Spring Security 4.0.3.RELEASE 官方英文文档解析

Spring

需积分: 9 108 浏览量更新于2024-07-20 收藏 1.65MB PDF 举报

身份认证购VIP最低享 7 折!

领优惠券(最高得80元）

"Spring Security 官方说明文档(英文版)" Spring Security 是一个强大的且高度可配置的安全框架，专为Java应用程序设计，特别是基于Spring生态系统的应用。这份文档是4.0.3.RELEASE版本，由Ben Alex、Luke Taylor、Rob Winch和Gunnar Hillert等人编写，并受版权保护。文档的前言部分介绍了Spring Security的基本概念和历史。Spring Security旨在提供全面的身份验证、授权和安全控制，用于保护Web应用程序和企业级应用。自2004年以来，它不断发展，成为Java安全领域的重要组成部分。 "Getting Started"章节是入门指南，其中： 1.1. "What is Spring Security?" 描述了Spring Security的主要功能，包括身份验证（Authentication）——确认用户身份，以及授权（Authorization）——决定用户可以访问哪些资源。 1.2. "History"概述了Spring Security的发展历程，展示了其如何从最初的Acegi Security演变为现在的Spring Security。 1.3. "Release Numbering"解释了Spring Security的版本命名规则，帮助用户理解版本间的差异和兼容性。 1.4. "Getting Spring Security"提供了获取和集成Spring Security到项目中的指导，包括使用Maven或Gradle的依赖管理，以及Spring Framework的Bill of Materials (BOM)。对于Maven用户，Spring Security可以通过Maven仓库获取，而对于Gradle用户，提供了相关的配置方法。此外，文档还提到了不同模块，如： - Core-spring-security-core.jar：核心模块，包含基本的安全组件。 - Remoting-spring-security-remoting.jar：远程调用的安全支持。 - Web-spring-security-web.jar：Web应用的安全防护。 - Config-spring-security-config.jar：配置相关的类库。 - LDAP-spring-security-ldap.jar：与LDAP（轻量级目录访问协议）集成的安全服务。 - ACL-spring-security-acl.jar：访问控制列表，用于细粒度的权限管理。 - CAS-spring-security-cas.jar：与CAS（Central Authentication Service）服务器的集成。 - OpenID-spring-security-openid.jar：对OpenID身份验证的支持。另外，文档还提到了如何检查和获取源代码，以便进行深入学习和自定义开发。 "2. What's new in Spring Security 4.0"章节详细列出了该版本的新特性，但在这个摘要中没有给出具体的内容。通常，新版本会包括性能提升、新的API、改进的安全特性和对旧版本的兼容性更新等。 Spring Security的全面性使得它能够处理各种安全需求，从基本的登录验证到复杂的访问控制策略，包括HTTP安全头配置、CSRF（跨站请求伪造）防护、OAuth2整合等。这份文档是学习和使用Spring Security的重要参考资料，对于任何希望加强Java应用安全性的开发者来说都是不可或缺的。

资源详情

资源推荐

Part I. Preface

Spring Security provides a comprehensive security solution for Java EE-based enterprise software

applications. As you will discover as you venture through this reference guide, we have tried to provide

you a useful and highly configurable security system.

Security is an ever-moving target, and it’s important to pursue a comprehensive, system-wide approach.

In security circles we encourage you to adopt "layers of security", so that each layer tries to be as secure

as possible in its own right, with successive layers providing additional security. The "tighter" the security

of each layer, the more robust and safe your application will be. At the bottom level you’ll need to deal

with issues such as transport security and system identification, in order to mitigate man-in-the-middle

attacks. Next you’ll generally utilise firewalls, perhaps with VPNs or IP security to ensure only authorised

systems can attempt to connect. In corporate environments you may deploy a DMZ to separate public-

facing servers from backend database and application servers. Your operating system will also play

a critical part, addressing issues such as running processes as non-privileged users and maximising

file system security. An operating system will usually also be configured with its own firewall. Hopefully

somewhere along the way you’ll be trying to prevent denial of service and brute force attacks against

the system. An intrusion detection system will also be especially useful for monitoring and responding to

attacks, with such systems able to take protective action such as blocking offending TCP/IP addresses in

real-time. Moving to the higher layers, your Java Virtual Machine will hopefully be configured to minimize

the permissions granted to different Java types, and then your application will add its own problem

domain-specific security configuration. Spring Security makes this latter area - application security -

much easier.

Of course, you will need to properly address all security layers mentioned above, together with

managerial factors that encompass every layer. A non-exhaustive list of such managerial factors would

include security bulletin monitoring, patching, personnel vetting, audits, change control, engineering

management systems, data backup, disaster recovery, performance benchmarking, load monitoring,

centralised logging, incident response procedures etc.

With Spring Security being focused on helping you with the enterprise application security layer, you will

find that there are as many different requirements as there are business problem domains. A banking

application has different needs from an ecommerce application. An ecommerce application has different

needs from a corporate sales force automation tool. These custom requirements make application

security interesting, challenging and rewarding.

Please read Part II, “Getting Started”, in its entirety to begin with. This will introduce you to the framework

and the namespace-based configuration system with which you can get up and running quite quickly.

To get more of an understanding of how Spring Security works, and some of the classes you might need

to use, you should then read Part III, “Architecture and Implementation”. The remaining parts of this

guide are structured in a more traditional reference style, designed to be read on an as-required basis.

We’d also recommend that you read up as much as possible on application security issues in general.

