343 lines
10 KiB
Plaintext
343 lines
10 KiB
Plaintext
// FIXME: This might make sense in Getting Spring Security along with the artifact information
|
|
|
|
[[modules]]
|
|
= Project Modules and Dependencies
|
|
In Spring Security 3.0, the codebase was sub-divided into separate jars which more clearly separate different functionality areas and third-party dependencies.
|
|
If you use Maven to build your project, these are the modules you should add to your `pom.xml`.
|
|
Even if you do not use Maven, we recommend that you consult the `pom.xml` files to get an idea of third-party dependencies and versions.
|
|
Another good idea is to examine the libraries that are included in the sample applications.
|
|
|
|
This section provides a reference of the modules in Spring Security and the additional dependencies that they require in order to function in a running application.
|
|
We don't include dependencies that are only used when building or testing Spring Security itself.
|
|
Nor do we include transitive dependencies which are required by external dependencies.
|
|
|
|
The version of Spring required is listed on the project website, so the specific versions are omitted for Spring dependencies below.
|
|
Note that some of the dependencies listed as "optional" below may still be required for other non-security functionality in a Spring application.
|
|
Also dependencies listed as "optional" may not actually be marked as such in the project's Maven POM files if they are used in most applications.
|
|
They are "optional" only in the sense that you don't need them unless you are using the specified functionality.
|
|
|
|
Where a module depends on another Spring Security module, the non-optional dependencies of the module it depends on are also assumed to be required and are not listed separately.
|
|
|
|
|
|
[[spring-security-core]]
|
|
== Core -- `spring-security-core.jar`
|
|
This module contains core authentication and access-contol classes and interfaces, remoting support, and basic provisioning APIs.
|
|
It is required by any application that uses Spring Security.
|
|
It supports standalone applications, remote clients, method (service layer) security, and JDBC user provisioning.
|
|
It contains the following top-level packages:
|
|
|
|
* `org.springframework.security.core`
|
|
* `org.springframework.security.access`
|
|
* `org.springframework.security.authentication`
|
|
* `org.springframework.security.provisioning`
|
|
|
|
.Core Dependencies
|
|
|===
|
|
| Dependency | Version | Description
|
|
|
|
| ehcache
|
|
| 1.6.2
|
|
| Required if the Ehcache-based user cache implementation is used (optional).
|
|
|
|
| spring-aop
|
|
|
|
|
| Method security is based on Spring AOP
|
|
|
|
| spring-beans
|
|
|
|
|
| Required for Spring configuration
|
|
|
|
| spring-expression
|
|
|
|
|
| Required for expression-based method security (optional)
|
|
|
|
| spring-jdbc
|
|
|
|
|
| Required if using a database to store user data (optional).
|
|
|
|
| spring-tx
|
|
|
|
|
| Required if using a database to store user data (optional).
|
|
|
|
| aspectjrt
|
|
| 1.6.10
|
|
| Required if using AspectJ support (optional).
|
|
|
|
| jsr250-api
|
|
| 1.0
|
|
| Required if you are using JSR-250 method-security annotations (optional).
|
|
|===
|
|
|
|
|
|
[[spring-security-remoting]]
|
|
== Remoting -- `spring-security-remoting.jar`
|
|
This module provides integration with Spring Remoting.
|
|
You do not need this unless you are writing a remote client that uses Spring Remoting.
|
|
The main package is `org.springframework.security.remoting`.
|
|
|
|
.Remoting Dependencies
|
|
|===
|
|
| Dependency | Version | Description
|
|
|
|
| spring-security-core
|
|
|
|
|
|
|
|
|
|
| spring-web
|
|
|
|
|
| Required for clients which use HTTP remoting support.
|
|
|===
|
|
|
|
[[spring-security-web]]
|
|
== Web -- `spring-security-web.jar`
|
|
This module contains filters and related web-security infrastructure code.
|
|
It contains anything with a servlet API dependency.
|
|
You need it if you require Spring Security web authentication services and URL-based access-control.
|
|
The main package is `org.springframework.security.web`.
|
|
|
|
.Web Dependencies
|
|
|===
|
|
| Dependency | Version | Description
|
|
|
|
| spring-security-core
|
|
|
|
|
|
|
|
|
|
| spring-web
|
|
|
|
|
| Spring web support classes are used extensively.
