PacktLib: Spring Security 3.1

Spring Security 3.1


About the Author


About the Reviewers


Anatomy of an Unsafe Application

Security audit

About the sample application

The JBCP calendar application architecture

Application technology

Reviewing the audit results



Database credential security

Sensitive information

Transport-level protection

Using Spring Security 3.1 to address security concerns

Why Spring Security?


Getting Started with Spring Security

Hello Spring Security

A little bit of polish


Custom Authentication

JBCP Calendar architecture

Logging in new users using SecurityContextHolder

Creating a custom UserDetailsService object

Creating a custom AuthenticationProvider object

Which authentication method to use


JDBC-based Authentication

Using Spring Security's default JDBC authentication


Group-based access control

Support for a custom schema

Configuring secure passwords


LDAP Directory Services

Understanding LDAP


Common LDAP attribute names

Updating our dependencies

Configuring embedded LDAP integration

Configuring an LDAP server reference

Troubleshooting embedded LDAP

Understanding how Spring LDAP authentication works

Authenticating user credentials

Binding anonymously to LDAP

Searching for the user

Binding as a user to LDAP

Determining user role membership

Mapping additional attributes of UserDetails

Advanced LDAP configuration

Sample JBCP LDAP users

Configuring basic password comparison

LDAP password encoding and storage

Configuring UserDetailsContextMapper

Viewing additional user details

Using an alternate password attribute

Using LDAP as UserDetailsService

Configuring LdapUserDetailsService

Integrating with an external LDAP server

Explicit LDAP bean configuration

Configuring LdapAuthenticationProvider

Integrating with Microsoft Active Directory via LDAP


Remember-me Services

What is remember-me?


The token-based remember-me feature

Is remember-me secure?

Persistent remember-me

Remember-me architecture

Restricting the remember-me feature to an IP address


Client Certificate Authentication

How client certificate authentication works

Setting up client certificate authentication infrastructure

Configuring client certificate authentication in Spring Security

Configuring client certificate authentication using Spring Beans

Considerations when implementing Client Certificate authentication


Opening up to OpenID

The promising world of OpenID

Signing up for an OpenID

Enabling OpenID authentication with Spring Security

Additional required dependencies

The OpenID user registration problem

Implementing user registration with OpenID

Attribute Exchange

Usability enhancements

Automatic redirection to the OpenID Provider

Is OpenID Secure?


Single Sign-on with Central Authentication Service

Introducing Central Authentication Service

Configuring basic CAS integration

Single logout

Proxy ticket authentication for stateless services

Customizing the CAS Server

Getting UserDetails from a CAS assertion

Additional CAS capabilities


Fine-grained Access Control

Maven dependencies

Spring Expression Language (SpEL) integration

Page-level authorization

Method-level security


Access Control Lists

Using access control lists for business object security

Basic configuration of Spring Security ACL support

Advanced ACL topics

Custom ACL permission declaration

Mutable ACLs and authorization

Considerations for a typical ACL deployment

Should I use Spring Security ACL?


Custom Authorization

How requests are authorized

Configuring to use a UnanimousBased access decision manager

Customizing request authorization

Creating a custom PermissionEvaluator


Session Management

Configuring session fixation protection

Restricting the number of concurrent sessions per user

How Spring Security uses the HttpSession


Integrating with Other Frameworks

Integrating with Java Server Faces (JSF)

Google Web Toolkit (GWT) integration


Migration to Spring Security 3.1

Migrating from Spring Security 2

Enhancements in Spring Security 3

Changes to configuration in Spring Security 3

Changes to CustomAfterInvocationProvider

Changes to packages and classes

Updates in Spring Security 3.1


Additional Reference Material