Spring Security 3.1.
Title:
Spring Security 3.1.
Author:
Winch, Robert.
ISBN:
9781849518277
Physical Description:
1 online resource (514 pages)
Contents:
Spring Security 3.1 -- Table of Contents -- Spring Security 3.1 -- Credits -- About the Author -- Acknowledgement -- About the Reviewers -- www.PacktPub.com -- Support files, eBooks, discount offers and more -- Why Subscribe? -- Free Access for Packt account holders -- Preface -- What this book covers -- What you need for this book -- Who this book is for -- Conventions -- Reader feedback -- Customer support -- Downloading the example code -- Errata -- Piracy -- Questions -- 1. Anatomy of an Unsafe Application -- Security audit -- About the sample application -- The JBCP calendar application architecture -- Application technology -- Reviewing the audit results -- Authentication -- Authorization -- Database credential security -- Sensitive information -- Transport-level protection -- Using Spring Security 3.1 to address security concerns -- Why Spring Security -- Summary -- 2. Getting Started with Spring Security -- Hello Spring Security -- Importing the sample application -- Updating your dependencies -- Using Spring 3.1 and Spring Security 3.1 -- Implementing a Spring Security XML configuration file -- Updating your web.xml file -- ContextLoaderListener -- ContextLoaderListener versus DispatcherServlet -- springSecurityFilterChain -- DelegatingFilterProxy -- FilterChainProxy -- Running a secured application -- Common problems -- A little bit of polish -- Customizing login -- Configuring logout -- The page isn't redirecting properly -- Basic role-based authorization -- Expression-based authorization -- Conditionally displaying authentication information -- Customizing the behavior after login -- Summary -- 3. Custom Authentication -- JBCP Calendar architecture -- CalendarUser -- Event -- CalendarService -- UserContext -- SpringSecurityUserContext -- Logging in new users using SecurityContextHolder -- Managing users in Spring Security.

Logging in a new user to an application -- Updating SignupController -- Creating a custom UserDetailsService object -- CalendarUserDetailsService -- Configuring UserDetailsService -- Removing references to UserDetailsManager -- CalendarUserDetails -- SpringSecurityUserContext simplifications -- Displaying custom user attributes -- Creating a custom AuthenticationProvider object -- CalendarUserAuthenticationProvider -- Configuring CalendarUserAuthenticationProvider -- Authenticating with different parameters -- DomainUsernamePasswordAuthenticationToken -- Updating CalendarUserAuthenticationProvider -- Adding domain to the login page -- DomainUsernamePasswordAuthenticationFilter -- Updating our configuration -- Which authentication method to use -- Summary -- 4. JDBC-based Authentication -- Using Spring Security's default JDBC authentication -- Required dependencies -- Using the H2 database -- Provided JDBC scripts -- Configuring the H2-embedded database -- Configuring JDBC UserDetailsManager -- Spring Security's default user schema -- Defining users -- Defining user authorities -- UserDetailsManager -- What other features does UserDetailsManager provide out of the box -- Group-based access control -- Configuring group-based access control -- Configuring JdbcUserDetailsManager to use groups -- Utilize the GBAC JDBC scripts -- Group-based schema -- Group authority mappings -- Support for a custom schema -- Determining the correct JDBC SQL queries -- Updating the SQL scripts that are loaded -- CalendarUser authority SQL -- Insert custom authorities -- Configuring the JdbcUserDetailsManager to use custom SQL queries -- Configuring secure passwords -- PasswordEncoder -- Configuring password encoding -- Configuring the PasswordEncoder -- Making Spring Security aware of the PasswordEncoder -- Hashing the stored passwords -- Hashing a new user's passwords.

