Table of Contents
Preface
Chapter 1: Anatomy of an Unsafe Application
Chapter 2: Getting Started with Spring Security
Chapter 3: Custom Authentication
Chapter 4: JDBC-based Authentication
Chapter 5: LDAP Directory Services
Chapter 6: Remember-me Services
Chapter 7: Client Certificate Authentication
Chapter 8: Opening up to OpenID
Chapter 9: Single Sign-on with Central Authentication Service
Chapter 10: Fine-grained Access Control
Chapter 11: Access Control Lists
Chapter 12: Custom Authorization
Chapter 13: Session Management
Chapter 14: Integrating with Other Frameworks
Chapter 15: Migration to Spring Security 3.1
Appendix: Additional Reference Material
Index
Preface
Chapter 1: Anatomy of an Unsafe Application
Security audit
About the sample application
The JBCP calendar application architecture
Application technology
Reviewing the audit results
Authentication
Authorization
Database credential security
Sensitive information
Transport-level protection
Using Spring Security 3.1 to address security concerns
Why Spring Security
Summary
Chapter 2: Getting Started with Spring Security
Hello Spring Security
Importing the sample application
Updating your dependencies
Using Spring 3.1 and Spring Security 3.1
Implementing a Spring Security XML configuration file
Updating your web.xml file
ContextLoaderListener
ContextLoaderListener versus DispatcherServlet
springSecurityFilterChain
DelegatingFilterProxy
FilterChainProxy
Running a secured application
Common problems
A little bit of polish
Customizing login
Configuring logout
The page isn't redirecting properly
Basic role-based authorization
Expression-based authorization
Conditionally displaying authentication information
Customizing the behavior after login
Summary
Chapter 3: Custom Authentication
JBCP Calendar architecture
CalendarUser
Event
CalendarService
UserContext
SpringSecurityUserContext
Logging in new users using SecurityContextHolder
Managing users in Spring Security
Logging in a new user to an application
Updating SignupController
Creating a custom UserDetailsService object
CalendarUserDetailsService
Configuring UserDetailsService
Removing references to UserDetailsManager
CalendarUserDetails
SpringSecurityUserContext simplifications
Displaying custom user attributes
Creating a custom AuthenticationProvider object
CalendarUserAuthenticationProvider
Configuring CalendarUserAuthenticationProvider
Authenticating with different parameters
DomainUsernamePasswordAuthenticationToken
Updating CalendarUserAuthenticationProvider
Adding domain to the login page
DomainUsernamePasswordAuthenticationFilter
Updating our configuration
Which authentication method to use
Summary
Chapter 4: JDBC-based Authentication
Using Spring Security's default JDBC authentication
Required dependencies
Using the H2 database
Provided JDBC scripts
Configuring the H2-embedded database
Configuring JDBC UserDetailsManager
Spring Security's default user schema
Defining users
Defining user authorities
UserDetailsManager
What other features does UserDetailsManager provide out of the box
Group-based access control
Configuring group-based access control
Configuring JdbcUserDetailsManager to use groups
Utilize the GBAC JDBC scripts
Group-based schema
Group authority mappings
Support for a custom schema
Determining the correct JDBC SQL queries
Updating the SQL scripts that are loaded
CalendarUser authority SQL
Insert custom authorities
Configuring the JdbcUserDetailsManager to use custom SQL queries
Configuring secure passwords
PasswordEncoder
Configuring password encoding
Configuring the PasswordEncoder
Making Spring Security aware of the PasswordEncoder
Hashing the stored passwords
Hashing a new user's passwords
Not quite secure
Would you like some salt with that password
Using salt in Spring Security
Summary
Chapter 5: LDAP Directory Services
Understanding LDAP
LDAP
Common LDAP attribute names
Updating our dependencies
Configuring embedded LDAP integration
Configuring an LDAP server reference
Enabling the LDAP AuthenticationProvider interface
Troubleshooting embedded LDAP
Understanding how Spring LDAP authentication works
Authenticating user credentials
Demonstrating authentication with Apache Directory Studio
Binding anonymously to LDAP
Searching for the user
Binding as a user to LDAP
Determining user role membership
Determining roles with Apache Directory Studio
Mapping additional attributes of UserDetails
Advanced LDAP configuration
Sample JBCP LDAP users
Password comparison versus bind authentication
Configuring basic password comparison
LDAP password encoding and storage
The drawbacks of a password comparison authenticator
Configuring UserDetailsContextMapper
Implicit configuration of UserDetailsContextMapper
Viewing additional user details
Using an alternate password attribute
Using LDAP as UserDetailsService
