Spring Framework - Security
SPRING FRAMEWORK
Dmitry Noskov
Spring Security 3.0
Application security
Security is arguably one of the most critical
architectural components of any application written
in the 21st century
Spring Framework - Security
Dmitry Noskov
What is Spring Security
a powerful and highly customizable authentication
and access-control framework
build on top of Spring Framework
de-facto standard for securing Spring-based
applications
Spring Framework - Security
Dmitry Noskov
Fundamentals (1)
principal
authentication
user that performs the action
confirming truth of credentials
authorization
define access policy for principal
Spring Framework - Security
Dmitry Noskov
Fundamentals (2)
Authentication
GrantedAuthority
application-wide permissions granted to a principal
SecurityContext
the principal in a Spring Security-specific manner
hold the Authentication and other security information
SecurityContextHolder
provide access to SecurityContext
Spring Framework - Security
Dmitry Noskov
SecurityContextHolder
provide access to SecurityContext
strategies
ThreadLocal
InreritableThreadLocal
Global
Spring Framework - Security
Dmitry Noskov
Getting started
SecurityContext context = SecurityContextHolder.getContext();
Object principal = context.getAuthentication().getPrincipal();
if (principal instanceof UserDetails) {
String username = ((UserDetails)principal).getUsername();
} else {
String username = principal.toString();
}
Spring Framework - Security
Dmitry Noskov
Use case
Spring Framework - Security
Dmitry Noskov
Namespace
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema
/beans
http://www.springframework.org/schema/
beans/spring-beans-3.0.xsd
http://www.springframework.org/schema
/security
http://www.springframework.org/schema
/security/spring-security-3.0.xsd">
Spring Framework - Security
Dmitry Noskov
Filters
Spring Framework - Security
Dmitry Noskov
Security filter
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Spring Framework - Security
Dmitry Noskov
Filter chain
Spring Framework - Security
Dmitry Noskov
Filter chain (2)
<bean id="springSecurityFilterChain"
class="org.springframework.security.web.FilterChainProxy">
<sec:filter-chain-map path-type="ant">
<sec:filter-chain pattern="/login.do*" filters="none"/>
<sec:filter-chain pattern="/**.do*"
filters="
securityContextPersistenceFilter,
logoutFilter,
usernamePasswordAuthenticationFilter,
rememberMeAuthenticationFilter,
exceptionTranslationFilter,
filterSecurityInterceptor" />
</sec:filter-chain-map>
</bean>
Spring Framework - Security
Dmitry Noskov
Basic filters
Filter
Description
ChannelProcessingFilter
ensures that a request is being sent over HTTP or HTTPS
SecurityContextPersistentFilter
Populates the security context using information obtained from the
repository (http session)
LogoutFilter
Used to log a user out of the application
UsernamePasswordAuthenticationFilter
Accepts the users principal and credentials and attempts to
authenticate the user
BasicAuthenticationFilter
Attempts to authenticate a user by processing an HTTP Basic
authentication
ExceptionTranslationFilter
Handles any AccessDeniedException or
AuthenticationException
FilterSecurityInterceptor
Decides whether or not to allow access to a secured resource
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/nsconfig.html#ns-custom-filters
Spring Framework - Security
Dmitry Noskov
Authentication
Spring Framework - Security
Dmitry Noskov
Authentication variants
credential-based
two-factor
hardware
other
Spring Framework - Security
Dmitry Noskov
Authentication mechanisms
basic
form
x.509
JAAS
etc.
Spring Framework - Security
Dmitry Noskov
Authentication storage
RDMBS
LDAP
custom storage
etc.
