Spring Security provides comprehensive security services for Java EE-based enterprise software applications. There is a particular emphasis on supporting projects built using The Spring Framework, which is the leading Java EE solution for enterprise software development.
Spring Security为基于Java EE的企业软件应用程序提供全面的安全服务。特别强调支持使用Spring Framework构建的项目,Spring Framework是用于企业软件开发的领先Java EE解决方案。
If you’re not using Spring for developing enterprise applications, we warmly encourage you to take a closer look at it. Some familiarity with Spring - and in particular dependency injection principles - will help you get up to speed with Spring Security more easily.
如果您不使用Spring开发企业应用程序,我们热烈鼓励您仔细研究它。熟悉Spring - 特别是依赖注入原则 - 将帮助您更轻松地熟悉Spring Security。
People use Spring Security for many reasons, but most are drawn to the project after finding the security features of Java EE’s Servlet Specification or EJB Specification lack the depth required for typical enterprise application scenarios.
人们使用Spring Security有很多原因,但是在发现Java EE的Servlet规范或EJB规范的安全特性缺乏典型企业应用程序场景所需的深度之后,大多数人都被这个项目所吸引。
Whilst mentioning these standards, it’s important to recognise that they are not portable at a WAR or EAR level. Therefore, if you switch server environments, it is typically a lot of work to reconfigure your application’s security in the new target environment.
虽然提到这些标准,但重要的是要认识到它们不能在WAR或EAR级别上移植。因此,如果切换服务器环境,在新的目标环境中重新配置应用程序的安全性通常需要做很多工作。
Using Spring Security overcomes these problems, and also brings you dozens of other useful, customisable security features.
使用Spring Security克服了这些问题,并为您提供了许多其他有用的,可自定义的安全功能。
As you probably know two major areas of application security are "authentication" and "authorization" (or "access-control"). These are the two main areas that Spring Security targets. "Authentication" is the process of establishing a principal is who they claim to be (a "principal" generally means a user, device or some other system which can perform an action in your application).
您可能知道应用程序安全性的两个主要方面是“身份验证”和“授权”(或“访问控制”)。这是Spring Security目标的两个主要领域。 “身份验证”是建立委托人的过程,他们声称是谁(“委托人”通常是指用户,设备或其他可以在您的应用程序中执行操作的系统)。
."Authorization" refers to the process of deciding whether a principal is allowed to perform an action within your application. To arrive at the point where an authorization decision is needed, the identity of the principal has already been established by the authentication process. These concepts are common, and not at all specific to Spring Security.
“授权”是指决定是否允许委托人在您的申请中执行诉讼的过程。为了达到需要授权决定的程度,已经通过认证过程建立了委托人的身份。这些概念很常见,并不是Spring Security特有的。
At an authentication level, Spring Security supports a wide range of authentication models. Most of these authentication models are either provided by third parties, or are developed by relevant standards bodies such as the Internet Engineering Task Force.
