Spring Security Tutorial

Spring Security - Introduction

What is Spring Security?

Spring Security is one of the Spring projects (modules) that secures Spring-based applications. It provides many built-in features for implementing authentication and authorization in an application, and we can use these features, with a few changes of our own, to secure an application very quickly. Beyond that, Spring Security allows extensive customization of those features so that we can implement our own complex authentication and authorization schemes.

In addition to providing various built-in authentication and authorization options, Spring Security lets us customize the authentication process as much as we want. From a custom login page to our own authentication providers and authentication filters, we can customize almost every aspect of the authentication process. We can define our own authentication flow, ranging from basic authentication with a username and password to a complex one such as two-factor authentication using tokens and OTPs. We can also use various databases, both relational and non-relational, use various password encoders, lock malicious users out of their accounts, and so on.

Authentication and Authorization

Authentication and authorization are the two main components of Spring Security.

  1. Authentication − Authentication ensures that the user or client is who they claim to be. Spring Security gives us many ways to perform authentication; it supports HTTP Basic authentication, LDAP authentication, JDBC authentication, and more.

  2. Authorization − Authorization checks whether the user has permission to perform an action. If our application is complex, with different kinds of users such as admins, regular users, and other less privileged users, we need to maintain access control within it. For example, a guest user should not be able to access admin content. So, to control access to the various resources in our application, we must check whether a user has permission to access each resource. Spring Security supports roles, claims, etc. to provide user-level authorization.

Spring Security supports a large set of authentication models. Most of these models were developed by third parties or by the Internet Engineering Task Force (IETF) as a standards body. Being able to integrate with such a wide set of third-party authentication models has made Spring Security very popular among developers. Spring also provides its own authentication features. The following list shows the various authentication methods and integrations supported by Spring Security.

  1. HTTP BASIC authentication headers

  2. HTTP Digest authentication headers

  3. HTTP X.509 client certificate exchange

  4. LDAP

  5. Form-based authentication

  6. OpenID authentication

  7. Authentication based on pre-established request headers

  8. JA-SIG Central Authentication Service, an open source single sign-on system

  9. Transparent authentication context propagation for Remote Method Invocation (RMI) and HttpInvoker

  10. Remember Me

  11. Anonymous authentication

  12. Run-as authentication

  13. Java Authentication and Authorization Service (JAAS)

  14. JEE container authentication

  15. Kerberos

  16. Java Open Source Single Sign On (JOSSO)

  17. OpenNMS Network Management Platform

  18. AppFuse

  19. AndroMDA

  20. Mule ESB

  21. Direct Web Request (DWR)

  22. Grails

  23. Tapestry

  24. JTrac

  25. Jasypt

  26. Roller

  27. Elastic Path

  28. Atlassian Crowd

We can also integrate our own custom authentication mechanism with Spring Security.
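The extension point for a custom mechanism is the `AuthenticationProvider` interface: Spring Security hands the provider the submitted credentials and expects back either a fully authenticated `Authentication` or an `AuthenticationException`. The provider below is an added example written for this tutorial, not code from the Spring Security project or the original page. It authenticates against a hypothetical `LegacyUserStore` (an interface invented here to stand in for some store Spring Security has no built-in support for) and maps that store's group names onto Spring roles; the `PasswordEncoder` it depends on is assumed to be a bean such as the BCrypt encoder used elsewhere.

```java
// Added example (not from the tutorial): plugging a custom authentication
// mechanism into Spring Security through the AuthenticationProvider interface.
// LegacyUserStore is a hypothetical dependency defined here for illustration.
package com.example.demo.security;

import java.util.List;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Component;

// Hypothetical store of existing accounts that Spring Security knows nothing about.
interface LegacyUserStore {
    record Record(String passwordHash, List<String> groups) {}

    // Returns null when the username is unknown.
    Record find(String username);
}

@Component
public class LegacyStoreAuthenticationProvider implements AuthenticationProvider {

    private final LegacyUserStore store;
    private final PasswordEncoder encoder;
    // A throwaway hash used so that an unknown username still costs one full
    // password comparison; otherwise response time would reveal which usernames exist.
    private final String dummyHash;

    public LegacyStoreAuthenticationProvider(LegacyUserStore store, PasswordEncoder encoder) {
        this.store = store;
        this.encoder = encoder;
        this.dummyHash = encoder.encode("dummy-password-never-accepted");
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        String rawPassword = (String) authentication.getCredentials();

        LegacyUserStore.Record record = store.find(username);
        String hashToCheck = (record == null) ? dummyHash : record.passwordHash();

        // Always run the comparison, then reject with one generic message for both
        // "no such user" and "wrong password".
        boolean passwordOk = encoder.matches(rawPassword, hashToCheck);
        if (record == null || !passwordOk) {
            throw new BadCredentialsException("Bad credentials");
        }

        // Map legacy group names onto Spring roles (hasRole("ADMIN") expects ROLE_ADMIN).
        List<SimpleGrantedAuthority> authorities = record.groups().stream()
                .map(group -> new SimpleGrantedAuthority("ROLE_" + group.toUpperCase()))
                .toList();

        // Return an authenticated token with the credentials erased so the raw
        // password does not stay in the SecurityContext for the rest of the session.
        return UsernamePasswordAuthenticationToken.authenticated(username, null, authorities);
    }

    // Only offer to handle username/password logins; other token types are
    // left to other providers in the chain.
    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Register the provider with `http.authenticationProvider(provider)` inside the `SecurityFilterChain` bean; when it is the only `AuthenticationProvider` bean in the context, Spring Security's default configuration will also pick it up automatically. The `dummyHash` comparison mirrors what Spring's own `DaoAuthenticationProvider` does for unknown users and is the detail most custom providers forget.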

History of Spring Security

Spring Security started in late 2003 as "The Acegi Security System for Spring", a simple Spring-based security implementation. Later, as Spring community members asked about an existing framework, it was assigned to one community member to work on, and by January 2004 a team of 20+ people was working on the project, which was established as a SourceForge project in March 2004. Initially Spring Security had no authentication module of its own; it relied completely on container-managed security, and the Acegi Security System focused only on authorization modules.

In the following year, 2005, Acegi Security-specific authentication services were introduced, and the Acegi Security System became an official Spring sub-project. In May 2006, after being used in numerous production systems and receiving community improvements and bug fixes, version 1.0.0 was released. By the end of 2007, the Acegi Security System was rebranded as Spring Security and became an official Spring Portfolio project.