Spring Framework - Security
Dmitry Noskov
Fundamentals
Filter
Manager
Provider
Authentication
UserDetails
Spring Framework - Security
Dmitry Noskov
HTML form
<form action="j_spring_security_check" method="post">
<span>Login:</span><input name="login" type="text"/>
<span>Password:</span><input name="password" type="password"/>
<input type="submit" value="Login">
</form>
Spring Framework - Security
Dmitry Noskov
Username-password filter
<bean id="..." class="...security.web.authentication.UsernamePasswordAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="filterProcessesUrl" value="/j_spring_security_check"/>
<property name="usernameParameter" value="login"/>
<property name="passwordParameter" value="password"/>
<property name="authenticationSuccessHandler">
<bean class="...security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/index.do"/>
</bean>
</property>
<property name="authenticationFailureHandler">
<bean class="...security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/login.do"/>
</bean>
</property>
<property name="rememberMeServices" ref="rememberMeService"/>
</bean>
Spring Framework - Security
Dmitry Noskov
Core authentication services
AuthenticationManager
AuthenticationProvider
performs authentication
UserDetailsService
handles authentication requests
responsible for returning an UserDetails object
UerDetails
provides the core user information
Spring Framework - Security
Dmitry Noskov
AuthenticationManager
public interface AuthenticationManager {
/* Attempts to authenticate the passed Authentication object,
* returning a fully populated Authentication object (including
* granted authorities) if successful.
* @param authentication the authentication request object
* @return a fully authenticated object including credentials
* @throws AuthenticationException if authentication fails */
Authentication authenticate(Authentication authentication)
throws AuthenticationException;
}
Spring Framework - Security
Dmitry Noskov
AuthenticationProvider
public interface AuthenticationProvider {
/* Performs authentication.
* @param authentication the authentication request object.
* @return a fully authenticated object including credentials.
* @throws AuthenticationException if authentication fails.*/
Authentication authenticate(Authentication authentication)
throws AuthenticationException;
/*Returns true if this provider supports the indicated
*Authentication object.*/
boolean supports(Class<? extends Object> authentication);
}
Spring Framework - Security
Dmitry Noskov
UserDetailsService
/*Core interface which loads user-specific data.*/
public interface UserDetailsService {
/* Locates the user based on the username.
* @param username the username identifying the user
* @return a fully populated user record (never null)
* @throws UsernameNotFoundException if the user could not be
found or the user has no GrantedAuthority
* @throws DataAccessException if user could not be found for a
repository-specific reason*/
UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException, DataAccessException;
}
Spring Framework - Security
Dmitry Noskov
UserDetails
/* Provides core user information.*/
public interface UserDetails extends Serializable {
Collection<GrantedAuthority> getAuthorities();
String getPassword();
String getUsername();
boolean isAccountNonExpired();
boolean isAccountNonLocked();
boolean isCredentialsNonExpired();
boolean isEnabled();
}
Spring Framework - Security
Dmitry Noskov
Authentication manager
<bean id="..." class="...security.authentication.ProviderManager">
<property name="providers">
<list>
<ref local="casAuthenticationProvider"/>
<ref local="daoAuthenticationProvider"/>
<ref local="ldapAuthenticationProvider"/>
</list>
</property>
</bean>
Spring Framework - Security
Dmitry Noskov
Authentication provider
<bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsService"/>
<property name="saltSource" ref bean="saltSource"/>
<property name="passwordEncoder" ref="passwordEncoder"/>
</bean>
<bean id="userDetailsService"
class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
<property name="dataSource" ref="dataSource"/>
</bean>
Spring Framework - Security
Dmitry Noskov
Authentication DB schema
Spring Framework - Security
