You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
186 lines
12 KiB
186 lines
12 KiB
<?xml version="1.0" encoding="UTF-8"?> |
|
<book version="5.0" xml:id="spring-security-reference-guide" xmlns="http://docbook.org/ns/docbook" |
|
xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude"> |
|
<info><title>Spring Security</title><subtitle>Reference Documentation</subtitle><authorgroup> |
|
<author> |
|
<personname>Ben Alex</personname> |
|
</author> |
|
<author> |
|
<personname>Luke Taylor</personname> |
|
</author> |
|
</authorgroup> |
|
<productname>Spring Security</productname> |
|
<releaseinfo>3.0.3.RELEASE</releaseinfo> |
|
</info> |
|
<toc/> |
|
<preface xml:id="preface"> |
|
<title>Preface</title> |
|
<para>Spring Security provides a comprehensive security solution for J2EE-based enterprise |
|
software applications. As you will discover as you venture through this reference guide, we |
|
have tried to provide you a useful and highly configurable security system.</para> |
|
<para>Security is an ever-moving target, and it's important to pursue a comprehensive, |
|
system-wide approach. In security circles we encourage you to adopt "layers of security", so |
|
that each layer tries to be as secure as possible in its own right, with successive layers |
|
providing additional security. The "tighter" the security of each layer, the more robust and |
|
safe your application will be. At the bottom level you'll need to deal with issues such as |
|
transport security and system identification, in order to mitigate man-in-the-middle attacks. |
|
Next you'll generally utilise firewalls, perhaps with VPNs or IP security to ensure only |
|
authorised systems can attempt to connect. In corporate environments you may deploy a DMZ to |
|
separate public-facing servers from backend database and application servers. Your operating |
|
system will also play a critical part, addressing issues such as running processes as |
|
non-privileged users and maximising file system security. An operating system will usually |
|
also be configured with its own firewall. Hopefully somewhere along the way you'll be trying |
|
to prevent denial of service and brute force attacks against the system. An intrusion |
|
detection system will also be especially useful for monitoring and responding to attacks, with |
|
such systems able to take protective action such as blocking offending TCP/IP addresses in |
|
real-time. Moving to the higher layers, your Java Virtual Machine will hopefully be configured |
|
to minimize the permissions granted to different Java types, and then your application will |
|
add its own problem domain-specific security configuration. Spring Security makes this latter |
|
area - application security - much easier. </para> |
|
<para>Of course, you will need to properly address all security layers mentioned above, together |
|
with managerial factors that encompass every layer. A non-exhaustive list of such managerial |
|
factors would include security bulletin monitoring, patching, personnel vetting, audits, |
|
change control, engineering management systems, data backup, disaster recovery, performance |
|
benchmarking, load monitoring, centralised logging, incident response procedures etc.</para> |
|
<para>With Spring Security being focused on helping you with the enterprise application security |
|
layer, you will find that there are as many different requirements as there are business |
|
problem domains. A banking application has different needs from an ecommerce application. An |
|
ecommerce application has different needs from a corporate sales force automation tool. These |
|
custom requirements make application security interesting, challenging and rewarding. </para> |
|
<para>Please read <xref linkend="getting-started"/>, in its entirety to begin with. This will |
|
introduce you to the framework and the namespace-based configuration system with which you can |
|
get up and running quite quickly. To get more of an understanding of how Spring Security |
|
works, and some of the classes you might need to use, you should then read <xref |
|
linkend="overall-architecture"/>. The remaining parts of this guide are structured in a more |
|
traditional reference style, designed to be read on an as-required basis. We'd also recommend |
|
that you read up as much as possible on application security issues in general. Spring |
|
Security is not a panacea which will solve all security issues. It is important that the |
|
application is designed with security in mind from the start. Attempting to retrofit it is not |
|
a good idea. In particular, if you are building a web application, you should be aware of the |
|
many potential vulnerabilities such as cross-site scripting, request-forgery and |
|
session-hijacking which you should be taking into account from the start. The OWASP web site |
|
(http://www.owasp.org/) maintains a top ten list of web application vulnerabilities as well as |
|
a lot of useful reference information. </para> |
|
<para>We hope that you find this reference guide useful, and we welcome your feedback and <link |
|
xlink:href="#jira">suggestions</link>. </para> |
|
<para>Finally, welcome to the Spring Security <link xlink:href="#community">community</link>. |
|
</para> |
|
</preface> |
|
<part xml:id="getting-started"> |
|
<title>Getting Started</title> |
|
<partintro> |
|
<para>The later parts of this guide provide an in-depth discussion of the framework |
|
architecture and implementation classes, which you need to understand if you want to do any |
|
serious customization. In this part, we'll introduce Spring Security 3.0, give a brief |
|
overview of the project's history and take a slightly gentler look at how to get started |
|
using the framework. In particular, we'll look at namespace configuration which provides a |
|
much simpler way of securing your application compared to the traditional Spring bean |
|
approach where you have to wire up all the implementation classes individually. </para> |
|
