What's New in Spring Security 2?

I was cruising the blogosphere today and encountered one of the shortest blogs I've ever read. To quote nearly the entire entry, "Every time you use Acegi, a fairy dies. The sad thing is there really isn't anything better around…".
Between our community forums, developer lists, JIRA, user conference BOFs, training, support, consulting and team blog, we receive a great deal of community feedback. There is little doubt that many people have sought improvements to the Spring Security (formerly Acegi) configuration format, and we've invested a lot of time in making that possible.
As I'll be presenting at next week's Spring Experience conference, Spring Security 2.0.0 M1 features tremendously simplified configuration. You will now be able to add Spring Security to your application in three steps:
- Add the required JARs to your classpath. Maven 2 users can simply specify a dependency in their POM, as we use Maven to build.
- Add a single filter and corresponding mapping to your web.xml.
- Add a few elements to your Spring container configuration file.
Adding the filter to web.xml requires the following code (the filter's URL pattern of /* hands every request to Spring Security's filter chain):
<filter>
<filter-name>_filterChainProxy</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>_filterChainProxy</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
The third and final step requires you to add the new Spring Security 2 namespace to an existing configuration file, or create a new XML file containing your security configuration. For many users, the file will be very short and resemble:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans">
<annotation-driven />
<http auto-config="true">
<intercept-url pattern="/**" access="IS_AUTHENTICATED_REMEMBERED" />
</http>
<repository>
<user-service hash="md5:hex">
<user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR,ROLE_USER" />
</user-service>
</repository>
</beans:beans>
The above configuration reliably delivers the following capabilities to your web application:
- Form based login
- A logout handler
- Automatic generation of a login page
- BASIC authentication support (ideal for remoting protocols and web services)
- Remember-me support via cookies
- Anonymous authentication (so all your anonymous users have a username and role)
- Integration with your database-backed user repository (you can also specify them in XML with <user …/>)
- Automatic enforcement of @Secured annotations on your Spring-managed objects
- Servlet API integration (i.e. HttpServletRequest.isUserInRole(String) and HttpServletRequest.getUserPrincipal())
- A requirement to logon to use any part of the application
As such, the <http auto-config="true"> element provides standard web applications with most of what they need in a single element. Naturally you can fine-tune the individual settings, such as specifying a different realm name (<http auto-config="true" realm="My Application">), customizing your login page details (<form-login login-page="/myLogin.jsp" />), or switching to a more advanced remember-me token repository (<remember-me token-repository="persistedRepository" />).
Including the namespace declaration formalities, the above configuration file runs to about 16 lines. The old configuration style would have required around 120 lines of XML for comparable capabilities.
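As an added illustration, not code from the post or from Spring Security itself, this Python shows what the hash="md5:hex" scheme in the user-service above produces and checks, and why an unsalted digest gives every user with the same password the same stored value (the concern behind the salted-password questions in the comments). The salted variant and its password{salt} layout are an assumption made here for contrast, not a configuration option shown on this page.

```python
import hashlib
import secrets
from xml.sax.saxutils import quoteattr

# Stored value taken from the post's <user name="rod" .../> entry (hash="md5:hex").
ROD_STORED_HASH = "a564de63c2d0da68cf47586ee05984d7"


def md5_hex(password: str) -> str:
    """Encode a raw password the way hash="md5:hex" expects:
    MD5 over the UTF-8 bytes, rendered as 32 lowercase hex digits, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def user_element(name: str, password: str, authorities: list[str]) -> str:
    """Render a <user .../> line for a user-service declared with hash="md5:hex".
    quoteattr() escapes the values so the generated XML stays well-formed."""
    return "<user name=%s password=%s authorities=%s />" % (
        quoteattr(name),
        quoteattr(md5_hex(password)),
        quoteattr(",".join(authorities)),
    )


def check_login(stored_hash: str, candidate: str) -> bool:
    """The comparison a user-service performs at login: hash the submitted
    password with the configured scheme and compare it to the stored digest.
    compare_digest keeps the comparison time independent of where it differs."""
    return secrets.compare_digest(stored_hash.lower(), md5_hex(candidate))


def salted_md5_hex(password: str, salt: str) -> str:
    """Assumed salted variant for contrast only: the per-user salt is mixed in
    as password{salt}. The post's hash="md5:hex" does NOT do this."""
    return hashlib.md5(f"{password}{{{salt}}}".encode("utf-8")).hexdigest()


def shared_password_digests(pw: str, salts: list[str]) -> tuple[set[str], set[str]]:
    """Distinct stored values for several users who all chose the same password.
    Unsalted: one value for everyone, so a single lookup table hit recovers them
    all (the point of the Google-as-cracker link in the comments). Salted: one
    value per user, so each must be attacked separately."""
    unsalted = {md5_hex(pw) for _ in salts}
    salted = {salted_md5_hex(pw, s) for s in salts}
    return unsalted, salted
```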
Whilst the configuration improvements are considerable, we also have other features in Spring Security 2.0.0 M1 as well! For one, you now have a choice of storing remember-me tokens in a database, which provides enhanced security. We also have hierarchical role support, which is a kind of granted authority aliasing strategy on steroids. Plus, the long-awaited user management API, NTLM support, portlet integration and much more.
If you'd like to learn more about Spring Security 2, come and see it in action at The Spring Experience. There are three sessions scheduled covering Spring Security 2, including an introduction, coverage of what's new and improved, plus how to use the new portlet security integration. For those of you who can't make it, you will be able to download the first milestone release late next week.
Hopefully these enhancements will save a few fairies.
Jeff says (December 6th, 2007 at 5:31 pm):
Is Spring Security 2.0.0 M1 on any maven repository yet? I couldn't find it on the s3 repo usually used for spring milestones.
Torgeir says (December 6th, 2007 at 8:06 pm):
Am wondering, does Spring Security 2 provide a means of delegating to subsystems to decide if authentication is required or not?
Locally, we're using a patched version of securityfilter that allows any page to return HTTP status 401 (Authorisation required), and securityfilter will then redirect the response to the login page similar to as if the URL was set up as a protected URL that required authorisation.
Sebastian says (December 7th, 2007 at 2:07 am):
Is there an easy way to use salted passwords with Spring Security?
http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/
Sakuraba says (December 7th, 2007 at 7:01 am):
The name "Acegi" was sooooo much cooler than Spring Security.
R.I.P. ASITSCHI !!
Daniel Fernández Garrido says (December 7th, 2007 at 9:39 am):
I am a little "worried" about that 'hash="md5:hex"' attribute… will this mean that the default PasswordEncoders (the ones provided with Spring Security) will be the only ones that can be used with this new configuration style?
What if I want to apply one of Jasypt's (http://www.jasypt.org/springsecurity.html) password encryptors for, like Sebastian asks, applying a correct random salt mechanism to password encoding?
Regards,
Daniel.
Andreas Schildbach says (December 7th, 2007 at 10:03 am):
Will Spring Security 2 feature support for OpenID, or is something like this planned?
Dan Diephouse says (December 7th, 2007 at 10:12 am):
Do you have any links to actual documentation (as opposed to links to the conference)? Or isn't there any yet?
Brian Ehmann says (December 7th, 2007 at 5:44 pm):
Wow, VERY exciting. I could always get Acegi to do what I needed, but it felt a little like slaying a dragon.
Thank you very much!!!
Cameron says (December 9th, 2007 at 11:52 pm):
Where is the maven repository that has these jars?
I checked both of the amazon s3 repositories
* http://s3.amazonaws.com/maven.springframework.org/snapshot - using browser at http://s3browse.com/explore/maven.springframework.org/snapshot
* http://s3.amazonaws.com/maven.springframework.org/milestone - using browser at http://s3browse.com/explore/maven.springframework.org/milestone
I also checked the acegi security site, forums, mailing list archives and the springframework site, forums and mailing lists.
Cheers.
Dave Macpherson says (December 10th, 2007 at 11:16 am):
On December 7, 2007 at 2:07 am, Sebastian said:
Yes… I hope that Rod's password really isn't "koala" (smile)
Ross McDonald says (December 15th, 2007 at 3:03 pm):
Yep, same question as Dan, is there any documentation? This sounds great, exactly what I need, looking forward to more information soon.
S Dewar says (December 19th, 2007 at 10:59 am):
Can anyone tell me when we can expect a production release of Spring Security 2.0?
Thanks.
Cameron says (December 21st, 2007 at 7:22 am):
Will there be a version of spring-security that works with spring 2.5?
Will says (December 24th, 2007 at 2:36 pm):
How did the presentation go? Would it be possible for you to post your slides somewhere? Are there plans for providing some migration documentation from the current Acegi configuration to the new, simpler Spring Security configuration?
seak.lv says (April 6th, 2008 at 11:30 am):
The below configuration: "hash" attribute is not allowed to appear in element "user-service"
why?
Ankit Joshi says (April 14th, 2008 at 5:08 am):
Is any good concrete documentation about Spring Security 2.0 available?
Brooks Lyrette says (April 17th, 2008 at 8:57 am):
I was wondering why 2.0 no longer has the captcha jars. This was in M2 but seems to have been missed in RC1 and this new release.
Ben Alex says (April 17th, 2008 at 3:51 pm):
Ankit, http://static.springframework.org/spring-security/site/reference.html contains the documentation.
Seak, you're best off asking support questions in our community forum at http://forum.springframework.org.
Brooks, http://jira.springframework.org/browse/SEC-737 explains why we removed the Captcha JARs. It was by design. We will be reviewing and refactoring the code in a subsequent release.
Useful links for Spring Security 2.0 are available at http://springframework.org/security.