managerial factors would include security bulletin monitoring, patching, personnel vetting, audits, change control, engineering management systems, data backup, disaster
recovery, performance benchmarking, load monitoring, centralised logging, incident response procedures etc.
With Spring Security being focused on helping you with the enterprise application security layer, you will find that there are as many different requirements as there are
business problem domains. A banking application has different needs from an ecommerce application. An ecommerce application has different needs from a corporate sales
force automation tool. These custom requirements make application security interesting, challenging and rewarding.
Please read Chapter 1, Getting Started, in its entirety to begin with. This will introduce you to the framework and the namespace-based configuration system with which you
can get up and running quite quickly. To get more of an understanding of how Spring Security works, and some of the classes you might need to use, you should then read
Part II, “Architecture and Implementation”. The remaining parts of this guide are structured in a more traditional reference style, designed to be read on an as-required basis.
We’d also recommend that you read up as much as possible on application security issues in general. Spring Security is not a panacea which will solve all security issues. It is
important that the application is designed with security in mind from the start; attempting to retrofit it later is not a good idea. In particular, if you are building a web application, you
should be aware of the many potential vulnerabilities, such as cross-site scripting (XSS), cross-site request forgery (CSRF) and session hijacking, which you should be taking into account from the start.
The OWASP web site (http://www.owasp.org/) maintains the OWASP Top Ten list of web application vulnerabilities as well as a lot of useful reference information.
We hope that you find this reference guide useful, and we welcome your feedback and suggestions.
Finally, welcome to the Spring Security community.
1. Getting Started
The later parts of this guide provide an in-depth discussion of the framework architecture and implementation classes, which you need to understand if you want to do any
serious customization. In this part, we’ll introduce Spring Security 4.0, give a brief overview of the project’s history and take a slightly gentler look at how to get started using the
framework. In particular, we’ll look at namespace configuration which provides a much simpler way of securing your application compared to the traditional Spring bean
approach where you have to wire up all the implementation classes individually.
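To make the contrast concrete, the following is a minimal namespace configuration of the kind this part introduces. It is an added example, not taken from the reference guide or the project's sample applications; the URL patterns, role names, the user `alice` and the comment placeholder for her bcrypt hash are assumptions chosen for illustration. Every element inside `<http>` stands in for a filter (or several) that, under the traditional bean approach, you would have to declare and wire by hand, together with the `FilterChainProxy` that orders them.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the reference guide): a minimal Spring Security 4.0
     namespace configuration. The security namespace is the default namespace here,
     so the Spring beans schema needs the "beans:" prefix. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- One <http> element builds a complete filter chain: security-context
         persistence, form login, logout, exception translation, CSRF protection
         and the authorization filter, each of which would otherwise be a bean. -->
    <http>
        <!-- Rules are evaluated in order; the first pattern that matches wins,
             so the more specific /admin/** rule must come before the catch-all. -->
        <intercept-url pattern="/admin/**" access="hasRole('ADMIN')"/>
        <intercept-url pattern="/**"       access="isAuthenticated()"/>

        <form-login/>
        <logout/>

        <!-- CSRF protection and the security response headers (e.g.
             X-Frame-Options, X-Content-Type-Options, Cache-Control) are on by
             default in 4.0; they are written out here only to make that visible. -->
        <csrf/>
        <headers/>
    </http>

    <!-- The AuthenticationManager and its provider. Passwords are compared
         against stored bcrypt hashes, never stored in the clear. -->
    <authentication-manager>
        <authentication-provider>
            <password-encoder hash="bcrypt"/>
            <user-service>
                <!-- Assumed demo user. The password attribute must hold a bcrypt
                     hash of the real password (generate one with
                     BCryptPasswordEncoder.encode); the placeholder below is not
                     a usable hash and the entry will not authenticate as written. -->
                <user name="alice"
                      password="BCRYPT_HASH_GOES_HERE"
                      authorities="ROLE_USER,ROLE_ADMIN"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

For the chain to see any requests, the application's web.xml (or a `WebApplicationInitializer`) must also register a `DelegatingFilterProxy` under the bean name `springSecurityFilterChain` and map it to `/*`; the namespace creates the bean with that name for you, but the servlet container still has to be told to call it.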
We’ll also take a look at the sample applications that are available. It’s worth trying to run these and experimenting with them a bit even before you read the later sections - you
can dip back into them as your understanding of the framework increases. Please also check out the project website as it has useful information on building the project, plus
links to articles, videos and tutorials.
2. Introduction
2.1 What is Spring Security?
Spring Security provides comprehensive security services for Java EE-based enterprise software applications. There is a particular emphasis on supporting projects built
using The Spring Framework, which is the leading Java EE solution for enterprise software development. If you’re not using Spring for developing enterprise applications, we
warmly encourage you to take a closer look at it. Some familiarity with Spring - and in particular dependency injection principles - will help you get up to speed with Spring
Security more easily.
People use Spring Security for many reasons, but most are drawn to the project after finding the security features of Java EE’s Servlet Specification or EJB Specification lack
the depth required for typical enterprise application scenarios. Whilst mentioning these standards, it’s important to recognise that they are not portable at a WAR or EAR level.
Therefore, if you switch server environments, it is typically a lot of work to reconfigure your application’s security in the new target environment. Using Spring Security