Spring Security 3.1：权威参考指南

需积分: 10 164 浏览量更新于2024-07-26 收藏 1.15MB PDF 举报

"Spring Security是Spring框架的一个强大安全模块，提供了全面的应用程序安全解决方案。它涵盖了身份验证、授权、CSRF防护、访问控制等多个方面，是Java开发者构建安全Web应用的必备工具。" Spring Security的核心功能和组件包括： 1. **身份验证**：Spring Security提供了多种身份验证方式，如基于内存的用户数据、数据库连接、LDAP服务器等。用户可以通过用户名和密码进行登录，也可以通过CAS或OpenID等单点登录协议进行身份验证。 2. **授权**：系统支持基于角色的访问控制（RBAC），可以定义不同角色对资源的访问权限。此外，它还提供了表达式语言，允许在运行时动态地决定访问权限。 3. **过滤器链**：Spring Security通过一系列的过滤器处理HTTP请求，实现对请求的拦截和安全控制。这些过滤器包括了认证、会话管理、CSRF防护等功能。 4. **Web安全配置**：Spring Security提供了一套XML命名空间配置，简化了安全配置。例如，`<http>`元素可以用于配置各种安全特性，如自动配置、登录表单、基本认证等。 5. **Remember Me服务**：Spring Security支持“记住我”功能，允许用户在一段时间内无需再次登录。 6. **CSRF防护**：Spring Security内置了CSRF（跨站请求伪造）防护机制，防止恶意第三方利用用户已登录状态进行非预期操作。 7. **AOP安全注解**：Spring Security与Spring AOP结合，允许开发者使用注解来声明哪些方法需要特定的权限才能访问。 8. **自定义扩展**：Spring Security的灵活性使得开发者可以方便地扩展其功能，包括自定义认证提供者、权限决策管理器、访问决策投票器等。 9. **多模块架构**：Spring Security由多个模块组成，如core、web、config、ldap等，每个模块都专注于特定的安全领域，便于按需选择和集成。 10. **版本更新**：Spring Security 3.1引入了许多新特性，如高级别的更新、新的命名空间配置等，提升了安全性和易用性。了解和掌握Spring Security是构建安全的Spring应用的关键。通过深入学习其原理和实践，开发者能够有效地保护应用程序免受各种攻击，确保用户数据的安全。

Spring Security

3.1.3.RELEASE 2

1.1 What is Spring Security?

Spring Security provides comprehensive security services for J2EE-based enterprise software applications.

There is a particular emphasis on supporting projects built using The Spring Framework, which is the leading

J2EE solution for enterprise software development. If you're not using Spring for developing enterprise

applications, we warmly encourage you to take a closer look at it. Some familiarity with Spring - and in

particular dependency injection principles - will help you get up to speed with Spring Security more easily.

People use Spring Security for many reasons, but most are drawn to the project after finding the security features

of J2EE's Servlet Specification or EJB Specification lack the depth required for typical enterprise application

scenarios. Whilst mentioning these standards, it's important to recognise that they are not portable at a WAR

or EAR level. Therefore, if you switch server environments, it is typically a lot of work to reconfigure your

application's security in the new target environment. Using Spring Security overcomes these problems, and

also brings you dozens of other useful, customisable security features.

As you probably know two major areas of application security are “authentication” and “authorization” (or

“access-control”). These are the two main areas that Spring Security targets. “Authentication” is the process

of establishing a principal is who they claim to be (a “principal” generally means a user, device or some other

system which can perform an action in your application). “Authorization” refers to the process of deciding

whether a principal is allowed to perform an action within your application. To arrive at the point where an

authorization decision is needed, the identity of the principal has already been established by the authentication

process. These concepts are common, and not at all specific to Spring Security.

At an authentication level, Spring Security supports a wide range of authentication models. Most of these

authentication models are either provided by third parties, or are developed by relevant standards bodies such as

the Internet Engineering Task Force. In addition, Spring Security provides its own set of authentication features.

