Spring Security Reference
Table of Contents
- I. Preface
  - 1. Getting Started
  - 2. Introduction
    - 2.1. What is Spring Security?
    - 2.2. History
    - 2.3. Release Numbering
    - 2.4. Getting Spring Security
      - 2.4.1. Usage with Maven
        - Maven Repositories
        - Spring Framework Bom
      - 2.4.2. Gradle
        - Gradle Repositories
        - Using Spring 4.0.x and Gradle
      - 2.4.3. Project Modules
        - Core - spring-security-core.jar
        - Remoting - spring-security-remoting.jar
        - Web - spring-security-web.jar
        - Config - spring-security-config.jar
        - LDAP - spring-security-ldap.jar
        - ACL - spring-security-acl.jar
        - CAS - spring-security-cas.jar
        - OpenID - spring-security-openid.jar
        - Test - spring-security-test.jar
      - 2.4.4. Checking out the Source
  - 3. What’s New in Spring Security 4.2
    - 3.1. Web Improvements
    - 3.2. Configuration Improvements
    - 3.3. Miscellaneous
  - 4. Samples and Guides (Start Here)
  - 5. Java Configuration
    - 5.1. Hello Web Security Java Configuration
      - 5.1.1. AbstractSecurityWebApplicationInitializer
      - 5.1.2. AbstractSecurityWebApplicationInitializer without Existing Spring
      - 5.1.3. AbstractSecurityWebApplicationInitializer with Spring MVC
    - 5.2. HttpSecurity
    - 5.3. Java Configuration and Form Login
    - 5.4. Authorize Requests
    - 5.5. Handling Logouts
      - 5.5.1. LogoutHandler
      - 5.5.2. LogoutSuccessHandler
      - 5.5.3. Further Logout-Related References
    - 5.6. Authentication
      - 5.6.1. In-Memory Authentication
      - 5.6.2. JDBC Authentication
      - 5.6.3. LDAP Authentication
      - 5.6.4. AuthenticationProvider
      - 5.6.5. UserDetailsService
      - 5.6.6. LDAP Authentication
    - 5.7. Multiple HttpSecurity
    - 5.8. Method Security
      - 5.8.1. EnableGlobalMethodSecurity
      - 5.8.2. GlobalMethodSecurityConfiguration
    - 5.9. Post Processing Configured Objects
    - 5.10. Custom DSLs
  - 6. Security Namespace Configuration
    - 6.1. Introduction
      - 6.1.1. Design of the Namespace
    - 6.2. Getting Started with Security Namespace Configuration
      - 6.2.1. web.xml Configuration
      - 6.2.2. A Minimal <http> Configuration
      - 6.2.3. Form and Basic Login Options
        - Setting a Default Post-Login Destination
      - 6.2.4. Logout Handling
      - 6.2.5. Using other Authentication Providers
        - Adding a Password Encoder
    - 6.3. Advanced Web Features
      - 6.3.1. Remember-Me Authentication
      - 6.3.2. Adding HTTP/HTTPS Channel Security
      - 6.3.3. Session Management
        - Detecting Timeouts
        - Concurrent Session Control
        - Session Fixation Attack Protection
      - 6.3.4. OpenID Support
        - Attribute Exchange
      - 6.3.5. Response Headers
      - 6.3.6. Adding in Your Own Filters
        - Setting a Custom AuthenticationEntryPoint
    - 6.4. Method Security
      - 6.4.1. The <global-method-security> Element
        - Adding Security Pointcuts using protect-pointcut
    - 6.5. The Default AccessDecisionManager
      - 6.5.1. Customizing the AccessDecisionManager
    - 6.6. The Authentication Manager and the Namespace
  - 7. Sample Applications
    - 7.1. Tutorial Sample
    - 7.2. Contacts
    - 7.3. LDAP Sample
    - 7.4. OpenID Sample
    - 7.5. CAS Sample
    - 7.6. JAAS Sample
    - 7.7. Pre-Authentication Sample
  - 8. Spring Security Community
    - 8.1. Issue Tracking
    - 8.2. Becoming Involved
    - 8.3. Further Information
- II. Architecture and Implementation
  - 9. Technical Overview
    - 9.1. Runtime Environment
    - 9.2. Core Components
      - 9.2.1. SecurityContextHolder, SecurityContext and Authentication Objects
        - Obtaining information about the current user
      - 9.2.2. The UserDetailsService
      - 9.2.3. GrantedAuthority
      - 9.2.4. Summary
    - 9.3. Authentication
      - 9.3.1. What is authentication in Spring Security?
