Spring Security – Main Features

idkbj 2010. 3. 29. 11:29

Formerly the Acegi Security System for Spring, Spring Security provides powerful and flexible security solutions for enterprise applications. It is a stable and mature product – Acegi Security 1.0.0 was released in May 2006 after more than two and a half years of use in large production software projects and adopted as an official Spring sub-project on its release.

Spring Security 2.0 and 3.0 build on Acegi Security's solid foundations, adding many new features. The framework provides a comprehensive set of authentication and access-control services for your applications.

  • Easy Configuration using Spring Dependency Injection: Spring Security supports a custom XML namespace (introduced in 2.0). You can now secure an application in 10 lines of XML, yet still retain the full power of using Spring's familiar dependency-injection container if you need it. You can reuse your Spring expertise, which should help Spring developers get up to speed quickly.

    Even though we use Spring to configure Spring Security, your application doesn't have to be Spring-based. Many people use Spring Security with web frameworks such as Struts, for example.

  • Non-Intrusive Setup: The entire security system can operate within a single web application using the provided filters. There is no need to make special changes or deploy libraries to your Servlet or EJB container.
  • Non-Invasive: Keeps your application objects free of security code, unless you specifically choose to interact with the security context.

  • Pluggable Architecture: Every critical aspect of the package has been modelled using high cohesion, loose coupling, interface-driven design principles. You can easily replace, customise or extend parts of the system.

  • Comprehensive Authorization Services
    • Powerful EL-Based Syntax: Spring Security 3.0 focuses on the use of expression-language as an alternative to the older voter-based mechanism. The latter is still fully supported. This allows security access rules to be easily defined in terms of the current invocation context without the use of custom code. Using this approach you can define your access constraints using multiple factors — user identity, time of day, authorities held, method being invoked, method arguments, specific properties on method arguments or any other syntax supported by Spring-EL.

    • HTTP Requests Authorization: No longer is it necessary to rely on web.xml security constraints. Spring Security allows securing of static URLs defined using a choice of regular expressions or Apache Ant paths, along with pluggable authentication, access-control and run-as replacement managers.

      Support is provided for RESTful web request authorization, which works well with Spring's @MVC model for building RESTful systems.

    • Service Layer Security: There are multiple options for enforcing access-controls at the service layer interfaces, where it really matters.

      • JSR-250 ("EJB 3") security annotations: delivering a standards-based model for role-based authorization metadata.

      • @Pre and @Post Invocation Annotations: Introduced in version 3.0, these link the expression-language syntax to specific methods in your service interfaces. Authorization and collection filtering are supported, and the system integrates fully with our ACL framework (see below).

      • AspectJ pointcut expression language support: allows developers to apply cross-cutting security logic across their Spring-managed objects.

    • Domain object instance security: In many applications it's desirable to define Access Control Lists (ACLs) for individual domain object instances. We provide a comprehensive ACL package with features including integer bit masking, permission inheritance (including blocking), an optimized JDBC-backed ACL repository, caching and a pluggable, interface-driven design.

  • Enterprise-wide single sign on using CAS 3: Spring Security integrates with JA-SIG's open source Central Authentication Service (CAS) which is used widely in higher education and the private sector. You no longer need every web application to have its own authentication database. Nor are you restricted to single sign on across a single web container. Advanced single sign on features like proxy support and forced refresh of logins are supported by both CAS and Spring Security. The CAS technical lead is a Spring Security committer and maintains the CAS integration.

  • OpenID Support: the web's emerging single sign-on standard (supported by Google, IBM, Sun, Yahoo and others) is also supported in Spring Security.

  • X.509 (Certificate) support: Spring Security can easily read client-side X.509 certificates for authenticating users.

  • LDAP Support: Do you have an LDAP directory? Spring Security can happily authenticate against it. In addition the security namespace can trivially be used to run an embedded LDAP server within your application for testing.

  • User Provisioning APIs: Support for groups, hierarchical roles and a user management API, which all combine to reduce development time and significantly improve system administration.

  • Supports HTTP BASIC authentication: Perfect for remoting protocols or those web applications that prefer a simple browser pop-up (rather than a form login), Spring Security can directly process HTTP BASIC authentication requests as per RFC 1945.

  • Supports HTTP Digest authentication: For greater security than offered by BASIC authentication, Spring Security also supports Digest Authentication (which never sends the user's password across the wire). Digest Authentication is widely supported by modern browsers. Spring Security's implementation complies with both RFC 2617 and RFC 2069.

  • Various authentication backends: We include the ability to retrieve your user and granted authority definitions from an XML file, JDBC datasource or Properties file. Alternatively, you can implement the single-method UserDetailsService interface and obtain authentication details from anywhere you like.

  • Easy integration with existing databases: Our implementations have been designed to make it easy to use your existing authentication schema and data (without modification). Of course, you can also provide your own Data Access Object if you wish.

  • Password encoding: Of course, passwords in your authentication repository need not be in plain text. We support both SHA and MD5 encoding, and also pluggable "salt" providers to maximise password security.

  • Caching: Spring Security optionally integrates with Spring's Ehcache factory. This flexibility means your database (or other authentication repository) is not repeatedly queried for authentication information when using Spring Security with stateless applications.
  • Event support: Building upon Spring's ApplicationEvent services, you can write your own listeners for authentication-related events, along with authorisation-related events. This enables you to implement account lockout and audit log systems, with complete decoupling from Spring Security code.

  • Remoting support: Does your project use a rich client? Not a problem. Spring Security integrates with standard Spring remoting protocols, because it automatically processes the HTTP BASIC authentication headers they present. Add our BASIC authentication filter to your web.xml and you're done. You can also easily use RMI or Digest authentication for your rich clients with a simple configuration statement.

  • Transparent security propagation: Spring Security can automatically transfer its core authentication information from one machine to another, using a variety of protocols including RMI and Spring's HttpInvoker.

  • Run-as replacement: The system fully supports temporarily replacing the authenticated principal for the duration of the web request or bean invocation. This enables you to build public-facing object tiers with different security configurations than your backend objects.

  • Compatibility with Servlet Security API: The HttpServletRequest's security methods such as getRemoteUser() will still function if you are using Spring Security without any container-based (web.xml) security enabled.

  • Channel security: Spring Security can automatically redirect requests across an appropriate transport channel. Whilst flexible enough to support any of your "channel" requirements, a common channel security feature is to ensure your secure pages will only be available over HTTPS, and your public pages only over HTTP. Spring Security also supports unusual port combinations (including if accessed via an intermediate server like Apache) and pluggable transport decision managers.
  • Tag library support: Your JSP files can use our taglib to ensure that protected content like links and messages are only displayed to users holding the appropriate granted authorities. The taglib also fully integrates with Spring Security's ACL services, and supports obtaining extra information about the logged-in principal.

  • Flexible "Pre-Authentication" Framework: For situations where you want to have an external system handle authentication (such as a J2EE container or a system like CA Siteminder), but still want to use Spring Security for access-control within your application. This code provides a flexible framework for retrieving the security context from the external system and integrating it with Spring Security.

  • Remember-Me (Persistent Login): For web applications which want the convenience of allowing users to skip logins for a period of time by using a persistent cookie. We offer two out of the box implementations.

  • IDE Support: Support for visualizing secured methods, plus configuration auto-completion support through Spring IDE or the SpringSource Tool Suite.

  • Web Flow Security: web state and flow transition authorization in Spring Web Flow 2.0.

  • WSS (formerly WS-Security): supported through the Spring Security integration in Spring Web Services 1.5.

  • Peer reviewed: Whilst nothing is ever completely secure, using an open source security package leverages the continuous design and code quality improvements that emerge from peer review.

  • Commercially Supported: Technical support and consulting services are available directly from SpringSource.

  • Apache license: You can confidently use Spring Security in your project.
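An added example, not from the Spring Security site or this post, of the 3.0 XML namespace tying several of the features above together: expression-based URL authorization over Ant paths, channel security with a custom port mapping, HTTP BASIC beside a form login, the @Pre/@Post annotations, and SHA password hashing with a per-user salt. The bean id, class name and URL paths are assumptions.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- URL authorization with Spring-EL; Ant patterns are matched in order, so the
         most specific rules come first and the catch-all /** last. -->
    <http use-expressions="true">
        <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" requires-channel="https"/>
        <intercept-url pattern="/account/**" access="isAuthenticated()" requires-channel="https"/>
        <intercept-url pattern="/**" access="permitAll" requires-channel="http"/>
        <!-- Channel security behind a non-standard port pair (e.g. Tomcat fronted by Apache) -->
        <port-mappings>
            <port-mapping http="8080" https="8443"/>
        </port-mappings>
        <form-login/>
        <!-- RFC 1945 BASIC auth for remoting clients; browsers still get the login form -->
        <http-basic/>
        <logout/>
    </http>

    <!-- Enables @PreAuthorize / @PostFilter on Spring-managed beans -->
    <global-method-security pre-post-annotations="enabled"/>

    <!-- Passwords are stored as SHA hashes salted with the username, never in plain text -->
    <authentication-manager>
        <authentication-provider user-service-ref="accountUserDetailsService">
            <password-encoder hash="sha">
                <salt-source user-property="username"/>
            </password-encoder>
        </authentication-provider>
    </authentication-manager>

    <!-- Assumed application class implementing the single-method UserDetailsService -->
    <beans:bean id="accountUserDetailsService" class="com.example.AccountUserDetailsService"/>
</beans:beans>
```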
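An added example, not code from the Spring Security project or this post, of the @Pre/@Post expression annotations and the single-method UserDetailsService described above. Account, AccountService, AccountRepository and UserRow are hypothetical application types.

```java
import java.util.List;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Hypothetical domain object; the @PostFilter expression reads its "owner" property.
class Account {
    private final String owner;
    Account(String owner) { this.owner = owner; }
    public String getOwner() { return owner; }
}

// Service interface secured with the 3.0 expression annotations. The #owner reference
// is bound by parameter name, which needs debug info (javac -g) to be resolvable.
interface AccountService {
    // Admins pass; anyone else must be asking for an account they own.
    @PreAuthorize("hasRole('ROLE_ADMIN') or #owner == authentication.name")
    Account loadAccount(String owner, long accountId);

    // Collection filtering: each element is exposed as filterObject and removed
    // from the returned list when the expression is false for it.
    @PostFilter("hasRole('ROLE_ADMIN') or filterObject.owner == authentication.name")
    List<Account> listAccounts();
}

// Hypothetical DAO over an existing user table, used without schema changes.
interface AccountRepository { UserRow findByUsername(String username); }
class UserRow { String username, passwordHash; boolean enabled, locked; String[] roles; }

// The "single-method UserDetailsService" adapter the feature list refers to.
public class AccountUserDetailsService implements UserDetailsService {
    private final AccountRepository repository;

    public AccountUserDetailsService(AccountRepository repository) { this.repository = repository; }

    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserRow row = repository.findByUsername(username);
        if (row == null) {
            throw new UsernameNotFoundException("No user named " + username);
        }
        // The stored hash is handed over as-is; the provider's password encoder compares it.
        // The "locked" flag maps to accountNonLocked, so a lockout listener can act on it.
        return new User(row.username, row.passwordHash, row.enabled,
                true, true, !row.locked, AuthorityUtils.createAuthorityList(row.roles));
    }
}
```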