mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-05-31 09:12:14 +00:00
SEC-2291: Fix internal links within reference
Instead of using xlink:href="# use linkend="
parent
69aac09e1d
commit
4761614c9f
@ -53,9 +53,9 @@ class XsdDocumentedTests extends Specification {
|
|||||||
def id = delegate.@id.text().replace('-parents', '').replace('-children', '')
|
def id = delegate.@id.text().replace('-parents', '').replace('-children', '')
|
||||||
result.put(id,[])
|
result.put(id,[])
|
||||||
delegate.children().breadthFirst().each { sectionChild ->
|
delegate.children().breadthFirst().each { sectionChild ->
|
||||||
def href = sectionChild.@href.text()
|
def href = sectionChild.@linkend.text()
|
||||||
if(href) {
|
if(href) {
|
||||||
result.get(id).add(href[1..-1])
|
result.get(id).add(href)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
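Review bot: in the `breadthFirst().each` closure the local is still named `href` although it now holds `sectionChild.@linkend.text()`; rename it to `linkend` so the name matches the attribute it reads. With the `href[1..-1]` handling gone, a child that still carries an internal `xlink:href="#..."` is silently skipped by this test, so consider failing when an `@href` beginning with `#` is found, which would catch any reference this commit missed.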
@ -286,7 +286,7 @@
|
|||||||
<answer>
|
<answer>
|
||||||
<para>
|
<para>
|
||||||
Note that the permissions for an LDAP directory often do not allow you to read the password
|
Note that the permissions for an LDAP directory often do not allow you to read the password
|
||||||
for a user. Hence it is often not possible to use the <link xlink:href="#faq-what-is-userdetailservice"><interfacename>UserDetailsService</interfacename>
|
for a user. Hence it is often not possible to use the <link linkend="faq-what-is-userdetailservice"><interfacename>UserDetailsService</interfacename>
|
||||||
approach</link> where Spring Security compares the stored password with the one submitted by the user.
|
approach</link> where Spring Security compares the stored password with the one submitted by the user.
|
||||||
The most common approach is to use LDAP <quote>bind</quote>, which is one of the operations
|
The most common approach is to use LDAP <quote>bind</quote>, which is one of the operations
|
||||||
supported by <link xlink:href="http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol">the LDAP protocol</link>.
|
supported by <link xlink:href="http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol">the LDAP protocol</link>.
|
||||||
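Review bot: the new `linkend="faq-what-is-userdetailservice"` spells the id without the `s` of `UserDetailsService`, and the element declaring that id is not part of this diff. Please confirm the `xml:id` uses the same spelling, since the same value appears again in the -766 hunk. Leaving the Wikipedia link on `xlink:href` is right, as it is an external URL.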
@ -656,7 +656,7 @@
|
|||||||
a <interfacename>UserDetailsService</interfacename> to allow it to load
|
a <interfacename>UserDetailsService</interfacename> to allow it to load
|
||||||
the password (and other data) for a user in order to compare it with the
|
the password (and other data) for a user in order to compare it with the
|
||||||
submitted value. Note that if you are using LDAP,
|
submitted value. Note that if you are using LDAP,
|
||||||
<link xlink:href="#faq-ldap-authentication">this approach may not work</link>.</para>
|
<link linkend="faq-ldap-authentication">this approach may not work</link>.</para>
|
||||||
<para> If you want to customize the authentication process then you should
|
<para> If you want to customize the authentication process then you should
|
||||||
implement <interfacename>AuthenticationProvider</interfacename>
|
implement <interfacename>AuthenticationProvider</interfacename>
|
||||||
yourself. See this <link
|
yourself. See this <link
|
||||||
@ -766,7 +766,7 @@
|
|||||||
</question>
|
</question>
|
||||||
<answer>
|
<answer>
|
||||||
<para>You can't (and shouldn't). You are probably misunderstanding its purpose.
|
<para>You can't (and shouldn't). You are probably misunderstanding its purpose.
|
||||||
See <quote><link xlink:href="#faq-what-is-userdetailservice">What is a UserDetailsService?</link></quote>
|
See <quote><link linkend="faq-what-is-userdetailservice">What is a UserDetailsService?</link></quote>
|
||||||
above.
|
above.
|
||||||
</para>
|
</para>
|
||||||
</answer>
|
</answer>
|
||||||
@ -909,7 +909,7 @@
|
|||||||
>Spring Reference Manual</link>. In order to do this, you need to know a
|
>Spring Reference Manual</link>. In order to do this, you need to know a
|
||||||
bit about which beans are created, so you should also read the blog
|
bit about which beans are created, so you should also read the blog
|
||||||
article in the above question on <link
|
article in the above question on <link
|
||||||
xlink:href="#faq-namespace-to-bean-mapping">how the namespace maps to
|
linkend="faq-namespace-to-bean-mapping">how the namespace maps to
|
||||||
Spring beans</link>. </para>
|
Spring beans</link>. </para>
|
||||||
<para> Normally, you would add the functionality you require to the
|
<para> Normally, you would add the functionality you require to the
|
||||||
<methodname>postProcessBeforeInitialization</methodname> method of
|
<methodname>postProcessBeforeInitialization</methodname> method of
|
||||||
|
@ -126,7 +126,7 @@
|
|||||||
interceptor configuration replaced with <literal>IS_AUTHENTICATED_ANONYMOUSLY</literal>,
|
interceptor configuration replaced with <literal>IS_AUTHENTICATED_ANONYMOUSLY</literal>,
|
||||||
which is effectively the same thing when defining access controls. This is an example of
|
which is effectively the same thing when defining access controls. This is an example of
|
||||||
the use of the <classname>AuthenticatedVoter</classname> which we will see in the <link
|
the use of the <classname>AuthenticatedVoter</classname> which we will see in the <link
|
||||||
xlink:href="#authz-authenticated-voter">authorization chapter</link>. It uses an
|
linkend="authz-authenticated-voter">authorization chapter</link>. It uses an
|
||||||
<interfacename>AuthenticationTrustResolver</interfacename> to process this particular
|
<interfacename>AuthenticationTrustResolver</interfacename> to process this particular
|
||||||
configuration attribute and grant access to anonymous users. The
|
configuration attribute and grant access to anonymous users. The
|
||||||
<classname>AuthenticatedVoter</classname> approach is more powerful, since it allows you
|
<classname>AuthenticatedVoter</classname> approach is more powerful, since it allows you
|
||||||
|
@ -58,7 +58,7 @@ create table group_members (
|
|||||||
<section>
|
<section>
|
||||||
<title>Persistent Login (Remember-Me) Schema</title>
|
<title>Persistent Login (Remember-Me) Schema</title>
|
||||||
<para> This table is used to store data used by the more secure <link
|
<para> This table is used to store data used by the more secure <link
|
||||||
xlink:href="#remember-me-persistent-token">persistent token</link> remember-me
|
linkend="remember-me-persistent-token">persistent token</link> remember-me
|
||||||
implementation. If you are using <classname>JdbcTokenRepositoryImpl</classname> either
|
implementation. If you are using <classname>JdbcTokenRepositoryImpl</classname> either
|
||||||
directly or through the namespace, then you will need this table.
|
directly or through the namespace, then you will need this table.
|
||||||
<programlisting xml:id="db-schema-remeber-me">
|
<programlisting xml:id="db-schema-remeber-me">
|
||||||
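Review bot: the context line `<programlisting xml:id="db-schema-remeber-me">` carries a misspelled id (`remeber`). Nothing in this hunk points at it, but as the commit is about making internal references resolve, it is worth correcting to `db-schema-remember-me` in a follow-up and checking for any `linkend` that uses the old spelling.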
@ -71,7 +71,7 @@ create table persistent_logins (
|
|||||||
</section>
|
</section>
|
||||||
<section xml:id="dbschema-acl">
|
<section xml:id="dbschema-acl">
|
||||||
<title>ACL Schema</title>
|
<title>ACL Schema</title>
|
||||||
<para>There are four tables used by the Spring Security <link xlink:href="#domain-acls"
|
<para>There are four tables used by the Spring Security <link linkend="domain-acls"
|
||||||
>ACL</link> implementation. <orderedlist>
|
>ACL</link> implementation. <orderedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><literal>acl_sid</literal> stores the security identities recognised by the
|
<para><literal>acl_sid</literal> stores the security identities recognised by the
|
||||||
|
@ -8,7 +8,7 @@
|
|||||||
and information on the underlying beans they create (a knowledge of the individual classes
|
and information on the underlying beans they create (a knowledge of the individual classes
|
||||||
and how they work together is assumed - you can find more information in the project Javadoc
|
and how they work together is assumed - you can find more information in the project Javadoc
|
||||||
and elsewhere in this document). If you haven't used the namespace before, please read the
|
and elsewhere in this document). If you haven't used the namespace before, please read the
|
||||||
<link xlink:href="#ns-config">introductory chapter</link> on namespace configuration, as
|
<link linkend="ns-config">introductory chapter</link> on namespace configuration, as
|
||||||
this is intended as a supplement to the information there. Using a good quality XML editor
|
this is intended as a supplement to the information there. Using a good quality XML editor
|
||||||
while editing a configuration based on the schema is recommended as this will provide
|
while editing a configuration based on the schema is recommended as this will provide
|
||||||
contextual information on which elements and attributes are available as well as comments
|
contextual information on which elements and attributes are available as well as comments
|
||||||
@ -33,11 +33,11 @@
|
|||||||
created and the configuration within the element is used to build a filter chain within
|
created and the configuration within the element is used to build a filter chain within
|
||||||
<classname>FilterChainProxy</classname>. As of Spring Security 3.1, additional
|
<classname>FilterChainProxy</classname>. As of Spring Security 3.1, additional
|
||||||
<literal>http</literal> elements can be used to add extra filter chains <footnote>
|
<literal>http</literal> elements can be used to add extra filter chains <footnote>
|
||||||
<para>See the <link xlink:href="#ns-web-xml">introductory chapter</link> for how to set
|
<para>See the <link linkend="ns-web-xml">introductory chapter</link> for how to set
|
||||||
up the mapping from your <literal>web.xml</literal></para>
|
up the mapping from your <literal>web.xml</literal></para>
|
||||||
</footnote>. Some core filters are always created in a filter chain and others will be
|
</footnote>. Some core filters are always created in a filter chain and others will be
|
||||||
added to the stack depending on the attributes and child elements which are present. The
|
added to the stack depending on the attributes and child elements which are present. The
|
||||||
positions of the standard filters are fixed (see <link xlink:href="#filter-stack">the
|
positions of the standard filters are fixed (see <link linkend="filter-stack">the
|
||||||
filter order table</link> in the namespace introduction), removing a common source of
|
filter order table</link> in the namespace introduction), removing a common source of
|
||||||
errors with previous versions of the framework when users had to configure the filter
|
errors with previous versions of the framework when users had to configure the filter
|
||||||
chain explicitly in the <classname>FilterChainProxy</classname> bean. You can, of course,
|
chain explicitly in the <classname>FilterChainProxy</classname> bean. You can, of course,
|
||||||
@ -45,7 +45,7 @@
|
|||||||
<para> All filters which require a reference to the
|
<para> All filters which require a reference to the
|
||||||
<interfacename>AuthenticationManager</interfacename> will be automatically injected with
|
<interfacename>AuthenticationManager</interfacename> will be automatically injected with
|
||||||
the internal instance created by the namespace configuration (see the <link
|
the internal instance created by the namespace configuration (see the <link
|
||||||
xlink:href="#ns-auth-manager">introductory chapter</link> for more on the
|
linkend="ns-auth-manager">introductory chapter</link> for more on the
|
||||||
<interfacename>AuthenticationManager</interfacename>). </para>
|
<interfacename>AuthenticationManager</interfacename>). </para>
|
||||||
<para> Each <literal><http></literal> namespace block always creates an
|
<para> Each <literal><http></literal> namespace block always creates an
|
||||||
<classname>SecurityContextPersistenceFilter</classname>, an
|
<classname>SecurityContextPersistenceFilter</classname>, an
|
||||||
@ -67,7 +67,7 @@
|
|||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-http-access-denied-page">
|
<section xml:id="nsa-http-access-denied-page">
|
||||||
<title><literal>access-denied-page</literal></title>
|
<title><literal>access-denied-page</literal></title>
|
||||||
<para> Deprecated in favour of the <link xlink:href="#nsa-access-denied-handler">access-denied-handler</link>
|
<para> Deprecated in favour of the <link linkend="nsa-access-denied-handler">access-denied-handler</link>
|
||||||
child element.</para>
|
child element.</para>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-http-authentication-manager-ref">
|
<section xml:id="nsa-http-authentication-manager-ref">
|
||||||
@ -139,15 +139,15 @@
|
|||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-http-path-type">
|
<section xml:id="nsa-http-path-type">
|
||||||
<title><literal>path-type</literal></title>
|
<title><literal>path-type</literal></title>
|
||||||
<para>Deprecated in favor of <link xlink:href="#nsa-http-request-matcher">request-matcher</link>.
|
<para>Deprecated in favor of <link linkend="nsa-http-request-matcher">request-matcher</link>.
|
||||||
</para>
|
</para>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-http-pattern">
|
<section xml:id="nsa-http-pattern">
|
||||||
<title><literal>pattern</literal></title>
|
<title><literal>pattern</literal></title>
|
||||||
<para>Defining a pattern for the <link xlink:href="#nsa-http">http</link> element controls the
|
<para>Defining a pattern for the <link linkend="nsa-http">http</link> element controls the
|
||||||
requests which will be filtered through the list of filters which it defines.
|
requests which will be filtered through the list of filters which it defines.
|
||||||
The interpretation is dependent on the configured <link
|
The interpretation is dependent on the configured <link
|
||||||
xlink:href="#nsa-http-request-matcher">request-matcher</link>. If no pattern is defined,
|
linkend="nsa-http-request-matcher">request-matcher</link>. If no pattern is defined,
|
||||||
all requests will be matched, so the most specific patterns should be declared
|
all requests will be matched, so the most specific patterns should be declared
|
||||||
first.</para>
|
first.</para>
|
||||||
</section>
|
</section>
|
||||||
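Review bot: the `path-type` paragraph says "Deprecated in favor of" while the `access-denied-page` paragraph in the -67 hunk says "Deprecated in favour of". Pick one spelling for the deprecation notices while these lines are being touched.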
@ -165,9 +165,9 @@
|
|||||||
currently <literal>ant</literal>, <literal>regex</literal> and
|
currently <literal>ant</literal>, <literal>regex</literal> and
|
||||||
<literal>ciRegex</literal>, for ant, regular-expression and case-insensitive
|
<literal>ciRegex</literal>, for ant, regular-expression and case-insensitive
|
||||||
regular-expression repsectively. A separate instance is created for each
|
regular-expression repsectively. A separate instance is created for each
|
||||||
<link xlink:href="#nsa-intercept-url">intercept-url</link> element using its
|
<link linkend="nsa-intercept-url">intercept-url</link> element using its
|
||||||
<link xlink:href="#nsa-intercept-url-pattern">pattern</link> and
|
<link linkend="nsa-intercept-url-pattern">pattern</link> and
|
||||||
<link xlink:href="#nsa-intercept-url-method">method</link> attributes. Ant paths
|
<link linkend="nsa-intercept-url-method">method</link> attributes. Ant paths
|
||||||
are matched using an <classname>AntPathRequestMatcher</classname> and regular expressions
|
are matched using an <classname>AntPathRequestMatcher</classname> and regular expressions
|
||||||
are matched using a <classname>RegexRequestMatcher</classname>. See the Javadoc
|
are matched using a <classname>RegexRequestMatcher</classname>. See the Javadoc
|
||||||
for these classes for more details on exactly how the matching is preformed. Ant
|
for these classes for more details on exactly how the matching is preformed. Ant
|
||||||
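Review bot: the paragraph whose three links are converted here still has two typos in its unchanged lines, "repsectively" and "preformed" (for "respectively" and "performed"). They are cheap to fix in the same pass over this paragraph.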
@ -177,7 +177,7 @@
|
|||||||
<title><literal>request-matcher-ref</literal></title>
|
<title><literal>request-matcher-ref</literal></title>
|
||||||
<para>A referenece to a bean that implements <interfacename>RequestMatcher</interfacename> that
|
<para>A referenece to a bean that implements <interfacename>RequestMatcher</interfacename> that
|
||||||
will determine if this <classname>FilterChain</classname> should be used. This is a more
|
will determine if this <classname>FilterChain</classname> should be used. This is a more
|
||||||
powerful alternative to <link xlink:href="#nsa-http-pattern">pattern</link>.</para>
|
powerful alternative to <link linkend="nsa-http-pattern">pattern</link>.</para>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-http-security">
|
<section xml:id="nsa-http-security">
|
||||||
<title><literal>security</literal></title>
|
<title><literal>security</literal></title>
|
||||||
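Review bot: the first line of the `request-matcher-ref` paragraph reads "A referenece to a bean"; correct it to "reference" while the paragraph is being edited.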
@ -202,30 +202,30 @@
|
|||||||
<section xml:id="nsa-http-use-expressions">
|
<section xml:id="nsa-http-use-expressions">
|
||||||
<title><literal>use-expressions</literal></title>
|
<title><literal>use-expressions</literal></title>
|
||||||
<para>Enables EL-expressions in the <literal>access</literal> attribute, as
|
<para>Enables EL-expressions in the <literal>access</literal> attribute, as
|
||||||
described in the chapter on <link xlink:href="#el-access-web">expression-based
|
described in the chapter on <link linkend="el-access-web">expression-based
|
||||||
access-control</link>.</para>
|
access-control</link>.</para>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-http-children">
|
<section xml:id="nsa-http-children">
|
||||||
<title>Child Elements of <http></title>
|
<title>Child Elements of <http></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-access-denied-handler">access-denied-handler</link></listitem>
|
<listitem><link linkend="nsa-access-denied-handler">access-denied-handler</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-anonymous">anonymous</link></listitem>
|
<listitem><link linkend="nsa-anonymous">anonymous</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-csrf">csrf</link></listitem>
|
<listitem><link linkend="nsa-csrf">csrf</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-custom-filter">custom-filter</link></listitem>
|
<listitem><link linkend="nsa-custom-filter">custom-filter</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-expression-handler">expression-handler</link></listitem>
|
<listitem><link linkend="nsa-expression-handler">expression-handler</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-form-login">form-login</link></listitem>
|
<listitem><link linkend="nsa-form-login">form-login</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-headers">headers</link></listitem>
|
<listitem><link linkend="nsa-headers">headers</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-http-basic">http-basic</link></listitem>
|
<listitem><link linkend="nsa-http-basic">http-basic</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-intercept-url">intercept-url</link></listitem>
|
<listitem><link linkend="nsa-intercept-url">intercept-url</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-jee">jee</link></listitem>
|
<listitem><link linkend="nsa-jee">jee</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-logout">logout</link></listitem>
|
<listitem><link linkend="nsa-logout">logout</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-openid-login">openid-login</link></listitem>
|
<listitem><link linkend="nsa-openid-login">openid-login</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-port-mappings">port-mappings</link></listitem>
|
<listitem><link linkend="nsa-port-mappings">port-mappings</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-remember-me">remember-me</link></listitem>
|
<listitem><link linkend="nsa-remember-me">remember-me</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-request-cache">request-cache</link></listitem>
|
<listitem><link linkend="nsa-request-cache">request-cache</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-session-management">session-management</link></listitem>
|
<listitem><link linkend="nsa-session-management">session-management</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-x509">x509</link></listitem>
|
<listitem><link linkend="nsa-x509">x509</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@ -234,15 +234,15 @@
|
|||||||
<para>This element allows you to set the <literal>errorPage</literal> property for the
|
<para>This element allows you to set the <literal>errorPage</literal> property for the
|
||||||
default <interfacename>AccessDeniedHandler</interfacename> used by the
|
default <interfacename>AccessDeniedHandler</interfacename> used by the
|
||||||
<classname>ExceptionTranslationFilter</classname>, using the
|
<classname>ExceptionTranslationFilter</classname>, using the
|
||||||
<link xlink:href="#nsa-access-denied-handler-error-page">error-page</link> attribute, or
|
<link linkend="nsa-access-denied-handler-error-page">error-page</link> attribute, or
|
||||||
to supply your own implementation using the
|
to supply your own implementation using the
|
||||||
<link xlink:href="#nsa-access-denied-handler-ref">ref</link> attribute. This is discussed
|
<link linkend="nsa-access-denied-handler-ref">ref</link> attribute. This is discussed
|
||||||
in more detail in the section on the <link xlink:href="#access-denied-handler">
|
in more detail in the section on the <link linkend="access-denied-handler">
|
||||||
<classname>ExceptionTranslationFilter</classname></link>.</para>
|
<classname>ExceptionTranslationFilter</classname></link>.</para>
|
||||||
<section xml:id="nsa-access-denied-handler-parents">
|
<section xml:id="nsa-access-denied-handler-parents">
|
||||||
<title>Parent Elements of <literal><access-denied-handler></literal></title>
|
<title>Parent Elements of <literal><access-denied-handler></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-http">http</link></listitem>
|
<listitem><link linkend="nsa-http">http</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-access-denied-handler-attributes">
|
<section xml:id="nsa-access-denied-handler-attributes">
|
||||||
@ -263,24 +263,24 @@
|
|||||||
<title><literal><headers></literal></title>
|
<title><literal><headers></literal></title>
|
||||||
<para>This element allows for configuring additional (security) headers to be send with the response.
|
<para>This element allows for configuring additional (security) headers to be send with the response.
|
||||||
It enables easy configuration for several headers and also allows for setting custom headers through
|
It enables easy configuration for several headers and also allows for setting custom headers through
|
||||||
the <link xlink:href="#nsa-header">header</link> element.
|
the <link linkend="nsa-header">header</link> element.
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><literal>Cache-Control</literal> and <literal>Pragma</literal> - Can be set using the
|
<listitem><literal>Cache-Control</literal> and <literal>Pragma</literal> - Can be set using the
|
||||||
<link xlink:href="#nsa-cache-control">cache-control</link> element. This ensures that the
|
<link linkend="nsa-cache-control">cache-control</link> element. This ensures that the
|
||||||
browser does not cache your secured pages.</listitem>
|
browser does not cache your secured pages.</listitem>
|
||||||
<listitem><literal>Strict-Transport-Security</literal> - Can be set using the
|
<listitem><literal>Strict-Transport-Security</literal> - Can be set using the
|
||||||
<link xlink:href="#nsa-hsts">hsts</link> element. This ensures that the
|
<link linkend="nsa-hsts">hsts</link> element. This ensures that the
|
||||||
browser automatically requests HTTPS for future requests.</listitem>
|
browser automatically requests HTTPS for future requests.</listitem>
|
||||||
<listitem><literal>X-Frame-Options</literal> - Can be set using the
|
<listitem><literal>X-Frame-Options</literal> - Can be set using the
|
||||||
<link xlink:href="#nsa-frame-options">frame-options</link> element. The
|
<link linkend="nsa-frame-options">frame-options</link> element. The
|
||||||
<link xlink:href="http://en.wikipedia.org/wiki/Clickjacking#X-Frame-Options">X-Frame-Options
|
<link xlink:href="http://en.wikipedia.org/wiki/Clickjacking#X-Frame-Options">X-Frame-Options
|
||||||
</link> header can be used to prevent clickjacking attacks.</listitem>
|
</link> header can be used to prevent clickjacking attacks.</listitem>
|
||||||
<listitem><literal>X-XSS-Protection</literal> - Can be set using the
|
<listitem><literal>X-XSS-Protection</literal> - Can be set using the
|
||||||
<link xlink:href="#nsa-xss-protection">xss-protection</link> element.
|
<link linkend="nsa-xss-protection">xss-protection</link> element.
|
||||||
The <link xlink:href="http://en.wikipedia.org/wiki/Cross-site_scripting">X-XSS-Protection
|
The <link xlink:href="http://en.wikipedia.org/wiki/Cross-site_scripting">X-XSS-Protection
|
||||||
</link> header can be used by browser to do basic control.</listitem>
|
</link> header can be used by browser to do basic control.</listitem>
|
||||||
<listitem><literal>X-Content-Type-Options</literal> - Can be set using the
|
<listitem><literal>X-Content-Type-Options</literal> - Can be set using the
|
||||||
<link xlink:href="#nsa-content-type-options">content-type-options</link> element. The
|
<link linkend="nsa-content-type-options">content-type-options</link> element. The
|
||||||
<link xlink:href="http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx">X-Content-Type-Options</link>
|
<link xlink:href="http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx">X-Content-Type-Options</link>
|
||||||
header prevents Internet Explorer from MIME-sniffing a response away from the declared
|
header prevents Internet Explorer from MIME-sniffing a response away from the declared
|
||||||
content-type. This also applies to Google Chrome, when downloading extensions. </listitem>
|
content-type. This also applies to Google Chrome, when downloading extensions. </listitem>
|
||||||
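Review bot: the `X-XSS-Protection` item ends with "can be used by browser to do basic control", which does not tell the reader what the header actually does; reword it to state the effect, as the other items do. The intro line also says "headers to be send", which should be "sent". Keeping `xlink:href` on the three external links (the two Wikipedia pages and the MSDN post) is correct.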
@ -289,18 +289,18 @@
|
|||||||
<section xml:id="nsa-headers-parents">
|
<section xml:id="nsa-headers-parents">
|
||||||
<title>Parent Elements of <literal><headers></literal></title>
|
<title>Parent Elements of <literal><headers></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-http">http</link></listitem>
|
<listitem><link linkend="nsa-http">http</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-headers-children">
|
<section xml:id="nsa-headers-children">
|
||||||
<title>Child Elements of <literal><headers></literal></title>
|
<title>Child Elements of <literal><headers></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-cache-control">cache-control</link></listitem>
|
<listitem><link linkend="nsa-cache-control">cache-control</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-content-type-options">content-type-options</link></listitem>
|
<listitem><link linkend="nsa-content-type-options">content-type-options</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-frame-options">frame-options</link></listitem>
|
<listitem><link linkend="nsa-frame-options">frame-options</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-header">header</link></listitem>
|
<listitem><link linkend="nsa-header">header</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-hsts">hsts</link></listitem>
|
<listitem><link linkend="nsa-hsts">hsts</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-xss-protection">xss-protection</link></listitem>
|
<listitem><link linkend="nsa-xss-protection">xss-protection</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@ -311,7 +311,7 @@
|
|||||||
<section xml:id="nsa-cache-control-parents">
|
<section xml:id="nsa-cache-control-parents">
|
||||||
<title>Parent Elements of <literal><cache-control></literal></title>
|
<title>Parent Elements of <literal><cache-control></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-headers">headers</link></listitem>
|
<listitem><link linkend="nsa-headers">headers</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@ -343,7 +343,7 @@
|
|||||||
<section xml:id="nsa-hsts-parents">
|
<section xml:id="nsa-hsts-parents">
|
||||||
<title>Parent Elements of <literal><hsts></literal></title>
|
<title>Parent Elements of <literal><hsts></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-headers">headers</link></listitem>
|
<listitem><link linkend="nsa-headers">headers</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@ -361,7 +361,7 @@
|
|||||||
the site attempting to do so. This is the default when frame-options-policy is specified.</listitem>
|
the site attempting to do so. This is the default when frame-options-policy is specified.</listitem>
|
||||||
<listitem><literal>SAMEORIGIN</literal> The page can only be displayed in a frame on the
|
<listitem><literal>SAMEORIGIN</literal> The page can only be displayed in a frame on the
|
||||||
same origin as the page itself</listitem>
|
same origin as the page itself</listitem>
|
||||||
<listitem><literal>ALLOW-FROM <link xlink:href="#nsa-frame-options-origin">origin</link></literal>
|
<listitem><literal>ALLOW-FROM <link linkend="nsa-frame-options-origin">origin</link></literal>
|
||||||
The page can only be displayed in a frame on the specified origin.
|
The page can only be displayed in a frame on the specified origin.
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
@ -377,17 +377,17 @@
|
|||||||
Select the <classname>AllowFromStrategy</classname> to use when using the ALLOW-FROM policy.
|
Select the <classname>AllowFromStrategy</classname> to use when using the ALLOW-FROM policy.
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><literal>static</literal> Use a single static ALLOW-FROM value. The value can be set
|
<listitem><literal>static</literal> Use a single static ALLOW-FROM value. The value can be set
|
||||||
through the <link xlink:href="#nsa-frame-options-value">value</link> attribute.
|
through the <link linkend="nsa-frame-options-value">value</link> attribute.
|
||||||
</listitem>
|
</listitem>
|
||||||
<listitem><literal>regexp</literal> Use a regelur expression to validate incoming requests and
|
<listitem><literal>regexp</literal> Use a regelur expression to validate incoming requests and
|
||||||
if they are allowed. The regular expression can be set through the <link xlink:href="#nsa-frame-options-value">value</link>
|
if they are allowed. The regular expression can be set through the <link linkend="nsa-frame-options-value">value</link>
|
||||||
attribute. The request parameter used to retrieve the value to validate can be specified
|
attribute. The request parameter used to retrieve the value to validate can be specified
|
||||||
using the <link xlink:href="#nsa-frame-options-from-parameter">from-parameter</link>.
|
using the <link linkend="nsa-frame-options-from-parameter">from-parameter</link>.
|
||||||
</listitem>
|
</listitem>
|
||||||
<listitem><literal>whitelist</literal>A comma-seperated list containing the allowed domains.
|
<listitem><literal>whitelist</literal>A comma-seperated list containing the allowed domains.
|
||||||
The comma-seperated list can be set through the <link xlink:href="#nsa-frame-options-value">value</link>
|
The comma-seperated list can be set through the <link linkend="nsa-frame-options-value">value</link>
|
||||||
attribute. The request parameter used to retrieve the value to validate can be specified
|
attribute. The request parameter used to retrieve the value to validate can be specified
|
||||||
using the <link xlink:href="#nsa-frame-options-from-parameter">from-parameter</link>.
|
using the <link linkend="nsa-frame-options-from-parameter">from-parameter</link>.
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</para>
|
</para>
|
||||||
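Review bot: The strategy list edited here still carries typos that will ship in the reference: "regelur expression" in the regexp item, "comma-seperated" twice in the whitelist item (once on a line this hunk changes), and no space between `<literal>whitelist</literal>` and "A comma-seperated". Since the list is already open for the link change, correct these to "regular expression" and "comma-separated" and add the missing space.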
@ -401,7 +401,7 @@
|
|||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-frame-options-value">
|
<section xml:id="nsa-frame-options-value">
|
||||||
<title><literal>frame-options-value</literal></title>
|
<title><literal>frame-options-value</literal></title>
|
||||||
<para>The value to use when ALLOW-FROM is used a <link xlink:href="#nsa-frame-options-strategy">strategy</link>.</para>
|
<para>The value to use when ALLOW-FROM is used a <link linkend="nsa-frame-options-strategy">strategy</link>.</para>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-frame-options-from-parameter">
|
<section xml:id="nsa-frame-options-from-parameter">
|
||||||
<title><literal>frame-options-from-parameter</literal></title>
|
<title><literal>frame-options-from-parameter</literal></title>
|
||||||
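Review bot: The changed `<para>` in nsa-frame-options-value reads "when ALLOW-FROM is used a strategy", which is missing a word and blurs two terms. The previous hunk describes ALLOW-FROM as the policy and the strategy attribute as selecting the AllowFromStrategy. Suggest rewording while the line is being edited, for example "The value to use when ALLOW-FROM is used with a strategy", keeping the link on "strategy".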
@ -414,7 +414,7 @@
|
|||||||
<section xml:id="nsa-frame-options-parents">
|
<section xml:id="nsa-frame-options-parents">
|
||||||
<title>Parent Elements of <literal><frame-options></literal></title>
|
<title>Parent Elements of <literal><frame-options></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-headers">headers</link></listitem>
|
<listitem><link linkend="nsa-headers">headers</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@ -439,7 +439,7 @@
|
|||||||
<section xml:id="nsa-xss-protection-parents">
|
<section xml:id="nsa-xss-protection-parents">
|
||||||
<title>Parent Elements of <literal><xss-protection></literal></title>
|
<title>Parent Elements of <literal><xss-protection></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-headers">headers</link></listitem>
|
<listitem><link linkend="nsa-headers">headers</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@ -451,7 +451,7 @@
|
|||||||
<section xml:id="nsa-content-type-options-parents">
|
<section xml:id="nsa-content-type-options-parents">
|
||||||
<title>Parent Elements of <literal><content-type-options></literal></title>
|
<title>Parent Elements of <literal><content-type-options></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-headers">headers</link></listitem>
|
<listitem><link linkend="nsa-headers">headers</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@ -476,7 +476,7 @@
|
|||||||
<section xml:id="nsa-header-parents">
|
<section xml:id="nsa-header-parents">
|
||||||
<title>Parent Elements of <literal><header></literal></title>
|
<title>Parent Elements of <literal><header></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-headers">headers</link></listitem>
|
<listitem><link linkend="nsa-headers">headers</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@ -488,7 +488,7 @@
|
|||||||
<section xml:id="nsa-anonymous-parents">
|
<section xml:id="nsa-anonymous-parents">
|
||||||
<title>Parent Elements of <literal><anonymous></literal></title>
|
<title>Parent Elements of <literal><anonymous></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-http">http</link></listitem>
|
<listitem><link linkend="nsa-http">http</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-anonymous-attributes">
|
<section xml:id="nsa-anonymous-attributes">
|
||||||
@ -527,7 +527,7 @@
|
|||||||
<section xml:id="nsa-csrf-parents">
|
<section xml:id="nsa-csrf-parents">
|
||||||
<title>Parent Elements of <literal><csrf></literal></title>
|
<title>Parent Elements of <literal><csrf></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-http">http</link></listitem>
|
<listitem><link linkend="nsa-http">http</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-csrf-attributes">
|
<section xml:id="nsa-csrf-attributes">
|
||||||
@ -550,12 +550,12 @@
|
|||||||
additional beans but is used to select a bean of type
|
additional beans but is used to select a bean of type
|
||||||
<interfacename>javax.servlet.Filter</interfacename> which is already defined in the
|
<interfacename>javax.servlet.Filter</interfacename> which is already defined in the
|
||||||
application context and add that at a particular position in the filter chain
|
application context and add that at a particular position in the filter chain
|
||||||
maintained by Spring Security. Full details can be found in the <link xlink:href="#ns-custom-filters">
|
maintained by Spring Security. Full details can be found in the <link linkend="ns-custom-filters">
|
||||||
namespace chapter</link>.</para>
|
namespace chapter</link>.</para>
|
||||||
<section xml:id="nsa-custom-filter-parents">
|
<section xml:id="nsa-custom-filter-parents">
|
||||||
<title>Parent Elements of <literal><custom-filter></literal></title>
|
<title>Parent Elements of <literal><custom-filter></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-http">http</link></listitem>
|
<listitem><link linkend="nsa-http">http</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-custom-filter-attributes">
|
<section xml:id="nsa-custom-filter-attributes">
|
||||||
@ -590,8 +590,8 @@
|
|||||||
<section xml:id="nsa-expression-handler-parents">
|
<section xml:id="nsa-expression-handler-parents">
|
||||||
<title>Parent Elements of <literal><expression-handler></literal></title>
|
<title>Parent Elements of <literal><expression-handler></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-global-method-security">global-method-security</link></listitem>
|
<listitem><link linkend="nsa-global-method-security">global-method-security</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-http">http</link></listitem>
|
<listitem><link linkend="nsa-http">http</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-expression-handler-attributes">
|
<section xml:id="nsa-expression-handler-attributes">
|
||||||
@ -615,12 +615,12 @@
|
|||||||
<classname>DefaultLoginPageGeneratingFilter</classname> is responsible for
|
<classname>DefaultLoginPageGeneratingFilter</classname> is responsible for
|
||||||
rendering the login page and will provide login forms for both normal form login
|
rendering the login page and will provide login forms for both normal form login
|
||||||
and/or OpenID if required.</para>
|
and/or OpenID if required.</para>
|
||||||
</footnote> The behaviour can be customized using the <link xlink:href="#nsa-form-login-attributes">
|
</footnote> The behaviour can be customized using the <link linkend="nsa-form-login-attributes">
|
||||||
<literal><form-login></literal> Attributes</link>.</para>
|
<literal><form-login></literal> Attributes</link>.</para>
|
||||||
<section xml:id="nsa-form-login-parents">
|
<section xml:id="nsa-form-login-parents">
|
||||||
<title>Parent Elements of <literal><form-login></literal></title>
|
<title>Parent Elements of <literal><form-login></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-http">http</link></listitem>
|
<listitem><link linkend="nsa-http">http</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-form-login-attributes">
|
<section xml:id="nsa-form-login-attributes">
|
||||||
@ -628,7 +628,7 @@
|
|||||||
<section xml:id="nsa-form-login-always-use-default-target">
|
<section xml:id="nsa-form-login-always-use-default-target">
|
||||||
<title><literal>always-use-default-target</literal></title>
|
<title><literal>always-use-default-target</literal></title>
|
||||||
<para>If set to <literal>true</literal>, the user will always start at the value given by
|
<para>If set to <literal>true</literal>, the user will always start at the value given by
|
||||||
<link xlink:href="#nsa-form-login-default-target-url">default-target-url</link>, regardless
|
<link linkend="nsa-form-login-default-target-url">default-target-url</link>, regardless
|
||||||
of how they arrived at the login page. Maps to the <literal>alwaysUseDefaultTargetUrl</literal>
|
of how they arrived at the login page. Maps to the <literal>alwaysUseDefaultTargetUrl</literal>
|
||||||
property of <classname>UsernamePasswordAuthenticationFilter</classname>. Default value is
|
property of <classname>UsernamePasswordAuthenticationFilter</classname>. Default value is
|
||||||
<literal>false</literal>.</para>
|
<literal>false</literal>.</para>
|
||||||
@ -641,7 +641,7 @@
|
|||||||
<section xml:id="nsa-form-login-authentication-failure-handler-ref">
|
<section xml:id="nsa-form-login-authentication-failure-handler-ref">
|
||||||
<title><literal>authentication-failure-handler-ref</literal></title>
|
<title><literal>authentication-failure-handler-ref</literal></title>
|
||||||
<para>Can be used as an alternative to
|
<para>Can be used as an alternative to
|
||||||
<link xlink:href="#nsa-form-login-authentication-failure-url">authentication-failure-url</link>,
|
<link linkend="nsa-form-login-authentication-failure-url">authentication-failure-url</link>,
|
||||||
giving you full control over the navigation flow after an authentication failure. The value
|
giving you full control over the navigation flow after an authentication failure. The value
|
||||||
should be he name of an <interfacename>AuthenticationFailureHandler</interfacename> bean in the
|
should be he name of an <interfacename>AuthenticationFailureHandler</interfacename> bean in the
|
||||||
application context.</para>
|
application context.</para>
|
||||||
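Review bot: In authentication-failure-handler-ref, the context line directly below the changed link says "should be he name of an AuthenticationFailureHandler bean". The matching sentence in authentication-success-handler-ref has "the name". Worth fixing in the same pass, since this paragraph is already being touched.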
@ -657,13 +657,13 @@
|
|||||||
<section xml:id="nsa-form-login-authentication-success-handler-ref">
|
<section xml:id="nsa-form-login-authentication-success-handler-ref">
|
||||||
<title><literal>authentication-success-handler-ref</literal></title>
|
<title><literal>authentication-success-handler-ref</literal></title>
|
||||||
<para>This can be used as an alternative to
|
<para>This can be used as an alternative to
|
||||||
<link xlink:href="#nsa-form-login-default-target-url">default-target-url</link>
|
<link linkend="nsa-form-login-default-target-url">default-target-url</link>
|
||||||
and <link xlink:href="#nsa-form-login-always-use-default-target">always-use-default-target</link>,
|
and <link linkend="nsa-form-login-always-use-default-target">always-use-default-target</link>,
|
||||||
giving you full control over the navigation flow after a successful authentication. The value
|
giving you full control over the navigation flow after a successful authentication. The value
|
||||||
should be the name of an <interfacename>AuthenticationSuccessHandler</interfacename> bean in
|
should be the name of an <interfacename>AuthenticationSuccessHandler</interfacename> bean in
|
||||||
the application context. By default, an implementation of
|
the application context. By default, an implementation of
|
||||||
<classname>SavedRequestAwareAuthenticationSuccessHandler</classname> is used and
|
<classname>SavedRequestAwareAuthenticationSuccessHandler</classname> is used and
|
||||||
injected with the <link xlink:href="#nsa-form-login-default-target-url">default-target-url
|
injected with the <link linkend="nsa-form-login-default-target-url">default-target-url
|
||||||
</link>.</para>
|
</link>.</para>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-form-login-default-target-url">
|
<section xml:id="nsa-form-login-default-target-url">
|
||||||
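Review bot: The last link in authentication-success-handler-ref closes on the following line ("default-target-url" followed by "</link>.</para>"), so the line break and indentation become part of the link text. Close the element on the same line as its text, as the two links earlier in this paragraph do.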
@ -707,7 +707,7 @@
|
|||||||
<section xml:id="nsa-http-basic-parents">
|
<section xml:id="nsa-http-basic-parents">
|
||||||
<title>Parent Elements of <literal><http-basic></literal></title>
|
<title>Parent Elements of <literal><http-basic></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-http">http</link></listitem>
|
<listitem><link linkend="nsa-http">http</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-http-basic-attributes">
|
<section xml:id="nsa-http-basic-attributes">
|
||||||
@ -752,9 +752,9 @@
|
|||||||
<section xml:id="nsa-intercept-url-parents">
|
<section xml:id="nsa-intercept-url-parents">
|
||||||
<title>Parent Elements of <literal><intercept-url></literal></title>
|
<title>Parent Elements of <literal><intercept-url></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-filter-invocation-definition-source">filter-invocation-definition-source</link></listitem>
|
<listitem><link linkend="nsa-filter-invocation-definition-source">filter-invocation-definition-source</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-filter-security-metadata-source">filter-security-metadata-source</link></listitem>
|
<listitem><link linkend="nsa-filter-security-metadata-source">filter-security-metadata-source</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-http">http</link></listitem>
|
<listitem><link linkend="nsa-http">http</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-intercept-url-attributes">
|
<section xml:id="nsa-intercept-url-attributes">
|
||||||
@ -797,7 +797,7 @@
|
|||||||
<classname>ChannelProcessingFilter</classname> will be added to the filter
|
<classname>ChannelProcessingFilter</classname> will be added to the filter
|
||||||
stack and its additional dependencies added to the application
|
stack and its additional dependencies added to the application
|
||||||
context.<!--See the chapter on <link
|
context.<!--See the chapter on <link
|
||||||
xlink:href="#channel-security-config">channel security</link> for an example
|
linkend="channel-security-config">channel security</link> for an example
|
||||||
configuration using traditional beans. --></para>
|
configuration using traditional beans. --></para>
|
||||||
<para>If a <literal><port-mappings></literal> configuration is added, this
|
<para>If a <literal><port-mappings></literal> configuration is added, this
|
||||||
will be used to by the <classname>SecureChannelProcessor</classname> and
|
will be used to by the <classname>SecureChannelProcessor</classname> and
|
||||||
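Review bot: The only changed line in this hunk sits inside an XML comment ("<!--See the chapter on <link ... -->"), so the new linkend="channel-security-config" is never rendered and never checked as an IDREF, and nothing in the visible lines shows that id exists. Either confirm the target and restore the sentence, or delete the commented-out text rather than keep maintaining it. The context line "will be used to by the SecureChannelProcessor" also has a stray "to".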
@ -813,7 +813,7 @@
|
|||||||
<section xml:id="nsa-jee-parents">
|
<section xml:id="nsa-jee-parents">
|
||||||
<title>Parent Elements of <literal><jee></literal></title>
|
<title>Parent Elements of <literal><jee></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-http">http</link></listitem>
|
<listitem><link linkend="nsa-http">http</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-jee-attributes">
|
<section xml:id="nsa-jee-attributes">
|
||||||
@ -835,7 +835,7 @@
|
|||||||
<section xml:id="nsa-logout-parents">
|
<section xml:id="nsa-logout-parents">
|
||||||
<title>Parent Elements of <literal><logout></literal></title>
|
<title>Parent Elements of <literal><logout></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-http">http</link></listitem>
|
<listitem><link linkend="nsa-http">http</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-logout-attributes">
|
<section xml:id="nsa-logout-attributes">
|
||||||
@ -886,7 +886,7 @@
|
|||||||
<section xml:id="nsa-openid-login-parents">
|
<section xml:id="nsa-openid-login-parents">
|
||||||
<title>Parent Elements of <literal><openid-login></literal></title>
|
<title>Parent Elements of <literal><openid-login></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-http">http</link></listitem>
|
<listitem><link linkend="nsa-http">http</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-openid-login-attributes">
|
<section xml:id="nsa-openid-login-attributes">
|
||||||
@ -915,8 +915,8 @@
|
|||||||
<title><literal>authentication-success-handler-ref</literal></title>
|
<title><literal>authentication-success-handler-ref</literal></title>
|
||||||
<para>Reference to an AuthenticationSuccessHandler bean which should be used to handle a successful
|
<para>Reference to an AuthenticationSuccessHandler bean which should be used to handle a successful
|
||||||
authentication request. Should not be used in combination with
|
authentication request. Should not be used in combination with
|
||||||
<link xlink:href="#nsa-openid-login-default-target-url">default-target-url</link> (or
|
<link linkend="nsa-openid-login-default-target-url">default-target-url</link> (or
|
||||||
<link xlink:href="#nsa-openid-login-always-use-default-target">
|
<link linkend="nsa-openid-login-always-use-default-target">
|
||||||
always-use-default-target</link>) as the implementation should always deal with navigation
|
always-use-default-target</link>) as the implementation should always deal with navigation
|
||||||
to the subsequent destination</para>
|
to the subsequent destination</para>
|
||||||
</section>
|
</section>
|
||||||
@ -952,7 +952,7 @@
|
|||||||
<section xml:id="nsa-openid-login-children">
|
<section xml:id="nsa-openid-login-children">
|
||||||
<title>Child Elements of <openid-login></title>
|
<title>Child Elements of <openid-login></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-attribute-exchange">attribute-exchange</link></listitem>
|
<listitem><link linkend="nsa-attribute-exchange">attribute-exchange</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
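Review bot: The title in nsa-openid-login-children, "Child Elements of <openid-login>", is the one title in this patch that does not wrap the element name in `<literal>`. Every other Parent/Child Elements title shown here does. Wrap it for consistent rendering while this section is open.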
@ -960,7 +960,7 @@
|
|||||||
<title><literal><attribute-exchange></literal></title>
|
<title><literal><attribute-exchange></literal></title>
|
||||||
<para>The <literal>attribute-exchange</literal> element defines the list of
|
<para>The <literal>attribute-exchange</literal> element defines the list of
|
||||||
attributes which should be requested from the identity provider. An example can be found
|
attributes which should be requested from the identity provider. An example can be found
|
||||||
in the <link xlink:href="#ns-openid">OpenID Support</link> section of the namespace configuration
|
in the <link linkend="ns-openid">OpenID Support</link> section of the namespace configuration
|
||||||
chapter. More than one can be used, in which case each must have an <literal>identifier-match</literal>
|
chapter. More than one can be used, in which case each must have an <literal>identifier-match</literal>
|
||||||
attribute, containing a regular expression which is matched against the supplied
|
attribute, containing a regular expression which is matched against the supplied
|
||||||
OpenID identifier. This allows different attribute lists to be fetched from
|
OpenID identifier. This allows different attribute lists to be fetched from
|
||||||
@ -968,7 +968,7 @@
|
|||||||
<section xml:id="nsa-attribute-exchange-parents">
|
<section xml:id="nsa-attribute-exchange-parents">
|
||||||
<title>Parent Elements of <literal><attribute-exchange></literal></title>
|
<title>Parent Elements of <literal><attribute-exchange></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-openid-login">openid-login</link></listitem>
|
<listitem><link linkend="nsa-openid-login">openid-login</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-attribute-exchange-attributes">
|
<section xml:id="nsa-attribute-exchange-attributes">
|
||||||
@ -982,7 +982,7 @@
|
|||||||
<section xml:id="nsa-attribute-exchange-children">
|
<section xml:id="nsa-attribute-exchange-children">
|
||||||
<title>Child Elements of <literal><attribute-exchange></literal></title>
|
<title>Child Elements of <literal><attribute-exchange></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-openid-attribute">openid-attribute</link></listitem>
|
<listitem><link linkend="nsa-openid-attribute">openid-attribute</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@ -994,7 +994,7 @@
|
|||||||
<section xml:id="nsa-openid-attribute-parents">
|
<section xml:id="nsa-openid-attribute-parents">
|
||||||
<title>Parent Elements of <literal><openid-attribute></literal></title>
|
<title>Parent Elements of <literal><openid-attribute></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-attribute-exchange">attribute-exchange</link></listitem>
|
<listitem><link linkend="nsa-attribute-exchange">attribute-exchange</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-openid-attribute-attributes">
|
<section xml:id="nsa-openid-attribute-attributes">
|
||||||
@ -1027,18 +1027,18 @@
|
|||||||
can optionally be used to override the default mappings which that class defines.
|
can optionally be used to override the default mappings which that class defines.
|
||||||
Each child <literal><port-mapping></literal> element defines a pair of
|
Each child <literal><port-mapping></literal> element defines a pair of
|
||||||
HTTP:HTTPS ports. The default mappings are 80:443 and 8080:8443. An example of
|
HTTP:HTTPS ports. The default mappings are 80:443 and 8080:8443. An example of
|
||||||
overriding these can be found in the <link xlink:href="#ns-requires-channel"
|
overriding these can be found in the <link linkend="ns-requires-channel"
|
||||||
>namespace introduction</link>. </para>
|
>namespace introduction</link>. </para>
|
||||||
<section xml:id="nsa-port-mappings-parents">
|
<section xml:id="nsa-port-mappings-parents">
|
||||||
<title>Parent Elements of <literal><port-mappings></literal></title>
|
<title>Parent Elements of <literal><port-mappings></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-http">http</link></listitem>
|
<listitem><link linkend="nsa-http">http</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-port-mappings-children">
|
<section xml:id="nsa-port-mappings-children">
|
||||||
<title>Child Elements of <literal><port-mappings></literal></title>
|
<title>Child Elements of <literal><port-mappings></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-port-mapping">port-mapping</link></listitem>
|
<listitem><link linkend="nsa-port-mapping">port-mapping</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@ -1048,7 +1048,7 @@
|
|||||||
<section xml:id="nsa-port-mapping-parents">
|
<section xml:id="nsa-port-mapping-parents">
|
||||||
<title>Parent Elements of <literal><port-mapping></literal></title>
|
<title>Parent Elements of <literal><port-mapping></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-port-mappings">port-mappings</link></listitem>
|
<listitem><link linkend="nsa-port-mappings">port-mappings</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-port-mapping-attributes">
|
<section xml:id="nsa-port-mapping-attributes">
|
||||||
@ -1074,7 +1074,7 @@
|
|||||||
<section xml:id="nsa-remember-me-parents">
|
<section xml:id="nsa-remember-me-parents">
|
||||||
<title>Parent Elements of <literal><remember-me></literal></title>
|
<title>Parent Elements of <literal><remember-me></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-http">http</link></listitem>
|
<listitem><link linkend="nsa-http">http</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-remember-me-attributes">
|
<section xml:id="nsa-remember-me-attributes">
|
||||||
@ -1166,7 +1166,7 @@
|
|||||||
<section xml:id="nsa-request-cache-parents">
|
<section xml:id="nsa-request-cache-parents">
|
||||||
<title>Parent Elements of <literal><request-cache></literal></title>
|
<title>Parent Elements of <literal><request-cache></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-http">http</link></listitem>
|
<listitem><link linkend="nsa-http">http</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-request-cache-attributes">
|
<section xml:id="nsa-request-cache-attributes">
|
||||||
@ -1184,7 +1184,7 @@
|
|||||||
<section xml:id="nsa-session-management-parents">
|
<section xml:id="nsa-session-management-parents">
|
||||||
<title>Parent Elements of <literal><session-management></literal></title>
|
<title>Parent Elements of <literal><session-management></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-http">http</link></listitem>
|
<listitem><link linkend="nsa-http">http</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-session-management-attributes">
|
<section xml:id="nsa-session-management-attributes">
|
||||||
@ -1228,7 +1228,7 @@
|
|||||||
<section xml:id="nsa-session-management-children">
|
<section xml:id="nsa-session-management-children">
|
||||||
<title>Child elements of <literal><session-management></literal></title>
|
<title>Child elements of <literal><session-management></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-concurrency-control">concurrency-control</link></listitem>
|
<listitem><link linkend="nsa-concurrency-control">concurrency-control</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
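Review bot: The title in nsa-session-management-children uses "Child elements of" with a lowercase "e", while the other children sections in this patch use "Child Elements of". Minor, but these titles are generated-looking boilerplate and the inconsistency shows in the rendered table of contents.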
@ -1247,7 +1247,7 @@
|
|||||||
<section xml:id="nsa-concurrency-control-parents">
|
<section xml:id="nsa-concurrency-control-parents">
|
||||||
<title>Parent Elements of <literal><concurrency-control></literal></title>
|
<title>Parent Elements of <literal><concurrency-control></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-session-management">session-management</link></listitem>
|
<listitem><link linkend="nsa-session-management">session-management</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-concurrency-control-attributes">
|
<section xml:id="nsa-concurrency-control-attributes">
|
||||||
@ -1301,7 +1301,7 @@
|
|||||||
<section xml:id="nsa-x509-parents">
|
<section xml:id="nsa-x509-parents">
|
||||||
<title>Parent Elements of <literal><x509></literal></title>
|
<title>Parent Elements of <literal><x509></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-http">http</link></listitem>
|
<listitem><link linkend="nsa-http">http</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-x509-attributes">
|
<section xml:id="nsa-x509-attributes">
|
||||||
@ -1333,7 +1333,7 @@
|
|||||||
<section xml:id="nsa-filter-chain-map-path-type">
|
<section xml:id="nsa-filter-chain-map-path-type">
|
||||||
<title><literal>path-type</literal></title>
|
<title><literal>path-type</literal></title>
|
||||||
<para>Superseded by the
|
<para>Superseded by the
|
||||||
<link xlink:href="#nsa-filter-chain-map-request-matcher">request-matcher</link> attribute</para>
|
<link linkend="nsa-filter-chain-map-request-matcher">request-matcher</link> attribute</para>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-filter-chain-map-request-matcher">
|
<section xml:id="nsa-filter-chain-map-request-matcher">
|
||||||
<title><literal>request-matcher</literal></title>
|
<title><literal>request-matcher</literal></title>
|
||||||
@ -1345,7 +1345,7 @@
|
|||||||
<section xml:id="nsa-filter-chain-map-children">
|
<section xml:id="nsa-filter-chain-map-children">
|
||||||
<title>Child Elements of <literal><filter-chain-map></literal></title>
|
<title>Child Elements of <literal><filter-chain-map></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-filter-chain">filter-chain</link></listitem>
|
<listitem><link linkend="nsa-filter-chain">filter-chain</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@ -1357,7 +1357,7 @@
|
|||||||
<section xml:id="nsa-filter-chain-parents">
|
<section xml:id="nsa-filter-chain-parents">
|
||||||
<title>Parent Elements of <literal><filter-chain></literal></title>
|
<title>Parent Elements of <literal><filter-chain></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-filter-chain-map">filter-chain-map</link></listitem>
|
<listitem><link linkend="nsa-filter-chain-map">filter-chain-map</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-filter-chain-attributes">
|
<section xml:id="nsa-filter-chain-attributes">
|
||||||
@ -1372,7 +1372,7 @@
|
|||||||
<section xml:id="nsa-filter-chain-pattern">
|
<section xml:id="nsa-filter-chain-pattern">
|
||||||
<title><literal>pattern</literal></title>
|
<title><literal>pattern</literal></title>
|
||||||
<para>A-pattern that creates RequestMatcher in combination with the
|
<para>A-pattern that creates RequestMatcher in combination with the
|
||||||
<link xlink:href="#nsa-filter-chain-map-request-matcher">request-matcher</link></para>
|
<link linkend="nsa-filter-chain-map-request-matcher">request-matcher</link></para>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-filter-chain-request-matcher-ref">
|
<section xml:id="nsa-filter-chain-request-matcher-ref">
|
||||||
<title><literal>request-matcher-ref</literal></title>
|
<title><literal>request-matcher-ref</literal></title>
|
||||||
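Review bot: In nsa-filter-chain-pattern, the context line above the changed link reads "A-pattern that creates RequestMatcher", where the hyphen looks like a typo for "A pattern". The sentence also ends on the link with no closing period. Both are easy to correct in the same edit.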
@ -1397,7 +1397,7 @@
|
|||||||
<section xml:id="nsa-filter-invocation-definition-source-path-type">
|
<section xml:id="nsa-filter-invocation-definition-source-path-type">
|
||||||
<title><literal>path-type</literal></title>
|
<title><literal>path-type</literal></title>
|
||||||
<para>Superseded by
|
<para>Superseded by
|
||||||
<link xlink:href="#nsa-filter-invocation-definition-source-request-matcher">request-matcher</link></para>
|
<link linkend="nsa-filter-invocation-definition-source-request-matcher">request-matcher</link></para>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-filter-invocation-definition-source-request-matcher">
|
<section xml:id="nsa-filter-invocation-definition-source-request-matcher">
|
||||||
<title><literal>request-matcher</literal></title>
|
<title><literal>request-matcher</literal></title>
|
||||||
@ -1416,7 +1416,7 @@
|
|||||||
<section xml:id="nsa-filter-invocation-definition-source-children">
|
<section xml:id="nsa-filter-invocation-definition-source-children">
|
||||||
<title>Child Elements of <literal><filter-invocation-definition-source></literal></title>
|
<title>Child Elements of <literal><filter-invocation-definition-source></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-intercept-url">intercept-url</link></listitem>
|
<listitem><link linkend="nsa-intercept-url">intercept-url</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@ -1439,7 +1439,7 @@
|
|||||||
<section xml:id="nsa-filter-security-metadata-source-path-type">
|
<section xml:id="nsa-filter-security-metadata-source-path-type">
|
||||||
<title><literal>path-type</literal></title>
|
<title><literal>path-type</literal></title>
|
||||||
<para>Superseded by
|
<para>Superseded by
|
||||||
<link xlink:href="#nsa-filter-security-metadata-source-request-matcher">request-matcher</link>
|
<link linkend="nsa-filter-security-metadata-source-request-matcher">request-matcher</link>
|
||||||
</para>
|
</para>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-filter-security-metadata-source-request-matcher">
|
<section xml:id="nsa-filter-security-metadata-source-request-matcher">
|
||||||
@ -1459,7 +1459,7 @@
|
|||||||
<section xml:id="nsa-filter-security-metadata-source-children">
|
<section xml:id="nsa-filter-security-metadata-source-children">
|
||||||
<title>Child Elements of <literal><filter-security-metadata-source></literal></title>
|
<title>Child Elements of <literal><filter-security-metadata-source></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-intercept-url">intercept-url</link></listitem>
|
<listitem><link linkend="nsa-intercept-url">intercept-url</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@ -1489,7 +1489,7 @@
|
|||||||
<title><literal>alias</literal></title>
|
<title><literal>alias</literal></title>
|
||||||
<para>This attribute allows you to define an alias name for the
|
<para>This attribute allows you to define an alias name for the
|
||||||
internal instance for use in your own configuration. Its use is described in the
|
internal instance for use in your own configuration. Its use is described in the
|
||||||
<link xlink:href="#ns-auth-manager">namespace introduction</link>.</para>
|
<link linkend="ns-auth-manager">namespace introduction</link>.</para>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-authentication-manager-erase-credentials">
|
<section xml:id="nsa-authentication-manager-erase-credentials">
|
||||||
<title><literal>erase-credentials</literal></title>
|
<title><literal>erase-credentials</literal></title>
|
||||||
@ -1497,7 +1497,7 @@
|
|||||||
returned Authentication object, once the user has been authenticated. Literally it maps to
|
returned Authentication object, once the user has been authenticated. Literally it maps to
|
||||||
the <literal>eraseCredentialsAfterAuthentication</literal> property of the
|
the <literal>eraseCredentialsAfterAuthentication</literal> property of the
|
||||||
<classname>ProviderManager</classname>. This is discussed in the <link
|
<classname>ProviderManager</classname>. This is discussed in the <link
|
||||||
xlink:href="#core-services-erasing-credentials">Core Services</link> chapter.</para>
|
linkend="core-services-erasing-credentials">Core Services</link> chapter.</para>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-authentication-manager-id">
|
<section xml:id="nsa-authentication-manager-id">
|
||||||
<title><literal>id</literal></title>
|
<title><literal>id</literal></title>
|
||||||
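Review bot: in the `erase-credentials` paragraph the `<link` start tag is still wrapped, so `linkend="core-services-erasing-credentials"` sits alone on the line after `<link`. Putting the attribute on the same line as `<link` would let a line-based search for leftover `<link xlink:href="#` internal references catch wrapped cases like this one in future.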
@ -1509,15 +1509,15 @@
|
|||||||
<section xml:id="nsa-authentication-manager-children">
|
<section xml:id="nsa-authentication-manager-children">
|
||||||
<title>Child Elements of <literal><authentication-manager></literal></title>
|
<title>Child Elements of <literal><authentication-manager></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-authentication-provider">authentication-provider</link></listitem>
|
<listitem><link linkend="nsa-authentication-provider">authentication-provider</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-ldap-authentication-provider">ldap-authentication-provider</link></listitem>
|
<listitem><link linkend="nsa-ldap-authentication-provider">ldap-authentication-provider</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-authentication-provider">
|
<section xml:id="nsa-authentication-provider">
|
||||||
<title><literal><authentication-provider></literal></title>
|
<title><literal><authentication-provider></literal></title>
|
||||||
<para> Unless used with a <literal>ref</literal> attribute, this element is
|
<para> Unless used with a <literal>ref</literal> attribute, this element is
|
||||||
shorthand for configuring a <link xlink:href="#core-services-dao-provider"
|
shorthand for configuring a <link linkend="core-services-dao-provider"
|
||||||
><classname>DaoAuthenticationProvider</classname></link>.
|
><classname>DaoAuthenticationProvider</classname></link>.
|
||||||
<classname>DaoAuthenticationProvider</classname> loads user information from a
|
<classname>DaoAuthenticationProvider</classname> loads user information from a
|
||||||
<interfacename>UserDetailsService</interfacename> and compares the
|
<interfacename>UserDetailsService</interfacename> and compares the
|
||||||
@ -1526,12 +1526,12 @@
|
|||||||
by using an available namespace element (<literal>jdbc-user-service</literal> or
|
by using an available namespace element (<literal>jdbc-user-service</literal> or
|
||||||
by using the <literal>user-service-ref</literal> attribute to point to a bean
|
by using the <literal>user-service-ref</literal> attribute to point to a bean
|
||||||
defined elsewhere in the application context). You can find examples of these
|
defined elsewhere in the application context). You can find examples of these
|
||||||
variations in the <link xlink:href="#ns-auth-providers">namespace
|
variations in the <link linkend="ns-auth-providers">namespace
|
||||||
introduction</link>. </para>
|
introduction</link>. </para>
|
||||||
<section xml:id="nsa-authentication-provider-parents">
|
<section xml:id="nsa-authentication-provider-parents">
|
||||||
<title>Parent Elements of <literal><authentication-provider></literal></title>
|
<title>Parent Elements of <literal><authentication-provider></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-authentication-manager">authentication-manager</link></listitem>
|
<listitem><link linkend="nsa-authentication-manager">authentication-manager</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-authentication-provider-attributes">
|
<section xml:id="nsa-authentication-provider-attributes">
|
||||||
@ -1560,10 +1560,10 @@
|
|||||||
<section xml:id="nsa-authentication-provider-children">
|
<section xml:id="nsa-authentication-provider-children">
|
||||||
<title>Child Elements of <literal><authentication-provider></literal></title>
|
<title>Child Elements of <literal><authentication-provider></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-jdbc-user-service">jdbc-user-service</link></listitem>
|
<listitem><link linkend="nsa-jdbc-user-service">jdbc-user-service</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-ldap-user-service">ldap-user-service</link></listitem>
|
<listitem><link linkend="nsa-ldap-user-service">ldap-user-service</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-password-encoder">password-encoder</link></listitem>
|
<listitem><link linkend="nsa-password-encoder">password-encoder</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-user-service">user-service</link></listitem>
|
<listitem><link linkend="nsa-user-service">user-service</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@ -1617,7 +1617,7 @@ where
|
|||||||
<section xml:id="nsa-password-encoder">
|
<section xml:id="nsa-password-encoder">
|
||||||
<title><literal><password-encoder></literal></title>
|
<title><literal><password-encoder></literal></title>
|
||||||
<para>Authentication providers can optionally be configured to use a password
|
<para>Authentication providers can optionally be configured to use a password
|
||||||
encoder as described in the <link xlink:href="#ns-password-encoder"
|
encoder as described in the <link linkend="ns-password-encoder"
|
||||||
>namespace introduction</link>. This will result in the bean being injected
|
>namespace introduction</link>. This will result in the bean being injected
|
||||||
with the appropriate <interfacename>PasswordEncoder</interfacename>
|
with the appropriate <interfacename>PasswordEncoder</interfacename>
|
||||||
instance, potentially with an accompanying
|
instance, potentially with an accompanying
|
||||||
@ -1626,8 +1626,8 @@ where
|
|||||||
<section xml:id="nsa-password-encoder-parents">
|
<section xml:id="nsa-password-encoder-parents">
|
||||||
<title>Parent Elements of <literal><password-encoder></literal></title>
|
<title>Parent Elements of <literal><password-encoder></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-authentication-provider">authentication-provider</link></listitem>
|
<listitem><link linkend="nsa-authentication-provider">authentication-provider</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-password-compare">password-compare</link></listitem>
|
<listitem><link linkend="nsa-password-compare">password-compare</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-password-encoder-attributes">
|
<section xml:id="nsa-password-encoder-attributes">
|
||||||
@ -1650,7 +1650,7 @@ where
|
|||||||
<section xml:id="nsa-password-encoder-children">
|
<section xml:id="nsa-password-encoder-children">
|
||||||
<title>Child Elements of <literal><password-encoder></literal></title>
|
<title>Child Elements of <literal><password-encoder></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-salt-source">salt-source</link></listitem>
|
<listitem><link linkend="nsa-salt-source">salt-source</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@ -1661,7 +1661,7 @@ where
|
|||||||
<section xml:id="nsa-salt-source-parents">
|
<section xml:id="nsa-salt-source-parents">
|
||||||
<title>Parent Elements of <literal><salt-source></literal></title>
|
<title>Parent Elements of <literal><salt-source></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-password-encoder">password-encoder</link></listitem>
|
<listitem><link linkend="nsa-password-encoder">password-encoder</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-salt-source-attributes">
|
<section xml:id="nsa-salt-source-attributes">
|
||||||
@ -1701,7 +1701,7 @@ where
|
|||||||
<section xml:id="nsa-user-service-children">
|
<section xml:id="nsa-user-service-children">
|
||||||
<title>Child Elements of <literal><user-service></literal></title>
|
<title>Child Elements of <literal><user-service></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-user">user</link></listitem>
|
<listitem><link linkend="nsa-user">user</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@ -1711,7 +1711,7 @@ where
|
|||||||
<section xml:id="nsa-user-parents">
|
<section xml:id="nsa-user-parents">
|
||||||
<title>Parent Elements of <literal><user></literal></title>
|
<title>Parent Elements of <literal><user></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-user-service">user-service</link></listitem>
|
<listitem><link linkend="nsa-user-service">user-service</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-user-attributes">
|
<section xml:id="nsa-user-attributes">
|
||||||
@ -1820,10 +1820,10 @@ where
|
|||||||
<section xml:id="nsa-global-method-security-children">
|
<section xml:id="nsa-global-method-security-children">
|
||||||
<title>Child Elements of <literal><global-method-security></literal></title>
|
<title>Child Elements of <literal><global-method-security></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-after-invocation-provider">after-invocation-provider</link></listitem>
|
<listitem><link linkend="nsa-after-invocation-provider">after-invocation-provider</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-expression-handler">expression-handler</link></listitem>
|
<listitem><link linkend="nsa-expression-handler">expression-handler</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-pre-post-annotation-handling">pre-post-annotation-handling</link></listitem>
|
<listitem><link linkend="nsa-pre-post-annotation-handling">pre-post-annotation-handling</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-protect-pointcut">protect-pointcut</link></listitem>
|
<listitem><link linkend="nsa-protect-pointcut">protect-pointcut</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@ -1840,7 +1840,7 @@ where
|
|||||||
<section xml:id="nsa-after-invocation-provider-parents">
|
<section xml:id="nsa-after-invocation-provider-parents">
|
||||||
<title>Parent Elements of <literal><after-invocation-provider></literal></title>
|
<title>Parent Elements of <literal><after-invocation-provider></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-global-method-security">global-method-security</link></listitem>
|
<listitem><link linkend="nsa-global-method-security">global-method-security</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-after-invocation-provider-attributes">
|
<section xml:id="nsa-after-invocation-provider-attributes">
|
||||||
@ -1860,15 +1860,15 @@ where
|
|||||||
<section xml:id="nsa-pre-post-annotation-handling-parents">
|
<section xml:id="nsa-pre-post-annotation-handling-parents">
|
||||||
<title>Parent Elements of <literal><pre-post-annotation-handling></literal></title>
|
<title>Parent Elements of <literal><pre-post-annotation-handling></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-global-method-security">global-method-security</link></listitem>
|
<listitem><link linkend="nsa-global-method-security">global-method-security</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-pre-post-annotation-handling-children">
|
<section xml:id="nsa-pre-post-annotation-handling-children">
|
||||||
<title>Child Elements of <literal><pre-post-annotation-handling></literal></title>
|
<title>Child Elements of <literal><pre-post-annotation-handling></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-invocation-attribute-factory">invocation-attribute-factory</link></listitem>
|
<listitem><link linkend="nsa-invocation-attribute-factory">invocation-attribute-factory</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-post-invocation-advice">post-invocation-advice</link></listitem>
|
<listitem><link linkend="nsa-post-invocation-advice">post-invocation-advice</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-pre-invocation-advice">pre-invocation-advice</link></listitem>
|
<listitem><link linkend="nsa-pre-invocation-advice">pre-invocation-advice</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@ -1879,7 +1879,7 @@ where
|
|||||||
<section xml:id="nsa-invocation-attribute-factory-parents">
|
<section xml:id="nsa-invocation-attribute-factory-parents">
|
||||||
<title>Parent Elements of <literal><invocation-attribute-factory></literal></title>
|
<title>Parent Elements of <literal><invocation-attribute-factory></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-pre-post-annotation-handling">pre-post-annotation-handling</link></listitem>
|
<listitem><link linkend="nsa-pre-post-annotation-handling">pre-post-annotation-handling</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-invocation-attribute-factory-attributes">
|
<section xml:id="nsa-invocation-attribute-factory-attributes">
|
||||||
@ -1898,7 +1898,7 @@ where
|
|||||||
<section xml:id="nsa-post-invocation-advice-parents">
|
<section xml:id="nsa-post-invocation-advice-parents">
|
||||||
<title>Parent Elements of <literal><post-invocation-advice></literal></title>
|
<title>Parent Elements of <literal><post-invocation-advice></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-pre-post-annotation-handling">pre-post-annotation-handling</link></listitem>
|
<listitem><link linkend="nsa-pre-post-annotation-handling">pre-post-annotation-handling</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-post-invocation-advice-attributes">
|
<section xml:id="nsa-post-invocation-advice-attributes">
|
||||||
@ -1917,7 +1917,7 @@ where
|
|||||||
<section xml:id="nsa-pre-invocation-advice-parents">
|
<section xml:id="nsa-pre-invocation-advice-parents">
|
||||||
<title>Parent Elements of <literal><pre-invocation-advice></literal></title>
|
<title>Parent Elements of <literal><pre-invocation-advice></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-pre-post-annotation-handling">pre-post-annotation-handling</link></listitem>
|
<listitem><link linkend="nsa-pre-post-annotation-handling">pre-post-annotation-handling</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-pre-invocation-advice-attributes">
|
<section xml:id="nsa-pre-invocation-advice-attributes">
|
||||||
@ -1935,11 +1935,11 @@ where
|
|||||||
cross-cutting security constraints across whole sets of methods and interfaces
|
cross-cutting security constraints across whole sets of methods and interfaces
|
||||||
in your service layer using the <literal><protect-pointcut></literal>
|
in your service layer using the <literal><protect-pointcut></literal>
|
||||||
element. You can find an example in the <link
|
element. You can find an example in the <link
|
||||||
xlink:href="#ns-protect-pointcut">namespace introduction</link>.</para>
|
linkend="ns-protect-pointcut">namespace introduction</link>.</para>
|
||||||
<section xml:id="nsa-protect-pointcut-parents">
|
<section xml:id="nsa-protect-pointcut-parents">
|
||||||
<title>Parent Elements of <literal><protect-pointcut></literal></title>
|
<title>Parent Elements of <literal><protect-pointcut></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-global-method-security">global-method-security</link></listitem>
|
<listitem><link linkend="nsa-global-method-security">global-method-security</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-protect-pointcut-attributes">
|
<section xml:id="nsa-protect-pointcut-attributes">
|
||||||
@ -1970,7 +1970,7 @@ where
|
|||||||
<section xml:id="nsa-intercept-methods-children">
|
<section xml:id="nsa-intercept-methods-children">
|
||||||
<title>Child Elements of <literal><intercept-methods></literal></title>
|
<title>Child Elements of <literal><intercept-methods></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-protect">protect</link></listitem>
|
<listitem><link linkend="nsa-protect">protect</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@ -1994,7 +1994,7 @@ where
|
|||||||
<section xml:id="nsa-method-security-metadata-source-children">
|
<section xml:id="nsa-method-security-metadata-source-children">
|
||||||
<title>Child Elements of <literal><method-security-metadata-source></literal></title>
|
<title>Child Elements of <literal><method-security-metadata-source></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-protect">protect</link></listitem>
|
<listitem><link linkend="nsa-protect">protect</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@ -2005,8 +2005,8 @@ where
|
|||||||
<section xml:id="nsa-protect-parents">
|
<section xml:id="nsa-protect-parents">
|
||||||
<title>Parent Elements of <literal><protect></literal></title>
|
<title>Parent Elements of <literal><protect></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-intercept-methods">intercept-methods</link></listitem>
|
<listitem><link linkend="nsa-intercept-methods">intercept-methods</link></listitem>
|
||||||
<listitem><link xlink:href="#nsa-method-security-metadata-source">method-security-metadata-source</link></listitem>
|
<listitem><link linkend="nsa-method-security-metadata-source">method-security-metadata-source</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-protect-attributes">
|
<section xml:id="nsa-protect-attributes">
|
||||||
@ -2024,7 +2024,7 @@ where
|
|||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-ldap">
|
<section xml:id="nsa-ldap">
|
||||||
<title>LDAP Namespace Options</title>
|
<title>LDAP Namespace Options</title>
|
||||||
<para> LDAP is covered in some details in <link xlink:href="#ldap">its own
|
<para> LDAP is covered in some details in <link linkend="ldap">its own
|
||||||
chapter</link>. We will expand on that here with some explanation of how the
|
chapter</link>. We will expand on that here with some explanation of how the
|
||||||
namespace options map to Spring beans. The LDAP implementation uses Spring LDAP
|
namespace options map to Spring beans. The LDAP implementation uses Spring LDAP
|
||||||
extensively, so some familiarity with that project's API may be useful. </para>
|
extensively, so some familiarity with that project's API may be useful. </para>
|
||||||
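Review bot: the changed line `<para> LDAP is covered in some details in <link linkend="ldap">` keeps the phrase "in some details", which should read "in some detail". The line is already being modified, so the wording could be corrected in the same commit.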
@ -2036,7 +2036,7 @@ where
|
|||||||
defining the location of the LDAP server and other information (such as a
|
defining the location of the LDAP server and other information (such as a
|
||||||
username and password, if it doesn't allow anonymous access) for connecting to
|
username and password, if it doesn't allow anonymous access) for connecting to
|
||||||
it. It can also be used to create an embedded server for testing. Details of the
|
it. It can also be used to create an embedded server for testing. Details of the
|
||||||
syntax for both options are covered in the <link xlink:href="#ldap-server">LDAP
|
syntax for both options are covered in the <link linkend="ldap-server">LDAP
|
||||||
chapter</link>. The actual <interfacename>ContextSource</interfacename>
|
chapter</link>. The actual <interfacename>ContextSource</interfacename>
|
||||||
implementation is <classname>DefaultSpringSecurityContextSource</classname>
|
implementation is <classname>DefaultSpringSecurityContextSource</classname>
|
||||||
which extends Spring LDAP's <classname>LdapContextSource</classname> class. The
|
which extends Spring LDAP's <classname>LdapContextSource</classname> class. The
|
||||||
@ -2097,7 +2097,7 @@ where
|
|||||||
<section xml:id="nsa-ldap-authentication-provider-parents">
|
<section xml:id="nsa-ldap-authentication-provider-parents">
|
||||||
<title>Parent Elements of <literal><ldap-authentication-provider></literal></title>
|
<title>Parent Elements of <literal><ldap-authentication-provider></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-authentication-manager">authentication-manager</link></listitem>
|
<listitem><link linkend="nsa-authentication-manager">authentication-manager</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-ldap-authentication-provider-attributes">
|
<section xml:id="nsa-ldap-authentication-provider-attributes">
|
||||||
@ -2185,7 +2185,7 @@ where
|
|||||||
<section xml:id="nsa-ldap-authentication-provider-children">
|
<section xml:id="nsa-ldap-authentication-provider-children">
|
||||||
<title>Child Elements of <literal><ldap-authentication-provider></literal></title>
|
<title>Child Elements of <literal><ldap-authentication-provider></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-password-compare">password-compare</link></listitem>
|
<listitem><link linkend="nsa-password-compare">password-compare</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@ -2198,7 +2198,7 @@ where
|
|||||||
<section xml:id="nsa-password-compare-parents">
|
<section xml:id="nsa-password-compare-parents">
|
||||||
<title>Parent Elements of <literal><password-compare></literal></title>
|
<title>Parent Elements of <literal><password-compare></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-ldap-authentication-provider">ldap-authentication-provider</link></listitem>
|
<listitem><link linkend="nsa-ldap-authentication-provider">ldap-authentication-provider</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="nsa-password-compare-attributes">
|
<section xml:id="nsa-password-compare-attributes">
|
||||||
@ -2217,7 +2217,7 @@ where
|
|||||||
<section xml:id="nsa-password-compare-children">
|
<section xml:id="nsa-password-compare-children">
|
||||||
<title>Child Elements of <literal><password-compare></literal></title>
|
<title>Child Elements of <literal><password-compare></literal></title>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem><link xlink:href="#nsa-password-encoder">password-encoder</link></listitem>
|
<listitem><link linkend="nsa-password-encoder">password-encoder</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
|
@ -7,7 +7,7 @@
|
|||||||
<info>
|
<info>
|
||||||
<title>Authorities</title>
|
<title>Authorities</title>
|
||||||
</info>
|
</info>
|
||||||
<para>As we saw in the <link xlink:href="#tech-granted-authority">technical overview</link>,
|
<para>As we saw in the <link linkend="tech-granted-authority">technical overview</link>,
|
||||||
all <interfacename>Authentication</interfacename> implementations store a list of
|
all <interfacename>Authentication</interfacename> implementations store a list of
|
||||||
<interfacename>GrantedAuthority</interfacename> objects. These represent the authorities
|
<interfacename>GrantedAuthority</interfacename> objects. These represent the authorities
|
||||||
that have been granted to the principal. The
|
that have been granted to the principal. The
|
||||||
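Review bot: `linkend` is an IDREF, so unlike the old `xlink:href="#tech-granted-authority"` fragment, the target on the changed `<para>` line must resolve to an `xml:id` in the assembled document or validation fails. The id `tech-granted-authority` is not defined anywhere in this hunk, so it is worth confirming that the reference build validates once the chapters are included together, and that the same holds for the other cross-chapter targets changed in this commit, such as `secure-objects` and `ldap`.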
@ -51,7 +51,7 @@
|
|||||||
<info>
|
<info>
|
||||||
<title>Pre-Invocation Handling</title>
|
<title>Pre-Invocation Handling</title>
|
||||||
</info>
|
</info>
|
||||||
<para> As we've also seen in the <link xlink:href="#secure-objects">Technical
|
<para> As we've also seen in the <link linkend="secure-objects">Technical
|
||||||
Overview</link> chapter, Spring Security provides interceptors which control access to
|
Overview</link> chapter, Spring Security provides interceptors which control access to
|
||||||
secure objects such as method invocations or web requests. A pre-invocation decision on
|
secure objects such as method invocations or web requests. A pre-invocation decision on
|
||||||
whether the invocation is allowed to proceed is made by the
|
whether the invocation is allowed to proceed is made by the
|
||||||
@ -307,7 +307,7 @@ boolean supports(Class clazz);
|
|||||||
</para>
|
</para>
|
||||||
<para>
|
<para>
|
||||||
The use of a role-hierarchy allows you to configure which roles (or authorities) should include others.
|
The use of a role-hierarchy allows you to configure which roles (or authorities) should include others.
|
||||||
An extended version of Spring Security's <link xlink:href="#authz-role-voter"><classname>RoleVoter</classname></link>,
|
An extended version of Spring Security's <link linkend="authz-role-voter"><classname>RoleVoter</classname></link>,
|
||||||
<classname>RoleHierarchyVoter</classname>, is configured with a <interfacename>RoleHierarchy</interfacename>,
|
<classname>RoleHierarchyVoter</classname>, is configured with a <interfacename>RoleHierarchy</interfacename>,
|
||||||
from which it obtains all the <quote>reachable authorities</quote> which the user is assigned.
|
from which it obtains all the <quote>reachable authorities</quote> which the user is assigned.
|
||||||
A typical configuration might look like this:
|
A typical configuration might look like this:
|
||||||
|
@ -196,7 +196,7 @@
|
|||||||
<listitem>
|
<listitem>
|
||||||
<para>The user's browser is redirected to the original page that
|
<para>The user's browser is redirected to the original page that
|
||||||
caused the <classname>AuthenticationException</classname> (or a
|
caused the <classname>AuthenticationException</classname> (or a
|
||||||
<link xlink:href="#form-login-flow-handling">custom destination</link> depending on
|
<link linkend="form-login-flow-handling">custom destination</link> depending on
|
||||||
the configuration).</para>
|
the configuration).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
@ -213,7 +213,7 @@
|
|||||||
already know the basics of using Spring Security, so these are not covered again below.
|
already know the basics of using Spring Security, so these are not covered again below.
|
||||||
We'll assume a namespace based configuration is being used and add in the CAS beans as
|
We'll assume a namespace based configuration is being used and add in the CAS beans as
|
||||||
required. Each section builds upon the previous section. A full
|
required. Each section builds upon the previous section. A full
|
||||||
<link xlink:href="#cas-sample">CAS sample application</link> can be found in the Spring
|
<link linkend="cas-sample">CAS sample application</link> can be found in the Spring
|
||||||
Security Samples.</para>
|
Security Samples.</para>
|
||||||
<section xml:id="cas-st">
|
<section xml:id="cas-st">
|
||||||
<info>
|
<info>
|
||||||
@ -259,7 +259,7 @@
|
|||||||
<para>For CAS to operate, the <classname>ExceptionTranslationFilter</classname> must have
|
<para>For CAS to operate, the <classname>ExceptionTranslationFilter</classname> must have
|
||||||
its <literal>authenticationEntryPoint</literal> property set to the
|
its <literal>authenticationEntryPoint</literal> property set to the
|
||||||
<classname>CasAuthenticationEntryPoint</classname> bean. This can easily be done using
|
<classname>CasAuthenticationEntryPoint</classname> bean. This can easily be done using
|
||||||
<link xlink:href="#ns-entry-point-ref"><literal>entry-point-ref</literal></link> as is
|
<link linkend="ns-entry-point-ref"><literal>entry-point-ref</literal></link> as is
|
||||||
done in the example above. The <classname>CasAuthenticationEntryPoint</classname> must refer to the
|
done in the example above. The <classname>CasAuthenticationEntryPoint</classname> must refer to the
|
||||||
<classname>ServiceProperties</classname> bean (discussed above), which provides the URL
|
<classname>ServiceProperties</classname> bean (discussed above), which provides the URL
|
||||||
to the enterprise's CAS login server. This is where the user's browser will be
|
to the enterprise's CAS login server. This is where the user's browser will be
|
||||||
@ -300,7 +300,7 @@
|
|||||||
here. Note that the <classname>CasAuthenticationProvider</classname> does not actually use
|
here. Note that the <classname>CasAuthenticationProvider</classname> does not actually use
|
||||||
the password for authentication, but it does use the authorities.</para>
|
the password for authentication, but it does use the authorities.</para>
|
||||||
<para>The beans are all reasonably self-explanatory if you refer back to the
|
<para>The beans are all reasonably self-explanatory if you refer back to the
|
||||||
<link xlink:href="#cas-how-it-works">How CAS Works</link> section.</para>
|
<link linkend="cas-how-it-works">How CAS Works</link> section.</para>
|
||||||
<para>This completes the most basic configuration for CAS. If you haven't made any
|
<para>This completes the most basic configuration for CAS. If you haven't made any
|
||||||
mistakes, your web application should happily work within the
|
mistakes, your web application should happily work within the
|
||||||
framework of CAS single sign on. No other parts of Spring Security
|
framework of CAS single sign on. No other parts of Spring Security
|
||||||
@ -448,7 +448,7 @@
|
|||||||
<title>Calling a Stateless Service Using a Proxy Ticket</title>
|
<title>Calling a Stateless Service Using a Proxy Ticket</title>
|
||||||
</info>
|
</info>
|
||||||
<para>Now that Spring Security obtains PGTs, you can use them to create proxy tickets which can be used to authenticate
|
<para>Now that Spring Security obtains PGTs, you can use them to create proxy tickets which can be used to authenticate
|
||||||
to a stateless service. The <link xlink:href="#cas-sample">CAS sample application</link> contains a working example in
|
to a stateless service. The <link linkend="cas-sample">CAS sample application</link> contains a working example in
|
||||||
the <classname>ProxyTicketSampleServlet</classname>. Example code can be found below:
|
the <classname>ProxyTicketSampleServlet</classname>. Example code can be found below:
|
||||||
<programlisting language="xml"><![CDATA[
|
<programlisting language="xml"><![CDATA[
|
||||||
protected void doGet(HttpServletRequest request, HttpServletResponse response)
|
protected void doGet(HttpServletRequest request, HttpServletResponse response)
|
||||||
|
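Review bot: The context line `<programlisting language="xml">` right after the changed link opens a listing whose first line is a Java method (`protected void doGet(HttpServletRequest request, HttpServletResponse response)`), so the language attribute does not match the content. Since this paragraph is being touched anyway, consider changing it to `language="java"` here or in a follow-up.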
@ -32,7 +32,7 @@
|
|||||||
<info>
|
<info>
|
||||||
<title>Configuration</title>
|
<title>Configuration</title>
|
||||||
</info>
|
</info>
|
||||||
<para>Channel security is supported by the <link xlink:href="#ns-requires-channel">security
|
<para>Channel security is supported by the <link linkend="ns-requires-channel">security
|
||||||
namespace</link> by means of the <literal>requires-channel</literal> attribute on the
|
namespace</link> by means of the <literal>requires-channel</literal> attribute on the
|
||||||
<literal><intercept-url></literal> element and this is the simplest (and
|
<literal><intercept-url></literal> element and this is the simplest (and
|
||||||
recommended approach).</para>
|
recommended approach).</para>
|
||||||
|
@ -8,7 +8,7 @@
|
|||||||
<section xml:id="filter-security-interceptor">
|
<section xml:id="filter-security-interceptor">
|
||||||
<title><classname>FilterSecurityInterceptor</classname></title>
|
<title><classname>FilterSecurityInterceptor</classname></title>
|
||||||
<para>We've already seen <classname>FilterSecurityInterceptor</classname> briefly when
|
<para>We've already seen <classname>FilterSecurityInterceptor</classname> briefly when
|
||||||
discussing <link xlink:href="#tech-intro-access-control">access-control in
|
discussing <link linkend="tech-intro-access-control">access-control in
|
||||||
general</link>, and we've already used it with the namespace where the
|
general</link>, and we've already used it with the namespace where the
|
||||||
<literal><intercept-url></literal> elements are combined to configure it internally.
|
<literal><intercept-url></literal> elements are combined to configure it internally.
|
||||||
Now we'll see how to explicitly configure it for use with a
|
Now we'll see how to explicitly configure it for use with a
|
||||||
@ -31,7 +31,7 @@
|
|||||||
<interfacename>AuthenticationManager</interfacename> and an
|
<interfacename>AuthenticationManager</interfacename> and an
|
||||||
<interfacename>AccessDecisionManager</interfacename>. It is also supplied with
|
<interfacename>AccessDecisionManager</interfacename>. It is also supplied with
|
||||||
configuration attributes that apply to different HTTP URL requests. Refer back to <link
|
configuration attributes that apply to different HTTP URL requests. Refer back to <link
|
||||||
xlink:href="#tech-intro-config-attributes">the original discussion on these</link> in
|
linkend="tech-intro-config-attributes">the original discussion on these</link> in
|
||||||
the technical introduction.</para>
|
the technical introduction.</para>
|
||||||
<para>The <classname>FilterSecurityInterceptor</classname> can be configured with
|
<para>The <classname>FilterSecurityInterceptor</classname> can be configured with
|
||||||
configuration attributes in two ways. The first, which is shown above, is using the
|
configuration attributes in two ways. The first, which is shown above, is using the
|
||||||
@ -165,7 +165,7 @@
|
|||||||
can implement the interface yourself and use your own implementation. </para>
|
can implement the interface yourself and use your own implementation. </para>
|
||||||
<para>It's also possible to supply a custom
|
<para>It's also possible to supply a custom
|
||||||
<interfacename>AccessDeniedHandler</interfacename> when you're using the namespace
|
<interfacename>AccessDeniedHandler</interfacename> when you're using the namespace
|
||||||
to configure your application. See <link xlink:href="#nsa-access-denied-handler">the
|
to configure your application. See <link linkend="nsa-access-denied-handler">the
|
||||||
namespace appendix</link> for more details.</para>
|
namespace appendix</link> for more details.</para>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="request-caching">
|
<section xml:id="request-caching">
|
||||||
@ -173,10 +173,10 @@
|
|||||||
<para>Another of <classname>ExceptionTranslationFilter</classname>'s responsibilities is
|
<para>Another of <classname>ExceptionTranslationFilter</classname>'s responsibilities is
|
||||||
to save the current request before invoking the <interfacename>AuthenticationEntryPoint</interfacename>.
|
to save the current request before invoking the <interfacename>AuthenticationEntryPoint</interfacename>.
|
||||||
This allows the request to be restored after the use has authenticated (see previous overview
|
This allows the request to be restored after the use has authenticated (see previous overview
|
||||||
of <link xlink:href="#tech-intro-web-authentication">web authentication</link>).
|
of <link linkend="tech-intro-web-authentication">web authentication</link>).
|
||||||
A typical example would be where the user logs in with a form, and is then redirected to the
|
A typical example would be where the user logs in with a form, and is then redirected to the
|
||||||
original URL by the default <classname>SavedRequestAwareAuthenticationSuccessHandler</classname>
|
original URL by the default <classname>SavedRequestAwareAuthenticationSuccessHandler</classname>
|
||||||
(see <link xlink:href="#form-login-flow-handling">below</link>).
|
(see <link linkend="form-login-flow-handling">below</link>).
|
||||||
</para>
|
</para>
|
||||||
<para>The <interfacename>RequestCache</interfacename> encapsulates the functionality required for storing
|
<para>The <interfacename>RequestCache</interfacename> encapsulates the functionality required for storing
|
||||||
and retrieving <interfacename>HttpServletRequest</interfacename> instances. By default
|
and retrieving <interfacename>HttpServletRequest</interfacename> instances. By default
|
||||||
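Review bot: Typo in the context line directly above the first changed link: "after the use has authenticated" should read "after the user has authenticated". Both link changes in this hunk look fine; the typo can be fixed in the same pass since the sentence is already being edited.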
@ -196,7 +196,7 @@
|
|||||||
<section xml:id="security-context-persistence-filter">
|
<section xml:id="security-context-persistence-filter">
|
||||||
<title><classname>SecurityContextPersistenceFilter</classname></title>
|
<title><classname>SecurityContextPersistenceFilter</classname></title>
|
||||||
<para> We covered the purpose of this all-important filter in the <link
|
<para> We covered the purpose of this all-important filter in the <link
|
||||||
xlink:href="#tech-intro-sec-context-persistence">Technical Overview</link> chapter so
|
linkend="tech-intro-sec-context-persistence">Technical Overview</link> chapter so
|
||||||
you might want to re-read that section at this point. Let's first take a look at how you
|
you might want to re-read that section at this point. Let's first take a look at how you
|
||||||
would configure it for use with a <classname>FilterChainProxy</classname>. A basic
|
would configure it for use with a <classname>FilterChainProxy</classname>. A basic
|
||||||
configuration only requires the bean itself <programlisting language="xml"><![CDATA[
|
configuration only requires the bean itself <programlisting language="xml"><![CDATA[
|
||||||
|
@ -34,7 +34,7 @@
|
|||||||
successful authentication and stored in the <classname>SecurityContext</classname>. </para>
|
successful authentication and stored in the <classname>SecurityContext</classname>. </para>
|
||||||
<para> If you are using the namespace, an instance of <classname>ProviderManager</classname>
|
<para> If you are using the namespace, an instance of <classname>ProviderManager</classname>
|
||||||
is created and maintained internally, and you add providers to it by using the namespace
|
is created and maintained internally, and you add providers to it by using the namespace
|
||||||
authentication provider elements (see <link xlink:href="#ns-auth-manager">the namespace
|
authentication provider elements (see <link linkend="ns-auth-manager">the namespace
|
||||||
chapter</link>). In this case, you should not declare a
|
chapter</link>). In this case, you should not declare a
|
||||||
<classname>ProviderManager</classname> bean in your application context. However, if you
|
<classname>ProviderManager</classname> bean in your application context. However, if you
|
||||||
are not using the namespace then you would declare it like so: <programlisting language="xml"><![CDATA[
|
are not using the namespace then you would declare it like so: <programlisting language="xml"><![CDATA[
|
||||||
@ -111,7 +111,7 @@
|
|||||||
<interfacename>PasswordEncoder</interfacename> provides encoding and decoding of
|
<interfacename>PasswordEncoder</interfacename> provides encoding and decoding of
|
||||||
passwords presented in the <interfacename>UserDetails</interfacename> object that is
|
passwords presented in the <interfacename>UserDetails</interfacename> object that is
|
||||||
returned from the configured <interfacename>UserDetailsService</interfacename>. This
|
returned from the configured <interfacename>UserDetailsService</interfacename>. This
|
||||||
will be discussed in more detail <link xlink:href="#core-services-password-encoding"
|
will be discussed in more detail <link linkend="core-services-password-encoding"
|
||||||
>below</link>. </para>
|
>below</link>. </para>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@ -149,7 +149,7 @@
|
|||||||
Security, when you don't really want to spend time configuring databases or writing
|
Security, when you don't really want to spend time configuring databases or writing
|
||||||
<interfacename>UserDetailsService</interfacename> implementations. For this sort of
|
<interfacename>UserDetailsService</interfacename> implementations. For this sort of
|
||||||
situation, a simple option is to use the <literal>user-service</literal> element
|
situation, a simple option is to use the <literal>user-service</literal> element
|
||||||
from the security <link xlink:href="#ns-minimal">namespace</link>: <programlisting language="xml"><![CDATA[
|
from the security <link linkend="ns-minimal">namespace</link>: <programlisting language="xml"><![CDATA[
|
||||||
<user-service id="userDetailsService">
|
<user-service id="userDetailsService">
|
||||||
<user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
|
<user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
|
||||||
<user name="bob" password="bobspassword" authorities="ROLE_USER" />
|
<user name="bob" password="bobspassword" authorities="ROLE_USER" />
|
||||||
@ -196,7 +196,7 @@
|
|||||||
<title>Authority Groups</title>
|
<title>Authority Groups</title>
|
||||||
<para>By default, <classname>JdbcDaoImpl</classname> loads the authorities for a
|
<para>By default, <classname>JdbcDaoImpl</classname> loads the authorities for a
|
||||||
single user with the assumption that the authorities are mapped directly to
|
single user with the assumption that the authorities are mapped directly to
|
||||||
users (see the <link xlink:href="#appendix-schema">database schema
|
users (see the <link linkend="appendix-schema">database schema
|
||||||
appendix</link>). An alternative approach is to partition the authorities into
|
appendix</link>). An alternative approach is to partition the authorities into
|
||||||
groups and assign groups to the user. Some people prefer this approach as a
|
groups and assign groups to the user. Some people prefer this approach as a
|
||||||
means of administering user rights. See the <classname>JdbcDaoImpl</classname>
|
means of administering user rights. See the <classname>JdbcDaoImpl</classname>
|
||||||
@ -217,7 +217,7 @@
|
|||||||
</section>
|
</section>
|
||||||
<section xml:id="core-services-password-encoding">
|
<section xml:id="core-services-password-encoding">
|
||||||
<title>Password Encoding</title>
|
<title>Password Encoding</title>
|
||||||
<para xlink:href="#spring-security-crypto-passwordencoders">Spring Security's
|
<para linkend="spring-security-crypto-passwordencoders">Spring Security's
|
||||||
<interfacename>PasswordEncoder</interfacename> interface is used to support the use of
|
<interfacename>PasswordEncoder</interfacename> interface is used to support the use of
|
||||||
passwords which are encoded in some way in persistent storage. You should never store
|
passwords which are encoded in some way in persistent storage. You should never store
|
||||||
passwords in plain text. Always use a one-way password hashing algorithm such as bcrypt
|
passwords in plain text. Always use a one-way password hashing algorithm such as bcrypt
|
||||||
|
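Review bot: On the changed line in this hunk the attribute sits on the paragraph element itself (`<para linkend="spring-security-crypto-passwordencoders">`), not on a `<link>` as in the other changes visible in this commit, so the search-and-replace has carried an odd construct forward instead of resolving it. If a cross-reference to the crypto password encoders section is intended, wrap the relevant phrase in a `<link linkend="spring-security-crypto-passwordencoders">` element; otherwise drop the attribute from `<para>`.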
@ -71,13 +71,13 @@ amount=100.00&routingNumber=1234&account=9876&_csrf=<secure-random>
|
|||||||
Security's CSRF protection are outlined below:</para>
|
Security's CSRF protection are outlined below:</para>
|
||||||
<orderedlist inheritnum="ignore" continuation="restarts">
|
<orderedlist inheritnum="ignore" continuation="restarts">
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><link xlink:href="#csrf-use-proper-verbs">Use proper HTTP verbs</link></para>
|
<para><link linkend="csrf-use-proper-verbs">Use proper HTTP verbs</link></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><link xlink:href="#csrf-configure">Configure CSRF Protection</link></para>
|
<para><link linkend="csrf-configure">Configure CSRF Protection</link></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para><link xlink:href="#csrf-include-csrf-token">Include the CSRF Token</link></para>
|
<para><link linkend="csrf-include-csrf-token">Include the CSRF Token</link></para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</orderedlist>
|
</orderedlist>
|
||||||
<section xml:id="csrf-use-proper-verbs">
|
<section xml:id="csrf-use-proper-verbs">
|
||||||
@ -89,7 +89,7 @@ amount=100.00&routingNumber=1234&account=9876&_csrf=<secure-random>
|
|||||||
<section xml:id="csrf-configure">
|
<section xml:id="csrf-configure">
|
||||||
<title>Configure CSRF Protection</title>
|
<title>Configure CSRF Protection</title>
|
||||||
<para>The next step is to include Spring Security's CSRF protection within your application. If you are using the XML configuration, this can be done
|
<para>The next step is to include Spring Security's CSRF protection within your application. If you are using the XML configuration, this can be done
|
||||||
using the <link xlink:href="#nsa-csrf"><csrf /></link> element:</para>
|
using the <link linkend="nsa-csrf"><csrf /></link> element:</para>
|
||||||
<programlisting language="xml"><![CDATA[<http ...>
|
<programlisting language="xml"><![CDATA[<http ...>
|
||||||
...
|
...
|
||||||
<csrf />
|
<csrf />
|
||||||
@ -196,7 +196,7 @@ public class WebSecurityConfig extends
|
|||||||
<para>Spring Security's goal is to provide defaults that protect your users from exploits. This does not mean that you are forced to accept all of its defaults.</para>
|
<para>Spring Security's goal is to provide defaults that protect your users from exploits. This does not mean that you are forced to accept all of its defaults.</para>
|
||||||
<para>For example, you can provide a custom CsrfTokenRepository to override the way in which the <interfacename>CsrfToken</interfacename> is stored.</para>
|
<para>For example, you can provide a custom CsrfTokenRepository to override the way in which the <interfacename>CsrfToken</interfacename> is stored.</para>
|
||||||
<para>You can also specify a custom RequestMatcher to determine which requests are protected by CSRF (i.e. perhaps you don't care if log out is exploited). In short, if
|
<para>You can also specify a custom RequestMatcher to determine which requests are protected by CSRF (i.e. perhaps you don't care if log out is exploited). In short, if
|
||||||
Spring Security's CSRF protection doesn't behave exactly as you want it, you are able to customize the behavior. Refer to the <link xlink:href="#nsa-csrf"><csrf /></link>
|
Spring Security's CSRF protection doesn't behave exactly as you want it, you are able to customize the behavior. Refer to the <link linkend="nsa-csrf"><csrf /></link>
|
||||||
documentation for details on how to make these customizations with XML and the <classname>CsrfConfigurer</classname> javadoc for details on how to make these
|
documentation for details on how to make these customizations with XML and the <classname>CsrfConfigurer</classname> javadoc for details on how to make these
|
||||||
customizations when using Java configuration.</para>
|
customizations when using Java configuration.</para>
|
||||||
</section>
|
</section>
|
||||||
|
@ -150,7 +150,7 @@
|
|||||||
whether the current user has the <quote>admin</quote>permission for the given
|
whether the current user has the <quote>admin</quote>permission for the given
|
||||||
contact. The built-in <literal>hasPermission()</literal> expression is linked
|
contact. The built-in <literal>hasPermission()</literal> expression is linked
|
||||||
into the Spring Security ACL module through the application context, as we'll
|
into the Spring Security ACL module through the application context, as we'll
|
||||||
<link xlink:href="#el-permission-evaluator">see below</link>. You can access any
|
<link linkend="el-permission-evaluator">see below</link>. You can access any
|
||||||
of the method arguments by name as expression variables, provided your code has
|
of the method arguments by name as expression variables, provided your code has
|
||||||
debug information compiled in. Any Spring-EL functionality is available within
|
debug information compiled in. Any Spring-EL functionality is available within
|
||||||
the expression, so you can also access properties on the arguments. For example,
|
the expression, so you can also access properties on the arguments. For example,
|
||||||
|
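Review bot: Missing space in the first context line of this hunk: `<quote>admin</quote>permission` will render with the closing quote butted up against "permission". Suggest `<quote>admin</quote> permission` while this paragraph is being edited; the `linkend="el-permission-evaluator"` change itself is consistent with the rest of the commit.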
@ -70,8 +70,8 @@
|
|||||||
ten list of web application vulnerabilities as well as a lot of useful reference
|
ten list of web application vulnerabilities as well as a lot of useful reference
|
||||||
information. </para>
|
information. </para>
|
||||||
<para>We hope that you find this reference guide useful, and we welcome your feedback and
|
<para>We hope that you find this reference guide useful, and we welcome your feedback and
|
||||||
<link xlink:href="#jira">suggestions</link>. </para>
|
<link linkend="jira">suggestions</link>. </para>
|
||||||
<para>Finally, welcome to the Spring Security <link xlink:href="#community"
|
<para>Finally, welcome to the Spring Security <link linkend="community"
|
||||||
>community</link>. </para>
|
>community</link>. </para>
|
||||||
</partintro>
|
</partintro>
|
||||||
</preface>
|
</preface>
|
||||||
|
@ -225,7 +225,7 @@ JAASTest {
|
|||||||
Subject subject = Subject.getSubject(AccessController.getContext());
|
Subject subject = Subject.getSubject(AccessController.getContext());
|
||||||
]]></programlisting>
|
]]></programlisting>
|
||||||
This integration can easily be configured using the
|
This integration can easily be configured using the
|
||||||
<link xlink:href="#nsa-http-jaas-api-provision">jaas-api-provision</link> attribute. This
|
<link linkend="nsa-http-jaas-api-provision">jaas-api-provision</link> attribute. This
|
||||||
feature is useful when integrating with legacy or external API's that rely on the
|
feature is useful when integrating with legacy or external API's that rely on the
|
||||||
JAAS Subject being populated.</para>
|
JAAS Subject being populated.</para>
|
||||||
</section>
|
</section>
|
||||||
|
@ -23,7 +23,7 @@
|
|||||||
attributes on the <literal>ldap-server</literal> element and the user is isolated from
|
attributes on the <literal>ldap-server</literal> element and the user is isolated from
|
||||||
worrying about which beans they need to create and what the bean property names are. <footnote>
|
worrying about which beans they need to create and what the bean property names are. <footnote>
|
||||||
<para>You can find out more about the use of the <literal>ldap-server</literal> element
|
<para>You can find out more about the use of the <literal>ldap-server</literal> element
|
||||||
in the chapter on <link xlink:href="#ldap">LDAP</link>.</para>
|
in the chapter on <link linkend="ldap">LDAP</link>.</para>
|
||||||
</footnote>. Use of a good XML editor while editing the application context file should
|
</footnote>. Use of a good XML editor while editing the application context file should
|
||||||
provide information on the attributes and elements that are available. We would
|
provide information on the attributes and elements that are available. We would
|
||||||
recommend that you try out the <link
|
recommend that you try out the <link
|
||||||
@ -147,7 +147,7 @@
|
|||||||
functionality. The <literal><intercept-url></literal> element defines a
|
functionality. The <literal><intercept-url></literal> element defines a
|
||||||
<literal>pattern</literal> which is matched against the URLs of incoming requests
|
<literal>pattern</literal> which is matched against the URLs of incoming requests
|
||||||
using an ant path style syntax<footnote>
|
using an ant path style syntax<footnote>
|
||||||
<para>See the section on <link xlink:href="#request-matching">Request
|
<para>See the section on <link linkend="request-matching">Request
|
||||||
Matching</link> in the Web Application Infrastructure chapter for more details
|
Matching</link> in the Web Application Infrastructure chapter for more details
|
||||||
on how matches are actually performed.</para>
|
on how matches are actually performed.</para>
|
||||||
</footnote>. You can also use regular-expression matching as an alternative (see the
|
</footnote>. You can also use regular-expression matching as an alternative (see the
|
||||||
@ -162,9 +162,9 @@
|
|||||||
attributes). We'll see later how the interpretation can vary<footnote>
|
attributes). We'll see later how the interpretation can vary<footnote>
|
||||||
<para>The interpretation of the comma-separated values in the
|
<para>The interpretation of the comma-separated values in the
|
||||||
<literal>access</literal> attribute depends on the implementation of the <link
|
<literal>access</literal> attribute depends on the implementation of the <link
|
||||||
xlink:href="#ns-access-manager">AccessDecisionManager</link> which is used. In
|
linkend="ns-access-manager">AccessDecisionManager</link> which is used. In
|
||||||
Spring Security 3.0, the attribute can also be populated with an <link
|
Spring Security 3.0, the attribute can also be populated with an <link
|
||||||
xlink:href="#el-access">EL expression</link>.</para>
|
linkend="el-access">EL expression</link>.</para>
|
||||||
</footnote>.</para>
|
</footnote>.</para>
|
||||||
<note>
|
<note>
|
||||||
<para>You can use multiple <literal><intercept-url></literal> elements to
|
<para>You can use multiple <literal><intercept-url></literal> elements to
|
||||||
@ -202,7 +202,7 @@
|
|||||||
<literal><authentication-manager></literal> element, which creates a
|
<literal><authentication-manager></literal> element, which creates a
|
||||||
<classname>ProviderManager</classname> and registers the authentication
|
<classname>ProviderManager</classname> and registers the authentication
|
||||||
providers with it. You can find more detailed information on the beans that are
|
providers with it. You can find more detailed information on the beans that are
|
||||||
created in the <link xlink:href="#appendix-namespace">namespace appendix</link>.
|
created in the <link linkend="appendix-namespace">namespace appendix</link>.
|
||||||
It's worth cross-checking this if you want to start understanding what the
|
It's worth cross-checking this if you want to start understanding what the
|
||||||
important classes in the framework are and how they are used, particularly if
|
important classes in the framework are and how they are used, particularly if
|
||||||
you want to customise things later.</para>
|
you want to customise things later.</para>
|
||||||
@ -211,7 +211,7 @@
|
|||||||
the application (which will be used for access control). It is also possible to load
|
the application (which will be used for access control). It is also possible to load
|
||||||
user information from a standard properties file using the
|
user information from a standard properties file using the
|
||||||
<literal>properties</literal> attribute on <literal>user-service</literal>. See the
|
<literal>properties</literal> attribute on <literal>user-service</literal>. See the
|
||||||
section on <link xlink:href="#core-services-in-memory-service">in-memory
|
section on <link linkend="core-services-in-memory-service">in-memory
|
||||||
authentication</link> for more details on the file format. Using the
|
authentication</link> for more details on the file format. Using the
|
||||||
<literal><authentication-provider></literal> element means that the user
|
<literal><authentication-provider></literal> element means that the user
|
||||||
information will be used by the authentication manager to process authentication
|
information will be used by the authentication manager to process authentication
|
||||||
@ -241,8 +241,8 @@
|
|||||||
</programlisting> Also note
|
</programlisting> Also note
|
||||||
that we've added an extra <literal>intercept-url</literal> element to say that any
|
that we've added an extra <literal>intercept-url</literal> element to say that any
|
||||||
requests for the login page should be available to anonymous users <footnote>
|
requests for the login page should be available to anonymous users <footnote>
|
||||||
<para>See the chapter on <link xlink:href="#anonymous">anonymous
|
<para>See the chapter on <link linkend="anonymous">anonymous
|
||||||
authentication</link> and also the <link xlink:href="#authz-authenticated-voter"
|
authentication</link> and also the <link linkend="authz-authenticated-voter"
|
||||||
>AuthenticatedVoter</link> class for more details on how the value
|
>AuthenticatedVoter</link> class for more details on how the value
|
||||||
<literal>IS_AUTHENTICATED_ANONYMOUSLY</literal> is processed.</para>
|
<literal>IS_AUTHENTICATED_ANONYMOUSLY</literal> is processed.</para>
|
||||||
</footnote>. Otherwise the request would be matched by the pattern
|
</footnote>. Otherwise the request would be matched by the pattern
|
||||||
@ -273,7 +273,7 @@
|
|||||||
<literal>intercept-url</literal> element is incompatible with this change and is
|
<literal>intercept-url</literal> element is incompatible with this change and is
|
||||||
no longer supported in 3.1.</para>
|
no longer supported in 3.1.</para>
|
||||||
</footnote>. We'll look at this new syntax in more detail in the chapter on the
|
</footnote>. We'll look at this new syntax in more detail in the chapter on the
|
||||||
<link xlink:href="#filter-chains-with-ns">Security Filter Chain</link>. </para>
|
<link linkend="filter-chains-with-ns">Security Filter Chain</link>. </para>
|
||||||
<para> It's important to realise that these unsecured requests will be completely
|
<para> It's important to realise that these unsecured requests will be completely
|
||||||
oblivious to any Spring Security web-related configuration or additional attributes
|
oblivious to any Spring Security web-related configuration or additional attributes
|
||||||
such as <literal>requires-channel</literal>, so you will not be able to access
|
such as <literal>requires-channel</literal>, so you will not be able to access
|
||||||
@ -313,7 +313,7 @@
|
|||||||
<literal>authentication-success-handler-ref</literal> attribute as an
|
<literal>authentication-success-handler-ref</literal> attribute as an
|
||||||
alternative to <literal>default-target-url</literal>. The referenced bean should
|
alternative to <literal>default-target-url</literal>. The referenced bean should
|
||||||
be an instance of <interfacename>AuthenticationSuccessHandler</interfacename>.
|
be an instance of <interfacename>AuthenticationSuccessHandler</interfacename>.
|
||||||
You'll find more on this in the <link xlink:href="#form-login-flow-handling"
|
You'll find more on this in the <link linkend="form-login-flow-handling"
|
||||||
>Core Filters</link> chapter and also in the namespace appendix, as well as
|
>Core Filters</link> chapter and also in the namespace appendix, as well as
|
||||||
information on how to customize the flow when authentication fails. </para>
|
information on how to customize the flow when authentication fails. </para>
|
||||||
</section>
|
</section>
|
||||||
@ -331,7 +331,7 @@
|
|||||||
<para> In practice you will need a more scalable source of user information than a few
|
<para> In practice you will need a more scalable source of user information than a few
|
||||||
names added to the application context file. Most likely you will want to store your
|
names added to the application context file. Most likely you will want to store your
|
||||||
user information in something like a database or an LDAP server. LDAP namespace
|
user information in something like a database or an LDAP server. LDAP namespace
|
||||||
configuration is dealt with in the <link xlink:href="#ldap">LDAP chapter</link>, so
|
configuration is dealt with in the <link linkend="ldap">LDAP chapter</link>, so
|
||||||
we won't cover it here. If you have a custom implementation of Spring Security's
|
we won't cover it here. If you have a custom implementation of Spring Security's
|
||||||
<classname>UserDetailsService</classname>, called "myUserDetailsService" in your
|
<classname>UserDetailsService</classname>, called "myUserDetailsService" in your
|
||||||
application context, then you can authenticate against this using <programlisting language="xml"><![CDATA[
|
application context, then you can authenticate against this using <programlisting language="xml"><![CDATA[
|
||||||
@ -349,7 +349,7 @@
|
|||||||
</programlisting> Where <quote>securityDataSource</quote> is the name of a
|
</programlisting> Where <quote>securityDataSource</quote> is the name of a
|
||||||
<classname>DataSource</classname> bean in the application context, pointing at a
|
<classname>DataSource</classname> bean in the application context, pointing at a
|
||||||
database containing the standard Spring Security <link
|
database containing the standard Spring Security <link
|
||||||
xlink:href="#db_schema_users_authorities">user data tables</link>. Alternatively,
|
linkend="db_schema_users_authorities">user data tables</link>. Alternatively,
|
||||||
you could configure a Spring Security <classname>JdbcDaoImpl</classname> bean and
|
you could configure a Spring Security <classname>JdbcDaoImpl</classname> bean and
|
||||||
point at that using the <literal>user-service-ref</literal> attribute: <programlisting language="xml"><![CDATA[
|
point at that using the <literal>user-service-ref</literal> attribute: <programlisting language="xml"><![CDATA[
|
||||||
<authentication-manager>
|
<authentication-manager>
|
||||||
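Review bot: the target `db_schema_users_authorities` on the changed `linkend=` line is the only underscore-style id among the targets visible in this patch; the others (`ldap`, `session-mgmt`, `ns-auth-providers`) are hyphenated. A `linkend` value has to match an `xml:id` in the assembled book exactly, so confirm the target section declares the id with this spelling, or rename both sides to the hyphenated form in a follow-up.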
@ -408,7 +408,7 @@
|
|||||||
<title>Advanced Web Features</title>
|
<title>Advanced Web Features</title>
|
||||||
<section xml:id="ns-remember-me">
|
<section xml:id="ns-remember-me">
|
||||||
<title>Remember-Me Authentication</title>
|
<title>Remember-Me Authentication</title>
|
||||||
<para>See the separate <link xlink:href="#remember-me">Remember-Me chapter</link> for
|
<para>See the separate <link linkend="remember-me">Remember-Me chapter</link> for
|
||||||
information on remember-me namespace configuration.</para>
|
information on remember-me namespace configuration.</para>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="ns-requires-channel">
|
<section xml:id="ns-requires-channel">
|
||||||
@ -515,7 +515,7 @@
|
|||||||
<literal>session-management</literal> element. </para>
|
<literal>session-management</literal> element. </para>
|
||||||
<para>If you are using a customized authentication filter for form-based login, then
|
<para>If you are using a customized authentication filter for form-based login, then
|
||||||
you have to configure concurrent session control support explicitly. More
|
you have to configure concurrent session control support explicitly. More
|
||||||
details can be found in the <link xlink:href="#session-mgmt">Session Management
|
details can be found in the <link linkend="session-mgmt">Session Management
|
||||||
chapter</link>. </para>
|
chapter</link>. </para>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="ns-session-fixation">
|
<section xml:id="ns-session-fixation">
|
||||||
@ -559,7 +559,7 @@
|
|||||||
will <emphasis>also</emphasis> result in any
|
will <emphasis>also</emphasis> result in any
|
||||||
<classname>javax.servlet.http.HttpSessionIdListener</classname>s being notified, so
|
<classname>javax.servlet.http.HttpSessionIdListener</classname>s being notified, so
|
||||||
use caution if your code listens for both events. See the
|
use caution if your code listens for both events. See the
|
||||||
<link xlink:href="#session-mgmt">Session Management</link> chapter for additional
|
<link linkend="session-mgmt">Session Management</link> chapter for additional
|
||||||
information.
|
information.
|
||||||
</para>
|
</para>
|
||||||
</section>
|
</section>
|
||||||
@ -580,7 +580,7 @@
|
|||||||
authenticate. It is also possible to select a specific
|
authenticate. It is also possible to select a specific
|
||||||
<interfacename>UserDetailsService</interfacename> bean for use OpenID by setting the
|
<interfacename>UserDetailsService</interfacename> bean for use OpenID by setting the
|
||||||
<literal>user-service-ref</literal> attribute on the <literal>openid-login</literal>
|
<literal>user-service-ref</literal> attribute on the <literal>openid-login</literal>
|
||||||
element. See the previous section on <link xlink:href="#ns-auth-providers"
|
element. See the previous section on <link linkend="ns-auth-providers"
|
||||||
>authentication providers</link> for more information. Note that we have omitted the
|
>authentication providers</link> for more information. Note that we have omitted the
|
||||||
password attribute from the above user configuration, since this set of user data is
|
password attribute from the above user configuration, since this set of user data is
|
||||||
only being used to load the authorities for the user. A random password will be
|
only being used to load the authorities for the user. A random password will be
|
||||||
@ -613,7 +613,7 @@ List<OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
|
|||||||
retrieved value (or values in the case of multi-valued attributes). We'll see
|
retrieved value (or values in the case of multi-valued attributes). We'll see
|
||||||
more about how the <classname>SecurityContextHolder</classname> class is used
|
more about how the <classname>SecurityContextHolder</classname> class is used
|
||||||
when we look at core Spring Security components in the <link
|
when we look at core Spring Security components in the <link
|
||||||
xlink:href="#core-components">technical overview</link> chapter. Multiple
|
linkend="core-components">technical overview</link> chapter. Multiple
|
||||||
attribute exchange configurations are also be supported, if you wish to use
|
attribute exchange configurations are also be supported, if you wish to use
|
||||||
multiple identity providers. You can supply multiple
|
multiple identity providers. You can supply multiple
|
||||||
<literal>attribute-exchange</literal> elements, using an
|
<literal>attribute-exchange</literal> elements, using an
|
||||||
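Review bot: the unchanged context line just below the edited link reads "attribute exchange configurations are also be supported". Since this paragraph is being touched anyway, correct it to "are also supported" in this commit or a follow-up.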
@ -659,7 +659,7 @@ List<OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
|
|||||||
</http>]]>
|
</http>]]>
|
||||||
</programlisting>
|
</programlisting>
|
||||||
</para>
|
</para>
|
||||||
<para>For additional information on how to customize the headers element refer to the <link xlink:href="#nsa-headers">headers</link>
|
<para>For additional information on how to customize the headers element refer to the <link linkend="nsa-headers">headers</link>
|
||||||
section of the Security Namespace appendix.</para>
|
section of the Security Namespace appendix.</para>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="ns-custom-filters">
|
<section xml:id="ns-custom-filters">
|
||||||
@ -826,7 +826,7 @@ List<OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
|
|||||||
<classname>FilterSecurityInterceptor</classname>. Some other filters are added
|
<classname>FilterSecurityInterceptor</classname>. Some other filters are added
|
||||||
by default, but you can disable them. An <classname>AnonymousAuthenticationFilter</classname>
|
by default, but you can disable them. An <classname>AnonymousAuthenticationFilter</classname>
|
||||||
is added by default and unless you have
|
is added by default and unless you have
|
||||||
<link xlink:href="#ns-session-fixation">session-fixation protection</link>
|
<link linkend="ns-session-fixation">session-fixation protection</link>
|
||||||
disabled, a <classname>SessionManagementFilter</classname> will also be added
|
disabled, a <classname>SessionManagementFilter</classname> will also be added
|
||||||
to the filter chain.
|
to the filter chain.
|
||||||
</para>
|
</para>
|
||||||
@ -847,7 +847,7 @@ List<OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
|
|||||||
<para> The CAS sample application is a good example of the use of custom beans with
|
<para> The CAS sample application is a good example of the use of custom beans with
|
||||||
the namespace, including this syntax. If you aren't familiar with authentication
|
the namespace, including this syntax. If you aren't familiar with authentication
|
||||||
entry points, they are discussed in the <link
|
entry points, they are discussed in the <link
|
||||||
xlink:href="#tech-intro-auth-entry-point">technical overview</link> chapter.
|
linkend="tech-intro-auth-entry-point">technical overview</link> chapter.
|
||||||
</para>
|
</para>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@ -857,7 +857,7 @@ List<OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
|
|||||||
<para>From version 2.0 onwards Spring Security has improved support substantially for adding
|
<para>From version 2.0 onwards Spring Security has improved support substantially for adding
|
||||||
security to your service layer methods. It provides support for JSR-250 annotation
|
security to your service layer methods. It provides support for JSR-250 annotation
|
||||||
security as well as the framework's original <literal>@Secured</literal> annotation.
|
security as well as the framework's original <literal>@Secured</literal> annotation.
|
||||||
From 3.0 you can also make use of new <link xlink:href="#el-access">expression-based
|
From 3.0 you can also make use of new <link linkend="el-access">expression-based
|
||||||
annotations</link>. You can apply security to a single bean, using the
|
annotations</link>. You can apply security to a single bean, using the
|
||||||
<literal>intercept-methods</literal> element to decorate the bean declaration, or you
|
<literal>intercept-methods</literal> element to decorate the bean declaration, or you
|
||||||
can secure multiple beans across the entire service layer using the AspectJ style
|
can secure multiple beans across the entire service layer using the AspectJ style
|
||||||
@ -963,7 +963,7 @@ List<OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
|
|||||||
<para> The default strategy is to use an <classname>AffirmativeBased</classname>
|
<para> The default strategy is to use an <classname>AffirmativeBased</classname>
|
||||||
<interfacename>AccessDecisionManager</interfacename> with a
|
<interfacename>AccessDecisionManager</interfacename> with a
|
||||||
<classname>RoleVoter</classname> and an <classname>AuthenticatedVoter</classname>. You
|
<classname>RoleVoter</classname> and an <classname>AuthenticatedVoter</classname>. You
|
||||||
can find out more about these in the chapter on <link xlink:href="#authz-arch"
|
can find out more about these in the chapter on <link linkend="authz-arch"
|
||||||
>authorization</link>.</para>
|
>authorization</link>.</para>
|
||||||
<section xml:id="ns-custom-access-mgr">
|
<section xml:id="ns-custom-access-mgr">
|
||||||
<title>Customizing the AccessDecisionManager</title>
|
<title>Customizing the AccessDecisionManager</title>
|
||||||
@ -992,7 +992,7 @@ List<OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
|
|||||||
<interfacename>AuthenticationManager</interfacename>. This is usually an instance of
|
<interfacename>AuthenticationManager</interfacename>. This is usually an instance of
|
||||||
Spring Security's <classname>ProviderManager</classname> class, which you may already be
|
Spring Security's <classname>ProviderManager</classname> class, which you may already be
|
||||||
familiar with if you've used the framework before. If not, it will be covered later, in
|
familiar with if you've used the framework before. If not, it will be covered later, in
|
||||||
the <link xlink:href="#tech-intro-authentication">technical overview chapter</link>. The
|
the <link linkend="tech-intro-authentication">technical overview chapter</link>. The
|
||||||
bean instance is registered using the <literal>authentication-manager</literal>
|
bean instance is registered using the <literal>authentication-manager</literal>
|
||||||
namespace element. You can't use a custom <classname>AuthenticationManager</classname>
|
namespace element. You can't use a custom <classname>AuthenticationManager</classname>
|
||||||
if you are using either HTTP or method security through the namespace, but this should
|
if you are using either HTTP or method security through the namespace, but this should
|
||||||
|
@ -32,36 +32,36 @@
|
|||||||
<title>Spring Security 3.1 namespace updates</title>
|
<title>Spring Security 3.1 namespace updates</title>
|
||||||
<para>Below you can find a summary of updates to the Spring Security 3.1 namespace.</para>
|
<para>Below you can find a summary of updates to the Spring Security 3.1 namespace.</para>
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>Added support for multiple <link xlink:href="#nsa-http"><http></link> elements and support for determining which one to use with
|
<listitem>Added support for multiple <link linkend="nsa-http"><http></link> elements and support for determining which one to use with
|
||||||
<link xlink:href="#nsa-http-pattern">http@pattern</link>, <link xlink:href="#nsa-http-request-matcher">http@request-matcher</link>, and
|
<link linkend="nsa-http-pattern">http@pattern</link>, <link linkend="nsa-http-request-matcher">http@request-matcher</link>, and
|
||||||
<link xlink:href="#nsa-http-security">http@security</link>.
|
<link linkend="nsa-http-security">http@security</link>.
|
||||||
Further information can be found in <link xlink:href="#ns-config">Namespace Configuration</link> section of the reference.</listitem>
|
Further information can be found in <link linkend="ns-config">Namespace Configuration</link> section of the reference.</listitem>
|
||||||
<listitem>Added stateless option for <link xlink:href="#nsa-http-create-session">http@create-session</link></listitem>
|
<listitem>Added stateless option for <link linkend="nsa-http-create-session">http@create-session</link></listitem>
|
||||||
<listitem>Added support for <link xlink:href="#nsa-http-authentication-manager-ref">http@authentication-manager-ref</link>
|
<listitem>Added support for <link linkend="nsa-http-authentication-manager-ref">http@authentication-manager-ref</link>
|
||||||
and <link xlink:href="#nsa-global-method-security-authentication-manager-ref">global-method-security@authentication-manager-ref</link>.</listitem>
|
and <link linkend="nsa-global-method-security-authentication-manager-ref">global-method-security@authentication-manager-ref</link>.</listitem>
|
||||||
<listitem>Added <link xlink:href="#nsa-http-name">http@name</link></listitem>
|
<listitem>Added <link linkend="nsa-http-name">http@name</link></listitem>
|
||||||
<listitem>Added <link xlink:href="#nsa-http-request-matcher-ref">http@request-matcher-ref</link> and
|
<listitem>Added <link linkend="nsa-http-request-matcher-ref">http@request-matcher-ref</link> and
|
||||||
<link xlink:href="#nsa-filter-chain-request-matcher-ref">filter-chain@request-matcher-ref</link></listitem>
|
<link linkend="nsa-filter-chain-request-matcher-ref">filter-chain@request-matcher-ref</link></listitem>
|
||||||
<listitem>Added <link xlink:href="#nsa-debug"><debug></link></listitem>
|
<listitem>Added <link linkend="nsa-debug"><debug></link></listitem>
|
||||||
<listitem>Added Support for setting the AuthenticationDetailsSource using the namespace. See
|
<listitem>Added Support for setting the AuthenticationDetailsSource using the namespace. See
|
||||||
<link xlink:href="#nsa-form-login-authentication-details-source-ref">form-login@authentication-details-source-ref</link>,
|
<link linkend="nsa-form-login-authentication-details-source-ref">form-login@authentication-details-source-ref</link>,
|
||||||
<link xlink:href="#nsa-openid-login-authentication-details-source-ref">openid-login@authentication-details-source-ref</link>,
|
<link linkend="nsa-openid-login-authentication-details-source-ref">openid-login@authentication-details-source-ref</link>,
|
||||||
<link xlink:href="#nsa-http-basic-authentication-details-source-ref">http-basic@authentication-details-source-ref</link>, and
|
<link linkend="nsa-http-basic-authentication-details-source-ref">http-basic@authentication-details-source-ref</link>, and
|
||||||
<link xlink:href="#nsa-x509-authentication-details-source-ref">x509@authentication-details-source-ref</link>.</listitem>
|
<link linkend="nsa-x509-authentication-details-source-ref">x509@authentication-details-source-ref</link>.</listitem>
|
||||||
<listitem>Added support for http/expression-handler. This allows
|
<listitem>Added support for http/expression-handler. This allows
|
||||||
<link xlink:href="#nsa-expression-handler"><expression-handler></link> to be used for web access expressions.</listitem>
|
<link linkend="nsa-expression-handler"><expression-handler></link> to be used for web access expressions.</listitem>
|
||||||
<listitem>Added <link xlink:href="#nsa-authentication-manager-erase-credentials">authentication-manager@erase-credentials</link></listitem>
|
<listitem>Added <link linkend="nsa-authentication-manager-erase-credentials">authentication-manager@erase-credentials</link></listitem>
|
||||||
<listitem>Added <link xlink:href="#nsa-http-basic-entry-point-ref">http-basic@entry-point-ref</link></listitem>
|
<listitem>Added <link linkend="nsa-http-basic-entry-point-ref">http-basic@entry-point-ref</link></listitem>
|
||||||
<listitem>Added <link xlink:href="#nsa-logout-delete-cookies">logout@delete-cookies</link></listitem>
|
<listitem>Added <link linkend="nsa-logout-delete-cookies">logout@delete-cookies</link></listitem>
|
||||||
<listitem>Added <link xlink:href="#nsa-remember-me-authentication-success-handler-ref">remember-me@authentication-success-handler-ref</link></listitem>
|
<listitem>Added <link linkend="nsa-remember-me-authentication-success-handler-ref">remember-me@authentication-success-handler-ref</link></listitem>
|
||||||
<listitem>Added <link xlink:href="#nsa-method-security-metadata-source"><metadata-source-ref></link></listitem>
|
<listitem>Added <link linkend="nsa-method-security-metadata-source"><metadata-source-ref></link></listitem>
|
||||||
<listitem>Added <link xlink:href="#nsa-global-method-security-metadata-source-ref">global-method-security@metadata-source-ref</link></listitem>
|
<listitem>Added <link linkend="nsa-global-method-security-metadata-source-ref">global-method-security@metadata-source-ref</link></listitem>
|
||||||
<listitem>Added <link xlink:href="#nsa-global-method-security-mode">global-method-security@mode</link></listitem>
|
<listitem>Added <link linkend="nsa-global-method-security-mode">global-method-security@mode</link></listitem>
|
||||||
<listitem>Added <link xlink:href="#nsa-attribute-exchange"><attribute-exchange></link></listitem>
|
<listitem>Added <link linkend="nsa-attribute-exchange"><attribute-exchange></link></listitem>
|
||||||
<listitem>Added <link xlink:href="#nsa-remember-me-use-secure-cookie">remember-me@use-secure-cookie</link></listitem>
|
<listitem>Added <link linkend="nsa-remember-me-use-secure-cookie">remember-me@use-secure-cookie</link></listitem>
|
||||||
<listitem>Added <link xlink:href="#nsa-http-jaas-api-provision">http@jaas-api-provision</link></listitem>
|
<listitem>Added <link linkend="nsa-http-jaas-api-provision">http@jaas-api-provision</link></listitem>
|
||||||
<listitem>Added <link xlink:href="#nsa-form-login-username-parameter">form-login@username-parameter</link> and
|
<listitem>Added <link linkend="nsa-form-login-username-parameter">form-login@username-parameter</link> and
|
||||||
<link xlink:href="#nsa-form-login-password-parameter">form-login@password-parameter</link></listitem>
|
<link linkend="nsa-form-login-password-parameter">form-login@password-parameter</link></listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
</section>
|
</section>
|
||||||
</chapter>
|
</chapter>
|
||||||
|
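Review bot: every `<listitem>` in this list holds its text and `<link>` children directly, with no `<para>` wrapper, and DocBook's `listitem` takes block children rather than inline content. Now that the links are `linkend` references that a validating build resolves, it is worth wrapping each item body in `<para>` so the list itself also validates. Separately, none of the `nsa-*` targets can be checked from this hunk, so a build of the reference with the namespace appendix included should be part of the review.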
@ -29,7 +29,7 @@
|
|||||||
pre-authenticated authentication providers. This removes duplication and allows new
|
pre-authenticated authentication providers. This removes duplication and allows new
|
||||||
implementations to be added in a structured fashion, without having to write everything
|
implementations to be added in a structured fashion, without having to write everything
|
||||||
from scratch. You don't need to know about these classes if you want to use something
|
from scratch. You don't need to know about these classes if you want to use something
|
||||||
like <link xlink:href="#x509">X.509 authentication</link>, as it already has a namespace
|
like <link linkend="x509">X.509 authentication</link>, as it already has a namespace
|
||||||
configuration option which is simpler to use and get started with. If you need to use
|
configuration option which is simpler to use and get started with. If you need to use
|
||||||
explicit bean configuration or are planning on writing your own implementation then an
|
explicit bean configuration or are planning on writing your own implementation then an
|
||||||
understanding of how the provided implementations work will be useful. You will find
|
understanding of how the provided implementations work will be useful. You will find
|
||||||
@ -107,7 +107,7 @@
|
|||||||
<section>
|
<section>
|
||||||
<title>Http403ForbiddenEntryPoint</title>
|
<title>Http403ForbiddenEntryPoint</title>
|
||||||
<para> The <interfacename>AuthenticationEntryPoint</interfacename> was discussed in the
|
<para> The <interfacename>AuthenticationEntryPoint</interfacename> was discussed in the
|
||||||
<link xlink:href="#tech-intro-auth-entry-point">technical overview</link> chapter.
|
<link linkend="tech-intro-auth-entry-point">technical overview</link> chapter.
|
||||||
Normally it is responsible for kick-starting the authentication process for an
|
Normally it is responsible for kick-starting the authentication process for an
|
||||||
unauthenticated user (when they try to access a protected resource), but in the
|
unauthenticated user (when they try to access a protected resource), but in the
|
||||||
pre-authenticated case this doesn't apply. You would only configure the
|
pre-authenticated case this doesn't apply. You would only configure the
|
||||||
@ -121,7 +121,7 @@
|
|||||||
</section>
|
</section>
|
||||||
<section>
|
<section>
|
||||||
<title>Concrete Implementations</title>
|
<title>Concrete Implementations</title>
|
||||||
<para> X.509 authentication is covered in its <link xlink:href="#x509">own chapter</link>.
|
<para> X.509 authentication is covered in its <link linkend="x509">own chapter</link>.
|
||||||
Here we'll look at some classes which provide support for other pre-authenticated
|
Here we'll look at some classes which provide support for other pre-authenticated
|
||||||
scenarios. </para>
|
scenarios. </para>
|
||||||
<section>
|
<section>
|
||||||
@ -169,7 +169,7 @@ class="org.springframework.security.web.authentication.preauth.PreAuthenticatedA
|
|||||||
<security:authentication-provider ref="preauthAuthProvider" />
|
<security:authentication-provider ref="preauthAuthProvider" />
|
||||||
</security:authentication-manager>
|
</security:authentication-manager>
|
||||||
]]>
|
]]>
|
||||||
</programlisting> We've assumed here that the <link xlink:href="#ns-config">security namespace</link>
|
</programlisting> We've assumed here that the <link linkend="ns-config">security namespace</link>
|
||||||
is being used for configuration. It's also assumed that you have added a
|
is being used for configuration. It's also assumed that you have added a
|
||||||
<interfacename>UserDetailsService</interfacename> (called
|
<interfacename>UserDetailsService</interfacename> (called
|
||||||
<quote>userDetailsService</quote>) to your configuration to load the user's
|
<quote>userDetailsService</quote>) to your configuration to load the user's
|
||||||
|
@ -45,7 +45,7 @@
|
|||||||
more significant security is needed you should use the approach described in the next
|
more significant security is needed you should use the approach described in the next
|
||||||
section. Alternatively remember-me services should simply not be used at all.</para>
|
section. Alternatively remember-me services should simply not be used at all.</para>
|
||||||
<para>If you are familiar with the topics discussed in the chapter on <link
|
<para>If you are familiar with the topics discussed in the chapter on <link
|
||||||
xlink:href="#ns-config">namespace configuration</link>, you can enable remember-me
|
linkend="ns-config">namespace configuration</link>, you can enable remember-me
|
||||||
authentication just by adding the <literal><remember-me></literal> element: <programlisting language="xml"><![CDATA[
|
authentication just by adding the <literal><remember-me></literal> element: <programlisting language="xml"><![CDATA[
|
||||||
<http>
|
<http>
|
||||||
...
|
...
|
||||||
|
@ -6,7 +6,7 @@
|
|||||||
<para> There are several sample web applications that are available with the project. To avoid
|
<para> There are several sample web applications that are available with the project. To avoid
|
||||||
an overly large download, only the "tutorial" and "contacts" samples are included in the
|
an overly large download, only the "tutorial" and "contacts" samples are included in the
|
||||||
distribution zip file. The others can be built directly from the source which you can obtain
|
distribution zip file. The others can be built directly from the source which you can obtain
|
||||||
as described in <link xlink:href="#get-source">the introduction</link>. It's easy to build
|
as described in <link linkend="get-source">the introduction</link>. It's easy to build
|
||||||
the project yourself and there's more information on the project web site at <link
|
the project yourself and there's more information on the project web site at <link
|
||||||
xlink:href="http://www.springsource.org/security/">
|
xlink:href="http://www.springsource.org/security/">
|
||||||
http://www.springsource.org/security/ </link>. All paths referred to in this chapter are
|
http://www.springsource.org/security/ </link>. All paths referred to in this chapter are
|
||||||
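Review bot: the project-site link in the context lines is left on `xlink:href="http://www.springsource.org/security/"`, which is right for an external URL because `linkend` only resolves ids inside the book, but it is a plain `http://` address in a security reference. If the site is served over TLS, switch the attribute and the visible link text to `https://` while this paragraph is open.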
@ -17,8 +17,8 @@
|
|||||||
namespace configuration throughout. The compiled application is included in the
|
namespace configuration throughout. The compiled application is included in the
|
||||||
distribution zip file, ready to be deployed into your web container
|
distribution zip file, ready to be deployed into your web container
|
||||||
(<filename>spring-security-samples-tutorial-3.1.x.war</filename>). The <link
|
(<filename>spring-security-samples-tutorial-3.1.x.war</filename>). The <link
|
||||||
xlink:href="#ns-form-and-basic">form-based</link> authentication mechanism is used in
|
linkend="ns-form-and-basic">form-based</link> authentication mechanism is used in
|
||||||
combination with the commonly-used <link xlink:href="#remember-me">remember-me</link>
|
combination with the commonly-used <link linkend="remember-me">remember-me</link>
|
||||||
authentication provider to automatically remember the login using cookies.</para>
|
authentication provider to automatically remember the login using cookies.</para>
|
||||||
<para>We recommend you start with the tutorial sample, as the XML is minimal and easy to
|
<para>We recommend you start with the tutorial sample, as the XML is minimal and easy to
|
||||||
follow. Most importantly, you can easily add this one XML file (and its corresponding
|
follow. Most importantly, you can easily add this one XML file (and its corresponding
|
||||||
@ -122,7 +122,7 @@ Success! Your web filters appear to be properly configured!
|
|||||||
<title>CAS Sample</title>
|
<title>CAS Sample</title>
|
||||||
<para> The CAS sample requires that you run both a CAS server and CAS client. It isn't
|
<para> The CAS sample requires that you run both a CAS server and CAS client. It isn't
|
||||||
included in the distribution so you should check out the project code as described in
|
included in the distribution so you should check out the project code as described in
|
||||||
<link xlink:href="#get-source">the introduction</link>. You'll find the relevant files
|
<link linkend="get-source">the introduction</link>. You'll find the relevant files
|
||||||
under the <filename>sample/cas</filename> directory. There's also a
|
under the <filename>sample/cas</filename> directory. There's also a
|
||||||
<filename>Readme.txt</filename> file in there which explains how to run both the server
|
<filename>Readme.txt</filename> file in there which explains how to run both the server
|
||||||
and the client directly from the source tree, complete with SSL support.</para>
|
and the client directly from the source tree, complete with SSL support.</para>
|
||||||
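Review bot: the context line after the edited link gives the CAS sample location as `sample/cas`, while the pre-authentication section later in the same file uses `samples/preauth`. One of the two directory names is presumably a typo; check against the source tree and make them consistent, since readers are told to find `Readme.txt` under that path.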
@ -132,12 +132,12 @@ Success! Your web filters appear to be properly configured!
|
|||||||
<para>The JAAS sample is very simple example of how to use a JAAS LoginModule with Spring Security. The provided LoginModule will
|
<para>The JAAS sample is very simple example of how to use a JAAS LoginModule with Spring Security. The provided LoginModule will
|
||||||
successfully authenticate a user if the username equals the password otherwise a LoginException is thrown. The AuthorityGranter
|
successfully authenticate a user if the username equals the password otherwise a LoginException is thrown. The AuthorityGranter
|
||||||
used in this example always grants the role ROLE_USER. The sample application also demonstrates how to run as the JAAS Subject
|
used in this example always grants the role ROLE_USER. The sample application also demonstrates how to run as the JAAS Subject
|
||||||
returned by the LoginModule by setting <link xlink:href="#nsa-http-jaas-api-provision">jaas-api-provision</link> equal to "true".</para>
|
returned by the LoginModule by setting <link linkend="nsa-http-jaas-api-provision">jaas-api-provision</link> equal to "true".</para>
|
||||||
</section>
|
</section>
|
||||||
<section xml:id="preauth-sample">
|
<section xml:id="preauth-sample">
|
||||||
<title>Pre-Authentication Sample</title>
|
<title>Pre-Authentication Sample</title>
|
||||||
<para> This sample application demonstrates how to wire up beans from the <link
|
<para> This sample application demonstrates how to wire up beans from the <link
|
||||||
xlink:href="#preauth">pre-authentication</link> framework to make use of login
|
linkend="preauth">pre-authentication</link> framework to make use of login
|
||||||
information from a J2EE container. The user name and roles are those setup by the
|
information from a J2EE container. The user name and roles are those setup by the
|
||||||
container. </para>
|
container. </para>
|
||||||
<para> The code is in <filename>samples/preauth</filename>. </para>
|
<para> The code is in <filename>samples/preauth</filename>. </para>
|
||||||
|
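Review bot: the JAAS paragraph around the changed `jaas-api-provision` link describes a LoginModule that authenticates whenever the username equals the password and an AuthorityGranter that always grants ROLE_USER, without saying that both are demonstration stubs. Add a sentence stating that they exist only to show the wiring and must be replaced by a real LoginModule before reuse. The same paragraph also has "is very simple example", which should read "is a very simple example".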
@ -9,7 +9,7 @@
|
|||||||
</info>
|
</info>
|
||||||
<para> Prior to Spring Security 2.0, securing <classname>MethodInvocation</classname>s
|
<para> Prior to Spring Security 2.0, securing <classname>MethodInvocation</classname>s
|
||||||
needed quite a lot of boiler plate configuration. Now the recommended approach for
|
needed quite a lot of boiler plate configuration. Now the recommended approach for
|
||||||
method security is to use <link xlink:href="#ns-method-security">namespace
|
method security is to use <link linkend="ns-method-security">namespace
|
||||||
configuration</link>. This way the method security infrastructure beans are configured
|
configuration</link>. This way the method security infrastructure beans are configured
|
||||||
automatically for you so you don't really need to know about the implementation classes.
|
automatically for you so you don't really need to know about the implementation classes.
|
||||||
We'll just provide a quick overview of the classes that are involved here. </para>
|
We'll just provide a quick overview of the classes that are involved here. </para>
|
||||||
|
@ -12,7 +12,7 @@
|
|||||||
<para> Spring Security maintains a filter chain internally where each of the filters has a
|
<para> Spring Security maintains a filter chain internally where each of the filters has a
|
||||||
particular responsibility and filters are added or removed from the configuration depending
|
particular responsibility and filters are added or removed from the configuration depending
|
||||||
on which services are required. The ordering of the filters is important as there are
|
on which services are required. The ordering of the filters is important as there are
|
||||||
dependencies between them. If you have been using <link xlink:href="#ns-config">namespace
|
dependencies between them. If you have been using <link linkend="ns-config">namespace
|
||||||
configuration</link>, then the filters are automatically configured for you and you don't
|
configuration</link>, then the filters are automatically configured for you and you don't
|
||||||
have to define any Spring beans explicitly but here may be times when you want full control
|
have to define any Spring beans explicitly but here may be times when you want full control
|
||||||
over the security filter chain, either because you are using features which aren't supported
|
over the security filter chain, either because you are using features which aren't supported
|
||||||
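Review bot: the sentence that carries the changed `ns-config` link has a typo in the context two lines below the change: "but here may be times when you want full control" should read "but there may be times". The paragraph is already modified in this commit, so the fix can ride along. The sentence also runs on and would read better with a full stop after "explicitly".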
@ -111,7 +111,7 @@
|
|||||||
lifecycle methods on the filters it is configured with. We recommend you use
|
lifecycle methods on the filters it is configured with. We recommend you use
|
||||||
Spring's application context lifecycle interfaces as an alternative, just as you
|
Spring's application context lifecycle interfaces as an alternative, just as you
|
||||||
would for any other Spring bean.</para>
|
would for any other Spring bean.</para>
|
||||||
<para> When we looked at how to set up web security using <link xlink:href="#ns-web-xml"
|
<para> When we looked at how to set up web security using <link linkend="ns-web-xml"
|
||||||
>namespace configuration</link>, we used a <literal>DelegatingFilterProxy</literal> with
|
>namespace configuration</link>, we used a <literal>DelegatingFilterProxy</literal> with
|
||||||
the name <quote>springSecurityFilterChain</quote>. You should now be able to see that
|
the name <quote>springSecurityFilterChain</quote>. You should now be able to see that
|
||||||
this is the name of the <classname>FilterChainProxy</classname> which is created by the
|
this is the name of the <classname>FilterChainProxy</classname> which is created by the
|
||||||
|
@ -33,7 +33,7 @@
|
|||||||
is just to redirect to a fixed URL and this is encapsulated in the standard implementation
|
is just to redirect to a fixed URL and this is encapsulated in the standard implementation
|
||||||
<classname>SimpleRedirectInvalidSessionStrategy</classname>. The latter is also used
|
<classname>SimpleRedirectInvalidSessionStrategy</classname>. The latter is also used
|
||||||
when configuring an invalid session URL through the namespace,
|
when configuring an invalid session URL through the namespace,
|
||||||
<link xlink:href="#ns-session-mgmt">as described earlier</link>.</para>
|
<link linkend="ns-session-mgmt">as described earlier</link>.</para>
|
||||||
</section>
|
</section>
|
||||||
<section>
|
<section>
|
||||||
<title><interfacename>SessionAuthenticationStrategy</interfacename></title>
|
<title><interfacename>SessionAuthenticationStrategy</interfacename></title>
|
||||||
|
@ -16,7 +16,7 @@
|
|||||||
Spring Security 3.0, it can be used in two ways <footnote>
|
Spring Security 3.0, it can be used in two ways <footnote>
|
||||||
<para>The legacy options from Spring Security 2.0 are also supported, but
|
<para>The legacy options from Spring Security 2.0 are also supported, but
|
||||||
discouraged.</para>
|
discouraged.</para>
|
||||||
</footnote>. The first approach uses a <link xlink:href="#el-access-web">web-security
|
</footnote>. The first approach uses a <link linkend="el-access-web">web-security
|
||||||
expression</link>, specified in the <literal>access</literal> attribute of the tag. The
|
expression</link>, specified in the <literal>access</literal> attribute of the tag. The
|
||||||
expression evaluation will be delegated to the
|
expression evaluation will be delegated to the
|
||||||
<interfacename>SecurityExpressionHandler<FilterInvocation></interfacename> defined in the application
|
<interfacename>SecurityExpressionHandler<FilterInvocation></interfacename> defined in the application
|
||||||
|
@ -115,7 +115,7 @@ if (principal instanceof UserDetails) {
|
|||||||
<para> On successful authentication, <interfacename>UserDetails</interfacename> is used
|
<para> On successful authentication, <interfacename>UserDetails</interfacename> is used
|
||||||
to build the <interfacename>Authentication</interfacename> object that is stored in
|
to build the <interfacename>Authentication</interfacename> object that is stored in
|
||||||
the <classname>SecurityContextHolder</classname> (more on this <link
|
the <classname>SecurityContextHolder</classname> (more on this <link
|
||||||
xlink:href="#tech-intro-authentication">below</link>). The good news is that we
|
linkend="tech-intro-authentication">below</link>). The good news is that we
|
||||||
provide a number of <interfacename>UserDetailsService</interfacename>
|
provide a number of <interfacename>UserDetailsService</interfacename>
|
||||||
implementations, including one that uses an in-memory map
|
implementations, including one that uses an in-memory map
|
||||||
(<classname>InMemoryDaoImpl</classname>) and another that uses JDBC
|
(<classname>InMemoryDaoImpl</classname>) and another that uses JDBC
|
||||||
@ -132,7 +132,7 @@ if (principal instanceof UserDetails) {
|
|||||||
to other components within the framework. In particular, it <emphasis>does not</emphasis>
|
to other components within the framework. In particular, it <emphasis>does not</emphasis>
|
||||||
authenticate the user, which is done by the <interfacename>AuthenticationManager</interfacename>.
|
authenticate the user, which is done by the <interfacename>AuthenticationManager</interfacename>.
|
||||||
In many cases it makes more sense to
|
In many cases it makes more sense to
|
||||||
<link xlink:href="#core-services-authentication-manager">implement <interfacename>AuthenticationProvider</interfacename></link>
|
<link linkend="core-services-authentication-manager">implement <interfacename>AuthenticationProvider</interfacename></link>
|
||||||
directly if you require a custom authentication process.
|
directly if you require a custom authentication process.
|
||||||
</para>
|
</para>
|
||||||
</note>
|
</note>
|
||||||
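Review bot: the link wrapped around "implement AuthenticationProvider" points at `core-services-authentication-manager`, the same id the hunk at -355 uses for the text "core services chapter", so one target serves two differently worded links. The id name suggests the AuthenticationManager section. If the material on writing an `AuthenticationProvider` has its own `xml:id`, this link should use it. Otherwise, add a word to the link text so the reader knows which section they will land in.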
@ -355,7 +355,7 @@ Successfully authenticated. Security context contains: \
|
|||||||
</para>
|
</para>
|
||||||
<para> If you're wondering how the <interfacename>AuthenticationManager</interfacename>
|
<para> If you're wondering how the <interfacename>AuthenticationManager</interfacename>
|
||||||
is implemented in a real world example, we'll look at that in the <link
|
is implemented in a real world example, we'll look at that in the <link
|
||||||
xlink:href="#core-services-authentication-manager">core services
|
linkend="core-services-authentication-manager">core services
|
||||||
chapter</link>.</para>
|
chapter</link>.</para>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
@ -600,7 +600,7 @@ Successfully authenticated. Security context contains: \
|
|||||||
<classname>RoleVoter</classname>. This is only relevant when a voter-based
|
<classname>RoleVoter</classname>. This is only relevant when a voter-based
|
||||||
<interfacename>AccessDecisionManager</interfacename> is in use. We'll see how
|
<interfacename>AccessDecisionManager</interfacename> is in use. We'll see how
|
||||||
the <interfacename>AccessDecisionManager</interfacename> is implemented in the
|
the <interfacename>AccessDecisionManager</interfacename> is implemented in the
|
||||||
<link xlink:href="#authz-arch">authorization chapter</link>.</para>
|
<link linkend="authz-arch">authorization chapter</link>.</para>
|
||||||
</section>
|
</section>
|
||||||
<section>
|
<section>
|
||||||
<title>RunAsManager</title>
|
<title>RunAsManager</title>
|
||||||
|