Spring Security 3.1.6 使用与配置指南

需积分: 17 45 浏览量更新于2024-07-22 收藏 1.15MB PDF 举报

身份认证购VIP最低享 7 折!

30元优惠券

"Spring Security Reference 3.1.6 使用指南" Spring Security 是一个强大的、高度可定制的身份验证和授权框架，适用于 Java 和 Spring 应用程序。这份指南详细介绍了 Spring Security 3.1.6 版本的使用方法，旨在帮助开发者在他们的应用中集成安全功能。 1. 引言 - Spring Security 的定义：它是一个全面的框架，专注于为 Web 应用程序提供认证和授权服务。 - 历史：文档提及了 Spring Security 的发展过程，这有助于理解其演进和改进的方向。 - 发行版本编号：解释了版本号的含义，如 3.1.6.RELEASE，表示这是一个稳定版。 - 获取 Spring Security：提供了获取和安装 Spring Security 的途径，包括项目模块的介绍。 2. 项目模块 - 核心模块（spring-security-core.jar）：包含核心安全服务，如访问决策管理器、权限表达式、安全上下文和认证管理。 - 远程模块（spring-security-remoting.jar）：支持远程安全服务调用。 - Web 模块（spring-security-web.jar）：处理 HTTP 安全相关的操作，如会话管理和 CSRF 防御。 - 配置模块（spring-security-config.jar）：提供 XML 和注解配置来设置安全特性。 - LDAP 模块（spring-security-ldap.jar）：与 LDAP 服务器进行集成，用于用户认证和授权。 - ACL 模块（spring-security-acl.jar）：提供细粒度的对象级权限控制。 - CAS 模块（spring-security-cas.jar）：支持 Central Authentication Service（CAS）协议的集成。 - OpenID 模块（spring-security-openid.jar）：允许用户通过 OpenID 进行身份验证。 3. Spring Security 3.1 新特性 - 高级别更新：概述了 3.1 版本引入的新功能和改进。 - 3.1 的命名空间更新：描述了在配置文件中使用的命名空间的变化。 4. 安全命名空间配置 - 简介：解释了 Spring Security 的 XML 命名空间设计，使配置更加简洁和直观。 - 设计原则：阐述了命名空间设计的目标和工作原理。 - 开始使用安全命名空间配置：提供了在 web.xml 文件中配置 Spring Security 的基本步骤。 - 示例配置：展示了最小的 `<http>` 配置，以及自动配置包含的内容。 - 表单和基本登录选项：讨论了如何配置基于表单和基本认证的登录方式。本指南详细阐述了 Spring Security 的各个方面，从基础概念到具体配置，对于任何想要在 Spring 应用中实现安全控制的开发者来说，都是宝贵的参考资料。通过学习，开发者可以理解如何设置用户认证、授权规则，以及如何防止常见的 Web 安全威胁，如跨站请求伪造（CSRF）和会话劫持。

资源详情

资源推荐

Spring Security

3.1.6.RELEASE 2

1.1 What is Spring Security?

Spring Security provides comprehensive security services for J2EE-based enterprise software applications.

There is a particular emphasis on supporting projects built using The Spring Framework, which is the leading

J2EE solution for enterprise software development. If you're not using Spring for developing enterprise

applications, we warmly encourage you to take a closer look at it. Some familiarity with Spring - and in

particular dependency injection principles - will help you get up to speed with Spring Security more easily.

People use Spring Security for many reasons, but most are drawn to the project after finding the security features

of J2EE's Servlet Specification or EJB Specification lack the depth required for typical enterprise application

scenarios. Whilst mentioning these standards, it's important to recognise that they are not portable at a WAR

or EAR level. Therefore, if you switch server environments, it is typically a lot of work to reconfigure your

application's security in the new target environment. Using Spring Security overcomes these problems, and

also brings you dozens of other useful, customisable security features.

As you probably know two major areas of application security are “authentication” and “authorization” (or

“access-control”). These are the two main areas that Spring Security targets. “Authentication” is the process

of establishing a principal is who they claim to be (a “principal” generally means a user, device or some other

system which can perform an action in your application). “Authorization” refers to the process of deciding

whether a principal is allowed to perform an action within your application. To arrive at the point where an

authorization decision is needed, the identity of the principal has already been established by the authentication

process. These concepts are common, and not at all specific to Spring Security.

