Spring Security
- Contains core authentication and access-control classes and interfaces, remoting support and basic provisioning APIs
- Required by any application which uses Spring Security
- Supports standalone applications, remote clients, method (service layer) security and JDBC user provisioning
- Contains filters and related web-security infrastructure code
- You'll need it if you require Spring Security web authentication services and URL-based access-control.
- LDAP authentication and provisioning code.
- Required if you need to use LDAP authentication or manage LDAP user entries
- Specialized domain object ACL implementation
- Used to apply security to specific domain object instances within your application
- Spring Security's CAS client integration
- If you want to use Spring Security web authentication with a CAS single sign-on server
- sets up the filters and related service beans used to apply the framework authentication mechanisms, to secure URLs, render login and error pages and much more
- options for securing the service layer
- handles authentication requests from other parts of the framework
- provides access decisions for web and method security. A default one will be registered, but you can also choose to use a custom one, declared using normal Spring bean syntax
- mechanisms against which the authentication manager authenticates users
- closely related to authentication providers, but often also required by other beans
```xml
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
```
- DelegatingFilterProxy is a Spring Framework class which delegates to a filter implementation defined as a Spring bean, here the internal infrastructure bean named springSecurityFilterChain that the namespace creates to handle web security (the filter-name must match that bean name)
```xml
<http auto-config='true'>
<intercept-url pattern="/**" access="ROLE_USER" />
</http>
```
- says that we want all URLs within our application to be secured, requiring the role ROLE_USER to access them
- the <http> element is the parent for all web-related namespace functionality
- the <intercept-url> element defines a pattern which is matched against the URLs of incoming requests
- multiple elements can be used to define different access requirements for different sets of URLs, but they will be evaluated in the order listed and the first match will be used.
- the auto-config attribute, as we have used it above, is just a shorthand syntax for:
```xml
<http>
<form-login />
<http-basic />
<logout />
</http>
```
- It's mandatory to have a user-service defined
- You can have multiple elements to define different authentication sources and each will be consulted in turn
```xml
<authentication-manager>
<authentication-provider>
<user-service>
<user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
<user name="bob" password="bobspassword" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
```
- The same user-service with a password-encoder, so the stored values are MD5 hashes of the passwords rather than the plain text:
```xml
<authentication-manager>
<authentication-provider>
<password-encoder hash="md5"/>
<user-service>
<user name="jimi" password="0ddbe36716977a9cfe7595b36e4409fe" authorities="ROLE_USER, ROLE_ADMIN" />
<user name="bob" password="12b141f35d58b8b3a46eea65e6ac179e" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
```
- Remember-me or persistent-login authentication refers to web sites being able to remember the identity of a principal between sessions
- This is typically accomplished by sending a cookie to the browser, with the cookie being detected during future sessions and causing automated login to take place
- Spring has two concrete implementations: Simple Hash-Based Token and Persistent Token
- Simple Hash-Based Token
```xml
<http>
...
<remember-me key="myAppKey"/>
</http>
```
- Persistent Token
```xml
<http>
...
<remember-me data-source-ref="someDataSource"/>
</http>
```
- In order to use this approach you need to have the following table:
```sql
create table persistent_logins (username varchar(64) not null,
series varchar(64) primary key,
token varchar(64) not null,
last_used timestamp not null)
```
- Since we didn't explicitly set a URL for the login page, Spring Security generates one automatically, based on the features that are enabled. It uses standard values for the URL which processes the submitted login, the default target URL the user will be sent to after logging in, and so on.
```xml
<http auto-config='true'>
<intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page='/login.jsp'/>
</http>
```
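As an added illustration of the first-match rule for intercept-url elements (this is not code from the page or from Spring Security; the Ant-style matcher is a simplified stand-in for Spring's own, and the RULES list is constructed to mirror the last configuration above): reversing the order of RULES shows how a leading /** rule shadows the anonymous login page.

```python
import re
from typing import List, Optional, Tuple

# Constructed rule list mirroring the two <intercept-url> elements in the last
# configuration above, in the order they are listed.
RULES: List[Tuple[str, str]] = [
    ("/login.jsp*", "IS_AUTHENTICATED_ANONYMOUSLY"),
    ("/**", "ROLE_USER"),
]


def ant_to_regex(pattern: str) -> "re.Pattern":
    # Simplified Ant-style matching: '**' spans any number of path segments (a
    # trailing '/**' also matches the bare parent path), '*' stays within one
    # segment, '?' matches a single character.
    out: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            if i > 0 and pattern[i - 1] == "/" and i + 2 == len(pattern):
                out.pop()  # drop the "/" escaped just before
                out.append("(?:/.*)?")
            else:
                out.append(".*")
            i += 2
        elif pattern[i] in "*?":
            out.append("[^/]*" if pattern[i] == "*" else "[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def required_access(path: str, rules: List[Tuple[str, str]]) -> Optional[str]:
    # First match wins: later rules are never consulted, so a broad '/**' rule
    # listed first shadows every more specific rule after it.
    for pattern, access in rules:
        if ant_to_regex(pattern).match(path):
            return access
    return None  # no rule matched: the URL is not secured


def is_allowed(path: str, authorities: List[str], rules=RULES) -> bool:
    # Decide as a RoleVoter does: holding any one of the listed roles suffices.
    access = required_access(path, rules)
    if access is None or access == "IS_AUTHENTICATED_ANONYMOUSLY":
        return True
    required = {a.strip() for a in access.split(",")}
    return bool(required & set(authorities))
```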