Spring Framework : A Framework from SpringSource :: Spring with Security
- What is Spring Security?
- Spring Security Project Modules
- What’s new in Spring Security 3.1
- Download Examples
|What is Spring Security?|
Spring Security, is a flexible and powerful authentication and access control framework to secure Spring-based Java web application.
Spring Security allows developer to integrate security features with J2EE web application easily, it highjacks incoming HTTP request via servlet filters, and implements user defined security checking.
Here, we will show you how to integrate Spring Security 3.0 with Spring MVC web application to secure URL access. After implemented Spring security, to view the content of the page, users need to key in correct username and password.
- Spring 3.0.5.RELEASE
- Spring Security 3.0.5.RELEASE
- Eclipse 3.6
- JDK 1.6
- Maven 3
Spring Security is a powerful and highly customizable authentication and access-control framework. It is the de-facto standard for securing Spring-based applications.
Spring Security is also easy to learn, deploy and manage. Spring Security is also integrated with many other Spring technologies, including Spring Web Flow, Spring Web Services, SpringSource Enterprise, SpringSource Application Management Suite and SpringSource tc Server.
Spring Security provides comprehensive security services for J2EE-based enterprise software applications. There is a particular emphasis on supporting projects built using The Spring Framework, which is the leading J2EE solution for enterprise software development.
|Spring Security Project Modules|
In Spring Security 3.0, the codebase has been sub-divided into separate jars. If you are using Maven to build your project, then these are the modules you will add to your pom.xml. Even if you’re not using Maven, we’d recommend that you consult the pom.xml files to get an idea of third-party dependencies and versions.
Core – spring-security-core.jar
Contains core authentication and access-contol classes and interfaces, remoting support and basic provisioning APIs. Required by any application which uses Spring Security. Supports standalone applications, remote clients, method (service layer) security and JDBC user provisioning. Contains the top-level packages:
Remoting – spring-security-remoting.jar
Provides intergration with Spring Remoting. You don’t need this unless you are writing a remote client which uses Spring Remoting. The main package is org.springframework.security.remoting.
Web – spring-security-web.jar
Contains filters and related web-security infrastructure code. Anything with a servlet API dependency. You’ll need it if you require Spring Security web authentication services and URL-based access-control. The main package is org.springframework.security.web.
Config – spring-security-config.jar
Contains the security namespace parsing code. You need it if you are using the Spring Security XML namespace for configuration. The main package is org.springframework.security.config. None of the classes are intended for direct use in an application.
LDAP – spring-security-ldap.jar
LDAP authentication and provisioning code. Required if you need to use LDAP authentication or manage LDAP user entries. The top-level package is org.springframework.security.ldap.
ACL – spring-security-acl.jar
Specialized domain object ACL implementation. Used to apply security to specific domain object instances within your application. The top-level package is org.springframework.security.acls.
CAS – spring-security-cas.jar
Spring Security’s CAS client integration. If you want to use Spring Security web authentication with a CAS single sign-on server. The top-level package is org.springframework.security.cas.
OpenID – spring-security-openid.jar
OpenID web authentication support. Used to authenticate users against an external OpenID server. org.springframework.security.openid. Requires OpenID4Java.
To obtain the source for the project, use the following git command
git clone git://git.springsource.org/spring-security/spring-security.git
|What’s new in Spring Security 3.1|
What’s new in Spring Security 3.1
Below you can find a high level summary of updates to Spring Security 3.1
- Support for multiple http elements
- Support for stateless authentication
- DebugFilter provides additional debugging information
- Improved Active Directory LDAP support (i.e. ActiveDirectoryLdapAuthenticationProvider)
- Added Basic Crypto Module.
- The namespace is fully documented in the reference appendix.
- Added dependencies section to the reference appendix
- Support HttpOnly Flag for Cookies in Servlet 3.0 environments
- InMemoryUserDetailsManager provides in memory implementation of UserDetailsManager
- Support for hasPermission expression on the authorize JSP tag
- Support for disabling UI security (for testing purposes)
- Support erasing credentials after successful authentication
- Support clearing cookies on logout
- Spring Security Google App Engine example application
- Support for CAS proxy tickets
- Support for arbitrary implementations of JAAS Configuration
- Support nested switching of users for SwitchUserFilter
Click Below to download the Examples