Overview and modules of Spring Security
1. Overview of Spring Security
Spring Security provides a comprehensive security solution for enterprise applications based on J2EE. Its aim is to give projects built on the Spring Framework a useful security system that is easy to configure.
Spring Security began in 2003 as a small, independent project alongside Spring, called “The Acegi Security System for Spring”. In March 2004 it was formally established as a project. About a year later, Acegi Security became a subproject of the Spring Framework. Version 1.0.0 was released in May 2006, after more than two and a half years of development and hundreds of significant improvements. In late 2007 Acegi Security officially became a Spring project and was renamed Spring Security.
The two main tasks of application security are authentication and authorization (also called access control); these are also the two main components of Spring Security.
Authentication is the process of establishing and verifying the identity of a principal (a principal generally means a user, a device, or some other system that can perform an action in the application).
Authorization is the process of deciding whether a principal is allowed to perform a given action within the application. Authorization depends on authentication, which must be performed first: access is granted only after authentication has succeeded. These concepts are common to most applications and are not specific to Spring Security.
At the authentication level, Spring Security supports a wide variety of authentication models. Most of these models are either provided by third parties or defined by bodies such as the IETF (Internet Engineering Task Force); in addition, Spring Security provides authentication models of its own. Specifically, Spring Security currently supports authentication with all of the following:
- HTTP BASIC authentication headers (an IETF RFC-based standard)
- HTTP Digest authentication headers (an IETF RFC-based standard)
- HTTP X.509 client certificate exchange (an IETF RFC-based standard)
- LDAP (a common cross-platform authentication method, often used in larger environments)
- Form-based authentication
- OpenID authentication
- Authentication based on pre-established request headers (such as Computer Associates SiteMinder)
- JA-SIG Central Authentication Service (also known as CAS, an open source single sign-on system)
- Transparent authentication context propagation for Remote Method Invocation (RMI) and HttpInvoker (a Spring remoting protocol)
- Automatic “remember-me” authentication
- Anonymous authentication
- Run-as authentication
- Java Authentication and Authorization Service (JAAS)
- JEE container authentication
- Java Open Source Single Sign On (JOSSO)
- OpenNMS Network Management Platform
- Mule ESB
- Direct Web Request (DWR)
- Elastic Path
- Atlassian Crowd
Many software companies adopt Spring Security because it provides these authentication models in a flexible manner; this lets them integrate their solutions with any particular customer quickly, without requiring many technical changes to the customer's environment. If none of the built-in authentication mechanisms suits the customer's needs, Spring Security is an open platform and it is really simple to write our own authentication mechanism.
Sometimes authentication alone is not enough; we also need to be concerned with how it is integrated into the application. For example, we may want to ensure that requests arrive only via HTTPS, to protect passwords from eavesdropping or from man-in-the-middle attacks. This is especially useful for protecting the password-recovery process from brute-force attacks, or simply for making it harder for users to copy the contents of the application, particularly its important parts. To help us reach these goals, Spring Security supports “channel security”, together with JCaptcha, to address the above requirements.
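The following is an added example, not code from the original article, showing the two components described above (authentication and authorization) together with channel security in one Spring Security configuration. It uses the Java configuration style of Spring Security 3.2 through 5.x (WebSecurityConfigurerAdapter, removed in 6.0); the user names, passwords, URL patterns and the remember-me key are constructed placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();   // never store or compare plaintext passwords
    }

    // Authentication: where principals come from and how their credentials are verified.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder enc = passwordEncoder();
        auth.inMemoryAuthentication().passwordEncoder(enc)
            // Constructed demo users; a real deployment would use LDAP, JDBC, CAS, etc.
            .withUser("alice").password(enc.encode("alice-demo-password")).roles("USER", "ADMIN")
            .and()
            .withUser("bob").password(enc.encode("bob-demo-password")).roles("USER");
    }

    // Authorization and channel security: what each principal may reach, and over which channel.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Channel security: every request must arrive over HTTPS; plain HTTP is redirected.
            .requiresChannel().anyRequest().requiresSecure()
            .and()
            .authorizeRequests()
                .antMatchers("/login", "/public/**").permitAll()  // reachable by the anonymous principal
                .antMatchers("/admin/**").hasRole("ADMIN")         // requires authority ROLE_ADMIN
                .anyRequest().authenticated()                       // everything else needs a login
            .and()
            .formLogin().loginPage("/login").permitAll()             // form-based authentication
            .and()
            .httpBasic()                                             // HTTP BASIC (RFC-based) for API clients
            .and()
            .rememberMe().key("replace-with-a-long-random-secret")   // signed "remember-me" cookie
            .and()
            .anonymous();                                            // anonymous authentication for permitAll URLs
    }
}
```

Authentication and authorization are configured separately on purpose: the AuthenticationManagerBuilder only decides who a principal is, while the HttpSecurity rules decide what that principal may reach.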
2. The modules of Spring Security
Spring Security is divided into 7 small modules, according to the function of each module and the third-party components it requires:
- spring-security-core.jar: contains the basic classes and interfaces for processing authentication and authorization, providing the core API that any application using Spring Security needs. It includes the following packages:
- spring-security-web.jar: contains the filters and other components related to securing a web application, i.e. everything that depends on the Servlet API. This module is needed for web authentication and for access control based on URLs. Its packages are:
- spring-security-config.jar: needed if Spring Security is configured with an XML file. It contains the namespace parsing code that turns the XML configuration into bean definitions. Its packages are:
- spring-security-ldap.jar: the module for the LDAP (Lightweight Directory Access Protocol) authentication model. Its packages are:
- spring-security-acl.jar: an ACL (Access Control List) is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access, as well as which operations are allowed on a given object. Each entry in the ACL typically defines a subject and an operation. For example, if a file carries the ACL (Alice: read, write; Bob: read), Alice may read and write the file while Bob may only read it. This module lets us build an access control model of this kind. Its packages are:
- spring-security-cas-client.jar: contains all components needed to integrate a Spring Security client with CAS (Central Authentication Service), used when a CAS single sign-on server is in place. Its packages are:
- spring-security-openid.jar: supports the OpenID authentication model, used to authenticate users from outside the system against an OpenID server. Its packages are:
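As an added example (not code from the original article), the file ACL from the spring-security-acl description above, (Alice: read, write; Bob: read), expressed with the ACL module's API. It assumes a MutableAclService bean is already wired (for example JdbcMutableAclService over the ACL schema), that AclPermissionEvaluator is registered so hasPermission() consults the same ACL, and a hypothetical domain class com.example.Document.

```java
import java.io.Serializable;
import java.util.Arrays;
import com.example.Document;  // hypothetical domain class (not part of Spring Security)
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.MutableAclService;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.Sid;

public class DocumentAclService {

    private final MutableAclService aclService;   // e.g. JdbcMutableAclService over the ACL tables

    public DocumentAclService(MutableAclService aclService) {
        this.aclService = aclService;
    }

    /** Stores the ACL (Alice: read, write; Bob: read) for one document. */
    public MutableAcl protectDocument(Serializable documentId) {
        ObjectIdentity oid = new ObjectIdentityImpl(Document.class, documentId);
        MutableAcl acl = aclService.createAcl(oid);  // caller must be authenticated; it becomes owner
        Sid alice = new PrincipalSid("alice");
        Sid bob = new PrincipalSid("bob");
        // One ACE per (subject, operation); ACEs are evaluated in order and the first match wins.
        acl.insertAce(acl.getEntries().size(), BasePermission.READ, alice, true);
        acl.insertAce(acl.getEntries().size(), BasePermission.WRITE, alice, true);
        acl.insertAce(acl.getEntries().size(), BasePermission.READ, bob, true);
        return aclService.updateAcl(acl);
    }

    /** Programmatic check: may this principal perform this operation on this document? */
    public boolean isGranted(Serializable documentId, String principal, Permission permission) {
        ObjectIdentity oid = new ObjectIdentityImpl(Document.class, documentId);
        try {
            return aclService.readAclById(oid)
                .isGranted(Arrays.asList(permission), Arrays.<Sid>asList(new PrincipalSid(principal)), false);
        } catch (NotFoundException e) {
            return false;   // no ACL, or no ACE matches (e.g. Bob asking for WRITE): deny by default
        }
    }

    /** Declarative form: hasPermission() consults the same ACL via AclPermissionEvaluator. */
    @PreAuthorize("hasPermission(#documentId, 'com.example.Document', 'WRITE')")
    public void edit(Serializable documentId) { /* reached only by a principal holding WRITE */ }
}
```

With this ACL, isGranted(id, "bob", BasePermission.READ) is true while isGranted(id, "bob", BasePermission.WRITE) is false, because no entry matches Bob for WRITE and the ACL module treats a missing entry as a denial.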