Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SEC-2291: Fix internal links within reference 

Instead of using xlink:href="# use linkend="
This commit is contained in:
Rob Winch 2013-08-28 00:59:02 -05:00
parent 69aac09e1d
commit 4761614c9f
24 changed files with 257 additions and 257 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
config/src/test/groovy/org/springframework/security/config/doc/XsdDocumentedTests.groovy
View File

@ -53,9 +53,9 @@ class XsdDocumentedTests extends Specification {
def id = delegate.@id.text().replace('-parents', '').replace('-children', '')
result.put(id,[])
delegate.children().breadthFirst().each { sectionChild ->
def href = sectionChild.@href.text()
def href = sectionChild.@linkend.text()
if(href) {
result.get(id).add(href[1..-1])
result.get(id).add(href)
}
}
}

8
docs/faq/src/docbook/faq.xml
View File

@ -286,7 +286,7 @@
<answer>
<para>
Note that the permissions for an LDAP directory often do not allow you to read the password
for a user. Hence it is often not possible to use the <link xlink:href="#faq-what-is-userdetailservice"><interfacename>UserDetailsService</interfacename>
for a user. Hence it is often not possible to use the <link linkend="faq-what-is-userdetailservice"><interfacename>UserDetailsService</interfacename>
approach</link> where Spring Security compares the stored password with the one submitted by the user.
The most common approach is to use LDAP <quote>bind</quote>, which is one of the operations
supported by <link xlink:href="http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol">the LDAP protocol</link>.
@ -656,7 +656,7 @@
a <interfacename>UserDetailsService</interfacename> to allow it to load
the password (and other data) for a user in order to compare it with the
submitted value. Note that if you are using LDAP,
<link xlink:href="#faq-ldap-authentication">this approach may not work</link>.</para>
<link linkend="faq-ldap-authentication">this approach may not work</link>.</para>
<para> If you want to customize the authentication process then you should
implement <interfacename>AuthenticationProvider</interfacename>
yourself. See this <link
@ -766,7 +766,7 @@
</question>
<answer>
<para>You can't (and shouldn't). You are probably misunderstanding its purpose.
See <quote><link xlink:href="#faq-what-is-userdetailservice">What is a UserDetailsService?</link></quote>
See <quote><link linkend="faq-what-is-userdetailservice">What is a UserDetailsService?</link></quote>
above.
</para>
</answer>
@ -909,7 +909,7 @@
>Spring Reference Manual</link>. In order to do this, you need to know a
bit about which beans are created, so you should also read the blog
article in the above question on <link
xlink:href="#faq-namespace-to-bean-mapping">how the namespace maps to
linkend="faq-namespace-to-bean-mapping">how the namespace maps to
Spring beans</link>. </para>
<para> Normally, you would add the functionality you require to the
<methodname>postProcessBeforeInitialization</methodname> method of

2
docs/manual/src/docbook/anon-auth-provider.xml
View File

@ -126,7 +126,7 @@
interceptor configuration replaced with <literal>IS_AUTHENTICATED_ANONYMOUSLY</literal>,
which is effectively the same thing when defining access controls. This is an example of
the use of the <classname>AuthenticatedVoter</classname> which we will see in the <link
xlink:href="#authz-authenticated-voter">authorization chapter</link>. It uses an
linkend="authz-authenticated-voter">authorization chapter</link>. It uses an
<interfacename>AuthenticationTrustResolver</interfacename> to process this particular
configuration attribute and grant access to anonymous users. The
<classname>AuthenticatedVoter</classname> approach is more powerful, since it allows you

4
docs/manual/src/docbook/appendix-db-schema.xml
View File

@ -58,7 +58,7 @@ create table group_members (
<section>
<title>Persistent Login (Remember-Me) Schema</title>
<para> This table is used to store data used by the more secure <link
xlink:href="#remember-me-persistent-token">persistent token</link> remember-me
linkend="remember-me-persistent-token">persistent token</link> remember-me
implementation. If you are using <classname>JdbcTokenRepositoryImpl</classname> either
directly or through the namespace, then you will need this table.
<programlisting xml:id="db-schema-remeber-me">
@ -71,7 +71,7 @@ create table persistent_logins (
</section>
<section xml:id="dbschema-acl">
<title>ACL Schema</title>
<para>There are four tables used by the Spring Security <link xlink:href="#domain-acls"
<para>There are four tables used by the Spring Security <link linkend="domain-acls"
>ACL</link> implementation. <orderedlist>
<listitem>
<para><literal>acl_sid</literal> stores the security identities recognised by the

