Spring security is a secure framework that provides declarative, secure access control solutions for spring-based enterprise applications. It provides a set of beans that can be configured in the context of the spring application, taking full advantage of the spring Ioc,di (control inversion inversion of controls, di:dependency injection Dependency injection) and AOP (aspect-oriented programming) capabilities provide declarative, secure access control for application systems, reducing the effort to write large amounts of repetitive code for enterprise system security controls.
Security consists of two operations, "Authentication and authentication (permission control)", which is now the two main direction for spring security, and" Authentication" is the process of establishing a principal that he declares for the user (" subject" generally refers to the user, Devices or other systems that can perform actions on your system). " Verify" refers to whether a user can perform an action in your app.
At the authentication level, Spring security supports a wide variety of authentication modes. The vast majority of these validation models are provided by third parties, or are being developed by relevant standards bodies, such as the Internet Engineering Task force. As a supplement, Spring Security also provides its own set of validation capabilities. Spring Security currently supports certification integration and the following authentication technologies:
HTTP BASIC Authentication Headers (an IETF RFC-based standard)
HTTP Digest Authentication Headers (an IETF RFC-based standard)
HTTP Certificate Client Exchange (an IETF RFC-based standard)
LDAP (a very common cross-platform authentication requires a procedure, especially in a large environment)
form-based Authentication (requirements for simple user interface)
OpenID Authentication
Authentication based on pre-established request headers (e.g. computer Associates Siteminder)
Ja-sig Central authentication Service (also known as CAS, which is a popular open source single sign-on system)
Transparent authentication context propagation for remote Method invocation (RMI) and Httpinvoker (a spring Remote call protocol)
Automatic "Remember-me" Authentication (so you can set a period of time to avoid having to re-verify over time)
Anonymous authentication (allows any call that is not authenticated, automatically assumes a specific security principal)
Run-as authentication (This is useful when using different security identities within a session)
Java Authentication and Authorization Service (JAAS)
JEE Container autentication (so that you can continue using the container management certification, if you want)
Kerberos
Java Open Source Single Sign On (Josso) *
OpenNMS Network Management Platform *
AppFuse *
ANDROMDA *
Mule ESB *
Direct Web Request (DWR) *
Grails *
Tapestry *
Jtrac *
Jasypt *
Roller *
Elastic Plath *
Atlassian Crowd *
Your own authentication system (look down)
(* means provided by a third party.) )
Many independent software vendors (ISVs, independent software vendors) use Spring Security because they have a rich and flexible validation model. In this way, whatever the end-user needs, they can be quickly integrated into the system without much effort and without the user changing the operating environment. If none of the above verification mechanisms meet your needs, Spring security is an open platform and it is easy to write your own validation mechanism. Many of spring Security's enterprise users need to integrate "legacy" systems that do not follow any specific security standards, and spring security is doing well on such systems.
Spring Security not only provides authentication functions, but also provides complete authorization functions. There are three main areas of authorization, authorizing Web requests, authorizing the invoked method, and authorizing access to an instance of a single object. To help you understand the differences between them, consider granting authorization in the SERVLET Specification Web mode security, EJB container Management security, and file system security. Spring Security provides complete capabilities in all of these important areas
Well, here's a brief description of some of the spring security-related jar packages:
1.4.1.1. Core-
spring-security-core.jar
Includes core authentication and permission control classes and interfaces, transport support and basic provisioning APIs. necessary to use spring security. Supports standalone applications, remote clients, methods (service layer) security, and JDBC user provisioning. Include top-level packages:
org.springframework.security.core
org.springframework.security.access
org.springframework.security.authentication
org.springframework.security.provisioning
1.4.1.2. Remote Call-
spring-security-remoting.jar
Provides integration with spring remote calls. You don't need it unless you write a remote client using spring Remoting. The main package is org.springframework.security.remoting
.
1.4.1.3. Web-
spring-security-web.jar
Contains the filter and the corresponding Web security architecture code. Any need to rely on the servlet API. You will need it if you need the Spring Security Web Authentication service and URL-based permission control. The main package is org.springframework.security.web
.
1.4.1.4. Config-
spring-security-config.jar
Contains the security naming control resolution code that you need if you use the Spring security XML naming control to configure it. The main package is org.springframework.security.config
. None of these classes should be used directly in the app.
1.4.1.5. LDAP-
spring-security-ldap.jar
LDAP authentication and implementation code are required if you need to use LDAP authentication or manage LDAP user entities. The top-level package is org.springframework.security.ldap
.
1.4.1.6. ACL-
spring-security-acl.jar
Handles the Realm object ACL implementation. Used to provide security to specific domain object instances in your application. The top-level package is org.springframework.security.acls
.
1.4.1.7. CAS-
spring-security-cas.jar
Spring Security's CAS client integration. If you want to use Spring Security Web authentication to consolidate one CAS single sign-on server. The top-level package is org.springframework.security.cas
.