At an authentication level, Spring Security supports a wide range of authentication models. Most of these

authentication models are either provided by third parties, or are developed by relevant standards bodies such as

the Internet Engineering Task Force. In addition, Spring Security provides its own set of authentication features.

Specifically, Spring Security currently supports authentication integration with all of these technologies:

• HTTP BASIC authentication headers (an IETF RFC-based standard)

• HTTP Digest authentication headers (an IETF RFC-based standard)

• HTTP X.509 client certificate exchange (an IETF RFC-based standard)

• LDAP (a very common approach to cross-platform authentication needs, especially in large environments)

• Form-based authentication (for simple user interface needs)

• OpenID authentication

• Authentication based on pre-established request headers (such as Computer Associates Siteminder)

• JA-SIG Central Authentication Service (otherwise known as CAS, which is a popular open source single

sign-on system)

• Transparent authentication context propagation for Remote Method Invocation (RMI) and HttpInvoker (a

Spring remoting protocol)

• Automatic "remember-me" authentication (so you can tick a box to avoid re-authentication for a

predetermined period of time)

• Anonymous authentication (allowing every unauthenticated call to automatically assume a particular

security identity)

• Run-as authentication (which is useful if one call should proceed with a different security identity)

• Java Authentication and Authorization Service (JAAS)

Spring Security

3.1.6.RELEASE 3

• JEE container autentication (so you can still use Container Managed Authentication if desired)

• Kerberos

• Java Open Source Single Sign On (JOSSO) *

• OpenNMS Network Management Platform *

• AppFuse *

• AndroMDA *

• Mule ESB *

• Direct Web Request (DWR) *

• Grails *

• Tapestry *

• JTrac *

• Jasypt *

• Roller *

• Elastic Path *

• Atlassian Crowd *

• Your own authentication systems (see below)

(* Denotes provided by a third party

Many independent software vendors (ISVs) adopt Spring Security because of this significant choice of flexible

authentication models. Doing so allows them to quickly integrate their solutions with whatever their end clients

need, without undertaking a lot of engineering or requiring the client to change their environment. If none

of the above authentication mechanisms suit your needs, Spring Security is an open platform and it is quite

simple to write your own authentication mechanism. Many corporate users of Spring Security need to integrate

with "legacy" systems that don't follow any particular security standards, and Spring Security is happy to "play

nicely" with such systems.

Irrespective of the authentication mechanism, Spring Security provides a deep set of authorization capabilities.

There are three main areas of interest - authorizing web requests, authorizing whether methods can be invoked,

and authorizing access to individual domain object instances. To help you understand the differences, consider

the authorization capabilities found in the Servlet Specification web pattern security, EJB Container Managed

Security and file system security respectively. Spring Security provides deep capabilities in all of these

important areas, which we'll explore later in this reference guide.

1.2 History

Spring Security began in late 2003 as “The Acegi Security System for Spring”. A question was posed on

the Spring Developers' mailing list asking whether there had been any consideration given to a Spring-based

security implementation. At the time the Spring community was relatively small (especially compared with the

size today!), and indeed Spring itself had only existed as a SourceForge project from early 2003. The response

to the question was that it was a worthwhile area, although a lack of time currently prevented its exploration.

With that in mind, a simple security implementation was built and not released. A few weeks later another

member of the Spring community inquired about security, and at the time this code was offered to them. Several

other requests followed, and by January 2004 around twenty people were using the code. These pioneering

Spring Security

3.1.6.RELEASE 4

users were joined by others who suggested a SourceForge project was in order, which was duly established

in March 2004.

In those early days, the project didn't have any of its own authentication modules. Container Managed Security

was relied upon for the authentication process, with Acegi Security instead focusing on authorization. This was

suitable at first, but as more and more users requested additional container support, the fundamental limitation

of container-specific authentication realm interfaces became clear. There was also a related issue of adding new

JARs to the container's classpath, which was a common source of end user confusion and misconfiguration.

Acegi Security-specific authentication services were subsequently introduced. Around a year later, Acegi

Security became an official Spring Framework subproject. The 1.0.0 final release was published in May 2006 -

after more than two and a half years of active use in numerous production software projects and many hundreds

of improvements and community contributions.

Acegi Security became an official Spring Portfolio project towards the end of 2007 and was rebranded as

“Spring Security”.

