|
|
@@ -4,207 +4,14 @@
|
|
|
|
|
|
What is Spring Security?
|
|
|
|
|
|
- Spring Security is a powerful, flexible security solution for enterprise software,
|
|
|
- with a particular emphasis on applications that use
|
|
|
- {{{http://www.springframework.org/}Spring}}. Using Spring Security provides your
|
|
|
- applications with comprehensive authentication, authorization, instance-based access control,
|
|
|
- channel security and human user detection capabilities.
|
|
|
-
|
|
|
-Key Features
|
|
|
-
|
|
|
- * <<Stable and mature:>> Acegi Security 1.0.0 was released in May 2006 after
|
|
|
- more than two and a half years of use in large production software projects, 70,000+ downloads
|
|
|
- and hundreds of community contributions.
|
|
|
- In terms of release numbering, we also use the
|
|
|
- {{{http://apr.apache.org/versioning.html}Apache APR Project Versioning Guidelines}} so that you can easily identify release compatibility.
|
|
|
-
|
|
|
- * <<Well documented:>> All APIs are fully documented using
|
|
|
- {{{http://acegisecurity.org/multiproject/acegi-security/apidocs/index.html}JavaDoc}},
|
|
|
- with almost 100 pages of
|
|
|
- {{{./reference.html}Reference Guide}} documentation providing an easy-to-follow
|
|
|
- introduction. Even more documentation is provided on this web site, as
|
|
|
- shown in the left hand navigation sidebar.
|
|
|
-
|
|
|
- * <<Fast results:>> View our {{{./suggested.html}suggested steps}}
|
|
|
- for the fastest way to develop complex, security-compliant applications.
|
|
|
-
|
|
|
- * <<Enterprise-wide single sign on:>> Using JA-SIG's open
|
|
|
- source {{{http://www.ja-sig.org/products/cas/}Central Authentication Service}} (CAS),
|
|
|
- the Spring Security can participate
|
|
|
- in an enterprise-wide single sign on environment. You no longer need
|
|
|
- every web application to have its own authentication database. Nor are
|
|
|
- you restricted to single sign on across a single web container. Advanced
|
|
|
- single sign on features like proxy support and forced refresh of logins
|
|
|
- are supported by both CAS and Spring Security. Several other SSO solutions
|
|
|
- are also provided by third party projects, including JOSSO and CAS.
|
|
|
-
|
|
|
- * <<Reuses your Spring expertise:>> We use Spring application
|
|
|
- contexts for all configuration, which should help Spring developers get
|
|
|
- up-to-speed nice and quickly.
|
|
|
-
|
|
|
- * <<Domain object instance security:>> In many applications it's
|
|
|
- desirable to define Access Control Lists (ACLs) for individual domain
|
|
|
- object instances. We provide a comprehensive ACL package with features
|
|
|
- including integer bit masking, permission inheritence (including
|
|
|
- blocking), a JDBC-backed ACL repository, caching and a pluggable,
|
|
|
- interface-driven design.
|
|
|
-
|
|
|
- * <<Non-intrusive setup:>> The entire security system can operate
|
|
|
- within a single web application using the provided filters. There is no
|
|
|
- need to make special changes or deploy libraries to your Servlet or EJB
|
|
|
- container.
|
|
|
-
|
|
|
- * <<Full (but optional) container integration:>> The credential
|
|
|
- collection and authorization capabilities of your Servlet or EJB
|
|
|
- container can be fully utilised via included "container adapters". We
|
|
|
- currently support Catalina (Tomcat), Jetty, JBoss and Resin, with
|
|
|
- additional containers easily added.
|
|
|
-
|
|
|
- * <<Keeps your objects free of security code:>> Many applications
|
|
|
- need to secure data at the bean level based on any combination of
|
|
|
- parameters (user, time of day, authorities held, method being invoked,
|
|
|
- parameter on method being invoked....). This package gives you this
|
|
|
- flexibility without adding security code to your Spring business
|
|
|
- objects.
|
|
|
-
|
|
|
- * <<After invocation security:>> Spring Security can not only protect
|
|
|
- methods from being invoked in the first place, but it can also
|
|
|
- deal with the objects returned from the methods. Included implementations
|
|
|
- of after invocation security can throw an exception or mutate the returned
|
|
|
- object based on ACLs.