Spring Security is not a panacea which will solve all security issues. It is important that the application

is designed with security in mind from the start. Attempting to retrofit it is not a good idea. In particular,

if you are building a web application, you should be aware of the many potential vulnerabilities such

as cross-site scripting, request-forgery and session-hijacking which you should be taking into account

from the start. The OWASP web site (http://www.owasp.org/) maintains a top ten list of web application

vulnerabilities as well as a lot of useful reference information.

We hope that you find this reference guide useful, and we welcome your feedback and suggestions.

Spring Security Reference

4.0.3.RELEASE Spring Security 4

1. Introduction

1.1 What is Spring Security?

Spring Security provides comprehensive security services for Java EE-based enterprise software

applications. There is a particular emphasis on supporting projects built using The Spring Framework,

which is the leading Java EE solution for enterprise software development. If you’re not using Spring for

developing enterprise applications, we warmly encourage you to take a closer look at it. Some familiarity

with Spring - and in particular dependency injection principles - will help you get up to speed with Spring

Security more easily.

People use Spring Security for many reasons, but most are drawn to the project after finding the security

features of Java EE’s Servlet Specification or EJB Specification lack the depth required for typical

enterprise application scenarios. Whilst mentioning these standards, it’s important to recognise that they

are not portable at a WAR or EAR level. Therefore, if you switch server environments, it is typically a lot

of work to reconfigure your application’s security in the new target environment. Using Spring Security

overcomes these problems, and also brings you dozens of other useful, customisable security features.

As you probably know two major areas of application security are "authentication" and "authorization" (or

"access-control"). These are the two main areas that Spring Security targets. "Authentication" is the

process of establishing a principal is who they claim to be (a "principal" generally means a user, device

or some other system which can perform an action in your application)."Authorization" refers to the

process of deciding whether a principal is allowed to perform an action within your application. To arrive

at the point where an authorization decision is needed, the identity of the principal has already been

established by the authentication process. These concepts are common, and not at all specific to Spring

Security.

At an authentication level, Spring Security supports a wide range of authentication models. Most of

these authentication models are either provided by third parties, or are developed by relevant standards

bodies such as the Internet Engineering Task Force. In addition, Spring Security provides its own set of

authentication features. Specifically, Spring Security currently supports authentication integration with

all of these technologies:

• HTTP BASIC authentication headers (an IETF RFC-based standard)

• HTTP Digest authentication headers (an IETF RFC-based standard)

• HTTP X.509 client certificate exchange (an IETF RFC-based standard)

• LDAP (a very common approach to cross-platform authentication needs, especially in large

environments)

• Form-based authentication (for simple user interface needs)

• OpenID authentication

• Authentication based on pre-established request headers (such as Computer Associates Siteminder)

• JA-SIG Central Authentication Service (otherwise known as CAS, which is a popular open source

single sign-on system)

• Transparent authentication context propagation for Remote Method Invocation (RMI) and HttpInvoker

(a Spring remoting protocol)

Spring Security Reference

4.0.3.RELEASE Spring Security 5

• Automatic "remember-me" authentication (so you can tick a box to avoid re-authentication for a

predetermined period of time)

• Anonymous authentication (allowing every unauthenticated call to automatically assume a particular

security identity)

• Run-as authentication (which is useful if one call should proceed with a different security identity)

• Java Authentication and Authorization Service (JAAS)

• JEE container autentication (so you can still use Container Managed Authentication if desired)

• Kerberos

• Java Open Source Single Sign On (JOSSO) *

• OpenNMS Network Management Platform *

• AppFuse *

• AndroMDA *

• Mule ESB *

• Direct Web Request (DWR) *

• Grails *

• Tapestry *

• JTrac *

• Jasypt *

• Roller *

• Elastic Path *

• Atlassian Crowd *

• Your own authentication systems (see below)

(* Denotes provided by a third party

Many independent software vendors (ISVs) adopt Spring Security because of this significant choice of

flexible authentication models. Doing so allows them to quickly integrate their solutions with whatever

their end clients need, without undertaking a lot of engineering or requiring the client to change their

environment. If none of the above authentication mechanisms suit your needs, Spring Security is an

open platform and it is quite simple to write your own authentication mechanism. Many corporate users

of Spring Security need to integrate with "legacy" systems that don’t follow any particular security

standards, and Spring Security is happy to "play nicely" with such systems.

Irrespective of the authentication mechanism, Spring Security provides a deep set of authorization

capabilities. There are three main areas of interest - authorizing web requests, authorizing whether

methods can be invoked, and authorizing access to individual domain object instances. To help you

understand the differences, consider the authorization capabilities found in the Servlet Specification web

剩余241页未读，继续阅读

冥王•雷利

粉丝: 40
资源: 30

Spring Security 4.0.3.RELEASE 官方英文文档解析

springsecurity3.1官方手册(含中文版-英文版)

Spring Security Third Edition.pdf英文版

Spring security 4 帮助文档(英文版)

Spring Security 3.0.1中文官方文档翻译版

Spring Security 3.0.1 中文官方文档翻译修订版

Spring Security 3.0.1 中文官方文档翻译版

Spring Security 3.0.1 中文官方文档翻译版详解

Spring Security 3.0.1中文修复版文档翻译与入门指南

Spring Security集成Thymeleaf模板

Spring Security框架解析与实践

Spring Security过滤器链解析

Spring Security登录失败处理与策略

Spring Security中的注解权限控制

springsecurity6.1中文文档

springsecurity官方文档

Spring Security中文文档

spring security api文档

Spring Security的官方文档

spring security 3.2.5文档

springsecurity5.5.7版本

最新资源