在身份验证级别,Spring Security支持各种身份验证模型。大多数这些身份验证模型由第三方提供,或由相关标准机构(如Internet工程任务组)开发。
In addition, Spring Security provides its own set of authentication features. Specifically, Spring Security currently supports authentication integration with all of these technologies:
此外,Spring Security还提供了一组自己的身份验证功能。具体来说,Spring Security目前支持与所有这些技术的身份验证集成:
- HTTP BASIC authentication headers (an IETF RFC-based standard)
-
HTTP BASIC身份验证标头(基于IETF RFC的标准)
- HTTP Digest authentication headers (an IETF RFC-based standard)
-
HTTP摘要式身份验证标头(基于IETF RFC的标准)
- HTTP X.509 client certificate exchange (an IETF RFC-based standard)
-
HTTP X.509客户端证书交换(基于IETF RFC的标准)
- LDAP (a very common approach to cross-platform authentication needs, especially in large environments)
-
LDAP(一种非常常见的跨平台身份验证方法,特别是在大型环境中)
- Form-based authentication (for simple user interface needs)
-
基于表单的身份验证(用于简单的用户界面需求)
- OpenID authentication
-
OpenID身份验证
- Authentication based on pre-established request headers (such as Computer Associates Siteminder)
-
基于预先建立的请求标头的身份验证(例如Computer Associates Siteminder)
- Jasig Central Authentication Service (otherwise known as CAS, which is a popular open source single sign-on system)
-
Jasig中央认证服务(也称为CAS,是一种流行的开源单点登录系统)
- Transparent authentication context propagation for Remote Method Invocation (RMI) and HttpInvoker (a Spring remoting protocol)
-
远程方法调用(RMI)和HttpInvoker(Spring远程协议)的透明身份验证上下文传播
- Automatic "remember-me" authentication (so you can tick a box to avoid re-authentication for a predetermined period of time)
-
自动“记住我”身份验证(因此您可以勾选一个框以避免在预定时间段内重新进行身份验证)
- Anonymous authentication (allowing every unauthenticated call to automatically assume a particular security identity)
-
匿名身份验证(允许每个未经身份验证的呼叫自动承担特定的安全身份)
- Run-as authentication (which is useful if one call should proceed with a different security identity)
-
运行身份验证(如果一个调用应继续使用不同的安全标识,则非常有用)
- Java Authentication and Authorization Service (JAAS)
-
Java身份验证和授权服务(JAAS)
- Java EE container authentication (so you can still use Container Managed Authentication if desired)
-
Java EE容器身份验证(如果需要,您仍然可以使用容器管理身份验证)
- Kerberos
- kerberos的
- Java Open Source Single Sign-On (JOSSO) *
-
Java开源单点登录(JOSSO)*
- OpenNMS Network Management Platform *
-
OpenNMS网络管理平台*
- AppFuse *
- AndroMDA *
- Mule ESB *
- Direct Web Request (DWR) *
-
直接Web请求(DWR)*
- Grails *
- Tapestry *
- JTrac *
- Jasypt *
- Roller *
- Elastic Path *
- Atlassian Crowd *
- Your own authentication systems (see below)
-
您自己的身份验证系统(见下文)
* Denotes provided by a third party
表示由第三方提供
Many independent software vendors (ISVs) adopt Spring Security because of this significant choice of flexible authentication models. Doing so allows them to quickly integrate their solutions with whatever their end clients need, without undertaking a lot of engineering or requiring the client to change their environment
许多独立软件供应商(ISV)采用Spring Security,因为这种灵活的身份验证模型的选择很多。这样做可以让他们快速地将他们的解决方案与他们最终客户的需求集成在一起,而无需进行大量工程或要求客户改变他们的环境
If none of the above authentication mechanisms suit your needs, Spring Security is an open platform and it is quite simple to write your own authentication mechanism.
如果上述认证机制都不适合您的需求,Spring Security是一个开放平台,编写自己的认证机制非常简单。
Many corporate users of Spring Security need to integrate with "legacy" systems that don’t follow any particular security standards, and Spring Security is happy to "play nicely" with such systems.
Spring Security的许多企业用户需要与不遵循任何特定安全标准的“遗留”系统集成,Spring Security很乐意与这些系统“很好地”合作。
Irrespective of the authentication mechanism, Spring Security provides a deep set of authorization capabilities. There are three main areas of interest: authorizing web requests, authorizing whether methods can be invoked and authorizing access to individual domain object instances.
无论身份验证机制如何,Spring Security都提供了一组深层授权功能。主要有三个方面:授权Web请求,授权是否可以调用方法以及授权访问单个域对象实例。
To help you understand the differences, consider the authorization capabilities found in the Servlet Specification web pattern security, EJB Container Managed Security and file system security respectively. Spring Security provides deep capabilities in all of these important areas, which we’ll explore later in this reference guide.
为帮助您了解这些差异,请分别考虑Servlet规范Web模式安全性,EJB容器管理安全性和文件系统安全性中的授权功能。 Spring Security在所有这些重要领域提供了深入的功能,我们将在本参考指南的后面部分进行探讨。