Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
Spring Security
open-in-new
<h2 id="authentication-flow">Authentication flow</h2> <p>Diagram 1 shows the basic flow of an authentication request using the Spring Security system. It shows the different filters and how they interact from the initial browser request, to either a successful authentication or an HTTP 403 error. </p> <table><tbody><tr><td colspan="2">Browser submits "<i>authentication credentials</i>"</td></tr><tr><td colspan="2">"<i>Authentication mechanism</i>" collects the details</td></tr><tr><td></td><td>An "<i>authentication request</i>" object is built</td></tr><tr><td></td><td><i>Authentication request</i> sent to an AuthenticationManager</td></tr><tr><td></td><td><i>AuthenticationManager</i> (this is responsible for passing requests through a chain of <i>AuthenticationProviders</i>)</td></tr><tr><td></td><td>"<i>Authentication provider</i>" will ask a UserDetailsService to provide a UserDetails object</td></tr><tr><td></td><td>The resultant UserDetails object (which also contains the <i>GrantedAuthority[]s</i>) will be used to build the fully populated Authentication object.</td></tr><tr><td colspan="2">If "<i>Authentication mechanism</i>" receives back the fully populated Authentication object, it will deem the request valid, put the Authentication into the SecurityContextHolder; and cause the original request to be retried.If, on the other hand, the AuthenticationProvider rejected the request, the authentication mechanism will ask the user agent to retry.</td></tr><tr><td colspan="2"><i>AbstractSecurityInterceptor</i> authorizes the regenerated request and throws Java exceptions. (Asks AccessDecisionManager for decision.)</td></tr><tr><td colspan="2"><i>ExceptionTranslationFilter</i> translates the exceptions thrown by <i>AbstractSecurityInterceptor</i> into HTTP related error codes</td></tr><tr><td></td><td>Error code 403 – if the principal has been authenticated and therefore simply lacks sufficient accessLaunch an AuthenticationEntryPoint – if the principal has not been authenticated which is an authentication mechanism</td></tr></tbody></table> <h2 id="key-authentication-features">Key authentication features</h2> <ul><li><a href="/facts/Lightweight_Directory_Access_Protocol/KgpfD8nR">LDAP</a> (using both bind-based and password comparison strategies) for centralization of authentication information.<a class="footnote-ref" id="fnref:2" href="#fn:2"><sup>2</sup></a>: 358–362, §7-3 </li> <li><a href="/facts/Single_sign-on/qqqLoB8h">Single sign-on</a> capabilities using the popular <a href="/facts/Central_Authentication_Service/29qQ65Tu">Central Authentication Service</a>.</li> <li><a href="/facts/Java_Authentication_and_Authorization_Service/SICEXQK5">Java Authentication and Authorization Service</a> (JAAS) LoginModule, a standards-based method for authentication used within Java. Note this feature is only a delegation to a JAAS Loginmodule.<a class="footnote-ref" id="fnref:3" href="#fn:3"><sup>3</sup></a></li> <li><a href="/facts/Basic_access_authentication/9N7Q1AYy">Basic access authentication</a> as defined through RFC 1945.</li> <li><a href="/facts/Digest_access_authentication/V1tmcv5h">Digest access authentication</a><a class="footnote-ref" id="fnref:4" href="#fn:4"><sup>4</sup></a>: 356–358, §7-3 as defined through RFC 2617 and RFC 2069.</li> <li><a href="/facts/X.509/rs0JuYDd">X.509</a> <a href="/facts/Client_certificate/6w3cM2AV">client certificate</a> presentation over the <a href="/facts/Secure_Sockets_Layer/pGy16TnA">Secure Sockets Layer</a> standard.</li> <li><a href="/facts/CA,_Inc/DErAtDJF">CA, Inc</a> SiteMinder for authentication (a popular commercial access management product).</li> <li><a href="/facts/Su_(Unix)/doJ74AIv">Su (Unix)</a>-like support for switching principal identity over a <a href="/facts/HTTP/TWtvf7JD">HTTP</a> or <a href="/facts/HTTPS/MSWYz4zo">HTTPS</a> connection.</li> <li>Run-as replacement, which enables an operation to assume a different security identity.</li> <li>Anonymous authentication, which means that even unauthenticated principals are allocated a security identity.