1.4.1.8. OpenID-
spring-security-openid.jar
OpenID Web authentication support. Used to authenticate users through an external OpenID service. org.springframework.security.openid
. Need Openid4java.
The configuration in Pom.xml can be seen in the following:
1<dependency>2<groupId>org.springframework.security</groupId>3<artifactId>Spring-security-web</artifactId>4<version>4.1.2.RELEASE</version>5</dependency>6<dependency>7<groupId>org.springframework.security</groupId>8<artifactId>Spring-security-config</artifactId>9<version>4.1.2.RELEASE</version>Ten</dependency> One<dependency> A<groupId>org.springframework.security</groupId> -<artifactId>Spring-security-taglibs</artifactId> -<version>4.1.2.RELEASE</version> the</dependency>
The configuration of spring security in Web. xml:
1<!--Spring Secutiry4.1 filter Chain Configuration--2<filter>3<Filter-name>Springsecurityfilterchain</filter-name>4<filter-class>Org.springframework.web.filter.DelegatingFilterProxy</filter-class>5</filter>6<filter-mapping>7<Filter-name>Springsecurityfilterchain</Filter-name>8<url-pattern>/*</url-pattern>9 </filter-mapping>
The spring Security.xml is configured as follows:
<?xml version= "1.0" encoding= "UTF-8"? ><beans:beans xmlns= "http://www.springframework.org/schema/security "Xmlns:beans= "Http://www.springframework.org/schema/beans" xmlns:p= "http://www.springframework.org/schema/p"Xmlns:xsi= "Http://www.w3.org/2001/XMLSchema-instance" xmlns:context= "Http://www.springframework.org/schema/context"xsi:schemalocation= "Http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsdhttp//Www.springframework.org/schema/contexthttp//www.springframework.org/schema/context/spring-context.xsdhttp//www.springframework.org/schema/securityhttp//www.springframework.org/schema/security/spring-security.xsd ">Logout-success-url= "/loginlog/logout.do"Invalidate-session= "true"/> <custom-filter ref= "Loginfilter" position= "Form_login_filter"/> <!--login successful After denying access to the jump page-<access-denied-handler ref= "Accessdeniedhandler"/> <csrf disabled= "tr UE "/> class= "Com.seawin.webapp.base.security.MyAccessDeniedHandler" > <beans:property name= "errorpage" value= "/sysadmin /error.jsp?errorcode=1 "></beans:property> </beans:bean> <!--use custom classes Myuserdetailsservice get users from a database Info-<authentication-manager alias= "Myauthenticationmanager" > <authentication-provider user- service-ref= "Myuserdetailsservice" ></authentication-provider> </authentication-manager> <! --Customize User resource information get-<beans:bean id= "Myuserdetailsservice"class= "Com.seawin.webapp.base.security.MyUserDetailService" > </beans:bean> <!--The authenticated request jumps to a different login interface depending on the required permissions- <beans:bean id= "Myauthenticationentrypoint"class= "Org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint" > <beans: Constructor-arg name= "Loginformurl" value= "/login.html" ></beans:constructor-arg> </beans:bean> <!--Verify after successful operation--<beans:bean id= "Authenticationsuccesshandler"class= "Com.seawin.webapp.base.security.MySimpleUrlAuthenticationSuccessHandler"/> <!--after validation fails-<beans:b Ean id= "Authenticationfailurehandler"class= "Com.seawin.webapp.base.security.MySimpleUrlAuthenticationFailureHandler" > <beans:property name= " Defaultfailureurl "value="/login.html "/> </beans:bean> <!--custom landing blocker--<beans:bean id=" L Oginfilter "class= "Com.seawin.webapp.base.security.MyAuthenticationFilter" > <beans:property name= "AuthenticationManager" ref = "Myauthenticationmanager"/> <beans:property name= "Filterprocessesurl" value= "/j_spring_security_check"/> ; <!--certification successfully processed with custom class Authenticationsuccesshandler-<beans:property name= "Authenticationsuccesshandler" ref = "Authenticationsuccesshandler"/> <beans:property name= "Authenticationfailurehandler" ref= " Authenticationfailurehandler "/> </beans:bean> <!--custom Interceptors--<beans:bean id=" Securityinter Ceptor "class= "Com.seawin.webapp.base.security.MyAuthorizationFilter" > <beans:property name= "AuthenticationManager" ref= "Myauthenticationmanager"/> <beans:property name= "Accessdecisionmanager" ref= "MysecurityAccessDecisionManag Er "/> <beans:property name=" Securitymetadatasource "ref=" Secureresourcefilterinvocationdefinitionsource "/& Gt </beans:bean> <beans:bean id= "Mysecurityaccessdecisionmanager"class= "Com.seawin.webapp.base.security.MyAccessDecisionManager"/> <beans:bean id= " Secureresourcefilterinvocationdefinitionsource "class= "Com.seawin.webapp.base.security.MySecurityMetadataSource"/></beans:beans>
View Code
(i) A brief introduction to spring security, as well as related configuration and Jar package awareness