namespace document.

2025-07-02 16:52:14 +00:00 · 2007-11-07 18:40:51 +00:00 · 2007-11-07 18:40:51 +00:00 · 53253cf8f8
commit 53253cf8f8
parent 746f052d42
1 changed files with 159 additions and 0 deletions
--- a/src/site/apt/namespaces.apt
+++ b/src/site/apt/namespaces.apt
@ -0,0 +1,159 @@
+                                ----------------------------------------
+                                     Security Namespace Configuration
+                                ----------------------------------------
+                                         ------------------------
+                                           (2007-11-7 draft)
+                                         ------------------------
+
+
+Overview
+
+
+* Summary
+
+    Spring Security will make use of Spring 2.0 namespace-based configuration features to allow much more concise
+    configuration. This document outlines the current state of development and the features that have been
+    implemented so far and raises points for discussion. The features are still largely experimental and subject to
+    change.
+
+    The {{{http://acegisecurity.svn.sourceforge.net/svnroot/acegisecurity/spring-security/trunk/core/src/main/resources/org/springframework/security/config/}schema files}}
+    can be found in the core package.
+
+    For simplicity, a relax NG compact schema (the rnc file) has been used as it is easier to work with.
+    This is then coverted into a W3C schema using trang.
+
+* Design
+
+    The initial aim is to provide a relatively small set of namespace configuration options which capture the most
+    common uses of framework, especially for inexperienced users who don't require much in the way of customization.
+    The focus should be mainly on providing high-level components which logically match the different aspects of
+    securing an application. While it is also useful to have namespace options for simplifying the configuration of
+    existing framework beans, this is a somewhat orthogonal requirement, with different target users, and will be dealt
+    with separately. Only the most obvious customizations will be implemented to start with.
+
+    With these aims in mind, the design is largely based around the large-scale dependencies within the framework.
+    It can be divided up into the following areas:
+
+    * <<Web/HTTP Security>> - this is by far the largest and most complex area, consisting of
+
+        * Filter chain proxy
+
+        * HttpSessionContextIntegrationFilter - special filter which is of key importance.
+
+        * The filters which are responsible for most of Spring Security's web application features.
+
+        * ExceptionTranslationFilter and FilterSecurityInterceptor - other special filters.
+
+        * Authentication entry point(s).
+
+        * Concurrent session support (optional).
+
+        * Remember-me service (optional).
+
+    The only inward dependency here is that the AuthenticationManager must be made aware of the
+    ConcurrentSessionController (if configured). Apart from this, the other areas of the framework are unaware of
+    web-related functionality.
+
+    * <<Business Object (Method) Security>> - This is currently implemented using a bean decorator within the
+     business object bean, which is a relatively simple syntax.
+
+    * <<AuthenticationManager>> - this is the main dependency of other parts of the framework. The namespace
+    configuration creates an instance of ProviderManager as required and registers it under a known name. It assumes
+    that this will be used by all the configured beans. This currently happens automatically. It might be worth
+    introducing a
+
+---
+    <security:authentication-manager id="othername"/>
+---
+
+    element just to allow users to explicitly configure an authentication manager which they can use in other beans.
+    The additional name could be registered as an alias.
+
+    * <<AccessDecisionManager>> - The security interceptors (both for method and http security) require access to
+    an access decision manager. At the moment a default one is created and used by both, but they should additionally
+    support the use of an independently configured access manager, based on Id. The standard bean syntax should be
+    sufficient for the moment.
+
+    * <<AuthenticationProviders>> - these can be created individually and register themselves with the authentication
+    manager. Current namespace options are limited but each provider should be pretty much self-contained and hence
+    relatively simple to implement. There may be multiple providers within an application so some means of ordering will
+    be required.
+
+    * <<UserDetailsService>> - Closely related to the authentication providers, but often also required by other beans.
+    Again the implementations should be relatively straightforward. There may be multiple implementations within the
+    application.
+
+
+* Http Security
+
+   Probably the best starting point here is to look at the namespace configuration which is currently in use in the
+   sample application:
+
+--------------------------------------------------------------------------------------------------------------------
+
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:security="http://www.springframework.org/schema/security"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
+
+    <security:http>
+        <security:intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
+        <security:intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED" />
+        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
+
+        <security:form-login />
+        <security:http-basic realm="SpringSecurityTutorialApp"  />
+        <security:logout />
+        <security:concurrent-session-control maxSessions="1" exceptionIfMaximumExceeded="true"/>
+
+        <security:remember-me key="doesntmatter" tokenRepository="tokenRepo"/>
+    </security:http>
+
+    <bean name="tokenRepo" class="org.springframework.security.ui.rememberme.InMemoryTokenRepositoryImpl"/>
+
+    <security:authentication-provider>
+        <security:user-service>
+            <security:user name="bob" password="bobspassword" authorities="ROLE_SUPERVISOR" />
+            <security:user name="bill" password="billspassword" authorities="ROLE_A,ROLE_B" />
+        </security:user-service>
+    </security:authentication-provider>
+
+</beans>
+
+--------------------------------------------------------------------------------------------------------------------
+
+** \<security:http /\>
+
+    This element groups the other http-specific elements together and has attributes which allow the
+    session creation strategy to be set. It also allows you to specify the type of pattern that will be used for URL
+    definitions within the block. This defaults to ``ant'' since this is what users almost always use in practice.
+
+    The {{{./spring-security-core/xref/org/springframework/security/config/HttpSecurityBeanDefinitionParser.html}HttpSecurityBeanDefinitionParser}}
+    class is responsible for handling the contents. It creates a FilterChainProxy
+    instance, HttpSessionContextIntegrationFilter, FilterSecurityInterceptor and ExceptionTranslationFilter and parses
+    the child intercept-url elements (see below). It then delegates to separate parsers to handle the contents of other
+    child elements. These encapsulate the functionality of separate web application concerns which are implemented
+    by Spring Security and will typically each create a filter and possibly one or more other beans.
+
+    Finally a post processor (HttpSecurityConfigPostProcessor) is registered to handle issues which can't be done
+    until the application context has been completed. This includes assembling and ordering the filter chain. The core
+    filters now implement Ordered and a standard ordering has been established for them. Other filters in the
+    context must also implement Ordered to be considered, so it may be necessary to provide an element which can be
+    used to decorate filter beans to achieve this, if the user can't (or doesn't want to) make their code implement
+    Ordered explicitly.
+
+
+** \<security:intercept-url /\>
+
+    In a traditional, bean-configured setup, there are several beans which require the use of URL patterns -
+    FilterChainProxy, FilterSecurityInterceptor and ChannelProcessingFilter. These can now be specified using a
+    single construct and the appropriate beans created and assembled by the parser. This allows options to be combined
+    in a more logical fashion without duplication. The user picks the important URLs for their application, defines the
+    patterns for them and then specifies which filters should be used, what access configuration attributes
+    the FilterSecurityInterceptor should enforce and if any channel restrictions apply. Only the access decision part
+    has been implemented. The only option for filters is currently "none", which will omit the URL from the security
+    filter chain entirely. It's not clear how or if additional filter order customization should be implemented (other
+    than by allowing Ids to be set on the various child elements). Channel security should be straightforward.
+
+