Spring Security参考指南4.1.1.RELEASE

需积分: 1 83 浏览量更新于2024-07-20 收藏 1.87MB PDF 举报

"Spring Security Reference 4.1.1.RELEASE" Spring Security 是一个强大的和高度可定制的身份验证和授权框架，适用于Java企业级应用程序。它为保护基于Spring的应用程序提供了全面的安全解决方案。此文档详细介绍了Spring Security 4.1.1.RELEASE版本的功能和用法。 1. **入门 (Getting Started)** 开始使用Spring Security，你需要了解如何将它集成到你的项目中。文档这部分将指导你完成基础配置，包括如何添加必要的依赖，无论是通过Maven还是Gradle。Maven用户可以直接在pom.xml中添加对应的Spring Security依赖，而Gradle用户则需要配置相应的repository并引入相关模块。 2. **简介 (Introduction)** - **什么是Spring Security?** Spring Security提供了一套安全相关的服务，包括用户认证、访问控制、权限管理等，能够有效地处理用户身份验证、会话管理以及对敏感资源的保护。 - **历史**：Spring Security自2004年以来不断发展，经过多个版本的迭代，成为了Java领域内广泛使用的安全框架。 - **版本编号**：4.1.1.RELEASE表示这是一个稳定版本，提供了可靠的特性和修复了已知的问题。 - **获取Spring Security**：你可以从官方仓库或者通过构建工具如Maven或Gradle来获取和使用。 3. **项目模块 (Project Modules)** Spring Security由多个模块组成，每个模块专注于特定的安全功能： - **spring-security-core.jar**：核心模块，包含认证和授权的基础组件。 - **spring-security-remoting.jar**：支持远程调用的安全特性。 - **spring-security-web.jar**：处理HTTP安全性的Web层组件。 - **spring-security-config.jar**：配置相关，提供了XML和注解的配置方式。 - **spring-security-ldap.jar**：与LDAP服务器集成的模块。 - **spring-security-acl.jar**：访问控制列表（ACL）支持，用于精细的权限控制。 - **spring-security-cas.jar**：支持Central Authentication Service（CAS）协议的模块。 - **spring-security-openid.jar**：支持OpenID身份验证。 - **spring-security-test.jar**：测试支持，帮助进行安全相关的单元和集成测试。 - 检出源码：如果你打算深度开发或定制Spring Security，可以克隆其源码仓库进行研究。 4. **更多内容 (What’s Next)** 文档后续章节将深入探讨Spring Security的各个方面，如配置、认证、授权、表达式访问控制、过滤器链、SAML支持、Web安全、移动应用安全等等。这些章节会详细介绍如何配置和使用这些特性，以及如何解决常见的安全问题。 Spring Security Reference 4.1.1.RELEASE是开发者深入理解并实施Spring Security安全策略的重要参考资料，无论你是初学者还是有经验的开发者，都能从中获得宝贵的知识。通过阅读和实践，你可以构建起一套强大而灵活的安全体系，确保你的Spring应用程序免受潜在威胁。

Spring Security Reference

4.1.1.RELEASE Spring Security xvi

The authorize JSP Tag doesn’t respect my method security annotations when

using the URL attribute. .................................................................................. 253

43.3. Spring Security Architecture Questions ............................................................ 253

How do I know which package class X is in? ................................................... 254

How do the namespace elements map to conventional bean configurations? ...... 254

What does "ROLE_" mean and why do I need it on my role names? .................. 254

How do I know which dependencies to add to my application to work with Spring

Security? ........................................................................................................ 254

What dependencies are needed to run an embedded ApacheDS LDAP server?