      - 9.3.2. Setting the SecurityContextHolder Contents Directly
    - 9.4. Authentication in a Web Application
      - 9.4.1. ExceptionTranslationFilter
      - 9.4.2. AuthenticationEntryPoint
      - 9.4.3. Authentication Mechanism
      - 9.4.4. Storing the SecurityContext between requests
    - 9.5. Access-Control (Authorization) in Spring Security
      - 9.5.1. Security and AOP Advice
      - 9.5.2. Secure Objects and the AbstractSecurityInterceptor
        - What are Configuration Attributes?
        - RunAsManager
        - AfterInvocationManager
        - Extending the Secure Object Model
    - 9.6. Localization
  - 10. Core Services
    - 10.1. The AuthenticationManager, ProviderManager and AuthenticationProvider
      - 10.1.1. Erasing Credentials on Successful Authentication
      - 10.1.2. DaoAuthenticationProvider
    - 10.2. UserDetailsService Implementations
      - 10.2.1. In-Memory Authentication
      - 10.2.2. JdbcDaoImpl
        - Authority Groups
    - 10.3. Password Encoding
      - 10.3.1. What is a hash?
      - 10.3.2. Adding Salt to a Hash
      - 10.3.3. Hashing and Authentication
    - 10.4. Jackson Support
- III. Testing
  - 11. Testing Method Security
    - 11.1. Security Test Setup
    - 11.2. @WithMockUser
    - 11.3. @WithAnonymousUser
    - 11.4. @WithUserDetails
    - 11.5. @WithSecurityContext
    - 11.6. Test Meta Annotations
  - 12. Spring MVC Test Integration
    - 12.1. Setting Up MockMvc and Spring Security
    - 12.2. SecurityMockMvcRequestPostProcessors
      - 12.2.1. Testing with CSRF Protection
      - 12.2.2. Running a Test as a User in Spring MVC Test
      - 12.2.3. Running as a User in Spring MVC Test with RequestPostProcessor
        - Running as a User in Spring MVC Test with Annotations
      - 12.2.4. Testing HTTP Basic Authentication
    - 12.3. SecurityMockMvcRequestBuilders
      - 12.3.1. Testing Form Based Authentication
      - 12.3.2. Testing Logout
    - 12.4. SecurityMockMvcResultMatchers
      - 12.4.1. Unauthenticated Assertion
      - 12.4.2. Authenticated Assertion
- IV. Web Application Security
  - 13. The Security Filter Chain
    - 13.1. DelegatingFilterProxy
    - 13.2. FilterChainProxy
      - 13.2.1. Bypassing the Filter Chain
    - 13.3. Filter Ordering
    - 13.4. Request Matching and HttpFirewall
    - 13.5. Use with other Filter-Based Frameworks
    - 13.6. Advanced Namespace Configuration
  - 14. Core Security Filters
    - 14.1. FilterSecurityInterceptor
    - 14.2. ExceptionTranslationFilter
      - 14.2.1. AuthenticationEntryPoint
      - 14.2.2. AccessDeniedHandler
      - 14.2.3. SavedRequests and the RequestCache Interface
    - 14.3. SecurityContextPersistenceFilter
      - 14.3.1. SecurityContextRepository
    - 14.4. UsernamePasswordAuthenticationFilter
      - 14.4.1. Application Flow on Authentication Success and Failure
  - 15. Servlet API integration
    - 15.1. Servlet 2.5+ Integration
      - 15.1.1. HttpServletRequest.getRemoteUser()
      - 15.1.2. HttpServletRequest.getUserPrincipal()
      - 15.1.3. HttpServletRequest.isUserInRole(String)
    - 15.2. Servlet 3+ Integration
      - 15.2.1. HttpServletRequest.authenticate(HttpServletResponse)
      - 15.2.2. HttpServletRequest.login(String,String)
      - 15.2.3. HttpServletRequest.logout()
      - 15.2.4. AsyncContext.start(Runnable)
      - 15.2.5. Async Servlet Support
    - 15.3. Servlet 3.1+ Integration
      - 15.3.1. HttpServletRequest#changeSessionId()
  - 16. Basic and Digest Authentication
    - 16.1. BasicAuthenticationFilter
      - 16.1.1. Configuration
    - 16.2. DigestAuthenticationFilter
      - 16.2.1. Configuration
  - 17. Remember-Me Authentication
    - 17.1. Overview
    - 17.2. Simple Hash-Based Token Approach
    - 17.3. Persistent Token Approach
    - 17.4. Remember-Me Interfaces and Implementations
      - 17.4.1. TokenBasedRememberMeServices
      - 17.4.2. PersistentTokenBasedRememberMeServices
  - 18. Cross Site Request Forgery (CSRF)
