need to have the `spring-security-config` jar on your classpath.
Then all you need to do is add the schema declaration to your application context file:
[source,xml]
----
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
...
</beans>
----
In many of the examples you will see (and in the sample applications), we will often use "security" as the default namespace rather than "beans", which means we can omit the prefix on all the security namespace elements, making the content easier to read.
You may also want to do this if you have your application context divided up into separate files and have most of your security configuration in one of them.
Your security application context file would then start like this
[source,xml]
----
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
...
</beans:beans>
----
We'll assume this syntax is being used from now on in this chapter.
==== Design of the Namespace
The namespace is designed to capture the most common uses of the framework and provide a simplified and concise syntax for enabling them within an application.
The design is based around the large-scale dependencies within the framework, and can be divided up into the following areas:
* __Web/HTTP Security__ - the most complex part.
Sets up the filters and related service beans used to apply the framework authentication mechanisms, to secure URLs, render login and error pages and much more.
* __Business Object (Method) Security__ - options for securing the service layer.
* __AuthenticationManager__ - handles authentication requests from other parts of the framework.
* __AccessDecisionManager__ - provides access decisions for web and method security.
A default one will be registered, but you can also choose to use a custom one, declared using normal Spring bean syntax.
* __AuthenticationProvider__s - mechanisms against which the authentication manager authenticates users.
The namespace provides supports for several standard options and also a means of adding custom beans declared using a traditional syntax.
* __UserDetailsService__ - closely related to authentication providers, but often also required by other beans.
We'll see how to configure these in the following sections.
[[ns-getting-started]]
=== Getting Started with Security Namespace Configuration
In this section, we'll look at how you can build up a namespace configuration to use some of the main features of the framework.
Let's assume you initially want to get up and running as quickly as possible and add authentication support and access control to an existing web application, with a few test logins.
Then we'll look at how to change over to authenticating against a database or other security repository.
In later sections we'll introduce more advanced namespace configuration options.
[[ns-web-xml]]
==== web.xml Configuration
The first thing you need to do is add the following filter declaration to your `web.xml` file:
[source,xml]
----
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
----
This provides a hook into the Spring Security web infrastructure.
`DelegatingFilterProxy` is a Spring Framework class which delegates to a filter implementation which is defined as a Spring bean in your application context.
In this case, the bean is named "springSecurityFilterChain", which is an internal infrastructure bean created by the namespace to handle web security.
Note that you should not use this bean name yourself.
Once you've added this to your `web.xml`, you're ready to start editing your application context file.
Web security services are configured using the `<http>` element.
[[ns-minimal]]
==== A Minimal <http> Configuration
All you need to enable web security to begin with is
[source,xml]
----
<http>
<intercept-url pattern="/**" access="hasRole('USER')" />
<form-login />
<logout />
</http>
----
Which says that we want all URLs within our application to be secured, requiring the role `ROLE_USER` to access them, we want to log in to the application using a form with username and password, and that we want a logout URL registered which will allow us to log out of the application.
`<http>` element is the parent for all web-related namespace functionality.
The `<intercept-url>` element defines a `pattern` which is matched against the URLs of incoming requests using an ant path style syntax footnote:[See the section on pass:specialcharacters,macros[<<request-matching>>] in the Web Application Infrastructure chapter for more details on how matches are actually performed.].
You can also use regular-expression matching as an alternative (see the namespace appendix for more details).
The `access` attribute defines the access requirements for requests matching the given pattern.
With the default configuration, this is typically a comma-separated list of roles, one of which a user must have to be allowed to make the request.
The prefix"ROLE_" is a marker which indicates that a simple comparison with the user's authorities should be made.
In other words, a normal role-based check should be used.
Access-control in Spring Security is not limited to the use of simple roles (hence the use of the prefix to differentiate between different types of security attributes).
We'll see later how the interpretation can vary footnote:[The interpretation of the comma-separated values in the `access` attribute depends on the implementation of the pass:specialcharacters,macros[<<ns-access-manager,AccessDecisionManager>>] which is used.
In Spring Security 3.0, the attribute can also be populated with an pass:specialcharacters,macros[<<el-access,EL expression>>].
[NOTE]
====
You can use multiple `<intercept-url>` elements to define different access requirements for different sets of URLs, but they will be evaluated in the order listed and the first match will be used.
So you must put the most specific matches at the top.
You can also add a `method` attribute to limit the match to a particular HTTP method (`GET`, `POST`, `PUT` etc.).
====
To add some users, you can define a set of test data directly in the namespace:
[source,xml]
----
<authentication-manager>
<authentication-provider>
<user-service>
<!-- Password is prefixed with {noop} to indicate to DelegatingPasswordEncoder that
NoOpPasswordEncoder should be used. This is not safe for production, but makes reading
in samples easier. Normally passwords should be hashed using BCrypt -->
<user name="jimi" password="{noop}jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
<user name="bob" password="{noop}bobspassword" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
----
This is an example of a secure way of storing the same passwords.
