On this page
- I. Preface
- 1. Getting Started
- 2. Introduction
- 3. What’s New in Spring Security 4.2
- 4. Samples and Guides (Start Here)
- 5. Java Configuration
- 6. Security Namespace Configuration
- 6.1. Introduction
- 6.2. Getting Started with Security Namespace Configuration
- 6.3. Advanced Web Features
- 6.4. Method Security
- 6.5. The Default AccessDecisionManager
- 6.6. The Authentication Manager and the Namespace
- 7. Sample Applications
- 8. Spring Security Community
- II. Architecture and Implementation
- 9. Technical Overview
- 10. Core Services
- III. Testing
- IV. Web Application Security
- 13. The Security Filter Chain
- 14. Core Security Filters
- 15. Servlet API integration
- 16. Basic and Digest Authentication
- 17. Remember-Me Authentication
- 18. Cross Site Request Forgery (CSRF)
- 19. CORS
- 20. Security HTTP Response Headers
- 21. Session Management
- 22. Anonymous Authentication
- 23. WebSocket Security
- V. Authorization
- VI. Additional Topics
- 27. Domain Object Security (ACLs)
- 28. Pre-Authentication Scenarios
- 29. LDAP Authentication
- 29.1. Overview
- 29.2. Using LDAP with Spring Security
- 29.3. Configuring an LDAP Server
- 29.4. Implementation Classes
- 29.5. Active Directory Authentication
- 30. JSP Tag Libraries
- 31. Java Authentication and Authorization Service (JAAS) Provider
- 32. CAS Authentication
- 33. X.509 Authentication
- 34. Run-As Authentication Replacement
- 35. Spring Security Crypto Module
- 36. Concurrency Support
- 37. Spring MVC Integration
- VII. Spring Data Integration
- VIII. Appendix
- 40. Security Database Schema
- 41. The Security Namespace
- 41.1. Web Application Security
- 41.1.1. <debug>
- 41.1.2. <http>
- 41.1.3. <access-denied-handler>
- 41.1.4. <cors>
- 41.1.5. <headers>
- 41.1.6. <cache-control>
- 41.1.7. <hsts>
- 41.1.8. <hpkp>
- 41.1.9. <pins>
- 41.1.10. <pin>
- 41.1.11. <content-security-policy>
- 41.1.12. <referrer-policy>
- 41.1.13. <frame-options>
- 41.1.14. <xss-protection>
- 41.1.15. <content-type-options>
- 41.1.16. <header>
- 41.1.17. <anonymous>
- 41.1.18. <csrf>
- 41.1.19. <custom-filter>
- 41.1.20. <expression-handler>
- 41.1.21. <form-login>
- 41.1.22. <http-basic>
- 41.1.23. <http-firewall> Element
- 41.1.24. <intercept-url>
- 41.1.25. <jee>
- 41.1.26. <logout>
- 41.1.27. <openid-login>
- 41.1.28. <attribute-exchange>
- 41.1.29. <openid-attribute>
- 41.1.30. <port-mappings>
- 41.1.31. <port-mapping>
- 41.1.32. <remember-me>
- 41.1.33. <request-cache> Element
- 41.1.34. <session-management>
- 41.1.35. <concurrency-control>
- 41.1.36. <x509>
- 41.1.37. <filter-chain-map>
- 41.1.38. <filter-chain>
- 41.1.39. <filter-security-metadata-source>
- 41.2. WebSocket Security
- 41.3. Authentication Services
- 41.4. Method Security
- 41.4.1. <global-method-security>
- 41.4.2. <after-invocation-provider>
- 41.4.3. <pre-post-annotation-handling>
- 41.4.4. <invocation-attribute-factory>
- 41.4.5. <post-invocation-advice>
- 41.4.6. <pre-invocation-advice>
- 41.4.7. Securing Methods using
- 41.4.8. <intercept-methods>
- 41.4.9. <method-security-metadata-source>
- 41.4.10. <protect>
- 41.5. LDAP Namespace Options
- 42. Spring Security Dependencies
- 43. Proxy Server Configuration
- 44. Spring Security FAQ
- 44.1. General Questions
- 44.1.1. Will Spring Security take care of all my application security requirements?