    - 18.1. CSRF Attacks
    - 18.2. Synchronizer Token Pattern
    - 18.3. When to use CSRF protection
      - 18.3.1. CSRF protection and JSON
      - 18.3.2. CSRF and Stateless Browser Applications
    - 18.4. Using Spring Security CSRF Protection
      - 18.4.1. Use proper HTTP verbs
      - 18.4.2. Configure CSRF Protection
      - 18.4.3. Include the CSRF Token
        - Form Submissions
        - Ajax and JSON Requests
        - CookieCsrfTokenRepository
    - 18.5. CSRF Caveats
      - 18.5.1. Timeouts
      - 18.5.2. Logging In
      - 18.5.3. Logging Out
      - 18.5.4. Multipart (file upload)
        - Placing MultipartFilter before Spring Security
        - Include CSRF token in action
      - 18.5.5. HiddenHttpMethodFilter
    - 18.6. Overriding Defaults
  - 19. CORS
  - 20. Security HTTP Response Headers
    - 20.1. Default Security Headers
      - 20.1.1. Cache Control
      - 20.1.2. Content Type Options
      - 20.1.3. HTTP Strict Transport Security (HSTS)
      - 20.1.4. HTTP Public Key Pinning (HPKP)
      - 20.1.5. X-Frame-Options
      - 20.1.6. X-XSS-Protection
      - 20.1.7. Content Security Policy (CSP)
        - Configuring Content Security Policy
        - Additional Resources
      - 20.1.8. Referrer Policy
        - Configuring Referrer Policy
    - 20.2. Custom Headers
      - 20.2.1. Static Headers
      - 20.2.2. Headers Writer
      - 20.2.3. DelegatingRequestMatcherHeaderWriter
  - 21. Session Management
    - 21.1. SessionManagementFilter
    - 21.2. SessionAuthenticationStrategy
    - 21.3. Concurrency Control
      - 21.3.1. Querying the SessionRegistry for currently authenticated users and their sessions
  - 22. Anonymous Authentication
    - 22.1. Overview
    - 22.2. Configuration
    - 22.3. AuthenticationTrustResolver
  - 23. WebSocket Security
    - 23.1. WebSocket Configuration
    - 23.2. WebSocket Authentication
    - 23.3. WebSocket Authorization
      - 23.3.1. WebSocket Authorization Notes
        - WebSocket Authorization on Message Types
        - WebSocket Authorization on Destinations
      - 23.3.2. Outbound Messages
    - 23.4. Enforcing Same Origin Policy
      - 23.4.1. Why Same Origin?
      - 23.4.2. Spring WebSocket Allowed Origin
      - 23.4.3. Adding CSRF to Stomp Headers
      - 23.4.4. Disable CSRF within WebSockets
    - 23.5. Working with SockJS
      - 23.5.1. SockJS & frame-options
      - 23.5.2. SockJS & Relaxing CSRF
- V. Authorization
  - 24. Authorization Architecture
    - 24.1. Authorities
    - 24.2. Pre-Invocation Handling
      - 24.2.1. The AccessDecisionManager
      - 24.2.2. Voting-Based AccessDecisionManager Implementations
        - RoleVoter
        - AuthenticatedVoter
        - Custom Voters
    - 24.3. After Invocation Handling
    - 24.4. Hierarchical Roles
  - 25. Secure Object Implementations
    - 25.1. AOP Alliance (MethodInvocation) Security Interceptor
      - 25.1.1. Explicit MethodSecurityInterceptor Configuration
    - 25.2. AspectJ (JoinPoint) Security Interceptor
  - 26. Expression-Based Access Control
    - 26.1. Overview
      - 26.1.1. Common Built-In Expressions
    - 26.2. Web Security Expressions
      - 26.2.1. Referring to Beans in Web Security Expressions
      - 26.2.2. Path Variables in Web Security Expressions
    - 26.3. Method Security Expressions
      - 26.3.1. @Pre and @Post Annotations
        - Access Control using @PreAuthorize and @PostAuthorize
        - Filtering using @PreFilter and @PostFilter
      - 26.3.2. Built-In Expressions
        - The PermissionEvaluator interface
        - Method Security Meta Annotations
- VI. Additional Topics
  - 27. Domain Object Security (ACLs)
    - 27.1. Overview
    - 27.2. Key Concepts
    - 27.3. Getting Started
  - 28. Pre-Authentication Scenarios
    - 28.1. Pre-Authentication Framework Classes
      - 28.1.1. AbstractPreAuthenticatedProcessingFilter
        - J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource
      - 28.1.2. PreAuthenticatedAuthenticationProvider
