Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Spring Security 3.1: Multiple http, Stateless, Debug, Crypto, HttpOnly, Custom form-login Params

Spring Security 3.1: Multiple http, Stateless, Debug, Crypto, HttpOnly, Custom form-login Params

This item in japanese

Lire ce contenu en français

SpringSource has released Spring Security 3.1.0. The last major Spring Security release was version 3.0.0 released on December 23, 2009 with maintenance releases up to 3.0.7. Here is what's new with Spring Security 3.1.


  • Multiple http Elements.

    You can now create multiple http elements to define different security filter chain configurations for different request patterns. The http element will match all request patterns if the pattern attribute is not specified. Using the request-matcher attribute instead of the pattern attribute for more powerful matching is still supported. The primary use case is to support stateless and stateful URLs in the same application, like specifying different a security configuration for the web application and the REST services it exposes. It is also now possible to bypass the security filter completely by setting the security attribute to none.

    	<http pattern="/resources/**" security="none" />


  • stateless Option for http@create-session

    If you specify create-session="stateless", Spring Security will not create a session. This differs from the existing create-session="never" which means that Spring Security will not create a session, but will use an existing one if the application creates it.

    	<http create-session="stateless">


  • debug Element

    Enables debugging support. It currently displays the matching of requests to filter chains and the creation of new sessions. Note that the information displayed may include sensitive information and should only be used in a development environment.

    	<debug />


  • ActiveDirectoryLdapAuthenticationProvider

    Active Directory is sufficiently different from standard LDAP and is widely used, and thus ActiveDirectoryLdapAuthenticationProvider was created for better Active Directory support.

  • Crypto Module

    The Spring Security Crypto module provides support for symmetric encryption, key generation, and password encoding. The primary classes introduced are Encryptors, KeyGenerators and PasswordEncoder.

  • HttpOnly for Servlet 3.0

    Added support for the Cookie HttpOnly flag in Servlet 3.0 environments. If the HttpOnly flag is included in the HTTP response header, the cookie cannot be accessed by client side script like JavaScript. This helps prevent cross-site scripting (XSS) attacks. Note that both the server and the browser will need to support the HttpOnly flag for this to work properly.

  • remember-me@use-secure-cookie

    It is recommended that remember-me cookies be flagged as "secure" and thus only submitted over HTTPS. By default, the cookie will be secure if the request is secure.

    		<remember-me key="..." use-secure-cookie="true" />


  • InMemoryUserDetailsManager

    InMemoryUserDetailsManager provides a non-persistent implementation of UserDetailsManager, which is backed by an in-memory map. This is primarily intended for development and testing purposes, where persistence isn't required.

  • hasPermission in authorize tag

    Added support for the hasPermission expression on the authorize JSP tag.

    	<sec:authorize access="hasPermission(#var, 'permission')">


  • Disable UI Security

    It is now possible to show the parts of the UI which would normally be hidden by the authorize tag. This allows you to easily test whether the URLs are actually secured at the back end. If the system property is set to "true", the contents will still rendered. These "hidden" areas will be surrounded by the <span class="securityHiddenUI"> tag so they can be differentiated using CSS.

  • authentication-manager@erase-credentials

    If the attribute erase-credentials is set to true, the AuthenticationManager will attempt to clear any credentials data in the returned Authentication object, once the user has been authenticated. It maps to the eraseCredentialsAfterAuthentication property of the ProviderManager. This is the default behavior in Spring Security 3.1.

    	<authentication-manager erase-credentials="true">


  • logout@delete-cookies

    Added support for clearing cookies on logout. The delete-cookies attribute accepts a comma-separated list of cookie names that will be deleted by Spring Security when the user logs out.

    		<logout delete-cookies="cookieName1, cookieName2, ..." />


  • CAS Proxy Tickets

    Added support for CAS (Central Authentication Service) proxy tickets. Spring Security now supports the CAS proxy ticket convention of using the request parameter "ticket".

  • JAAS Configuration Injection

    Added support for different implementations of JAAS (Java Authentication and Authorization Service) configuration. JAAS support can now be configured solely using Spring configuration, without the need to extend classes.

  • Prevent Nested Switches

    SwitchUserFilter, the processing filter responsible for user context switching no longer allows nested switches. The method attemptExitUser is now called before every switch.