The password is prefixed with `{bcrypt}` to instruct `DelegatingPasswordEncoder`, which supports any configured `PasswordEncoder` for matching, that the passwords are hashed using BCrypt:
[source,xml]
----
<authentication-manager>
<authentication-provider>
<user-service>
<user name="jimi" password="{bcrypt}$2a$10$ddEWZUl8aU0GdZPPpy7wbu82dvEw/pBpbRvDQRqA41y6mK1CoH00m"
authorities="ROLE_USER, ROLE_ADMIN" />
<user name="bob" password="{bcrypt}$2a$10$/elFpMBnAYYig6KRR5bvOOYeZr1ie1hSogJryg9qDlhza4oCw1Qka"
authorities="ROLE_USER" />
<user name="jimi" password="{noop}jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
<user name="bob" password="{noop}bobspassword" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
----
[subs="quotes"]
****
If you are familiar with pre-namespace versions of the framework, you can probably already guess roughly what's going on here.
The `<http>` element is responsible for creating a `FilterChainProxy` and the filter beans which it uses.
Common problems like incorrect filter ordering are no longer an issue as the filter positions are predefined.
The `<authentication-provider>` element creates a `DaoAuthenticationProvider` bean and the `<user-service>` element creates an `InMemoryDaoImpl`.
All `authentication-provider` elements must be children of the `<authentication-manager>` element, which creates a `ProviderManager` and registers the authentication providers with it.
You can find more detailed information on the beans that are created in the <<appendix-namespace,namespace appendix>>.
It's worth cross-checking this if you want to start understanding what the important classes in the framework are and how they are used, particularly if you want to customise things later.
****
The configuration above defines two users, their passwords and their roles within the application (which will be used for access control).
It is also possible to load user information from a standard properties file using the `properties` attribute on `user-service`.
See the section on <<core-services-in-memory-service,in-memory authentication>> for more details on the file format.
Using the `<authentication-provider>` element means that the user information will be used by the authentication manager to process authentication requests.
You can have multiple `<authentication-provider>` elements to define different authentication sources and each will be consulted in turn.
At this point you should be able to start up your application and you will be required to log in to proceed.
Try it out, or try experimenting with the "tutorial" sample application that comes with the project.
[[ns-form-and-basic]]
==== Form and Basic Login Options
You might be wondering where the login form came from when you were prompted to log in, since we made no mention of any HTML files or JSPs.
In fact, since we didn't explicitly set a URL for the login page, Spring Security generates one automatically, based on the features that are enabled and using standard values for the URL which processes the submitted login, the default target URL the user will be sent to after logging in and so on.
However, the namespace offers plenty of support to allow you to customize these options.
For example, if you want to supply your own login page, you could use:
[source,xml]
----
<http>
<intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page='/login.jsp'/>
</http>
----
Also note that we've added an extra `intercept-url` element to say that any requests for the login page should be available to anonymous users footnote:[See the chapter on pass:specialcharacters,macros[<<anonymous>>]] and also the <<authz-authenticated-voter,AuthenticatedVoter>> class for more details on how the value `IS_AUTHENTICATED_ANONYMOUSLY` is processed.].
Otherwise the request would be matched by the pattern /** and it wouldn't be possible to access the login page itself!
This is a common configuration error and will result in an infinite loop in the application.
Spring Security will emit a warning in the log if your login page appears to be secured.
It is also possible to have all requests matching a particular pattern bypass the security filter chain completely, by defining a separate `http` element for the pattern like this:
[source,xml]
----
<http pattern="/css/**" security="none"/>
<http pattern="/login.jsp*" security="none"/>
<http use-expressions="false">
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page='/login.jsp'/>
</http>
----
From Spring Security 3.1 it is now possible to use multiple `http` elements to define separate security filter chain configurations for different request patterns.
If the `pattern` attribute is omitted from an `http` element, it matches all requests.
Creating an unsecured pattern is a simple example of this syntax, where the pattern is mapped to an empty filter chain footnote:[The use of multiple `<http>` elements is an important feature, allowing the namespace to simultaneously support both stateful and stateless paths within the same application, for example.
The previous syntax, using the attribute `filters="none"` on an `intercept-url` element is incompatible with this change and is no longer supported in 3.1.].
We'll look at this new syntax in more detail in the chapter on the <<filter-chains-with-ns,Security Filter Chain>>.
It's important to realise that these unsecured requests will be completely oblivious to any Spring Security web-related configuration or additional attributes such as `requires-channel`, so you will not be able to access information on the current user or call secured methods during the request.
Use `access='IS_AUTHENTICATED_ANONYMOUSLY'` as an alternative if you still want the security filter chain to be applied.
If you want to use basic authentication instead of form login, then change the configuration to
[source,xml]
----
<http use-expressions="false">
<intercept-url pattern="/**" access="ROLE_USER" />
<http-basic />
</http>
----
Basic authentication will then take precedence and will be used to prompt for a login when a user attempts to access a protected resource.
Form login is still available in this configuration if you wish to use it, for example through a login form embedded in another web page.
[[ns-form-target]]
===== Setting a Default Post-Login Destination
If a form login isn't prompted by an attempt to access a protected resource, the `default-target-url` option comes into play.
This is the URL the user will be taken to after successfully logging in, and defaults to "/".
You can also configure things so that the user __always__ ends up at this page (regardless of whether the login was "on-demand" or they explicitly chose to log in) by setting the `always-use-default-target` attribute to "true".
