Spring Security is a powerful and highly customizable authentication and access-control framework. It is the de-facto standard for securing Spring-based applications.

Spring Security provides a comprehensive security solution for Java EE-based enterprise software applications. As you will discover as you venture through this reference guide, we have tried to provide you a useful and highly configurable security system.
 
Security is an ever-moving target, and it’s important to pursue a comprehensive, system-wide approach. In security circles we encourage you to adopt "layers of security", so that each layer tries to be as secure as possible in its own right, with successive layers providing additional security.
 
The "tighter" the security of each layer, the more robust and safe your application will be. At the bottom level you’ll need to deal with issues such as transport security and system identification, in order to mitigate man-in-the-middle attacks. Next you’ll generally utilise firewalls, perhaps with VPNs or IP security to ensure only authorised systems can attempt to connect.

In corporate environments you may deploy a DMZ to separate public-facing servers from backend database and application servers. Your operating system will also play a critical part, addressing issues such as running processes as non-privileged users and maximising file system security. An operating system will usually also be configured with its own firewall.

Hopefully somewhere along the way you’ll be trying to prevent denial of service and brute force attacks against the system. An intrusion detection system will also be especially useful for monitoring and responding to attacks, with such systems able to take protective action such as blocking offending TCP/IP addresses in real-time.

Moving to the higher layers, your Java Virtual Machine will hopefully be configured to minimize the permissions granted to different Java types, and then your application will add its own problem domain-specific security configuration. Spring Security makes this latter area - application security - much easier.

Of course, you will need to properly address all security layers mentioned above, together with managerial factors that encompass every layer. A non-exhaustive list of such managerial factors would include security bulletin monitoring, patching, personnel vetting, audits, change control, engineering management systems, data backup, disaster recovery, performance benchmarking, load monitoring, centralised logging, incident response procedures etc.
 
With Spring Security being focused on helping you with the enterprise application security layer, you will find that there are as many different requirements as there are business problem domains. A banking application has different needs from an ecommerce application. An ecommerce application has different needs from a corporate sales force automation tool. These custom requirements make application security interesting, challenging and rewarding.
 
Please read Chapter 1, Getting Started, in its entirety to begin with. This will introduce you to the framework and the namespace-based configuration system with which you can get up and running quite quickly. To get more of an understanding of how Spring Security works, and some of the classes you might need to use, you should then read Part II, “Architecture and Implementation”.

The remaining parts of this guide are structured in a more traditional reference style, designed to be read on an as-required basis. We’d also recommend that you read up as much as possible on application security issues in general.

Spring Security is not a panacea which will solve all security issues. It is important that the application is designed with security in mind from the start. Attempting to retrofit it is not a good idea. In particular, if you are building a web application, you should be aware of the many potential vulnerabilities such as cross-site scripting, request-forgery and session-hijacking which you should be taking into account from the start.

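As an added illustration, not taken from the reference guide or the Spring Security project itself, the following Java configuration shows where each of the three concerns just named (request forgery, session hijacking, cross-site scripting) is addressed in the framework's Java config DSL. It assumes Spring Security 5.7 or later with the lambda-style DSL and a `SecurityFilterChain` bean; the class name `WebSecurityConfig` is hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical configuration class for illustration (not from the reference guide).
@Configuration
@EnableWebSecurity
public class WebSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Every request requires an authenticated user; add narrower
            // per-URL rules before anyRequest() as the problem domain demands.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(form -> form.permitAll())

            // Request forgery: CSRF protection is enabled by default and only
            // needs to be kept that way. The frequently copied
            // `csrf -> csrf.disable()` removes it for every state-changing request.
            .csrf(Customizer.withDefaults())

            // Session hijacking (fixation): issue a fresh session id on login so a
            // session id planted before authentication never becomes an
            // authenticated one. migrateSession copies existing attributes over.
            .sessionManagement(session -> session
                .sessionFixation(fixation -> fixation.migrateSession()))

            // Cross-site scripting: the default headers already include
            // X-Content-Type-Options: nosniff, X-Frame-Options: DENY and
            // cache-control; a restrictive Content-Security-Policy is added here
            // because the framework cannot know which origins your pages need.
            .headers(headers -> headers
                .contentSecurityPolicy(csp -> csp.policyDirectives("default-src 'self'")));

        return http.build();
    }
}
```

Output encoding of untrusted data in your templates is still required; the CSP header limits the damage of an XSS bug but does not remove it.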
The OWASP web site (http://www.owasp.org/) maintains a top ten list of web application vulnerabilities as well as a lot of useful reference information.

We hope that you find this reference guide useful, and we welcome your feedback and suggestions.
 
Finally, welcome to the Spring Security community.
 