
Spring Security (Part 2): 2.1 Introduction - What is Spring Security?

Spring Security provides comprehensive security services for Java EE-based enterprise software applications. There is a particular emphasis on supporting projects built using The Spring Framework, which is the leading Java EE solution for enterprise software development.

If you're not using Spring for developing enterprise applications, we warmly encourage you to take a closer look at it. Some familiarity with Spring - and in particular dependency injection principles - will help you get up to speed with Spring Security more easily.

People use Spring Security for many reasons, but most are drawn to the project after finding the security features of Java EE's Servlet Specification or EJB Specification lack the depth required for typical enterprise application scenarios. Whilst mentioning these standards, it's important to recognise that they are not portable at a WAR or EAR level. Therefore, if you switch server environments, it is typically a lot of work to reconfigure your application's security in the new target environment. Using Spring Security overcomes these problems, and also brings you dozens of other useful, customisable security features.

As you probably know, two major areas of application security are "authentication" and "authorization" (or "access-control"). These are the two main areas that Spring Security targets. "Authentication" is the process of establishing that a principal is who they claim to be (a "principal" generally means a user, device or some other system which can perform an action in your application). "Authorization" refers to the process of deciding whether a principal is allowed to perform an action within your application. To arrive at the point where an authorization decision is needed, the identity of the principal has already been established by the authentication process. These concepts are common, and not at all specific to Spring Security.

At an authentication level, Spring Security supports a wide range of authentication models. Most of these authentication models are either provided by third parties, or are developed by relevant standards bodies such as the Internet Engineering Task Force. In addition, Spring Security provides its own set of authentication features. Specifically, Spring Security currently supports authentication integration with all of these technologies:
  • HTTP BASIC authentication headers (an IETF RFC-based standard)
  • HTTP Digest authentication headers (an IETF RFC-based standard)
  • HTTP X.509 client certificate exchange (an IETF RFC-based standard)
  • LDAP (a very common approach to cross-platform authentication needs, especially in large environments)
  • Form-based authentication (for simple user interface needs)
  • OpenID authentication
  • Authentication based on pre-established request headers (such as Computer Associates Siteminder)
  • Jasig Central Authentication Service (otherwise known as CAS, which is a popular open source single sign-on system)
  • Transparent authentication context propagation for Remote Method Invocation (RMI) and HttpInvoker (a Spring remoting protocol)
  • Automatic "remember-me" authentication (so you can tick a box to avoid re-authentication for a predetermined period of time)
  • Anonymous authentication (allowing every unauthenticated call to automatically assume a particular security identity)
  • Run-as authentication (which is useful if one call should proceed with a different security identity)
  • Java Authentication and Authorization Service (JAAS)
  • Java EE container authentication (so you can still use Container Managed Authentication if desired)
  • Kerberos
  • Java Open Source Single Sign-On (JOSSO) *
  • OpenNMS Network Management Platform *
  • AppFuse *
  • AndroMDA *
  • Mule ESB *
  • Direct Web Request (DWR) *
  • Grails *
  • Tapestry *
  • JTrac *
  • Jasypt *
  • Roller *
  • Elastic Path *
  • Atlassian Crowd *
  • Your own authentication systems (see below)
* Denotes provided by a third party

Many independent software vendors (ISVs) adopt Spring Security because of this significant choice of flexible authentication models. Doing so allows them to quickly integrate their solutions with whatever their end clients need, without undertaking a lot of engineering or requiring the client to change their environment. If none of the above authentication mechanisms suit your needs, Spring Security is an open platform and it is quite simple to write your own authentication mechanism. Many corporate users of Spring Security need to integrate with "legacy" systems that don't follow any particular security standards, and Spring Security is happy to "play nicely" with such systems.

Irrespective of the authentication mechanism, Spring Security provides a deep set of authorization capabilities. There are three main areas of interest: authorizing web requests, authorizing whether methods can be invoked and authorizing access to individual domain object instances. To help you understand the differences, consider the authorization capabilities found in the Servlet Specification web pattern security, EJB Container Managed Security and file system security respectively. Spring Security provides deep capabilities in all of these important areas, which we'll explore later in this reference guide.
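The authentication layer and the three authorization areas described above (web request, method invocation, domain object instance), as an added example in Spring Security 5.x Java configuration; this is not code from the reference guide, and the in-memory users, the `/admin/**` URL pattern and the `ReportService`/`Report` types are constructed for illustration:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)   // enables @PreAuthorize / @PostAuthorize
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Bean
    public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }
    // Authentication: two constructed in-memory users stand in for the LDAP / CAS / X.509 providers listed above.
    @Bean @Override
    public UserDetailsService userDetailsService() {
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password(passwordEncoder().encode("alice-pw")).roles("USER").build(),
            User.withUsername("admin").password(passwordEncoder().encode("admin-pw")).roles("USER", "ADMIN").build());
    }
    // Authorization area 1: web requests. Rules are matched top-down, so the catch-all anyRequest()
    // rule goes last; form login serves browsers and HTTP BASIC serves API clients.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            .and().formLogin()
            .and().httpBasic();
    }
}
// Authorization areas 2 and 3: method invocation and the individual domain object instance (bean required).
@Service
class ReportService {
    @PreAuthorize("hasRole('ADMIN')")   // method-level: the call is refused before the body runs unless caller is ADMIN
    public void deleteAllReports() { /* ... */ }
    @PostAuthorize("returnObject.owner == authentication.name")   // instance-level: caller must own the returned report
    public Report findReport(long id) { return new Report("alice"); }   // constructed sample instance
}
class Report {   // hypothetical domain object; only the owner property is needed here
    private final String owner; Report(String owner) { this.owner = owner; }
    public String getOwner() { return owner; }
}
```

With this configuration, a request to `/admin/...` by `alice` is rejected at the web layer, a call to `deleteAllReports()` by `alice` is rejected at the method layer, and `findReport()` succeeds for `alice` but throws `AccessDeniedException` for `admin` because the returned instance belongs to someone else.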