SEC-625: Remove references to FilterToBeanProxy
This commit is contained in:
parent
1492918674
commit
5743763599
|
@ -43,8 +43,7 @@ import javax.servlet.http.HttpServletResponse;
|
|||
|
||||
/**
|
||||
* Detects if there is no <code>Authentication</code> object in the <code>SecurityContextHolder</code>, and
|
||||
* populates it with one if needed.<p><b>Do not use this class directly.</b> Instead configure <code>web.xml</code>
|
||||
* to use the {@link org.springframework.security.util.FilterToBeanProxy}.</p>
|
||||
* populates it with one if needed.
|
||||
*
|
||||
* @author Ben Alex
|
||||
* @version $Id$
|
||||
|
|
|
@ -45,8 +45,6 @@ import java.util.Collection;
|
|||
* <p>Delegates the actual channel security decisions and necessary actions to the configured
|
||||
* {@link ChannelDecisionManager}. If a response is committed by the <code>ChannelDecisionManager</code>,
|
||||
* the filter chain will not proceed.</p>
|
||||
* <p><b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the {@link
|
||||
* org.springframework.security.util.FilterToBeanProxy}.</p>
|
||||
*
|
||||
* @author Ben Alex
|
||||
* @version $Id$
|
||||
|
|
|
@ -73,10 +73,6 @@ import javax.servlet.http.HttpServletResponse;
|
|||
* <li><code>portResolver</code> is used to determine the "real" port that a
|
||||
* request was received on.</li>
|
||||
* </ul>
|
||||
* <p>
|
||||
* <b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the
|
||||
* {@link org.springframework.security.util.FilterToBeanProxy}.
|
||||
* </p>
|
||||
*
|
||||
* @author Ben Alex
|
||||
* @author colin sampaleanu
|
||||
|
|
|
@ -81,8 +81,6 @@ import javax.servlet.http.HttpServletResponse;
|
|||
* <p>Note there are limitations to Digest authentication, although it is a more comprehensive and secure solution
|
||||
* than Basic authentication. Please see RFC 2617 section 4 for a full discussion on the advantages of Digest
|
||||
* authentication over Basic authentication, including commentary on the limitations that it still imposes.</p>
|
||||
* <p><b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the {@link
|
||||
* org.springframework.security.util.FilterToBeanProxy}.</p>
|
||||
*/
|
||||
public class DigestProcessingFilter implements Filter, InitializingBean, MessageSourceAware {
|
||||
//~ Static fields/initializers =====================================================================================
|
||||
|
|
|
@ -42,11 +42,7 @@ import org.springframework.util.StringUtils;
|
|||
* <p>
|
||||
* After logout, the URL specified by {@link #logoutSuccessUrl} will be shown.
|
||||
* </p>
|
||||
* <p>
|
||||
* <b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the
|
||||
* {@link org.springframework.security.util.FilterToBeanProxy}.
|
||||
* </p>
|
||||
*
|
||||
*
|
||||
* @author Ben Alex
|
||||
* @version $Id$
|
||||
*/
|
||||
|
|
|
@ -50,8 +50,6 @@ import java.io.IOException;
|
|||
* org.springframework.security.event.authentication.InteractiveAuthenticationSuccessEvent} will be published to the application
|
||||
* context. No events will be published if authentication was unsuccessful, because this would generally be recorded
|
||||
* via an <code>AuthenticationManager</code>-specific application event.</p>
|
||||
* <p><b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the {@link
|
||||
* org.springframework.security.util.FilterToBeanProxy}.</p>
|
||||
*
|
||||
* @author Ben Alex
|
||||
* @version $Id$
|
||||
|
|
|
@ -35,10 +35,6 @@ import javax.servlet.http.HttpSession;
|
|||
* static fields {@link #SPRING_SECURITY_FORM_USERNAME_KEY} and {@link #SPRING_SECURITY_FORM_PASSWORD_KEY}.
|
||||
* The parameter names can also be changed by setting the <tt>usernameParameter</tt> and <tt>passwordParameter</tt>
|
||||
* properties.
|
||||
* </p>
|
||||
*
|
||||
* <p><b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the {@link
|
||||
* org.springframework.security.util.FilterToBeanProxy}.</p>
|
||||
*
|
||||
* @author Ben Alex
|
||||
* @author Colin Sampaleanu
|
||||
|
|
|
@ -32,17 +32,18 @@ import javax.servlet.http.HttpServletResponse;
|
|||
|
||||
/**
|
||||
* Extends Spring Security's AuthenticationProcessingFilter to pick up CA/Netegrity Siteminder headers.
