- Spring Security
Spring Security is a Java/Java EE framework that provides advanced authentication, authorization and other security features for enterprise applications built using the Spring Framework (Java). The project was started in late 2003 as 'Acegi Security' (pronounced "Ah-see-gee") by Ben Alex, and was [http://article.gmane.org/gmane.comp.java.springframework.user/716/ publicly released] under the Apache License in March 2004. Subsequently, Acegi was [http://www.springframework.org/node/466 incorporated into the Spring portfolio] as Spring Security, an official Spring sub-project. The first public release under the new name was Spring Security 2.0.0 in April 2008, with commercial support and training available from [http://www.springsource.com SpringSource].

Authentication Flow
Diagram 1 shows the basic flow of an authentication request through the Spring Security system. It shows the different filters and how they interact, from the initial browser request to either a successful authentication or an HTTP 403 error.
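The following Java configuration is an added illustration of that flow; it is not code from the article or from the Spring project. It builds the servlet filter chain for a Spring Security 6 application, wiring in several of the mechanisms the article lists (HTTP Basic, web form login, anonymous identity, concurrent session control and HTTP-to-HTTPS channel security). It assumes spring-boot-starter-security on the classpath; the URL patterns, role names and in-memory users are constructed for illustration only.

```java
// Added example: a minimal Spring Security 6 filter-chain configuration.
// Assumes spring-boot-starter-security; all patterns, roles and users below
// are constructed sample values, not from the article.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Channel security: any request arriving over plain HTTP is
            // redirected to HTTPS before authentication is attempted.
            .requiresChannel(channel -> channel.anyRequest().requiresSecure())
            // Each authentication mechanism is its own filter. It tries to
            // authenticate the request and otherwise lets it pass down the chain.
            .httpBasic(Customizer.withDefaults())   // RFC 1945 Basic challenge
            .formLogin(Customizer.withDefaults())   // web form login page
            // Concurrent session control: a second login by the same principal
            // expires the older session (needs HttpSessionEventPublisher below).
            .sessionManagement(session -> session.maximumSessions(1))
            // Authorization runs last. A request that reaches it without a
            // real login still carries the anonymous identity; if that identity
            // lacks the required role, ExceptionTranslationFilter sends the
            // browser to the entry point (login), while an authenticated user
            // without the role receives HTTP 403.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/public/**").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated());
        return http.build();
    }

    @Bean
    HttpSessionEventPublisher httpSessionEventPublisher() {
        // Forwards servlet session lifecycle events to the session registry so
        // that maximumSessions(1) sees sessions end.
        return new HttpSessionEventPublisher();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        // Delegating encoder: stored hashes carry an {id} prefix, bcrypt by default.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        // Constructed sample accounts; a deployment would back this with LDAP,
        // JDBC or another provider from the list of supported mechanisms.
        UserDetails user = User.withUsername("user")
            .password(encoder.encode("user-password"))
            .roles("USER")
            .build();
        UserDetails admin = User.withUsername("admin")
            .password(encoder.encode("admin-password"))
            .roles("USER", "ADMIN")
            .build();
        return new InMemoryUserDetailsManager(user, admin);
    }
}
```

With this configuration, an unauthenticated GET of /admin/ over HTTPS is redirected to the login page, a request from a user holding only ROLE_USER gets a 403, and a user holding ROLE_ADMIN gets through; the same outcomes are what the filter diagram traces.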
Key Authentication Features
* LDAP (using both bind-based and password-comparison strategies) for centralization of authentication information.
* Single sign-on capabilities using the popular Central Authentication Service.
* Java Authentication and Authorization Service (JAAS) LoginModule, a standards-based method for authentication used within Java. Note that this feature only delegates to a JAAS LoginModule.
* Basic access authentication as defined through the IETF Request for Comments 1945 standard.
* Digest access authentication as defined through the IETF Request for Comments 2617 and RFC 2069 standards.
* X.509 client certificate presentation over the Secure Sockets Layer standard.
* CA, Inc. SiteMinder for authentication (a popular commercial access management product).
* Su (Unix)-like support for switching principal identity over an HTTP or HTTPS connection.
* CAPTCHA support for detecting human users.
* Run-as replacement, which enables an operation to assume a different security identity.
* Anonymous authentication, which means that even unauthenticated principals are allocated a security identity.
* Container adapter (custom realm) support for Apache Tomcat, Resin, JBoss and Jetty (web server).
* Windows' NTLM to enable browser integration (experimental).
* [http://www.ibm.com/software/tivoli/products/access-mgr-e-bus/ Tivoli Access Manager], which is a popular commercial access management product (experimental).
* Web form authentication, similar to the Servlet container specification.
* "Remember-me" support via HTTP cookies.
* Concurrent session support, which limits the number of simultaneous logins permitted by a principal.
* Full support for customization and plugging in custom authentication implementations.

Key Authorization Features
* AspectJ method invocation authorization.
* [http://aopalliance.sourceforge.net/ AOP Alliance] method invocation authorization, which is used internally by Spring Framework (Java).
* HTTP authorization of web request URLs using a choice of Apache Ant paths or regular expressions.

Instance-Based Security Features
* Used for specifying access control lists applicable to domain objects.
* Acegi Security offers a repository for storing, retrieving, and modifying ACLs in a database.
* Authorization features are provided to enforce policies before and after method invocations.

Other Features
* Software localization so user interface messages can be in any language.
* Channel security, to automatically switch between HTTP and HTTPS upon meeting particular rules.
* Caching in all database-touching areas of the framework.
* Publishing of messages to facilitate event-driven programming.
* Support for performing integration testing via JUnit.
* Acegi Security itself has comprehensive JUnit isolation tests.
* Several sample applications, detailed JavaDocs and a reference guide.
* Web framework independence.

External links
* [http://static.springframework.org/spring-security/site/ Official site]
* [http://www.acegisecurity.org/ Old site]
* [http://www.acegisecurity.org/reference.html Official reference guide]
* [http://acegisecurity.org/downloads.html Download locations]
* [http://ego.developpez.com/acegi/ A tutorial in French]
* [http://www.jroller.com/aleruz/entry/acegi_captcha_integration Acegi Captcha integration]
Wikimedia Foundation. 2010.