Specifically, Spring Security currently supports authentication integration with all of these technologies:

• HTTP BASIC authentication headers (an IETF RFC-based standard)

• HTTP Digest authentication headers (an IETF RFC-based standard)

• HTTP X.509 client certificate exchange (an IETF RFC-based standard)

• LDAP (a very common approach to cross-platform authentication needs, especially in large environments)

• Form-based authentication (for simple user interface needs)

• OpenID authentication

• Authentication based on pre-established request headers (such as Computer Associates Siteminder)

• JA-SIG Central Authentication Service (otherwise known as CAS, which is a popular open source single

sign-on system)

• Transparent authentication context propagation for Remote Method Invocation (RMI) and HttpInvoker (a

Spring remoting protocol)

• Automatic "remember-me" authentication (so you can tick a box to avoid re-authentication for a

predetermined period of time)

• Anonymous authentication (allowing every unauthenticated call to automatically assume a particular

security identity)

• Run-as authentication (which is useful if one call should proceed with a different security identity)

• Java Authentication and Authorization Service (JAAS)

Spring Security

3.1.3.RELEASE 3

• JEE container autentication (so you can still use Container Managed Authentication if desired)

• Kerberos

• Java Open Source Single Sign On (JOSSO) *

• OpenNMS Network Management Platform *

• AppFuse *

• AndroMDA *

• Mule ESB *

• Direct Web Request (DWR) *

• Grails *

• Tapestry *

• JTrac *

• Jasypt *

• Roller *

• Elastic Path *

• Atlassian Crowd *

• Your own authentication systems (see below)

(* Denotes provided by a third party

Many independent software vendors (ISVs) adopt Spring Security because of this significant choice of flexible

authentication models. Doing so allows them to quickly integrate their solutions with whatever their end clients

need, without undertaking a lot of engineering or requiring the client to change their environment. If none

of the above authentication mechanisms suit your needs, Spring Security is an open platform and it is quite

simple to write your own authentication mechanism. Many corporate users of Spring Security need to integrate

with "legacy" systems that don't follow any particular security standards, and Spring Security is happy to "play

nicely" with such systems.

Irrespective of the authentication mechanism, Spring Security provides a deep set of authorization capabilities.

There are three main areas of interest - authorizing web requests, authorizing whether methods can be invoked,

and authorizing access to individual domain object instances. To help you understand the differences, consider

the authorization capabilities found in the Servlet Specification web pattern security, EJB Container Managed

Security and file system security respectively. Spring Security provides deep capabilities in all of these

important areas, which we'll explore later in this reference guide.

1.2 History

Spring Security began in late 2003 as “The Acegi Security System for Spring”. A question was posed on

the Spring Developers' mailing list asking whether there had been any consideration given to a Spring-based

security implementation. At the time the Spring community was relatively small (especially compared with the

size today!), and indeed Spring itself had only existed as a SourceForge project from early 2003. The response

to the question was that it was a worthwhile area, although a lack of time currently prevented its exploration.

With that in mind, a simple security implementation was built and not released. A few weeks later another

member of the Spring community inquired about security, and at the time this code was offered to them. Several

other requests followed, and by January 2004 around twenty people were using the code. These pioneering

Spring Security

3.1.3.RELEASE 4

users were joined by others who suggested a SourceForge project was in order, which was duly established

in March 2004.

In those early days, the project didn't have any of its own authentication modules. Container Managed Security

was relied upon for the authentication process, with Acegi Security instead focusing on authorization. This was

suitable at first, but as more and more users requested additional container support, the fundamental limitation

of container-specific authentication realm interfaces became clear. There was also a related issue of adding new

JARs to the container's classpath, which was a common source of end user confusion and misconfiguration.

Acegi Security-specific authentication services were subsequently introduced. Around a year later, Acegi

Security became an official Spring Framework subproject. The 1.0.0 final release was published in May 2006 -

after more than two and a half years of active use in numerous production software projects and many hundreds

of improvements and community contributions.

Acegi Security became an official Spring Portfolio project towards the end of 2007 and was rebranded as

“Spring Security”.