|
||||
* <p>Also provides a backup form-based authentication and the ability set source key names.</p>
|
||||
* <p><b>Siteminder</b> must present two <b>headers</b> to this filter, a username and password. You must set the
|
||||
* <p>
|
||||
* Also provides a backup form-based authentication and the ability set source key names.
|
||||
* <p>
|
||||
* <b>Siteminder</b> must present two <b>headers</b> to this filter, a username and password. You must set the
|
||||
* header keys before this filter is used for authentication, otherwise Siteminder checks will be skipped. If the
|
||||
* Siteminder check is unsuccessful (i.e. if the headers are not found), then the form parameters will be checked (see
|
||||
* next paragraph). This allows applications to optionally function even when their Siteminder infrastructure is
|
||||
* unavailable, as is often the case during development.</p>
|
||||
* <p><b>Login forms</b> must present two <b>parameters</b> to this filter: a username and password. If not
|
||||
* unavailable, as is often the case during development.
|
||||
* <p>
|
||||
* <b>Login forms</b> must present two <b>parameters</b> to this filter: a username and password. If not
|
||||
* specified, the parameter names to use are contained in the static fields {@link #SPRING_SECURITY_FORM_USERNAME_KEY}
|
||||
* and {@link #SPRING_SECURITY_FORM_PASSWORD_KEY}.</p>
|
||||
* <p><b>Do not use this class directly.</b> Instead, configure <code>web.xml</code> to use the {@link
|
||||
* org.springframework.security.util.FilterToBeanProxy}.</p>
|
||||
* and {@link #SPRING_SECURITY_FORM_PASSWORD_KEY}.
|
||||
*/
|
||||
public class SiteminderAuthenticationProcessingFilter extends AuthenticationProcessingFilter {
|
||||
//~ Static fields/initializers =====================================================================================
|
||||
|
|
|
@ -62,8 +62,6 @@ import javax.servlet.FilterConfig;
|
|||
* org.springframework.security.event.authentication.InteractiveAuthenticationSuccessEvent} will be published to the application
|
||||
* context. No events will be published if authentication was unsuccessful, because this would generally be recorded
|
||||
* via an <code>AuthenticationManager</code>-specific application event.</p>
|
||||
* <p><b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the {@link
|
||||
* org.springframework.security.util.FilterToBeanProxy}.</p>
|
||||
*
|
||||
* @author Luke Taylor
|
||||
* @deprecated Use <tt>X509PreAuthenticatedProcessingFilter</tt> from the preauth.x509 package instead
|
||||
|
|
|
@ -11,19 +11,16 @@
|
|||
<param-value>/WEB-INF/classes/log4j.properties</param-value>
|
||||
</context-param>
|
||||
|
||||
<filter>
|
||||
<filter-name>Acegi Filter Chain Proxy</filter-name>
|
||||
<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
|
||||
<init-param>
|
||||
<param-name>targetClass</param-name>
|
||||
<param-value>org.acegisecurity.util.FilterChainProxy</param-value>
|
||||
</init-param>
|
||||
</filter>
|
||||
<filter-mapping>
|
||||
<filter-name>Acegi Filter Chain Proxy</filter-name>
|
||||
<url-pattern>/*</url-pattern>
|
||||
</filter-mapping>
|
||||
|
||||
<filter>
|
||||
<filter-name>springSecurityFilterChain</filter-name>
|
||||
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
|
||||
</filter>
|
||||
|
||||
<filter-mapping>
|
||||
<filter-name>springSecurityFilterChain</filter-name>
|
||||
<url-pattern>/*</url-pattern>
|
||||
</filter-mapping>
|
||||
|
||||
<listener>
|
||||
<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
|
||||
</listener>
|
||||
|
|
|
@ -11,19 +11,16 @@
|
|||
<param-value>/WEB-INF/classes/log4j.properties</param-value>
|
||||
</context-param>
|
||||
|
||||
<filter>
|
||||
<filter-name>Acegi Filter Chain Proxy</filter-name>
|
||||
<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
|
||||
<init-param>
|
||||
<param-name>targetClass</param-name>
|
||||
<param-value>org.acegisecurity.util.FilterChainProxy</param-value>
|
||||
</init-param>
|
||||
</filter>
|
||||
<filter-mapping>
|
||||
<filter-name>Acegi Filter Chain Proxy</filter-name>
|
||||
<url-pattern>/*</url-pattern>
|
||||
</filter-mapping>