</li> <li>Container adapter (custom realm) support for <a href="/facts/Apache_Tomcat/psmVfM2B">Apache Tomcat</a>, <a href="/facts/Resin_Server/g3WzgQQ0">Resin</a>, <a href="/facts/JBoss/sdwoM5jn">JBoss</a> and <a href="/facts/Jetty_(web_server)/QI8x2ooX">Jetty (web server)</a>.</li> <li>Windows <a href="/facts/NTLM/R6H8vAFL">NTLM</a> to enable browser integration (experimental).</li> <li>Web form authentication, similar to the <a href="/facts/Servlet_container/Pv06YKvB">servlet container</a> specification.</li> <li>"Remember-me" support via <a href="/facts/HTTP_cookie/o1laXyng">HTTP cookies</a>.</li> <li>Concurrent session support, which limits the number of simultaneous logins permitted by a principal.</li> <li>Full support for customization and plugging in custom authentication implementations.</li></ul> <h2 id="key-authorization-features">Key authorization features</h2> <ul><li><a href="/facts/AspectJ/0ctawTQj">AspectJ</a> method invocation authorization.</li> <li><a href="/facts/HTTP/TWtvf7JD">HTTP</a> authorization of web request <a href="/facts/Uniform_Resource_Locator/pPD5g7Wq">URLs</a> using a choice of <a href="/facts/Apache_Ant/CT6ABXEx">Apache Ant</a> paths or <a href="/facts/Regular_expressions/KFL3veHX">regular expressions</a>.</li></ul> <h2 id="instance-based-security-features">Instance-based security features</h2> <ul><li>Used for specifying <a href="/facts/Access_control_list/t38J9Vao">access control lists</a> applicable to <a href="/facts/Domain_object/vJpcBKxu">domain objects</a>.</li> <li>Spring Security offers a repository for storing, retrieving, and modifying ACLs in a <a href="/facts/Database/VYcpkevb">database</a>.<a class="footnote-ref" id="fnref:5" href="#fn:5"><sup>5</sup></a>: 376–381, §7-7 </li> <li><a href="/facts/Authorization/FYFAkCH2">Authorization</a> features are provided to enforce policies before and after method invocations.</li></ul> <h2 id="other-features">Other features</h2> <ul><li><a href="/facts/Software_localization/IGkl9VBM">Software localization</a> so <a href="/facts/User_interface/e9sPEWVD">user interface</a> messages can be in any language.</li> <li>Channel security, to automatically switch between <a href="/facts/HTTP/TWtvf7JD">HTTP</a> and <a href="/facts/HTTPS/MSWYz4zo">HTTPS</a> upon meeting particular rules.</li> <li><a href="/facts/Cache_(computing)/gmJYN8wm">Caching</a> in all database-touching areas of the framework.</li> <li>Publishing of messages to facilitate <a href="/facts/Event-driven_programming/QlGL2Fu6">event-driven programming</a>.</li> <li>Support for performing integration testing via <a href="/facts/JUnit/zlddF9S2">JUnit</a>.</li> <li>Spring Security itself has comprehensive <a href="/facts/JUnit/zlddF9S2">JUnit</a> isolation tests.</li> <li>Several sample applications, detailed <a href="/facts/Javadoc/pm72Xvlf">JavaDocs</a> and a reference guide.</li> <li>Web framework independence.</li></ul> <h2 id="releases">Releases</h2> <ul><li>2.0.0 (April 2008)</li> <li>3.0.0 (December 2009)</li> <li>3.1.0 (December 7, 2011)</li> <li>3.1.2 (August 10, 2012)</li> <li>3.2.0 (December 16, 2013)</li> <li>4.0.0 (March 26, 2015)</li> <li>4.1.3 (August 24, 2016)</li> <li>4.2.0 (November 10, 2016)</li> <li>3.2.10, 4.1.4, 4.2.1 (December 22, 2016)</li> <li>4.2.2 (March 2, 2017)</li> <li>4.2.3 (June 8, 2017)</li> <li>5.0.0 (November 28, 2017)</li> <li>5.0.8, 4.2.8 (September 11, 2018)<a class="footnote-ref" id="fnref:6" href="#fn:6"><sup>6</sup></a></li> <li>5.1.0 GA (September 27, 2018)<a class="footnote-ref" id="fnref:7" href="#fn:7"><sup>7</sup></a></li> <li>5.1.1, 5.0.9, 4.2.9 (October 16, 2018)<a class="footnote-ref" id="fnref:8" href="#fn:8"><sup>8</sup></a></li> <li>5.1.2, 5.0.10, 4.2.10 (November 29, 2018)<a class="footnote-ref" id="fnref:9" href="#fn:9"><sup>9</sup></a></li> <li>5.1.3, 5.0.11, 4.2.11 (January 11, 2019)<a class="footnote-ref" id="fnref:10" href="#fn:10"><sup>10</sup></a></li> <li>5.1.4 (February 14, 2019)<a class="footnote-ref" id="fnref:11" href="#fn:11"><sup>11</sup></a></li> <li>5.1.5, 5.0.12, 4.2.12 (April 3, 2019)<a class="footnote-ref" id="fnref:12" href="#fn:12"><sup>12</sup></a></li></ul> <h2 id="citations">Citations</h2> <ul><li>Deinum, Marten; Rubio, Daniel; Long, Josh; Mak, Gary (September 1, 2014). <i>Spring Recipes: A Problem-Solution Approach</i> (Second ed.). <a href="/facts/Apress/pxdyEeD3">Apress</a>. p. 1104. <a href="/facts/ISBN_(identifier)/15AdSPa9">ISBN</a> 978-1-4302-2499-0.