- High-Level Security Overview
- Motivations of Spring Security
- Portability
- Flexibility
- Extensibility
- Separation of Concerns
- Consistency
- Spring Security: the Big Picture
- Spring Security in a Web Environment
- Web Security Filter Configuration
- Configuration for web.xml
- Configuration for ApplicationContext
- Access Unsecured Resource Prior to Login
- Access Secured Resource Prior to Login
- Submit Login Request
- Access Resource With Required Role
- Access Resource Without Required Role
- Submit Logout Request
- The Filter Chain: Summary
- Configuring Web Authentication
- Configuring Web Authorization
- Using Spring Security's Tag Libraries
Security Concepts
- Principal
  - User, device or system that performs an action
- Authentication
  - Establishing that a principal's credentials are valid
- Authorization
  - Deciding if a principal is allowed to perform an action
Authentication
- There are many authentication mechanisms
  - e.g. basic, digest, form, X.509
- There are many storage options for credential and authority information
  - e.g. database, LDAP, in-memory (development)
Authorization
- Authorization depends on authentication
  - Before deciding if a user can perform an action, user identity must be established
- The decision process is often based on roles
  - ADMIN can cancel orders
  - MEMBER can place orders
  - GUEST can browse the catalog
Spring Security in a Web Environment
- Standard Servlet Filters are used for web application security tasks
  - Drive authentication
  - Enforce authorization
  - Manage logout
  - Maintain SecurityContext in HttpSession
  - and more
- A single proxy filter delegates to a chain of Spring-managed filters
  - Leverages dependency injection for flexibility
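The role model and filter-chain arrangement above, as an added example that is not from the original page: a Spring Security 6 Java configuration (the page's era used web.xml and XML application-context files; the Spring Boot style is shown here) declaring the SecurityFilterChain bean that the single springSecurityFilterChain proxy filter delegates to, with form login, logout and the ADMIN/MEMBER/GUEST rules. The URL patterns, usernames and passwords are assumptions.

```java
// Added example, not from the original page: one SecurityFilterChain bean
// implementing the ADMIN / MEMBER / GUEST rules listed above.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class CatalogSecurityConfig {

    // The proxy filter registered in the servlet container hands every request
    // to this chain; each filter drives authentication, authorization or logout.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // URL patterns are assumed for the example. Rules are matched in
                // declaration order, so the narrower cancel rule comes first.
                .requestMatchers("/catalog/**").permitAll()            // GUEST browses
                .requestMatchers("/orders/*/cancel").hasRole("ADMIN")  // ADMIN cancels
                .requestMatchers("/orders/**").hasRole("MEMBER")       // MEMBER orders
                .anyRequest().authenticated())
            // Unauthenticated access to a secured URL is redirected to the login page
            .formLogin(form -> form.loginPage("/login").permitAll())
            // Logout invalidates the session holding the SecurityContext
            .logout(logout -> logout.logoutUrl("/logout").logoutSuccessUrl("/catalog"));
        return http.build();
    }

    // In-memory credential store, suitable for development only; the {noop}
    // prefix tells the password encoder the value is stored unencoded.
    @Bean
    UserDetailsService users() {
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password("{noop}alice-pw").roles("MEMBER").build(),
            User.withUsername("admin").password("{noop}admin-pw").roles("ADMIN", "MEMBER").build());
    }
}
```

Because the first matching rule wins, swapping the two `/orders` lines would let any MEMBER cancel orders; checking matcher order is part of reviewing such a configuration.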