Spring Security: a security framework that provides declarative, secure access control solutions for Spring-based enterprise applications

Source: Internet
Author: User

Spring Security is a security framework that provides declarative, secure access control solutions for Spring-based enterprise applications. It provides a set of beans that can be configured in the Spring application context, taking full advantage of Spring's IoC (Inversion of Control), DI (Dependency Injection) and AOP (Aspect-Oriented Programming) capabilities to provide declarative, secure access control for application systems, reducing the effort of writing large amounts of repetitive code for enterprise system security controls.

Spring Security, formerly known as Acegi Security, is the framework used by the Spring project team to provide security authentication services.

Spring Security provides comprehensive security services for enterprise application software based on Java EE, in particular for enterprise software projects developed using the leading Java EE solution, the Spring Framework.

Function:

Spring Security's support for Web security relies heavily on servlet filters. These filters intercept incoming requests and do some security processing before the application processes the request. Spring Security provides a number of filters that can intercept servlet requests and pass them on to the authentication manager and access decision manager for processing. Depending on your needs, you can use several filters to protect your application.

If you have used servlet filters, you know that for them to take effect you must configure them with the <filter> and <filter-mapping> elements in your Web application's web.xml file. While this works, it does not fit configurations that use dependency injection. FilterToBeanProxy is a special servlet filter that does not do much work of its own, but instead delegates its work to a bean in the Spring application context. The delegate bean implements the javax.servlet.Filter interface just like any other servlet filter, but it is configured in the Spring configuration file instead of the web.xml file. In fact, the bean that FilterToBeanProxy delegates to can be an arbitrary implementation of javax.servlet.Filter. It can be any of the Spring Security filters, or it can be a filter you have written yourself. But as already mentioned in this book, Spring Security requires a minimum of four, and possibly a dozen or more, filters to be configured.
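An added example of the delegation described above; it is not code from the original page or from Spring Security itself. `BeanDelegatingFilter` and its `targetBean` init-param are hypothetical names chosen for this illustration, and the Servlet API (`javax.servlet`) and Spring Web are assumed to be on the classpath.

```java
import java.io.IOException;
import javax.servlet.*;
import org.springframework.beans.BeansException;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

/**
 * Illustrative proxy (hypothetical class, not Spring's implementation):
 * registered in web.xml, it forwards every request to a Filter bean that is
 * defined and wired in the Spring application context.
 */
public class BeanDelegatingFilter implements Filter {

    private Filter delegate;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // "targetBean" is this example's own init-param: the bean name to look up.
        String beanName = config.getInitParameter("targetBean");
        if (beanName == null || beanName.trim().isEmpty()) {
            throw new ServletException("init-param 'targetBean' is required");
        }
        try {
            // Throws IllegalStateException if no root context has been loaded.
            WebApplicationContext ctx = WebApplicationContextUtils
                    .getRequiredWebApplicationContext(config.getServletContext());
            delegate = ctx.getBean(beanName, Filter.class);
        } catch (BeansException | IllegalStateException e) {
            // Fail closed: the filter must not come up without its delegate,
            // otherwise requests would reach the application unfiltered.
            throw new ServletException("Cannot resolve filter bean '" + beanName + "'", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // All security processing happens in the Spring-managed bean.
        delegate.doFilter(req, res, chain);
    }

    @Override
    public void destroy() {
        // Nothing to release: the bean's lifecycle belongs to the Spring container.
        delegate = null;
    }
}
```

Only this one class needs a <filter> and <filter-mapping> entry in web.xml; the filter it delegates to, and that filter's collaborators, are wired by dependency injection in the Spring configuration file.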

Advantages:

There are a number of reasons people use Spring Security, but what often attracts them is that the Java EE Servlet Specification and EJB Specification do not offer a solution for typical enterprise scenarios.

In particular, these standards are not portable at the WAR or EAR level. As a result, if the server environment changes, a lot of work is needed to reconfigure the application's security in the new target environment. Using Spring Security solves these problems and provides many other security features that are useful and fully customizable.

As you may know, security consists of two main operations. The first, "authentication", is the process of establishing that a principal is who they claim to be. A principal generally refers to a user, device, or other system that can perform actions on the system. The second, "authorization", refers to deciding whether a user can perform an action in the application; the principal's identity has already been established by the authentication process before the authorization decision is reached. These concepts are generic, not unique to Spring Security.

At the authentication level, Spring Security broadly supports a variety of authentication modes, most of which are provided by third parties or are being developed by relevant standards bodies, such as the Internet Engineering Task Force. As a supplement, Spring Security also provides its own set of authentication capabilities. Spring Security currently supports authentication integration with the following technologies:

  • HTTP BASIC authentication headers (an IETF RFC-based standard)
  • HTTP Digest authentication headers (an IETF RFC-based standard)
  • HTTP client certificate exchange (an IETF RFC-based standard)
  • LDAP (a very common approach to cross-platform authentication needs, especially in large environments)
  • Form-based authentication (for simple user interface requirements)
  • OpenID authentication
  • Computer Associates Siteminder
  • JA-SIG Central Authentication Service (CAS, a popular open source single sign-on system)
  • Transparent authentication context propagation for Remote Method Invocation (RMI) and HttpInvoker (a Spring remoting protocol)