Configuring LdapUserDetailsService
Updating AccountController to use LdapUserDetailsService
Integrating with an external LDAP server
Explicit LDAP bean configuration
Configuring an external LDAP server reference
Configuring LdapAuthenticationProvider
Delegating role discovery to UserDetailsService
Integrating with Microsoft Active Directory via LDAP
Built-In Active Directory support in Spring Security 3.1
Summary
Chapter 6: Remember-me Services
What is remember-me
Dependencies
The token-based remember-me feature
Configuring the token-based remember-me feature
How the token-based remember-me feature works
MD5
Remember-me signature
Token-based remember-me configuration directives
Is remember-me secure
Authorization rules for remember-me
Persistent remember-me
Using the persistent-based remember-me feature
Adding SQL to create the remember-me schema
Initializing the data source with the remember-me schema
Configuring the persistent-based remember-me feature
How does the persistent-based remember-me feature work
Are database-backed persistent tokens more secure
Cleaning up the expired remember-me sessions
Remember-me architecture
Remember-me and the user lifecycle
Restricting the remember-me feature to an IP address
Custom cookie and HTTP parameter names
Summary
Chapter 7: Client Certificate Authentication
How client certificate authentication works
Setting up client certificate authentication infrastructure
Understanding the purpose of a public key infrastructure
Creating a client certificate key pair
Configuring the Tomcat trust store
Importing the certificate key pair into a browser
Using Firefox
Using Chrome
Using Internet Explorer
Wrapping up testing
Troubleshooting client certificate authentication
Configuring client certificate authentication in Spring Security
Configuring client certificate authentication using the security namespace
How Spring Security uses certificate information
How Spring Security certificate authentication works
Handling unauthenticated requests with AuthenticationEntryPoint
Supporting dual-mode authentication
Configuring client certificate authentication using Spring Beans
Additional capabilities of bean-based configuration
Considerations when implementing Client Certificate authentication
Summary
Chapter 8: Opening up to OpenID
The promising world of OpenID
Signing up for an OpenID
Enabling OpenID authentication with Spring Security
Additional required dependencies
Configuring OpenID support in Spring Security
Adding OpenID users
CalendarUserDetailsService lookup by OpenID
The OpenID user registration problem
How are OpenID identifiers resolved
Implementing user registration with OpenID
Registering OpenIDAuthenticationUserDetailsService
Attribute Exchange
Enabling AX in Spring Security OpenID
Configuring different attributes for each OpenID Provider
Usability enhancements
Automatic redirection to the OpenID Provider
Conditional automatic redirection
Is OpenID Secure
Summary
Chapter 9: Single Sign-on with Central Authentication Service
Introducing Central Authentication Service
High-level CAS authentication flow
Spring Security and CAS
Required dependencies
CAS installation and configuration
Configuring basic CAS integration
Creating the CAS ServiceProperties object
Adding the CasAuthenticationEntryPoint
Enabling CAS ticket verification
Proving authenticity with the CasAuthenticationProvider
Single logout
Configuring single logout
Clustered environments
Proxy ticket authentication for stateless services
Configuring proxy ticket authentication
Using proxy tickets
Authenticating proxy tickets
Customizing the CAS Server
CAS Maven WAR Overlay
How CAS internal authentication works
Configuring CAS to connect to our embedded LDAP server
Getting UserDetails from a CAS assertion
Returning LDAP attributes in the CAS Response
Mapping LDAP attributes to CAS attributes
Authorizing CAS Services to access custom attributes
Getting UserDetails from a CAS assertion
GrantedAuthorityFromAssertionAttributesUserDetailsService
Alternative ticket authentication using SAML 1.1
How is attribute retrieval useful
Additional CAS capabilities
Summary
Chapter 10: Fine-grained Access Control
Maven dependencies
Spring Expression Language (SpEL) integration
WebSecurityExpressionRoot
Using the request attribute
Using hasIpAddress
MethodSecurityExpressionRoot
Page-level authorization
Conditional rendering with Spring Security tag library
Conditional rendering based on URL access rules
Conditional rendering using SpEL
Using controller logic to conditionally render content
WebInvocationPrivilegeEvaluator
What is the best way to configure in-page authorization
Method-level security
Why we secure in layers
Securing the business tier
Adding @PreAuthorize method annotation
Instructing Spring Security to use method annotations
Validating method security
Interface-based proxies