This is useful if your application always requires that the user starts at a "home" page, for example:
[source,xml]
----
<http pattern="/login.htm*" security="none"/>
<http use-expressions="false">
<intercept-url pattern='/**' access='ROLE_USER' />
<form-login login-page='/login.htm' default-target-url='/home.htm'
always-use-default-target='true' />
</http>
----
For even more control over the destination, you can use the `authentication-success-handler-ref` attribute as an alternative to `default-target-url`.
The referenced bean should be an instance of `AuthenticationSuccessHandler`.
You'll find more on this in the <<form-login-flow-handling,Core Filters>> chapter and also in the namespace appendix, as well as information on how to customize the flow when authentication fails.
[[ns-logout]]
==== Logout Handling
The `logout` element adds support for logging out by navigating to a particular URL.
The default logout URL is `/logout`, but you can set it to something else using the `logout-url` attribute.
More information on other available attributes may be found in the namespace appendix.
[[ns-auth-providers]]
==== Using other Authentication Providers
In practice you will need a more scalable source of user information than a few names added to the application context file.
Most likely you will want to store your user information in something like a database or an LDAP server.
LDAP namespace configuration is dealt with in the <<ldap,LDAP chapter>>, so we won't cover it here.
If you have a custom implementation of Spring Security's `UserDetailsService`, called "myUserDetailsService" in your application context, then you can authenticate against this using
[source,xml]
----
<authentication-manager>
<authentication-provider user-service-ref='myUserDetailsService'/>
</authentication-manager>
----
If you want to use a database, then you can use
[source,xml]
----
<authentication-manager>
<authentication-provider>
<jdbc-user-service data-source-ref="securityDataSource"/>
</authentication-provider>
</authentication-manager>
----
Where "securityDataSource" is the name of a `DataSource` bean in the application context, pointing at a database containing the standard Spring Security <<user-schema,user data tables>>.
Alternatively, you could configure a Spring Security `JdbcDaoImpl` bean and point at that using the `user-service-ref` attribute:
[source,xml]
----
<authentication-manager>
<authentication-provider user-service-ref='myUserDetailsService'/>
</authentication-manager>
<beans:bean id="myUserDetailsService"
class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
<beans:property name="dataSource" ref="dataSource"/>
</beans:bean>
----
You can also use standard `AuthenticationProvider` beans as follows
[source,xml]
----
<authentication-manager>
<authentication-provider ref='myAuthenticationProvider'/>
</authentication-manager>
----
where `myAuthenticationProvider` is the name of a bean in your application context which implements `AuthenticationProvider`.
You can use multiple `authentication-provider` elements, in which case the providers will be queried in the order they are declared.
See <<ns-auth-manager>> for more information on how the Spring Security `AuthenticationManager` is configured using the namespace.
[[ns-password-encoder]]
===== Adding a Password Encoder
Passwords should always be encoded using a secure hashing algorithm designed for the purpose (not a standard algorithm like SHA or MD5).
This is supported by the `<password-encoder>` element.
With bcrypt encoded passwords, the original authentication provider configuration would look like this:
[source,xml]
----
<beans:bean name="bcryptEncoder"
class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<authentication-manager>
<authentication-provider>
<password-encoder ref="bcryptEncoder"/>
<user-service>
<user name="jimi" password="$2a$10$ddEWZUl8aU0GdZPPpy7wbu82dvEw/pBpbRvDQRqA41y6mK1CoH00m"
authorities="ROLE_USER, ROLE_ADMIN" />
<user name="bob" password="$2a$10$/elFpMBnAYYig6KRR5bvOOYeZr1ie1hSogJryg9qDlhza4oCw1Qka"
authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
----
bcrypt is a good choice for most cases, unless you have a legacy system which forces you to use a different algorithm.
If you are using a simple hashing algorithm or, even worse, storing plain text passwords, then you should consider migrating to a more secure option like bcrypt.
[[ns-web-advanced]]
=== Advanced Web Features
[[ns-remember-me]]
==== Remember-Me Authentication
See the separate <<remember-me,Remember-Me chapter>> for information on remember-me namespace configuration.
[[ns-requires-channel]]
==== Adding HTTP/HTTPS Channel Security
If your application supports both HTTP and HTTPS, and you require that particular URLs can only be accessed over HTTPS, then this is directly supported using the `requires-channel` attribute on `<intercept-url>`:
[source,xml]
----
<http>
<intercept-url pattern="/secure/**" access="ROLE_USER" requires-channel="https"/>
<intercept-url pattern="/**" access="ROLE_USER" requires-channel="any"/>
...
</http>
----
With this configuration in place, if a user attempts to access anything matching the "/secure/**" pattern using HTTP, they will first be redirected to an HTTPS URL footnote:[For more details on how channel-processing is implemented, see the Javadoc for `ChannelProcessingFilter` and related classes.].
The available options are "http", "https" or "any".
Using the value "any" means that either HTTP or HTTPS can be used.
If your application uses non-standard ports for HTTP and/or HTTPS, you can specify a list of port mappings as follows:
[source,xml]
----
<http>
...
<port-mappings>
<port-mapping http="9080" https="9443"/>
</port-mappings>
</http>
----
Note that in order to be truly secure, an application should not use HTTP at all or switch between HTTP and HTTPS.