Today Spring Security enjoys a strong and active open source community. There are thousands of messages

about Spring Security on the support forums. There is an active core of developers who work on the code itself

and an active community which also regularly share patches and support their peers.

1.3 Release Numbering

It is useful to understand how Spring Security release numbers work, as it will help you identify the effort

(or lack thereof) involved in migrating to future releases of the project. Each release uses a standard triplet of

integers: MAJOR.MINOR.PATCH. The intent is that MAJOR versions are incompatible, large-scale upgrades

of the API. MINOR versions should largely retain source and binary compatibility with older minor versions,

thought there may be some design changes and incompatible udates. PATCH level should be perfectly

compatible, forwards and backwards, with the possible exception of changes which are to fix bugs and defects.

The extent to which you are affected by changes will depend on how tightly integrated your code is. If you

are doing a lot of customization you are more likely to be affected than if you are using a simple namespace

configuration.

You should always test your application thoroughly before rolling out a new version.

1.4 Getting Spring Security

You can get hold of Spring Security in several ways. You can download a packaged distribution

from the main Spring download page [http://www.springsource.com/download/community?project=Spring

%20Security], download individual jars (and sample WAR files) from the Maven Central repository (or a

SpringSource Maven repository for snapshot and milestone releases) or, alternatively, you can build the project

from source yourself. See the project web site for more details.

Project Modules

In Spring Security 3.0, the codebase has been sub-divided into separate jars which more clearly separate

different functionaltiy areas and third-party dependencies. If you are using Maven to build your project, then

Spring Security

3.1.3.RELEASE 5

these are the modules you will add to your pom.xml. Even if you're not using Maven, we'd recommend that

you consult the pom.xml files to get an idea of third-party dependencies and versions. Alternatively, a good

idea is to examine the libraries that are included in the sample applications.

Core - spring-security-core.jar

Contains core authentication and access-contol classes and interfaces, remoting support and basic provisioning

APIs. Required by any application which uses Spring Security. Supports standalone applications, remote

clients, method (service layer) security and JDBC user provisioning. Contains the top-level packages:

• org.springframework.security.core

• org.springframework.security.access

• org.springframework.security.authentication

• org.springframework.security.provisioning

Remoting - spring-security-remoting.jar

Provides intergration with Spring Remoting. You don't need this unless you are writing a remote client which

uses Spring Remoting. The main package is org.springframework.security.remoting.

Web - spring-security-web.jar

Contains filters and related web-security infrastructure code. Anything with a servlet API dependency. You'll

need it if you require Spring Security web authentication services and URL-based access-control. The main

package is org.springframework.security.web.

Config - spring-security-config.jar

Contains the security namespace parsing code. You need it if you are using the Spring Security XML namespace

for configuration. The main package is org.springframework.security.config. None of the

classes are intended for direct use in an application.

LDAP - spring-security-ldap.jar

LDAP authentication and provisioning code. Required if you need to use LDAP authentication or manage

LDAP user entries. The top-level package is org.springframework.security.ldap.

ACL - spring-security-acl.jar

Specialized domain object ACL implementation. Used to apply security to specific domain object instances

within your application. The top-level package is org.springframework.security.acls.

CAS - spring-security-cas.jar

Spring Security's CAS client integration. If you want to use Spring Security web authentication with a CAS

single sign-on server. The top-level package is org.springframework.security.cas.

剩余182页未读，继续阅读

lianchen7999

粉丝: 1
资源: 8

Spring Security 3.1：权威参考指南

Spring Security 3.pdf

spring security 3.0入门教程PDF

Spring security4.1 中文版参考手册 PDF版

spring-security-reference.pdf

spring-security-reference-4.2.2.pdf

spring-framework-5.2.0+spring-security-5.3.1.pdf

Packt.Hands-On.Spring.Security.5.for.Reactive.Applications

spring-boot-reference.pdf

spring-framework-reference.pdf

Beginning-Spring-Boot-2.pdf

最新资源