When we talk about enterprise security, three major areas play a central role: authentication, authorization, and access control lists (ACLs). The Spring Framework 4.0.3 has a seven-layered architecture that includes the core container, context, Aspect-Oriented Programming (AOP), Data Access Object (DAO), Object-Relational Mapping (ORM), Web, and Model-View-Controller (MVC) layers. To provide security features across all of these layers, we have the Spring Security 3.2.3 module, which provides facilities such as user authentication and authorization, role-based authorization, database configuration, password encryption, and others.
In general, Spring developers concentrate on these seven layers when developing web applications, and most of them never master the security mechanisms involved in the different layers, each with its own implementation, because they usually only call the abstract APIs behind which the security implementations are built.
Spring Security 3.2.3 supports various authentication approaches for the different industry-standard connectivity options used by Java EE-based enterprise applications. Many people use Spring Security only within the layers of Java EE's Servlet Specification and Enterprise JavaBeans (EJB) Specification, which limits the use of proper Spring Security implementations; as a result, many enterprise security scenarios are left unattended. Authentication is the process of establishing a principal in the enterprise system, for which a user needs to provide credentials. Role-based access privileges are decided by a predefined role authorizer system, from which the core system reads the access rights for the given principal. The advanced techniques of the Spring Security mechanisms are as follows:
Custom user realms
Custom authorization constraints
Method-based authorization
Instance-based authorization
Building a security layer for RESTful web services
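To show how the three areas fit together in practice, the following is an added example of a Spring Security 3.2.x Java configuration; it is not code from this book or from the Spring project. It configures a user realm (in-memory here, so it runs without a database), stores passwords as bcrypt hashes, enforces role-based authorization at the URL level, and demonstrates method-based authorization with @PreAuthorize and instance-based authorization with @PostAuthorize on a service bean. The package name, the user accounts and their passwords, and the DocumentService class with its sample documents are assumptions made for the illustration.

```java
// Added example (not from the book or the Spring project): Spring Security 3.2.x
// Java configuration covering authentication, URL-level role authorization,
// method-based and instance-based authorization. Package, users, passwords
// and DocumentService are hypothetical.
package com.example.security;

import java.util.HashMap;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PostAuthorize;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize / @PostAuthorize
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Passwords are stored and compared as bcrypt hashes, never in clear text.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Authentication: which principals exist and how their credentials are verified.
    // An in-memory realm keeps the example self-contained; a JDBC or LDAP realm
    // would be configured on the same AuthenticationManagerBuilder.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = passwordEncoder();
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            .withUser("alice").password(encoder.encode("alice-secret")).roles("USER")
            .and()
            .withUser("admin").password(encoder.encode("admin-secret")).roles("USER", "ADMIN");
    }

    // Authorization at the URL level. roles("ADMIN") is stored as ROLE_ADMIN and
    // hasRole("ADMIN") adds the same prefix, so the two match.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/documents/**").hasAnyRole("USER", "ADMIN")
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .httpBasic();
        // CSRF protection is left at the Java-config default (enabled).
    }
}

// Second class in the same file to keep the example in one place.
@Service
class DocumentService {

    public static class Document {
        private final long id;
        private final String owner;
        private final String text;

        Document(long id, String owner, String text) {
            this.id = id;
            this.owner = owner;
            this.text = text;
        }

        public long getId() { return id; }
        public String getOwner() { return owner; }   // read by the SpEL expression below
        public String getText() { return text; }
    }

    // Constructed sample data standing in for a repository.
    private final Map<Long, Document> store = new HashMap<Long, Document>();

    DocumentService() {
        store.put(1L, new Document(1L, "alice", "alice's notes"));
        store.put(2L, new Document(2L, "bob", "bob's notes"));
    }

    // Method-based authorization: checked before the method body runs.
    @PreAuthorize("hasRole('ADMIN')")
    public void purgeAll() {
        store.clear();
    }

    // Instance-based authorization: the decision depends on the object returned.
    // A user may read only documents they own; admins may read any document.
    @PostAuthorize("returnObject == null or returnObject.owner == authentication.name or hasRole('ADMIN')")
    public Document load(long id) {
        return store.get(id);
    }
}
```

With this configuration, alice can call load(1L) but receives an AccessDeniedException from load(2L), while admin can call both and purgeAll(); an unauthenticated request to any URL is redirected to the login form. The @PostAuthorize check is the simplest form of instance-based authorization; the Spring Security ACL module generalises it by storing per-object permissions that a hasPermission() expression consults instead of a hard-coded owner comparison.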
The following modules of Spring Security 3.2.3 support the implementation of enterprise security:
Spring Security Core
Spring Security Remoting
Spring Security Web
Spring Security Configuration
Spring Security LDAP
Spring Security ACL
Spring Security CAS
Spring Security OpenID
Additionally, we will cover specific techniques such as JavaServer Faces (JSF) 2.0, Wicket, and Java Authentication and Authorization Service (JAAS). The following are the new security features provided in Spring 4.0, which we will talk about later:
Most of these authentication levels come from third parties or were developed by relevant standards bodies such as the Internet Engineering Task Force (IETF). Spring Security has its own authentication features that are useful for establishing secure connections with third-party request headers, protocols, and single sign-on systems. We will describe each system and mechanism in detail in the following chapters.