....................................................................................................................... 255

What is a UserDetailsService and do I need one? ............................................ 255

43.4. Common "Howto" Requests ............................................................................ 255

I need to login in with more information than just the username. How do I add

support for extra login fields (e.g. a company name)? ....................................... 256

How do I apply different intercept-url constraints where only the fragment value

of the requested URLs differs (e.g./foo#bar and /foo#blah? ............................... 256

How do I access the user’s IP Address (or other web-request data) in a

UserDetailsService? ........................................................................................ 256

How do I access the HttpSession from a UserDetailsService? ........................... 257

How do I access the user’s password in a UserDetailsService? ......................... 257

How do I define the secured URLs within an application dynamically? ................ 257

How do I authenticate against LDAP but load user roles from a database? ......... 258

I want to modify the property of a bean that is created by the namespace, but

there is nothing in the schema to support it. What can I do short of abandoning

namespace use? ............................................................................................ 259

44. Migrating from 3.x to 4.x ........................................................................................... 260

Part I. Preface

Spring Security provides a comprehensive security solution for Java EE-based enterprise software

applications. As you will discover as you venture through this reference guide, we have tried to provide

you a useful and highly configurable security system.

Security is an ever-moving target, and it’s important to pursue a comprehensive, system-wide approach.

In security circles we encourage you to adopt "layers of security", so that each layer tries to be as secure

as possible in its own right, with successive layers providing additional security. The "tighter" the security

of each layer, the more robust and safe your application will be. At the bottom level you’ll need to deal

with issues such as transport security and system identification, in order to mitigate man-in-the-middle

attacks. Next you’ll generally utilise firewalls, perhaps with VPNs or IP security to ensure only authorised

systems can attempt to connect. In corporate environments you may deploy a DMZ to separate public-

facing servers from backend database and application servers. Your operating system will also play

a critical part, addressing issues such as running processes as non-privileged users and maximising

file system security. An operating system will usually also be configured with its own firewall. Hopefully

somewhere along the way you’ll be trying to prevent denial of service and brute force attacks against

the system. An intrusion detection system will also be especially useful for monitoring and responding to

attacks, with such systems able to take protective action such as blocking offending TCP/IP addresses in

real-time. Moving to the higher layers, your Java Virtual Machine will hopefully be configured to minimize

the permissions granted to different Java types, and then your application will add its own problem

domain-specific security configuration. Spring Security makes this latter area - application security -

much easier.

Of course, you will need to properly address all security layers mentioned above, together with

managerial factors that encompass every layer. A non-exhaustive list of such managerial factors would

include security bulletin monitoring, patching, personnel vetting, audits, change control, engineering

management systems, data backup, disaster recovery, performance benchmarking, load monitoring,

centralised logging, incident response procedures etc.

With Spring Security being focused on helping you with the enterprise application security layer, you will

find that there are as many different requirements as there are business problem domains. A banking

application has different needs from an ecommerce application. An ecommerce application has different

needs from a corporate sales force automation tool. These custom requirements make application

security interesting, challenging and rewarding.

Please read Chapter 1, Getting Started, in its entirety to begin with. This will introduce you to the

framework and the namespace-based configuration system with which you can get up and running

quite quickly. To get more of an understanding of how Spring Security works, and some of the classes

you might need to use, you should then read Part II, “Architecture and Implementation”. The remaining

parts of this guide are structured in a more traditional reference style, designed to be read on an as-

required basis. We’d also recommend that you read up as much as possible on application security

issues in general. Spring Security is not a panacea which will solve all security issues. It is important

that the application is designed with security in mind from the start. Attempting to retrofit it is not a good

idea. In particular, if you are building a web application, you should be aware of the many potential

vulnerabilities such as cross-site scripting, request-forgery and session-hijacking which you should be

taking into account from the start. The OWASP web site (http://www.owasp.org/) maintains a top ten list

of web application vulnerabilities as well as a lot of useful reference information.

We hope that you find this reference guide useful, and we welcome your feedback and suggestions.

剩余276页未读，继续阅读

qinxike

粉丝: 37
资源: 62

Spring Security参考指南4.1.1.RELEASE

spring-jdbc-4.1.1.RELEASE.zip

spring-core-4.2.1.RELEASE.jar

extras-refs_tags_android-4.1.1_r1-ext4_utils.tar.gz xiazai

extras-refs_tags_android-4.1.1_r1-ext4_utils.tar.gz

``` env = SConscript("thirdLibrary/godot-cpp/godot-cpp-4.1.1/SConstruct") ```

java poi-4.1.1.jar

docker load topstack-v4.1.1-r10.tar.gz "docker load" accepts no arguments. See 'docker load --help'. Usage: docker load [OPTIONS] Load an image from a tar archive or STDIN

最新资源