Dmitry Noskov
Password encoding
PasswordEncoder
MD5
SHA
SaltSource
SystemWide
reflection
Spring Framework - Security
Dmitry Noskov
Session management
<bean id="sessionManagementFilter"
class="org.springframework.security.web.session.SessionManagementFilter">
<property name="invalidSessionUrl" value="/timeout.do"/>
<property name="sessionAuthenticationStrategy" ref="strategy"/>
</bean>
<bean id="strategy"
class="SessionFixationProtectionStrategy">
<property name="alwaysCreateSession" value="true"/>
<property name="migrateSessionAttributes" value="true"/>
</bean>
Spring Framework - Security
Dmitry Noskov
Logout
<bean id="logoutFilter"
class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg>
<bean class="SimpleUrlLogoutSuccessHandler">
<property name="defaultTargetUrl" value="/login"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="SecurityContextLogoutHandler"/>
</constructor-arg>
<property name="filterProcessesUrl" value="/logout"/>
</bean>
Spring Framework - Security
Dmitry Noskov
Remember Me authentication
RememberMeAuthenticationFilter
RememberMeServices
RememberMeAuthenticationProvider
Spring Framework - Security
Dmitry Noskov
RememberMe service
public interface RememberMeServices {
Authentication autoLogin(HttpServletRequest request,
HttpServletResponse response);
void loginFail(HttpServletRequest request,
HttpServletResponse response);
void loginSuccess(HttpServletRequest request,
HttpServletResponse response,
Authentication successfulAuthentication);
}
Spring Framework - Security
Dmitry Noskov
Remember Me shema
Spring Framework - Security
Dmitry Noskov
Anonymous authentication
<bean id="anonymousAuthenticationFilter"
class="...web.authentication.AnonymousAuthenticationFilter">
<property name="key" value="foobar"/>
<property name="userAttribute" value="anonymous,ROLE_ANONYMOUS"/>
</bean>
<bean id="anonymousAuthenticationProvider"
class="...authentication.AnonymousAuthenticationProvider">
<property name="key" value="foobar"/>
</bean>
Spring Framework - Security
Dmitry Noskov
Authentication with magic tags
<sec:http auto-config="true">
<sec:form-login login-page="" login-processing-url=""/>
<sec:anonymous enabled="true"/>
<sec:logout invalidate-session="true" logout-url=""/>
<sec:remember-me services-ref=""/>
</sec:http>
Spring Framework - Security
Dmitry Noskov
Authorization
Spring Framework - Security
Dmitry Noskov
Use case
Spring Framework - Security
Dmitry Noskov
Authorization
handling
pre-invocation
after invocation
implementations
voting based
expression based
Spring Framework - Security
Dmitry Noskov
Security layers
WEB (URLs)
Servlet Filter
methods
Spring AOP
AspectJ
content
JSP tag
Spring Framework - Security
Dmitry Noskov
Security interceptor (1)
Spring Framework - Security
Dmitry Noskov
Security interceptor (2)
Security
Interceptor
Authentication
Manager
Access Decision
Manager
Run-As
Manager
Spring Framework - Security
After-Invocation
Manager
Dmitry Noskov
Voting based
DecisionManager
DecisionVoter
ConfigAttribute
Spring Framework - Security
Dmitry Noskov
Decision managers
Decision manager
Description
AffirmativeBased
Allows access if at least one voter votes to grant access
ConsensusBased
Allows access if a consensus of voters vote to grant access
UnanimousBased
Allows access if all voters vote to grant access
Spring Framework - Security
Dmitry Noskov
Decision voter
public interface AccessDecisionVoter {
int ACCESS_GRANTED = 1;
int ACCESS_ABSTAIN = 0;
int ACCESS_DENIED = -1;
boolean supports(ConfigAttribute attribute);
boolean supports(Class<?> clazz);
int vote(Authentication authentication,
Object object,
Collection<ConfigAttribute> attributes);
}
Spring Framework - Security
Dmitry Noskov
Basic expressions
Expression
Description
hasRole(ROLE_USER)
Returns true if the current principal has the specified role
hasAnyRole(ROLE_USER, ROLE_ADMIN)
Returns true if the current principal has any of the roles
principal
Allows direct access to the principal object representing
the current user
authentication
Allows direct access to the current Authentication object
obtained from the SecurityContext
permitAll
Always evaluates to true
denyAll
Always evaluates to false
isAnonymous()
Returns true if the current principal is an anonymous user
