diff --git a/core/src/main/resources/META-INF/spring.schemas b/core/src/main/resources/META-INF/spring.schemas index 17e63ad535..5bf71855e0 100644 --- a/core/src/main/resources/META-INF/spring.schemas +++ b/core/src/main/resources/META-INF/spring.schemas @@ -1,3 +1,5 @@ +http\://www.springframework.org/schema/security/spring-security.xsd=org/springframework/security/config/spring-security-2.0.4.xsd http\://www.springframework.org/schema/security/spring-security-2.0.xsd=org/springframework/security/config/spring-security-2.0.xsd http\://www.springframework.org/schema/security/spring-security-2.0.1.xsd=org/springframework/security/config/spring-security-2.0.1.xsd http\://www.springframework.org/schema/security/spring-security-2.0.2.xsd=org/springframework/security/config/spring-security-2.0.2.xsd +http\://www.springframework.org/schema/security/spring-security-2.0.4.xsd=org/springframework/security/config/spring-security-2.0.4.xsd diff --git a/core/src/main/resources/org/springframework/security/config/spring-security-2.0.4.rnc b/core/src/main/resources/org/springframework/security/config/spring-security-2.0.4.rnc index b07d514986..1838b46cc3 100644 --- a/core/src/main/resources/org/springframework/security/config/spring-security-2.0.4.rnc +++ b/core/src/main/resources/org/springframework/security/config/spring-security-2.0.4.rnc @@ -46,6 +46,7 @@ password-encoder.attlist &= ref | (hash? & base64?) salt-source = + ## Password salting strategy. A system-wide constant or a property from the UserDetails object can be used. element salt-source {user-property | system-wide} user-property = ## A property of the UserDetails object which will be used as salt by a password encoder. Typically something like "username" might be used. @@ -69,8 +70,8 @@ ldap-server.attlist &= (url | port)? ldap-server.attlist &= ## Username (DN) of the "manager" user identity which will be used to authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be used. attribute manager-dn {xsd:string}? - ## The password for the manager DN. ldap-server.attlist &= + ## The password for the manager DN. attribute manager-password {xsd:string}? ldap-server.attlist &= ## Explicitly specifies an ldif file resource to load into an embedded LDAP server @@ -91,9 +92,10 @@ group-search-base-attribute = ## Search base for group membership searches. Defaults to "ou=groups". attribute group-search-base {xsd:string} user-search-filter-attribute = + ## The LDAP filter used to search for users (optional). For example "(uid={0})". The substituted parameter is the user's login name. attribute user-search-filter {xsd:string} user-search-base-attribute = - ## Search base for user searches. Defaults to "". + ## Search base for user searches. Defaults to "". Only used with a 'user-search-filter'. attribute user-search-base {xsd:string} group-role-attribute-attribute = ## The LDAP attribute name which contains the role name which will be used within Spring Security. Defaults to "cn". @@ -191,6 +193,7 @@ global-method-security.attlist &= attribute access-decision-manager-ref {xsd:string}? custom-after-invocation-provider = + ## Used to decorate an AfterInvocationProvider to specify that it should be used with method security. element custom-after-invocation-provider {empty} protect-pointcut = @@ -371,7 +374,7 @@ remember-me-services-ref = ## Allows a custom implementation of RememberMeServices to be used. Note that this implementation should return RememberMeAuthenticationToken instances with the same "key" value as specified in the remember-me element. Alternatively it should register its own AuthenticationProvider. attribute services-ref {xsd:string}? remember-me-data-source-ref = - ## DataSource bean for the database that contains the token + ## DataSource bean for the database that contains the token repository schema. data-source-ref anonymous = @@ -430,6 +433,7 @@ ap.attlist &= user-service-ref? custom-authentication-provider = + ## Element used to decorate an AuthenticationProvider bean to add it to the internal AuthenticationManager maintained by the namespace. element custom-authentication-provider {cap.attlist} cap.attlist &= empty @@ -496,6 +500,6 @@ position = -named-security-filter = "FIRST" | "CHANNEL_FILTER" | "CONCURRENT_SESSION_FILTER" | "SESSION_CONTEXT_INTEGRATION_FILTER" | "LOGOUT_FILTER" | "X509_FILTER" | "PRE_AUTH_FILTER" | "CAS_PROCESSING_FILTER" | "AUTHENTICATION_PROCESSING_FILTER" | "BASIC_PROCESSING_FILTER" | "SERVLET_API_SUPPORT_FILTER" | "REMEMBER_ME_FILTER" | "ANONYMOUS_FILTER" | "EXCEPTION_TRANSLATION_FILTER" | "NTLM_FILTER" | "FILTER_SECURITY_INTERCEPTOR" | "SWITCH_USER_FILTER" | "LAST" +named-security-filter = "FIRST" | "CHANNEL_FILTER" | "CONCURRENT_SESSION_FILTER" | "SESSION_CONTEXT_INTEGRATION_FILTER" | "LOGOUT_FILTER" | "X509_FILTER" | "PRE_AUTH_FILTER" | "CAS_PROCESSING_FILTER" | "AUTHENTICATION_PROCESSING_FILTER" | "OPENID_PROCESSING_FILTER" |"BASIC_PROCESSING_FILTER" | "SERVLET_API_SUPPORT_FILTER" | "REMEMBER_ME_FILTER" | "ANONYMOUS_FILTER" | "EXCEPTION_TRANSLATION_FILTER" | "NTLM_FILTER" | "FILTER_SECURITY_INTERCEPTOR" | "SWITCH_USER_FILTER" | "LAST" diff --git a/core/src/main/resources/org/springframework/security/config/spring-security-2.0.4.xsd b/core/src/main/resources/org/springframework/security/config/spring-security-2.0.4.xsd new file mode 100644 index 0000000000..b9e9733af1 --- /dev/null +++ b/core/src/main/resources/org/springframework/security/config/spring-security-2.0.4.xsd @@ -0,0 +1,1461 @@ + + + + + + Defines the hashing algorithm used on user passwords. We recommend + strongly against using MD4, as it is a very weak hashing algorithm. + + + + + + + + + + + + + + + + + + Whether a string should be base64 encoded + + + + + + + + + + + + + Defines the type of pattern used to specify URL paths (either JDK + 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if + unspecified. + + + + + + + + + + + + + Specifies an IP port number. Used to configure an embedded LDAP server, + for example. + + + + + + + Specifies a URL. + + + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + + + Defines a reference to a Spring bean Id. + + + + + + + Defines a reference to a cache for use with a + UserDetailsService. + + + + + + + A reference to a user-service (or UserDetailsService bean) + Id + + + + + + + A reference to a DataSource bean + + + + + + + Defines a reference to a Spring bean Id. + + + + + Defines the hashing algorithm used on user passwords. We recommend + strongly against using MD4, as it is a very weak hashing algorithm. + + + + + + + + + + + + + + + + Whether a string should be base64 encoded + + + + + + + + + + + + + A property of the UserDetails object which will be used as salt by a + password encoder. Typically something like "username" might be used. + + + + + + + A single value that will be used as the salt for a password encoder. + + + + + + + + + + + + + + A non-empty string prefix that will be added to role strings loaded from + persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the + default is non-empty. + + + + + + Defines an LDAP server location or starts an embedded server. The url + indicates the location of a remote server. If no url is given, an embedded server will be + started, listening on the supplied port number. The port is optional and defaults to 33389. + A Spring LDAP ContextSource bean will be registered for the server with the id supplied. + + + + + + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + Specifies a URL. + + + + + Specifies an IP port number. Used to configure an embedded LDAP server, + for example. + + + + + Username (DN) of the "manager" user identity which will be used to + authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be used. + + + + + + The password for the manager DN. + + + + + Explicitly specifies an ldif file resource to load into an embedded LDAP + server + + + + + Optional root suffix for the embedded LDAP server. Default is + "dc=springframework,dc=org" + + + + + + + The optional server to use. If omitted, and a default LDAP server is + registered (using <ldap-server> with no Id), that server will be used. + + + + + + + + Group search filter. Defaults to (uniqueMember={0}). The substituted + parameter is the DN of the user. + + + + + + + Search base for group membership searches. Defaults to + "ou=groups". + + + + + + + The LDAP filter used to search for users (optional). For example + "(uid={0})". The substituted parameter is the user's login name. + + + + + + + Search base for user searches. Defaults to "". Only used with a + 'user-search-filter'. + + + + + + + The LDAP attribute name which contains the role name which will be used + within Spring Security. Defaults to "cn". + + + + + + + Allows the objectClass of the user entry to be specified. If set, the + framework will attempt to load standard attributes for the defined class into the returned + UserDetails object + + + + + + + + + + + + + + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + The optional server to use. If omitted, and a default LDAP server is + registered (using <ldap-server> with no Id), that server will be used. + + + + + + The LDAP filter used to search for users (optional). For example + "(uid={0})". The substituted parameter is the user's login name. + + + + + Search base for user searches. Defaults to "". Only used with a + 'user-search-filter'. + + + + + Group search filter. Defaults to (uniqueMember={0}). The substituted + parameter is the DN of the user. + + + + + Search base for group membership searches. Defaults to + "ou=groups". + + + + + The LDAP attribute name which contains the role name which will be used + within