It should start in HTTPS (with the user entering an HTTPS URL) and use a secure connection throughout to avoid any possibility of man-in-the-middle attacks.
[[ns-session-mgmt]]
==== Session Management
===== Detecting Timeouts
You can configure Spring Security to detect the submission of an invalid session ID and redirect the user to an appropriate URL.
This is achieved through the `session-management` element:
[source,xml]
----
<http>
...
<session-management invalid-session-url="/invalidSession.htm" />
</http>
----
Note that if you use this mechanism to detect session timeouts, it may falsely report an error if the user logs out and then logs back in without closing the browser.
This is because the session cookie is not cleared when you invalidate the session and will be resubmitted even if the user has logged out.
You may be able to explicitly delete the JSESSIONID cookie on logging out, for example by using the following syntax in the logout handler:
[source,xml]
----
<http>
<logout delete-cookies="JSESSIONID" />
</http>
----
Unfortunately this can't be guaranteed to work with every servlet container, so you will need to test it in your environment
[NOTE]
====
If you are running your application behind a proxy, you may also be able to remove the session cookie by configuring the proxy server.
For example, using Apache HTTPD's mod_headers, the following directive would delete the `JSESSIONID` cookie by expiring it in the response to a logout request (assuming the application is deployed under the path `/tutorial`):
[source,xml]
----
<LocationMatch "/tutorial/logout">
Header always set Set-Cookie "JSESSIONID=;Path=/tutorial;Expires=Thu, 01 Jan 1970 00:00:00 GMT"
</LocationMatch>
----
====
[[ns-concurrent-sessions]]
===== Concurrent Session Control
If you wish to place constraints on a single user's ability to log in to your application, Spring Security supports this out of the box with the following simple additions.
First you need to add the following listener to your `web.xml` file to keep Spring Security updated about session lifecycle events:
[source,xml]
----
<listener>
<listener-class>
org.springframework.security.web.session.HttpSessionEventPublisher
</listener-class>
</listener>
----
Then add the following lines to your application context:
[source,xml]
----
<http>
...
<session-management>
<concurrency-control max-sessions="1" />
</session-management>
</http>
----
This will prevent a user from logging in multiple times - a second login will cause the first to be invalidated.
Often you would prefer to prevent a second login, in which case you can use
[source,xml]
----
<http>
...
<session-management>
<concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>
</http>
----
The second login will then be rejected.
By "rejected", we mean that the user will be sent to the `authentication-failure-url` if form-based login is being used.
If the second authentication takes place through another non-interactive mechanism, such as "remember-me", an "unauthorized" (401) error will be sent to the client.
If instead you want to use an error page, you can add the attribute `session-authentication-error-url` to the `session-management` element.
If you are using a customized authentication filter for form-based login, then you have to configure concurrent session control support explicitly.
More details can be found in the <<session-mgmt,Session Management chapter>>.
[[ns-session-fixation]]
===== Session Fixation Attack Protection
http://en.wikipedia.org/wiki/Session_fixation[Session fixation] attacks are a potential risk where it is possible for a malicious attacker to create a session by accessing a site, then persuade another user to log in with the same session (by sending them a link containing the session identifier as a parameter, for example).
Spring Security protects against this automatically by creating a new session or otherwise changing the session ID when a user logs in.
If you don't require this protection, or it conflicts with some other requirement, you can control the behavior using the `session-fixation-protection` attribute on `<session-management>`, which has four options
* `none` - Don't do anything.
The original session will be retained.
* `newSession` - Create a new "clean" session, without copying the existing session data (Spring Security-related attributes will still be copied).
* `migrateSession` - Create a new session and copy all existing session attributes to the new session.
This is the default in Servlet 3.0 or older containers.
* `changeSessionId` - Do not create a new session.
Instead, use the session fixation protection provided by the Servlet container (`HttpServletRequest#changeSessionId()`).
This option is only available in Servlet 3.1 (Java EE 7) and newer containers.
Specifying it in older containers will result in an exception.
This is the default in Servlet 3.1 and newer containers.
When session fixation protection occurs, it results in a `SessionFixationProtectionEvent` being published in the application context.
If you use `changeSessionId`, this protection will __also__ result in any `javax.servlet.http.HttpSessionIdListener` s being notified, so use caution if your code listens for both events.
See the <<session-mgmt,Session Management>> chapter for additional information.
[[ns-openid]]
==== OpenID Support
The namespace supports http://openid.net/[OpenID] login either instead of, or in addition to normal form-based login, with a simple change:
[source,xml]
----
<http>
<intercept-url pattern="/**" access="ROLE_USER" />
<openid-login />
</http>
----
You should then register yourself with an OpenID provider (such as myopenid.com), and add the user information to your in-memory `<user-service>`:
[source,xml]
----
<user name="http://jimi.hendrix.myopenid.com/" authorities="ROLE_USER" />
----
You should be able to login using the `myopenid.com` site to authenticate.
It is also possible to select a specific `UserDetailsService` bean for use OpenID by setting the `user-service-ref` attribute on the `openid-login` element.
See the previous section on <<ns-auth-providers,authentication providers>> for more information.