      - 28.1.3. Http403ForbiddenEntryPoint
    - 28.2. Concrete Implementations
      - 28.2.1. Request-Header Authentication (Siteminder)
        - Siteminder Example Configuration
      - 28.2.2. Java EE Container Authentication
  - 29. LDAP Authentication
    - 29.1. Overview
    - 29.2. Using LDAP with Spring Security
    - 29.3. Configuring an LDAP Server
      - 29.3.1. Using an Embedded Test Server
      - 29.3.2. Using Bind Authentication
      - 29.3.3. Loading Authorities
    - 29.4. Implementation Classes
      - 29.4.1. LdapAuthenticator Implementations
        - Common Functionality
        - BindAuthenticator
        - PasswordComparisonAuthenticator
      - 29.4.2. Connecting to the LDAP Server
      - 29.4.3. LDAP Search Objects
        - FilterBasedLdapUserSearch
      - 29.4.4. LdapAuthoritiesPopulator
      - 29.4.5. Spring Bean Configuration
      - 29.4.6. LDAP Attributes and Customized UserDetails
    - 29.5. Active Directory Authentication
      - 29.5.1. ActiveDirectoryLdapAuthenticationProvider
        - Active Directory Error Codes
  - 30. JSP Tag Libraries
    - 30.1. Declaring the Taglib
    - 30.2. The authorize Tag
      - 30.2.1. Disabling Tag Authorization for Testing
    - 30.3. The authentication Tag
    - 30.4. The accesscontrollist Tag
    - 30.5. The csrfInput Tag
    - 30.6. The csrfMetaTags Tag
  - 31. Java Authentication and Authorization Service (JAAS) Provider
    - 31.1. Overview
    - 31.2. AbstractJaasAuthenticationProvider
      - 31.2.1. JAAS CallbackHandler
      - 31.2.2. JAAS AuthorityGranter
    - 31.3. DefaultJaasAuthenticationProvider
      - 31.3.1. InMemoryConfiguration
      - 31.3.2. DefaultJaasAuthenticationProvider Example Configuration
    - 31.4. JaasAuthenticationProvider
    - 31.5. Running as a Subject
  - 32. CAS Authentication
    - 32.1. Overview
    - 32.2. How CAS Works
      - 32.2.1. Spring Security and CAS Interaction Sequence
    - 32.3. Configuration of CAS Client
      - 32.3.1. Service Ticket Authentication
      - 32.3.2. Single Logout
      - 32.3.3. Authenticating to a Stateless Service with CAS
        - Configuring CAS to Obtain Proxy Granting Tickets
        - Calling a Stateless Service Using a Proxy Ticket
      - 32.3.4. Proxy Ticket Authentication
  - 33. X.509 Authentication
    - 33.1. Overview
    - 33.2. Adding X.509 Authentication to Your Web Application
    - 33.3. Setting up SSL in Tomcat
  - 34. Run-As Authentication Replacement
    - 34.1. Overview
    - 34.2. Configuration
  - 35. Spring Security Crypto Module
    - 35.1. Introduction
    - 35.2. Encryptors
      - 35.2.1. BytesEncryptor
      - 35.2.2. TextEncryptor
    - 35.3. Key Generators
      - 35.3.1. BytesKeyGenerator
      - 35.3.2. StringKeyGenerator
    - 35.4. Password Encoding
  - 36. Concurrency Support
    - 36.1. DelegatingSecurityContextRunnable
    - 36.2. DelegatingSecurityContextExecutor
    - 36.3. Spring Security Concurrency Classes
  - 37. Spring MVC Integration
    - 37.1. @EnableWebMvcSecurity
    - 37.2. MvcRequestMatcher
    - 37.3. @AuthenticationPrincipal
    - 37.4. Spring MVC Async Integration
    - 37.5. Spring MVC and CSRF Integration
      - 37.5.1. Automatic Token Inclusion
      - 37.5.2. Resolving the CsrfToken
- VII. Spring Data Integration
  - 38. Spring Data & Spring Security Configuration
  - 39. Security Expressions within @Query
- VIII. Appendix
  - 40. Security Database Schema
    - 40.1. User Schema
      - 40.1.1. Group Authorities
    - 40.2. Persistent Login (Remember-Me) Schema
    - 40.3. ACL Schema
      - 40.3.1. HyperSQL
      - 40.3.2. PostgreSQL
      - 40.3.3. MySQL and MariaDB
      - 40.3.4. Microsoft SQL Server
      - 40.3.5. Oracle Database
  - 41. The Security Namespace
    - 41.1. Web Application Security
      - 41.1.1. <debug>
      - 41.1.2. <http>
        - <http> Attributes
        - Child Elements of <http>
      - 41.1.3. <access-denied-handler>
        - Parent Elements of <access-denied-handler>
