Project Modules and Dependencies

即使您不使用 Maven,我们建议您查阅 pom.xml 文件,以便了解第三方依赖项和版本。另一个好主意是检查包含在示例应用程序中的库。

Even if you do not use Maven, we recommend that you consult the pom.xml files to get an idea of third-party dependencies and versions. Another good idea is to examine the libraries that are included in the sample applications.

本节提供了 Spring Security 中模块的参考,以及它们在运行的应用程序中运行所需的附加依赖项。我们不包括仅在构建或测试 Spring Security 本身时才会使用的依赖项。我们也不包括外部依赖项所需的传递性依赖项。

This section provides a reference of the modules in Spring Security and the additional dependencies that they require in order to function in a running application. We do not include dependencies that are used only when building or testing Spring Security itself. Nor do we include transitive dependencies that are required by external dependencies.

项目网站上列出了所需的 Spring 版本,因此在示例中 Spring 依赖项的特定版本被省略。请注意,示例中列为 “optional” 的某些依赖项仍可能需要用于 Spring 应用程序中的其他非安全功能。此外,如果在大多数应用程序中使用了列为 “optional” 的依赖项,则不一定会在项目的 Maven POM 文件中标记为这样。它们 “optional” 仅表示在您不使用指定功能的情况下不需要它们。

The version of Spring required is listed on the project website, so the specific versions are omitted for Spring dependencies in the examples. Note that some of the dependencies listed as “optional” in the examples may still be required for other non-security functionality in a Spring application Also dependencies listed as “optional” may not actually be marked as such in the project’s Maven POM files if they are used in most applications. They are “optional” only in the sense that you do not need them unless you use the specified functionality.

如果一个模块依赖另一个 Spring Security 模块,那么它所依赖模块的非可选依赖项也被认为是必需的,并且不会单独列出。

Where a module depends on another Spring Security module, the non-optional dependencies of the module it depends on are also assumed to be required and are not listed separately.

Core — `spring-security-core.jar`

此模块包含核心身份验证和访问控制类和接口、远程支持和基本预置 API。任何使用 Spring Security 的应用程序都需要它。它支持独立应用程序、远程客户端、方法(服务层)安全性和 JDBC 用户预置。它包含以下顶级软件包:

This module contains core authentication and access-control classes and interfaces, remoting support, and basic provisioning APIs. It is required by any application that uses Spring Security. It supports standalone applications, remote clients, method (service layer) security, and JDBC user provisioning. It contains the following top-level packages:

  • org.springframework.security.core

  • org.springframework.security.access

  • org.springframework.security.authentication

  • org.springframework.security.provisioning

Table 1. Core Dependencies
Dependency Version Description

ehcache

1.6.2

Required if the Ehcache-based user cache implementation is used (optional).

spring-aop

Method security is based on Spring AOP

spring-beans

Required for Spring configuration

spring-expression

Required for expression-based method security (optional)

spring-jdbc

Required if using a database to store user data (optional).

spring-tx

Required if using a database to store user data (optional).

aspectjrt

1.6.10

Required if using AspectJ support (optional).

jsr250-api

1.0

Required if you are using JSR-250 method-security annotations (optional).

Remoting — `spring-security-remoting.jar`

此模块提供与 Spring Remoting 的集成。除非您正在编写使用 Spring Remoting 的远程客户端,否则不需要此模块。主要软件包是 org.springframework.security.remoting

This module provides integration with Spring Remoting. You do not need this unless you are writing a remote client that uses Spring Remoting. The main package is org.springframework.security.remoting.

Table 2. Remoting Dependencies
Dependency Version Description

spring-security-core

spring-web

Required for clients which use HTTP remoting support.

Web — `spring-security-web.jar`

此模块包含过滤器和相关的 Web 安全基础设施代码。它包含具有 Servlet API 依赖项的内容。如果您需要 Spring Security Web 身份验证服务和基于 URL 的访问控制,则需要它。主要软件包是 org.springframework.security.web

This module contains filters and related web-security infrastructure code. It contains anything with a servlet API dependency. You need it if you require Spring Security web authentication services and URL-based access-control. The main package is org.springframework.security.web.

Table 3. Web Dependencies
Dependency Version Description

spring-security-core

spring-web

Required for clients that use HTTP remoting support.

spring-jdbc

Required for a JDBC-based persistent remember-me token repository (optional).

spring-tx

Required by remember-me persistent token repository implementations (optional).

Config — `spring-security-config.jar`

此模块包含安全命名空间解析代码和 Java 配置代码。如果您将 Spring Security XML 命名空间用于配置或 Spring Security 的 Java 配置支持,则需要它。主要软件包是 org.springframework.security.config。任何类都不打算在应用程序中直接使用。

This module contains the security namespace parsing code and Java configuration code. You need it if you use the Spring Security XML namespace for configuration or Spring Security’s Java Configuration support. The main package is org.springframework.security.config. None of the classes are intended for direct use in an application.

Table 4. Config Dependencies
Dependency Version Description

spring-security-core

spring-security-web

Required if you are using any web-related namespace configuration (optional).

spring-security-ldap

Required if you are using the LDAP namespace options (optional).

aspectjweaver

1.6.10

Required if using the protect-pointcut namespace syntax (optional).

LDAP — `spring-security-ldap.jar`

此模块提供 LDAP 身份验证和预置代码。如果您需要使用 LDAP 身份验证或管理 LDAP 用户条目,则需要它。顶级软件包是 org.springframework.security.ldap

This module provides LDAP authentication and provisioning code. It is required if you need to use LDAP authentication or manage LDAP user entries. The top-level package is org.springframework.security.ldap.

