www.it-ebooks.info
Spring Security 3.1
Secure your web applications from hackers with this
step-by-step guide
Robert Winch
Peter Mularien
BIRMINGHAM - MUMBAI
Spring Security 3.1
Copyright © 2012 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval
system, or transmitted in any form or by any means, without the prior written
permission of the publisher, except in the case of brief quotations embedded in
critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy
of the information presented. However, the information contained in this book is
sold without warranty, either express or implied. Neither the author, nor Packt
Publishing, and its dealers and distributors will be held liable for any damages
caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the
companies and products mentioned in this book by the appropriate use of capitals.
However, Packt Publishing cannot guarantee the accuracy of this information.
First published: May 2010
Second published: December 2012
Production Reference: 1191212
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-84951-826-0
www.packtpub.com
Cover Image by Asher Wishkerman (wishkerman@hotmail.com)
Credits
Authors
Robert Winch
Peter Mularien
Reviewers
Marten Deinum
Brian Relph
Bryan Kelly
Acquisition Editor
Usha Iyer
Lead Technical Editor
Susmita Panda
Technical Editors
Lubna Shaikh
Worrell Lewis
Copy Editors
Brandt D'mello
Insiya Morbiwala
Alda Paiva
Laxmi Subramanian
Project Coordinator
Michelle Quadros
Proofreader
Mario Cecere
Indexers
Monica Ajmera
Rekha Nair
Graphics
Aditi Gajjar
Production Coordinator
Arvindkumar Gupta
Cover Work
Arvindkumar Gupta
About the Author
Robert Winch is currently a Senior Software Engineer at VMware and is the
project lead of the Spring Security framework. In the past, he has worked as a
Software Architect at Cerner, the largest provider of electronic medical systems in
the U.S., securing health care applications. Throughout his career, he has developed
hands-on experience integrating Spring Security with an array of security standards
(that is, LDAP, SAML, CAS, OAuth, and so on). Before he was employed at Cerner,
he worked as an independent web contractor, in proteomics research at Loyola
University Chicago, and on the Globus Toolkit at Argonne National Laboratory.
Acknowledgement
Before we get started, I would like to extend my thanks to those who helped
me make this book possible. First, I would like to thank Peter Mularien, for
recommending me to Packt Publishing to write the second edition of his book
Spring Security 3, Packt Publishing. It was very useful to have such a sound
foundation to start Spring Security 3.1.
Writing a book is a very involved process and there were many that played a key
part in the book's success. I would like to thank all the members of the team at
Packt Publishing for making this possible. To Usha Iyer, for guiding me through the
process; to Theresa Chettiar, for ensuring that I stayed focused and on time; and to
Susmita Panda, for her diligence in reviewing the book. Thank you to my technical
reviewers Peter Mularien, Marten Deinum, Brian Relph, and Bryan Kelly. Your
feedback was critical in ensuring this book's success.
This book, the Spring Security Framework, and the Spring Framework are all made
possible by the large and active community. Thank you to all of those who contribute
to the Spring Framework through patches, JIRA submissions, and answering other
users' questions. Thanks to Ben Alex for creating Spring Security. I'd like to extend my
special thanks to Luke Taylor for his leadership of Spring Security. It was through his
mentoring that I have grown into a leader in the Spring Security community.
Thank you to my friends and family for your continued support. Last, but certainly
not least, I would like to thank my wife, Amanda. Without your love, patience, and
encouragement, I would have never been able to finish this book. Thank you for
taking such good care of me and reminding me to eat.
Peter Mularien is an experienced software architect and engineer, and the
author of the book Spring Security 3, Packt Publishing. Peter currently works for a
large financial services company and has over 12 years of consulting and product
experience in Java, Spring, Oracle, and many other enterprise technologies.
He is also a reviewer of this book.
About the Reviewers
Marten Deinum is a Java/software consultant working for Conspect. He
has developed and architected software, primarily in Java, for small and large
companies. He is an enthusiastic open source user and longtime fan, user, and
advocate of the Spring Framework. He has held a number of positions including
Software Engineer, Development Lead, Coach, and also as a Java and Spring Trainer.
When not working or answering questions on the Spring Framework forums, he can
be found in the water training for triathlons, or underwater, diving or guiding
other people around.
Brian Relph is currently a Software Engineer at Google, with a focus on web
application development. In the past, he has worked as a Software Architect at
Cerner, the largest provider of electronic medical systems in the U.S. Throughout
his career, he has developed hands-on experience in integrating Spring and Spring
Security with an array of Java standards (that is, LDAP, CAS, OAuth, and so on), and
other open source frameworks (Hibernate, Struts, and so on). He has also worked as
an independent Web Contractor.
Bryan Kelly is currently a Software Architect at Cerner Corporation,
the largest provider of electronic medical systems in the U.S. At Cerner, his
primary responsibility is designing and implementing solutions that use the
Spring Framework, Spring Security, and Hibernate for Web Applications and
RESTful Web Services. Previously, he has worked as a Software Developer for
CJK Software Consultants. Throughout his career, he has developed hands-on
experience in integrating Spring Security with an array of security standards
(that is, LDAP, SAML v1 and v2, CAS, OAuth, OpenID, and so on).
I would like to personally thank Rob Winch for the opportunity to
be a technical reviewer of this book. I would like to thank my wife
Melinda Kelly for her unwavering support while I used my personal
time to review this book. I would also like to thank John Krzysztow
of CJK Software Consultants for giving a high schooler a chance at
professional software development.
www.PacktPub.com
Support files, eBooks, discount offers and more
You might want to visit www.PacktPub.com for support files and downloads related
to your book.
Did you know that Packt offers eBook versions of every book published, with PDF
and ePub files available? You can upgrade to the eBook version at www.PacktPub.com
and as a print book customer, you are entitled to a discount on the eBook copy.
Get in touch with us at service@packtpub.com for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign
up for a range of free newsletters and receive exclusive discounts and offers on Packt
books and eBooks.
http://PacktLib.PacktPub.com
Do you need instant solutions to your IT questions? PacktLib is Packt's online
digital book library. Here, you can access, read and search across Packt's entire
library of books.
Why Subscribe?
• Fully searchable across every book published by Packt
• Copy and paste, print and bookmark content
• On demand and accessible via web browser
Free Access for Packt account holders
If you have an account with Packt at www.PacktPub.com, you can use this to access
PacktLib today and view nine entirely free books. Simply use your login credentials
for immediate access.
[...] in Spring and Spring Security 3.1, but it would be relatively easy to adapt many
of the examples to other versions of Spring Security. Refer to the discussion about the
detailed changes between Spring Security 2 and 3.1 in Chapter 15, Migration to Spring
Security 3.1, for assistance in translating the examples to the Spring Security 2 syntax.
There should be no effort in translating the examples from Spring [...]