296
docs/manual/src/docbook/appendix-namespace.xml
View File

@ -8,7 +8,7 @@
and information on the underlying beans they create (a knowledge of the individual classes
and how they work together is assumed - you can find more information in the project Javadoc
and elsewhere in this document). If you haven't used the namespace before, please read the
<link xlink:href="#ns-config">introductory chapter</link> on namespace configuration, as
<link linkend="ns-config">introductory chapter</link> on namespace configuration, as
this is intended as a supplement to the information there. Using a good quality XML editor
while editing a configuration based on the schema is recommended as this will provide
contextual information on which elements and attributes are available as well as comments
@ -33,11 +33,11 @@
created and the configuration within the element is used to build a filter chain within
<classname>FilterChainProxy</classname>. As of Spring Security 3.1, additional
<literal>http</literal> elements can be used to add extra filter chains <footnote>
<para>See the <link xlink:href="#ns-web-xml">introductory chapter</link> for how to set
<para>See the <link linkend="ns-web-xml">introductory chapter</link> for how to set
up the mapping from your <literal>web.xml</literal></para>
</footnote>. Some core filters are always created in a filter chain and others will be
added to the stack depending on the attributes and child elements which are present. The
positions of the standard filters are fixed (see <link xlink:href="#filter-stack">the
positions of the standard filters are fixed (see <link linkend="filter-stack">the
filter order table</link> in the namespace introduction), removing a common source of
errors with previous versions of the framework when users had to configure the filter
chain explicitly in the <classname>FilterChainProxy</classname> bean. You can, of course,
@ -45,7 +45,7 @@
<para> All filters which require a reference to the
<interfacename>AuthenticationManager</interfacename> will be automatically injected with
the internal instance created by the namespace configuration (see the <link
xlink:href="#ns-auth-manager">introductory chapter</link> for more on the
linkend="ns-auth-manager">introductory chapter</link> for more on the
<interfacename>AuthenticationManager</interfacename>). </para>
<para> Each <literal>&lt;http&gt;</literal> namespace block always creates an
<classname>SecurityContextPersistenceFilter</classname>, an
@ -67,7 +67,7 @@
</section>
<section xml:id="nsa-http-access-denied-page">
<title><literal>access-denied-page</literal></title>
<para> Deprecated in favour of the <link xlink:href="#nsa-access-denied-handler">access-denied-handler</link>
<para> Deprecated in favour of the <link linkend="nsa-access-denied-handler">access-denied-handler</link>
child element.</para>
</section>
<section xml:id="nsa-http-authentication-manager-ref">
@ -139,15 +139,15 @@
</section>
<section xml:id="nsa-http-path-type">
<title><literal>path-type</literal></title>
<para>Deprecated in favor of <link xlink:href="#nsa-http-request-matcher">request-matcher</link>.
<para>Deprecated in favor of <link linkend="nsa-http-request-matcher">request-matcher</link>.
</para>
</section>
<section xml:id="nsa-http-pattern">
<title><literal>pattern</literal></title>
<para>Defining a pattern for the <link xlink:href="#nsa-http">http</link> element controls the
<para>Defining a pattern for the <link linkend="nsa-http">http</link> element controls the
requests which will be filtered through the list of filters which it defines.
The interpretation is dependent on the configured <link
xlink:href="#nsa-http-request-matcher">request-matcher</link>. If no pattern is defined,
linkend="nsa-http-request-matcher">request-matcher</link>. If no pattern is defined,
all requests will be matched, so the most specific patterns should be declared
first.</para>
</section>
@ -165,9 +165,9 @@
currently <literal>ant</literal>, <literal>regex</literal> and
<literal>ciRegex</literal>, for ant, regular-expression and case-insensitive
regular-expression repsectively. A separate instance is created for each
<link xlink:href="#nsa-intercept-url">intercept-url</link> element using its
<link xlink:href="#nsa-intercept-url-pattern">pattern</link> and
<link xlink:href="#nsa-intercept-url-method">method</link> attributes. Ant paths
<link linkend="nsa-intercept-url">intercept-url</link> element using its
<link linkend="nsa-intercept-url-pattern">pattern</link> and
<link linkend="nsa-intercept-url-method">method</link> attributes. Ant paths
are matched using an <classname>AntPathRequestMatcher</classname> and regular expressions
are matched using a <classname>RegexRequestMatcher</classname>. See the Javadoc
for these classes for more details on exactly how the matching is preformed. Ant
@ -177,7 +177,7 @@
<title><literal>request-matcher-ref</literal></title>
<para>A referenece to a bean that implements <interfacename>RequestMatcher</interfacename> that
will determine if this <classname>FilterChain</classname> should be used. This is a more
powerful alternative to <link xlink:href="#nsa-http-pattern">pattern</link>.</para>
powerful alternative to <link linkend="nsa-http-pattern">pattern</link>.</para>
</section>
<section xml:id="nsa-http-security">
<title><literal>security</literal></title>
@ -202,30 +202,30 @@
<section xml:id="nsa-http-use-expressions">
<title><literal>use-expressions</literal></title>
<para>Enables EL-expressions in the <literal>access</literal> attribute, as
described in the chapter on <link xlink:href="#el-access-web">expression-based
described in the chapter on <link linkend="el-access-web">expression-based
access-control</link>.</para>
</section>
</section>
<section xml:id="nsa-http-children">
<title>Child Elements of &lt;http&gt;</title>
<itemizedlist>
<listitem><link xlink:href="#nsa-access-denied-handler">access-denied-handler</link></listitem>
<listitem><link xlink:href="#nsa-anonymous">anonymous</link></listitem>
<listitem><link xlink:href="#nsa-csrf">csrf</link></listitem>
<listitem><link xlink:href="#nsa-custom-filter">custom-filter</link></listitem>
<listitem><link xlink:href="#nsa-expression-handler">expression-handler</link></listitem>
<listitem><link xlink:href="#nsa-form-login">form-login</link></listitem>
<listitem><link xlink:href="#nsa-headers">headers</link></listitem>
<listitem><link xlink:href="#nsa-http-basic">http-basic</link></listitem>
<listitem><link xlink:href="#nsa-intercept-url">intercept-url</link></listitem>
<listitem><link xlink:href="#nsa-jee">jee</link></listitem>
<listitem><link xlink:href="#nsa-logout">logout</link></listitem>
<listitem><link xlink:href="#nsa-openid-login">openid-login</link></listitem>
<listitem><link xlink:href="#nsa-port-mappings">port-mappings</link></listitem>
<listitem><link xlink:href="#nsa-remember-me">remember-me</link></listitem>
<listitem><link xlink:href="#nsa-request-cache">request-cache</link></listitem>
<listitem><link xlink:href="#nsa-session-management">session-management</link></listitem>
<listitem><link xlink:href="#nsa-x509">x509</link></listitem>
<listitem><link linkend="nsa-access-denied-handler">access-denied-handler</link></listitem>
<listitem><link linkend="nsa-anonymous">anonymous</link></listitem>
<listitem><link linkend="nsa-csrf">csrf</link></listitem>
<listitem><link linkend="nsa-custom-filter">custom-filter</link></listitem>
<listitem><link linkend="nsa-expression-handler">expression-handler</link></listitem>
<listitem><link linkend="nsa-form-login">form-login</link></listitem>
<listitem><link linkend="nsa-headers">headers</link></listitem>
<listitem><link linkend="nsa-http-basic">http-basic</link></listitem>
<listitem><link linkend="nsa-intercept-url">intercept-url</link></listitem>
<listitem><link linkend="nsa-jee">jee</link></listitem>
<listitem><link linkend="nsa-logout">logout</link></listitem>
<listitem><link linkend="nsa-openid-login">openid-login</link></listitem>
<listitem><link linkend="nsa-port-mappings">port-mappings</link></listitem>
<listitem><link linkend="nsa-remember-me">remember-me</link></listitem>
<listitem><link linkend="nsa-request-cache">request-cache</link></listitem>
<listitem><link linkend="nsa-session-management">session-management</link></listitem>
<listitem><link linkend="nsa-x509">x509</link></listitem>
</itemizedlist>
</section>
</section>
@ -234,15 +234,15 @@
<para>This element allows you to set the <literal>errorPage</literal> property for the
default <interfacename>AccessDeniedHandler</interfacename> used by the
<classname>ExceptionTranslationFilter</classname>, using the
<link xlink:href="#nsa-access-denied-handler-error-page">error-page</link> attribute, or
<link linkend="nsa-access-denied-handler-error-page">error-page</link> attribute, or
to supply your own implementation using the
<link xlink:href="#nsa-access-denied-handler-ref">ref</link> attribute. This is discussed
in more detail in the section on the <link xlink:href="#access-denied-handler">
<link linkend="nsa-access-denied-handler-ref">ref</link> attribute. This is discussed
in more detail in the section on the <link linkend="access-denied-handler">
<classname>ExceptionTranslationFilter</classname></link>.</para>
<section xml:id="nsa-access-denied-handler-parents">
<title>Parent Elements of <literal>&lt;access-denied-handler&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-http">http</link></listitem>
<listitem><link linkend="nsa-http">http</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-access-denied-handler-attributes">
@ -263,24 +263,24 @@
<title><literal>&lt;headers&gt;</literal></title>
<para>This element allows for configuring additional (security) headers to be send with the response.
It enables easy configuration for several headers and also allows for setting custom headers through
the <link xlink:href="#nsa-header">header</link> element.
the <link linkend="nsa-header">header</link> element.
<itemizedlist>
<listitem><literal>Cache-Control</literal> and <literal>Pragma</literal> - Can be set using the
<link xlink:href="#nsa-cache-control">cache-control</link> element. This ensures that the
<link linkend="nsa-cache-control">cache-control</link> element. This ensures that the
browser does not cache your secured pages.</listitem>
<listitem><literal>Strict-Transport-Security</literal> - Can be set using the
<link xlink:href="#nsa-hsts">hsts</link> element. This ensures that the
<link linkend="nsa-hsts">hsts</link> element. This ensures that the
browser automatically requests HTTPS for future requests.</listitem>
<listitem><literal>X-Frame-Options</literal> - Can be set using the
<link xlink:href="#nsa-frame-options">frame-options</link> element. The
<link linkend="nsa-frame-options">frame-options</link> element. The
<link xlink:href="http://en.wikipedia.org/wiki/Clickjacking#X-Frame-Options">X-Frame-Options
</link> header can be used to prevent clickjacking attacks.</listitem>
<listitem><literal>X-XSS-Protection</literal> - Can be set using the
<link xlink:href="#nsa-xss-protection">xss-protection</link> element.
<link linkend="nsa-xss-protection">xss-protection</link> element.
The <link xlink:href="http://en.wikipedia.org/wiki/Cross-site_scripting">X-XSS-Protection
</link> header can be used by browser to do basic control.</listitem>
<listitem><literal>X-Content-Type-Options</literal> - Can be set using the
<link xlink:href="#nsa-content-type-options">content-type-options</link> element. The
<link linkend="nsa-content-type-options">content-type-options</link> element. The
<link xlink:href="http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx">X-Content-Type-Options</link>
header prevents Internet Explorer from MIME-sniffing a response away from the declared
content-type. This also applies to Google Chrome, when downloading extensions. </listitem>
@ -289,18 +289,18 @@
<section xml:id="nsa-headers-parents">
<title>Parent Elements of <literal>&lt;headers&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-http">http</link></listitem>
<listitem><link linkend="nsa-http">http</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-headers-children">
<title>Child Elements of <literal>&lt;headers&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-cache-control">cache-control</link></listitem>
<listitem><link xlink:href="#nsa-content-type-options">content-type-options</link></listitem>
<listitem><link xlink:href="#nsa-frame-options">frame-options</link></listitem>
<listitem><link xlink:href="#nsa-header">header</link></listitem>
<listitem><link xlink:href="#nsa-hsts">hsts</link></listitem>
<listitem><link xlink:href="#nsa-xss-protection">xss-protection</link></listitem>
<listitem><link linkend="nsa-cache-control">cache-control</link></listitem>
<listitem><link linkend="nsa-content-type-options">content-type-options</link></listitem>
<listitem><link linkend="nsa-frame-options">frame-options</link></listitem>
<listitem><link linkend="nsa-header">header</link></listitem>
<listitem><link linkend="nsa-hsts">hsts</link></listitem>
<listitem><link linkend="nsa-xss-protection">xss-protection</link></listitem>
</itemizedlist>
</section>
</section>
@ -311,7 +311,7 @@
<section xml:id="nsa-cache-control-parents">
<title>Parent Elements of <literal>&lt;cache-control&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-headers">headers</link></listitem>
<listitem><link linkend="nsa-headers">headers</link></listitem>
</itemizedlist>
</section>
</section>
@ -343,7 +343,7 @@
<section xml:id="nsa-hsts-parents">
<title>Parent Elements of <literal>&lt;hsts&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-headers">headers</link></listitem>
<listitem><link linkend="nsa-headers">headers</link></listitem>
</itemizedlist>
</section>
</section>
@ -361,7 +361,7 @@
the site attempting to do so. This is the default when frame-options-policy is specified.</listitem>
<listitem><literal>SAMEORIGIN</literal> The page can only be displayed in a frame on the
same origin as the page itself</listitem>
<listitem><literal>ALLOW-FROM <link xlink:href="#nsa-frame-options-origin">origin</link></literal>
<listitem><literal>ALLOW-FROM <link linkend="nsa-frame-options-origin">origin</link></literal>
The page can only be displayed in a frame on the specified origin.
</listitem>
</itemizedlist>
@ -377,17 +377,17 @@
Select the <classname>AllowFromStrategy</classname> to use when using the ALLOW-FROM policy.
<itemizedlist>
<listitem><literal>static</literal> Use a single static ALLOW-FROM value. The value can be set
through the <link xlink:href="#nsa-frame-options-value">value</link> attribute.
through the <link linkend="nsa-frame-options-value">value</link> attribute.
</listitem>
<listitem><literal>regexp</literal> Use a regelur expression to validate incoming requests and
if they are allowed. The regular expression can be set through the <link xlink:href="#nsa-frame-options-value">value</link>
if they are allowed. The regular expression can be set through the <link linkend="nsa-frame-options-value">value</link>
attribute. The request parameter used to retrieve the value to validate can be specified
using the <link xlink:href="#nsa-frame-options-from-parameter">from-parameter</link>.
using the <link linkend="nsa-frame-options-from-parameter">from-parameter</link>.
</listitem>
<listitem><literal>whitelist</literal>A comma-seperated list containing the allowed domains.
The comma-seperated list can be set through the <link xlink:href="#nsa-frame-options-value">value</link>
The comma-seperated list can be set through the <link linkend="nsa-frame-options-value">value</link>
attribute. The request parameter used to retrieve the value to validate can be specified
using the <link xlink:href="#nsa-frame-options-from-parameter">from-parameter</link>.
using the <link linkend="nsa-frame-options-from-parameter">from-parameter</link>.
</listitem>
</itemizedlist>
</para>
@ -401,7 +401,7 @@
</section>
<section xml:id="nsa-frame-options-value">
<title><literal>frame-options-value</literal></title>
<para>The value to use when ALLOW-FROM is used a <link xlink:href="#nsa-frame-options-strategy">strategy</link>.</para>
<para>The value to use when ALLOW-FROM is used a <link linkend="nsa-frame-options-strategy">strategy</link>.</para>
</section>
<section xml:id="nsa-frame-options-from-parameter">
<title><literal>frame-options-from-parameter</literal></title>
@ -414,7 +414,7 @@
<section xml:id="nsa-frame-options-parents">
<title>Parent Elements of <literal>&lt;frame-options&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-headers">headers</link></listitem>