isRememberMe()
Returns true if the current principal is a remember-me user
Spring Framework - Security
Dmitry Noskov
WEB authorization
Spring Framework - Security
Dmitry Noskov
Web authorization
<bean id="..." class="web.access.intercept.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authManager"/>
<property name="accessDecisionManager" ref="decisionManager"/>
<property name="securityMetadataSource">
<sec:filter-security-metadata-source>
<sec:intercept-url pattern="/index.do*"
access="IS_AUTHENTICATED_FULLY"/>
<sec:intercept-url pattern="/**"
access="ROLE_USER"
filters="none"
method="GET"
requires-channel="https"/>
</sec:filter-security-metadata-source>
</property>
</bean>
Spring Framework - Security
Dmitry Noskov
WEB authorization with magic tags
<sec:http use-expressions="true">
<sec:intercept-url pattern="/index*"
access="isAuthenticated()"/>
<sec:intercept-url pattern="/**"
access="hasRole('ROLE_USER')"
filters="none"
method="GET"
requires-channel="https"/>
</sec:http>
Spring Framework - Security
Dmitry Noskov
WEB authorization
<bean id="webExpressionHandler"
class="DefaultWebSecurityExpressionHandler"/>
<bean id="webExpressionVoter" class="WebExpressionVoter">
<property name="expressionHandler" ref="webExpressionHandler"/>
</bean>
<bean class="org.springframework.security.access.vote.AffirmativeBased">
<property name="decisionVoters">
<list>
<ref bean="webExpressionVoter"/>
</list>
</property>
</bean>
Spring Framework - Security
Dmitry Noskov
Custom expression root
public class CustomWebSecurityExpressionRoot
extends WebSecurityExpressionRoot {
public CustomWebSecurityExpressionRoot(Authentication a,
FilterInvocation fi) {
super(a, fi);
}
public boolean hasAllRoles(String... roles) {
return false;
}
}
Spring Framework - Security
Dmitry Noskov
Custom expression handler
public class CustomWebSecurityExpressionHandler
extends DefaultWebSecurityExpressionHandler {
@Override
public EvaluationContext createEvaluationContext(Authentication a,
FilterInvocation fi) {
StandardEvaluationContext ctx =
(StandardEvaluationContext)super.createEvaluationContext(a, fi);
SecurityExpressionRoot root =
new CustomWebSecurityExpressionRoot(a, fi);
ctx.setRootObject(root);
return ctx;
}
}
Spring Framework - Security
Dmitry Noskov
Method authorization
Spring Framework - Security
Dmitry Noskov
Method authorization
annotation driven
voting based - @Secured
expression based - @Pre/@Post
JSR-250 - @RolesAllowed
xml driven
Spring Framework - Security
Dmitry Noskov
Configuration
<sec:global-method-security>
access-decision-manager-ref="accessDecisionManager"
jsr250-annotations="disabled"
pre-post-annotations="disabled"
secured-annotations="enabled"
</sec:global-method-security>
Spring Framework - Security
Dmitry Noskov
Annotation driven (voting)
voting
@Secured({"ROLE_USER"})
void create(Customer customer);
jsr-250
@RolesAllowed({"ROLE_USER"})
void create(Customer customer);
Spring Framework - Security
Dmitry Noskov
Annotation driven (expression)
1
@PreAuthorize("hasRole('ROLE_USER')")
void create(Customer customer);
2
@PreAuthorize("hasRole('ROLE_USER') and hasRole('ROLE_ADMIN')")
void create(Customer customer);
3
@PreAuthorize("hasAnyRole('ROLE_USER', 'ROLE_ADMIN')")
void create(Customer customer);
Spring Framework - Security
Dmitry Noskov
XML driven authorization (1)
<bean id="methodInterceptor" class="MethodSecurityInterceptor">
<property name="authenticationManager" ref="authManager"/>
<property name="accessDecisionManager" ref="decisionManager"/>
<property name="securityMetadataSource">
<value>
org.training.AccountService.createAccount=ROLE_USER
org.training.AccountService.delete*=ROLE_ADMIN
</value>
</property>
</bean>
Spring Framework - Security
Dmitry Noskov
XML driven authorization (2)
<bean id="accountService"
class="org.training.AccountServiceImpl">
<sec:intercept-methods>
<sec:protect access="ROLE_USER" method="createAccount"/>
<sec:protect access="ROLE_ADMIN" method="delete*"/>
</sec:intercept-methods>
</bean>
Spring Framework - Security
Dmitry Noskov
Domain Object Security
Spring Framework - Security
Dmitry Noskov
ACL DB scheme
Spring Framework - Security
Dmitry Noskov
ACL_CLASS
ACL_SID
ACL_OBJECT_IDENTITY
ACL_ENTRY
Spring Framework - Security