|
||||
|
||||
<filter>
|
||||
<filter-name>springSecurityFilterChain</filter-name>
|
||||
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
|
||||
</filter>
|
||||
|
||||
<filter-mapping>
|
||||
<filter-name>springSecurityFilterChain</filter-name>
|
||||
<url-pattern>/*</url-pattern>
|
||||
</filter-mapping>
|
||||
|
||||
<listener>
|
||||
<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
|
||||
</listener>
|
||||
|
|
24
ntlm/web.xml
24
ntlm/web.xml
|
@ -16,20 +16,16 @@
|
|||
</context-param>
|
||||
|
||||
<!-- 2. Setup the Spring Security Filter Chain Proxy -->
|
||||
<filter>
|
||||
<filter-name>Spring Security Filter Chain Proxy</filter-name>
|
||||
<filter-class>org.springframework.security.util.FilterToBeanProxy</filter-class>
|
||||
<init-param>
|
||||
<param-name>targetClass</param-name>
|
||||
<param-value>org.springframework.security.util.FilterChainProxy</param-value>
|
||||
</init-param>
|
||||
</filter>
|
||||
|
||||
<filter-mapping>
|
||||
<filter-name>Spring Security Filter Chain Proxy</filter-name>
|
||||
<url-pattern>/**</url-pattern>
|
||||
</filter-mapping>
|
||||
|
||||
<filter>
|
||||
<filter-name>filterChainProxy</filter-name>
|
||||
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
|
||||
</filter>
|
||||
|
||||
<filter-mapping>
|
||||
<filter-name>filterChainProxy</filter-name>
|
||||
<url-pattern>/*</url-pattern>
|
||||
</filter-mapping>
|
||||
|
||||
<!-- 3. Setup three listeners -->
|
||||
<!-- a) Setup a listener to connect spring with the web context -->
|
||||
<listener>
|
||||
|
|
|
@ -41,57 +41,35 @@
|
|||
|
||||
<sect1 id="channel-security-config">
|
||||
<title>Configuration</title>
|
||||
|
||||
<para>To utilise Spring Security's channel security services, add the
|
||||
following lines to <literal>web.xml</literal>:</para>
|
||||
|
||||
<para><programlisting>
|
||||
<filter>
|
||||
<filter-name>Spring Security Channel Processing Filter</filter-name>
|
||||
<filter-class>org.springframework.security.util.FilterToBeanProxy</filter-class>
|
||||
<init-param>
|
||||
<param-name>targetClass</param-name>
|
||||
<param-value>org.springframework.security.securechannel.ChannelProcessingFilter</param-value>
|
||||
</init-param>
|
||||
</filter>
|
||||
|
||||
<filter-mapping>
|
||||
<filter-name>Spring Security Channel Processing Filter</filter-name>
|
||||
<url-pattern>/*</url-pattern>
|
||||
</filter-mapping>
|
||||
|
||||
</programlisting></para>
|
||||
|
||||
<para>As usual when running <literal>FilterToBeanProxy</literal>, you
|
||||
will also need to configure the filter in your application
|
||||
<para>To use chanel security, you should define the following the filter in your application
|
||||
context:</para>
|
||||
|
||||
<para><programlisting>
|
||||
<bean id="channelProcessingFilter" class="org.springframework.security.securechannel.ChannelProcessingFilter">
|
||||
<property name="channelDecisionManager"><ref bean="channelDecisionManager"/></property>
|
||||
<property name="filterInvocationDefinitionSource">
|
||||
<value>
|
||||
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
|
||||
\A/secure/.*\Z=REQUIRES_SECURE_CHANNEL
|
||||
\A/acegilogin.jsp.*\Z=REQUIRES_SECURE_CHANNEL
|
||||
\A/j_spring_security_check.*\Z=REQUIRES_SECURE_CHANNEL
|
||||
\A.*\Z=REQUIRES_INSECURE_CHANNEL
|
||||
</value>
|
||||
</property>
|
||||
</bean>
|
||||
<para><programlisting><![CDATA[
|
||||
<bean id="channelProcessingFilter" class="org.springframework.security.securechannel.ChannelProcessingFilter">
|
||||
<property name="channelDecisionManager" ref="channelDecisionManager"/>
|
||||
<property name="filterInvocationDefinitionSource">
|
||||
<security:filter-invocation-definition-source path-type="regex">
|
||||
<security:intercept-url pattern="\A/secure/.*\Z" access="REQUIRES_SECURE_CHANNEL"/>
|
||||
<security:intercept-url pattern="\A/acegilogin.jsp.*\" access="REQUIRES_SECURE_CHANNEL"/>
|
||||
<security:intercept-url pattern="\A/j_spring_security_check.*\Z" access="REQUIRES_SECURE_CHANNEL"/>
|
||||
<security:intercept-url pattern="\A/.*\Z" access="REQUIRES_INSECURE_CHANNEL"/>
|
||||