Today Spring Security enjoys a strong and active open source community. There are thousands of messages

about Spring Security on the support forums. There is an active core of developers who work on the code itself

and an active community which also regularly share patches and support their peers.

1.3 Release Numbering

It is useful to understand how Spring Security release numbers work, as it will help you identify the effort

(or lack thereof) involved in migrating to future releases of the project. Each release uses a standard triplet of

integers: MAJOR.MINOR.PATCH. The intent is that MAJOR versions are incompatible, large-scale upgrades

of the API. MINOR versions should largely retain source and binary compatibility with older minor versions,

thought there may be some design changes and incompatible udates. PATCH level should be perfectly

compatible, forwards and backwards, with the possible exception of changes which are to fix bugs and defects.

The extent to which you are affected by changes will depend on how tightly integrated your code is. If you

are doing a lot of customization you are more likely to be affected than if you are using a simple namespace

configuration.

You should always test your application thoroughly before rolling out a new version.

1.4 Getting Spring Security

You can get hold of Spring Security in several ways. You can download a packaged distribution

from the main Spring download page [http://www.springsource.com/download/community?project=Spring

%20Security], download individual jars (and sample WAR files) from the Maven Central repository (or a

SpringSource Maven repository for snapshot and milestone releases) or, alternatively, you can build the project

from source yourself. See the project web site for more details.

Project Modules

In Spring Security 3.0, the codebase has been sub-divided into separate jars which more clearly separate

different functionaltiy areas and third-party dependencies. If you are using Maven to build your project, then

Spring Security

3.1.6.RELEASE 5

these are the modules you will add to your pom.xml. Even if you're not using Maven, we'd recommend that

you consult the pom.xml files to get an idea of third-party dependencies and versions. Alternatively, a good

idea is to examine the libraries that are included in the sample applications.

Core - spring-security-core.jar

Contains core authentication and access-contol classes and interfaces, remoting support and basic provisioning

APIs. Required by any application which uses Spring Security. Supports standalone applications, remote

clients, method (service layer) security and JDBC user provisioning. Contains the top-level packages:

• org.springframework.security.core

• org.springframework.security.access

• org.springframework.security.authentication

• org.springframework.security.provisioning

Remoting - spring-security-remoting.jar

Provides intergration with Spring Remoting. You don't need this unless you are writing a remote client which

uses Spring Remoting. The main package is org.springframework.security.remoting.

Web - spring-security-web.jar

Contains filters and related web-security infrastructure code. Anything with a servlet API dependency. You'll

need it if you require Spring Security web authentication services and URL-based access-control. The main

package is org.springframework.security.web.

Config - spring-security-config.jar

Contains the security namespace parsing code. You need it if you are using the Spring Security XML namespace

for configuration. The main package is org.springframework.security.config. None of the

classes are intended for direct use in an application.

LDAP - spring-security-ldap.jar

LDAP authentication and provisioning code. Required if you need to use LDAP authentication or manage

LDAP user entries. The top-level package is org.springframework.security.ldap.

ACL - spring-security-acl.jar

Specialized domain object ACL implementation. Used to apply security to specific domain object instances

within your application. The top-level package is org.springframework.security.acls.

CAS - spring-security-cas.jar

Spring Security's CAS client integration. If you want to use Spring Security web authentication with a CAS

single sign-on server. The top-level package is org.springframework.security.cas.

剩余182页未读，继续阅读

ziiancs

粉丝: 0
资源: 5

Spring Security 3.1.6 使用与配置指南

Spring Security Reference中文版

spring-security-config-3.1.6.RELEASE.zip

Project 'org.springframework.boot:spring-boot-starter-parent:3.1.6' not found

windowsgawk3.1.6怎么安装

gawk-3.1.6-1-bin

spring data elasticsearch 与elasticsearch的对应关系

VS 引用libmodbus-3.1.6

jgm/pandoc/releases/tag/3.1.6

antv-v3.1.6-...a213.apk

/usr/src/debug/cygwin-3.1.6-1/winsup/cygwin/lib/libcmain.c:37: undefined reference to `WinMain'

antv-v3.1.6...xza213.apk

prosys-opc-ua-client-3.1.6-322.exe

vue2.6.14使用什么版本vue-router

linux编译安装libmodbus库

raw string

windows awk下载

win 'awk' 不是内部或外部命令，也不是可运行的程序

vs如何安装libmodbus库在window

webpack漏洞利用

最新资源