About Spring Security

Source: Internet
Author: User
Tags http digest authentication rfc maven central mule esb

1. What is Spring Security?


Spring security is a powerful and highly customizable framework for authentication and access control, formerly known as Acegi security.


Spring Security focuses on providing authentication and authorization for Java applications. Identity Verification is the process of establishing a principal that he declares for the user ( Main body generic refers to the user, device, or other system that can perform actions on your system). Authorization refers to whether a user can perform an action in your app, and the identity's principal has been established by the authentication process before the authorization decision is reached. These concepts are generic and are not unique to spring security.


2. What is the Spring security feature?


Spring Security has the following characteristics:


Comprehensive and extensible support for authentication and authorization


Prevent session pinning attacks, such as Click Hijacking, cross-site request forgery, etc.


Servlet API Integration


Integration with spring WEB MVC



3. What authentication modes does Spring security support?


at the authentication level, Spring security supports a wide variety of authentication modes. The vast majority of these validation models are provided by third parties, or are being developed by relevant standards bodies, such as the Internet Engineering Task force. As a supplement, Spring Security also provides its own set of validation capabilities. Spring Security currently supports certification integration and the following authentication technologies:


HTTP BASIC Authentication Headers (a standard based on the Ieft RFC)

HTTP Digest Authentication Headers (a standard based on Ieft RFC)


HTTP Certificate Client Exchange (a ieft RFC-based standard)


LDAP (a very common cross-platform authentication requires a procedure, especially in a large environment)


form-based Authentication (requirements for simple user interface)


OpenID Authentication


Computer Associates Siteminder


Ja-sig Central authentication Service (also known as CAS, which is a popular open source single sign-on system)


Transparent authentication context propagation for remote Method invocation (RMI) and Httpinvoker (a spring Remote call protocol)


Automatic "Remember-me" Authentication (so you can set a period of time to avoid having to re-verify over time)


Anonymous authentication (allows any call to automatically assume a specific security principal)


Run-as authentication (This is useful when using different security identities within a session)


Java Authentication and Authorization Service (JAAS)


Container integration with JBoss, Jetty, Resin and Tomcat (so you can continue to use container management authentication, if you want)


Java Open Source Single Sign On (Josso) *


OpenNMS Network Management Platform *


AppFuse *


ANDROMDA *


Mule ESB *


Direct Web Request (DWR) *


Grails *


Tapestry *


Jtrac *


Jasypt *


Roller *


Elastic Plath *


Atlassian Crowd *


4. Why use spring Security?


Many independent software vendors (ISVs, independent software vendors) use Spring Security because they have a rich and flexible validation model. In this way, whatever the end-user needs, they can be quickly integrated into the system without much effort and without the user changing the operating environment. If none of the above verification mechanisms meet your needs, Spring security is an open platform and it is easy to write your own validation mechanism. Many of spring Security's enterprise users need to integrate "legacy" systems that do not follow any specific security standards, and spring security is doing well on such systems.


Sometimes the basic certification is not enough. Sometimes you need to apply different security measures in a way that interacts with the subject and the application. For example, you might, in order to protect a password, not be monitored or attacked by a man-in-the-middle, want to ensure that the request arrives only via HTTPS. Or, you want to make sure that the request is a real person, not a robot or other automated program. This is especially helpful for protecting your passwords from brute force attacks, or making it harder for others to replicate key content in your program. To help you achieve these goals, Spring security supports automatic "channel safety", integrating Jcaptcha integration for human user detection.


Spring Security not only provides authentication functions, but also provides complete authorization functions. There are three main areas of authorization, authorizing Web requests, authorizing the invoked method, and authorizing access to an instance of a single object. To help you understand the differences between them, consider granting authorization in the SERVLET Specification Web mode security, EJB container Management security, and file system security. Spring Security provides complete capabilities in all of these important areas, which we will explore later in this reference guide.


5. How do I get spring Security?


Spring Security is an open source project and we can get the source code through subversion. But in most cases, we just need the spring security jar. We can download packaged packages from the Spring Security website or download them from the MAVEN central repository.


Spring security is currently the latest version of 4.0.0 RC1, but the stable version is still 3.2.5.



This article is from the "Dust Wind with the Sky" blog, please be sure to keep this source http://favccxx.blog.51cto.com/2890523/1606179

About Spring Security

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.