Spring Security
| Developer(s) | 4 |
|---|---|
| Stable release | 5.2.1
/ November 4, 2019 [1] |
| Written in | web application framework security |
| License | Apache License 2.0 |
| Website | projects |
Spring Security is a
SpringSource
.
Authentication flow
Diagram 1 shows the basic flow of an authentication request using the Spring Security system. It shows the different filters and how they interact from the initial browser request, to either a successful authentication or an HTTP 403 error.
| Browser submits "authentication credentials" | |
| "Authentication mechanism" collects the details | |
| An "authentication request" object is built | |
| Authentication request sent to an AuthenticationManager | |
| AuthenticationManager (this is responsible for passing requests through a chain of AuthenticationProviders) | |
"Authentication provider" will ask a UserDetailsService to provide a UserDetails object
| |
The resultant UserDetails object (which also contains the GrantedAuthority[]s) will be used to build the fully populated Authentication object.
| |
If "Authentication mechanism" receives back the fully populated Authentication object, it will deem the request valid, put the Authentication into the SecurityContextHolder; and cause the original request to be retried.If, on the other hand, the AuthenticationProvider rejected the request, the authentication mechanism will ask the user agent to retry.
| |
AbstractSecurityInterceptor authorizes the regenerated request and throws Java exceptions. (Asks AccessDecisionManager for decision.)
| |
ExceptionTranslationFilter translates the exceptions thrown by AbstractSecurityInterceptor into HTTP related error codes
| |
| Error code 403 – if the principal has been authenticated and therefore simply lacks sufficient access Launch an AuthenticationEntryPoint – if the principal has not been authenticated which is an authentication mechanism
| |
Key authentication features
- LDAP (using both bind-based and password comparison strategies) for centralization of authentication information.[3]: 358–362, §7-3
- Single sign-on capabilities using the popular Central Authentication Service.
- Java Authentication and Authorization Service (JAAS) LoginModule, a standards-based method for authentication used within Java. Note this feature is only a delegation to a JAAS Loginmodule.
- Basic access authentication as defined through RFC 1945.
- Digest access authentication[3]: 356–358, §7-3 as defined through RFC 2617 and RFC 2069.
- Secure Sockets Layerstandard.
- CA, IncSiteMinder for authentication (a popular commercial access management product).
- Su (Unix)-like support for switching principal identity over a HTTP or HTTPS connection.
- Run-as replacement, which enables an operation to assume a different security identity.
- Anonymous authentication, which means that even unauthenticated principals are allocated a security identity.
- Container adapter (custom realm) support for JBoss and Jetty (web server).
- Windows NTLM to enable browser integration (experimental).
- servlet containerspecification.
- "Remember-me" support via HTTP cookies.
- Concurrent session support, which limits the number of simultaneous logins permitted by a principal.
- Full support for customization and plugging in custom authentication implementations.
Key authorization features
- AspectJ method invocation authorization.
- regular expressions.
Instance-based security features
- Used for specifying domain objects.
- Spring Security offers a repository for storing, retrieving, and modifying ACLs in a database.[3]: 376–381, §7-7
- Authorization features are provided to enforce policies before and after method invocations.
Other features
- Software localization so user interfacemessages can be in any language.
- Channel security, to automatically switch between HTTP and HTTPS upon meeting particular rules.
- Caching in all database-touching areas of the framework.
- Publishing of messages to facilitate event-driven programming.
- Support for performing integration testing via JUnit.
- Spring Security itself has comprehensive JUnit isolation tests.
- Several sample applications, detailed JavaDocs and a reference guide.
- Web framework independence.
Releases
- 2.0.0 (April 2008)
- 3.0.0 (December 2009)
- 3.1.0 (December 7, 2011)
- 3.1.2 (August 10, 2012)
- 3.2.0 (December 16, 2013)
- 4.0.0 (March 26, 2015)
- 4.1.3 (August 24, 2016)
- 4.2.0 (November 10, 2016)
- 3.2.10, 4.1.4, 4.2.1 (December 22, 2016)
- 4.2.2 (March 2, 2017)
- 4.2.3 (June 8, 2017)
- 5.0.0 (November 28, 2017)
- 5.0.8, 4.2.8 (September 11, 2018)[4]
- 5.1.0 GA (September 27, 2018)[5]
- 5.1.1, 5.0.9, 4.2.9 (October 16, 2018)[6]
- 5.1.2, 5.0.10, 4.2.10 (November 29, 2018)[7]
- 5.1.3, 5.0.11, 4.2.11 (January 11, 2019)[8]
- 5.1.4 (February 14, 2019)[9]
- 5.1.5, 5.0.12, 4.2.12 (April 3, 2019)[10]
Citations
- ^ "Spring Security 5.2.1 and 5.1.7 Released". spring.io. Retrieved December 4, 2019.
- ^ "Why the name Acegi?". spring.io.
- ^ a b c Deinum et al. 2014.
- ^ "Spring Security 5.0.8 and 4.2.8 Released". spring.io. Retrieved 2019-06-09.
- ^ "Spring Security 5.1 goes GA". spring.io. Retrieved 2019-06-09.
- ^ "Spring Security 5.1.1, 5.0.9, and 4.2.9 Released". spring.io. Retrieved 2019-06-09.
- ^ "Spring Security 5.1.2, 5.0.10, 4.2.10 Released". spring.io. Retrieved 2019-06-09.
- ^ "Spring Security 5.1.3, 5.0.11, 4.2.11 Released". spring.io. Retrieved 2019-06-09.
- ^ "Spring Security 5.1.4 Released". spring.io. Retrieved 2019-06-09.
- ^ "Spring Security 5.1.5, 5.0.12, 4.2.12 Released". spring.io. Retrieved 2019-06-09.
References
- Deinum, Marten; Rubio, Daniel; Long, Josh; Mak, Gary (September 1, 2014). Spring Recipes: A Problem-Solution Approach (Second ed.). ISBN 978-1-4302-2499-0.
- "Why the name Acegi?". spring.io.