Not quite secure -- Would you like some salt with that password -- Using salt in Spring Security -- Updating the Spring Security configuration -- Migrating existing passwords -- Updating DefaultCalendarUserService -- Trying out the salted passwords -- Summary -- 5. LDAP Directory Services -- Understanding LDAP -- LDAP -- Common LDAP attribute names -- Updating our dependencies -- Configuring embedded LDAP integration -- Configuring an LDAP server reference -- Enabling the LDAP AuthenticationProvider interface -- Troubleshooting embedded LDAP -- Understanding how Spring LDAP authentication works -- Authenticating user credentials -- Demonstrating authentication with Apache Directory Studio -- Binding anonymously to LDAP -- Searching for the user -- Binding as a user to LDAP -- Determining user role membership -- Determining roles with Apache Directory Studio -- Mapping additional attributes of UserDetails -- Advanced LDAP configuration -- Sample JBCP LDAP users -- Password comparison versus bind authentication -- Configuring basic password comparison -- LDAP password encoding and storage -- The drawbacks of a password comparison authenticator -- Configuring UserDetailsContextMapper -- Implicit configuration of UserDetailsContextMapper -- Viewing additional user details -- Using an alternate password attribute -- Using LDAP as UserDetailsService -- Configuring LdapUserDetailsService -- Updating AccountController to use LdapUserDetailsService -- Integrating with an external LDAP server -- Explicit LDAP bean configuration -- Configuring an external LDAP server reference -- Configuring LdapAuthenticationProvider -- Delegating role discovery to UserDetailsService -- Integrating with Microsoft Active Directory via LDAP -- Built-In Active Directory support in Spring Security 3.1 -- Summary -- 6. Remember-me Services -- What is remember-me -- Dependencies.

The token-based remember-me feature -- Configuring the token-based remember-me feature -- How the token-based remember-me feature works -- MD5 -- Remember-me signature -- Token-based remember-me configuration directives -- Is remember-me secure -- Authorization rules for remember-me -- Persistent remember-me -- Using the persistent-based remember-me feature -- Adding SQL to create the remember-me schema -- Initializing the data source with the remember-me schema -- Configuring the persistent-based remember-me feature -- How does the persistent-based remember-me feature work -- Are database-backed persistent tokens more secure -- Cleaning up the expired remember-me sessions -- Remember-me architecture -- Remember-me and the user lifecycle -- Restricting the remember-me feature to an IP address -- Custom cookie and HTTP parameter names -- Summary -- 7. Client Certificate Authentication -- How client certificate authentication works -- Setting up client certificate authentication infrastructure -- Understanding the purpose of a public key infrastructure -- Creating a client certificate key pair -- Configuring the Tomcat trust store -- Importing the certificate key pair into a browser -- Using Firefox -- Using Chrome -- Using Internet Explorer -- Wrapping up testing -- Troubleshooting client certificate authentication -- Configuring client certificate authentication in Spring Security -- Configuring client certificate authentication using the security namespace -- How Spring Security uses certificate information -- How Spring Security certificate authentication works -- Handling unauthenticated requests with AuthenticationEntryPoint -- Supporting dual-mode authentication -- Configuring client certificate authentication using Spring Beans -- Additional capabilities of bean-based configuration.

Considerations when implementing Client Certificate authentication -- Summary -- 8. Opening up to OpenID -- The promising world of OpenID -- Signing up for an OpenID -- Enabling OpenID authentication with Spring Security -- Additional required dependencies -- Configuring OpenID support in Spring Security -- Adding OpenID users -- CalendarUserDetailsService lookup by OpenID -- The OpenID user registration problem -- How are OpenID identifiers resolved -- Implementing user registration with OpenID -- Registering OpenIDAuthenticationUserDetailsService -- Attribute Exchange -- Enabling AX in Spring Security OpenID -- Configuring different attributes for each OpenID Provider -- Usability enhancements -- Automatic redirection to the OpenID Provider -- Conditional automatic redirection -- Is OpenID Secure -- Summary -- 9. Single Sign-on with Central Authentication Service -- Introducing Central Authentication Service -- High-level CAS authentication flow -- Spring Security and CAS -- Required dependencies -- CAS installation and configuration -- Configuring basic CAS integration -- Creating the CAS ServiceProperties object -- Adding the CasAuthenticationEntryPoint -- Enabling CAS ticket verification -- Proving authenticity with the CasAuthenticationProvider -- Single logout -- Configuring single logout -- Clustered environments -- Proxy ticket authentication for stateless services -- Configuring proxy ticket authentication -- Using proxy tickets -- Authenticating proxy tickets -- Customizing the CAS Server -- CAS Maven WAR Overlay -- How CAS internal authentication works -- Configuring CAS to connect to our embedded LDAP server -- Getting UserDetails from a CAS assertion -- Returning LDAP attributes in the CAS Response -- Mapping LDAP attributes to CAS attributes -- Authorizing CAS Services to access custom attributes.
Abstract:
This practical step-by-step tutorial has plenty of example code coupled with the necessary screenshots and clear narration so that grasping content is made easier and quicker. This book is intended for Java web developers and assumes a basic understanding of creating Java web applications, XML, and the Spring Framework. You are not assumed to have any previous experience with Spring Security.
Local Note:
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2017. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.