PacktLib: Spring Security 3.1

Spring Security 3.1

Credits

About the Author

Acknowledgement

About the Reviewers

www.PacktPub.com

Preface

Anatomy of an Unsafe Application

Security audit

About the sample application

The JBCP calendar application architecture

Application technology

Reviewing the audit results

Authentication

Authorization

Database credential security

Sensitive information

Transport-level protection

Using Spring Security 3.1 to address security concerns

Why Spring Security

Summary

Getting Started with Spring Security

Hello Spring Security

A little bit of polish

Summary

Custom Authentication

JBCP Calendar architecture

Logging in new users using SecurityContextHolder
Creating a custom UserDetailsService object

Creating a custom AuthenticationProvider object

Which authentication method to use

Summary

JDBC-based Authentication

Using Spring Security's default JDBC authentication

UserDetailsManager

Group-based access control

Support for a custom schema

Configuring secure passwords

Summary

LDAP Directory Services

Understanding LDAP

LDAP

Common LDAP attribute names

Updating our dependencies

Configuring embedded LDAP integration

Configuring an LDAP server reference

Troubleshooting embedded LDAP

Understanding how Spring LDAP authentication works

Authenticating user credentials

Binding anonymously to LDAP

Searching for the user

Binding as a user to LDAP

Determining user role membership

Mapping additional attributes of UserDetails

Advanced LDAP configuration

Sample JBCP LDAP users

Configuring basic password comparison

LDAP password encoding and storage

Configuring UserDetailsContextMapper

Viewing additional user details

Using an alternate password attribute

Using LDAP as UserDetailsService

Configuring LdapUserDetailsService

Integrating with an external LDAP server

Explicit LDAP bean configuration

Configuring LdapAuthenticationProvider

Integrating with Microsoft Active Directory via LDAP

Summary

Remember-me Services

What is remember-me

Dependencies

The token-based remember-me feature

Is remember-me secure

Persistent remember-me

Remember-me architecture

Restricting the remember-me feature to an IP address

Summary

Client Certificate Authentication

How client certificate authentication works

Setting up client certificate authentication infrastructure

Configuring client certificate authentication in Spring Security

Configuring client certificate authentication using Spring Beans

Considerations when implementing Client Certificate authentication

Summary

Opening up to OpenID

The promising world of OpenID

Signing up for an OpenID

Enabling OpenID authentication with Spring Security

Additional required dependencies

The OpenID user registration problem

Implementing user registration with OpenID

Attribute Exchange

Usability enhancements

Automatic redirection to the OpenID Provider

Is OpenID Secure

Summary

Single Sign-on with Central Authentication Service

Introducing Central Authentication Service

Configuring basic CAS integration

Single logout

Proxy ticket authentication for stateless services

Customizing the CAS Server

Getting UserDetails from a CAS assertion

Additional CAS capabilities

Summary

Fine-grained Access Control

Maven dependencies

Spring Expression Language (SpEL) integration

Page-level authorization

Method-level security

Summary

Access Control Lists

Using access control lists for business object security

Basic configuration of Spring Security ACL support

Advanced ACL topics

Custom ACL permission declaration

Mutable ACLs and authorization

Considerations for a typical ACL deployment

Should I use Spring Security ACL

Summary

Custom Authorization

How requests are authorized

Configuring to use a UnanimousBased access decision manager

Customizing request authorization

Creating a custom PermissionEvaluator

Summary

Session Management

Configuring session fixation protection

Restricting the number of concurrent sessions per user

How Spring Security uses the HttpSession

Summary

Integrating with Other Frameworks

Integrating with Java Server Faces (JSF)

Google Web Toolkit (GWT) integration

Summary

Migration to Spring Security 3.1

Migrating from Spring Security 2

Enhancements in Spring Security 3

Changes to configuration in Spring Security 3

Changes to CustomAfterInvocationProvider

Changes to packages and classes

Updates in Spring Security 3.1

Summary

Additional Reference Material

Index