Spring Security - Introduction



What is Spring Security?

Spring Security is one of the Spring projects (modules) used to secure a Spring-based application. Spring Security provides many built-in features for implementing authentication and authorization in our application. We can use these features, with our own changes, to secure an application very quickly. In addition, Spring Security allows plenty of customization of the features mentioned above, so that we can implement our own complex authentication and authorization.

In addition to providing various built-in authentication and authorization options, Spring Security allows us to customize our authentication process as much as we want. Starting from a custom login page to our very own customized authentication providers and authentication filters, we can customize practically every aspect of the authentication process. We can define our own authentication process, which can range from basic authentication using a username and a password to a complex one such as two-factor authentication using tokens and OTPs. Also, we can use various databases, both relational and non-relational, use various password encoders, lock malicious users out of their accounts, and so on.

Authentication and Authorization

Authentication and Authorization are two main components of Spring Security.

  • Authentication − Authentication ensures that the user or the client is who they claim to be. Spring Security enables us to perform authentication in many ways; it supports Basic Authentication, LDAP authentication, JDBC authentication, etc.

  • Authorization − Authorization checks whether the user has permission for an action or not. If our application is a complex one, with different kinds of users such as admins, regular users and other less privileged users, we need to maintain access control in our application. For example, a guest user should not be able to access admin content. So, to control access to various resources within our application, we need to check whether a user has permission to access that resource. Spring Security supports roles, claims, etc. to provide user-level authorization.

Spring Security supports a large set of authentication models. Most of these authentication models are developed by third parties or by the Internet Engineering Task Force (IETF) as a standards body. Being able to integrate with a wide set of third-party authentication models makes Spring Security very popular among developers for integration into their projects. Spring provides its own authentication features as well. The following list shows the various authentication methods supported by Spring Security.

  • HTTP BASIC authentication headers

  • HTTP Digest authentication headers

  • HTTP X.509 client certificate exchange

  • LDAP

  • Form-based authentication

  • OpenID authentication

  • Authentication based on pre-established request headers

  • JA-SIG Central Authentication Service, an open source single sign-on system

  • Transparent authentication context propagation for Remote Method Invocation (RMI) and HttpInvoker

  • Remember Me

  • Anonymous authentication

  • Run-as authentication

  • Java Authentication and Authorization Service (JAAS)

  • JEE container authentication

  • Kerberos

  • Java Open Source Single Sign On (JOSSO)

  • OpenNMS Network Management Platform

  • AppFuse

  • AndroMDA

  • Mule ESB

  • Direct Web Request (DWR)

  • Grails

  • Tapestry

  • JTrac

  • Jasypt

  • Roller

  • Elastic Path

  • Atlassian Crowd

We can integrate our own custom authentication mechanism with Spring Security as well.
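As an added example of such a custom mechanism (not code from the original article), here is an AuthenticationProvider that validates a username and password against an external credential store, represented by a constructed in-memory map of BCrypt hashes. It assumes the Spring Security 6 API; the class name, the store contents and the credentials are hypothetical.

```java
import java.util.List;
import java.util.Map;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical provider: checks credentials against a store Spring Security
// does not know about (e.g. a legacy user table), then hands back an
// authenticated token carrying the user's authorities.
public class LegacyStoreAuthenticationProvider implements AuthenticationProvider {

    private final PasswordEncoder encoder = new BCryptPasswordEncoder();

    // Constructed stand-in for the external store: username -> BCrypt hash.
    private final Map<String, String> store = Map.of(
            "alice", encoder.encode("alice-pass"));

    // Hash compared against when the username is unknown, so that an unknown
    // user costs the same time as a wrong password and cannot be told apart.
    private final String dummyHash = encoder.encode("not-a-real-password");

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        Object credentials = authentication.getCredentials();
        String presented = credentials == null ? "" : credentials.toString();

        String storedHash = store.get(username);
        boolean matches = encoder.matches(presented, storedHash != null ? storedHash : dummyHash);

        // Fail closed with one generic message for both failure cases, so the
        // response does not reveal which usernames exist.
        if (storedHash == null || !matches) {
            throw new BadCredentialsException("Invalid username or password");
        }

        // Credentials are dropped from the returned token; only the principal and
        // its authorities travel on in the SecurityContext.
        return UsernamePasswordAuthenticationToken.authenticated(
                username, null, List.of(new SimpleGrantedAuthority("ROLE_USER")));
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // This provider only handles username/password tokens (form login, HTTP Basic).
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

The provider is registered with http.authenticationProvider(new LegacyStoreAuthenticationProvider()) inside the SecurityFilterChain bean; Spring Security's AuthenticationManager then asks each registered provider, via supports(), whether it can handle the incoming token and calls authenticate() on the first one that can.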

History of Spring Security

Spring Security started in late 2003 as the Acegi Security System for Spring, a simple Spring-based security implementation. Later, as Spring community members enquired about an existing framework, it was assigned to one of the community members to work on, and by January 2004 a team of 20+ people was working on this project, which was established as a SourceForge project in March 2004. Initially Spring Security had no authentication module of its own; it relied completely on container-managed security, and the Acegi Security System focused only on authorization modules.

In the following year, 2005, Acegi Security-specific authentication services were introduced and the Acegi Security System became an official Spring sub-project. In May 2006, after being used in numerous production systems and after community improvements and bug fixes, version 1.0.0 was released. By the end of 2007, the Acegi Security System was rebranded as Spring Security and it became an official Spring Portfolio project.
