Spring Security Reference
Table of Contents
- I. Preface
- 1. Spring Security Community
- 2. What’s New in Spring Security 5.1
- 3. Getting Spring Security
- 4. Project Modules
- 4.1. Core - spring-security-core.jar
- 4.2. Remoting - spring-security-remoting.jar
- 4.3. Web - spring-security-web.jar
- 4.4. Config - spring-security-config.jar
- 4.5. LDAP - spring-security-ldap.jar
- 4.6. OAuth 2.0 Core - spring-security-oauth2-core.jar
- 4.7. OAuth 2.0 Client - spring-security-oauth2-client.jar
- 4.8. OAuth 2.0 JOSE - spring-security-oauth2-jose.jar
- 4.9. ACL - spring-security-acl.jar
- 4.10. CAS - spring-security-cas.jar
- 4.11. OpenID - spring-security-openid.jar
- 4.12. Test - spring-security-test.jar
- 5. Sample Applications
- II. Servlet Applications
- 6. Java Configuration
- 6.1. Hello Web Security Java Configuration
- 6.2. HttpSecurity
- 6.3. Java Configuration and Form Login
- 6.4. Authorize Requests
- 6.5. Handling Logouts
- 6.6. OAuth 2.0 Client
- 6.6.1. ClientRegistration
- 6.6.2. ClientRegistrationRepository
- 6.6.3. OAuth2AuthorizedClient
- 6.6.4. OAuth2AuthorizedClientRepository / OAuth2AuthorizedClientService
- 6.6.5. RegisteredOAuth2AuthorizedClient
- 6.6.6. AuthorizationRequestRepository
- 6.6.7. OAuth2AuthorizationRequestResolver
- 6.6.8. OAuth2AccessTokenResponseClient
- 6.7. OAuth 2.0 Login
- 6.8. OAuth 2.0 Resource Server
- 6.9. Authentication
- 6.10. Multiple HttpSecurity
- 6.11. Method Security
- 6.12. Post Processing Configured Objects
- 6.13. Custom DSLs
- 7. Security Namespace Configuration
- 7.1. Introduction
- 7.2. Getting Started with Security Namespace Configuration
- 7.3. Advanced Web Features
- 7.4. Method Security
- 7.5. The Default AccessDecisionManager
- 7.6. The Authentication Manager and the Namespace
- 8. Architecture and Implementation
- 8.1. Technical Overview
- 8.2. Core Services
- 9. Testing
- 10. Web Application Security
- 10.1. The Security Filter Chain
- 10.2. Core Security Filters
- 10.3. Servlet API integration
- 10.4. Basic and Digest Authentication
- 10.5. Remember-Me Authentication
- 10.6. Cross Site Request Forgery (CSRF)
- 10.7. CORS
- 10.8. Security HTTP Response Headers
- 10.9. Session Management
- 10.10. Anonymous Authentication
- 10.11. WebSocket Security
- 11. Authorization
- 12. Additional Topics
- 12.1. Domain Object Security (ACLs)
- 12.2. Pre-Authentication Scenarios
- 12.3. LDAP Authentication
- 12.4. OAuth 2.0 Login — Advanced Configuration
- 13. WebClient for Servlet Environments
- 13.1. WebClient OAuth2 Setup
- 13.2. Implicit OAuth2AuthorizedClient
- 13.3. Explicit OAuth2AuthorizedClient
- 13.4. clientRegistrationId
- 13.5. JSP Tag Libraries
- 13.6. Java Authentication and Authorization Service (JAAS) Provider
- 13.7. CAS Authentication
- 13.8. X.509 Authentication
- 13.9. Run-As Authentication Replacement
- 13.10. Spring Security Crypto Module
- 13.11. Concurrency Support
- 13.12. Spring MVC Integration
- 14. Spring Data Integration
- 15. Appendix
- 15.1. Security Database Schema
- 15.2. The Security Namespace
- 15.2.1. Web Application Security
- <debug>
- <http>
- <access-denied-handler>
- <cors>
- <headers>
- <cache-control>
- <hsts>
- <hpkp>
- <pins>
- <pin>
- <content-security-policy>
- <referrer-policy>
- <feature-policy>
- <frame-options>
- <xss-protection>
- <content-type-options>
- <header>
- <anonymous>
- <csrf>
- <custom-filter>
- <expression-handler>
- <form-login>
- <http-basic>
- <http-firewall> Element
- <intercept-url>
- <jee>
- <logout>
- <openid-login>
- <attribute-exchange>
- <openid-attribute>
- <port-mappings>
- <port-mapping>
- <remember-me>
- <request-cache> Element
- <session-management>
- <concurrency-control>
- <x509>
- <filter-chain-map>
- <filter-chain>
- <filter-security-metadata-source>
- 15.2.2. WebSocket Security
- 15.2.3. Authentication Services
- 15.2.4. Method Security
- 15.2.5. LDAP Namespace Options
- 15.3. Spring Security Dependencies
- 15.4. Proxy Server Configuration
- 15.5. Spring Security FAQ
- 15.5.1. General Questions
- Will Spring Security take care of all my application security requirements?
