Spring Security notes (1): what is Spring Security?
Spring Security provides comprehensive security services for Java EE-based enterprise software applications. There is a particular emphasis on supporting projects built using The Spring Framework, which is the leading Java EE solution for enterprise software development. If you’re not using Spring for developing enterprise applications, we warmly encourage you to take a closer look at it. Some familiarity with Spring - and in particular dependency injection principles - will help you get up to speed with Spring Security more easily.
Spring Security provides comprehensive security services for Java EE enterprise software applications. Spring already leads the solutions for Java EE enterprise software development, and Spring Security gives important support to projects built on the Spring Framework. If you do not plan to adopt Spring as your application development framework, we sincerely encourage you to take a careful look at it. A little more familiarity with Spring, especially with dependency injection, will be of great help when you use Spring Security.
People use Spring Security for many reasons, but most are drawn to the project after finding the security features of Java EE’s Servlet Specification or EJB Specification lack the depth required for typical enterprise application scenarios. Whilst mentioning these standards, it’s important to recognise that they are not portable at a WAR or EAR level. Therefore, if you switch server environments, it is typically a lot of work to reconfigure your application’s security in the new target environment. Using Spring Security overcomes these problems, and also brings you dozens of other useful, customisable security features.
People may use Spring Security for many reasons, but most come to it after finding that the security provisions of the Java EE Servlet specification or the EJB specification fall short for typical application scenarios. While mentioning these standards, one should also realize that they are not flexible enough at the WAR or EAR level. So if you need to switch server environments, a lot of work is needed to reconfigure the application's security. Using Spring Security solves these problems and also gives you many useful, customizable security services.
As you probably know two major areas of application security are “authentication” and “authorization” (or “access-control”). These are the two main areas that Spring Security targets. “Authentication” is the process of establishing a principal is who they claim to be (a “principal” generally means a user, device or some other system which can perform an action in your application). “Authorization” refers to the process of deciding whether a principal is allowed to perform an action within your application. To arrive at the point where an authorization decision is needed, the identity of the principal has already been established by the authentication process. These concepts are common, and not at all specific to Spring Security.
You probably know that the two main areas of application security are authentication and authorization (or access control). These are the two main targets of Spring Security. Authentication is mainly about verifying whether a principal can be established (a principal may be a user, a device, or some other system that can invoke an action in your system). Authorization is mainly responsible for checking whether the principal's calling thread is allowed to invoke a given action. To reach that point, the principal must first have been established. These concepts are very general and are not specific to Spring.
At an authentication level, Spring Security supports a wide range of authentication models. Most of these authentication models are either provided by third parties, or are developed by relevant standards bodies such as the Internet Engineering Task Force. In addition, Spring Security provides its own set of authentication features. Specifically, Spring Security currently supports authentication integration with all of these technologies:
At the authentication level, Spring Security supports many authentication models. Many of these models are either provided by third parties or developed by the relevant standards bodies, such as the Internet Engineering Task Force. In addition, Spring Security provides its own set of authentication features. Specifically, Spring Security currently supports authentication with the following technologies:
- HTTP BASIC authentication headers (an IETF RFC-based standard)
- HTTP Digest authentication headers (an IETF RFC-based standard)
- HTTP X.509 client certificate exchange (an IETF RFC-based standard)
- LDAP (a very common approach to cross-platform authentication needs, especially in large environments)
- Form-based authentication (for simple user interface needs)
- OpenID authentication
- Authentication based on pre-established request headers (such as Computer Associates Siteminder)
- JA-SIG Central Authentication Service (otherwise known as CAS, which is a popular open source single sign-on system)
- Transparent authentication context propagation for Remote Method Invocation (RMI) and HttpInvoker (a Spring remoting protocol)
- Automatic “remember-me” authentication (so you can tick a box to avoid re-authentication for a predetermined period of time)
- Anonymous authentication (allowing every unauthenticated call to automatically assume a particular security identity)
- Run-as authentication (which is useful if one call should proceed with a different security identity)
- Java Authentication and Authorization Service (JAAS)
- JEE container authentication (so you can still use Container Managed Authentication if desired)
- Kerberos
- Java Open Source Single Sign On (JOSSO) *
- OpenNMS Network Management Platform *
- AppFuse *
- AndroMDA *
- Mule ESB *
- Direct Web Request (DWR) *
- Grails *
- Tapestry *
- JTrac *
- Jasypt *
- Roller *
- Elastic Path *
- Atlassian Crowd *
- Your own authentication systems (see below)
Note:
Here we can see that Spring Security arose from a set of security problems, such as session hijacking and forged requests. To solve these problems, Spring Security combines several authentication models to perform verification. This splits into two main aspects: identity authentication and access verification. It is implemented mainly with a filter chain of filters, which then perform the verification.
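The two aspects described above, authentication (establishing who the principal is) and authorization (deciding what that principal may do), and the filter chain that carries them out, can be seen side by side in a single Spring Security configuration class. The following is an added example written for these notes, not code from the original post or from the Spring Security project; it assumes the Java configuration API of Spring Security 6 (`SecurityFilterChain` bean, `authorizeHttpRequests`), which is newer than the version the list above was written for. The URL paths, the user names, the passwords and the remember-me key are all constructed placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Added example (not from the original notes): one configuration class that
 * wires both halves of the model from the text.
 *
 *  - Authentication: HTTP Basic headers, a login form and "remember-me",
 *    three of the models from the list above, all backed by the same
 *    UserDetailsService.
 *  - Authorization: per-URL rules that decide what an already authenticated
 *    principal may reach.
 *
 * Everything is registered as a SecurityFilterChain, i.e. the chain of
 * servlet filters mentioned in the closing note.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    /**
     * The filter chain. Rules are evaluated top to bottom, so the most
     * specific paths come first and a deny-by-default rule closes the list:
     * any request not matched above must at least be authenticated.
     * (Paths are constructed examples.)
     */
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()      // anonymous access allowed
                .requestMatchers("/admin/**").hasRole("ADMIN")  // authorization: role check
                .anyRequest().authenticated())                  // authentication required
            .httpBasic(Customizer.withDefaults())               // "HTTP BASIC authentication headers"
            .formLogin(Customizer.withDefaults())               // "Form-based authentication"
            .rememberMe(remember -> remember
                .key("constructed-remember-me-key"));           // "Automatic remember-me" (placeholder key)
        return http.build();
    }

    /**
     * Where principals come from. An in-memory store is used so the example
     * runs without a database; the two users and their passwords are
     * constructed placeholders. In a real deployment this bean is the point
     * where LDAP, JDBC or any of the other listed providers would plug in.
     */
    @Bean
    UserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails user = User.withUsername("alice")
            .password(encoder.encode("alice-placeholder-password"))
            .roles("USER")
            .build();
        UserDetails admin = User.withUsername("bob")
            .password(encoder.encode("bob-placeholder-password"))
            .roles("USER", "ADMIN")
            .build();
        return new InMemoryUserDetailsManager(user, admin);
    }

    /**
     * Passwords are never stored in the clear; the delegating encoder hashes
     * them (bcrypt by default) and prefixes each hash with its algorithm id,
     * so the scheme can be rotated later without re-registering users.
     */
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }
}
```

With this configuration a request to `/public/...` passes through the chain with an anonymous identity, a request to `/admin/...` by `alice` is authenticated but then rejected by the authorization rule (HTTP 403), and the same request by `bob` succeeds. The point to take from it is the ordering the text describes: the filter chain first settles who the principal is, and only then applies the access rules.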