Spring Security (Part 2): 2.1 Introduction: What is Spring Security?
Author: 阿新 • Published: 2018-12-16
Spring Security provides comprehensive security services for Java EE-based enterprise software applications. There is a particular emphasis on supporting projects built using The Spring Framework, which is the leading Java EE solution for enterprise software development.
If you're not using Spring for developing enterprise applications, we warmly encourage you to take a closer look at it. Some familiarity with Spring, and in particular with dependency injection principles, will help you get up to speed with Spring Security more easily.

People use Spring Security for many reasons, but most are drawn to the project after finding that the security features of Java EE's Servlet Specification or EJB Specification lack the depth required for typical enterprise application scenarios. Whilst mentioning these standards, it's important to recognise that they are not portable at a WAR or EAR level. Therefore, if you switch server environments, it is typically a lot of work to reconfigure your application's security in the new target environment. Using Spring Security overcomes these problems, and also brings you dozens of other useful, customisable security features.

As you probably know, two major areas of application security are "authentication" and "authorization" (or "access-control"). These are the two main areas that Spring Security targets. "Authentication" is the process of establishing that a principal is who they claim to be (a "principal" generally means a user, device or some other system which can perform an action in your application). "Authorization" refers to the process of deciding whether a principal is allowed to perform an action within your application. To arrive at the point where an authorization decision is needed, the identity of the principal has already been established by the authentication process. These concepts are common, and not at all specific to Spring Security.

At an authentication level, Spring Security supports a wide range of authentication models. Most of these authentication models are either provided by third parties, or are developed by relevant standards bodies such as the Internet Engineering Task Force. In addition, Spring Security provides its own set of authentication features. Specifically, Spring Security currently supports authentication integration with all of these technologies:

- HTTP BASIC authentication headers (an IETF RFC-based standard)
- HTTP Digest authentication headers (an IETF RFC-based standard)
- HTTP X.509 client certificate exchange (an IETF RFC-based standard)
- LDAP (a very common approach to cross-platform authentication needs, especially in large environments)
- Form-based authentication (for simple user interface needs)
- OpenID authentication
- Authentication based on pre-established request headers (such as Computer Associates Siteminder)
- Jasig Central Authentication Service (otherwise known as CAS, which is a popular open source single sign-on system)
- Transparent authentication context propagation for Remote Method Invocation (RMI) and HttpInvoker (a Spring remoting protocol)
- Automatic "remember-me" authentication (so you can tick a box to avoid re-authentication for a predetermined period of time)
- Anonymous authentication (allowing every unauthenticated call to automatically assume a particular security identity)
- Run-as authentication (which is useful if one call should proceed with a different security identity)
- Java Authentication and Authorization Service (JAAS)
- Java EE container authentication (so you can still use Container Managed Authentication if desired)
- Kerberos
- Java Open Source Single Sign-On (JOSSO) *
- OpenNMS Network Management Platform *
- AppFuse *
- AndroMDA *
- Mule ESB *
- Direct Web Request (DWR) *
- Grails *
- Tapestry *
- JTrac *
- Jasypt *
- Roller *
- Elastic Path *
- Atlassian Crowd *
- Your own authentication systems (see below)
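The distinction between authentication (who the principal is) and authorization (what the principal may do) is easiest to see in a minimal Spring Security configuration. The following class is an added example, not code from the Spring Security reference documentation or from this post; it targets the Spring Security 5.x Java configuration API (`WebSecurityConfigurerAdapter`, which Spring Security 6 later replaced with a `SecurityFilterChain` bean) and uses constructed in-memory users and placeholder passwords. It wires two of the authentication mechanisms listed above (HTTP BASIC and form-based login) and then layers authorization rules on top: anonymous access for public paths, an `ADMIN` role for `/admin/**`, and an authenticated principal for everything else.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

// Added example (Spring Security 5.x style); class and user names are assumptions.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Passwords are never stored in clear text: BCrypt hashes them with a per-user salt.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // AUTHENTICATION side: where principals and their credentials come from.
    // Constructed in-memory users with placeholder passwords; a real deployment
    // would back this with LDAP, a database, or one of the providers listed above.
    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        UserDetails user = User.builder()
            .username("alice")
            .password(passwordEncoder().encode("CHANGE-ME-user-password"))
            .roles("USER")
            .build();
        UserDetails admin = User.builder()
            .username("bob")
            .password(passwordEncoder().encode("CHANGE-ME-admin-password"))
            .roles("USER", "ADMIN")
            .build();
        return new InMemoryUserDetailsManager(user, admin);
    }

    // AUTHORIZATION side: what an already-authenticated principal may do.
    // Rules are evaluated top to bottom; the first matching rule wins, so the
    // most specific paths come first and the catch-all comes last.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/public/**").permitAll()     // anonymous principal is enough
                .antMatchers("/admin/**").hasRole("ADMIN")       // needs ROLE_ADMIN
                .anyRequest().authenticated()                    // everything else: any logged-in user
                .and()
            .formLogin()   // browser clients: HTML login form (form-based authentication)
                .and()
            .httpBasic();  // API clients: Authorization: Basic header (HTTP BASIC authentication)
    }
}
```

With this in place, a request to `/admin/reports` from `alice` is authenticated successfully (her credentials are valid) but denied at the authorization step (she lacks `ROLE_ADMIN`), which is exactly the two-stage decision the section describes; `bob` passes both stages. The `hasRole("ADMIN")` check matches the authority `ROLE_ADMIN` that `.roles("ADMIN")` assigns, so the two spellings must be kept consistent when you move from in-memory users to a real user store.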