- Why not just use web.xml security?
- What Java and Spring Framework versions are required?
- I’m new to Spring Security and I need to build an application that supports CAS single sign-on over HTTPS, while allowing Basic authentication locally for certain URLs, authenticating against multiple back end user information sources (LDAP and JDBC). I’ve copied some configuration files I found but it doesn’t work.
- 15.5.2. Common Problems
- When I try to log in, I get an error message that says "Bad Credentials". What’s wrong?
- My application goes into an "endless loop" when I try to login, what’s going on?
- I get an exception with the message "Access is denied (user is anonymous);". What’s wrong?
- Why can I still see a secured page even after I’ve logged out of my application?
- I get an exception with the message "An Authentication object was not found in the SecurityContext". What’s wrong?
- I can’t get LDAP authentication to work.
- Session Management
- I’m using Spring Security’s concurrent session control to prevent users from logging in more than once at a time.
- Why does the session Id change when I authenticate through Spring Security?
- I’m using Tomcat (or some other servlet container) and have enabled HTTPS for my login page, switching back to HTTP afterwards.
- I’m not switching between HTTP and HTTPS but my session is still getting lost
- I’m trying to use the concurrent session-control support but it won’t let me log back in, even if I’m sure I’ve logged out and haven’t exceeded the allowed sessions.
- Spring Security is creating a session somewhere, even though I’ve configured it not to, by setting the create-session attribute to never.
- I get a 403 Forbidden when performing a POST
- I’m forwarding a request to another URL using the RequestDispatcher, but my security constraints aren’t being applied.
- I have added Spring Security’s <global-method-security> element to my application context but if I add security annotations to my Spring MVC controller beans (Struts actions etc.) then they don’t seem to have an effect.
- I have a user who has definitely been authenticated, but when I try to access the SecurityContextHolder during some requests, the Authentication is null.
- The authorize JSP Tag doesn’t respect my method security annotations when using the URL attribute.
- 15.5.3. Spring Security Architecture Questions
- How do I know which package class X is in?
- How do the namespace elements map to conventional bean configurations?
- What does "ROLE_" mean and why do I need it on my role names?
- How do I know which dependencies to add to my application to work with Spring Security?
- What dependencies are needed to run an embedded ApacheDS LDAP server?
- What is a UserDetailsService and do I need one?
- 15.5.4. Common "Howto" Requests
- I need to login in with more information than just the username.
- How do I apply different intercept-url constraints where only the fragment value of the requested URLs differs (e.g. /foo#bar and /foo#blah)?
- How do I access the user’s IP Address (or other web-request data) in a UserDetailsService?
- How do I access the HttpSession from a UserDetailsService?
- How do I access the user’s password in a UserDetailsService?
- How do I define the secured URLs within an application dynamically?
- How do I authenticate against LDAP but load user roles from a database?
- I want to modify the property of a bean that is created by the namespace, but there is nothing in the schema to support it.
- III. Reactive Applications
- 16. WebFlux Security
- 17. Default Security Headers
- 18. Redirect to HTTPS
- 19. OAuth2 WebFlux
- 20. @RegisteredOAuth2AuthorizedClient
- 21. WebClient
- 22. EnableReactiveMethodSecurity
- 23. Reactive Test Support