<listitem><link linkend="nsa-headers">headers</link></listitem>
</itemizedlist>
</section>
</section>
@ -439,7 +439,7 @@
<section xml:id="nsa-xss-protection-parents">
<title>Parent Elements of <literal>&lt;xss-protection&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-headers">headers</link></listitem>
<listitem><link linkend="nsa-headers">headers</link></listitem>
</itemizedlist>
</section>
</section>
@ -451,7 +451,7 @@
<section xml:id="nsa-content-type-options-parents">
<title>Parent Elements of <literal>&lt;content-type-options&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-headers">headers</link></listitem>
<listitem><link linkend="nsa-headers">headers</link></listitem>
</itemizedlist>
</section>
</section>
@ -476,7 +476,7 @@
<section xml:id="nsa-header-parents">
<title>Parent Elements of <literal>&lt;header&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-headers">headers</link></listitem>
<listitem><link linkend="nsa-headers">headers</link></listitem>
</itemizedlist>
</section>
</section>
@ -488,7 +488,7 @@
<section xml:id="nsa-anonymous-parents">
<title>Parent Elements of <literal>&lt;anonymous&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-http">http</link></listitem>
<listitem><link linkend="nsa-http">http</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-anonymous-attributes">
@ -527,7 +527,7 @@
<section xml:id="nsa-csrf-parents">
<title>Parent Elements of <literal>&lt;csrf&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-http">http</link></listitem>
<listitem><link linkend="nsa-http">http</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-csrf-attributes">
@ -550,12 +550,12 @@
additional beans but is used to select a bean of type
<interfacename>javax.servlet.Filter</interfacename> which is already defined in the
application context and add that at a particular position in the filter chain
maintained by Spring Security. Full details can be found in the <link xlink:href="#ns-custom-filters">
maintained by Spring Security. Full details can be found in the <link linkend="ns-custom-filters">
namespace chapter</link>.</para>
<section xml:id="nsa-custom-filter-parents">
<title>Parent Elements of <literal>&lt;custom-filter&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-http">http</link></listitem>
<listitem><link linkend="nsa-http">http</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-custom-filter-attributes">
@ -590,8 +590,8 @@
<section xml:id="nsa-expression-handler-parents">
<title>Parent Elements of <literal>&lt;expression-handler&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-global-method-security">global-method-security</link></listitem>
<listitem><link xlink:href="#nsa-http">http</link></listitem>
<listitem><link linkend="nsa-global-method-security">global-method-security</link></listitem>
<listitem><link linkend="nsa-http">http</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-expression-handler-attributes">
@ -615,12 +615,12 @@
<classname>DefaultLoginPageGeneratingFilter</classname> is responsible for
rendering the login page and will provide login forms for both normal form login
and/or OpenID if required.</para>
</footnote> The behaviour can be customized using the <link xlink:href="#nsa-form-login-attributes">
</footnote> The behaviour can be customized using the <link linkend="nsa-form-login-attributes">
<literal>&lt;form-login&gt;</literal> Attributes</link>.</para>
<section xml:id="nsa-form-login-parents">
<title>Parent Elements of <literal>&lt;form-login&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-http">http</link></listitem>
<listitem><link linkend="nsa-http">http</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-form-login-attributes">
@ -628,7 +628,7 @@
<section xml:id="nsa-form-login-always-use-default-target">
<title><literal>always-use-default-target</literal></title>
<para>If set to <literal>true</literal>, the user will always start at the value given by
<link xlink:href="#nsa-form-login-default-target-url">default-target-url</link>, regardless
<link linkend="nsa-form-login-default-target-url">default-target-url</link>, regardless
of how they arrived at the login page. Maps to the <literal>alwaysUseDefaultTargetUrl</literal>
property of <classname>UsernamePasswordAuthenticationFilter</classname>. Default value is
<literal>false</literal>.</para>
@ -641,7 +641,7 @@
<section xml:id="nsa-form-login-authentication-failure-handler-ref">
<title><literal>authentication-failure-handler-ref</literal></title>
<para>Can be used as an alternative to
<link xlink:href="#nsa-form-login-authentication-failure-url">authentication-failure-url</link>,
<link linkend="nsa-form-login-authentication-failure-url">authentication-failure-url</link>,
giving you full control over the navigation flow after an authentication failure. The value
should be he name of an <interfacename>AuthenticationFailureHandler</interfacename> bean in the
application context.</para>
@ -657,13 +657,13 @@
<section xml:id="nsa-form-login-authentication-success-handler-ref">
<title><literal>authentication-success-handler-ref</literal></title>
<para>This can be used as an alternative to
<link xlink:href="#nsa-form-login-default-target-url">default-target-url</link>
and <link xlink:href="#nsa-form-login-always-use-default-target">always-use-default-target</link>,
<link linkend="nsa-form-login-default-target-url">default-target-url</link>
and <link linkend="nsa-form-login-always-use-default-target">always-use-default-target</link>,
giving you full control over the navigation flow after a successful authentication. The value
should be the name of an <interfacename>AuthenticationSuccessHandler</interfacename> bean in
the application context. By default, an implementation of
<classname>SavedRequestAwareAuthenticationSuccessHandler</classname> is used and
injected with the <link xlink:href="#nsa-form-login-default-target-url">default-target-url
injected with the <link linkend="nsa-form-login-default-target-url">default-target-url
</link>.</para>
</section>
<section xml:id="nsa-form-login-default-target-url">
@ -707,7 +707,7 @@
<section xml:id="nsa-http-basic-parents">
<title>Parent Elements of <literal>&lt;http-basic&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-http">http</link></listitem>
<listitem><link linkend="nsa-http">http</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-http-basic-attributes">
@ -752,9 +752,9 @@
<section xml:id="nsa-intercept-url-parents">
<title>Parent Elements of <literal>&lt;intercept-url&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-filter-invocation-definition-source">filter-invocation-definition-source</link></listitem>
<listitem><link xlink:href="#nsa-filter-security-metadata-source">filter-security-metadata-source</link></listitem>
<listitem><link xlink:href="#nsa-http">http</link></listitem>
<listitem><link linkend="nsa-filter-invocation-definition-source">filter-invocation-definition-source</link></listitem>
<listitem><link linkend="nsa-filter-security-metadata-source">filter-security-metadata-source</link></listitem>
<listitem><link linkend="nsa-http">http</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-intercept-url-attributes">
@ -797,7 +797,7 @@
<classname>ChannelProcessingFilter</classname> will be added to the filter
stack and its additional dependencies added to the application
context.<!--See the chapter on <link
xlink:href="#channel-security-config">channel security</link> for an example
linkend="channel-security-config">channel security</link> for an example
configuration using traditional beans. --></para>
<para>If a <literal>&lt;port-mappings&gt;</literal> configuration is added, this
will be used to by the <classname>SecureChannelProcessor</classname> and
@ -813,7 +813,7 @@
<section xml:id="nsa-jee-parents">
<title>Parent Elements of <literal>&lt;jee&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-http">http</link></listitem>
<listitem><link linkend="nsa-http">http</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-jee-attributes">
@ -835,7 +835,7 @@
<section xml:id="nsa-logout-parents">
<title>Parent Elements of <literal>&lt;logout&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-http">http</link></listitem>
<listitem><link linkend="nsa-http">http</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-logout-attributes">
@ -886,7 +886,7 @@
<section xml:id="nsa-openid-login-parents">
<title>Parent Elements of <literal>&lt;openid-login&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-http">http</link></listitem>
<listitem><link linkend="nsa-http">http</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-openid-login-attributes">
@ -915,8 +915,8 @@
<title><literal>authentication-success-handler-ref</literal></title>
<para>Reference to an AuthenticationSuccessHandler bean which should be used to handle a successful
authentication request. Should not be used in combination with
<link xlink:href="#nsa-openid-login-default-target-url">default-target-url</link> (or
<link xlink:href="#nsa-openid-login-always-use-default-target">
<link linkend="nsa-openid-login-default-target-url">default-target-url</link> (or
<link linkend="nsa-openid-login-always-use-default-target">
always-use-default-target</link>) as the implementation should always deal with navigation
to the subsequent destination</para>
</section>
@ -952,7 +952,7 @@
<section xml:id="nsa-openid-login-children">
<title>Child Elements of &lt;openid-login&gt;</title>
<itemizedlist>
<listitem><link xlink:href="#nsa-attribute-exchange">attribute-exchange</link></listitem>
<listitem><link linkend="nsa-attribute-exchange">attribute-exchange</link></listitem>
</itemizedlist>
</section>
</section>
@ -960,7 +960,7 @@
<title><literal>&lt;attribute-exchange&gt;</literal></title>
<para>The <literal>attribute-exchange</literal> element defines the list of
attributes which should be requested from the identity provider. An example can be found
in the <link xlink:href="#ns-openid">OpenID Support</link> section of the namespace configuration
in the <link linkend="ns-openid">OpenID Support</link> section of the namespace configuration
chapter. More than one can be used, in which case each must have an <literal>identifier-match</literal>
attribute, containing a regular expression which is matched against the supplied
OpenID identifier. This allows different attribute lists to be fetched from
@ -968,7 +968,7 @@
<section xml:id="nsa-attribute-exchange-parents">
<title>Parent Elements of <literal>&lt;attribute-exchange&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-openid-login">openid-login</link></listitem>
<listitem><link linkend="nsa-openid-login">openid-login</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-attribute-exchange-attributes">
@ -982,7 +982,7 @@
<section xml:id="nsa-attribute-exchange-children">
<title>Child Elements of <literal>&lt;attribute-exchange&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-openid-attribute">openid-attribute</link></listitem>
<listitem><link linkend="nsa-openid-attribute">openid-attribute</link></listitem>
</itemizedlist>
</section>
</section>
@ -994,7 +994,7 @@
<section xml:id="nsa-openid-attribute-parents">
<title>Parent Elements of <literal>&lt;openid-attribute&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-attribute-exchange">attribute-exchange</link></listitem>
<listitem><link linkend="nsa-attribute-exchange">attribute-exchange</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-openid-attribute-attributes">
@ -1027,18 +1027,18 @@
can optionally be used to override the default mappings which that class defines.
Each child <literal>&lt;port-mapping&gt;</literal> element defines a pair of
HTTP:HTTPS ports. The default mappings are 80:443 and 8080:8443. An example of
overriding these can be found in the <link xlink:href="#ns-requires-channel"
overriding these can be found in the <link linkend="ns-requires-channel"
>namespace introduction</link>. </para>
<section xml:id="nsa-port-mappings-parents">
<title>Parent Elements of <literal>&lt;port-mappings&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-http">http</link></listitem>
<listitem><link linkend="nsa-http">http</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-port-mappings-children">
<title>Child Elements of <literal>&lt;port-mappings&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-port-mapping">port-mapping</link></listitem>
<listitem><link linkend="nsa-port-mapping">port-mapping</link></listitem>
</itemizedlist>
</section>
</section>
@ -1048,7 +1048,7 @@
<section xml:id="nsa-port-mapping-parents">
<title>Parent Elements of <literal>&lt;port-mapping&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-port-mappings">port-mappings</link></listitem>
<listitem><link linkend="nsa-port-mappings">port-mappings</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-port-mapping-attributes">
@ -1074,7 +1074,7 @@
<section xml:id="nsa-remember-me-parents">
<title>Parent Elements of <literal>&lt;remember-me&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-http">http</link></listitem>
<listitem><link linkend="nsa-http">http</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-remember-me-attributes">
@ -1166,7 +1166,7 @@
<section xml:id="nsa-request-cache-parents">
<title>Parent Elements of <literal>&lt;request-cache&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-http">http</link></listitem>
<listitem><link linkend="nsa-http">http</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-request-cache-attributes">
@ -1184,7 +1184,7 @@
<section xml:id="nsa-session-management-parents">
<title>Parent Elements of <literal>&lt;session-management&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-http">http</link></listitem>
<listitem><link linkend="nsa-http">http</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-session-management-attributes">
@ -1228,7 +1228,7 @@
<section xml:id="nsa-session-management-children">
<title>Child elements of <literal>&lt;session-management&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-concurrency-control">concurrency-control</link></listitem>
<listitem><link linkend="nsa-concurrency-control">concurrency-control</link></listitem>
</itemizedlist>
</section>
</section>
@ -1247,7 +1247,7 @@
<section xml:id="nsa-concurrency-control-parents">
<title>Parent Elements of <literal>&lt;concurrency-control&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-session-management">session-management</link></listitem>
<listitem><link linkend="nsa-session-management">session-management</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-concurrency-control-attributes">
@ -1301,7 +1301,7 @@
<section xml:id="nsa-x509-parents">
<title>Parent Elements of <literal>&lt;x509&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-http">http</link></listitem>
<listitem><link linkend="nsa-http">http</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-x509-attributes">
@ -1333,7 +1333,7 @@
<section xml:id="nsa-filter-chain-map-path-type">
<title><literal>path-type</literal></title>
<para>Superseded by the
<link xlink:href="#nsa-filter-chain-map-request-matcher">request-matcher</link> attribute</para>
<link linkend="nsa-filter-chain-map-request-matcher">request-matcher</link> attribute</para>
</section>
<section xml:id="nsa-filter-chain-map-request-matcher">
<title><literal>request-matcher</literal></title>
@ -1345,7 +1345,7 @@
<section xml:id="nsa-filter-chain-map-children">
<title>Child Elements of <literal>&lt;filter-chain-map&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-filter-chain">filter-chain</link></listitem>
<listitem><link linkend="nsa-filter-chain">filter-chain</link></listitem>
</itemizedlist>
</section>
</section>
@ -1357,7 +1357,7 @@
<section xml:id="nsa-filter-chain-parents">
<title>Parent Elements of <literal>&lt;filter-chain&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-filter-chain-map">filter-chain-map</link></listitem>
<listitem><link linkend="nsa-filter-chain-map">filter-chain-map</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-filter-chain-attributes">
@ -1372,7 +1372,7 @@
<section xml:id="nsa-filter-chain-pattern">
<title><literal>pattern</literal></title>
<para>A-pattern that creates RequestMatcher in combination with the
<link xlink:href="#nsa-filter-chain-map-request-matcher">request-matcher</link></para>
<link linkend="nsa-filter-chain-map-request-matcher">request-matcher</link></para>
</section>
<section xml:id="nsa-filter-chain-request-matcher-ref">
<title><literal>request-matcher-ref</literal></title>
@ -1397,7 +1397,7 @@
<section xml:id="nsa-filter-invocation-definition-source-path-type">