- 44.1.2. Why not just use web.xml security?
- 44.1.3. What Java and Spring Framework versions are required?
- 44.1.4. I’m new to Spring Security and I need to build an application that supports CAS single sign-on over HTTPS, while allowing Basic authentication locally for certain URLs, authenticating against multiple back end user information sources (LDAP and JDBC). I’ve copied some configuration files I found but it doesn’t work. What could be wrong?
- 44.2. Common Problems
- 44.2.1. When I try to log in, I get an error message that says "Bad Credentials". What’s wrong?
- 44.2.2. My application goes into an "endless loop" when I try to log in. What’s going on?
- 44.2.3. I get an exception with the message "Access is denied (user is anonymous);". What’s wrong?
- 44.2.4. Why can I still see a secured page even after I’ve logged out of my application?
- 44.2.5. I get an exception with the message "An Authentication object was not found in the SecurityContext". What’s wrong?
- 44.2.6. I can’t get LDAP authentication to work. What’s wrong with my configuration?
- 44.2.7. Session Management
- 44.2.8. I’m using Spring Security’s concurrent session control to prevent users from logging in more than once at a time. When I open another browser window after logging in, it doesn’t stop me from logging in again. Why can I log in more than once?
- 44.2.9. Why does the session Id change when I authenticate through Spring Security?
- 44.2.10. I’m using Tomcat (or some other servlet container) and have enabled HTTPS for my login page, switching back to HTTP afterwards. It doesn’t work - I just end up back at the login page after authenticating.
- 44.2.11. I’m not switching between HTTP and HTTPS but my session is still getting lost
- 44.2.12. I’m trying to use the concurrent session-control support but it won’t let me log back in, even if I’m sure I’ve logged out and haven’t exceeded the allowed sessions.
- 44.2.13. Spring Security is creating a session somewhere, even though I’ve configured it not to, by setting the create-session attribute to never.
- 44.2.14. I get a 403 Forbidden when performing a POST
- 44.2.15. I’m forwarding a request to another URL using the RequestDispatcher, but my security constraints aren’t being applied.
- 44.2.16. I have added Spring Security’s <global-method-security> element to my application context but if I add security annotations to my Spring MVC controller beans (Struts actions etc.) then they don’t seem to have an effect.
- 44.2.17. I have a user who has definitely been authenticated, but when I try to access the SecurityContextHolder during some requests, the Authentication is null. Why can’t I see the user information?
- 44.2.18. The authorize JSP Tag doesn’t respect my method security annotations when using the URL attribute.
- 44.3. Spring Security Architecture Questions
- 44.3.1. How do I know which package class X is in?
- 44.3.2. How do the namespace elements map to conventional bean configurations?
- 44.3.3. What does "ROLE_" mean and why do I need it on my role names?
- 44.3.4. How do I know which dependencies to add to my application to work with Spring Security?
- 44.3.5. What dependencies are needed to run an embedded ApacheDS LDAP server?
- 44.3.6. What is a UserDetailsService and do I need one?
- 44.4. Common "Howto" Requests
- 44.4.1. I need to log in with more information than just the username. How do I add support for extra login fields (e.g. a company name)?
- 44.4.2. How do I apply different intercept-url constraints where only the fragment value of the requested URLs differs (e.g. /foo#bar and /foo#blah)?
- 44.4.3. How do I access the user’s IP Address (or other web-request data) in a UserDetailsService?
- 44.4.4. How do I access the HttpSession from a UserDetailsService?
- 44.4.5. How do I access the user’s password in a UserDetailsService?
- 44.4.6. How do I define the secured URLs within an application dynamically?
- 44.4.7. How do I authenticate against LDAP but load user roles from a database?
- 44.4.8. I want to modify the property of a bean that is created by the namespace, but there is nothing in the schema to support it. What can I do short of abandoning namespace use?
- 45. Migrating from 3.x to 4.x