JSR-250 compliant standardized rules
Method security using Spring's @Secured annotation
Method security rules using aspect-oriented programming
Method security rules using bean decorators
Method security rules incorporating method parameters
Method security rules incorporating returned values
Securing method data through role-based filtering
Pre-filtering collections with @PreFilter
Comparing method authorization types
Practical considerations for annotation-based security
Method security on Spring MVC controllers
Class-based proxies
Class-based proxy limitations
Summary
Chapter 11: Access Control Lists
Using access control lists for business object security
Access control lists in Spring Security
Basic configuration of Spring Security ACL support
Maven dependencies
Defining a simple target scenario
Adding ACL tables to the H2 database
Configuring SecurityExpressionHandler
AclPermissionCacheOptimizer
PermissionEvaluator
JdbcMutableAclService
BasicLookupStrategy
EhCacheBasedAclCache
ConsoleAuditLogger
AclAuthorizationStrategyImpl
Creating a simple ACL entry
Advanced ACL topics
How permissions work
Custom ACL permission declaration
Enabling your JSPs with the Spring Security JSP tag library through ACL
Mutable ACLs and authorization
Adding ACLs to newly created Events
Considerations for a typical ACL deployment
About ACL scalability and performance modelling
Do not discount custom development costs
Should I use Spring Security ACL
Summary
Chapter 12: Custom Authorization
How requests are authorized
Configuration of access decision aggregation
Configuring to use a UnanimousBased access decision manager
Expression-based request authorization
Customizing request authorization
Dynamically defining access control to URLs
JdbcRequestConfigMappingService
FilterInvocationServiceSecurityMetadataSource
BeanPostProcessor to extend namespace configuration
Removing our <intercept-url> elements
Creating a custom expression
CustomWebSecurityExpressionRoot
CustomWebSecurityExpressionHandler
Configuring and using CustomWebSecurityExpressionHandler
How does method security work
Creating a custom PermissionEvaluator
CalendarPermissionEvaluator
Configuring CalendarPermissionEvaluator
Securing our CalendarService
Benefits of a custom PermissionEvaluator
Summary
Chapter 13: Session Management
Configuring session fixation protection
Understanding session fixation attacks
Preventing session fixation attacks with Spring Security
Simulating a session fixation attack
Comparing session-fixation-protection options
Restricting the number of concurrent sessions per user
Configuring concurrent session control
Understanding concurrent session control
Testing concurrent session control
Configuring expired session redirect
Common problems with concurrency control
Preventing authentication instead of forcing logout
Other benefits of concurrent session control
Displaying active sessions for a user
How Spring Security uses the HttpSession
HttpSessionSecurityContextRepository
Configuring how Spring Security uses HttpSession
Debugging with Spring Security's DebugFilter
Summary
Chapter 14: Integrating with Other Frameworks
Integrating with Java Server Faces (JSF)
Customizations to support AJAX
DelegatingAuthenticationEntryPoint
AjaxRequestMatcher
Http401EntryPoint
Configuration updates
JavaScript updates
Proxy-based authorization with JSF
Custom login page in JSF
Spring Security Facelets tag library
Google Web Toolkit (GWT) integration
Spring Roo and GWT
Spring Security setup
GwtAuthenticationEntryPoint
GWT client updates
AuthRequestTransport
AuthRequiredEvent
LoginOnAuthRequired
Configuring GWT
Spring Security configuration
Method security
Method security with Spring Roo
Authorization with AspectJ
Summary
Chapter 15: Migration to Spring Security 3.1
Migrating from Spring Security 2
Enhancements in Spring Security 3
Changes to configuration in Spring Security 3
Rearranged AuthenticationManager configuration
New configuration syntax for session management options
Changes to custom filter configuration
Changes to CustomAfterInvocationProvider
Minor configuration changes
Changes to packages and classes
Updates in Spring Security 3.1
Summary
Appendix: Additional Reference Material
Getting started with the JBCP Calendar sample code
Creating a new workspace
Sample code structure
Importing the samples
Running the samples in Spring Tool Suite
Creating a Tomcat v7.0 server
Starting the samples within Spring Tool Suite
Shutting down the samples within Spring Tool Suite
Removing previous versions of the samples
Using HTTPS within Spring Tool Suite
Default URLs processed by Spring Security
Logical filter names migration reference
HTTPS setup in Tomcat
Generating a server certificate
Configuring Tomcat Connector to use SSL
Basic Tomcat SSL termination guide
Supplementary materials
Index