Note that we have omitted the password attribute from the above user configuration, since this set of user data is only being used to load the authorities for the user.
A random password will be generated internally, preventing you from accidentally using this user data as an authentication source elsewhere in your configuration.
===== Attribute Exchange
Support for OpenID http://openid.net/specs/openid-attribute-exchange-1_0.html[attribute exchange].
As an example, the following configuration would attempt to retrieve the email and full name from the OpenID provider, for use by the application:
[source,xml]
----
<openid-login>
<attribute-exchange>
<openid-attribute name="email" type="http://axschema.org/contact/email" required="true"/>
<openid-attribute name="name" type="http://axschema.org/namePerson"/>
</attribute-exchange>
</openid-login>
----
The "type" of each OpenID attribute is a URI, determined by a particular schema, in this case http://axschema.org/[http://axschema.org/].
If an attribute must be retrieved for successful authentication, the `required` attribute can be set.
The exact schema and attributes supported will depend on your OpenID provider.
The attribute values are returned as part of the authentication process and can be accessed afterwards using the following code:
[source,java]
----
OpenIDAuthenticationToken token =
(OpenIDAuthenticationToken)SecurityContextHolder.getContext().getAuthentication();
List<OpenIDAttribute> attributes = token.getAttributes();
----
The `OpenIDAttribute` contains the attribute type and the retrieved value (or values in the case of multi-valued attributes).
We'll see more about how the `SecurityContextHolder` class is used when we look at core Spring Security components in the <<core-components,technical overview>> chapter.
Multiple attribute exchange configurations are also be supported, if you wish to use multiple identity providers.
You can supply multiple `attribute-exchange` elements, using an `identifier-matcher` attribute on each.
This contains a regular expression which will be matched against the OpenID identifier supplied by the user.
See the OpenID sample application in the codebase for an example configuration, providing different attribute lists for the Google, Yahoo and MyOpenID providers.
[[ns-headers]]
==== Response Headers
For additional information on how to customize the headers element refer to the <<headers>> section of the reference.
[[ns-custom-filters]]
==== Adding in Your Own Filters
If you've used Spring Security before, you'll know that the framework maintains a chain of filters in order to apply its services.
You may want to add your own filters to the stack at particular locations or use a Spring Security filter for which there isn't currently a namespace configuration option (CAS, for example).
Or you might want to use a customized version of a standard namespace filter, such as the `UsernamePasswordAuthenticationFilter` which is created by the `<form-login>` element, taking advantage of some of the extra configuration options which are available by using the bean explicitly.
How can you do this with namespace configuration, since the filter chain is not directly exposed?
The order of the filters is always strictly enforced when using the namespace.
When the application context is being created, the filter beans are sorted by the namespace handling code and the standard Spring Security filters each have an alias in the namespace and a well-known position.
[NOTE]
====
In previous versions, the sorting took place after the filter instances had been created, during post-processing of the application context.
In version 3.0+ the sorting is now done at the bean metadata level, before the classes have been instantiated.
This has implications for how you add your own filters to the stack as the entire filter list must be known during the parsing of the `<http>` element, so the syntax has changed slightly in 3.0.
====
The filters, aliases and namespace elements/attributes which create the filters are shown in <<filter-stack>>.
The filters are listed in the order in which they occur in the filter chain.
[[filter-stack]]
.Standard Filter Aliases and Ordering
|===
| Alias | Filter Class | Namespace Element or Attribute
| CHANNEL_FILTER
| `ChannelProcessingFilter`
| `http/intercept-url@requires-channel`
| SECURITY_CONTEXT_FILTER
| `SecurityContextPersistenceFilter`
| `http`
| CONCURRENT_SESSION_FILTER
| `ConcurrentSessionFilter`
| `session-management/concurrency-control`
| HEADERS_FILTER
| `HeaderWriterFilter`
| `http/headers`
| CSRF_FILTER
| `CsrfFilter`
| `http/csrf`
| LOGOUT_FILTER
| `LogoutFilter`
| `http/logout`
| X509_FILTER
| `X509AuthenticationFilter`
| `http/x509`
| PRE_AUTH_FILTER
| `AbstractPreAuthenticatedProcessingFilter` Subclasses
| N/A
| CAS_FILTER
| `CasAuthenticationFilter`
| N/A
| FORM_LOGIN_FILTER
| `UsernamePasswordAuthenticationFilter`
| `http/form-login`
| BASIC_AUTH_FILTER
| `BasicAuthenticationFilter`
| `http/http-basic`
| SERVLET_API_SUPPORT_FILTER
| `SecurityContextHolderAwareRequestFilter`
| `http/@servlet-api-provision`
| JAAS_API_SUPPORT_FILTER
| `JaasApiIntegrationFilter`
| `http/@jaas-api-provision`
| REMEMBER_ME_FILTER
| `RememberMeAuthenticationFilter`
| `http/remember-me`
| ANONYMOUS_FILTER
| `AnonymousAuthenticationFilter`
| `http/anonymous`
| SESSION_MANAGEMENT_FILTER
| `SessionManagementFilter`
| `session-management`
| EXCEPTION_TRANSLATION_FILTER
| `ExceptionTranslationFilter`
| `http`
| FILTER_SECURITY_INTERCEPTOR
| `FilterSecurityInterceptor`
| `http`
| SWITCH_USER_FILTER
| `SwitchUserFilter`
| N/A
|===
You can add your own filter to the stack, using the `custom-filter` element and one of these names to specify the position your filter should appear at:
[source,xml]
----
<http>
<custom-filter position="FORM_LOGIN_FILTER" ref="myFilter" />
</http>
<beans:bean id="myFilter" class="com.mycompany.MySpecialAuthenticationFilter"/>
----
You can also use the `after` or `before` attributes if you want your filter to be inserted before or after another filter in the stack.
