Spring Security 3.1: Multiple http, Stateless, Debug, Crypto, HttpOnly, Custom form-login Params
SpringSource has released Spring Security 3.1.0. The last major Spring Security release was version 3.0.0 released on December 23, 2009 with maintenance releases up to 3.0.7. Here is what's new with Spring Security 3.1.
- Multiple http Elements.
You can now create multiple http elements to define different security filter chain configurations for different request patterns. The http element will match all request patterns if the pattern attribute is not specified. Using the request-matcher attribute instead of the pattern attribute for more powerful matching is still supported. The primary use case is to support stateless and stateful URLs in the same application, like specifying different a security configuration for the web application and the REST services it exposes. It is also now possible to bypass the security filter completely by setting the security attribute to none.
<http pattern="/resources/**" security="none" /> <http> ... </http>
- stateless Option for http@create-session
If you specify create-session="stateless", Spring Security will not create a session. This differs from the existing create-session="never" which means that Spring Security will not create a session, but will use an existing one if the application creates it.
- debug Element
Enables debugging support. It currently displays the matching of requests to filter chains and the creation of new sessions. Note that the information displayed may include sensitive information and should only be used in a development environment.
<http> ... </http> <debug />
Active Directory is sufficiently different from standard LDAP and is widely used, and thus ActiveDirectoryLdapAuthenticationProvider was created for better Active Directory support.
- Crypto Module
The Spring Security Crypto module provides support for symmetric encryption, key generation, and password encoding. The primary classes introduced are Encryptors, KeyGenerators and PasswordEncoder.
- HttpOnly for Servlet 3.0
It is recommended that remember-me cookies be flagged as "secure" and thus only submitted over HTTPS. By default, the cookie will be secure if the request is secure.
<http> ... <remember-me key="..." use-secure-cookie="true" /> </http>
InMemoryUserDetailsManager provides a non-persistent implementation of UserDetailsManager, which is backed by an in-memory map. This is primarily intended for development and testing purposes, where persistence isn't required.
- hasPermission in authorize tag
Added support for the hasPermission expression on the authorize JSP tag.
<sec:authorize access="hasPermission(#var, 'permission')">
- Disable UI Security
It is now possible to show the parts of the UI which would normally be hidden by the authorize tag. This allows you to easily test whether the URLs are actually secured at the back end. If the system property spring.security.disableUISecurity is set to "true", the contents will still rendered. These "hidden" areas will be surrounded by the <span class="securityHiddenUI"> tag so they can be differentiated using CSS.
If the attribute erase-credentials is set to true, the AuthenticationManager will attempt to clear any credentials data in the returned Authentication object, once the user has been authenticated. It maps to the eraseCredentialsAfterAuthentication property of the ProviderManager. This is the default behavior in Spring Security 3.1.
<http> ... </http> <authentication-manager erase-credentials="true"> ... </authentication-manager>
Added support for clearing cookies on logout. The delete-cookies attribute accepts a comma-separated list of cookie names that will be deleted by Spring Security when the user logs out.
<http> ... <logout delete-cookies="cookieName1, cookieName2, ..." /> </http>
- CAS Proxy Tickets
Added support for CAS (Central Authentication Service) proxy tickets. Spring Security now supports the CAS proxy ticket convention of using the request parameter "ticket".
- JAAS Configuration Injection
Added support for different implementations of JAAS (Java Authentication and Authorization Service) configuration. JAAS support can now be configured solely using Spring configuration, without the need to extend classes.
- Prevent Nested Switches
SwitchUserFilter, the processing filter responsible for user context switching no longer allows nested switches. The method attemptExitUser is now called before every switch.
- http@authentication-manager-ref and global-method-security@authentication-manager-ref
Since it is now possible to have multiple security filter chains, you can now specify a different AuthenticationManager reference for each one.
<global-method-security authentication-manager-ref="..."> <http authentication-manager-ref="..."> <authentication-manager alias="...">
The http element now has the name attribute, which can used for referring to the bean elsewhere in the context.