Spring Security. Defaults to "cn". + + + + + Defines a reference to a cache for use with a + UserDetailsService. + + + + + A non-empty string prefix that will be added to role strings loaded from + persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the + default is non-empty. + + + + + Allows the objectClass of the user entry to be specified. If set, the + framework will attempt to load standard attributes for the defined class into the returned + UserDetails object + + + + + + + + + + + + Sets up an ldap authentication provider + + + + + + Specifies that an LDAP provider should use an LDAP compare operation + of the user's password to authenticate the user + + + + + + element which defines a password encoding strategy. Used by an + authentication provider to convert submitted passwords to hashed versions, for + example. + + + + + + Password salting strategy. A system-wide constant or a + property from the UserDetails object can be used. + + + + + A property of the UserDetails object which will be + used as salt by a password encoder. Typically something like + "username" might be used. + + + + + A single value that will be used as the salt for a + password encoder. + + + + + + + + + + + + + + + + + + + + The optional server to use. If omitted, and a default LDAP server is + registered (using <ldap-server> with no Id), that server will be used. + + + + + + Search base for user searches. Defaults to "". Only used with a + 'user-search-filter'. + + + + + The LDAP filter used to search for users (optional). For example + "(uid={0})". The substituted parameter is the user's login name. + + + + + Search base for group membership searches. Defaults to + "ou=groups". + + + + + Group search filter. Defaults to (uniqueMember={0}). The substituted + parameter is the DN of the user. + + + + + The LDAP attribute name which contains the role name which will be used + within Spring Security. Defaults to "cn". + + + + + A specific pattern used to build the user's DN, for example + "uid={0},ou=people". The key "{0}" must be present and will be substituted with the + username. + + + + + A non-empty string prefix that will be added to role strings loaded from + persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the + default is non-empty. + + + + + Allows the objectClass of the user entry to be specified. If set, the + framework will attempt to load standard attributes for the defined class into the returned + UserDetails object + + + + + + + + + + + + + The attribute in the directory which contains the user password. Defaults + to "userPassword". + + + + + Defines the hashing algorithm used on user passwords. We recommend + strongly against using MD4, as it is a very weak hashing algorithm. + + + + + + + + + + + + + + + + + Can be used inside a bean definition to add a security interceptor to the + bean and set up access configuration attributes for the bean's methods + + + + + + Defines a protected method and the access control configuration + attributes that apply to it. We strongly advise you NOT to mix "protect" declarations + with any services provided "global-method-security". + + + + + + + + + + + + + Optional AccessDecisionManager bean ID to be used by the created method + security interceptor. + + + + + + + A method name + + + + + Access configuration attributes list that applies to the method, e.g. + "ROLE_A,ROLE_B". + + + + + + Provides method security for all beans registered in the Spring application + context. Specifically, beans will be scanned for Spring Security annotations and/or matches + with the ordered list of "protect-pointcut" sub-elements. Where there is a match, the beans + will automatically be proxied and security authorization applied to the methods accordingly. + If you use and enable all three sources of method security metadata (ie "protect-pointcut" + declarations, @Secured and also JSR 250 security annotations), the metadata sources will be + queried in that order. In practical terms, this enables you to use XML to override method + security metadata expressed by way of @Secured annotations, with @Secured annotations + overriding method security metadata expressed by JSR 250 annotations. It is perfectly + acceptable to mix and match, with a given Java type using a combination of XML, @Secured and + JSR 250 to express method security metadata (albeit on different + methods). + + + + + + Defines a protected pointcut and the access control configuration + attributes that apply to it. Every bean registered in the Spring application context + that provides a method that matches the pointcut will receive security + authorization. + + + + + + + + + + + + + Specifies whether the use of Spring Security's @Secured annotations should + be enabled for this application context. Please ensure you have the + spring-security-tiger-xxx.jar on the classpath. Defaults to "disabled". + + + + + + + + + + + Specifies whether JSR-250 style attributes are to be used (for example + "RolesAllowed"). This will require the javax.annotation.security classes on the classpath. + Defaults to "disabled". + + + + + + + + + + + Optional AccessDecisionManager bean ID to override the default used for + method security. + + + + + + Used to decorate an AfterInvocationProvider to specify that it should be + used with method security. + + + + + + + An AspectJ expression, including the 'execution' keyword. For example, + 'execution(int com.foo.TargetObject.countLength(String))' (without the + quotes). + + + + + Access configuration attributes list that applies to all methods matching + the pointcut, e.g. "ROLE_A,ROLE_B" + + + + + + Container element for HTTP security configuration + + + + + + Specifies the access attributes and/or filter list for a particular + set of URLs. + + + + + + + + Sets up a form login configuration for authentication with a username + and password + + + + + + + + + Adds support for X.509 client authentication. + + + + + + + + Adds support for basic authentication (this is an element to permit + future expansion, such as supporting an "ignoreFailure" attribute) + + + + + + Incorporates a logout processing filter. Most web applications require + a logout filter, although you may not require one if you write a controller to + provider similar logic. + + + + + + + + Adds support for concurrent session control, allowing limits to be + placed on the number of sessions a user can have. + + + + + + + + Sets up remember-me authentication. If used with the "key" attribute + (or no attributes) the cookie-only implementation will be used. Specifying + "token-repository-ref" or "remember-me-data-source-ref" will use the more secure, + persisten token approach. + + + + + + + + Adds support for automatically granting all anonymous web requests a + particular principal identity and a corresponding granted + authority. + + + + + + + + Defines the list of mappings between http and https ports for use in + redirects + + + + + + + + + + + + + + + Automatically registers a login form, BASIC authentication, anonymous + authentication, logout services, remember-me and servlet-api-integration. If set to + "true", all of these capabilities are added (although you can still customize the + configuration of each by providing the respective element). If unspecified, defaults to + "false". + + + + + Controls the eagerness with which an HTTP session is created. If not set, + defaults to "ifRequired". + + + + + + + + + + + + Defines the type of pattern used to specify URL paths (either JDK + 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if + unspecified. + + + + + + + + + + + Whether test URLs should be converted to lower case prior to comparing + with defined path patterns. If unspecified, defaults to "true". + + + + + Provides versions of HttpServletRequest security methods such as + isUserInRole() and getPrincipal() which are implemented by accessing the Spring + SecurityContext. Defaults to "true". + + + + + Optional attribute specifying the ID of the AccessDecisionManager + implementation which should be used for authorizing HTTP requests. + + + + + Optional attribute specifying the realm name that will be used for all + authentication features that require a realm name (eg BASIC and Digest authentication). If + unspecified, defaults to "Spring Security Application". + + + + + Indicates whether an existing session should be invalidated when a user + authenticates and a new session started. If set to "none" no change will be made. + "newSession" will create a new empty session. "migrateSession" will create a new session + and copy the session attributes to the new session. Defaults to + "migrateSession". + + + + + + + + + + + + Allows a customized AuthenticationEntryPoint to be + used. + + + + + Corresponds to the observeOncePerRequest property of + FilterSecurityInterceptor. Defaults to "true" + + + + + Allows the access denied page to be set (the user will be redirected here + if an AccessDeniedException is raised). + + + + + + + The pattern which defines the URL path. The content will depend on the + type set in the containing http element, so will default to ant path + syntax. + + + + + The access configuration attributes that apply for the configured + path. + + + + + The HTTP Method for which the access configuration attributes should + apply. If not specified, the attributes will apply to any method. + + + + + + + + + + + + + + + + The filter list for the path. Currently can be set to "none" to remove a + path from having any filters applied. The full filter stack (consisting of all filters + created by the namespace configuration, and any added using 'custom-filter'), will