        - <access-denied-handler> Attributes
      - 41.1.4. <cors>
        - <cors> Attributes
        - Parent Elements of <cors>
      - 41.1.5. <headers>
        - <headers> Attributes
        - Parent Elements of <headers>
        - Child Elements of <headers>
      - 41.1.6. <cache-control>
        - <cache-control> Attributes
        - Parent Elements of <cache-control>
      - 41.1.7. <hsts>
        - <hsts> Attributes
        - Parent Elements of <hsts>
      - 41.1.8. <hpkp>
        - <hpkp> Attributes
        - Parent Elements of <hpkp>
      - 41.1.9. <pins>
        - Child Elements of <pins>
      - 41.1.10. <pin>
        - <pin> Attributes
        - Parent Elements of <pin>
      - 41.1.11. <content-security-policy>
        - <content-security-policy> Attributes
        - Parent Elements of <content-security-policy>
      - 41.1.12. <referrer-policy>
        - <referrer-policy> Attributes
        - Parent Elements of <referrer-policy>
      - 41.1.13. <frame-options>
        - <frame-options> Attributes
        - Parent Elements of <frame-options>
      - 41.1.14. <xss-protection>
        - <xss-protection> Attributes
        - Parent Elements of <xss-protection>
      - 41.1.15. <content-type-options>
        - <content-type-options> Attributes
        - Parent Elements of <content-type-options>
      - 41.1.16. <header>
        - <header> Attributes
        - Parent Elements of <header>
      - 41.1.17. <anonymous>
        - Parent Elements of <anonymous>
        - <anonymous> Attributes
      - 41.1.18. <csrf>
        - Parent Elements of <csrf>
        - <csrf> Attributes
      - 41.1.19. <custom-filter>
        - Parent Elements of <custom-filter>
        - <custom-filter> Attributes
      - 41.1.20. <expression-handler>
        - Parent Elements of <expression-handler>
        - <expression-handler> Attributes
      - 41.1.21. <form-login>
        - Parent Elements of <form-login>
        - <form-login> Attributes
      - 41.1.22. <http-basic>
        - Parent Elements of <http-basic>
        - <http-basic> Attributes
      - 41.1.23. <http-firewall> Element
        - <http-firewall> Attributes
      - 41.1.24. <intercept-url>
        - Parent Elements of <intercept-url>
        - <intercept-url> Attributes
      - 41.1.25. <jee>
        - Parent Elements of <jee>
        - <jee> Attributes
      - 41.1.26. <logout>
        - Parent Elements of <logout>
        - <logout> Attributes
      - 41.1.27. <openid-login>
        - Parent Elements of <openid-login>
        - <openid-login> Attributes
        - Child Elements of <openid-login>
      - 41.1.28. <attribute-exchange>
        - Parent Elements of <attribute-exchange>
        - <attribute-exchange> Attributes
        - Child Elements of <attribute-exchange>
      - 41.1.29. <openid-attribute>
        - Parent Elements of <openid-attribute>
        - <openid-attribute> Attributes
      - 41.1.30. <port-mappings>
        - Parent Elements of <port-mappings>
        - Child Elements of <port-mappings>
      - 41.1.31. <port-mapping>
        - Parent Elements of <port-mapping>
        - <port-mapping> Attributes
      - 41.1.32. <remember-me>
        - Parent Elements of <remember-me>
        - <remember-me> Attributes
      - 41.1.33. <request-cache> Element
        - Parent Elements of <request-cache>
        - <request-cache> Attributes
      - 41.1.34. <session-management>
        - Parent Elements of <session-management>
        - <session-management> Attributes
        - Child Elements of <session-management>
      - 41.1.35. <concurrency-control>
        - Parent Elements of <concurrency-control>
        - <concurrency-control> Attributes
      - 41.1.36. <x509>
        - Parent Elements of <x509>
        - <x509> Attributes
      - 41.1.37. <filter-chain-map>
        - <filter-chain-map> Attributes
        - Child Elements of <filter-chain-map>
      - 41.1.38. <filter-chain>
        - Parent Elements of <filter-chain>
        - <filter-chain> Attributes