<title><literal>path-type</literal></title>
<para>Superseded by
<link xlink:href="#nsa-filter-invocation-definition-source-request-matcher">request-matcher</link></para>
<link linkend="nsa-filter-invocation-definition-source-request-matcher">request-matcher</link></para>
</section>
<section xml:id="nsa-filter-invocation-definition-source-request-matcher">
<title><literal>request-matcher</literal></title>
@ -1416,7 +1416,7 @@
<section xml:id="nsa-filter-invocation-definition-source-children">
<title>Child Elements of <literal>&lt;filter-invocation-definition-source&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-intercept-url">intercept-url</link></listitem>
<listitem><link linkend="nsa-intercept-url">intercept-url</link></listitem>
</itemizedlist>
</section>
</section>
@ -1439,7 +1439,7 @@
<section xml:id="nsa-filter-security-metadata-source-path-type">
<title><literal>path-type</literal></title>
<para>Superseded by
<link xlink:href="#nsa-filter-security-metadata-source-request-matcher">request-matcher</link>
<link linkend="nsa-filter-security-metadata-source-request-matcher">request-matcher</link>
</para>
</section>
<section xml:id="nsa-filter-security-metadata-source-request-matcher">
@ -1459,7 +1459,7 @@
<section xml:id="nsa-filter-security-metadata-source-children">
<title>Child Elements of <literal>&lt;filter-security-metadata-source&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-intercept-url">intercept-url</link></listitem>
<listitem><link linkend="nsa-intercept-url">intercept-url</link></listitem>
</itemizedlist>
</section>
</section>
@ -1489,7 +1489,7 @@
<title><literal>alias</literal></title>
<para>This attribute allows you to define an alias name for the
internal instance for use in your own configuration. Its use is described in the
<link xlink:href="#ns-auth-manager">namespace introduction</link>.</para>
<link linkend="ns-auth-manager">namespace introduction</link>.</para>
</section>
<section xml:id="nsa-authentication-manager-erase-credentials">
<title><literal>erase-credentials</literal></title>
@ -1497,7 +1497,7 @@
returned Authentication object, once the user has been authenticated. Literally it maps to
the <literal>eraseCredentialsAfterAuthentication</literal> property of the
<classname>ProviderManager</classname>. This is discussed in the <link
xlink:href="#core-services-erasing-credentials">Core Services</link> chapter.</para>
linkend="core-services-erasing-credentials">Core Services</link> chapter.</para>
</section>
<section xml:id="nsa-authentication-manager-id">
<title><literal>id</literal></title>
@ -1509,15 +1509,15 @@
<section xml:id="nsa-authentication-manager-children">
<title>Child Elements of <literal>&lt;authentication-manager&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-authentication-provider">authentication-provider</link></listitem>
<listitem><link xlink:href="#nsa-ldap-authentication-provider">ldap-authentication-provider</link></listitem>
<listitem><link linkend="nsa-authentication-provider">authentication-provider</link></listitem>
<listitem><link linkend="nsa-ldap-authentication-provider">ldap-authentication-provider</link></listitem>
</itemizedlist>
</section>
</section>
<section xml:id="nsa-authentication-provider">
<title><literal>&lt;authentication-provider&gt;</literal></title>
<para> Unless used with a <literal>ref</literal> attribute, this element is
shorthand for configuring a <link xlink:href="#core-services-dao-provider"
shorthand for configuring a <link linkend="core-services-dao-provider"
><classname>DaoAuthenticationProvider</classname></link>.
<classname>DaoAuthenticationProvider</classname> loads user information from a
<interfacename>UserDetailsService</interfacename> and compares the
@ -1526,12 +1526,12 @@
by using an available namespace element (<literal>jdbc-user-service</literal> or
by using the <literal>user-service-ref</literal> attribute to point to a bean
defined elsewhere in the application context). You can find examples of these
variations in the <link xlink:href="#ns-auth-providers">namespace
variations in the <link linkend="ns-auth-providers">namespace
introduction</link>. </para>
<section xml:id="nsa-authentication-provider-parents">
<title>Parent Elements of <literal>&lt;authentication-provider&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-authentication-manager">authentication-manager</link></listitem>
<listitem><link linkend="nsa-authentication-manager">authentication-manager</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-authentication-provider-attributes">
@ -1560,10 +1560,10 @@
<section xml:id="nsa-authentication-provider-children">
<title>Child Elements of <literal>&lt;authentication-provider&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-jdbc-user-service">jdbc-user-service</link></listitem>
<listitem><link xlink:href="#nsa-ldap-user-service">ldap-user-service</link></listitem>
<listitem><link xlink:href="#nsa-password-encoder">password-encoder</link></listitem>
<listitem><link xlink:href="#nsa-user-service">user-service</link></listitem>
<listitem><link linkend="nsa-jdbc-user-service">jdbc-user-service</link></listitem>
<listitem><link linkend="nsa-ldap-user-service">ldap-user-service</link></listitem>
<listitem><link linkend="nsa-password-encoder">password-encoder</link></listitem>
<listitem><link linkend="nsa-user-service">user-service</link></listitem>
</itemizedlist>
</section>
</section>
@ -1617,7 +1617,7 @@ where
<section xml:id="nsa-password-encoder">
<title><literal>&lt;password-encoder&gt;</literal></title>
<para>Authentication providers can optionally be configured to use a password
encoder as described in the <link xlink:href="#ns-password-encoder"
encoder as described in the <link linkend="ns-password-encoder"
>namespace introduction</link>. This will result in the bean being injected
with the appropriate <interfacename>PasswordEncoder</interfacename>
instance, potentially with an accompanying
@ -1626,8 +1626,8 @@ where
<section xml:id="nsa-password-encoder-parents">
<title>Parent Elements of <literal>&lt;password-encoder&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-authentication-provider">authentication-provider</link></listitem>
<listitem><link xlink:href="#nsa-password-compare">password-compare</link></listitem>
<listitem><link linkend="nsa-authentication-provider">authentication-provider</link></listitem>
<listitem><link linkend="nsa-password-compare">password-compare</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-password-encoder-attributes">
@ -1650,7 +1650,7 @@ where
<section xml:id="nsa-password-encoder-children">
<title>Child Elements of <literal>&lt;password-encoder&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-salt-source">salt-source</link></listitem>
<listitem><link linkend="nsa-salt-source">salt-source</link></listitem>
</itemizedlist>
</section>
</section>
@ -1661,7 +1661,7 @@ where
<section xml:id="nsa-salt-source-parents">
<title>Parent Elements of <literal>&lt;salt-source&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-password-encoder">password-encoder</link></listitem>
<listitem><link linkend="nsa-password-encoder">password-encoder</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-salt-source-attributes">
@ -1701,7 +1701,7 @@ where
<section xml:id="nsa-user-service-children">
<title>Child Elements of <literal>&lt;user-service&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-user">user</link></listitem>
<listitem><link linkend="nsa-user">user</link></listitem>
</itemizedlist>
</section>
</section>
@ -1711,7 +1711,7 @@ where
<section xml:id="nsa-user-parents">
<title>Parent Elements of <literal>&lt;user&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-user-service">user-service</link></listitem>
<listitem><link linkend="nsa-user-service">user-service</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-user-attributes">
@ -1820,10 +1820,10 @@ where
<section xml:id="nsa-global-method-security-children">
<title>Child Elements of <literal>&lt;global-method-security&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-after-invocation-provider">after-invocation-provider</link></listitem>
<listitem><link xlink:href="#nsa-expression-handler">expression-handler</link></listitem>
<listitem><link xlink:href="#nsa-pre-post-annotation-handling">pre-post-annotation-handling</link></listitem>
<listitem><link xlink:href="#nsa-protect-pointcut">protect-pointcut</link></listitem>
<listitem><link linkend="nsa-after-invocation-provider">after-invocation-provider</link></listitem>
<listitem><link linkend="nsa-expression-handler">expression-handler</link></listitem>
<listitem><link linkend="nsa-pre-post-annotation-handling">pre-post-annotation-handling</link></listitem>
<listitem><link linkend="nsa-protect-pointcut">protect-pointcut</link></listitem>
</itemizedlist>
</section>
</section>
@ -1840,7 +1840,7 @@ where
<section xml:id="nsa-after-invocation-provider-parents">
<title>Parent Elements of <literal>&lt;after-invocation-provider&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-global-method-security">global-method-security</link></listitem>
<listitem><link linkend="nsa-global-method-security">global-method-security</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-after-invocation-provider-attributes">
@ -1860,15 +1860,15 @@ where
<section xml:id="nsa-pre-post-annotation-handling-parents">
<title>Parent Elements of <literal>&lt;pre-post-annotation-handling&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-global-method-security">global-method-security</link></listitem>
<listitem><link linkend="nsa-global-method-security">global-method-security</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-pre-post-annotation-handling-children">
<title>Child Elements of <literal>&lt;pre-post-annotation-handling&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-invocation-attribute-factory">invocation-attribute-factory</link></listitem>
<listitem><link xlink:href="#nsa-post-invocation-advice">post-invocation-advice</link></listitem>
<listitem><link xlink:href="#nsa-pre-invocation-advice">pre-invocation-advice</link></listitem>
<listitem><link linkend="nsa-invocation-attribute-factory">invocation-attribute-factory</link></listitem>
<listitem><link linkend="nsa-post-invocation-advice">post-invocation-advice</link></listitem>
<listitem><link linkend="nsa-pre-invocation-advice">pre-invocation-advice</link></listitem>
</itemizedlist>
</section>
</section>
@ -1879,7 +1879,7 @@ where
<section xml:id="nsa-invocation-attribute-factory-parents">
<title>Parent Elements of <literal>&lt;invocation-attribute-factory&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-pre-post-annotation-handling">pre-post-annotation-handling</link></listitem>
<listitem><link linkend="nsa-pre-post-annotation-handling">pre-post-annotation-handling</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-invocation-attribute-factory-attributes">
@ -1898,7 +1898,7 @@ where
<section xml:id="nsa-post-invocation-advice-parents">
<title>Parent Elements of <literal>&lt;post-invocation-advice&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-pre-post-annotation-handling">pre-post-annotation-handling</link></listitem>
<listitem><link linkend="nsa-pre-post-annotation-handling">pre-post-annotation-handling</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-post-invocation-advice-attributes">
@ -1917,7 +1917,7 @@ where
<section xml:id="nsa-pre-invocation-advice-parents">
<title>Parent Elements of <literal>&lt;pre-invocation-advice&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-pre-post-annotation-handling">pre-post-annotation-handling</link></listitem>
<listitem><link linkend="nsa-pre-post-annotation-handling">pre-post-annotation-handling</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-pre-invocation-advice-attributes">
@ -1935,11 +1935,11 @@ where
cross-cutting security constraints across whole sets of methods and interfaces
in your service layer using the <literal>&lt;protect-pointcut&gt;</literal>
element. You can find an example in the <link
xlink:href="#ns-protect-pointcut">namespace introduction</link>.</para>
linkend="ns-protect-pointcut">namespace introduction</link>.</para>
<section xml:id="nsa-protect-pointcut-parents">
<title>Parent Elements of <literal>&lt;protect-pointcut&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-global-method-security">global-method-security</link></listitem>
<listitem><link linkend="nsa-global-method-security">global-method-security</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-protect-pointcut-attributes">
@ -1970,7 +1970,7 @@ where
<section xml:id="nsa-intercept-methods-children">
<title>Child Elements of <literal>&lt;intercept-methods&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-protect">protect</link></listitem>
<listitem><link linkend="nsa-protect">protect</link></listitem>
</itemizedlist>
</section>
</section>
@ -1994,7 +1994,7 @@ where
<section xml:id="nsa-method-security-metadata-source-children">
<title>Child Elements of <literal>&lt;method-security-metadata-source&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-protect">protect</link></listitem>
<listitem><link linkend="nsa-protect">protect</link></listitem>
</itemizedlist>
</section>
</section>
@ -2005,8 +2005,8 @@ where
<section xml:id="nsa-protect-parents">
<title>Parent Elements of <literal>&lt;protect&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-intercept-methods">intercept-methods</link></listitem>
<listitem><link xlink:href="#nsa-method-security-metadata-source">method-security-metadata-source</link></listitem>
<listitem><link linkend="nsa-intercept-methods">intercept-methods</link></listitem>
<listitem><link linkend="nsa-method-security-metadata-source">method-security-metadata-source</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-protect-attributes">
@ -2024,7 +2024,7 @@ where
</section>
<section xml:id="nsa-ldap">
<title>LDAP Namespace Options</title>
<para> LDAP is covered in some details in <link xlink:href="#ldap">its own
<para> LDAP is covered in some details in <link linkend="ldap">its own
chapter</link>. We will expand on that here with some explanation of how the
namespace options map to Spring beans. The LDAP implementation uses Spring LDAP
extensively, so some familiarity with that project's API may be useful. </para>
@ -2036,7 +2036,7 @@ where
defining the location of the LDAP server and other information (such as a
username and password, if it doesn't allow anonymous access) for connecting to
it. It can also be used to create an embedded server for testing. Details of the
syntax for both options are covered in the <link xlink:href="#ldap-server">LDAP
syntax for both options are covered in the <link linkend="ldap-server">LDAP
chapter</link>. The actual <interfacename>ContextSource</interfacename>
implementation is <classname>DefaultSpringSecurityContextSource</classname>
which extends Spring LDAP's <classname>LdapContextSource</classname> class. The
@ -2097,7 +2097,7 @@ where
<section xml:id="nsa-ldap-authentication-provider-parents">
<title>Parent Elements of <literal>&lt;ldap-authentication-provider&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-authentication-manager">authentication-manager</link></listitem>
<listitem><link linkend="nsa-authentication-manager">authentication-manager</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-ldap-authentication-provider-attributes">
@ -2185,7 +2185,7 @@ where
<section xml:id="nsa-ldap-authentication-provider-children">
<title>Child Elements of <literal>&lt;ldap-authentication-provider&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-password-compare">password-compare</link></listitem>
<listitem><link linkend="nsa-password-compare">password-compare</link></listitem>
</itemizedlist>
</section>
</section>
@ -2198,7 +2198,7 @@ where
<section xml:id="nsa-password-compare-parents">
<title>Parent Elements of <literal>&lt;password-compare&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-ldap-authentication-provider">ldap-authentication-provider</link></listitem>
<listitem><link linkend="nsa-ldap-authentication-provider">ldap-authentication-provider</link></listitem>
</itemizedlist>
</section>
<section xml:id="nsa-password-compare-attributes">
@ -2217,7 +2217,7 @@ where
<section xml:id="nsa-password-compare-children">
<title>Child Elements of <literal>&lt;password-compare&gt;</literal></title>
<itemizedlist>
<listitem><link xlink:href="#nsa-password-encoder">password-encoder</link></listitem>
<listitem><link linkend="nsa-password-encoder">password-encoder</link></listitem>
</itemizedlist>
</section>
</section>

