Spring Security

Spring Security is a Java/Java EE framework that provides authentication, authorization and other security features for enterprise applications. The project was started in late 2003 as 'Acegi Security' (pronounced Ah-see-gee /ɑːsiːdʒiː/, whose letters are the first, third, fifth and seventh characters from the English alphabet, in order to prevent name conflicts^[2]) by Ben Alex, with it being publicly released under the Apache License in March 2004. Subsequently, Acegi was incorporated into the Spring portfolio as Spring Security, an official Spring sub-project. The first public release under the new name was Spring Security 2.0.0 in April 2008, with commercial support and training available from SpringSource.

Diagram 1 shows the basic flow of an authentication request using the Spring Security system. It shows the different filters and how they interact from the initial browser request, to either a successful authentication or an HTTP 403 error.

• LDAP (using both bind-based and password comparison strategies) for centralization of authentication information.
• Single sign-on capabilities using the popular Central Authentication Service.
• Java Authentication and Authorization Service (JAAS) LoginModule, a standards-based method for authentication used within Java. Note this feature is only a delegation to a JAAS Loginmodule.
• Basic access authentication as defined through RFC 1945.
• Digest access authentication as defined through RFC 2617 and RFC 2069.
• X.509 client certificate presentation over the Secure Sockets Layer standard.
• CA, Inc SiteMinder for authentication (a popular commercial access management product).
• Su (Unix)-like support for switching principal identity over a HTTP or HTTPS connection.
• Run-as replacement, which enables an operation to assume a different security identity.
• Anonymous authentication, which means that even unauthenticated principals are allocated a security identity.
• Container adapter (custom realm) support for Apache Tomcat, Resin, JBoss and Jetty (web server).
• Windows NTLM to enable browser integration (experimental).
• Web form authentication, similar to the Servlet container specification.
• "Remember-me" support via HTTP cookies.
• Concurrent session support, which limits the number of simultaneous logins permitted by a principal.
• Full support for customization and plugging in custom authentication implementations.

• AspectJ method invocation authorization.
• HTTP authorization of web request URLs using a choice of Apache Ant paths or regular expressions.

• Used for specifying access control lists applicable to domain objects.
• Spring Security offers a repository for storing, retrieving, and modifying ACLs in a database.
• Authorization features are provided to enforce policies before and after method invocations.

• Software localization so user interface messages can be in any language.
• Channel security, to automatically switch between HTTP and HTTPS upon meeting particular rules.
• Caching in all database-touching areas of the framework.
• Publishing of messages to facilitate event-driven programming.
• Support for performing integration testing via JUnit.
• Spring Security itself has comprehensive JUnit isolation tests.
• Several sample applications, detailed JavaDocs and a reference guide.
• Web framework independence.

• 2.0.0 (April 2008)
• 3.0.0 (December 2009)
• 3.1.0 (December 07, 2011)
• 3.1.2 (August 10, 2012)
• 3.2.0 (December 16, 2013)
• 4.0.0 (March 26, 2015)
• 4.1.3 (August 24, 2016)
• 4.2.0 (November 10, 2016)
• 3.2.10, 4.1.4, 4.2.1 (December 22, 2016)
• 4.2.2 (March 02, 2017)
• 4.2.3 (June 08, 2017)
• 5.0.0 (November 28, 2017)
• 5.0.8, 4.2.8 (September 11, 2018)^[3]
• 5.1.0 GA (September 27, 2018)^[4]
• 5.1.1, 5.0.9, 4.2.9 (October 16, 2018)^[5]
• 5.1.2, 5.0.10, 4.2.10 (November 29, 2018)^[6]
• 5.1.3, 5.0.11, 4.2.11 (January 11, 2019)^[7]
• 5.1.4 (February 14, 2019)^[8]
• 5.1.5, 5.0.12, 4.2.12 (April 3, 2019)^[9]

• Official website