
Spring Security introduction: what is Spring Security?

Spring Security notes (1): what is Spring Security?

Spring Security provides comprehensive security services for Java EE-based enterprise software applications. There is a particular emphasis on supporting projects built using The Spring Framework, which is the leading Java EE solution for enterprise software development. If you’re not using Spring for developing enterprise applications, we warmly encourage you to take a closer look at it. Some familiarity with Spring - and in particular dependency injection principles - will help you get up to speed with Spring Security more easily.

People use Spring Security for many reasons, but most are drawn to the project after finding the security features of Java EE’s Servlet Specification or EJB Specification lack the depth required for typical enterprise application scenarios. Whilst mentioning these standards, it’s important to recognise that they are not portable at a WAR or EAR level. Therefore, if you switch server environments, it is typically a lot of work to reconfigure your application’s security in the new target environment. Using Spring Security overcomes these problems, and also brings you dozens of other useful, customisable security features.

As you probably know two major areas of application security are “authentication” and “authorization” (or “access-control”). These are the two main areas that Spring Security targets. “Authentication” is the process of establishing a principal is who they claim to be (a “principal” generally means a user, device or some other system which can perform an action in your application). “Authorization” refers to the process of deciding whether a principal is allowed to perform an action within your application. To arrive at the point where an authorization decision is needed, the identity of the principal has already been established by the authentication process. These concepts are common, and not at all specific to Spring Security.

At an authentication level, Spring Security supports a wide range of authentication models. Most of these authentication models are either provided by third parties, or are developed by relevant standards bodies such as the Internet Engineering Task Force. In addition, Spring Security provides its own set of authentication features. Specifically, Spring Security currently supports authentication integration with all of these technologies:

  • HTTP BASIC authentication headers (an IETF RFC-based standard)
  • HTTP Digest authentication headers (an IETF RFC-based standard)
  • HTTP X.509 client certificate exchange (an IETF RFC-based standard)
  • LDAP (a very common approach to cross-platform authentication needs, especially in large environments)
  • Form-based authentication (for simple user interface needs)
  • OpenID authentication
  • Authentication based on pre-established request headers (such as Computer Associates Siteminder)
  • JA-SIG Central Authentication Service (otherwise known as CAS, which is a popular open source single sign-on system)
  • Transparent authentication context propagation for Remote Method Invocation (RMI) and HttpInvoker (a Spring remoting protocol)
  • Automatic “remember-me” authentication (so you can tick a box to avoid re-authentication for a predetermined period of time)
  • Anonymous authentication (allowing every unauthenticated call to automatically assume a particular security identity)
  • Run-as authentication (which is useful if one call should proceed with a different security identity)
  • Java Authentication and Authorization Service (JAAS)
  • JEE container authentication (so you can still use Container Managed Authentication if desired)
  • Kerberos
  • Java Open Source Single Sign On (JOSSO) *
  • OpenNMS Network Management Platform *
  • AppFuse *
  • AndroMDA *
  • Mule ESB *
  • Direct Web Request (DWR) *
  • Grails *
  • Tapestry *
  • JTrac *
  • Jasypt *
  • Roller *
  • Elastic Path *
  • Atlassian Crowd *
  • Your own authentication systems (see below)

Note:

From the above, Spring Security is a response to security problems that the plain Java EE specifications leave to the application, such as session hijacking (Spring Security ships session-fixation protection) and forged requests (it ships CSRF protection); it solves them by combining the authentication models listed above with its own checks. The work splits into two areas: authentication (establishing who the principal is) and authorization (deciding what that principal may access). For web applications both are implemented as a chain of servlet filters: each filter in the chain either authenticates the request, checks access, or passes the request on to the next filter.
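To make the two areas concrete, here is an added example (not code from the original post or from the Spring Security reference) of a Spring Security 6 Java configuration that wires several of the mechanisms listed above into one servlet filter chain: form login and HTTP Basic for authentication, remember-me and anonymous support, URL-based and method-level authorization, plus session-fixation protection. The user names, passwords, URL patterns, remember-me key and the AuditService class are all made up for illustration; it assumes a Spring Boot application with spring-boot-starter-security on the classpath.

```java
// Added example, not the page's or Spring Security's own code.
// Assumes Spring Security 6 via spring-boot-starter-security.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class SecurityConfig {

    // The bean is literally the filter chain the note above refers to: every
    // mechanism configured here becomes one servlet filter in that chain.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Authorization: which principals may reach which URLs.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/public/**", "/login").permitAll()   // hypothetical paths
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            // Authentication: form login for browsers, HTTP Basic for scripted clients.
            .formLogin(form -> form.loginPage("/login").permitAll())
            .httpBasic(Customizer.withDefaults())
            // "Tick a box" remember-me; the key is a made-up placeholder and must
            // be a long random secret kept out of source control in real use.
            .rememberMe(remember -> remember
                .key("change-me-to-a-long-random-secret")
                .tokenValiditySeconds(14 * 24 * 3600))
            // Anonymous authentication: unauthenticated calls still carry a principal.
            .anonymous(Customizer.withDefaults())
            // Session-fixation protection: a fresh session id is issued on login,
            // so a session id planted before authentication cannot be hijacked.
            .sessionManagement(session -> session
                .sessionFixation(fixation -> fixation.migrateSession()));
        // CSRF protection is enabled by default and deliberately left on.
        return http.build();
    }

    // Passwords are only ever stored hashed; BCrypt is Spring's recommended default.
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // In-memory user store standing in for LDAP, JDBC, etc. Users are made up.
    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails alice = User.withUsername("alice")
            .password(encoder.encode("alice-password"))
            .roles("USER")
            .build();
        UserDetails root = User.withUsername("root")
            .password(encoder.encode("root-password"))
            .roles("USER", "ADMIN")
            .build();
        return new InMemoryUserDetailsManager(alice, root);
    }
}

// Authorization can also be enforced at the method level, independent of the
// URL the call came in on. Hypothetical service class for illustration.
@Service
class AuditService {
    @PreAuthorize("hasRole('ADMIN')")
    public String exportAuditLog() {
        return "audit export";
    }
}
```

With this in place an unauthenticated browser request to /admin/reports is redirected to /login; once logged in, alice receives 403 there while root gets through; and exportAuditLog() throws AccessDeniedException for any caller without ROLE_ADMIN, whatever URL (or non-web entry point) invoked it. The order matters: the session-management, Basic, form-login, remember-me and anonymous filters populate the SecurityContext, and the authorization filter at the end of the chain decides from what they established.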