be + applied to any other paths. + + + + + + + + + + Used to specify that a URL must be accessed over http or + https + + + + + + + + + + + + + + Specifies the URL that will cause a logout. Spring Security will + initialize a filter that responds to this particular URL. Defaults to + /j_spring_security_logout if unspecified. + + + + + Specifies the URL to display once the user has logged out. If not + specified, defaults to /. + + + + + Specifies whether a logout also causes HttpSession invalidation, which is + generally desirable. If unspecified, defaults to true. + + + + + + + The URL that the login form is posted to. If unspecified, it defaults to + /j_spring_security_check. + + + + + The URL that will be redirected to after successful authentication, if the + user's previous action could not be resumed. This generally happens if the user visits a + login page without having first requested a secured operation that triggers + authentication. If unspecified, defaults to the root of the + application. + + + + + Whether the user should always be redirected to the default-target-url + after login. + + + + + The URL for the login page. If no login URL is specified, Spring Security + will automatically create a login URL at /spring_security_login and a corresponding filter + to render that login URL when requested. + + + + + The URL for the login failure page. If no login failure URL is specified, + Spring Security will automatically create a failure login URL at + /spring_security_login?login_error and a corresponding filter to render that login failure + URL when requested. + + + + + + Sets up form login for authentication with an Open ID + identity + + + + + + A reference to a user-service (or UserDetailsService bean) + Id + + + + + + + Used to explicitly configure a FilterChainProxy instance with a + FilterChainMap + + + + + + Used within filter-chain-map to define a specific URL pattern and the + list of filters which apply to the URLs matching that pattern. When multiple + filter-chain elements are used within a filter-chain-map element, the most specific + patterns must be placed at the top of the list, with most general ones at the + bottom. + + + + + + + + + + + + + + + + + + + Used to explicitly configure a FilterInvocationDefinitionSource bean for use + with a FilterSecurityInterceptor. Usually only needed if you are configuring a + FilterChainProxy explicitly, rather than using the <http> element. The + intercept-url elements used should only contain pattern, method and access attributes. Any + others will result in a configuration error. + + + + + + Specifies the access attributes and/or filter list for a particular + set of URLs. + + + + + + + + + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + as for http element + + + + + Defines the type of pattern used to specify URL paths (either JDK + 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if + unspecified. + + + + + + + + + + + + + + The URL a user will be redirected to if they attempt to use a session + which has been "expired" by the concurrent session controller. + + + + + Specifies that an exception should be raised when a user attempts to login + twice. The default behaviour is to expire the original session. + + + + + Allows you to define an alias for the SessionRegistry bean in order to + access it in your own configuration + + + + + A reference to an external SessionRegistry implementation which will be + used in place of the standard one. + + + + + + + The "key" used to identify cookies from a specific token-based remember-me + application. You should set this to a unique value for your + application. + + + + + Reference to a PersistentTokenRepository bean for use with the persistent + token remember-me implementation. + + + + + A reference to a DataSource bean + + + + + + A reference to a user-service (or UserDetailsService bean) + Id + + + + + The period (in seconds) for which the remember-me cookie should be valid. + + + + + + + + Reference to a PersistentTokenRepository bean for use with the persistent + token remember-me implementation. + + + + + + + Allows a custom implementation of RememberMeServices to be used. Note that + this implementation should return RememberMeAuthenticationToken instances with the same + "key" value as specified in the remember-me element. Alternatively it should register its + own AuthenticationProvider. + + + + + + + + + + The key shared between the provider and filter. This generally does not + need to be set. If unset, it will default to "doesNotMatter". + + + + + The username that should be assigned to the anonymous request. This allows + the principal to be identified, which may be important for logging and auditing. if unset, + defaults to "anonymousUser". + + + + + The granted authority that should be assigned to the anonymous request. + Commonly this is used to assign the anonymous request particular roles, which can + subsequently be used in authorization decisions. If unset, defaults to + "ROLE_ANONYMOUS". + + + + + + + + + + + + + + + + + + + The regular expression used to obtain the username from the certificate's + subject. Defaults to matching on the common name using the pattern + "CN=(.