From 1af9f8efea468e67210c4ed28256ca71248beb45 Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Tue, 22 Dec 2009 13:40:05 +0000 Subject: [PATCH] SEC-1327: Minor doc update --- docs/manual/src/docbook/core-filters.xml | 109 +++++++++++++---------- 1 file changed, 60 insertions(+), 49 deletions(-) diff --git a/docs/manual/src/docbook/core-filters.xml b/docs/manual/src/docbook/core-filters.xml index 8934c99b54..5dd7a4b4ae 100644 --- a/docs/manual/src/docbook/core-filters.xml +++ b/docs/manual/src/docbook/core-filters.xml @@ -157,14 +157,14 @@ AccessDeniedHandlerImpl is used, which just sends a 403 (Forbidden) response to the client. Alternatively you can configure an instance explicitly (as in the above example) and set an error page URL which it will - forwards the request to We use a forward so that the - SecurityContextHolder still contains details of the principal, which may be - useful for displaying to the user. In old releases of Spring Security we - relied upon the servlet container to handle a 403 error message, which - lacked this useful contextual information.. This can be a - simple access denied page, such as a JSP, or it could be a more - complex handler such as an MVC controller. And of course, you can implement the - interface yourself and use your own implementation. + forwards the request to + We use a forward so that the SecurityContextHolder still contains details + of the principal, which may be useful for displaying to the user. In old + releases of Spring Security we relied upon the servlet container to handle a + 403 error message, which lacked this useful contextual information. + . This can be a simple access denied page, such as a JSP, + or it could be a more complex handler such as an MVC controller. And of course, you + can implement the interface yourself and use your own implementation. It's also possible to supply a custom AccessDeniedHandler when you're using the namespace to configure your application. See <classname>SecurityContextPersistenceFilter</classname> We covered the purpose of this all-important filter in the Technical Overview chapter - so you might want to re-read that section at this point. Let's first take a look at how - you would configure it for use with a FilterChainProxy. A basic + xlink:href="#tech-intro-sec-context-persistence">Technical Overview chapter + so you might want to re-read that section at this point. Let's first take a look at how + you would configure it for use with a FilterChainProxy. A basic configuration only requires the bean itself @@ -205,20 +205,20 @@ public interface SecurityContextRepository { with wrapper classes. The returned contents will be passed to the filter chain. The default implementation is HttpSessionSecurityContextRepository, which stores the - security context as an HttpSession attribute - In Spring Security 2.0 and earlier, this filter was called + security context as an HttpSession attribute + In Spring Security 2.0 and earlier, this filter was called HttpSessionContextIntegrationFilter and performed all the work of storing the context was performed by the filter itself. If you were familiar with this class, then most of the configuration options which were available can now be found on - HttpSessionSecurityContextRepository. - . The most important configuration parameter for this - implementation is the allowSessionCreation property, which - defaults to true, thus allowing the class to create a session if - it needs one to store the security context for an authenticated user (it won't - create one unless authentication has taken place and the contents of the security - context have changed). If you don't want a session to be created, then you can set - this property to false: HttpSessionSecurityContextRepository. + . The most important configuration parameter for this implementation is + the allowSessionCreation property, which defaults to + true, thus allowing the class to create a session if it needs + one to store the security context for an authenticated user (it won't create one + unless authentication has taken place and the contents of the security context have + changed). If you don't want a session to be created, then you can set this property + to false: @@ -228,7 +228,9 @@ class="org.springframework.security.web.context.SecurityContextPersistenceFilter ]]> Alternatively you could provide a null implementation of the - SecurityContextRepository interface. + SecurityContextRepository interface, which will + prevent the security context from being stored, even if a session has already been + created during the request.
@@ -238,27 +240,35 @@ class="org.springframework.security.web.context.SecurityContextPersistenceFilter namespace <http> element and cannot be substituted with alternatives. The only thing that's missing now is an actual authentication mechanism, something that will allow a user to authenticate. This filter is the most commonly used - authentication filter and the one that is most often customized For - historical reasons, prior to Spring Security 3.0, this filter was called + authentication filter and the one that is most often customized + For historical reasons, prior to Spring Security 3.0, this filter was called AuthenticationProcessingFilter and the entry point was called AuthenticationProcessingFilterEntryPoint. Since the framework now supports many different forms of authentication, they - have both been given more specific names in 3.0.. It also - provides the implementation used by the <form-login> element from the namespace. - There are three stages required to configure it. Configure - a LoginUrlAuthenticationEntryPoint with the URL of - the login page, just as we did above, and set it on the - ExceptionTranslationFilter. - Implement the login page (using a JSP or - MVC controller).Configure an instance of + have both been given more specific names in 3.0. + . It also provides the implementation used by the <form-login> element + from the namespace. There are three stages required to configure it. + + Configure a LoginUrlAuthenticationEntryPoint with + the URL of the login page, just as we did above, and set it on the + ExceptionTranslationFilter. + + + Implement the login page (using a JSP or MVC controller). + + + Configure an instance of UsernamePasswordAuthenticationFilter in the - application contextAdd the filter bean to - your filter chain proxy (making sure you pay attention to the order). - The login form simply - contains j_username and j_password input fields, - and posts to the URL that is monitored by the filter (by default this is - /j_spring_security_check). The basic filter configuration looks - something like this: + + + Add the filter bean to your filter chain proxy (making sure you pay + attention to the order). + + The login form simply contains j_username and + j_password input fields, and posts to the URL that is monitored + by the filter (by default this is /j_spring_security_check). The + basic filter configuration looks something like this: @@ -274,12 +284,13 @@ class="org.springframework.security.web.context.SecurityContextPersistenceFilter AuthenticationSuccessHandler and AuthenticationFailureHandler strategy interfaces, respectively. The filter has properties which allow you to set these so you can - customize the behaviour completely In versions prior to 3.0, the - application flow at this point had evolved to a stage was controlled by a - mix of properties on this class and strategy plugins. The decision was made - for 3.0 to refactor the code to make these two strategies entirely - responsible. . Some standard implementations are supplied - such as SimpleUrlAuthenticationSuccessHandler, + customize the behaviour completely + In versions prior to 3.0, the application flow at this point had evolved + to a stage was controlled by a mix of properties on this class and strategy + plugins. The decision was made for 3.0 to refactor the code to make these + two strategies entirely responsible. + . Some standard implementations are supplied such as + SimpleUrlAuthenticationSuccessHandler, SavedRequestAwareAuthenticationSuccessHandler, SimpleUrlAuthenticationFailureHandler and ExceptionMappingAuthenticationFailureHandler. Have a look @@ -291,12 +302,12 @@ class="org.springframework.security.web.context.SecurityContextPersistenceFilter user to the approprate destination. By default a SavedRequestAwareAuthenticationSuccessHandler is used, which means that the user will be redirected to the original destination they - requested before they were asked to login. The - ExceptionTranslationFilter caches the original + requested before they were asked to login. + The ExceptionTranslationFilter caches the original request a user makes. When the user authenticates, the request handler makes use of this cached request to obtain the original URL and redirect to it. - The original request is then rebuilt and used as an alternative. - If authentication fails, the configured + The original request is then rebuilt and used as an alternative. + If authentication fails, the configured AuthenticationFailureHandler will be invoked.