6
docs/manual/src/docbook/authorization-common.xml
View File

@ -7,7 +7,7 @@
<info>
<title>Authorities</title>
</info>
<para>As we saw in the <link xlink:href="#tech-granted-authority">technical overview</link>,
<para>As we saw in the <link linkend="tech-granted-authority">technical overview</link>,
all <interfacename>Authentication</interfacename> implementations store a list of
<interfacename>GrantedAuthority</interfacename> objects. These represent the authorities
that have been granted to the principal. The
@ -51,7 +51,7 @@
<info>
<title>Pre-Invocation Handling</title>
</info>
<para> As we've also seen in the <link xlink:href="#secure-objects">Technical
<para> As we've also seen in the <link linkend="secure-objects">Technical
Overview</link> chapter, Spring Security provides interceptors which control access to
secure objects such as method invocations or web requests. A pre-invocation decision on
whether the invocation is allowed to proceed is made by the
@ -307,7 +307,7 @@ boolean supports(Class clazz);
</para>
<para>
The use of a role-hierarchy allows you to configure which roles (or authorities) should include others.
An extended version of Spring Security's <link xlink:href="#authz-role-voter"><classname>RoleVoter</classname></link>,
An extended version of Spring Security's <link linkend="authz-role-voter"><classname>RoleVoter</classname></link>,
<classname>RoleHierarchyVoter</classname>, is configured with a <interfacename>RoleHierarchy</interfacename>,
from which it obtains all the <quote>reachable authorities</quote> which the user is assigned.
A typical configuration might look like this:

10
docs/manual/src/docbook/cas-auth-provider.xml
View File

@ -196,7 +196,7 @@
<listitem>
<para>The user's browser is redirected to the original page that
caused the <classname>AuthenticationException</classname> (or a
<link xlink:href="#form-login-flow-handling">custom destination</link> depending on
<link linkend="form-login-flow-handling">custom destination</link> depending on
the configuration).</para>
</listitem>
</orderedlist>
@ -213,7 +213,7 @@
already know the basics of using Spring Security, so these are not covered again below.
We'll assume a namespace based configuration is being used and add in the CAS beans as
required. Each section builds upon the previous section. A full
<link xlink:href="#cas-sample">CAS sample application</link> can be found in the Spring
<link linkend="cas-sample">CAS sample application</link> can be found in the Spring
Security Samples.</para>
<section xml:id="cas-st">
<info>
@ -259,7 +259,7 @@
<para>For CAS to operate, the <classname>ExceptionTranslationFilter</classname> must have
its <literal>authenticationEntryPoint</literal> property set to the
<classname>CasAuthenticationEntryPoint</classname> bean. This can easily be done using
<link xlink:href="#ns-entry-point-ref"><literal>entry-point-ref</literal></link> as is
<link linkend="ns-entry-point-ref"><literal>entry-point-ref</literal></link> as is
done in the example above. The <classname>CasAuthenticationEntryPoint</classname> must refer to the
<classname>ServiceProperties</classname> bean (discussed above), which provides the URL
to the enterprise's CAS login server. This is where the user's browser will be
@ -300,7 +300,7 @@
here. Note that the <classname>CasAuthenticationProvider</classname> does not actually use
the password for authentication, but it does use the authorities.</para>
<para>The beans are all reasonably self-explanatory if you refer back to the
<link xlink:href="#cas-how-it-works">How CAS Works</link> section.</para>
<link linkend="cas-how-it-works">How CAS Works</link> section.</para>
<para>This completes the most basic configuration for CAS. If you haven't made any
mistakes, your web application should happily work within the
framework of CAS single sign on. No other parts of Spring Security
@ -448,7 +448,7 @@
<title>Calling a Stateless Service Using a Proxy Ticket</title>
</info>
<para>Now that Spring Security obtains PGTs, you can use them to create proxy tickets which can be used to authenticate
to a stateless service. The <link xlink:href="#cas-sample">CAS sample application</link> contains a working example in
to a stateless service. The <link linkend="cas-sample">CAS sample application</link> contains a working example in
the <classname>ProxyTicketSampleServlet</classname>. Example code can be found below:
<programlisting language="xml"><![CDATA[
protected void doGet(HttpServletRequest request, HttpServletResponse response)

2
docs/manual/src/docbook/channel-security.xml
View File

@ -32,7 +32,7 @@
<info>
<title>Configuration</title>
</info>
<para>Channel security is supported by the <link xlink:href="#ns-requires-channel">security
<para>Channel security is supported by the <link linkend="ns-requires-channel">security
namespace</link> by means of the <literal>requires-channel</literal> attribute on the
<literal>&lt;intercept-url&gt;</literal> element and this is the simplest (and
recommended approach).</para>

12
docs/manual/src/docbook/core-filters.xml
View File

@ -8,7 +8,7 @@
<section xml:id="filter-security-interceptor">
<title><classname>FilterSecurityInterceptor</classname></title>
<para>We've already seen <classname>FilterSecurityInterceptor</classname> briefly when
discussing <link xlink:href="#tech-intro-access-control">access-control in
discussing <link linkend="tech-intro-access-control">access-control in
general</link>, and we've already used it with the namespace where the
<literal>&lt;intercept-url></literal> elements are combined to configure it internally.
Now we'll see how to explicitly configure it for use with a
@ -31,7 +31,7 @@
<interfacename>AuthenticationManager</interfacename> and an
<interfacename>AccessDecisionManager</interfacename>. It is also supplied with
configuration attributes that apply to different HTTP URL requests. Refer back to <link
xlink:href="#tech-intro-config-attributes">the original discussion on these</link> in
linkend="tech-intro-config-attributes">the original discussion on these</link> in
the technical introduction.</para>
<para>The <classname>FilterSecurityInterceptor</classname> can be configured with
configuration attributes in two ways. The first, which is shown above, is using the
@ -165,7 +165,7 @@
can implement the interface yourself and use your own implementation. </para>
<para>It's also possible to supply a custom
<interfacename>AccessDeniedHandler</interfacename> when you're using the namespace
to configure your application. See <link xlink:href="#nsa-access-denied-handler">the
to configure your application. See <link linkend="nsa-access-denied-handler">the
namespace appendix</link> for more details.</para>
</section>
<section xml:id="request-caching">
@ -173,10 +173,10 @@
<para>Another of <classname>ExceptionTranslationFilter</classname>'s responsibilities is
to save the current request before invoking the <interfacename>AuthenticationEntryPoint</interfacename>.
This allows the request to be restored after the use has authenticated (see previous overview
of <link xlink:href="#tech-intro-web-authentication">web authentication</link>).
of <link linkend="tech-intro-web-authentication">web authentication</link>).
A typical example would be where the user logs in with a form, and is then redirected to the
original URL by the default <classname>SavedRequestAwareAuthenticationSuccessHandler</classname>
(see <link xlink:href="#form-login-flow-handling">below</link>).
(see <link linkend="form-login-flow-handling">below</link>).
</para>
<para>The <interfacename>RequestCache</interfacename> encapsulates the functionality required for storing
and retrieving <interfacename>HttpServletRequest</interfacename> instances. By default
@ -196,7 +196,7 @@
<section xml:id="security-context-persistence-filter">
<title><classname>SecurityContextPersistenceFilter</classname></title>
<para> We covered the purpose of this all-important filter in the <link
xlink:href="#tech-intro-sec-context-persistence">Technical Overview</link> chapter so
linkend="tech-intro-sec-context-persistence">Technical Overview</link> chapter so
you might want to re-read that section at this point. Let's first take a look at how you
would configure it for use with a <classname>FilterChainProxy</classname>. A basic
configuration only requires the bean itself <programlisting language="xml"><![CDATA[