[...] Chapter 2: Getting Started with Spring Security 21
Hello Spring Security 22
Importing the sample application 22
Updating your dependencies 22
Using Spring 3.1 and Spring Security 3.1 23
Implementing a Spring Security XML configuration file 24
Updating your web.xml file 27
ContextLoaderListener 27
ContextLoaderListener versus DispatcherServlet 28
springSecurityFilterChain 29
Running a secured application 31
Common problems 31 [...]

[...] Faces (JSF), AJAX, Google Web Toolkit (GWT), Spring Roo, and AspectJ. Chapter 15,
Migration to Spring Security 3.1, provides a migration path from Spring Security 2 and
Spring Security 3, including notable configuration changes, class and package migrations,
and important new features. It also highlights the new features that can be found in
Spring Security 3.1 and provides references to examples of the [...]

[...] object-level security using the Spring Security Access Control Lists module—a
powerful module with very flexible applicability to challenging business security
problems. Chapter 12, Custom Authorization, explains how Spring Security's authorization
works by writing custom implementations of key parts of Spring Security's authorization
infrastructure. Chapter 13, Session Management, discusses how Spring Security [...]

[...] 7
Security audit 8
About the sample application 8
The JBCP calendar application architecture 10
Application technology 11
Reviewing the audit results 12
Authentication 14
Authorization 16
Database credential security 18
Sensitive information 19
Transport-level protection 19
Using Spring Security 3.1 to address security concerns 19
Why Spring Security 20
Summary 20
Chapter 2: Getting Started with Spring [...]

[...] 409
Migrating from Spring Security 2
Enhancements in Spring Security 3
Changes to configuration in Spring Security 3
Rearranged AuthenticationManager configuration
New configuration syntax for session management options
Changes to custom filter configuration
Changes to CustomAfterInvocationProvider
Minor configuration changes
Changes to packages and classes
Updates in Spring Security 3.1
Summary
Getting [...]

[...] covers a hypothetical security audit of our Calendar application, illustrating
common issues that can be resolved through proper application of Spring Security. You
will learn about some basic security terminology and review some prerequisites for
getting the sample application up and running. Chapter 2, Getting Started with Spring
Security, demonstrates the "Hello World" installation of Spring Security [...]

[...] Anatomy of an Unsafe Application
Many IDEs provide Maven tooling that can automatically download the Spring and Spring
Security 3.1 Javadoc and source code for you. However, there may be times when this is
not possible. In such cases, you'll want to download the full releases of both Spring 3.1
and Spring Security 3.1. The Javadoc and source code are top notch; if you get confused
or want more information, [...]

[...] LoginOnAuthRequired [...]
Method security with Spring Roo 386
Authorization with AspectJ 386
Summary 388
Chapter 15: Migration to Spring Security 3.1 389
Appendix: Additional Reference Material 401
Creating a Tomcat v7.0 server
Starting the samples within Spring Tool Suite
Shutting down the samples within Spring Tool Suite
Removing previous versions of the samples
Using HTTPS within Spring Tool Suite [...]

[...] certificate authentication
Configuring client certificate authentication in Spring Security
Configuring client certificate authentication using the security namespace
How Spring Security uses certificate information
How Spring Security certificate authentication works
Configuring client certificate authentication using Spring Beans
Additional capabilities of bean-based configuration
Considerations [...]

[...] 137
Built-in Active Directory support in Spring Security 3.1 140
Summary 141
Chapter 6: Remember-me Services 143
What is remember-me 143
Dependencies 144
The [...] Directory Studio 113
Binding anonymously to LDAP 113
Searching for the user 114
Binding as a user to LDAP 115
Determining user role membership 116
Determining [...]
Posted: 07/03/2014, 06:20
See also: Spring Security 3.1 pot