Spring Security
[ Security Reloaded ]
Topics
• What is security?
• Acquiring & integrating Spring Security
• HTTP BASIC authentication (Basic & Form Login/Logout options)
• Authorization
• Security Interceptors, Filters
• Authentication Manager & Provider, Authorization Manager & Provider
• Advanced concepts of integration
By: SAURABH SHARMA | http://javazone.techsharezone.com 2
What is security?
• Spring Security provides comprehensive security services for J2EE-based enterprise software applications. It is powerful, flexible and pluggable.
• Formerly known as “Acegi Security”.
• Authentication – Database, LDAP, CAS, OpenID, Pre-Authentication, custom, etc.
• Authorization – URL based, Method based (AOP)
• It is not a firewall, proxy server, intrusion detection system, OS security, JVM security, etc.
Major Operations
• Authentication (Prove who you say you are!) – the process of establishing a principal (a user, system, etc. that can perform an action in the application).
• Authorization (We know who you are, but are you allowed to access what you want?) – the process of deciding whether a principal is allowed to perform an action (access control -> admin, leader, member, contractor, anonymous, etc.). The authentication process establishes the identity of the principal, which is then used for the authorization decision.
Servlet Filters
Security Use Case
Spring Security Setup
• JARs
• Schema
Basic Architecture
Configuration 1
• WEB-INF/web.xml
The filter declared there proxies requests to a bean with ID “springSecurityFilterChain”.
Filter Proxy
FilterChainProxy (springSecurityFilterChain) Pseudocode
Unauthorized Request to a Protected Resource
Configuration 2
• WEB-INF/spring-security.xml
Ant Patterns
• Spring Security uses an “AntPathRequestMatcher” to determine whether a configured URL pattern matches the current request URL. The following rules are used when matching:
a. Query parameters are not included in the match.
b. The contextPath is not included in the match.
c. ? matches exactly one character.
d. * matches zero or more characters, but not the directory delimiter (/).
e. ** matches zero or more ‘directories’ in a path.
Ant patterns - Examples
• Ant pattern examples that assume a context path of /messages
Cont…
Cont..
• Be careful when using pattern matching
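As an added example (not from the slides), the five matching rules above and the “be careful when using pattern matching” caveat can be checked against Spring Security's own AntPathRequestMatcher. It assumes spring-security-web and spring-test (which provides MockHttpServletRequest) on the classpath and the javax.servlet API of the deck's era; the request paths, the /inbox and /admin patterns, and the helper names request, matches and check are constructed for illustration.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Added example: exercises the Ant matching rules against Spring Security's
// AntPathRequestMatcher. Paths, patterns and helper names are constructed here.
public class AntPatternRulesDemo {

    // Builds a request the way the servlet container presents it: the context
    // path, the servlet path and the query string are separate fields.
    static HttpServletRequest request(String contextPath, String servletPath, String query) {
        MockHttpServletRequest req = new MockHttpServletRequest("GET", contextPath + servletPath);
        req.setContextPath(contextPath);
        req.setServletPath(servletPath);
        req.setQueryString(query);
        return req;
    }

    // Matches a single Ant pattern against the request (case-sensitive, any method).
    static boolean matches(String pattern, HttpServletRequest req) {
        return new AntPathRequestMatcher(pattern).matches(req);
    }

    static void check(boolean expected, boolean actual, String what) {
        if (expected != actual) {
            throw new AssertionError(what + ": expected " + expected + " but got " + actual);
        }
    }

    public static void main(String[] args) {
        String ctx = "/messages";   // context path assumed by the slides' examples

        // (a) query parameters are ignored: /inbox?page=2 still matches /inbox
        check(true,  matches("/inbox", request(ctx, "/inbox", "page=2")), "rule a");
        // (b) the context path is not part of the match, so a pattern must not start with /messages
        check(false, matches("/messages/inbox", request(ctx, "/inbox", null)), "rule b (wrong)");
        check(true,  matches("/inbox", request(ctx, "/inbox", null)), "rule b (right)");
        // (c) ? matches exactly one character
        check(true,  matches("/inbox/?", request(ctx, "/inbox/7", null)), "rule c (one char)");
        check(false, matches("/inbox/?", request(ctx, "/inbox/42", null)), "rule c (two chars)");
        // (d) * matches zero or more characters but never crosses a "/"
        check(true,  matches("/inbox/*", request(ctx, "/inbox/42", null)), "rule d (same dir)");
        check(false, matches("/inbox/*", request(ctx, "/inbox/42/reply", null)), "rule d (subdir)");
        // (e) ** matches zero or more directories, including none at all
        check(true,  matches("/inbox/**", request(ctx, "/inbox", null)), "rule e (zero dirs)");
        check(true,  matches("/inbox/**", request(ctx, "/inbox/42/reply", null)), "rule e (two dirs)");
        // The caveat: /admin* only covers a single segment starting with "admin",
        // so anything under /admin/ is NOT matched by it; /admin/** is needed for that.
        check(false, matches("/admin*", request(ctx, "/admin/users", null)), "caveat (/admin*)");
        check(true,  matches("/admin/**", request(ctx, "/admin/users", null)), "caveat (/admin/**)");

        System.out.println("all Ant pattern checks passed");
    }
}
```

The last two checks are the reason for the slide's warning: a rule written as /admin* secures only URLs whose single path segment begins with admin, so resources under /admin/ stay unprotected unless a /admin/** rule is also present and is listed before any broader /** rule.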
Request login page
Authenticating via username & password