<para> We'll also take a look at the sample applications that are available. It's worth trying |
|
to run these and experimenting with them a bit even before you read the later sections - you |
|
can dip back into them as your understanding of the framework increases. Please also check |
|
out the <link xlink:href="http://static.springsource.org/spring-security/site/index.html" |
|
>project website</link> as it has useful information on building the project, plus links |
|
to articles, videos and tutorials. </para> |
|
</partintro> |
|
<xi:include href="introduction.xml"/> |
|
<xi:include href="namespace-config.xml"/> |
|
<xi:include href="samples.xml"/> |
|
<xi:include href="community.xml"/> |
|
</part> |
|
<part xml:id="overall-architecture"> |
|
<title>Architecture and Implementation</title> |
|
<partintro> |
|
<para>Once you are familiar with setting up and running some namespace-configuration based |
|
applications, you may wish to develop more of an understanding of how the framework actually |
|
works behind the namespace facade. Like most software, Spring Security has certain central |
|
interfaces, classes and conceptual abstractions that are commonly used throughout the |
|
framework. In this part of the reference guide we will look at some of these and see how |
|
they work together to support authentication and access-control within Spring |
|
Security.</para> |
|
</partintro> |
|
<xi:include href="technical-overview.xml"/> |
|
<xi:include href="core-services.xml"/> |
|
</part> |
|
<part xml:id="web-app-security"> |
|
<title>Web Application Security</title> |
|
<partintro> |
|
<para> Most Spring Security users will be using the framework in applications which make user |
|
of HTTP and the Servlet API. In this part, we'll take a look at how Spring Security provides |
|
authentication and access-control features for the web layer of an application. We'll look |
|
behind the facade of the namespace and see which classes and interfaces are actually |
|
assembled to provide web-layer security. In some situations it is necessary to use |
|
traditional bean configuration to provide full control over the configuration, so we'll also |
|
see how to configure these classes directly without the namespace.</para> |
|
</partintro> |
|
<xi:include href="security-filter-chain.xml"/> |
|
<xi:include href="core-filters.xml"/> |
|
<xi:include href="basic-and-digest-auth.xml"/> |
|
<xi:include href="remember-me-authentication.xml"/> |
|
<xi:include href="session-mgmt.xml"/> |
|
<xi:include href="anon-auth-provider.xml"/> |
|
</part> |
|
<!-- |
|
<part xml:id="authentication"> |
|
<title>Authentication</title> |
|
<partintro> |
|
<para>We've already introduced Spring Security's authentication architecture in the <link |
|
xlink:href="#technical-overview">Technical Overview</link> chapter. In this part of the |
|
reference guide we will examine individual authentication mechanisms and their corresponding |
|
<classname>AuthenticationProvider</classname>s. We'll also look at how to configure |
|
authentication more generally, including if you have several authentication approaches that |
|
need to be chained together.</para> |
|
<para> With some exceptions, we will be discussing the full details of Spring Security bean |
|
configuration rather than the shorthand <link xlink:href="#ns-config">namespace |
|
syntax</link>. You should review the introduction to using namespace configuration and the |
|
options it provides to see if they will meet your needs. As you come to use the framework |
|
more, and need to customize the internal behaviour, you will probably want to understand |
|
more about how the individual services are implemented, which classes to look at extending |
|
and so on. This part is more targeted at providing this kind of information. We'd recommend |
|
that you supplement the content by browsing the Javadoc and the source itself <footnote> |
|
<para>Links to both Javadoc APIs and browsable source cross-reference are available from |
|
the project web site.</para> |
|
</footnote>. </para> |
|
</partintro> |
|
<xi:include href="dao-auth-provider.xml"/> |
|
</part> |
|
--> |
|
<part xml:id="authorization"> |
|
<title>Authorization</title> |
|
<partintro> |
|
<para>The advanced authorization capabilities within Spring Security represent one of the most |
|
compelling reasons for its popularity. Irrespective of how you choose to authenticate - |
|
whether using a Spring Security-provided mechanism and provider, or integrating with a |
|
container or other non-Spring Security authentication authority - you will find the |
|
authorization services can be used within your application in a consistent and simple |
|
way.</para> |
|
<para>In this part we'll explore the different |
|
<classname>AbstractSecurityInterceptor</classname> implementations, which were introduced |
|
in Part I. We then move on to explore how to fine-tune authorization through use of domain |
|
access control lists.</para> |
|
</partintro> |
|
<xi:include href="authorization-common.xml"/> |
|
<xi:include href="secured-objects.xml"/> |
|
<xi:include href="el-access.xml"/> |
|
</part> |
|
<part xml:id="advanced-topics"> |
|
<title>Additional Topics</title> |
|
<!-- |
|
Essentially standalone features which do not have to follow on directly from earlier chapters |
|
--> |
|
<partintro> |
|
<para> In this part we cover features which require a knowledge of previous chapters as well |
|
as some of the more advanced and less-commonly used features of the framework.</para> |
|
</partintro> |
|
<xi:include href="domain-acls.xml"/> |
|
<xi:include href="preauth.xml"/> |
|
<xi:include href="ldap-auth-provider.xml"/> |
|
<xi:include href="taglibs.xml"/> |
|
<xi:include href="jaas-auth-provider.xml"/> |
|
<xi:include href="cas-auth-provider.xml"/> |
|
<xi:include href="x509-auth-provider.xml"/> |
|
<xi:include href="runas-auth-provider.xml"/> |
|
</part> |
|
<xi:include href="appendix-db-schema.xml"/> |
|
<xi:include href="appendix-namespace.xml"/> |
|
</book>
|
|
|