  • http@authentication-manager-ref and global-method-security@authentication-manager-ref

    Since it is now possible to have multiple security filter chains, you can now specify a different AuthenticationManager reference for each one.

    	<global-method-security authentication-manager-ref="...">
    	<http authentication-manager-ref="...">
    	<authentication-manager alias="...">


  • http@name

    The http element now has the name attribute, which can used for referring to the bean elsewhere in the context.

    	<http name="">


  • http@request-matcher-ref and filter-chain@request-matcher-ref

    The request-matcher-ref attribute points to a bean that implements the RequestMatcher interface that will determine if this filter chain should be used. This is a more powerful alternative to http@pattern. You can use the built-in ELRequestMatcher or IpAddressMatcher, or you can create your own custom RequestMatcher.

    	<http request-matcher-ref="...">


  • AuthenticationDetailsSource in Namespace

    Added Support for setting the AuthenticationDetailsSource using the namespace which will be used by the authentication filter. An AuthenticationDetailsSource provides a Authentication.getDetails() object for a given web request. See form-login@authentication-details-source-ref, openid-login@authentication-details-source-ref, http-basic@authentication-details-source-ref, and x509@authentication-details-source-ref.

  • http/expression-handler

    Added support for http/expression-handler for custom expression-based access control. Defines a reference to a Spring bean that implements SecurityExpressionHandler which will be used if expression-based access-control is enabled. A default implementation with no ACL support will be used if not supplied.

    	<global-method-security expression-handler="...">
    	<http expression-handler="...">


  • http-basic@entry-point-ref

    Sets the AuthenticationEntryPoint for BasicAuthenticationFilter. BasicAuthenticationFilter processes the request's BASIC authorization headers, putting the result into the SecurityContextHolder.

    		<http-basic entry-point-ref="..." />


  • remember-me@authentication-success-handler-ref

    The authentication-success-handler-ref attribute sets the authenticationSuccessHandler property on the RememberMeAuthenticationFilter if custom navigation is required. The value should be the name of a AuthenticationSuccessHandler bean used to handle a successful user authentication. The most common use case is to control the navigation to the subsequent destination using a redirect or a forward.

    		<remember-me key="..." authentication-success-handler-ref="..." />


  • method-security-metadata-source and global-method-security@metadata-source-ref

    The method-security-metadata-source element creates a MethodSecurityMetadataSource instance, which is a SecurityMetadataSource implementation that is designed to perform lookups keyed on Methods. The MethodSecurityMetadataSource instance supplied will take priority over other sources like the default annotations. The use-expressions attribute enables the use of expressions in the 'access' attributes in elements.

    	<global-method-security metadata-source-ref="id">
    	<method-security-metadata-source id="id" use-expressions="..." />


  • global-method-security@mode

    The mode attribute can be set to specify that AspectJ should be used instead of the default Spring AOP.

    	<global-method-security mode="aspectj">


  • attribute-exchange

    The attribute-exchange element defines the list of attributes to be fetched from the OpenID provider. Multiple attribute-exchange elements can be used, in which case each must have an identifier-match attribute which is matched against the OpenID identifier. This allows different attribute lists to be requested from different identity providers.

    				<openid-attribute name="..." type="..." />


  • http@jaas-api-provision

    If available, runs the request as the Subject acquired from the JaasAuthenticationToken which is implemented by adding a JaasApiIntegrationFilter bean to the stack. This is false by default.

    	<http jaas-api-provision="...">


  • form-login@username-parameter and form-login@password-parameter

    You can now specify the request parameters for the form-login element. The username-parameter attribute specifies the request parameter which contains the username, which by default is "j_username". The password-parameter attribute specifies the request parameter which contains the password, which by defaults is "j_password".

    		<form-login username-parameter="..." password-parameter="..." />


You can get started by downloading the release from the Spring Community Downloads area. For Maven users, use the groupId, artifactId pattern spring-security-* and dependency version 3.1.0. Don't forget to use the new Spring Security schema, in your Spring Security XML, to take advantage of the namespace enhancements.

For more information, visit the official Spring Security 3.1 Reference Documentation You can clone the source code from the Spring Security Git repository at git://

Rate this Article