Table 5. LDAP Dependencies
Dependency Version Description

spring-security-core

spring-ldap-core

1.3.0

LDAP support is based on Spring LDAP.

spring-tx

Data exception classes are required.

apache-ds

1.5.5

Required if you are using an embedded LDAP server (optional). If you use apache-ds, the apacheds-core, apacheds-core-entry, apacheds-protocol-shared, apacheds-protocol-ldap and apacheds-server-jndi modules are required.

shared-ldap

0.9.15

Required if you are using an embedded LDAP server (optional).

ldapsdk

4.1

Mozilla LdapSDK. Used for decoding LDAP password policy controls if you are using password-policy functionality with OpenLDAP, for example.

OAuth 2.0 Core — `spring-security-oauth2-core.jar`

spring-security-oauth2-core.jar 包含提供对 OAuth 2.0 授权框架和 OpenID Connect Core 1.0 支持的核心类和接口。使用 OAuth 2.0 或 OpenID Connect Core 1.0 的应用程序需要它,例如客户端、资源服务器和授权服务器。顶级软件包是 org.springframework.security.oauth2.core

spring-security-oauth2-core.jar contains core classes and interfaces that provide support for the OAuth 2.0 Authorization Framework and for OpenID Connect Core 1.0. It is required by applications that use OAuth 2.0 or OpenID Connect Core 1.0, such as client, resource server, and authorization server. The top-level package is org.springframework.security.oauth2.core.

OAuth 2.0 Client — `spring-security-oauth2-client.jar`

spring-security-oauth2-client.jar 包含 Spring Security 对 OAuth 2.0 授权框架和 OpenID Connect Core 1.0 的客户端支持。使用 OAuth 2.0 或 OpenID Connect Core 1.0 的应用程序需要它,例如客户端、资源服务器和授权服务器。顶级软件包是 org.springframework.security.oauth2.core

spring-security-oauth2-client.jar contains Spring Security’s client support for OAuth 2.0 Authorization Framework and OpenID Connect Core 1.0. It is required by applications that use OAuth 2.0 or OpenID Connect Core 1.0, such as the client, the resource server, and the authorization server. The top-level package is org.springframework.security.oauth2.core.

OAuth 2.0 JOSE — `spring-security-oauth2-jose.jar`

spring-security-oauth2-jose.jar 包含 Spring Security 对 JOSE(Javascript 对象签名和加密)框架的支持。JOSE 框架旨在提供一种在各方之间安全地传输声明的方法。它是从一组规范构建的:

spring-security-oauth2-jose.jar contains Spring Security’s support for the JOSE (Javascript Object Signing and Encryption) framework. The JOSE framework is intended to provide a method to securely transfer claims between parties. It is built from a collection of specifications:

  • JSON Web Token (JWT)

  • JSON Web Signature (JWS)

  • JSON Web Encryption (JWE)

  • JSON Web Key (JWK)

它包含以下顶级软件包:

It contains the following top-level packages:

  • org.springframework.security.oauth2.jwt

  • org.springframework.security.oauth2.jose

OAuth 2.0 Resource Server — `spring-security-oauth2-resource-server.jar`

spring-security-oauth2-resource-server.jar 包含 Spring Security 对 OAuth 2.0 资源服务器的支持。它用于通过使用 OAuth 2.0 持有令牌来保护 API。顶级软件包是 org.springframework.security.oauth2.server.resource

spring-security-oauth2-resource-server.jar contains Spring Security’s support for OAuth 2.0 Resource Servers. It is used to protect APIs by using OAuth 2.0 Bearer Tokens. The top-level package is org.springframework.security.oauth2.server.resource.

ACL — `spring-security-acl.jar`

此模块包含一个专门的域对象 ACL 实现。它用于将安全性应用于应用程序中的特定域对象实例。顶级软件包是 org.springframework.security.acls

This module contains a specialized domain object ACL implementation. It is used to apply security to specific domain object instances within your application. The top-level package is org.springframework.security.acls.

Table 6. ACL Dependencies
Dependency Version Description

spring-security-core

ehcache

1.6.2

Required if the Ehcache-based ACL cache implementation is used (optional if you use your own implementation).

spring-jdbc

Required if you are using the default JDBC-based AclService (optional if you implement your own).

spring-tx

Required if you are using the default JDBC-based AclService (optional if you implement your own).

CAS — `spring-security-cas.jar`

此模块包含 Spring Security 的 CAS 客户端集成。如果您想通过 CAS 单点登录服务器使用 Spring Security Web 身份验证,则应使用它。顶级软件包是 org.springframework.security.cas

This module contains Spring Security’s CAS client integration. You should use it if you want to use Spring Security web authentication with a CAS single sign-on server. The top-level package is org.springframework.security.cas.

Table 7. CAS Dependencies
Dependency Version Description

spring-security-core

spring-security-web

cas-client-core

3.1.12

The JA-SIG CAS Client. This is the basis of the Spring Security integration.

ehcache

1.6.2

Required if you are using the Ehcache-based ticket cache (optional).

Test — `spring-security-test.jar`

此模块包含对 Spring Security 测试的支持。

This module contains support for testing with Spring Security.

Taglibs — `spring-security-taglibs.jar`

提供 Spring Security 的 JSP 标签实现。

Provides Spring Security’s JSP tag implementations.

Table 8. Taglib Dependencies
Dependency Version Description

spring-security-core

spring-security-web

spring-security-acl

Required if you are using the accesscontrollist tag or hasPermission() expressions with ACLs (optional).

spring-expression

Required if you are using SPEL expressions in your tag access constraints.