Spring Security
Spring Security is a Java/Java EE framework that provides authentication, authorization and other security features for enterprise applications. The project was started in late 2003 as 'Acegi Security' (pronounced "Ah-see-gee", whose letters are the first, third, fifth, seventh and ninth characters of the English alphabet, chosen to prevent name conflicts) by Ben Alex, and was publicly released under the Apache License in March 2004. Subsequently, Acegi was incorporated into the Spring portfolio as Spring Security, an official Spring sub-project. The first public release under the new name was Spring Security 2.0.0 in April 2008, with commercial support and training available from SpringSource.


Authentication flow

Diagram 1 shows the basic flow of an authentication request through the Spring Security filter chain: the different filters and how they interact, from the initial browser request to either a successful authentication or an HTTP 403 error.


Key authentication features

* LDAP (using both bind-based and password comparison strategies) for centralization of authentication information.
* Single sign-on capabilities using the popular Central Authentication Service (CAS).
* Java Authentication and Authorization Service (JAAS) LoginModule, a standards-based method for authentication used within Java. Note that this feature is only a delegation to a JAAS LoginModule.
* Basic access authentication as defined in RFC 1945.
* Digest access authentication as defined in RFC 2617 and RFC 2069.
* X.509 client certificate presentation over the Secure Sockets Layer (SSL/TLS) standard.
* CA, Inc. SiteMinder for authentication (a popular commercial access management product).
* su (Unix)-like support for switching principal identity over an HTTP or HTTPS connection.
* Run-as replacement, which enables an operation to assume a different security identity.
* Anonymous authentication, which means that even unauthenticated principals are allocated a security identity.
* Container adapter (custom realm) support for Apache Tomcat, Resin, JBoss and Jetty.
* Windows NTLM to enable browser integration (experimental).
* Web form authentication, similar to the servlet container specification.
* "Remember-me" support via HTTP cookies.
* Concurrent session support, which limits the number of simultaneous logins permitted to a principal.
* Full support for customization and plugging in custom authentication implementations.
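As an added example (not code from the page or from the Spring Security project), the configuration below wires several of the authentication features listed above, together with the URL authorization rules that the filter chain in the authentication flow evaluates, into a single Spring Security filter chain: web form login, HTTP Basic, remember-me cookies, concurrent session control, anonymous access to public paths and in-memory users with BCrypt-hashed passwords. It assumes Spring Boot 3 with Spring Security 6 on the classpath; the package name, URL paths, user names, passwords, authority names and the remember-me key are constructed for illustration.

```java
// Added example (not from the page or the Spring Security project): one
// SecurityFilterChain wiring up several of the listed features. Assumes
// Spring Boot 3 / Spring Security 6; package, paths, users and secrets
// are constructed for illustration.
package com.example.demo;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.security.web.util.matcher.RegexRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // URL authorization: rules are consulted in order and the first
            // match wins, so the catch-all anyRequest() must come last.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/public/**").permitAll()    // Ant-style paths
                .requestMatchers("/admin/**").hasRole("ADMIN")        // needs authority ROLE_ADMIN
                .requestMatchers(new RegexRequestMatcher("/reports/\\d+", "GET"))
                    .hasAuthority("REPORT_READ")                      // regex path, GET only
                .anyRequest().authenticated())
            // Web form authentication (default login page at /login) and
            // HTTP Basic on the same chain.
            .formLogin(Customizer.withDefaults())
            .httpBasic(Customizer.withDefaults())
            // "Remember-me" cookie; the key is mixed into the token hash, so in
            // a real deployment it comes from configuration, never from source.
            .rememberMe(remember -> remember
                .key("constructed-demo-key")
                .tokenValiditySeconds(86_400))
            // Concurrent session control: one live session per principal; a
            // second login is rejected instead of expiring the first one.
            .sessionManagement(session -> session
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true));
        // An authenticated principal that fails a rule receives HTTP 403 from
        // the ExceptionTranslationFilter; an anonymous one is sent to log in.
        return http.build();
    }

    // Required so that maximumSessions() learns when sessions are destroyed.
    @Bean
    HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Constructed in-memory users; a real deployment would back this with
    // LDAP, a database-backed UserDetailsService or similar.
    @Bean
    UserDetailsService users(PasswordEncoder encoder) {
        UserDetails analyst = User.withUsername("alice")
            .password(encoder.encode("constructed-password-1"))
            .authorities("ROLE_USER", "REPORT_READ")
            .build();
        UserDetails admin = User.withUsername("root")
            .password(encoder.encode("constructed-password-2"))
            .roles("ADMIN", "USER")
            .build();
        return new InMemoryUserDetailsManager(analyst, admin);
    }
}
```

The ordering of the authorization rules matters: a broad `permitAll()` or `anyRequest()` placed before a narrower rule silently shadows it, which is the most common way such a configuration ends up weaker than intended. Because anonymous authentication is enabled by default, an unauthenticated request to `/admin/**` is not rejected with 403 but handed to the entry point (the login page, or a Basic challenge for non-browser clients), while a logged-in user lacking `ROLE_ADMIN` does get the 403 described in the authentication flow.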


Key authorization features

* AspectJ method invocation authorization.
* HTTP authorization of web request URLs using a choice of Apache Ant paths or regular expressions.


Instance-based security features

* Used for specifying access control lists (ACLs) applicable to domain objects.
* Spring Security offers a repository for storing, retrieving, and modifying ACLs in a database.
* Authorization features are provided to enforce policies before and after method invocations.
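The following is an added example (not code from the page or from the Spring Security project) showing the method invocation authorization from the previous section and the before/after-invocation policies from this one, applied to a constructed domain object: a pre-invocation role check, a post-invocation check on the returned instance and post-invocation filtering of a returned collection. It assumes Spring Security 6 with spring-security-config on the classpath; the package name, the `Invoice` type, the owner names and amounts are constructed, and the ownership checks stand in for a full ACL repository.

```java
// Added example (not from the page or the Spring Security project): method-level
// authorization enforced before and after invocations. Assumes Spring Security 6;
// package, domain type, owners and amounts are constructed for illustration.
package com.example.demo;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.stereotype.Service;

// Turns on @PreAuthorize/@PostAuthorize/@PostFilter (prePostEnabled is the default).
@Configuration
@EnableMethodSecurity
class MethodSecurityConfig {
}

@Service
public class InvoiceService {

    // Constructed domain object; the SpEL checks below call owner() on it.
    public record Invoice(long id, String owner, long amountCents) {
    }

    // Constructed in-memory data standing in for a repository.
    private final Map<Long, Invoice> store = Map.of(
        1L, new Invoice(1L, "alice", 12_00),
        2L, new Invoice(2L, "bob", 250_00));

    // Before-invocation policy: the call is refused (AccessDeniedException,
    // surfacing as HTTP 403 on the web) unless the caller holds ROLE_ADMIN.
    @PreAuthorize("hasRole('ADMIN')")
    public Invoice voidInvoice(long id) {
        Invoice current = store.get(id);
        return current == null ? null : new Invoice(current.id(), current.owner(), 0);
    }

    // After-invocation policy on the returned instance: the lookup runs, but
    // the result is withheld unless the caller owns it (instance-based
    // security without an ACL repository).
    @PostAuthorize("returnObject == null || returnObject.owner() == authentication.name")
    public Invoice findById(long id) {
        return store.get(id);
    }

    // After-invocation filtering: non-admins see only their own invoices.
    // @PostFilter removes elements in place, so the list must be mutable.
    @PostFilter("hasRole('ADMIN') || filterObject.owner() == authentication.name")
    public List<Invoice> findAll() {
        return new ArrayList<>(store.values());
    }
}
```

The annotations are enforced by a proxy around the bean, so a call from one method of `InvoiceService` to another on `this` bypasses them; only calls entering through the injected proxy are checked. `@PostAuthorize` and `@PostFilter` also run after the method body has executed, so they are suitable for withholding results but not for preventing side effects, which is what `@PreAuthorize` is for.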


Other features

* Software localization so user interface messages can be in any language.
* Channel security, to automatically switch between HTTP and HTTPS upon meeting particular rules.
* Caching in all database-touching areas of the framework.
* Publishing of messages to facilitate event-driven programming.
* Support for performing integration testing via JUnit.
* Spring Security itself has comprehensive JUnit isolation tests.
* Several sample applications, detailed JavaDocs and a reference guide.
* Web framework independence.
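As an added example of the JUnit integration testing support (not code from the page or from the Spring Security project), the test class below drives the full filter chain through MockMvc and checks each outcome of the authentication flow: redirect to login for an anonymous caller, HTTP 403 for an authenticated user without the required role, success for an admin, and 401 for bad HTTP Basic credentials. It assumes Spring Boot 3 with spring-boot-starter-test and spring-security-test, an application filter chain that restricts `/admin/**` to `ROLE_ADMIN` with both form login and HTTP Basic enabled, and a controller mapped at `GET /admin/report`; the package and user names are constructed.

```java
// Added example (not from the page or the Spring Security project): a JUnit 5
// integration test for the filter chain via MockMvc. Assumes Spring Boot 3,
// spring-security-test, a chain restricting /admin/** to ROLE_ADMIN with form
// login and HTTP Basic, and a controller at GET /admin/report (all assumptions).
package com.example.demo;

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc   // MockMvc is built with the Spring Security filter chain applied
class AdminEndpointSecurityTest {

    @Autowired
    MockMvc mvc;

    // No principal at all: with form login configured, the
    // ExceptionTranslationFilter starts authentication (redirect to the
    // login page) rather than answering 403.
    @Test
    void anonymousCallerIsSentToLogin() throws Exception {
        mvc.perform(get("/admin/report"))
            .andExpect(status().is3xxRedirection())
            .andExpect(redirectedUrl("http://localhost/login"));
    }

    // Authenticated but lacking ROLE_ADMIN: the access decision fails, HTTP 403.
    @Test
    @WithMockUser(username = "alice", roles = "USER")
    void authenticatedUserWithoutRoleIsForbidden() throws Exception {
        mvc.perform(get("/admin/report"))
            .andExpect(status().isForbidden());
    }

    // @WithMockUser populates the SecurityContext directly, so no credentials
    // are exchanged; roles = "ADMIN" yields the authority ROLE_ADMIN.
    @Test
    @WithMockUser(username = "root", roles = "ADMIN")
    void adminIsAllowed() throws Exception {
        mvc.perform(get("/admin/report"))
            .andExpect(status().isOk());
    }

    // Wrong HTTP Basic credentials: BasicAuthenticationFilter rejects the
    // request itself with 401 and a WWW-Authenticate challenge.
    @Test
    void badBasicCredentialsAreUnauthorized() throws Exception {
        mvc.perform(get("/admin/report").with(httpBasic("alice", "not-the-password")))
            .andExpect(status().isUnauthorized())
            .andExpect(header().exists("WWW-Authenticate"));
    }
}
```

Tests of this shape are the cheapest guard against the rule-ordering mistakes that make a filter chain more permissive than intended: if a later change lets `/admin/report` through for a plain user, the second test fails immediately rather than at the next penetration test.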


Releases

* 2.0.0 (April 2008)
* 3.0.0 (December 2009)
* 3.1.0 (December 7, 2011)
* 3.1.2 (August 10, 2012)
* 3.2.0 (December 16, 2013)
* 4.0.0 (March 26, 2015)
* 4.1.3 (August 24, 2016)
* 4.2.0 (November 10, 2016)
* 3.2.10, 4.1.4, 4.2.1 (December 22, 2016)
* 4.2.2 (March 2, 2017)
* 4.2.3 (June 8, 2017)
* 5.0.0 (November 28, 2017)
* 5.0.8, 4.2.8 (September 11, 2018)
* 5.1.0 GA (September 27, 2018)
* 5.1.1, 5.0.9, 4.2.9 (October 16, 2018)
* 5.1.2, 5.0.10, 4.2.10 (November 29, 2018)
* 5.1.3, 5.0.11, 4.2.11 (January 11, 2019)
* 5.1.4 (February 14, 2019)
* 5.1.5, 5.0.12, 4.2.12 (April 3, 2019)