Dmitry Noskov
Basic classes
Acl
AccessControlEntry
Permission
Sid
ObjectIdentity
represents the identity of an individual domain object
Spring Framework - Security
Dmitry Noskov
Basic ACL services
AclService
MutableAclService
LookupStrategy
ObjectIdentityRetrievalStrategy
SidRetrievalStrategy
Spring Framework - Security
Dmitry Noskov
Permissions
base permissions
read (1)
write (2)
create (4)
delete (8)
administration (16)
custom permissions
Spring Framework - Security
Dmitry Noskov
Spring Framework - Security
Dmitry Noskov
Configuration (voting)
<sec:global-method-security
access-decision-manager-ref="accessDecisionManager"
secured-annotations="enabled">
</sec:global-method-security>
<bean id="accessDecisionManager" class="AffirmativeBased">
<property name="decisionVoters">
<list>
<ref bean="voter1"/>
<ref bean="voter2"/>
</list>
</property>
</bean>
Spring Framework - Security
Dmitry Noskov
@Secured
annotation
@Secured("ACL_CUSTOMER_READ")
public Customer getProjectsByCustomer(Customer customer) {}
voter
<bean id="customerReadVoter" class="AclEntryVoter">
<constructor-arg ref="aclService"/>
<constructor-arg value="ACL_CUSTOMER_READ"/>
<constructor-arg>
<array>
<util:constant static-field="BasePermission.READ"/>
</array>
</constructor-arg>
<property name="processDomainObjectClass" value="Customer"/>
</bean>
Spring Framework - Security
Dmitry Noskov
Configuration (expressions)
<sec:global-method-security pre-post-annotations="enabled">
<sec:expression-handler ref="expressionHandler"/>
</sec:global-method-security>
<bean id="expressionHandler"
class="DefaultMethodSecurityExpressionHandler">
<property name="permissionEvaluator" ref="permissionEvaluator"/>
</bean>
<bean id="permissionEvaluator" class="AclPermissionEvaluator">
<constructor-arg ref="aclService"/>
</bean>
Spring Framework - Security
Dmitry Noskov
Permission evaluator
public interface PermissionEvaluator {
boolean hasPermission(Authentication authentication,
Object targetDomainObject,
Object permission);
boolean hasPermission(Authentication authentication,
Serializable targetId,
String targetType,
Object permission);
}
Spring Framework - Security
Dmitry Noskov
@PreAuthorize
by domain object
@PreAuthorize("hasPermission(#customer, 'delete')")
public void delete(Customer customer);
by identifier
@PreAuthorize(
"hasPermission(#id, 'org.training.Customer', 'read') or " +
"hasPermission(#id, 'org.training.Customer', 'admin')")
public Customer getById(Long id);
hardcode
@PreAuthorize("#customer.owner.id == principal.id")
public void create(Customer customer);
Spring Framework - Security
Dmitry Noskov
@PreFilter
single parameter
@PreFilter("hasPermission(filterObject, 'read')")
public List<Customer> filterCustomers(List<Customer> customers) {
return customers;
}
multiple parameters
@PreFilter(filterTarget = "customers",
value = "hasPermission(filterObject, 'update')")
public void updateCustomers(List<Customer> customers, State st) {
}
Spring Framework - Security
Dmitry Noskov
Additional features
Spring Framework - Security
Dmitry Noskov
RunAsManager
/*Creates a new temporary Authentication object.*/
public interface RunAsManager {
/ *Returns a replacement Authentication object for the current
*secure object, or null if replacement not required*/
Authentication buildRunAs(Authentication authentication,
Object object,
Collection<ConfigAttribute> attr);
boolean supports(ConfigAttribute attribute);
boolean supports(Class<?> clazz);
}
Spring Framework - Security
Dmitry Noskov
RunAs configuration (1)
<bean id="runAsManager" class="RunAsManagerImpl">
<property name="rolePrefix" value="ROLE_"/>
<property name="key" value="someKey"/>
</bean>
<bean class="RunAsImplAuthenticationProvider">
<property name="key" value="someKey"/>
</bean>
Spring Framework - Security
Dmitry Noskov
RunAs configuration (2)
magic tag
<sec:global-method-security run-as-manager-ref="runAsManager">
</sec:global-method-security>
interceptor bean
<bean class="MethodSecurityInterceptor">
<property name="runAsManager" ref="runAsManager"/>
</bean>
Spring Framework - Security
Dmitry Noskov
After invocation
Spring Framework - Security
Dmitry Noskov
Basic services
public interface AfterInvocationManager {
Object decide(Authentication authentication, Object object,