|
|
|
|
| spring-jdbc
|
|
|
|
|
| Required for JDBC-based persistent remember-me token repository (optional).
|
|
|
|
| spring-tx
|
|
|
|
|
| Required by remember-me persistent token repository implementations (optional).
|
|
|===
|
|
|
|
[[spring-security-config]]
|
|
== Config -- `spring-security-config.jar`
|
|
This module contains the security namespace parsing code and Java configuration code.
|
|
You need it if you use the Spring Security XML namespace for configuration or Spring Security's Java Configuration support.
|
|
The main package is `org.springframework.security.config`.
|
|
None of the classes are intended for direct use in an application.
|
|
|
|
.Config Dependencies
|
|
|===
|
|
| Dependency | Version | Description
|
|
|
|
| spring-security-core
|
|
|
|
|
|
|
|
|
|
| spring-security-web
|
|
|
|
|
| Required if you are using any web-related namespace configuration (optional).
|
|
|
|
| spring-security-ldap
|
|
|
|
|
| Required if you are using the LDAP namespace options (optional).
|
|
|
|
| spring-security-openid
|
|
|
|
|
| Required if you are using OpenID authentication (optional).
|
|
|
|
| aspectjweaver
|
|
| 1.6.10
|
|
| Required if using the protect-pointcut namespace syntax (optional).
|
|
|===
|
|
|
|
[[spring-security-ldap]]
|
|
== LDAP -- `spring-security-ldap.jar`
|
|
This module provides LDAP authentication and provisioning code.
|
|
It is required if you need to use LDAP authentication or manage LDAP user entries.
|
|
The top-level package is `org.springframework.security.ldap`.
|
|
|
|
.LDAP Dependencies
|
|
|===
|
|
| Dependency | Version | Description
|
|
|
|
| spring-security-core
|
|
|
|
|
|
|
|
|
|
| spring-ldap-core
|
|
| 1.3.0
|
|
| LDAP support is based on Spring LDAP.
|
|
|
|
| spring-tx
|
|
|
|
|
| Data exception classes are required.
|
|
|
|
| apache-ds footnote:[The modules `apacheds-core`, `apacheds-core-entry`, `apacheds-protocol-shared`, `apacheds-protocol-ldap` and `apacheds-server-jndi` are required.
|
|
]
|
|
| 1.5.5
|
|
| Required if you are using an embedded LDAP server (optional).
|
|
|
|
| shared-ldap
|
|
| 0.9.15
|
|
| Required if you are using an embedded LDAP server (optional).
|
|
|
|
| ldapsdk
|
|
| 4.1
|
|
| Mozilla LdapSDK.
|
|
Used for decoding LDAP password policy controls if you are using password-policy functionality with OpenLDAP, for example.
|
|
|===
|
|
|
|
[[spring-security-oauth2-core]]
|
|
== OAuth 2.0 Core -- `spring-security-oauth2-core.jar`
|
|
`spring-security-oauth2-core.jar` contains core classes and interfaces that provide support for the OAuth 2.0 Authorization Framework and for OpenID Connect Core 1.0.
|
|
It is required by applications that use OAuth 2.0 or OpenID Connect Core 1.0, such as client, resource server, and authorization server.
|
|
The top-level package is `org.springframework.security.oauth2.core`.
|
|
|
|
|
|
[[spring-security-oauth2-client]]
|
|
== OAuth 2.0 Client -- `spring-security-oauth2-client.jar`
|
|
`spring-security-oauth2-client.jar` contains Spring Security's client support for OAuth 2.0 Authorization Framework and OpenID Connect Core 1.0.
|
|
It is required by applications that use OAuth 2.0 Login or OAuth Client support.
|
|
The top-level package is `org.springframework.security.oauth2.client`.
|
|
|
|
|
|
[[spring-security-oauth2-jose]]
|
|
== OAuth 2.0 JOSE -- `spring-security-oauth2-jose.jar`
|
|
`spring-security-oauth2-jose.jar` contains Spring Security's support for the JOSE (Javascript Object Signing and Encryption) framework.
|
|
The JOSE framework is intended to provide a method to securely transfer claims between parties.