10
docs/manual/src/docbook/core-services.xml
View File

@ -34,7 +34,7 @@
successful authentication and stored in the <classname>SecurityContext</classname>. </para>
<para> If you are using the namespace, an instance of <classname>ProviderManager</classname>
is created and maintained internally, and you add providers to it by using the namespace
authentication provider elements (see <link xlink:href="#ns-auth-manager">the namespace
authentication provider elements (see <link linkend="ns-auth-manager">the namespace
chapter</link>). In this case, you should not declare a
<classname>ProviderManager</classname> bean in your application context. However, if you
are not using the namespace then you would declare it like so: <programlisting language="xml"><![CDATA[
@ -111,7 +111,7 @@
<interfacename>PasswordEncoder</interfacename> provides encoding and decoding of
passwords presented in the <interfacename>UserDetails</interfacename> object that is
returned from the configured <interfacename>UserDetailsService</interfacename>. This
will be discussed in more detail <link xlink:href="#core-services-password-encoding"
will be discussed in more detail <link linkend="core-services-password-encoding"
>below</link>. </para>
</section>
</section>
@ -149,7 +149,7 @@
Security, when you don't really want to spend time configuring databases or writing
<interfacename>UserDetailsService</interfacename> implementations. For this sort of
situation, a simple option is to use the <literal>user-service</literal> element
from the security <link xlink:href="#ns-minimal">namespace</link>: <programlisting language="xml"><![CDATA[
from the security <link linkend="ns-minimal">namespace</link>: <programlisting language="xml"><![CDATA[
<user-service id="userDetailsService">
<user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
<user name="bob" password="bobspassword" authorities="ROLE_USER" />
@ -196,7 +196,7 @@
<title>Authority Groups</title>
<para>By default, <classname>JdbcDaoImpl</classname> loads the authorities for a
single user with the assumption that the authorities are mapped directly to
users (see the <link xlink:href="#appendix-schema">database schema
users (see the <link linkend="appendix-schema">database schema
appendix</link>). An alternative approach is to partition the authorities into
groups and assign groups to the user. Some people prefer this approach as a
means of administering user rights. See the <classname>JdbcDaoImpl</classname>
@ -217,7 +217,7 @@
</section>
<section xml:id="core-services-password-encoding">
<title>Password Encoding</title>
<para xlink:href="#spring-security-crypto-passwordencoders">Spring Security's
<para linkend="spring-security-crypto-passwordencoders">Spring Security's
<interfacename>PasswordEncoder</interfacename> interface is used to support the use of
passwords which are encoded in some way in persistent storage. You should never store
passwords in plain text. Always use a one-way password hashing algorithm such as bcrypt

10
docs/manual/src/docbook/csrf.xml
View File

@ -71,13 +71,13 @@ amount=100.00&routingNumber=1234&account=9876&_csrf=<secure-random>
Security's CSRF protection are outlined below:</para>
<orderedlist inheritnum="ignore" continuation="restarts">
<listitem>
<para><link xlink:href="#csrf-use-proper-verbs">Use proper HTTP verbs</link></para>
<para><link linkend="csrf-use-proper-verbs">Use proper HTTP verbs</link></para>
</listitem>
<listitem>
<para><link xlink:href="#csrf-configure">Configure CSRF Protection</link></para>
<para><link linkend="csrf-configure">Configure CSRF Protection</link></para>
</listitem>
<listitem>
<para><link xlink:href="#csrf-include-csrf-token">Include the CSRF Token</link></para>
<para><link linkend="csrf-include-csrf-token">Include the CSRF Token</link></para>
</listitem>
</orderedlist>
<section xml:id="csrf-use-proper-verbs">
@ -89,7 +89,7 @@ amount=100.00&routingNumber=1234&account=9876&_csrf=<secure-random>
<section xml:id="csrf-configure">
<title>Configure CSRF Protection</title>
<para>The next step is to include Spring Security's CSRF protection within your application. If you are using the XML configuration, this can be done
using the <link xlink:href="#nsa-csrf">&lt;csrf /&gt;</link> element:</para>
using the <link linkend="nsa-csrf">&lt;csrf /&gt;</link> element:</para>
<programlisting language="xml"><![CDATA[<http ...>
...
<csrf />
@ -196,7 +196,7 @@ public class WebSecurityConfig extends
<para>Spring Security's goal is to provide defaults that protect your users from exploits. This does not mean that you are forced to accept all of its defaults.</para>
<para>For example, you can provide a custom CsrfTokenRepository to override the way in which the <interfacename>CsrfToken</interfacename> is stored.</para>
<para>You can also specify a custom RequestMatcher to determine which requests are protected by CSRF (i.e. perhaps you don't care if log out is exploited). In short, if
Spring Security's CSRF protection doesn't behave exactly as you want it, you are able to customize the behavior. Refer to the <link xlink:href="#nsa-csrf">&lt;csrf /&gt;</link>
Spring Security's CSRF protection doesn't behave exactly as you want it, you are able to customize the behavior. Refer to the <link linkend="nsa-csrf">&lt;csrf /&gt;</link>
documentation for details on how to make these customizations with XML and the <classname>CsrfConfigurer</classname> javadoc for details on how to make these
customizations when using Java configuration.</para>
</section>

2
docs/manual/src/docbook/el-access.xml
View File

@ -150,7 +150,7 @@
whether the current user has the <quote>admin</quote>permission for the given
contact. The built-in <literal>hasPermission()</literal> expression is linked
into the Spring Security ACL module through the application context, as we'll
<link xlink:href="#el-permission-evaluator">see below</link>. You can access any
<link linkend="el-permission-evaluator">see below</link>. You can access any
of the method arguments by name as expression variables, provided your code has
debug information compiled in. Any Spring-EL functionality is available within
the expression, so you can also access properties on the arguments. For example,

4
docs/manual/src/docbook/index.xml
View File

@ -70,8 +70,8 @@
ten list of web application vulnerabilities as well as a lot of useful reference
information. </para>
<para>We hope that you find this reference guide useful, and we welcome your feedback and
<link xlink:href="#jira">suggestions</link>. </para>
<para>Finally, welcome to the Spring Security <link xlink:href="#community"
<link linkend="jira">suggestions</link>. </para>
<para>Finally, welcome to the Spring Security <link linkend="community"
>community</link>. </para>
</partintro>
</preface>

2
docs/manual/src/docbook/jaas-auth-provider.xml
View File

@ -225,7 +225,7 @@ JAASTest {
Subject subject = Subject.getSubject(AccessController.getContext());
]]></programlisting>
This integration can easily be configured using the
<link xlink:href="#nsa-http-jaas-api-provision">jaas-api-provision</link> attribute. This
<link linkend="nsa-http-jaas-api-provision">jaas-api-provision</link> attribute. This
feature is useful when integrating with legacy or external API's that rely on the
JAAS Subject being populated.</para>
</section>