      - 41.1.39. <filter-security-metadata-source>
        - <filter-security-metadata-source> Attributes
        - Child Elements of <filter-security-metadata-source>
    - 41.2. WebSocket Security
      - 41.2.1. <websocket-message-broker>
        - <websocket-message-broker> Attributes
        - Child Elements of <websocket-message-broker>
      - 41.2.2. <intercept-message>
        - Parent Elements of <intercept-message>
        - <intercept-message> Attributes
    - 41.3. Authentication Services
      - 41.3.1. <authentication-manager>
        - <authentication-manager> Attributes
        - Child Elements of <authentication-manager>
      - 41.3.2. <authentication-provider>
        - Parent Elements of <authentication-provider>
        - <authentication-provider> Attributes
        - Child Elements of <authentication-provider>
      - 41.3.3. <jdbc-user-service>
        - <jdbc-user-service> Attributes
      - 41.3.4. <password-encoder>
        - Parent Elements of <password-encoder>
        - <password-encoder> Attributes
        - Child Elements of <password-encoder>
      - 41.3.5. <salt-source>
        - Parent Elements of <salt-source>
        - <salt-source> Attributes
      - 41.3.6. <user-service>
        - <user-service> Attributes
        - Child Elements of <user-service>
      - 41.3.7. <user>
        - Parent Elements of <user>
        - <user> Attributes
    - 41.4. Method Security
      - 41.4.1. <global-method-security>
        - <global-method-security> Attributes
        - Child Elements of <global-method-security>
      - 41.4.2. <after-invocation-provider>
        - Parent Elements of <after-invocation-provider>
        - <after-invocation-provider> Attributes
      - 41.4.3. <pre-post-annotation-handling>
        - Parent Elements of <pre-post-annotation-handling>
        - Child Elements of <pre-post-annotation-handling>
      - 41.4.4. <invocation-attribute-factory>
        - Parent Elements of <invocation-attribute-factory>
        - <invocation-attribute-factory> Attributes
      - 41.4.5. <post-invocation-advice>
        - Parent Elements of <post-invocation-advice>
        - <post-invocation-advice> Attributes
      - 41.4.6. <pre-invocation-advice>
        - Parent Elements of <pre-invocation-advice>
        - <pre-invocation-advice> Attributes
      - 41.4.7. Securing Methods using <protect-pointcut>
        - Parent Elements of <protect-pointcut>
        - <protect-pointcut> Attributes
      - 41.4.8. <intercept-methods>
        - <intercept-methods> Attributes
        - Child Elements of <intercept-methods>
      - 41.4.9. <method-security-metadata-source>
        - <method-security-metadata-source> Attributes
        - Child Elements of <method-security-metadata-source>
      - 41.4.10. <protect>
        - Parent Elements of <protect>
        - <protect> Attributes
    - 41.5. LDAP Namespace Options
      - 41.5.1. Defining the LDAP Server using the <ldap-server> Element
        - <ldap-server> Attributes
      - 41.5.2. <ldap-authentication-provider>
        - Parent Elements of <ldap-authentication-provider>
        - <ldap-authentication-provider> Attributes
        - Child Elements of <ldap-authentication-provider>
      - 41.5.3. <password-compare>
        - Parent Elements of <password-compare>
        - <password-compare> Attributes
        - Child Elements of <password-compare>
      - 41.5.4. <ldap-user-service>
        - <ldap-user-service> Attributes
  - 42. Spring Security Dependencies
    - 42.1. spring-security-core
    - 42.2. spring-security-remoting
    - 42.3. spring-security-web
    - 42.4. spring-security-ldap
    - 42.5. spring-security-config
    - 42.6. spring-security-acl
    - 42.7. spring-security-cas
    - 42.8. spring-security-openid
    - 42.9. spring-security-taglibs
  - 43. Proxy Server Configuration
  - 44. Spring Security FAQ
    - 44.1. General Questions
      - 44.1.1. Will Spring Security take care of all my application security requirements?