|
|
|
-
|
|
|
- * <<Secures your HTTP requests as well:>> In addition to securing
|
|
|
- your beans, the project also secures your HTTP requests. No longer is it
|
|
|
- necessary to rely on web.xml security constraints. Best of all, your
|
|
|
- HTTP requests can now be secured by your choice of regular expressions
|
|
|
- or Apache Ant paths, along with pluggable authentication, authorization
|
|
|
- and run-as replacement managers.
|
|
|
-
|
|
|
- * <<Channel security:>> Spring Security can
|
|
|
- automatically redirect requests across an appropriate transport channel.
|
|
|
- Whilst flexible enough to support any of your "channel" requirements (eg
|
|
|
- the remote user is a human, not a robot), a common channel security
|
|
|
- feature is to ensure your secure pages will only be available over
|
|
|
- HTTPS, and your public pages only over HTTP. Spring Security also
|
|
|
- supports unusual port combinations (including if accessed via an
|
|
|
- intermediate server like Apache) and pluggable transport decision
|
|
|
- managers.
|
|
|
-
|
|
|
- * <<Supports HTTP BASIC authentication:>> Perfect for remoting
|
|
|
- protocols or those web applications that prefer a simple browser pop-up
|
|
|
- (rather than a form login), Spring Security can directly process HTTP
|
|
|
- BASIC authentication requests as per RFC 1945.
|
|
|
-
|
|
|
- * <<Supports HTTP Digest authentication:>> For greater security than
|
|
|
- offered by BASIC authentcation, Spring Security also supports Digest Authentication
|
|
|
- (which never sends the user's password across the wire). Digest Authentication
|
|
|
- is widely supported by modern browsers. Spring Security's implementation complies
|
|
|
- with both RFC 2617 and RFC 2069.
|
|
|
-
|
|
|
- * <<Computer Associates Siteminder support:>> Authentication can be
|
|
|
- delegated through to CA's Siteminder solution, which is common in large
|
|
|
- corporate environments.
|
|
|
-
|
|
|
- * <<X509 (Certificate) support:>> Spring Security can easily read
|
|
|
- client-side X509 certificates for authenticating users.
|
|
|
-
|
|
|
- * <<LDAP Support:>> Do you have an LDAP directory? Spring Security can
|
|
|
- happily authenticate against it.
|
|
|
-
|
|
|
- * <<Tag library support:>> Your JSP files can use our taglib
|
|
|
- to ensure that protected content like links and messages are only
|
|
|
- displayed to users holding the appropriate granted authorities. The taglib
|
|
|
- also fully integrates with Spring Security's ACL services, and
|
|
|
- obtaining extra information about the logged-in principal.
|
|
|
-
|
|
|
- * <<Configuration via IoC XML, Commons Attributes, or JDK 5 Annotations:>> You
|
|
|
- select the method used to configure your security environment. The
|
|
|
- project supports configuration via Spring application contexts, as well
|
|
|
- as Jakarta Commons Attributes and Java 5's annotations feature. Some users
|
|
|
- (such as those building content management systems) pull configuration data
|
|
|
- from a database, which exemplifies Spring Security's flexible configuration
|
|
|
- metadata system.
|
|
|
-
|
|
|
- * <<Various authentication backends:>> We include the ability to
|
|
|
- retrieve your user and granted authority definitions from an XML
|
|
|
- file, JDBC datasource or Properties file. Alternatively, you can implement the
|
|
|
- single-method UserDetailsService interface and obtain authentication details from
|
|
|
- anywhere you like.
|
|
|
-
|
|
|
- * <<Event support:>> Building upon Spring's
|
|
|
- <<<ApplicationEvent>>> services, you can write your own listeners
|
|
|
- for authentication-related events, along with authorisation-related events.
|
|
|
- This enables you to implement account lockout and audit log systems, with
|
|
|
- complete decoupling from Spring Security code.
|
|
|
-
|
|
|
- * <<Easy integration with existing databases:>> Our implementations
|
|
|
- have been designed to make it very easy to use your existing
|
|
|
- authentication schema and data (without modification). Of course,
|
|
|
- you can also provide your own Data Access Object if you wish.
|
|
|
-
|
|
|
- * <<Caching:>> Spring Security integrates with Spring's {{{http://ehcache.sourceforge.net}EHCACHE}} factory.
|
|
|
- This flexibility means your database (or other authentication
|
|
|
- repository) is not repeatedly queried for authentication
|
|
|
- information.