<http name=""> ... </http>
- http@request-matcher-ref and filter-chain@request-matcher-ref
The request-matcher-ref attribute points to a bean that implements the RequestMatcher interface that will determine if this filter chain should be used. This is a more powerful alternative to http@pattern. You can use the built-in ELRequestMatcher or IpAddressMatcher, or you can create your own custom RequestMatcher.
<http request-matcher-ref="..."> ... </http>
- AuthenticationDetailsSource in Namespace
Added Support for setting the AuthenticationDetailsSource using the namespace which will be used by the authentication filter. An AuthenticationDetailsSource provides a Authentication.getDetails() object for a given web request. See form-login@authentication-details-source-ref, openid-login@authentication-details-source-ref, http-basic@authentication-details-source-ref, and x509@authentication-details-source-ref.
Added support for http/expression-handler for custom expression-based access control. Defines a reference to a Spring bean that implements SecurityExpressionHandler which will be used if expression-based access-control is enabled. A default implementation with no ACL support will be used if not supplied.
<global-method-security expression-handler="..."> <http expression-handler="...">
Sets the AuthenticationEntryPoint for BasicAuthenticationFilter. BasicAuthenticationFilter processes the request's BASIC authorization headers, putting the result into the SecurityContextHolder.
<http> ... <http-basic entry-point-ref="..." /> </http>
The authentication-success-handler-ref attribute sets the authenticationSuccessHandler property on the RememberMeAuthenticationFilter if custom navigation is required. The value should be the name of a AuthenticationSuccessHandler bean used to handle a successful user authentication. The most common use case is to control the navigation to the subsequent destination using a redirect or a forward.
<http> ... <remember-me key="..." authentication-success-handler-ref="..." /> </http>
- method-security-metadata-source and global-method-security@metadata-source-ref
The method-security-metadata-source element creates a MethodSecurityMetadataSource instance, which is a SecurityMetadataSource implementation that is designed to perform lookups keyed on Methods. The MethodSecurityMetadataSource instance supplied will take priority over other sources like the default annotations. The use-expressions attribute enables the use of expressions in the 'access' attributes in
<global-method-security metadata-source-ref="id"> <http> ... </http> <method-security-metadata-source id="id" use-expressions="..." />
The mode attribute can be set to specify that AspectJ should be used instead of the default Spring AOP.
The attribute-exchange element defines the list of attributes to be fetched from the OpenID provider. Multiple attribute-exchange elements can be used, in which case each must have an identifier-match attribute which is matched against the OpenID identifier. This allows different attribute lists to be requested from different identity providers.
<http> ... <openid-login> <attribute-exchange> <openid-attribute name="..." type="..." /> </attribute-exchange> </openid-login> </http>
If available, runs the request as the Subject acquired from the JaasAuthenticationToken which is implemented by adding a JaasApiIntegrationFilter bean to the stack. This is false by default.
<http jaas-api-provision="..."> ... </http>
- form-login@username-parameter and form-login@password-parameter
You can now specify the request parameters for the form-login element. The username-parameter attribute specifies the request parameter which contains the username, which by default is "j_username". The password-parameter attribute specifies the request parameter which contains the password, which by defaults is "j_password".
<http> <form-login username-parameter="..." password-parameter="..." /> </http>
You can get started by downloading the release from the Spring Community Downloads area. For Maven users, use the groupId org.springframework.security, artifactId pattern spring-security-* and dependency version 3.1.0. Don't forget to use the new Spring Security schema, http://www.springframework.org/schema/security/spring-security-3.1.xsd in your Spring Security XML, to take advantage of the namespace enhancements.
For more information, visit the official Spring Security 3.1 Reference Documentation You can clone the source code from the Spring Security Git repository at git://git.springsource.org/spring-security/spring-security.git.
Mike Keane Dec 21, 2014
Jeremy Stieglitz Dec 21, 2014