Spring Book – Chapter 15 – Web Application Security with Spring

Spring Security Modules

The Spring Security 3.x codebase is divided into separate JARs (Java ARchives), which separate the different areas of functionality, along with their associated third-party dependencies, in a clear and modular fashion. The JARs in Spring Security are summarized below:

  • spring-security-core-3.x.x.RELEASE.jar – It contains core classes and interfaces related to user authentication and authorization, as well as the maintenance of a security context. It also contains access-control related code, including security metadata related classes, EL support etc.
  • spring-security-remoting-3.x.x.RELEASE.jar – It contains various classes and interfaces related to remoting, which allow DNS (Domain Name System) resolution and enable use of Spring’s HttpInvoker and RMI extension points in your application.
  • spring-security-web-3.x.x.RELEASE.jar – It contains the classes, interfaces and other modules that form the core of Spring Security’s web security module.
  • spring-security-config-3.x.x.RELEASE.jar – It contains all the support classes for the Spring Security namespace.
  • spring-security-ldap-3.x.x.RELEASE.jar – It contains all the support classes for Spring Security’s LDAP (Lightweight Directory Access Protocol) module. LDAP is an application protocol for accessing and maintaining distributed directory information services over an internet protocol network.
  • spring-security-acl-3.x.x.RELEASE.jar – It contains all the necessary support classes for the Spring Security ACL package which implements instance-based security for domain objects.
  • spring-security-cas-3.x.x.RELEASE.jar – It contains all the necessary classes for Spring Security’s support for Jasig’s Central Authentication Service (CAS).
  • spring-security-openid-3.x.x.RELEASE.jar – It contains the necessary support classes which aid Spring Security in authenticating standard web browser users via OpenID.
  • spring-security-crypto-3.x.x.RELEASE.jar – It contains utility classes which aid Spring Security in performing standard cryptographic encryption and decryption.
  • spring-security-taglibs-3.x.x.RELEASE.jar – It contains Spring Security related tag libraries that can be used in JSPs and templates alike.

Spring Security Features and Capabilities

Spring Security offers a range of security-related features and capabilities. In this section I have deliberately treated them as two separate lists, so that it is clear why Spring Security is strong on features and on capabilities individually.

Spring Security possesses important features, which can be summarized as follows:

  • Ease of configuration – Because Spring Security is built on top of the Spring Framework, it can use Spring capabilities such as Dependency Injection to reduce configuration hiccups and ease configuration to a large extent.
  • Non-intrusive setup – It uses Servlet Filters to plug security into your application, avoiding the deployment conflicts that usually arise across various containers.
  • Non-invasive – Due to its architecture, your application objects are always free from security code, and a clear separation exists between your business application logic and the security logic.
  • Pluggability – Spring Security is designed around principles such as loose coupling and interface-driven design, making it easy to replace, customize or extend parts of the code. Because of this, many independent software vendors adopt Spring Security, which gives them the flexibility to choose the security models used for authentication and authorization and allows quick integration with the end client’s needs, without undertaking a lot of change based on the deployed environment.
  • Commercial support – SpringSource (a division of VMware) provides technical and consultancy support services tailored to an organization’s requirements.
  • License – Released under version 2.0 of the Apache License, which allows the code to be used and modified as required in your application.

Spring Security provides very important capabilities, which make it an outright leader in securing your application. These are summarized below:

  • Authentication – Spring Security lets you integrate your application with a choice of flexible authentication models. It also gives you the capability to write your own authentication model if none of the standard ones works for your application. With this capability your application can integrate with other legacy applications in your organization with ease.
  • Web URL authorization – One of the reasons you can choose Spring Security is its advanced authorization capabilities. Spring Security provides advanced authorization on the basis of web URL.
  • Method invocation authorization – Spring Security can also be used to secure method invocations.
  • Domain instance based security – Security requirements in your application need not be limited to who (authentication) and where (method invocation); they can also extend to what (domain object). Spring Security allows you to enable security at the domain object level as well.
  • Web Service Security via Spring Web Services – Spring Security provides the capability to secure web services.
  • Flow authorization via Spring Web Flow – Authorization of web state and flow transitions in Spring Web Flow.
  • Human user detection – The capability to work well with the CAPTCHA solutions available in the market, as well as provision for building custom CAPTCHA solutions.
  • Capability to work with other Spring components and third-party components.
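
As an added illustration (not taken from the book), the security namespace configuration below shows how the web URL authorization, method invocation authorization and authentication capabilities listed above are typically switched on. It assumes Spring Security 3.1 (for the schema and the crypto module's BCryptPasswordEncoder); the `com.example.security.AppUserDetailsService` class, the bean ids and the URL patterns are hypothetical.

```xml
<!-- Added example: Spring Security 3.1 namespace configuration (assumed version). -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
      http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
      http://www.springframework.org/schema/security
      http://www.springframework.org/schema/security/spring-security-3.1.xsd">

  <!-- Web URL authorization (spring-security-web + spring-security-config).
       Rules are evaluated top to bottom and the first match wins, so the
       specific /admin/** rule must come before the catch-all /** rule. -->
  <http use-expressions="true">
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
    <intercept-url pattern="/**" access="isAuthenticated()"/>
    <form-login/>  <!-- uses the framework-generated login page -->
    <logout/>
  </http>

  <!-- Method invocation authorization: enables @PreAuthorize and
       @PostAuthorize on Spring-managed beans, for example
       @PreAuthorize("hasRole('ROLE_ADMIN')") on a service method. -->
  <global-method-security pre-post-annotations="enabled"/>

  <!-- Authentication: a pluggable UserDetailsService. The class name is
       hypothetical; substitute your own implementation. -->
  <beans:bean id="appUserDetailsService"
      class="com.example.security.AppUserDetailsService"/>

  <!-- spring-security-crypto: BCrypt for stored password hashes. -->
  <beans:bean id="passwordEncoder"
      class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

  <authentication-manager>
    <authentication-provider user-service-ref="appUserDetailsService">
      <password-encoder ref="passwordEncoder"/>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
```

The `<global-method-security>` element only affects beans defined in the same application context, so it has to be declared in the context that holds the services you want to protect.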

In the section “Spring Security Concepts” we will cover the important concepts of Spring Security highlighted above in more detail.

Tomcy John
Blogger & Author at javacodebook
He is an Enterprise Java Specialist holding a degree in Engineering (B-Tech) with over 10 years of experience in several industries. He's currently working as Principal Architect at Emirates Group IT since 2005. Prior to this he has worked with Oracle Corporation and Ernst & Young. His main specialization is on various web technologies and acts as chief mentor and Architect to facilitate incorporating Spring as Corporate Standard in the organization.