Spring Security, formerly known as Acegi Security, is an open source security framework that is used extensively in Java-based web applications. Because of its power and configurability, it has become the de facto standard for securing Spring-based applications. The purpose of this blog series is to examine Spring Security 3.0 and to provide resources on its various functions.
Spring Security targets two main areas of web application security: authentication and authorization. Authentication is the process of establishing that a principal is who they claim to be. Authorization is the process of deciding whether a principal is allowed to perform an action within your application.
**Side Note:** Spring Security is currently at version 3. Several examples online use version 2 without saying so, and there are several differences between the two versions. For example, in version 2 the `<authentication-provider>` element in the security XML file sits directly under the `<beans>` element, while in version 3 it is nested inside an `<authentication-manager>` element. Also, the `registerPermissionsFor` method used when extending the `BasePermission` class in version 2 is deprecated in version 3. So be aware that code written against version 2 may need to be modified before it works with version 3.
In Spring Security 3.0 the codebase has been sub-divided into separate jars that more clearly separate the different functional areas and their third-party dependencies. To add Spring Security to your application, download the Spring Security jars and add them to your application's classpath. The following jars are available:
Spring Security uses a chain of servlet filters to enforce security. To integrate it with a web application, add the following to web.xml under the `<web-app>` element:
```xml
<!-- Location of the XML file that defines the root application context.
     Read by ContextLoaderListener. Use a forward-slash, context-relative path. -->
<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>/WEB-INF/applicationContext-security.xml</param-value>
</context-param>

<!-- Loads the root application context of this web app at startup.
     The context is then available via
     WebApplicationContextUtils.getWebApplicationContext(servletContext). -->
<listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<!-- Spring Security enforces security with servlet filters. DelegatingFilterProxy
     is a thin servlet filter that delegates every request to the Spring bean whose
     name matches this filter-name, "springSecurityFilterChain", which the <http>
     element in applicationContext-security.xml creates. -->
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```
Now that this is in place, you need to decide exactly what within your application you want to secure. Spring Security provides three broad categories of handling security:
See each of these blog posts for more information about the different methods of Spring Security.