The names "FIRST" and "LAST" can be used with the `position` attribute to indicate that you want your filter to appear before or after the entire stack, respectively.
.Avoiding filter position conflicts
[TIP]
====
If you are inserting a custom filter which may occupy the same position as one of the standard filters created by the namespace then it's important that you don't include the namespace versions by mistake.
Remove any elements which create filters whose functionality you want to replace.
Note that you can't replace filters which are created by the use of the `<http>` element itself - `SecurityContextPersistenceFilter`, `ExceptionTranslationFilter` or `FilterSecurityInterceptor`.
Some other filters are added by default, but you can disable them.
An `AnonymousAuthenticationFilter` is added by default and unless you have <<ns-session-fixation,session-fixation protection>> disabled, a `SessionManagementFilter` will also be added to the filter chain.
====
If you're replacing a namespace filter which requires an authentication entry point (i.e. where the authentication process is triggered by an attempt by an unauthenticated user to access to a secured resource), you will need to add a custom entry point bean too.
[[ns-entry-point-ref]]
===== Setting a Custom AuthenticationEntryPoint
If you aren't using form login, OpenID or basic authentication through the namespace, you may want to define an authentication filter and entry point using a traditional bean syntax and link them into the namespace, as we've just seen.
The corresponding `AuthenticationEntryPoint` can be set using the `entry-point-ref` attribute on the `<http>` element.
The CAS sample application is a good example of the use of custom beans with the namespace, including this syntax.
If you aren't familiar with authentication entry points, they are discussed in the <<tech-intro-auth-entry-point,technical overview>> chapter.
[[ns-method-security]]
=== Method Security
From version 2.0 onwards Spring Security has improved support substantially for adding security to your service layer methods.
It provides support for JSR-250 annotation security as well as the framework's original `@Secured` annotation.
From 3.0 you can also make use of new <<el-access,expression-based annotations>>.
You can apply security to a single bean, using the `intercept-methods` element to decorate the bean declaration, or you can secure multiple beans across the entire service layer using the AspectJ style pointcuts.
[[ns-global-method]]
==== The <global-method-security> Element
This element is used to enable annotation-based security in your application (by setting the appropriate attributes on the element), and also to group together security pointcut declarations which will be applied across your entire application context.
You should only declare one `<global-method-security>` element.
The following declaration would enable support for Spring Security's `@Secured`:
[source,xml]
----
<global-method-security secured-annotations="enabled" />
----
Adding an annotation to a method (on an class or interface) would then limit the access to that method accordingly.
Spring Security's native annotation support defines a set of attributes for the method.
These will be passed to the `AccessDecisionManager` for it to make the actual decision:
[source,java]
----
public interface BankService {
@Secured("IS_AUTHENTICATED_ANONYMOUSLY")
public Account readAccount(Long id);
@Secured("IS_AUTHENTICATED_ANONYMOUSLY")
public Account[] findAccounts();
@Secured("ROLE_TELLER")
public Account post(Account account, double amount);
}
----
Support for JSR-250 annotations can be enabled using
[source,xml]
----
<global-method-security jsr250-annotations="enabled" />
----
These are standards-based and allow simple role-based constraints to be applied but do not have the power Spring Security's native annotations.
To use the new expression-based syntax, you would use
[source,xml]
----
<global-method-security pre-post-annotations="enabled" />
----
and the equivalent Java code would be
[source,java]
----
public interface BankService {
@PreAuthorize("isAnonymous()")
public Account readAccount(Long id);
@PreAuthorize("isAnonymous()")
public Account[] findAccounts();
@PreAuthorize("hasAuthority('ROLE_TELLER')")
public Account post(Account account, double amount);
}
----
Expression-based annotations are a good choice if you need to define simple rules that go beyond checking the role names against the user's list of authorities.
[NOTE]
====
The annotated methods will only be secured for instances which are defined as Spring beans (in the same application context in which method-security is enabled).
If you want to secure instances which are not created by Spring (using the `new` operator, for example) then you need to use AspectJ.
====
[NOTE]
====
You can enable more than one type of annotation in the same application, but only one type should be used for any interface or class as the behaviour will not be well-defined otherwise.
If two annotations are found which apply to a particular method, then only one of them will be applied.
====
[[ns-protect-pointcut]]
===== Adding Security Pointcuts using protect-pointcut
The use of `protect-pointcut` is particularly powerful, as it allows you to apply security to many beans with only a simple declaration.
Consider the following example:
[source,xml]
----
<global-method-security>
<protect-pointcut expression="execution(* com.mycompany.*Service.*(..))"
access="ROLE_USER"/>
</global-method-security>
----
This will protect all methods on beans declared in the application context whose classes are in the `com.mycompany` package and whose class names end in "Service".