46
docs/manual/src/docbook/namespace-config.xml
View File

@ -23,7 +23,7 @@
attributes on the <literal>ldap-server</literal> element and the user is isolated from
worrying about which beans they need to create and what the bean property names are. <footnote>
<para>You can find out more about the use of the <literal>ldap-server</literal> element
in the chapter on <link xlink:href="#ldap">LDAP</link>.</para>
in the chapter on <link linkend="ldap">LDAP</link>.</para>
</footnote>. Use of a good XML editor while editing the application context file should
provide information on the attributes and elements that are available. We would
recommend that you try out the <link
@ -147,7 +147,7 @@
functionality. The <literal>&lt;intercept-url></literal> element defines a
<literal>pattern</literal> which is matched against the URLs of incoming requests
using an ant path style syntax<footnote>
<para>See the section on <link xlink:href="#request-matching">Request
<para>See the section on <link linkend="request-matching">Request
Matching</link> in the Web Application Infrastructure chapter for more details
on how matches are actually performed.</para>
</footnote>. You can also use regular-expression matching as an alternative (see the
@ -162,9 +162,9 @@
attributes). We'll see later how the interpretation can vary<footnote>
<para>The interpretation of the comma-separated values in the
<literal>access</literal> attribute depends on the implementation of the <link
xlink:href="#ns-access-manager">AccessDecisionManager</link> which is used. In
linkend="ns-access-manager">AccessDecisionManager</link> which is used. In
Spring Security 3.0, the attribute can also be populated with an <link
xlink:href="#el-access">EL expression</link>.</para>
linkend="el-access">EL expression</link>.</para>
</footnote>.</para>
<note>
<para>You can use multiple <literal>&lt;intercept-url&gt;</literal> elements to
@ -202,7 +202,7 @@
<literal>&lt;authentication-manager></literal> element, which creates a
<classname>ProviderManager</classname> and registers the authentication
providers with it. You can find more detailed information on the beans that are
created in the <link xlink:href="#appendix-namespace">namespace appendix</link>.
created in the <link linkend="appendix-namespace">namespace appendix</link>.
It's worth cross-checking this if you want to start understanding what the
important classes in the framework are and how they are used, particularly if
you want to customise things later.</para>
@ -211,7 +211,7 @@
the application (which will be used for access control). It is also possible to load
user information from a standard properties file using the
<literal>properties</literal> attribute on <literal>user-service</literal>. See the
section on <link xlink:href="#core-services-in-memory-service">in-memory
section on <link linkend="core-services-in-memory-service">in-memory
authentication</link> for more details on the file format. Using the
<literal>&lt;authentication-provider&gt;</literal> element means that the user
information will be used by the authentication manager to process authentication
@ -241,8 +241,8 @@
</programlisting> Also note
that we've added an extra <literal>intercept-url</literal> element to say that any
requests for the login page should be available to anonymous users <footnote>
<para>See the chapter on <link xlink:href="#anonymous">anonymous
authentication</link> and also the <link xlink:href="#authz-authenticated-voter"
<para>See the chapter on <link linkend="anonymous">anonymous
authentication</link> and also the <link linkend="authz-authenticated-voter"
>AuthenticatedVoter</link> class for more details on how the value
<literal>IS_AUTHENTICATED_ANONYMOUSLY</literal> is processed.</para>
</footnote>. Otherwise the request would be matched by the pattern
@ -273,7 +273,7 @@
<literal>intercept-url</literal> element is incompatible with this change and is
no longer supported in 3.1.</para>
</footnote>. We'll look at this new syntax in more detail in the chapter on the
<link xlink:href="#filter-chains-with-ns">Security Filter Chain</link>. </para>
<link linkend="filter-chains-with-ns">Security Filter Chain</link>. </para>
<para> It's important to realise that these unsecured requests will be completely
oblivious to any Spring Security web-related configuration or additional attributes
such as <literal>requires-channel</literal>, so you will not be able to access
@ -313,7 +313,7 @@
<literal>authentication-success-handler-ref</literal> attribute as an
alternative to <literal>default-target-url</literal>. The referenced bean should
be an instance of <interfacename>AuthenticationSuccessHandler</interfacename>.
You'll find more on this in the <link xlink:href="#form-login-flow-handling"
You'll find more on this in the <link linkend="form-login-flow-handling"
>Core Filters</link> chapter and also in the namespace appendix, as well as
information on how to customize the flow when authentication fails. </para>
</section>
@ -331,7 +331,7 @@
<para> In practice you will need a more scalable source of user information than a few
names added to the application context file. Most likely you will want to store your
user information in something like a database or an LDAP server. LDAP namespace
configuration is dealt with in the <link xlink:href="#ldap">LDAP chapter</link>, so
configuration is dealt with in the <link linkend="ldap">LDAP chapter</link>, so
we won't cover it here. If you have a custom implementation of Spring Security's
<classname>UserDetailsService</classname>, called "myUserDetailsService" in your
application context, then you can authenticate against this using <programlisting language="xml"><![CDATA[
@ -349,7 +349,7 @@
</programlisting> Where <quote>securityDataSource</quote> is the name of a
<classname>DataSource</classname> bean in the application context, pointing at a
database containing the standard Spring Security <link
xlink:href="#db_schema_users_authorities">user data tables</link>. Alternatively,
linkend="db_schema_users_authorities">user data tables</link>. Alternatively,
you could configure a Spring Security <classname>JdbcDaoImpl</classname> bean and
point at that using the <literal>user-service-ref</literal> attribute: <programlisting language="xml"><![CDATA[
<authentication-manager>
@ -408,7 +408,7 @@
<title>Advanced Web Features</title>
<section xml:id="ns-remember-me">
<title>Remember-Me Authentication</title>
<para>See the separate <link xlink:href="#remember-me">Remember-Me chapter</link> for
<para>See the separate <link linkend="remember-me">Remember-Me chapter</link> for
information on remember-me namespace configuration.</para>
</section>
<section xml:id="ns-requires-channel">
@ -515,7 +515,7 @@
<literal>session-management</literal> element. </para>
<para>If you are using a customized authentication filter for form-based login, then
you have to configure concurrent session control support explicitly. More
details can be found in the <link xlink:href="#session-mgmt">Session Management
details can be found in the <link linkend="session-mgmt">Session Management
chapter</link>. </para>
</section>
<section xml:id="ns-session-fixation">
@ -559,7 +559,7 @@
will <emphasis>also</emphasis> result in any
<classname>javax.servlet.http.HttpSessionIdListener</classname>s being notified, so
use caution if your code listens for both events. See the
<link xlink:href="#session-mgmt">Session Management</link> chapter for additional
<link linkend="session-mgmt">Session Management</link> chapter for additional
information.
</para>
</section>
@ -580,7 +580,7 @@
authenticate. It is also possible to select a specific
<interfacename>UserDetailsService</interfacename> bean for use OpenID by setting the
<literal>user-service-ref</literal> attribute on the <literal>openid-login</literal>
element. See the previous section on <link xlink:href="#ns-auth-providers"
element. See the previous section on <link linkend="ns-auth-providers"
>authentication providers</link> for more information. Note that we have omitted the
password attribute from the above user configuration, since this set of user data is
only being used to load the authorities for the user. A random password will be
@ -613,7 +613,7 @@ List&lt;OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
retrieved value (or values in the case of multi-valued attributes). We'll see
more about how the <classname>SecurityContextHolder</classname> class is used
when we look at core Spring Security components in the <link
xlink:href="#core-components">technical overview</link> chapter. Multiple
linkend="core-components">technical overview</link> chapter. Multiple
attribute exchange configurations are also be supported, if you wish to use
multiple identity providers. You can supply multiple
<literal>attribute-exchange</literal> elements, using an
@ -659,7 +659,7 @@ List&lt;OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
</http>]]>
</programlisting>
</para>
<para>For additional information on how to customize the headers element refer to the <link xlink:href="#nsa-headers">headers</link>
<para>For additional information on how to customize the headers element refer to the <link linkend="nsa-headers">headers</link>
section of the Security Namespace appendix.</para>
</section>
<section xml:id="ns-custom-filters">
@ -826,7 +826,7 @@ List&lt;OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
<classname>FilterSecurityInterceptor</classname>. Some other filters are added
by default, but you can disable them. An <classname>AnonymousAuthenticationFilter</classname>
is added by default and unless you have
<link xlink:href="#ns-session-fixation">session-fixation protection</link>
<link linkend="ns-session-fixation">session-fixation protection</link>
disabled, a <classname>SessionManagementFilter</classname> will also be added
to the filter chain.
</para>
@ -847,7 +847,7 @@ List&lt;OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
<para> The CAS sample application is a good example of the use of custom beans with
the namespace, including this syntax. If you aren't familiar with authentication
entry points, they are discussed in the <link
xlink:href="#tech-intro-auth-entry-point">technical overview</link> chapter.
linkend="tech-intro-auth-entry-point">technical overview</link> chapter.
</para>
</section>
</section>
@ -857,7 +857,7 @@ List&lt;OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
<para>From version 2.0 onwards Spring Security has improved support substantially for adding
security to your service layer methods. It provides support for JSR-250 annotation
security as well as the framework's original <literal>@Secured</literal> annotation.
From 3.0 you can also make use of new <link xlink:href="#el-access">expression-based
From 3.0 you can also make use of new <link linkend="el-access">expression-based
annotations</link>. You can apply security to a single bean, using the
<literal>intercept-methods</literal> element to decorate the bean declaration, or you
can secure multiple beans across the entire service layer using the AspectJ style
@ -963,7 +963,7 @@ List&lt;OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
<para> The default strategy is to use an <classname>AffirmativeBased</classname>
<interfacename>AccessDecisionManager</interfacename> with a
<classname>RoleVoter</classname> and an <classname>AuthenticatedVoter</classname>. You
can find out more about these in the chapter on <link xlink:href="#authz-arch"
can find out more about these in the chapter on <link linkend="authz-arch"
>authorization</link>.</para>
<section xml:id="ns-custom-access-mgr">
<title>Customizing the AccessDecisionManager</title>
@ -992,7 +992,7 @@ List&lt;OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
<interfacename>AuthenticationManager</interfacename>. This is usually an instance of
Spring Security's <classname>ProviderManager</classname> class, which you may already be
familiar with if you've used the framework before. If not, it will be covered later, in
the <link xlink:href="#tech-intro-authentication">technical overview chapter</link>. The
the <link linkend="tech-intro-authentication">technical overview chapter</link>. The
bean instance is registered using the <literal>authentication-manager</literal>
namespace element. You can't use a custom <classname>AuthenticationManager</classname>
if you are using either HTTP or method security through the namespace, but this should

56
docs/manual/src/docbook/new-3-1.xml
View File

@ -32,36 +32,36 @@
<title>Spring Security 3.1 namespace updates</title>
<para>Below you can find a summary of updates to the Spring Security 3.1 namespace.</para>
<itemizedlist>
<listitem>Added support for multiple <link xlink:href="#nsa-http">&lt;http&gt;</link> elements and support for determining which one to use with
<link xlink:href="#nsa-http-pattern">http@pattern</link>, <link xlink:href="#nsa-http-request-matcher">http@request-matcher</link>, and
<link xlink:href="#nsa-http-security">http@security</link>.
Further information can be found in <link xlink:href="#ns-config">Namespace Configuration</link> section of the reference.</listitem>
<listitem>Added stateless option for <link xlink:href="#nsa-http-create-session">http@create-session</link></listitem>
<listitem>Added support for <link xlink:href="#nsa-http-authentication-manager-ref">http@authentication-manager-ref</link>
and <link xlink:href="#nsa-global-method-security-authentication-manager-ref">global-method-security@authentication-manager-ref</link>.</listitem>
<listitem>Added <link xlink:href="#nsa-http-name">http@name</link></listitem>
<listitem>Added <link xlink:href="#nsa-http-request-matcher-ref">http@request-matcher-ref</link> and
<link xlink:href="#nsa-filter-chain-request-matcher-ref">filter-chain@request-matcher-ref</link></listitem>
<listitem>Added <link xlink:href="#nsa-debug">&lt;debug&gt;</link></listitem>
<listitem>Added support for multiple <link linkend="nsa-http">&lt;http&gt;</link> elements and support for determining which one to use with
<link linkend="nsa-http-pattern">http@pattern</link>, <link linkend="nsa-http-request-matcher">http@request-matcher</link>, and
<link linkend="nsa-http-security">http@security</link>.
Further information can be found in <link linkend="ns-config">Namespace Configuration</link> section of the reference.</listitem>
<listitem>Added stateless option for <link linkend="nsa-http-create-session">http@create-session</link></listitem>
<listitem>Added support for <link linkend="nsa-http-authentication-manager-ref">http@authentication-manager-ref</link>
and <link linkend="nsa-global-method-security-authentication-manager-ref">global-method-security@authentication-manager-ref</link>.</listitem>
<listitem>Added <link linkend="nsa-http-name">http@name</link></listitem>
<listitem>Added <link linkend="nsa-http-request-matcher-ref">http@request-matcher-ref</link> and
<link linkend="nsa-filter-chain-request-matcher-ref">filter-chain@request-matcher-ref</link></listitem>
<listitem>Added <link linkend="nsa-debug">&lt;debug&gt;</link></listitem>
<listitem>Added Support for setting the AuthenticationDetailsSource using the namespace. See
<link xlink:href="#nsa-form-login-authentication-details-source-ref">form-login@authentication-details-source-ref</link>,
<link xlink:href="#nsa-openid-login-authentication-details-source-ref">openid-login@authentication-details-source-ref</link>,
<link xlink:href="#nsa-http-basic-authentication-details-source-ref">http-basic@authentication-details-source-ref</link>, and
<link xlink:href="#nsa-x509-authentication-details-source-ref">x509@authentication-details-source-ref</link>.</listitem>
<link linkend="nsa-form-login-authentication-details-source-ref">form-login@authentication-details-source-ref</link>,
<link linkend="nsa-openid-login-authentication-details-source-ref">openid-login@authentication-details-source-ref</link>,
<link linkend="nsa-http-basic-authentication-details-source-ref">http-basic@authentication-details-source-ref</link>, and
<link linkend="nsa-x509-authentication-details-source-ref">x509@authentication-details-source-ref</link>.</listitem>
<listitem>Added support for http/expression-handler. This allows
<link xlink:href="#nsa-expression-handler">&lt;expression-handler&gt;</link> to be used for web access expressions.</listitem>
<listitem>Added <link xlink:href="#nsa-authentication-manager-erase-credentials">authentication-manager@erase-credentials</link></listitem>
<listitem>Added <link xlink:href="#nsa-http-basic-entry-point-ref">http-basic@entry-point-ref</link></listitem>
<listitem>Added <link xlink:href="#nsa-logout-delete-cookies">logout@delete-cookies</link></listitem>
<listitem>Added <link xlink:href="#nsa-remember-me-authentication-success-handler-ref">remember-me@authentication-success-handler-ref</link></listitem>
<listitem>Added <link xlink:href="#nsa-method-security-metadata-source">&lt;metadata-source-ref&gt;</link></listitem>
<listitem>Added <link xlink:href="#nsa-global-method-security-metadata-source-ref">global-method-security@metadata-source-ref</link></listitem>
<listitem>Added <link xlink:href="#nsa-global-method-security-mode">global-method-security@mode</link></listitem>
<listitem>Added <link xlink:href="#nsa-attribute-exchange">&lt;attribute-exchange&gt;</link></listitem>
<listitem>Added <link xlink:href="#nsa-remember-me-use-secure-cookie">remember-me@use-secure-cookie</link></listitem>
<listitem>Added <link xlink:href="#nsa-http-jaas-api-provision">http@jaas-api-provision</link></listitem>
<listitem>Added <link xlink:href="#nsa-form-login-username-parameter">form-login@username-parameter</link> and
<link xlink:href="#nsa-form-login-password-parameter">form-login@password-parameter</link></listitem>
<link linkend="nsa-expression-handler">&lt;expression-handler&gt;</link> to be used for web access expressions.</listitem>
<listitem>Added <link linkend="nsa-authentication-manager-erase-credentials">authentication-manager@erase-credentials</link></listitem>
<listitem>Added <link linkend="nsa-http-basic-entry-point-ref">http-basic@entry-point-ref</link></listitem>
<listitem>Added <link linkend="nsa-logout-delete-cookies">logout@delete-cookies</link></listitem>
<listitem>Added <link linkend="nsa-remember-me-authentication-success-handler-ref">remember-me@authentication-success-handler-ref</link></listitem>
<listitem>Added <link linkend="nsa-method-security-metadata-source">&lt;metadata-source-ref&gt;</link></listitem>
<listitem>Added <link linkend="nsa-global-method-security-metadata-source-ref">global-method-security@metadata-source-ref</link></listitem>
<listitem>Added <link linkend="nsa-global-method-security-mode">global-method-security@mode</link></listitem>
<listitem>Added <link linkend="nsa-attribute-exchange">&lt;attribute-exchange&gt;</link></listitem>
<listitem>Added <link linkend="nsa-remember-me-use-secure-cookie">remember-me@use-secure-cookie</link></listitem>
<listitem>Added <link linkend="nsa-http-jaas-api-provision">http@jaas-api-provision</link></listitem>
<listitem>Added <link linkend="nsa-form-login-username-parameter">form-login@username-parameter</link> and
<link linkend="nsa-form-login-password-parameter">form-login@password-parameter</link></listitem>
</itemizedlist>
</section>
</chapter>