Collection<ConfigAttribute> attributes,
Object returnedObject) throws AccessDeniedException;
boolean supports(ConfigAttribute attribute);
boolean supports(Class<?> clazz);
}
public interface AfterInvocationProvider {
Object decide(Authentication authentication, Object object,
Collection<ConfigAttribute> attributes,
Object returnedObject) throws AccessDeniedException;
boolean supports(ConfigAttribute attribute);
boolean supports(Class<?> clazz);
}
Spring Framework - Security
Dmitry Noskov
Configuration
custom provider
<sec:global-method-security>
<sec:after-invocation-provider ref="myProvider"/>
</sec:global-method-security>
custom manager
<bean class="MethodSecurityInterceptor">
<property name="afterInvocationManager" ref="myManager"/>
</bean>
Spring Framework - Security
Dmitry Noskov
@Post
@PostAuthorize
@PreAuthorize("hasRole('ROLE_USER')")
@PostAuthorize("hasPermission(returnObject, 'read')")
public Employee getEmployeeByName(String name) {
}
@PostFilter
@PreAuthorize("hasRole('ROLE_USER')")
@PostFilter("hasPermission(filterObject, 'read')")
public List<Employee> getEmployees() {
}
Spring Framework - Security
Dmitry Noskov
JSP tag library
Spring Framework - Security
Dmitry Noskov
Authentication
<%@ taglib prefix="sec"
uri="http://www.springframework.org/security/tags" %>
<sec:authentication property="principal" var="user"/>
<div class="links"><div>Logged in: ${user.name}</div></div>
<div class="links">
<div><sec:authentication property="principal.name"/></div>
</div>
Spring Framework - Security
Dmitry Noskov
Authorize (1)
<%@ taglib prefix="sec"
uri="http://www.springframework.org/security/tags" %>
<sec:authorize ifAllGranted="ROLE_ADMIN, ROLE_SUPERVISOR">
</sec:authorize>
<security:authorize ifAnyGranted="ROLE_ADMIN, ROLE_SUPERVISOR">
</security:authorize>
<security:authorize ifNotGranted="ROLE_ADMIN, ROLE_SUPERVISOR">
</security:authorize>
Spring Framework - Security
Dmitry Noskov
Authorize (2)
<%@ taglib prefix="sec"
uri="http://www.springframework.org/security/tags" %>
<sec:authorize access="hasRole('supervisor')">
This content will only be visible to users who have
the "supervisor" authority in their list of
<tt>GrantedAuthority</tt>s.
</sec:authorize>
Spring Framework - Security
Dmitry Noskov
Authorize (3)
JSP
<sec:authorize url="/admin" >
This content will only be visible to users who are authorized
to send requests to the "/admin" URL.
</sec:authorize>
security interceptor
<bean id="..." class="web.access.intercept.FilterSecurityInterceptor">
<property name="securityMetadataSource">
<sec:filter-security-metadata-source>
<sec:intercept-url pattern="/admin*" access="ROLE_ADMIN"/>
</sec:filter-security-metadata-source>
</property>
</bean>
Spring Framework - Security
Dmitry Noskov
ACL
<%@ taglib prefix="sec"
uri="http://www.springframework.org/security/tags" %>
<sec:accesscontrollist hasPermission="1,2" domainObject="object">
This will be shown if the user has either of the permissions
represented by the values "1" or "2" on the given object.
</sec:accesscontrollist>
Spring Framework - Security
Dmitry Noskov
Summary
Spring Framework - Security
Dmitry Noskov
Separation of concerns
business logic is decoupled from security concern
authentication and authorization are decoupled
Spring Framework - Security
Dmitry Noskov
Flexibility
authentication mechanisms
user data storage
basic, form, cookies, SSO
RDBMS, LDAP, etc.
based on Spring
Spring Framework - Security
Dmitry Noskov
Portability
portable across containers
can be deployed as-is
runs in standalone environment
Spring Framework - Security
Dmitry Noskov
Books
Spring Framework - Security
Dmitry Noskov
Links
main features
http://static.springsource.org/spring-security/site/features.html
articles
http://static.springsource.org/spring-security/site/articles.html
reference
http://static.springsource.org/springsecurity/site/docs/3.0.x/reference/springsecurity.html
blog
http://blog.springsource.com/category/security/
refcardz
http://refcardz.dzone.com/refcardz/expression-basedauthorization
Spring Framework - Security
Dmitry Noskov
Questions
Spring Framework - Core
Dmitry Noskov
The end
http://www.linkedin.com/in/noskovd
http://www.slideshare.net/analizator/presentations