Spring Security is a Java/Java EE framework that provides authentication, authorization and other security features for enterprise applications. The project was started in late 2003 as 'Acegi Security' (pronounced ''Ah-see-gee'', whose letters are the first, third, fifth, seventh, and ninth characters from the English alphabet, in order to prevent name conflicts) by Ben Alex, with it being publicly released under the Apache License in March 2004. Subsequently, Acegi was incorporated into the Spring portfolio as Spring Security, an official Spring sub-project. The first public release under the new name was Spring Security 2.0.0 in April 2008, with commercial support and training available from SpringSource.
Authentication flow
Diagram 1 shows the basic flow of an authentication request using the Spring Security system. It shows the different filters and how they interact from the initial browser request, to either a successful authentication or an HTTP 403 error.
Key authentication features
*LDAP (using both bind-based and password comparison strategies) for centralization of authentication information.
*Single sign-on capabilities using the popular Central Authentication Service.
*Java Authentication and Authorization Service (JAAS) LoginModule, a standards-based method for authentication used within Java. Note this feature is only a delegation to a JAAS LoginModule.
*Basic access authentication as defined through RFC 1945.
*Digest access authentication as defined through RFC 2617 and RFC 2069.
*X.509 client certificate presentation over the Secure Sockets Layer standard.
*CA, Inc SiteMinder for authentication (a popular commercial access management product).
*su (Unix)-like support for switching principal identity over an HTTP or HTTPS connection.
*Run-as replacement, which enables an operation to assume a different security identity.
*Anonymous authentication, which means that even unauthenticated principals are allocated a security identity.
*Container adapter (custom realm) support for Apache Tomcat, Resin, JBoss and Jetty (web server).
*Windows NTLM to enable browser integration (experimental).
*Web form authentication, similar to the servlet container specification.
*"Remember-me" support via HTTP cookies.
*Concurrent session support, which limits the number of simultaneous logins permitted by a principal.
*Full support for customization and plugging in custom authentication implementations.
Key authorization features
*AspectJ method invocation authorization.
*HTTP authorization of web request URLs using a choice of Apache Ant paths or regular expressions.
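The following configuration is an added example and is not part of this article or of the Spring Security project's own code. It shows, in one Java class, how several of the authentication and authorization features listed above are wired together: URL authorization with an Ant-style path and a regular expression, form login, Basic access authentication, "remember-me", concurrent session control, anonymous authentication and channel security. It assumes the Spring Security 5.x configuration API (WebSecurityConfigurerAdapter, antMatchers, regexMatchers); the class name, the URL paths, the roles and the in-memory accounts are constructed for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical configuration class (Spring Security 5.x style).
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Stored credentials are hashed; the delegating encoder defaults to bcrypt
    // and prefixes each hash with its algorithm id ("{bcrypt}...").
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Constructed in-memory accounts for the example. A real deployment points the
    // same builder at LDAP, JDBC or a custom UserDetailsService instead.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = passwordEncoder();
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            .withUser("alice").password(encoder.encode("alice-demo-password")).roles("USER")
            .and()
            .withUser("bob").password(encoder.encode("bob-demo-password")).roles("USER", "AUDITOR")
            .and()
            .withUser("root").password(encoder.encode("root-demo-password")).roles("ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // URL authorization. Rules are evaluated top-down and the first match
            // wins, so specific paths must precede the deny-by-default catch-all.
            .authorizeRequests()
                .antMatchers("/", "/public/**", "/css/**").permitAll()          // Ant-style paths
                .regexMatchers("/reports/[0-9]{4}/summary").hasRole("AUDITOR")   // regular expression
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()                                    // everything else needs a login
                .and()
            // Web form authentication; the login page itself must be reachable anonymously.
            .formLogin()
                .loginPage("/login").permitAll()
                .and()
            // Basic access authentication for non-browser clients.
            .httpBasic()
                .and()
            // "Remember-me" cookie. The key signs the cookie and is a deployment
            // secret; the value here is a placeholder.
            .rememberMe()
                .key("REPLACE-WITH-PER-DEPLOYMENT-SECRET")
                .and()
            // Concurrent session control: a second login by the same principal
            // expires the earlier session.
            .sessionManagement()
                .maximumSessions(1)
                .and()
                .and()
            // Channel security: plain HTTP requests are redirected to HTTPS.
            .requiresChannel()
                .anyRequest().requiresSecure()
                .and()
            // Anonymous authentication: unauthenticated callers still carry a
            // principal (ROLE_ANONYMOUS), so the permitAll rules above are
            // evaluated the same way as every other rule.
            .anonymous();
    }
}
```

Two details worth checking in any such configuration: the order of the matcher rules, since a broad `permitAll` placed above a narrower `hasRole` silently wins, and the `rememberMe().key(...)` value, which must be unique per deployment because anyone who knows it can forge the cookie. In Spring Security 6 the same rules are written with `requestMatchers(...)` on a `SecurityFilterChain` bean rather than `antMatchers`/`regexMatchers` on a `WebSecurityConfigurerAdapter`.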
Instance-based security features
*Used for specifying access control lists applicable to domain objects.
*Spring Security offers a repository for storing, retrieving, and modifying ACLs in a database.
*Authorization features are provided to enforce policies before and after method invocations.
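The following is an added example, not code from this article or from the Spring Security project, illustrating the "before and after method invocation" authorization described above together with the per-object (instance-based) decisions that ACLs are used for. It assumes the Spring Security 5.x annotation API (@EnableGlobalMethodSecurity with @PreAuthorize, @PostAuthorize and @PostFilter); the Invoice domain object, the InvoiceStore stand-in, the service class and the roles are constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.stereotype.Service;

// Enables the before/after method interceptors behind @PreAuthorize,
// @PostAuthorize and @PostFilter (Spring Security 5.x; 6.x names this @EnableMethodSecurity).
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig {
}

// Hypothetical domain object; its owner is the only security-relevant attribute.
class Invoice {
    private final long id;
    private final String owner;

    Invoice(long id, String owner) {
        this.id = id;
        this.owner = owner;
    }

    public long getId() { return id; }
    public String getOwner() { return owner; }
}

// Hypothetical repository stand-in holding constructed sample data.
class InvoiceStore {
    private static final List<Invoice> ALL = List.of(
        new Invoice(1, "alice"), new Invoice(2, "bob"), new Invoice(3, "alice"));

    static Invoice find(long id) {
        return ALL.stream().filter(i -> i.getId() == id).findFirst().orElse(null);
    }

    static List<Invoice> all() { return ALL; }
}

@Service
public class InvoiceService {

    // Before the call: only finance staff may create invoices. For anyone else the
    // body never runs; an AccessDeniedException is thrown by the interceptor.
    @PreAuthorize("hasRole('FINANCE')")
    public Invoice create(String owner) {
        return new Invoice(System.nanoTime(), owner);
    }

    // Before the call, checking a method argument against the caller's identity:
    // a user may list only their own invoices unless they are an administrator.
    @PreAuthorize("#owner == authentication.name or hasRole('ADMIN')")
    public List<Invoice> listFor(String owner) {
        return InvoiceStore.all().stream()
            .filter(i -> owner.equals(i.getOwner()))
            .collect(Collectors.toList());
    }

    // After the call: ownership is only known once the object has been loaded,
    // so the decision is made on the returned instance. The null guard matters
    // because evaluating returnObject.owner on null would fail the expression.
    @PostAuthorize("returnObject == null or returnObject.owner == authentication.name or hasRole('ADMIN')")
    public Invoice findById(long id) {
        return InvoiceStore.find(id);
    }

    // After the call, per element: rows the caller does not own are removed from
    // the returned collection rather than failing the whole request. The list
    // must be mutable, because @PostFilter removes elements in place.
    @PostFilter("filterObject.owner == authentication.name or hasRole('ADMIN')")
    public List<Invoice> listAll() {
        return new ArrayList<>(InvoiceStore.all());
    }
}
```

These annotations are enforced by a Spring proxy around the bean, so they apply only to calls that go through the proxy: a method calling another annotated method on `this` bypasses the checks, which is the usual way such a policy is accidentally defeated.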
Other features
*Software localization so user interface messages can be in any language.
*Channel security, to automatically switch between HTTP and HTTPS upon meeting particular rules.
*Caching in all database-touching areas of the framework.
*Publishing of messages to facilitate event-driven programming.
*Support for performing integration testing via JUnit.
*Spring Security itself has comprehensive JUnit isolation tests.
*Several sample applications, detailed JavaDocs and a reference guide.
*Web framework independence.
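The following added example (not from this article or from the Spring Security project) shows a consumer of the event publishing listed above: a listener that receives the framework's authentication success and failure events and turns them into audit log lines, counting consecutive failures per principal so that repeated bad logins stand out. It assumes Spring Security 5.x event classes (AbstractAuthenticationFailureEvent, AuthenticationSuccessEvent); the listener class, the threshold and the log format are constructed for the example.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.logging.Logger;
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.stereotype.Component;

// Hypothetical audit listener; Spring delivers each published security event to
// the @EventListener method whose parameter type matches.
@Component
public class AuthenticationAuditListener {

    private static final Logger LOG = Logger.getLogger(AuthenticationAuditListener.class.getName());

    // Hypothetical threshold: consecutive failures for one principal before an alert.
    static final int FAILURE_ALERT_THRESHOLD = 5;

    private final Map<String, AtomicInteger> failuresByPrincipal = new ConcurrentHashMap<>();

    // Covers BadCredentials, Locked, Disabled, Expired and the other failure
    // subclasses; the exception type records the reason without echoing the
    // submitted secret.
    @EventListener
    public void onFailure(AbstractAuthenticationFailureEvent event) {
        String principal = event.getAuthentication().getName();
        int count = failuresByPrincipal
            .computeIfAbsent(principal, k -> new AtomicInteger())
            .incrementAndGet();
        LOG.warning(String.format("auth failure principal=%s reason=%s consecutive=%d",
            principal, event.getException().getClass().getSimpleName(), count));
        if (count == FAILURE_ALERT_THRESHOLD) {
            LOG.severe(String.format("repeated authentication failures for principal=%s", principal));
        }
    }

    // A success resets the counter, so the threshold measures a run of failures
    // rather than the lifetime total.
    @EventListener
    public void onSuccess(AuthenticationSuccessEvent event) {
        String principal = event.getAuthentication().getName();
        failuresByPrincipal.remove(principal);
        LOG.info("auth success principal=" + principal);
    }
}
```

These events are only raised when an AuthenticationEventPublisher is wired into the authentication manager; Spring Boot registers a DefaultAuthenticationEventPublisher automatically, while a plain Spring application has to declare one as a bean. The in-memory counter is per JVM, so behind a load balancer a per-node count is what each instance sees.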
Releases
*2.0.0 (April 2008)
*3.0.0 (December 2009)
*3.1.0 (December 7, 2011)
*3.1.2 (August 10, 2012)
*3.2.0 (December 16, 2013)
*4.0.0 (March 26, 2015)
*4.1.3 (August 24, 2016)
*4.2.0 (November 10, 2016)
*3.2.10, 4.1.4, 4.2.1 (December 22, 2016)
*4.2.2 (March 2, 2017)
*4.2.3 (June 8, 2017)
*5.0.0 (November 28, 2017)
*5.0.8, 4.2.8 (September 11, 2018)
*5.1.0 GA (September 27, 2018)
*5.1.1, 5.0.9, 4.2.9 (October 16, 2018)
*5.1.2, 5.0.10, 4.2.10 (November 29, 2018)
*5.1.3, 5.0.11, 4.2.11 (January 11, 2019)
*5.1.4 (February 14, 2019)
*5.1.5, 5.0.12, 4.2.12 (April 3, 2019)