diff --git a/core/src/main/java/org/springframework/security/config/RememberMeBeanDefinitionParser.java b/core/src/main/java/org/springframework/security/config/RememberMeBeanDefinitionParser.java
index acc18cc6a0..d38ee03405 100644
--- a/core/src/main/java/org/springframework/security/config/RememberMeBeanDefinitionParser.java
+++ b/core/src/main/java/org/springframework/security/config/RememberMeBeanDefinitionParser.java
@@ -27,6 +27,8 @@ public class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
static final String ATT_DATA_SOURCE = "data-source";
static final String ATT_TOKEN_REPOSITORY = "token-repository-ref";
+ static final String ATT_USER_SERVICE_REF = "user-service-ref";
+
protected final Log logger = LogFactory.getLog(getClass());
public BeanDefinition parse(Element element, ParserContext parserContext) {
@@ -34,11 +36,13 @@ public class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
String dataSource = null;
String key = null;
Object source = null;
+ String userServiceRef = null;
if (element != null) {
tokenRepository = element.getAttribute(ATT_TOKEN_REPOSITORY);
dataSource = element.getAttribute(ATT_DATA_SOURCE);
key = element.getAttribute(ATT_KEY);
+ userServiceRef = element.getAttribute(ATT_USER_SERVICE_REF);
source = parserContext.extractSource(element);
}
@@ -84,6 +88,10 @@ public class RememberMeBeanDefinitionParser implements BeanDefinitionParser {
services.setSource(source);
provider.setSource(source);
+ if (StringUtils.hasText(userServiceRef)) {
+ services.getPropertyValues().addPropertyValue("userDetailsService", new RuntimeBeanReference(userServiceRef));
+ }
+
provider.getPropertyValues().addPropertyValue(ATT_KEY, key);
services.getPropertyValues().addPropertyValue(ATT_KEY, key);
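Review bot: The new `if (StringUtils.hasText(userServiceRef))` branch has no comment saying which UserDetailsService the remember-me services receive when the attribute is omitted. Nothing in this hunk sets one, so that presumably happens elsewhere in the parser or in a post-processor. Because this service loads the account on cookie-based auto-login, I would add a comment above the `if`, for example `// Optional override; should resolve the same accounts (including locked/disabled state) as the UserDetailsService used for interactive login`. The property name `"userDetailsService"` is also a bare literal where the adjacent lines pass a constant (`ATT_KEY`); a `static final` for it would be consistent. parse() starts and ends outside this hunk.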
diff --git a/core/src/main/java/org/springframework/security/ui/FilterChainOrder.java b/core/src/main/java/org/springframework/security/ui/FilterChainOrder.java
index e6d5efa87f..5d45030a25 100644
--- a/core/src/main/java/org/springframework/security/ui/FilterChainOrder.java
+++ b/core/src/main/java/org/springframework/security/ui/FilterChainOrder.java
@@ -1,6 +1,5 @@
package org.springframework.security.ui;
-import org.springframework.core.Ordered;
import org.springframework.util.Assert;
import java.util.Map;
@@ -53,6 +52,7 @@ public abstract class FilterChainOrder {
filterNameToOrder.put("PRE_AUTH_FILTER", new Integer(PRE_AUTH_FILTER));
filterNameToOrder.put("CAS_PROCESSING_FILTER", new Integer(CAS_PROCESSING_FILTER));
filterNameToOrder.put("AUTHENTICATION_PROCESSING_FILTER", new Integer(AUTHENTICATION_PROCESSING_FILTER));
+ filterNameToOrder.put("OPENID_PROCESSING_FILTER", new Integer(OPENID_PROCESSING_FILTER));
filterNameToOrder.put("BASIC_PROCESSING_FILTER", new Integer(BASIC_PROCESSING_FILTER));
filterNameToOrder.put("SERVLET_API_SUPPORT_FILTER", new Integer(SERVLET_API_SUPPORT_FILTER));
filterNameToOrder.put("REMEMBER_ME_FILTER", new Integer(REMEMBER_ME_FILTER));
diff --git a/core/src/main/resources/org/springframework/security/config/spring-security-2.0.rnc b/core/src/main/resources/org/springframework/security/config/spring-security-2.0.rnc
index c0a7545a57..ba574adb9f 100644
--- a/core/src/main/resources/org/springframework/security/config/spring-security-2.0.rnc
+++ b/core/src/main/resources/org/springframework/security/config/spring-security-2.0.rnc
@@ -319,6 +319,8 @@ remember-me =
element remember-me {remember-me.attlist}
remember-me.attlist &=
(attribute key {xsd:string} | (attribute token-repository-ref {xsd:string} | attribute data-source-ref {xsd:string}))
+remember-me.attlist &=
+ user-service-ref?
anonymous =
## Adds support for automatically granting all anonymous web requests a particular principal identity and a corresponding granted authority.
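Review bot: The context line above the addition declares `attribute data-source-ref`, but the parser touched by this same commit defines `ATT_DATA_SOURCE = "data-source"`, so a schema-valid `data-source-ref` would come back empty from `element.getAttribute(ATT_DATA_SOURCE)`. If so, a configuration asking for a data-source-backed token store would presumably fall through to whatever the parser does when no data source is given, without an error. It is worth aligning the constant to `"data-source-ref"` while this attribute list is being changed. The added `user-service-ref?` line has no `##` annotation in this context; unless the named pattern already carries one, a short note that it selects the UserDetailsService used for remember-me auto-login would help.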
diff --git a/core/src/main/resources/org/springframework/security/config/spring-security-2.0.xsd b/core/src/main/resources/org/springframework/security/config/spring-security-2.0.xsd
index ffb9f6fd90..b2ad905700 100644
--- a/core/src/main/resources/org/springframework/security/config/spring-security-2.0.xsd
+++ b/core/src/main/resources/org/springframework/security/config/spring-security-2.0.xsd
@@ -1,1239 +1,1238 @@
-
-
-
-
- Defines the hashing algorithm used on user passwords. We recommend
- strongly against using MD4, as it is a very weak hashing algorithm.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Whether a string should be base64 encoded
-
-
-
-
-
-
-
-
-
-
-
-
- Defines the type of pattern used to specify URL paths (either JDK
- 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to
- "ant" if unspecified.
-
-
-
-
-
-
-
-
-
-
-
-
- Specifies an IP port number. Used to configure an embedded LDAP
- server, for example.
-
-
-
-
-
-
- Specifies a URL.
-
-
-
-
-
-
- A bean identifier, used for referring to the bean elsewhere in the
- context.
-
-
-
-
-
-
- Defines a reference to a Spring bean Id.
-
-
-
-
-
-
- Defines a reference to a cache for use with a UserDetailsService.
-
-
-
-
-
-
- A reference to a user-service (or UserDetailsService bean) Id
-
-
-
-
-
-
-
- Defines a reference to a Spring bean Id.
-
-
-
-
- Defines the hashing algorithm used on user passwords. We recommend
- strongly against using MD4, as it is a very weak hashing algorithm.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Whether a string should be base64 encoded
-
-
-
-
-
-
-
-
-
-
-
-
-
- A property of the UserDetails object which will be used as salt by
- a password encoder. Typically something like "username" might be used.
-
-
-
-
-
-
- A single value that will be used as the salt for a password
- encoder.
-
-
-
-
-
- Defines an LDAP server location or starts an embedded server. The url
- indicates the location of a remote server. If no url is given, an embedded server
- will be started, listening on the supplied port number. The port is optional and
- defaults to 33389. A Spring LDAP ContextSource bean will be registered for the
- server with the id supplied.
-
-
-
-
-
-
-
-
- A bean identifier, used for referring to the bean elsewhere in the
- context.
-
-
-
-
- Specifies a URL.
-
-
-
-
- Specifies an IP port number. Used to configure an embedded LDAP
- server, for example.
-
-
-
-
- Username (DN) of the "manager" user identity which will be used to
- authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will
- be used.
-
-
-
-
-
- Explicitly specifies an ldif file resource to load into an
- embedded LDAP server
-
-
-
-
- Optional root suffix for the embedded LDAP server. Default is
- "dc=springframework,dc=org"
-
-
-
-
-
-
- The optional server to use. If omitted, and a default LDAP server
- is registered (using <ldap-server> with no Id), that server will
- be used.
-
-
-
-
-
-
- Group search filter. Defaults to (uniqueMember={0}). The
- substituted parameter is the DN of the user.
-
-
-
-
-
-
- Search base for group membership searches. Defaults to
- "ou=groups".
-
-
-
-
-
-
-
-
-
- Search base for user searches. Defaults to "".
-
-
-
-
-
-
- The LDAP attribute name which contains the role name which will be
- used within Spring Security. Defaults to "cn".
-
-
-
-
-
-
-
-
-
-
-
- A bean identifier, used for referring to the bean elsewhere in the
- context.
-
-
-
-
- The optional server to use. If omitted, and a default LDAP server
- is registered (using <ldap-server> with no Id), that server will
- be used.
-
-
-
-
-
-
- Group search filter. Defaults to (uniqueMember={0}). The
- substituted parameter is the DN of the user.
-
-
-
-
- Search base for group membership searches. Defaults to
- "ou=groups".
-
-
-
-
- The LDAP attribute name which contains the role name which will be
- used within Spring Security. Defaults to "cn".
-
-
-
-
- Defines a reference to a cache for use with a UserDetailsService.
-
-
-
-
-
- Sets up an ldap authentication provider
-
-
-
-
-
-
-
-
-
-
-
- The optional server to use. If omitted, and a default LDAP server
- is registered (using <ldap-server> with no Id), that server will
- be used.
-
-
-
-
-
-
- Search base for group membership searches. Defaults to
- "ou=groups".
-
-
-
-
- Group search filter. Defaults to (uniqueMember={0}). The
- substituted parameter is the DN of the user.
-
-
-
-
- The LDAP attribute name which contains the role name which will be
- used within Spring Security. Defaults to "cn".
-
-
-
-
- A specific pattern used to build the user's DN, for example
- "uid={0},ou=people". The key "{0}" must be present and will be substituted with
- the username.
-
-
-
-
-
- Specifies that an LDAP provider should use an LDAP compare operation
- of the user's password to authenticate the user
-
-
-
-
-
- element which defines a password encoding strategy. Used
- by an authentication provider to convert submitted passwords to hashed
- versions, for example.
-
-
-
-
-
-
-
- A property of the UserDetails object
- which will be used as salt by a password encoder.
- Typically something like "username" might be used.
-
-
-
-
- A single value that will be used as
- the salt for a password encoder.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- The attribute in the directory which contains the user password.
- Defaults to "userPassword".
-
-
-
-
- Defines the hashing algorithm used on user passwords. We recommend
- strongly against using MD4, as it is a very weak hashing algorithm.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Can be used inside a bean definition to add a security interceptor to
- the bean and set up access configuration attributes for the bean's methods
-
-
-
-
-
-
-
-
-
-
-
- Optional AccessDecisionManager bean ID to be used by the created
- method security interceptor.
-
-
-
-
-
- Defines a protected method and the access control configuration
- attributes that apply to it. We strongly advise you NOT to mix "protect"
- declarations with any services provided "global-method-security".
-
-
-
-
-
-
-
-
- A method name
-
-
-
-
- Access configuration attributes list that applies to the method,
- e.g. "ROLE_A,ROLE_B".
-
-
-
-
-
- Provides method security for all beans registered in the Spring
- application context. Specifically, beans will be scanned for Spring Security
- annotations and/or matches with the ordered list of "protect-pointcut" sub-elements.
- Where there is a match, the beans will automatically be proxied and security
- authorization applied to the methods accordingly. If you use and enable all three
- sources of method security metadata (ie "protect-pointcut" declarations, @Secured
- and also JSR 250 security annotations), the metadata sources will be queried in that
- order. In practical terms, this enables you to use XML to override method security
- metadata expressed by way of @Secured annotations, with @Secured annotations
- overriding method security metadata expressed by JSR 250 annotations. It is
- perfectly acceptable to mix and match, with a given Java type using a combination of
- XML, @Secured and JSR 250 to express method security metadata (albeit on different
- methods).
-
-
-
-
-
- Defines a protected pointcut and the access control
- configuration attributes that apply to it. Every bean registered in the
- Spring application context that provides a method that matches the
- pointcut will receive security authorization.
-
-
-
-
-
-
-
-
-
-
-
-
- Specifies whether the use of Spring Security's @Secured
- annotations should be enabled for this application context. Please ensure you
- have the spring-security-tiger-xxx.jar on the classpath. Defaults to "disabled".
-
-
-
-
-
-
-
-
-
-
- Specifies whether JSR-250 style attributes are to be used (for
- example "RolesAllowed"). This will require the javax.annotation.security classes
- on the classpath. Defaults to "disabled".
-
-
-
-
-
-
-
-
-
-
- Optional AccessDecisionManager bean ID to override the default
- used for method security.
-
-
-
-
-
-
-
- An AspectJ expression, including the 'execution' keyword. For
- example, 'execution(int com.foo.TargetObject.countLength(String))' (without the
- quotes).
-
-
-
-
- Access configuration attributes list that applies to all methods
- matching the pointcut, e.g. "ROLE_A,ROLE_B"
-
-
-
-
-
- Container element for HTTP security configuration
-
-
-
-
-
- Specifies the access attributes and/or filter list for a
- particular set of URLs.
-
-
-
-
-
-
-
- Sets up a form login configuration for authentication with
- a username and password
-
-
-
-
-
-
-
-
- Adds support for X.509 client authentication.
-
-
-
-
-
-
-
- Adds support for basic authentication (this is an element
- to permit future expansion, such as supporting an "ignoreFailure"
- attribute)
-
-
-
-
-
- Incorporates a logout processing filter. Most web
- applications require a logout filter, although you may not require one
- if you write a controller to provider similar logic.
-
-
-
-
-
-
-
- Adds support for concurrent session control, allowing
- limits to be placed on the number of sessions a user can have.
-
-
-
-
-
-
-
-
-
-
-
-
- Adds support for automatically granting all anonymous web
- requests a particular principal identity and a corresponding granted
- authority.
-
-
-
-
-
-
-
- Defines the list of mappings between http and https ports
- for use in redirects
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Automatically registers a login form, BASIC authentication,
- anonymous authentication, logout services, remember-me and
- servlet-api-integration. If set to "true", all of these capabilities are added
- (although you can still customize the configuration of each by providing the
- respective element). If unspecified, defaults to "false".
-
-
-
-
-
-
-
-
-
-
- Controls the eagerness with which an HTTP session is created. If
- not set, defaults to "ifRequired".
-
-
-
-
-
-
-
-
-
-
-
- Defines the type of pattern used to specify URL paths (either JDK
- 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to
- "ant" if unspecified.
-
-
-
-
-
-
-
-
-
-
- Whether test URLs should be converted to lower case prior to
- comparing with defined path patterns. If unspecified, defaults to "true".
-
-
-
-
-
-
-
-
-
-
- Provides versions of HttpServletRequest security methods such as
- isUserInRole() and getPrincipal() which are implemented by accessing the Spring
- SecurityContext. Defaults to "true".
-
-
-
-
-
-
-
-
-
-
- Optional attribute specifying the ID of the AccessDecisionManager
- implementation which should be used for authorizing HTTP requests.
-
-
-
-
- Optional attribute specifying the realm name that will be used for
- all authentication features that require a realm name (eg BASIC and Digest
- authentication). If unspecified, defaults to "Spring Security Application".
-
-
-
-
- Indicates whether an existing session should be invalidated when a
- user authenticates and a new session started. If set to "none" no change will be
- made. "newSession" will create a new empty session. "migrateSession" will create
- a new session and copy the session attributes to the new session. Defaults to
- "migrateSession".
-
-
-
-
-
-
-
-
-
-
-
- Allows a customized AuthenticationEntryPoint to be used.
-
-
-
-
-
-
-
- The pattern which defines the URL path. The content will depend on
- the type set in the containing http element, so will default to ant path syntax.
-
-
-
-
- The access configuration attributes that apply for the configured
- path.
-
-
-
-
- The HTTP Method for which the access configuration attributes
- should apply. If not specified, the attributes will apply to any method.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- The filter list for the path. Currently can be set to "none" to
- remove a path from having any filters applied. The full filter stack (consisting
- of all defined filters, will be applied to any other paths).
-
-
-
-
-
-
-
-
-
- Used to specify that a URL must be accessed over http or https
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Specifies the URL that will cause a logout. Spring Security will
- initialize a filter that responds to this particular URL. Defaults to
- /j_spring_security_logout if unspecified.
-
-
-
-
- Specifies the URL to display once the user has logged out. If not
- specified, defaults to /.
-
-
-
-
- Specifies whether a logout also causes HttpSession invalidation,
- which is generally desirable. If unspecified, defaults to true.
-
-
-
-
-
-
-
-
-
-
-
-
-
- The URL that the login form is posted to. If unspecified, it
- defaults to /j_spring_security_check.
-
-
-
-
- The URL that will be redirected to after successful
- authentication, if the user's previous action could not be resumed. This
- generally happens if the user visits a login page without having first requested
- a secured operation that triggers authentication. If unspecified, defaults to
- the root of the application.
-
-
-
-
- The URL for the login page. If no login URL is specified, Spring
- Security will automatically create a login URL at /spring_security_login and a
- corresponding filter to render that login URL when requested.
-
-
-
-
- The URL for the login failure page. If no login failure URL is
- specified, Spring Security will automatically create a failure login URL at
- /spring_security_login?login_error and a corresponding filter to render that
- login failure URL when requested.
-
-
-
-
-
- Sets up form login for authentication with an Open ID identity
-
-
-
-
-
- A reference to a user-service (or UserDetailsService bean) Id
-
-
-
-
-
-
- Used to explicitly configure a FilterChainProxy instance with a
- FilterChainMap
-
-
-
-
-
- Used within filter-chain-map to define a specific URL
- pattern and the list of filters which apply to the URLs matching that
- pattern. When multiple filter-chain elements are used within a
- filter-chain-map element, the most specific patterns must be placed at
- the top of the list, with most general ones at the bottom.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Used to explicitly configure a FilterInvocationDefinitionSource bean
- for use with a FilterSecurityInterceptor. Usually only needed if you are configuring
- a FilterChainProxy explicitly, rather than using the <http> element.
- The intercept-url elements used should only contain pattern, method and access
- attributes. Any others will result in a configuration error.
-
-
-
-
-
- Specifies the access attributes and/or filter list for a
- particular set of URLs.
-
-
-
-
-
-
-
-
-
-
-
-
- A bean identifier, used for referring to the bean elsewhere in the
- context.
-
-
-
-
- as for http element
-
-
-
-
-
-
-
-
-
-
- Defines the type of pattern used to specify URL paths (either JDK
- 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to
- "ant" if unspecified.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Allows you to define an alias for the SessionRegistry bean in
- order to access it in your own configuration
-
-
-
-
-
-
-
-
-
-
-
-
-
- The key shared between the provider and filter. This generally
- does not need to be set. If unset, it will default to "doesNotMatter".
-
-
-
-
- The username that should be assigned to the anonymous request.
- This allows the principal to be identified, which may be important for logging
- and auditing. if unset, defaults to "anonymousUser".
-
-
-
-
- The granted authority that should be assigned to the anonymous
- request. Commonly this is used to assign the anonymous request particular roles,
- which can subsequently be used in authorization decisions. If unset, defaults to
- "ROLE_ANONYMOUS".
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- The regular expression used to obtain the username from the
- certificate's subject. Defaults to matching on the common name using the pattern
- "CN=(.*?),".
-
-
-
-
- A reference to a user-service (or UserDetailsService bean) Id
-
-
-
-
-
- If you are using namespace configuration with Spring Security, an
- AuthenticationManager will automatically be registered. This element simple allows
- you to define an alias to allow you to reference the authentication-manager in your
- own beans.
-
-
-
-
-
-
-
- The alias you wish to use for the AuthenticationManager bean
-
-
-
-
-
- Indicates that the contained user-service should be used as an
- authentication source.
-
-
-
-
-
-
- element which defines a password encoding strategy. Used
- by an authentication provider to convert submitted passwords to hashed
- versions, for example.
-
-
-
-
-
-
-
- A property of the UserDetails object
- which will be used as salt by a password encoder.
- Typically something like "username" might be used.
-
-
-
-
- A single value that will be used as
- the salt for a password encoder.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- A reference to a user-service (or UserDetailsService bean) Id
-
-
-
-
-
-
-
-
- Creates an in-memory UserDetailsService from a properties file or a
- list of "user" child elements.
-
-
-
-
-
-
-
- A bean identifier, used for referring to the bean elsewhere in
- the context.
-
-
-
-
-
-
-
-
-
-
- Represents a user in the application.
-
-
-
-
-
-
-
-
- The username assigned to the user.
-
-
-
-
- The password assigned to the user. This may be hashed if the
- corresponding authentication provider supports hashing (remember to set the
- "hash" attribute of the "user-service" element).
-
-
-
-
- One of more authorities granted to the user. Separate authorities
- with a comma (but no space). For example, "ROLE_USER,ROLE_ADMINISTRATOR"
-
-
-
-
- Can be set to "true" to mark an account as locked and unusable.
-
-
-
-
-
-
-
-
-
-
-
- Causes creation of a JDBC-based UserDetailsService.
-
-
-
-
- A bean identifier, used for referring to the bean elsewhere in
- the context.
-
-
-
-
-
-
-
-
- The bean ID of the DataSource which provides the required tables.
-
-
-
-
- Defines a reference to a cache for use with a UserDetailsService.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Used to indicate that a filter bean declaration should be incorporated
- into the security filter chain. If neither the 'after' or 'before' options are
- supplied, then the filter must implement the Ordered interface directly.
-
-
-
-
- The filter immediately after which the custom-filter should be
- placed in the chain. This feature will only be needed by advanced users who
- wish to mix their own filters into the security filter chain and have some
- knowledge of the standard Spring Security filters. The filter names map to
- specific Spring Security implementation filters.
-
-
-
-
- The filter immediately before which the custom-filter should
- be placed in the chain
-
-
-
-
-
-
-
- The filter immediately after which the custom-filter should be
- placed in the chain. This feature will only be needed by advanced users who wish
- to mix their own filters into the security filter chain and have some knowledge
- of the standard Spring Security filters. The filter names map to specific Spring
- Security implementation filters.
-
-
-
-
-
-
- The filter immediately before which the custom-filter should be
- placed in the chain
-
-
-
-
+ xmlns:security="http://www.springframework.org/schema/security" elementFormDefault="qualified"
+ targetNamespace="http://www.springframework.org/schema/security">
+
+
+
+ Defines the hashing algorithm used on user passwords. We recommend
+ strongly against using MD4, as it is a very weak hashing algorithm.
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
-
+
+
+
+
+
+
+ Whether a string should be base64 encoded
+
+
+
+
+
+
+
+
+
+
+
+
+ Defines the type of pattern used to specify URL paths (either JDK
+ 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if
+ unspecified.
+
+
+
+
+
+
+
+
+
+
+
+
+ Specifies an IP port number. Used to configure an embedded LDAP server,
+ for example.
+
+
+
+
+
+
+ Specifies a URL.
+
+
+
+
+
+
+ A bean identifier, used for referring to the bean elsewhere in the
+ context.
+
+
+
+
+
+
+ Defines a reference to a Spring bean Id.
+
+
+
+
+
+
+ Defines a reference to a cache for use with a
+ UserDetailsService.
+
+
+
+
+
+
+ A reference to a user-service (or UserDetailsService bean)
+ Id
+
+
+
+
+
+
+ Defines a reference to a Spring bean Id.
+
+
+
+
+ Defines the hashing algorithm used on user passwords. We recommend
+ strongly against using MD4, as it is a very weak hashing algorithm.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Whether a string should be base64 encoded
+
+
+
+
+
+
+
+
+
+
+
+
+ A property of the UserDetails object which will be used as salt by a
+ password encoder. Typically something like "username" might be used.
+
+
+
+
+
+
+ A single value that will be used as the salt for a password encoder.
+
+
+
+
+
+
+ Defines an LDAP server location or starts an embedded server. The url
+ indicates the location of a remote server. If no url is given, an embedded server will be
+ started, listening on the supplied port number. The port is optional and defaults to 33389.
+ A Spring LDAP ContextSource bean will be registered for the server with the id supplied.
+
+
+
+
+
+
+
+
+
+ A bean identifier, used for referring to the bean elsewhere in the
+ context.
+
+
+
+
+ Specifies a URL.
+
+
+
+
+ Specifies an IP port number. Used to configure an embedded LDAP server,
+ for example.
+
+
+
+
+ Username (DN) of the "manager" user identity which will be used to
+ authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be used.
+
+
+
+
+
+
+ Explicitly specifies an ldif file resource to load into an embedded LDAP
+ server
+
+
+
+
+ Optional root suffix for the embedded LDAP server. Default is
+ "dc=springframework,dc=org"
+
+
+
+
+
+
+ The optional server to use. If omitted, and a default LDAP server is
+ registered (using <ldap-server> with no Id), that server will be used.
+
+
+
+
+
+
+
+ Group search filter. Defaults to (uniqueMember={0}). The substituted
+ parameter is the DN of the user.
+
+
+
+
+
+
+ Search base for group membership searches. Defaults to
+ "ou=groups".
+
+
+
+
+
+
+
+
+
+ Search base for user searches. Defaults to "".
+
+
+
+
+
+
+ The LDAP attribute name which contains the role name which will be used
+ within Spring Security. Defaults to "cn".
+
+
+
+
+
+
+
+
+
+
+
+ A bean identifier, used for referring to the bean elsewhere in the
+ context.
+
+
+
+
+ The optional server to use. If omitted, and a default LDAP server is
+ registered (using <ldap-server> with no Id), that server will be used.
+
+
+
+
+
+
+
+ Group search filter. Defaults to (uniqueMember={0}). The substituted
+ parameter is the DN of the user.
+
+
+
+
+ Search base for group membership searches. Defaults to
+ "ou=groups".
+
+
+
+
+ The LDAP attribute name which contains the role name which will be used
+ within Spring Security. Defaults to "cn".
+
+
+
+
+ Defines a reference to a cache for use with a
+ UserDetailsService.
+
+
+
+
+
+ Sets up an ldap authentication provider
+
+
+
+
+
+
+
+
+
+
+
+ The optional server to use. If omitted, and a default LDAP server is
+ registered (using <ldap-server> with no Id), that server will be used.
+
+
+
+
+
+
+
+ Search base for group membership searches. Defaults to
+ "ou=groups".
+
+
+
+
+ Group search filter. Defaults to (uniqueMember={0}). The substituted
+ parameter is the DN of the user.
+
+
+
+
+ The LDAP attribute name which contains the role name which will be used
+ within Spring Security. Defaults to "cn".
+
+
+
+
+ A specific pattern used to build the user's DN, for example
+ "uid={0},ou=people". The key "{0}" must be present and will be substituted with the
+ username.
+
+
+
+
+
+ Specifies that an LDAP provider should use an LDAP compare operation of the
+ user's password to authenticate the user
+
+
+
+
+
+ element which defines a password encoding strategy. Used by an
+ authentication provider to convert submitted passwords to hashed versions, for
+ example.
+
+
+
+
+
+
+
+ A property of the UserDetails object which will be used as
+ salt by a password encoder. Typically something like "username" might be
+ used.
+
+
+
+
+ A single value that will be used as the salt for a password
+ encoder.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The attribute in the directory which contains the user password. Defaults
+ to "userPassword".
+
+
+
+
+ Defines the hashing algorithm used on user passwords. We recommend
+ strongly against using MD4, as it is a very weak hashing algorithm.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Can be used inside a bean definition to add a security interceptor to the
+ bean and set up access configuration attributes for the bean's methods
+
+
+
+
+
+
+
+
+
+
+
+ Optional AccessDecisionManager bean ID to be used by the created method
+ security interceptor.
+
+
+
+
+
+ Defines a protected method and the access control configuration attributes
+ that apply to it. We strongly advise you NOT to mix "protect" declarations with any services
+ provided "global-method-security".
+
+
+
+
+
+
+
+
+ A method name
+
+
+
+
+ Access configuration attributes list that applies to the method, e.g.
+ "ROLE_A,ROLE_B".
+
+
+
+
+
+ Provides method security for all beans registered in the Spring application
+ context. Specifically, beans will be scanned for Spring Security annotations and/or matches
+ with the ordered list of "protect-pointcut" sub-elements. Where there is a match, the beans
+ will automatically be proxied and security authorization applied to the methods accordingly.
+ If you use and enable all three sources of method security metadata (ie "protect-pointcut"
+ declarations, @Secured and also JSR 250 security annotations), the metadata sources will be
+ queried in that order. In practical terms, this enables you to use XML to override method
+ security metadata expressed by way of @Secured annotations, with @Secured annotations
+ overriding method security metadata expressed by JSR 250 annotations. It is perfectly
+ acceptable to mix and match, with a given Java type using a combination of XML, @Secured and
+ JSR 250 to express method security metadata (albeit on different
+ methods).
+
+
+
+
+
+ Defines a protected pointcut and the access control configuration
+ attributes that apply to it. Every bean registered in the Spring application context
+ that provides a method that matches the pointcut will receive security
+ authorization.
+
+
+
+
+
+
+
+
+
+
+
+
+ Specifies whether the use of Spring Security's @Secured annotations should
+ be enabled for this application context. Please ensure you have the
+ spring-security-tiger-xxx.jar on the classpath. Defaults to "disabled".
+
+
+
+
+
+
+
+
+
+
+ Specifies whether JSR-250 style attributes are to be used (for example
+ "RolesAllowed"). This will require the javax.annotation.security classes on the classpath.
+ Defaults to "disabled".
+
+
+
+
+
+
+
+
+
+
+ Optional AccessDecisionManager bean ID to override the default used for
+ method security.
+
+
+
+
+
+
+ An AspectJ expression, including the 'execution' keyword. For example,
+ 'execution(int com.foo.TargetObject.countLength(String))' (without the
+ quotes).
+
+
+
+
+ Access configuration attributes list that applies to all methods matching
+ the pointcut, e.g. "ROLE_A,ROLE_B"
+
+
+
+
+
+ Container element for HTTP security configuration
+
+
+
+
+
+ Specifies the access attributes and/or filter list for a particular
+ set of URLs.
+
+
+
+
+
+
+
+ Sets up a form login configuration for authentication with a username
+ and password
+
+
+
+
+
+
+
+
+ Adds support for X.509 client authentication.
+
+
+
+
+
+
+
+ Adds support for basic authentication (this is an element to permit
+ future expansion, such as supporting an "ignoreFailure" attribute)
+
+
+
+
+
+ Incorporates a logout processing filter. Most web applications require
+ a logout filter, although you may not require one if you write a controller to
+ provider similar logic.
+
+
+
+
+
+
+
+ Adds support for concurrent session control, allowing limits to be
+ placed on the number of sessions a user can have.
+
+
+
+
+
+
+
+
+
+
+
+
+ Adds support for automatically granting all anonymous web requests a
+ particular principal identity and a corresponding granted
+ authority.
+
+
+
+
+
+
+
+ Defines the list of mappings between http and https ports for use in
+ redirects
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Automatically registers a login form, BASIC authentication, anonymous
+ authentication, logout services, remember-me and servlet-api-integration. If set to
+ "true", all of these capabilities are added (although you can still customize the
+ configuration of each by providing the respective element). If unspecified, defaults to
+ "false".
+
+
+
+
+
+
+
+
+
+
+ Controls the eagerness with which an HTTP session is created. If not set,
+ defaults to "ifRequired".
+
+
+
+
+
+
+
+
+
+
+
+ Defines the type of pattern used to specify URL paths (either JDK
+ 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if
+ unspecified.
+
+
+
+
+
+
+
+
+
+
+ Whether test URLs should be converted to lower case prior to comparing
+ with defined path patterns. If unspecified, defaults to "true".
+
+
+
+
+
+
+
+
+
+
+ Provides versions of HttpServletRequest security methods such as
+ isUserInRole() and getPrincipal() which are implemented by accessing the Spring
+ SecurityContext. Defaults to "true".
+
+
+
+
+
+
+
+
+
+
+ Optional attribute specifying the ID of the AccessDecisionManager
+ implementation which should be used for authorizing HTTP requests.
+
+
+
+
+ Optional attribute specifying the realm name that will be used for all
+ authentication features that require a realm name (eg BASIC and Digest authentication). If
+ unspecified, defaults to "Spring Security Application".
+
+
+
+
+ Indicates whether an existing session should be invalidated when a user
+ authenticates and a new session started. If set to "none" no change will be made.
+ "newSession" will create a new empty session. "migrateSession" will create a new session
+ and copy the session attributes to the new session. Defaults to
+ "migrateSession".
+
+
+
+
+
+
+
+
+
+
+
+ Allows a customized AuthenticationEntryPoint to be
+ used.
+
+
+
+
+
+
+ The pattern which defines the URL path. The content will depend on the
+ type set in the containing http element, so will default to ant path
+ syntax.
+
+
+
+
+ The access configuration attributes that apply for the configured
+ path.
+
+
+
+
+ The HTTP Method for which the access configuration attributes should
+ apply. If not specified, the attributes will apply to any method.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The filter list for the path. Currently can be set to "none" to remove a
+ path from having any filters applied. The full filter stack (consisting of all defined
+ filters, will be applied to any other paths).
+
+
+
+
+
+
+
+
+
+ Used to specify that a URL must be accessed over http or
+ https
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Specifies the URL that will cause a logout. Spring Security will
+ initialize a filter that responds to this particular URL. Defaults to
+ /j_spring_security_logout if unspecified.
+
+
+
+
+ Specifies the URL to display once the user has logged out. If not
+ specified, defaults to /.
+
+
+
+
+ Specifies whether a logout also causes HttpSession invalidation, which is
+ generally desirable. If unspecified, defaults to true.
+
+
+
+
+
+
+
+
+
+
+
+
+ The URL that the login form is posted to. If unspecified, it defaults to
+ /j_spring_security_check.
+
+
+
+
+ The URL that will be redirected to after successful authentication, if the
+ user's previous action could not be resumed. This generally happens if the user visits a
+ login page without having first requested a secured operation that triggers
+ authentication. If unspecified, defaults to the root of the
+ application.
+
+
+
+
+ The URL for the login page. If no login URL is specified, Spring Security
+ will automatically create a login URL at /spring_security_login and a corresponding filter
+ to render that login URL when requested.
+
+
+
+
+ The URL for the login failure page. If no login failure URL is specified,
+ Spring Security will automatically create a failure login URL at
+ /spring_security_login?login_error and a corresponding filter to render that login failure
+ URL when requested.
+
+
+
+
+
+ Sets up form login for authentication with an Open ID
+ identity
+
+
+
+
+
+ A reference to a user-service (or UserDetailsService bean)
+ Id
+
+
+
+
+
+
+ Used to explicitly configure a FilterChainProxy instance with a
+ FilterChainMap
+
+
+
+
+
+ Used within filter-chain-map to define a specific URL pattern and the
+ list of filters which apply to the URLs matching that pattern. When multiple
+ filter-chain elements are used within a filter-chain-map element, the most specific
+ patterns must be placed at the top of the list, with most general ones at the
+ bottom.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Used to explicitly configure a FilterInvocationDefinitionSource bean for use
+ with a FilterSecurityInterceptor. Usually only needed if you are configuring a
+ FilterChainProxy explicitly, rather than using the <http> element. The
+ intercept-url elements used should only contain pattern, method and access attributes. Any
+ others will result in a configuration error.
+
+
+
+
+
+ Specifies the access attributes and/or filter list for a particular
+ set of URLs.
+
+
+
+
+
+
+
+
+
+
+
+
+ A bean identifier, used for referring to the bean elsewhere in the
+ context.
+
+
+
+
+ as for http element
+
+
+
+
+
+
+
+
+
+
+ Defines the type of pattern used to specify URL paths (either JDK
+ 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if
+ unspecified.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Allows you to define an alias for the SessionRegistry bean in order to
+ access it in your own configuration
+
+
+
+
+
+
+
+
+
+ A reference to a user-service (or UserDetailsService bean)
+ Id
+
+
+
+
+
+
+ The key shared between the provider and filter. This generally does not
+ need to be set. If unset, it will default to "doesNotMatter".
+
+
+
+
+ The username that should be assigned to the anonymous request. This allows
+ the principal to be identified, which may be important for logging and auditing. if unset,
+ defaults to "anonymousUser".
+
+
+
+
+ The granted authority that should be assigned to the anonymous request.
+ Commonly this is used to assign the anonymous request particular roles, which can
+ subsequently be used in authorization decisions. If unset, defaults to
+ "ROLE_ANONYMOUS".
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The regular expression used to obtain the username from the certificate's
+ subject. Defaults to matching on the common name using the pattern
+ "CN=(.*?),".
+
+
+
+
+ A reference to a user-service (or UserDetailsService bean)
+ Id
+
+
+
+
+
+ If you are using namespace configuration with Spring Security, an
+ AuthenticationManager will automatically be registered. This element simple allows you to
+ define an alias to allow you to reference the authentication-manager in your own beans.
+
+
+
+
+
+
+
+
+ The alias you wish to use for the AuthenticationManager
+ bean
+
+
+
+
+
+ Indicates that the contained user-service should be used as an
+ authentication source.
+
+
+
+
+
+
+ element which defines a password encoding strategy. Used by an
+ authentication provider to convert submitted passwords to hashed versions, for
+ example.
+
+
+
+
+
+
+
+ A property of the UserDetails object which will be used as
+ salt by a password encoder. Typically something like "username" might be
+ used.
+
+
+
+
+ A single value that will be used as the salt for a password
+ encoder.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ A reference to a user-service (or UserDetailsService bean)
+ Id
+
+
+
+
+
+
+
+
+ Creates an in-memory UserDetailsService from a properties file or a list of
+ "user" child elements.
+
+
+
+
+
+
+
+ A bean identifier, used for referring to the bean elsewhere in the
+ context.
+
+
+
+
+
+
+
+
+
+
+ Represents a user in the application.
+
+
+
+
+
+
+
+
+ The username assigned to the user.
+
+
+
+
+ The password assigned to the user. This may be hashed if the corresponding
+ authentication provider supports hashing (remember to set the "hash" attribute of the
+ "user-service" element).
+
+
+
+
+ One of more authorities granted to the user. Separate authorities with a
+ comma (but no space). For example, "ROLE_USER,ROLE_ADMINISTRATOR"
+
+
+
+
+ Can be set to "true" to mark an account as locked and
+ unusable.
+
+
+
+
+
+
+
+
+
+
+
+ Causes creation of a JDBC-based UserDetailsService.
+
+
+
+
+ A bean identifier, used for referring to the bean elsewhere in the
+ context.
+
+
+
+
+
+
+
+
+ The bean ID of the DataSource which provides the required
+ tables.
+
+
+
+
+ Defines a reference to a cache for use with a
+ UserDetailsService.
+
+
+
+
+
+
+
+
+
+
+
+ Used to indicate that a filter bean declaration should be incorporated into
+ the security filter chain. If neither the 'after' or 'before' options are supplied, then the
+ filter must implement the Ordered interface directly.
+
+
+
+
+ The filter immediately after which the custom-filter should be placed in
+ the chain. This feature will only be needed by advanced users who wish to mix their own
+ filters into the security filter chain and have some knowledge of the standard Spring
+ Security filters. The filter names map to specific Spring Security implementation
+ filters.
+
+
+
+
+ The filter immediately before which the custom-filter should be placed
+ in the chain
+
+
+
+
+
+
+
+ The filter immediately after which the custom-filter should be placed in
+ the chain. This feature will only be needed by advanced users who wish to mix their own
+ filters into the security filter chain and have some knowledge of the standard Spring
+ Security filters. The filter names map to specific Spring Security implementation filters.
+
+
+
+
+
+
+
+ The filter immediately before which the custom-filter should be placed in
+ the chain
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java b/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
index 97d9311c38..0c7b339b81 100644
--- a/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
+++ b/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
@@ -35,6 +35,7 @@ import org.springframework.security.ui.WebAuthenticationDetails;
import org.springframework.security.ui.basicauth.BasicProcessingFilter;
import org.springframework.security.ui.logout.LogoutFilter;
import org.springframework.security.ui.preauth.x509.X509PreAuthenticatedProcessingFilter;
+import org.springframework.security.ui.rememberme.AbstractRememberMeServices;
import org.springframework.security.ui.rememberme.PersistentTokenBasedRememberMeServices;
import org.springframework.security.ui.rememberme.RememberMeProcessingFilter;
import org.springframework.security.ui.webapp.AuthenticationProcessingFilter;
@@ -247,6 +248,17 @@ public class HttpSecurityBeanDefinitionParserTests {
assertTrue(rememberMeServices instanceof PersistentTokenBasedRememberMeServices);
}
+ @Test
+ public void rememberMeServiceConfigurationParsesWithCustomUserService() {
+ setContext(
+ "" +
+ " " +
+ "" +
+ " " + AUTH_PROVIDER_XML);
+// AbstractRememberMeServices rememberMeServices = (AbstractRememberMeServices) appContext.getBean(BeanIds.REMEMBER_ME_SERVICES);
+ }
+
@Test
public void x509SupportAddsFilterAtExpectedPosition() throws Exception {
setContext(
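Review bot: The added test `rememberMeServiceConfigurationParsesWithCustomUserService` asserts nothing: its only check is the commented-out `getBean` line, so it passes whenever the context starts, even if `user-service-ref` were ignored and remember-me used a different UserDetailsService. Because that reference decides which user store remember-me auto-login resolves accounts against, I would restore `AbstractRememberMeServices rememberMeServices = (AbstractRememberMeServices) appContext.getBean(BeanIds.REMEMBER_ME_SERVICES);` and assert that the service it holds is the bean named in the attribute. If no accessor is reachable from this test's package (not visible here), a comment such as `// parse-only: wiring of user-service-ref is not verified here` would at least state the coverage gap. The `AbstractRememberMeServices` import added in the earlier hunk of this file is unused while that line stays commented out.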