|
|
It is built from a collection of specifications:
|
|
|
|
* JSON Web Token (JWT)
|
|
* JSON Web Signature (JWS)
|
|
* JSON Web Encryption (JWE)
|
|
* JSON Web Key (JWK)
|
|
|
|
It contains the following top-level packages:
|
|
|
|
* `org.springframework.security.oauth2.jwt`
|
|
* `org.springframework.security.oauth2.jose`
|
|
|
|
[[spring-security-oauth2-resource-server]]
|
|
== OAuth 2.0 Resource Server -- `spring-security-oauth2-resource-server.jar`
|
|
`spring-security-oauth2-resource-server.jar` contains Spring Security's support for OAuth 2.0 Resource Servers.
|
|
It is used to protect APIs via OAuth 2.0 Bearer Tokens.
|
|
The top-level package is `org.springframework.security.oauth2.server.resource`.
|
|
|
|
[[spring-security-acl]]
|
|
== ACL -- `spring-security-acl.jar`
|
|
This module contains a specialized domain object ACL implementation.
|
|
It is used to apply security to specific domain object instances within your application.
|
|
The top-level package is `org.springframework.security.acls`.
|
|
|
|
.ACL Dependencies
|
|
|===
|
|
| Dependency | Version | Description
|
|
|
|
| spring-security-core
|
|
|
|
|
|
|
|
|
|
| ehcache
|
|
| 1.6.2
|
|
| Required if the Ehcache-based ACL cache implementation is used (optional if you are using your own implementation).
|
|
|
|
| spring-jdbc
|
|
|
|
|
| Required if you are using the default JDBC-based AclService (optional if you implement your own).
|
|
|
|
| spring-tx
|
|
|
|
|
| Required if you are using the default JDBC-based AclService (optional if you implement your own).
|
|
|===
|
|
|
|
[[spring-security-cas]]
|
|
== CAS -- `spring-security-cas.jar`
|
|
This module contains Spring Security's CAS client integration.
|
|
You should use it if you want to use Spring Security web authentication with a CAS single sign-on server.
|
|
The top-level package is `org.springframework.security.cas`.
|
|
|
|
.CAS Dependencies
|
|
|===
|
|
| Dependency | Version | Description
|
|
|
|
| spring-security-core
|
|
|
|
|
|
|
|
|
|
| spring-security-web
|
|
|
|
|
|
|
|
|
|
| cas-client-core
|
|
| 3.1.12
|
|
| The JA-SIG CAS Client.
|
|
This is the basis of the Spring Security integration.
|
|
|
|
| ehcache
|
|
| 1.6.2
|
|
| Required if you are using the Ehcache-based ticket cache (optional).
|
|
|===
|
|
|
|
[[spring-security-openid]]
|
|
== OpenID -- `spring-security-openid.jar`
|
|
[NOTE]
|
|
The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
|
|
|
|
This module contains OpenID web authentication support.
|
|
It is used to authenticate users against an external OpenID server.
|
|
The top-level package is `org.springframework.security.openid`.
|
|
It requires OpenID4Java.
|
|
|
|
.OpenID Dependencies
|
|
|===
|
|
| Dependency | Version | Description
|
|
|
|
| spring-security-core
|
|
|
|
|
|
|
|
|
|
| spring-security-web
|
|
|
|
|
|
|
|
|
|
| openid4java-nodeps
|
|
| 0.9.6
|
|
| Spring Security's OpenID integration uses OpenID4Java.
|
|
|
|
| httpclient
|
|
| 4.1.1
|
|
| openid4java-nodeps depends on HttpClient 4.
|
|
|
|
| guice
|
|
| 2.0
|
|
| openid4java-nodeps depends on Guice 2.
|
|
|===
|
|
|
|
|
|
[[spring-security-test]]
|
|
== Test -- `spring-security-test.jar`
|
|
This module contains support for testing with Spring Security.
|
|
|
|
[[spring-security-taglibs]]
|
|
== Taglibs -- `spring-secuity-taglibs.jar`
|
|
Provides Spring Security's JSP tag implementations.
|
|
|
|
.Taglib Dependencies
|
|
|===
|
|
| Dependency | Version | Description
|
|
|
|
| spring-security-core
|
|
|
|
|
|
|
|
|
|
| spring-security-web
|
|
|
|
|
|
|
|
|
|
| spring-security-acl
|
|
|
|
|
| Required if you are using the `accesscontrollist` tag or `hasPermission()` expressions with ACLs (optional).
|
|
|
|
| spring-expression
|
|
|
|
|
| Required if you are using SPEL expressions in your tag access constraints.
|
|
|===
|