</li> <li><a href="https://spring.io/blog/2007/01/25/why-the-name-acegi">"Why the name Acegi?"</a>. <i>spring.io</i>.</li></ul> <h2 id="external-links">External links</h2> <ul><li><a href="http://projects.spring.io/spring-security/">Official website</a></li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>"Why the name Acegi?". spring.io. <a href="https://spring.io/blog/2007/01/25/why-the-name-acegi" target="_blank">https://spring.io/blog/2007/01/25/why-the-name-acegi</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>Deinum et al. 2014. - Deinum, Marten; Rubio, Daniel; Long, Josh; Mak, Gary (September 1, 2014). Spring Recipes: A Problem-Solution Approach (Second ed.). Apress. p. 1104. ISBN 978-1-4302-2499-0. <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>"Master OAuth: How To Build a Secure Authorization Server". December 29, 2024. <a href="https://authorization.news/master-oauth-how-to-build-a-secure-authorization-serverpart-ii/" target="_blank">https://authorization.news/master-oauth-how-to-build-a-secure-authorization-serverpart-ii/</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>Deinum et al. 2014. - Deinum, Marten; Rubio, Daniel; Long, Josh; Mak, Gary (September 1, 2014). Spring Recipes: A Problem-Solution Approach (Second ed.). Apress. p. 1104. ISBN 978-1-4302-2499-0. <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> <li id="fn:5"><p>Deinum et al. 2014. - Deinum, Marten; Rubio, Daniel; Long, Josh; Mak, Gary (September 1, 2014). Spring Recipes: A Problem-Solution Approach (Second ed.). Apress. p. 1104. ISBN 978-1-4302-2499-0. <a href="#fnref:5" class="footnote-back-ref">↩</a></p></li> <li id="fn:6"><p>"Spring Security 5.0.8 and 4.2.8 Released". spring.io. Retrieved 2019-06-09. <a href="https://spring.io/blog/2018/09/11/spring-security-5-0-8-and-4-2-8-released" target="_blank">https://spring.io/blog/2018/09/11/spring-security-5-0-8-and-4-2-8-released</a> <a href="#fnref:6" class="footnote-back-ref">↩</a></p></li> <li id="fn:7"><p>"Spring Security 5.1 goes GA". spring.io. Retrieved 2019-06-09. <a href="https://spring.io/blog/2018/09/27/spring-security-5-1-goes-ga" target="_blank">https://spring.io/blog/2018/09/27/spring-security-5-1-goes-ga</a> <a href="#fnref:7" class="footnote-back-ref">↩</a></p></li> <li id="fn:8"><p>"Spring Security 5.1.1, 5.0.9, and 4.2.9 Released". spring.io. Retrieved 2019-06-09. <a href="https://spring.io/blog/2018/10/16/spring-security-5-1-1-5-0-9-and-4-2-9-released" target="_blank">https://spring.io/blog/2018/10/16/spring-security-5-1-1-5-0-9-and-4-2-9-released</a> <a href="#fnref:8" class="footnote-back-ref">↩</a></p></li> <li id="fn:9"><p>"Spring Security 5.1.2, 5.0.10, 4.2.10 Released". spring.io. Retrieved 2019-06-09. <a href="https://spring.io/blog/2018/11/29/spring-security-5-1-2-5-0-10-4-2-10-released" target="_blank">https://spring.io/blog/2018/11/29/spring-security-5-1-2-5-0-10-4-2-10-released</a> <a href="#fnref:9" class="footnote-back-ref">↩</a></p></li> <li id="fn:10"><p>"Spring Security 5.1.3, 5.0.11, 4.2.11 Released". spring.io. Retrieved 2019-06-09. <a href="https://spring.io/blog/2019/01/11/spring-security-5-1-3-5-0-11-4-2-11-released" target="_blank">https://spring.io/blog/2019/01/11/spring-security-5-1-3-5-0-11-4-2-11-released</a> <a href="#fnref:10" class="footnote-back-ref">↩</a></p></li> <li id="fn:11"><p>"Spring Security 5.1.4 Released". spring.io. Retrieved 2019-06-09. <a href="https://spring.io/blog/2019/02/14/spring-security-5-1-4-released" target="_blank">https://spring.io/blog/2019/02/14/spring-security-5-1-4-released</a> <a href="#fnref:11" class="footnote-back-ref">↩</a></p></li> <li id="fn:12"><p>"Spring Security 5.1.5, 5.0.12, 4.2.12 Released". spring.io. Retrieved 2019-06-09. <a href="https://spring.io/blog/2019/04/03/spring-security-5-1-5-5-0-12-4-2-12-released" target="_blank">https://spring.io/blog/2019/04/03/spring-security-5-1-5-5-0-12-4-2-12-released</a> <a href="#fnref:12" class="footnote-back-ref">↩</a></p></li> </ol>