*?),". + + + + + A reference to a user-service (or UserDetailsService bean) + Id + + + + + + If you are using namespace configuration with Spring Security, an + AuthenticationManager will automatically be registered. This element allows you to define an + alias to allow you to reference the authentication-manager in your own beans. + + + + + + + + + + The alias you wish to use for the AuthenticationManager + bean + + + + + Allows the session controller to be set on the internal + AuthenticationManager. This should not be used with the <concurrent-session-control + /> element + + + + + + Indicates that the contained user-service should be used as an + authentication source. + + + + + + + element which defines a password encoding strategy. Used by an + authentication provider to convert submitted passwords to hashed versions, for + example. + + + + + + Password salting strategy. A system-wide constant or a property + from the UserDetails object can be used. + + + + + A property of the UserDetails object which will be used as + salt by a password encoder. Typically something like "username" might be + used. + + + + + A single value that will be used as the salt for a password + encoder. + + + + + + + + + + + + + + + + A reference to a user-service (or UserDetailsService bean) + Id + + + + + + Element used to decorate an AuthenticationProvider bean to add it to the + internal AuthenticationManager maintained by the namespace. + + + + + + Creates an in-memory UserDetailsService from a properties file or a list of + "user" child elements. + + + + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + + + + + + + Represents a user in the application. + + + + + + + + + The username assigned to the user. + + + + + The password assigned to the user. This may be hashed if the corresponding + authentication provider supports hashing (remember to set the "hash" attribute of the + "user-service" element). + + + + + One of more authorities granted to the user. Separate authorities with a + comma (but no space). For example, "ROLE_USER,ROLE_ADMINISTRATOR" + + + + + Can be set to "true" to mark an account as locked and + unusable. + + + + + Can be set to "true" to mark an account as disabled and + unusable. + + + + + + Causes creation of a JDBC-based UserDetailsService. + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + + + + + The bean ID of the DataSource which provides the required + tables. + + + + + Defines a reference to a cache for use with a + UserDetailsService. + + + + + An SQL statement to query a username, password, and enabled status given a + username + + + + + An SQL statement to query for a user's granted authorities given a + username. + + + + + An SQL statement to query user's group authorities given a + username. + + + + + A non-empty string prefix that will be added to role strings loaded from + persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the + default is non-empty. + + + + + + + + + + + + Used to indicate that a filter bean declaration should be incorporated into + the security filter chain. If neither the 'after' or 'before' options are supplied, then the + filter must implement the Ordered interface directly. + + + + + The filter immediately after which the custom-filter should be placed in + the chain. This feature will only be needed by advanced users who wish to mix their own + filters into the security filter chain and have some knowledge of the standard Spring + Security filters. The filter names map to specific Spring Security implementation + filters. + + + + + The filter immediately before which the custom-filter should be placed + in the chain + + + + + The explicit position at which the custom-filter should be placed in the + chain. Use if you are replacing a standard filter. + + + + + + + + The filter immediately after which the custom-filter should be placed in + the chain. This feature will only be needed by advanced users who wish to mix their own + filters into the security filter chain and have some knowledge of the standard Spring + Security filters. The filter names map to specific Spring Security implementation filters. + + + + + + + + The filter immediately before which the custom-filter should be placed in + the chain + + + + + + + The explicit position at which the custom-filter should be placed in the + chain. Use if you are replacing a standard filter. + + + + + + + + + + + + + + + + + + + + + + + + + + +