8
docs/manual/src/docbook/preauth.xml
View File

@ -29,7 +29,7 @@
pre-authenticated authentication providers. This removes duplication and allows new
implementations to be added in a structured fashion, without having to write everything
from scratch. You don't need to know about these classes if you want to use something
like <link xlink:href="#x509">X.509 authentication</link>, as it already has a namespace
like <link linkend="x509">X.509 authentication</link>, as it already has a namespace
configuration option which is simpler to use and get started with. If you need to use
explicit bean configuration or are planning on writing your own implementation then an
understanding of how the provided implementations work will be useful. You will find
@ -107,7 +107,7 @@
<section>
<title>Http403ForbiddenEntryPoint</title>
<para> The <interfacename>AuthenticationEntryPoint</interfacename> was discussed in the
<link xlink:href="#tech-intro-auth-entry-point">technical overview</link> chapter.
<link linkend="tech-intro-auth-entry-point">technical overview</link> chapter.
Normally it is responsible for kick-starting the authentication process for an
unauthenticated user (when they try to access a protected resource), but in the
pre-authenticated case this doesn't apply. You would only configure the
@ -121,7 +121,7 @@
</section>
<section>
<title>Concrete Implementations</title>
<para> X.509 authentication is covered in its <link xlink:href="#x509">own chapter</link>.
<para> X.509 authentication is covered in its <link linkend="x509">own chapter</link>.
Here we'll look at some classes which provide support for other pre-authenticated
scenarios. </para>
<section>
@ -169,7 +169,7 @@ class="org.springframework.security.web.authentication.preauth.PreAuthenticatedA
<security:authentication-provider ref="preauthAuthProvider" />
</security:authentication-manager>
]]>
</programlisting> We've assumed here that the <link xlink:href="#ns-config">security namespace</link>
</programlisting> We've assumed here that the <link linkend="ns-config">security namespace</link>
is being used for configuration. It's also assumed that you have added a
<interfacename>UserDetailsService</interfacename> (called
<quote>userDetailsService</quote>) to your configuration to load the user's

2
docs/manual/src/docbook/remember-me-authentication.xml
View File

@ -45,7 +45,7 @@
more significant security is needed you should use the approach described in the next
section. Alternatively remember-me services should simply not be used at all.</para>
<para>If you are familiar with the topics discussed in the chapter on <link
xlink:href="#ns-config">namespace configuration</link>, you can enable remember-me
linkend="ns-config">namespace configuration</link>, you can enable remember-me
authentication just by adding the <literal>&lt;remember-me&gt;</literal> element: <programlisting language="xml"><![CDATA[
<http>
...

12
docs/manual/src/docbook/samples.xml
View File

@ -6,7 +6,7 @@
<para> There are several sample web applications that are available with the project. To avoid
an overly large download, only the "tutorial" and "contacts" samples are included in the
distribution zip file. The others can be built directly from the source which you can obtain
as described in <link xlink:href="#get-source">the introduction</link>. It's easy to build
as described in <link linkend="get-source">the introduction</link>. It's easy to build
the project yourself and there's more information on the project web site at <link
xlink:href="http://www.springsource.org/security/">
http://www.springsource.org/security/ </link>. All paths referred to in this chapter are
@ -17,8 +17,8 @@
namespace configuration throughout. The compiled application is included in the
distribution zip file, ready to be deployed into your web container
(<filename>spring-security-samples-tutorial-3.1.x.war</filename>). The <link
xlink:href="#ns-form-and-basic">form-based</link> authentication mechanism is used in
combination with the commonly-used <link xlink:href="#remember-me">remember-me</link>
linkend="ns-form-and-basic">form-based</link> authentication mechanism is used in
combination with the commonly-used <link linkend="remember-me">remember-me</link>
authentication provider to automatically remember the login using cookies.</para>
<para>We recommend you start with the tutorial sample, as the XML is minimal and easy to
follow. Most importantly, you can easily add this one XML file (and its corresponding
@ -122,7 +122,7 @@ Success! Your web filters appear to be properly configured!
<title>CAS Sample</title>
<para> The CAS sample requires that you run both a CAS server and CAS client. It isn't
included in the distribution so you should check out the project code as described in
<link xlink:href="#get-source">the introduction</link>. You'll find the relevant files
<link linkend="get-source">the introduction</link>. You'll find the relevant files
under the <filename>sample/cas</filename> directory. There's also a
<filename>Readme.txt</filename> file in there which explains how to run both the server
and the client directly from the source tree, complete with SSL support.</para>
@ -132,12 +132,12 @@ Success! Your web filters appear to be properly configured!
<para>The JAAS sample is very simple example of how to use a JAAS LoginModule with Spring Security. The provided LoginModule will
successfully authenticate a user if the username equals the password otherwise a LoginException is thrown. The AuthorityGranter
used in this example always grants the role ROLE_USER. The sample application also demonstrates how to run as the JAAS Subject
returned by the LoginModule by setting <link xlink:href="#nsa-http-jaas-api-provision">jaas-api-provision</link> equal to "true".</para>
returned by the LoginModule by setting <link linkend="nsa-http-jaas-api-provision">jaas-api-provision</link> equal to "true".</para>
</section>
<section xml:id="preauth-sample">
<title>Pre-Authentication Sample</title>
<para> This sample application demonstrates how to wire up beans from the <link
xlink:href="#preauth">pre-authentication</link> framework to make use of login
linkend="preauth">pre-authentication</link> framework to make use of login
information from a J2EE container. The user name and roles are those setup by the
container. </para>
<para> The code is in <filename>samples/preauth</filename>. </para>

2
docs/manual/src/docbook/secured-objects.xml
View File

@ -9,7 +9,7 @@
</info>
<para> Prior to Spring Security 2.0, securing <classname>MethodInvocation</classname>s
needed quite a lot of boiler plate configuration. Now the recommended approach for
method security is to use <link xlink:href="#ns-method-security">namespace
method security is to use <link linkend="ns-method-security">namespace
configuration</link>. This way the method security infrastructure beans are configured
automatically for you so you don't really need to know about the implementation classes.
We'll just provide a quick overview of the classes that are involved here. </para>

4
docs/manual/src/docbook/security-filter-chain.xml
View File

@ -12,7 +12,7 @@
<para> Spring Security maintains a filter chain internally where each of the filters has a
particular responsibility and filters are added or removed from the configuration depending
on which services are required. The ordering of the filters is important as there are
dependencies between them. If you have been using <link xlink:href="#ns-config">namespace
dependencies between them. If you have been using <link linkend="ns-config">namespace
configuration</link>, then the filters are automatically configured for you and you don't
have to define any Spring beans explicitly but here may be times when you want full control
over the security filter chain, either because you are using features which aren't supported
@ -111,7 +111,7 @@
lifecycle methods on the filters it is configured with. We recommend you use
Spring's application context lifecycle interfaces as an alternative, just as you
would for any other Spring bean.</para>
<para> When we looked at how to set up web security using <link xlink:href="#ns-web-xml"
<para> When we looked at how to set up web security using <link linkend="ns-web-xml"
>namespace configuration</link>, we used a <literal>DelegatingFilterProxy</literal> with
the name <quote>springSecurityFilterChain</quote>. You should now be able to see that
this is the name of the <classname>FilterChainProxy</classname> which is created by the

2
docs/manual/src/docbook/session-mgmt.xml
View File

@ -33,7 +33,7 @@
is just to redirect to a fixed URL and this is encapsulated in the standard implementation
<classname>SimpleRedirectInvalidSessionStrategy</classname>. The latter is also used
when configuring an invalid session URL through the namespace,
<link xlink:href="#ns-session-mgmt">as described earlier</link>.</para>
<link linkend="ns-session-mgmt">as described earlier</link>.</para>
</section>
<section>
<title><interfacename>SessionAuthenticationStrategy</interfacename></title>

2
docs/manual/src/docbook/taglibs.xml
View File

@ -16,7 +16,7 @@
Spring Security 3.0, it can be used in two ways <footnote>
<para>The legacy options from Spring Security 2.0 are also supported, but
discouraged.</para>
</footnote>. The first approach uses a <link xlink:href="#el-access-web">web-security
</footnote>. The first approach uses a <link linkend="el-access-web">web-security
expression</link>, specified in the <literal>access</literal> attribute of the tag. The
expression evaluation will be delegated to the
<interfacename>SecurityExpressionHandler&lt;FilterInvocation&gt;</interfacename> defined in the application

8
docs/manual/src/docbook/technical-overview.xml
View File

@ -115,7 +115,7 @@ if (principal instanceof UserDetails) {
<para> On successful authentication, <interfacename>UserDetails</interfacename> is used
to build the <interfacename>Authentication</interfacename> object that is stored in
the <classname>SecurityContextHolder</classname> (more on this <link
xlink:href="#tech-intro-authentication">below</link>). The good news is that we
linkend="tech-intro-authentication">below</link>). The good news is that we
provide a number of <interfacename>UserDetailsService</interfacename>
implementations, including one that uses an in-memory map
(<classname>InMemoryDaoImpl</classname>) and another that uses JDBC
@ -132,7 +132,7 @@ if (principal instanceof UserDetails) {
to other components within the framework. In particular, it <emphasis>does not</emphasis>
authenticate the user, which is done by the <interfacename>AuthenticationManager</interfacename>.
In many cases it makes more sense to
<link xlink:href="#core-services-authentication-manager">implement <interfacename>AuthenticationProvider</interfacename></link>
<link linkend="core-services-authentication-manager">implement <interfacename>AuthenticationProvider</interfacename></link>
directly if you require a custom authentication process.
</para>
</note>
@ -355,7 +355,7 @@ Successfully authenticated. Security context contains: \
</para>
<para> If you're wondering how the <interfacename>AuthenticationManager</interfacename>
is implemented in a real world example, we'll look at that in the <link
xlink:href="#core-services-authentication-manager">core services
linkend="core-services-authentication-manager">core services
chapter</link>.</para>
</section>
</section>
@ -600,7 +600,7 @@ Successfully authenticated. Security context contains: \
<classname>RoleVoter</classname>. This is only relevant when a voter-based
<interfacename>AccessDecisionManager</interfacename> is in use. We'll see how
the <interfacename>AccessDecisionManager</interfacename> is implemented in the
<link xlink:href="#authz-arch">authorization chapter</link>.</para>
<link linkend="authz-arch">authorization chapter</link>.</para>
</section>
<section>
<title>RunAsManager</title>