Spring Security 3

Authors: Peter Mularien
ISBN: 1847199747
Published: 26 May 2010

Secure your web applications against malicious intruders with this easy to follow practical guide

* Make your web applications impenetrable.
* Implement authentication and authorization of users.
* Integrate Spring Security 3 with common external security providers.
* Packed full with concrete, simple, and concise examples.

In Detail

Security is of critical importance to all web applications. Vulnerable applications are easy prey for hackers.


Customer Reviews

Screamy said
Mularien has a comfortable writing style and the book is a lot less dry than several other Spring books I've read.

The first topics covered are Authorization/Authentication, XML configuration, the login/logout process and the overall architecture of secured web requests. You are then walked through configuring Spring Security for an example "pet store" web application, which starts off using an "in-memory" user credential store (configured via XML). Next, you progressively face-lift the example for more real-world usage, where your first stop is hooking up an actual database for storing user credentials. For simplicity, Mularien uses an HSQL embedded database, where enough setup/configuration information is provided to ensure success. Following his configuration examples, I was able to point Spring Security to a local MySQL instance instead and everything worked just fine.

Out-of-the-box, JDBC-based user management is covered next, where Spring Security's simplified "namespace" configuration tags are used. You then slowly progress towards using your own custom/legacy schema with database-resident authentication. Also covered are secure user passwords, password encryption types, SALT usage/configuration (for extra password security), SSL use/setup via Tomcat and securing portions of your web app via Spring Security's "requires-channel" feature.

Fine-grained access control and authorization is next, with plenty of good coverage on Annotations and AOP expressions. There's also an explanation on JSR-250 compliant annotations vs. Spring Security's annotation set and the differences between them.

From there, Mularien goes on to advanced configuration and extension of Spring Security. You're walked through writing and wiring-up a custom security filter, writing a custom AuthenticationProvider, Session management/concurrency, exception handling, authentication event handling and most importantly, how to manually configure Spring Infrastructure beans for performing security tasks outside the scope of Spring Security's configuration "namespace" tags.

He also goes on to cover Access Control Lists, LDAP integration, Single-Signon (via CAS), Client Certificate Authentication (as well as how to create your own key pairs), Open ID and Kerberos.

Lastly, roughly 8 pages are devoted to migration from Spring Security v2.x to v3.x. I started out with Spring 3, so this info wasn't useful to me; regardless, I read through this chapter and think it would be helpful to those migrating.