|
|
|
-
|
|
|
- * <<Pluggable architecture:>> Every critical aspect of the package
|
|
|
- has been modelled using high cohesion, loose coupling, interface-driven
|
|
|
- design principles. You can easily replace, customise or extend parts of
|
|
|
- the package.
|
|
|
-
|
|
|
- * <<Startup-time validation:>> Every critical object dependency and
|
|
|
- configuration parameter is validated at application context startup
|
|
|
- time. Security configuration errors are therefore detected early and
|
|
|
- corrected quickly.
|
|
|
-
|
|
|
- * <<Remoting support:>> Does your project use a rich client? Not a
|
|
|
- problem. Spring Security integrates with standard Spring remoting
|
|
|
- protocols, because it automatically processes the HTTP BASIC
|
|
|
- authentication headers they present. Add our BASIC authentication filter
|
|
|
- to your web.xml and you're done. You can also easily use RMI or Digest
|
|
|
- authentication for your rich clients with a simple configuration statement.
|
|
|
-
|
|
|
- * <<Advanced password encoding:>> Of course, passwords in your
|
|
|
- authentication repository need not be in plain text. We support both SHA
|
|
|
- and MD5 encoding, and also pluggable "salt" providers to maximise
|
|
|
- password security. Spring Security doesn't even need to see the password
|
|
|
- if your backend can use a bind-based strategy for authentication (such as
|
|
|
- an LDAP directory, or a database login).
|
|
|
-
|
|
|
- * <<Run-as replacement:>> The system fully supports
|
|
|
- temporarily replacing the authenticated principal for the duration of the web
|
|
|
- request or bean invocation. This enables you to build public-facing
|
|
|
- object tiers with different security configurations than your backend
|
|
|
- objects.
|
|
|
-
|
|
|
- * <<Transparent security propagation:>> Spring Security can automatically
|
|
|
- transfer its core authentication information from one machine to another,
|
|
|
- using a variety of protocols including RMI and Spring's HttpInvoker.
|
|
|
-
|
|
|
- * <<Compatible with HttpServletRequest's security methods:>> Even though
|
|
|
- Spring Security can deliver authentication using a range of pluggable mechanisms
|
|
|
- (most of which require no web container configuration), we allow you to access
|
|
|
- the resulting Authentication object via the getRemoteUser() and other
|
|
|
- security methods on HttpServletRequest.
|
|
|
-
|
|
|
- * <<Unit tests:>> A must-have of any quality security project, unit
|
|
|
- tests are included. Our unit test coverage is very high, as shown in the
|
|
|
- {{{acegi-security/cobertura/index.html}coverage report}}.
|
|
|
-
|
|
|
- * <<Built by Maven:>> This assists you in effectively reusing the Acegi
|
|
|
- Security artifacts in your own Maven-based projects.
|
|
|
-
|
|
|
- * <<Supports your own unit tests:>> We provide a number of classes
|
|
|
- that assist with your own unit testing of secured business objects. For
|
|
|
- example, you can change the authentication identity and its associated
|
|
|
- granted authorities directly within your test methods.
|
|
|
-
|
|
|
- * <<Peer reviewed:>> Whilst nothing is ever completely secure,
|
|
|
- using an open source security package leverages the continuous design
|
|
|
- and code quality improvements that emerge from peer review.
|
|
|
-
|
|
|
- * <<Community:>> Well-known for its supportive community, Spring Security
|
|
|
- has an active group of developers and users. Visit our project resources (below)
|
|
|
- to access these services.
|
|
|
-
|
|
|
- * <<Apache license.>> You can confidently use Spring Security in your project.
|
|
|
+ Spring Security is the renamed Acegi Security System for Spring, which became an official Spring
|
|
|
+ Portfolio project towards the end of 2007. It is the portolio's security offering, focused on providing a powerful and
|
|
|
+ flexible security solution for enterprise applications developed using the Spring Framework.
|
|
|
+ It is a stable and mature product - Acegi Security 1.0.0 was released in May 2006 after more than two and a half
|
|
|
+ years of use in large production software projects.
|
|
|
+
|
|
|
+ Spring Security 2.0 builds on Acegi Security's solid foundations, adding new features such as a simplified
|
|
|
+ namespace configuration syntax.
|
|
|
+
|
|
|
+
|
|
|
+ ~~ TODO: Expand based on original Acegi page.
|
Luke Taylor