Only users with the `ROLE_USER` role will be able to invoke these methods.
As with URL matching, the most specific matches must come first in the list of pointcuts, as the first matching expression will be used.
Security annotations take precedence over pointcuts.
[[ns-access-manager]]
=== The Default AccessDecisionManager
This section assumes you have some knowledge of the underlying architecture for access-control within Spring Security.
If you don't you can skip it and come back to it later, as this section is only really relevant for people who need to do some customization in order to use more than simple role-based security.
When you use a namespace configuration, a default instance of `AccessDecisionManager` is automatically registered for you and will be used for making access decisions for method invocations and web URL access, based on the access attributes you specify in your `intercept-url` and `protect-pointcut` declarations (and in annotations if you are using annotation secured methods).
The default strategy is to use an `AffirmativeBased` `AccessDecisionManager` with a `RoleVoter` and an `AuthenticatedVoter`.
You can find out more about these in the chapter on <<authz-arch,authorization>>.
[[ns-custom-access-mgr]]
==== Customizing the AccessDecisionManager
If you need to use a more complicated access control strategy then it is easy to set an alternative for both method and web security.
For method security, you do this by setting the `access-decision-manager-ref` attribute on `global-method-security` to the `id` of the appropriate `AccessDecisionManager` bean in the application context:
[source,xml]
----
<global-method-security access-decision-manager-ref="myAccessDecisionManagerBean">
...
</global-method-security>
----
The syntax for web security is the same, but on the `http` element:
[source,xml]
----
<http access-decision-manager-ref="myAccessDecisionManagerBean">
...
</http>
----
[[ns-auth-manager]]
=== The Authentication Manager and the Namespace
The main interface which provides authentication services in Spring Security is the `AuthenticationManager`.
This is usually an instance of Spring Security's `ProviderManager` class, which you may already be familiar with if you've used the framework before.
If not, it will be covered later, in the <<tech-intro-authentication,technical overview chapter>>.
The bean instance is registered using the `authentication-manager` namespace element.
You can't use a custom `AuthenticationManager` if you are using either HTTP or method security through the namespace, but this should not be a problem as you have full control over the `AuthenticationProvider` s that are used.
You may want to register additional `AuthenticationProvider` beans with the `ProviderManager` and you can do this using the `<authentication-provider>` element with the `ref` attribute, where the value of the attribute is the name of the provider bean you want to add.
For example:
[source,xml]
----
<authentication-manager>
<authentication-provider ref="casAuthenticationProvider"/>
</authentication-manager>
<bean id="casAuthenticationProvider"
class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
...
</bean>
----
Another common requirement is that another bean in the context may require a reference to the `AuthenticationManager`.
You can easily register an alias for the `AuthenticationManager` and use this name elsewhere in your application context.
[source,xml]
----
<security:authentication-manager alias="authenticationManager">
...
</security:authentication-manager>
<bean id="customizedFormLoginFilter"
class="com.somecompany.security.web.CustomFormLoginFilter">
<property name="authenticationManager" ref="authenticationManager"/>
...
</bean>
----

119
docs/manual/src/docs/asciidoc/_includes/preface/samples.adoc Normal file
View File

@ -0,0 +1,119 @@
[[sample-apps]]
== Sample Applications
There are several sample web applications that are available with the project.
To avoid an overly large download, only the "tutorial" and "contacts" samples are included in the distribution zip file.
The others can be built directly from the source which you can obtain as described in <<get-source,the introduction>>.
It's easy to build the project yourself and there's more information on the project web site at http://spring.io/spring-security/[http://spring.io/spring-security/].
All paths referred to in this chapter are relative to the project source directory.
[[tutorial-sample]]
=== Tutorial Sample
The tutorial sample is a nice basic example to get you started.
It uses simple namespace configuration throughout.
The compiled application is included in the distribution zip file, ready to be deployed into your web container (`spring-security-samples-tutorial-3.1.x.war`).
The <<ns-form-and-basic,form-based>> authentication mechanism is used in combination with the commonly-used <<remember-me,remember-me>> authentication provider to automatically remember the login using cookies.
We recommend you start with the tutorial sample, as the XML is minimal and easy to follow.
Most importantly, you can easily add this one XML file (and its corresponding `web.xml` entries) to your existing application.
Only when this basic integration is achieved do we suggest you attempt adding in method authorization or domain object security.
[[contacts-sample]]
=== Contacts
The Contacts Sample is an advanced example in that it illustrates the more powerful features of domain object access control lists (ACLs) in addition to basic application security.
The application provides an interface with which the users are able to administer a simple database of contacts (the domain objects).
To deploy, simply copy the WAR file from Spring Security distribution into your container's `webapps` directory.
The war should be called `spring-security-samples-contacts-3.1.x.war` (the appended version number will vary depending on what release you are using).
After starting your container, check the application can load.
Visit http://localhost:8080/contacts (or whichever URL is appropriate for your web container and the WAR you deployed).
Next, click "Debug".
You will be prompted to authenticate, and a series of usernames and passwords are suggested on that page.
Simply authenticate with any of these and view the resulting page.
