Spring Security

{{Infobox software

| name = Spring Security

| logo =

| screenshot =

| caption =

| collapsible =

| developer = 4

| latest release version = 6.3.1

| latest release date = {{start date and age|2024|06|18}} {{cite web|url=https://spring.io/blog/2024/06/18/spring-security-5-8-13-6-2-5-and-6-3-1-are-available-now |title=Spring Security 5.8.13, 6.2.5, and 6.3.1 are available now|website=spring.io|access-date=August 18, 2024}}

| latest preview version =

| latest preview date =

| operating system = Cross-platform

| programming language = Java

| genre = web application framework security

| license = Apache License 2.0

| website = {{URL|https://projects.spring.io/spring-security/}}

}}

Spring Security is a Java/Java EE framework that provides authentication, authorization and other security features for enterprise applications. The project was started in late 2003 as 'Acegi Security' (pronounced Ah-see-gee {{IPAc-en|ɑː|s|iː|dʒ|iː}}; the letters are the first, third, fifth, seventh and ninth characters of the English alphabet, chosen to avoid name conflicts{{cite web|url=https://spring.io/blog/2007/01/25/why-the-name-acegi|title=Why the name Acegi?|website=spring.io}}) by Ben Alex, and it was publicly released under the Apache License in March 2004. Subsequently, Acegi was incorporated into the Spring portfolio as Spring Security, an official Spring sub-project. The first public release under the new name was Spring Security 2.0.0 in April 2008, with commercial support and training available from SpringSource.

Authentication flow

Diagram 1 shows the basic flow of an authentication request through the Spring Security system. It shows the different filters and how they interact, from the initial browser request to either a successful authentication or an HTTP 403 error.

[[File:ACEGI Authentication.JPG|thumb|Diagram 1: basic flow of an authentication request]]

{| class="wikitable"
|+ Steps of the authentication flow shown in Diagram 1
|-
| Browser submits "authentication credentials"
|-
| "Authentication mechanism" collects the details
|-
| An "authentication request" object is built
|-
| The authentication request is sent to an AuthenticationManager
|-
| The AuthenticationManager is responsible for passing the request through a chain of AuthenticationProviders
|-
| An "authentication provider" asks a UserDetailsService to provide a UserDetails object
|-
| The resultant UserDetails object (which also contains the GrantedAuthority[]s) is used to build the fully populated Authentication object
|-
| If the "authentication mechanism" receives back the fully populated Authentication object, it deems the request valid, puts the Authentication into the SecurityContextHolder and causes the original request to be retried. If, on the other hand, the AuthenticationProvider rejected the request, the authentication mechanism asks the user agent to retry.
|-
| AbstractSecurityInterceptor authorizes the regenerated request (asking the AccessDecisionManager for a decision) and throws Java exceptions when access is refused
|-
| ExceptionTranslationFilter translates the exceptions thrown by AbstractSecurityInterceptor into HTTP-related error codes: error code 403 if the principal has been authenticated and therefore simply lacks sufficient access; otherwise, if the principal has not been authenticated, it launches an AuthenticationEntryPoint (an authentication mechanism)
|}
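The flow described above, traced with Spring Security's own core classes, as an added example (it is not code from the article or from the Spring project). It assumes spring-security-core 6.x on the classpath; the in-memory user store, the credentials and the mapping of outcomes to HTTP status codes are constructed here for illustration.

```java
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.*;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.authorization.AuthorityAuthorizationManager;
import org.springframework.security.core.*;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class AuthFlowDemo {
    // ProviderManager (an AuthenticationManager) drives a chain of one DaoAuthenticationProvider,
    // which asks the UserDetailsService for a UserDetails and compares the submitted password.
    static AuthenticationManager manager() {
        PasswordEncoder enc = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        InMemoryUserDetailsManager users = new InMemoryUserDetailsManager( // constructed sample store
                User.withUsername("alice").password(enc.encode("s3cret")).roles("USER").build());
        DaoAuthenticationProvider dao = new DaoAuthenticationProvider();
        dao.setUserDetailsService(users);
        dao.setPasswordEncoder(enc);
        return new ProviderManager(dao);
    }

    // Runs the flow for one request; returns the HTTP status the filter chain would end with.
    static int handle(AuthenticationManager am, String user, String pass, String role) {
        // Build the "authentication request" object and hand it to the AuthenticationManager.
        Authentication request = new UsernamePasswordAuthenticationToken(user, pass);
        try {
            Authentication populated = am.authenticate(request); // now carries the GrantedAuthorities
            SecurityContextHolder.getContext().setAuthentication(populated);
        } catch (AuthenticationException rejected) {
            // Provider rejected the request: the AuthenticationEntryPoint is launched (401 challenge here).
            return 401;
        }
        try {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            // Role check stands in for AbstractSecurityInterceptor asking the AccessDecisionManager.
            boolean granted = AuthorityAuthorizationManager.hasRole(role).check(() -> auth, null).isGranted();
            if (!granted) throw new AccessDeniedException("principal lacks ROLE_" + role);
            return 200;
        } catch (AccessDeniedException denied) {
            return 403; // authenticated principal that simply lacks sufficient access
        } finally {
            SecurityContextHolder.clearContext(); // do not leak the context to the next request
        }
    }

    public static void main(String[] args) {
        AuthenticationManager am = manager();
        System.out.println(handle(am, "alice", "s3cret", "USER"));  // valid credentials, has the role
        System.out.println(handle(am, "alice", "wrong", "USER"));   // provider rejects the credentials
        System.out.println(handle(am, "alice", "s3cret", "ADMIN")); // authenticated but lacks the role
    }
}
```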

Key authentication features

  • LDAP (using both bind-based and password comparison strategies) for centralization of authentication information.{{sfn|Deinum|Rubio|Long|Mak|2014}}{{rp|loc=§7-3|pp=358–362}}
  • Single sign-on capabilities using the popular Central Authentication Service.
  • Java Authentication and Authorization Service (JAAS) LoginModule, a standards-based method for authentication used within Java. Note that this feature only delegates to a JAAS LoginModule.{{Cite web |date=December 29, 2024 |title=Master OAuth: How To Build a Secure Authorization Server |url=https://authorization.news/master-oauth-how-to-build-a-secure-authorization-serverpart-ii/ }}
  • Basic access authentication as defined through RFC 1945.
  • Digest access authentication{{sfn|Deinum|Rubio|Long|Mak|2014}}{{rp|loc=§7-3|pp=356–358}} as defined through RFC 2617 and RFC 2069.
  • X.509 client certificate presentation over the Secure Sockets Layer standard.
  • CA, Inc. SiteMinder for authentication (a popular commercial access management product).
  • Su (Unix)-like support for switching principal identity over an HTTP or HTTPS connection.
  • Run-as replacement, which enables an operation to assume a different security identity.
  • Anonymous authentication, which means that even unauthenticated principals are allocated a security identity.
  • Container adapter (custom realm) support for Apache Tomcat, Resin, JBoss and Jetty (web server).
  • Windows NTLM to enable browser integration (experimental).
  • Web form authentication, similar to the servlet container specification.
  • "Remember-me" support via HTTP cookies.
  • Concurrent session support, which limits the number of simultaneous logins permitted by a principal.
  • Full support for customization and plugging in custom authentication implementations.

Key authorization features

Instance-based security features

  • Used for specifying access control lists applicable to domain objects.
  • Spring Security offers a repository for storing, retrieving, and modifying ACLs in a database.{{sfn|Deinum|Rubio|Long|Mak|2014}}{{rp|loc=§7-7|pp=376–381}}
  • Authorization features are provided to enforce policies before and after method invocations.

Other features

  • Software localization so user interface messages can be in any language.
  • Channel security, to automatically switch between HTTP and HTTPS upon meeting particular rules.
  • Caching in all database-touching areas of the framework.
  • Publishing of messages to facilitate event-driven programming.
  • Support for performing integration testing via JUnit.
  • Spring Security itself has comprehensive JUnit isolation tests.
  • Several sample applications, detailed JavaDocs and a reference guide.
  • Web framework independence.

Releases

  • 2.0.0 (April 2008)
  • 3.0.0 (December 2009)
  • 3.1.0 (December 7, 2011)
  • 3.1.2 (August 10, 2012)
  • 3.2.0 (December 16, 2013)
  • 4.0.0 (March 26, 2015)
  • 4.1.3 (August 24, 2016)
  • 4.2.0 (November 10, 2016)
  • 3.2.10, 4.1.4, 4.2.1 (December 22, 2016)
  • 4.2.2 (March 2, 2017)
  • 4.2.3 (June 8, 2017)
  • 5.0.0 (November 28, 2017)
  • 5.0.8, 4.2.8 (September 11, 2018){{Cite web|url=https://spring.io/blog/2018/09/11/spring-security-5-0-8-and-4-2-8-released|title=Spring Security 5.0.8 and 4.2.8 Released|website=spring.io|access-date=2019-06-09}}
  • 5.1.0 GA (September 27, 2018){{Cite web|url=https://spring.io/blog/2018/09/27/spring-security-5-1-goes-ga|title=Spring Security 5.1 goes GA|website=spring.io|access-date=2019-06-09}}
  • 5.1.1, 5.0.9, 4.2.9 (October 16, 2018){{Cite web|url=https://spring.io/blog/2018/10/16/spring-security-5-1-1-5-0-9-and-4-2-9-released|title=Spring Security 5.1.1, 5.0.9, and 4.2.9 Released|website=spring.io|access-date=2019-06-09}}
  • 5.1.2, 5.0.10, 4.2.10 (November 29, 2018){{Cite web|url=https://spring.io/blog/2018/11/29/spring-security-5-1-2-5-0-10-4-2-10-released|title=Spring Security 5.1.2, 5.0.10, 4.2.10 Released|website=spring.io|access-date=2019-06-09}}
  • 5.1.3, 5.0.11, 4.2.11 (January 11, 2019){{Cite web|url=https://spring.io/blog/2019/01/11/spring-security-5-1-3-5-0-11-4-2-11-released|title=Spring Security 5.1.3, 5.0.11, 4.2.11 Released|website=spring.io|access-date=2019-06-09}}
  • 5.1.4 (February 14, 2019){{Cite web|url=https://spring.io/blog/2019/02/14/spring-security-5-1-4-released|title=Spring Security 5.1.4 Released|website=spring.io|access-date=2019-06-09}}
  • 5.1.5, 5.0.12, 4.2.12 (April 3, 2019){{Cite web|url=https://spring.io/blog/2019/04/03/spring-security-5-1-5-5-0-12-4-2-12-released|title=Spring Security 5.1.5, 5.0.12, 4.2.12 Released|website=spring.io|access-date=2019-06-09}}

Citations

{{Reflist}}

References

  • {{cite book |last1=Deinum |first1=Marten |last2=Rubio |first2=Daniel |last3=Long |first3=Josh |last4=Mak |first4=Gary |title=Spring Recipes: A Problem-Solution Approach |publisher=Apress |edition=Second |date=September 1, 2014 |page=1104 |isbn=978-1-4302-2499-0}}

  • {{cite web|url=https://spring.io/blog/2007/01/25/why-the-name-acegi|title=Why the name Acegi?|website=spring.io}}