      - 44.1.2. Why not just use web.xml security?
      - 44.1.3. What Java and Spring Framework versions are required?
      - 44.1.4. I’m new to Spring Security and I need to build an application that supports CAS single sign-on over HTTPS, while allowing Basic authentication locally for certain URLs, authenticating against multiple back end user information sources (LDAP and JDBC). I’ve copied some configuration files I found but it doesn’t work. What could be wrong?
    - 44.2. Common Problems
      - 44.2.1. When I try to log in, I get an error message that says "Bad Credentials". What’s wrong?
      - 44.2.2. My application goes into an "endless loop" when I try to login, what’s going on?
      - 44.2.3. I get an exception with the message "Access is denied (user is anonymous);". What’s wrong?
      - 44.2.4. Why can I still see a secured page even after I’ve logged out of my application?
      - 44.2.5. I get an exception with the message "An Authentication object was not found in the SecurityContext". What’s wrong?
      - 44.2.6. I can’t get LDAP authentication to work. What’s wrong with my configuration?
      - 44.2.7. Session Management
      - 44.2.8. I’m using Spring Security’s concurrent session control to prevent users from logging in more than once at a time. When I open another browser window after logging in, it doesn’t stop me from logging in again. Why can I log in more than once?
      - 44.2.9. Why does the session Id change when I authenticate through Spring Security?
      - 44.2.10. I’m using Tomcat (or some other servlet container) and have enabled HTTPS for my login page, switching back to HTTP afterwards. It doesn’t work - I just end up back at the login page after authenticating.
      - 44.2.11. I’m not switching between HTTP and HTTPS but my session is still getting lost
      - 44.2.12. I’m trying to use the concurrent session-control support but it won’t let me log back in, even if I’m sure I’ve logged out and haven’t exceeded the allowed sessions.
      - 44.2.13. Spring Security is creating a session somewhere, even though I’ve configured it not to, by setting the create-session attribute to never.
      - 44.2.14. I get a 403 Forbidden when performing a POST
      - 44.2.15. I’m forwarding a request to another URL using the RequestDispatcher, but my security constraints aren’t being applied.
      - 44.2.16. I have added Spring Security’s <global-method-security> element to my application context but if I add security annotations to my Spring MVC controller beans (Struts actions etc.) then they don’t seem to have an effect.
      - 44.2.17. I have a user who has definitely been authenticated, but when I try to access the SecurityContextHolder during some requests, the Authentication is null. Why can’t I see the user information?
      - 44.2.18. The authorize JSP Tag doesn’t respect my method security annotations when using the URL attribute.
    - 44.3. Spring Security Architecture Questions
      - 44.3.1. How do I know which package class X is in?
      - 44.3.2. How do the namespace elements map to conventional bean configurations?
      - 44.3.3. What does "ROLE_" mean and why do I need it on my role names?
      - 44.3.4. How do I know which dependencies to add to my application to work with Spring Security?
      - 44.3.5. What dependencies are needed to run an embedded ApacheDS LDAP server?
      - 44.3.6. What is a UserDetailsService and do I need one?
    - 44.4. Common "Howto" Requests
      - 44.4.1. I need to login in with more information than just the username. How do I add support for extra login fields (e.g. a company name)?
      - 44.4.2. How do I apply different intercept-url constraints where only the fragment value of the requested URLs differs (e.g. /foo#bar and /foo#blah)?
      - 44.4.3. How do I access the user’s IP Address (or other web-request data) in a UserDetailsService?
      - 44.4.4. How do I access the HttpSession from a UserDetailsService?
      - 44.4.5. How do I access the user’s password in a UserDetailsService?
      - 44.4.6. How do I define the secured URLs within an application dynamically?
      - 44.4.7. How do I authenticate against LDAP but load user roles from a database?
      - 44.4.8. I want to modify the property of a bean that is created by the namespace, but there is nothing in the schema to support it. What can I do short of abandoning namespace use?
  - 45. Migrating from 3.x to 4.x