It should contain a success message similar to the following:
----
Security Debug Information
Authentication object is of type:
org.springframework.security.authentication.UsernamePasswordAuthenticationToken
Authentication object as a String:
org.springframework.security.authentication.UsernamePasswordAuthenticationToken@1f127853:
Principal: org.springframework.security.core.userdetails.User@b07ed00: Username: rod; \
Password: [PROTECTED]; Enabled: true; AccountNonExpired: true;
credentialsNonExpired: true; AccountNonLocked: true; \
Granted Authorities: ROLE_SUPERVISOR, ROLE_USER; \
Password: [PROTECTED]; Authenticated: true; \
Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: \
RemoteIpAddress: 127.0.0.1; SessionId: 8fkp8t83ohar; \
Granted Authorities: ROLE_SUPERVISOR, ROLE_USER
Authentication object holds the following granted authorities:
ROLE_SUPERVISOR (getAuthority(): ROLE_SUPERVISOR)
ROLE_USER (getAuthority(): ROLE_USER)
Success! Your web filters appear to be properly configured!
----
Once you successfully receive the above message, return to the sample application's home page and click "Manage".
You can then try out the application.
Notice that only the contacts available to the currently logged on user are displayed, and only users with `ROLE_SUPERVISOR` are granted access to delete their contacts.
Behind the scenes, the `MethodSecurityInterceptor` is securing the business objects.
The application allows you to modify the access control lists associated with different contacts.
Be sure to give this a try and understand how it works by reviewing the application context XML files.
[[ldap-sample]]
=== LDAP Sample
The LDAP sample application provides a basic configuration and sets up both a namespace configuration and an equivalent configuration using traditional beans, both in the same application context file.
This means there are actually two identical authentication providers configured in this application.
[[openid-sample]]
=== OpenID Sample
The OpenID sample demonstrates how to use the namespace to configure OpenID and how to set up http://openid.net/specs/openid-attribute-exchange-1_0.html[attribute exchange] configurations for Google, Yahoo and MyOpenID identity providers (you can experiment with adding others if you wish).
It uses the JQuery-based http://code.google.com/p/openid-selector/[openid-selector] project to provide a user-friendly login page which allows the user to easily select a provider, rather than typing in the full OpenID identifier.
The application differs from normal authentication scenarios in that it allows any user to access the site (provided their OpenID authentication is successful).
The first time you login, you will get a "Welcome [your name]"" message.
If you logout and log back in (with the same OpenID identity) then this should change to "Welcome Back".
This is achieved by using a custom `UserDetailsService` which assigns a standard role to any user and stores the identities internally in a map.
Obviously a real application would use a database instead.
Have a look at the source form more information.
This class also takes into account the fact that different attributes may be returned from different providers and builds the name with which it addresses the user accordingly.
[[cas-sample]]
=== CAS Sample
The CAS sample requires that you run both a CAS server and CAS client.
It isn't included in the distribution so you should check out the project code as described in <<get-source,the introduction>>.
You'll find the relevant files under the `sample/cas` directory.
There's also a `Readme.txt` file in there which explains how to run both the server and the client directly from the source tree, complete with SSL support.
[[jaas-sample]]
=== JAAS Sample
The JAAS sample is very simple example of how to use a JAAS LoginModule with Spring Security.
The provided LoginModule will successfully authenticate a user if the username equals the password otherwise a LoginException is thrown.
The AuthorityGranter used in this example always grants the role ROLE_USER.
The sample application also demonstrates how to run as the JAAS Subject returned by the LoginModule by setting <<nsa-http-jaas-api-provision,jaas-api-provision>> equal to "true".
[[preauth-sample]]
=== Pre-Authentication Sample
This sample application demonstrates how to wire up beans from the <<preauth,pre-authentication>> framework to make use of login information from a Java EE container.
The user name and roles are those setup by the container.
The code is in `samples/preauth`.

16
docs/manual/src/docs/asciidoc/_includes/preface/whats-new.adoc Normal file
View File

@ -0,0 +1,16 @@
[[new]]
== What's New in Spring Security 5.1
Spring Security 5.1 provides a number of new features.
Below are the highlights of the release.
=== New Features
* <<test-method>>
** Support for customizing when the `SecurityContext` is setup in the test
For example, `@WithMockUser(setupBefore = TestExecutionEvent.TEST_EXECUTION)` will setup a user after JUnit's `@Before` and before the test executes.
** `@WithUserDetails` now works with `ReactiveUserDetailsService`
* <<jackson>> - added support for `BadCredentialsException`
* <<mvc-authentication-principal>>
** Supports resolving beans in WebFlux (was already supported in Spring MVC)
** Supports resolving `errorOnInvalidType` in WebFlux (was already supported in Spring MVC)

2
docs/manual/src/docs/asciidoc/index.adoc
View File

@ -6,7 +6,7 @@ Ben Alex; Luke Taylor; Rob Winch; Gunnar Hillert; Joe Grandja; Jay Bryant
Spring Security is a powerful and highly customizable authentication and access-control framework.
It is the de-facto standard for securing Spring-based applications.
include::{include-dir}/preface.adoc[]
include::{include-dir}/preface/index.adoc[]
include::{include-dir}/architecture.adoc[]