</security:filter-invocation-definition-source>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<bean id="channelDecisionManager" class="org.springframework.security.securechannel.ChannelDecisionManagerImpl">
|
||||
<property name="channelProcessors">
|
||||
<list>
|
||||
<ref bean="secureChannelProcessor"/>
|
||||
<ref bean="insecureChannelProcessor"/>
|
||||
</list>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<bean id="secureChannelProcessor" class="org.springframework.security.securechannel.SecureChannelProcessor"/>
|
||||
<bean id="insecureChannelProcessor" class="org.springframework.security.securechannel.InsecureChannelProcessor"/>
|
||||
<bean id="channelDecisionManager" class="org.springframework.security.securechannel.ChannelDecisionManagerImpl">
|
||||
<property name="channelProcessors">
|
||||
<list>
|
||||
<ref bean="secureChannelProcessor"/>
|
||||
<ref bean="insecureChannelProcessor"/>
|
||||
</list>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<bean id="secureChannelProcessor" class="org.springframework.security.securechannel.SecureChannelProcessor"/>
|
||||
<bean id="insecureChannelProcessor" class="org.springframework.security.securechannel.InsecureChannelProcessor"/>
|
||||
]]>
|
||||
</programlisting></para>
|
||||
|
||||
<para>Like <literal>FilterSecurityInterceptor</literal>, Apache Ant
|
||||
|
|
|
@ -17,28 +17,29 @@
|
|||
user for them to login) plus BASIC authentication (ie so a web service
|
||||
or similar can access protected resources).</para>
|
||||
|
||||
<para>In the web.xml, this application will need a single Acegi
|
||||
<para>In the web.xml, this application will need a single Spring
|
||||
Security filter in order to use the FilterChainProxy. Nearly every
|
||||
Spring Security application will have such an entry, and it looks like
|
||||
this:</para>
|
||||
|
||||
<para><programlisting><filter>
|
||||
<filter-name>Spring Security Filter Chain Proxy</filter-name>
|
||||
<filter-class>org.springframework.security.util.FilterToBeanProxy</filter-class>
|
||||
<init-param>
|
||||
<param-name>targetClass</param-name>
|
||||
<param-value>org.springframework.security.util.FilterChainProxy</param-value>
|
||||
</init-param>
|
||||
</filter>
|
||||
<para><programlisting>
|
||||
<![CDATA[
|
||||
<filter>
|
||||
<filter-name>filterChainProxy</filter-name>
|
||||
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
|
||||
</filter>
|
||||
|
||||
<filter-mapping>
|
||||
<filter-name>Spring Security Filter Chain Proxy</filter-name>
|
||||
<url-pattern>/*</url-pattern>
|
||||
</filter-mapping></programlisting></para>
|
||||
<filter-mapping>
|
||||
<filter-name>filterChainProxy</filter-name>
|
||||
<url-pattern>/*</url-pattern>
|
||||
</filter-mapping>
|
||||
]]></programlisting></para>
|
||||
|
||||
<para>The above declarations will cause every web request to be passed
|
||||
through to Spring Security's FilterChainProxy. As explained in the
|
||||
filters section of this reference guide, the
|
||||
through to the bean called <literal>filterChainProxy</literal>
|
||||
which will usually be an instance of Spring Security's
|
||||
<classname>FilterChainProxy</classname>.
|
||||
As explained in the filters section of this reference guide, the
|
||||
<classname>FilterChainProxy</classname> is a generally-useful class
|
||||
that enables web requests to be passed to different filters based on
|
||||
the URL patterns. Those delegated filters are managed inside the
|
||||
|
|
|
@ -21,35 +21,17 @@
|
|||
<para>The login form simply contains <literal>j_username</literal> and
|
||||
<literal>j_password</literal> input fields, and posts to a URL that is
|
||||
monitored by the filter (by default
|
||||
<literal>j_spring_security_check</literal>). The filter is defined in
|
||||
<literal>web.xml</literal> behind a
|
||||
<literal>FilterToBeanProxy</literal> as follows:</para>
|
||||
|
||||
<para><programlisting><filter>
|
||||
<filter-name>Acegi Authentication Processing Filter</filter-name>
|
||||
<filter-class>org.springframework.security.util.FilterToBeanProxy</filter-class>
|
||||
<init-param>
|
||||
<param-name>targetClass</param-name>
|
||||
<param-value>org.springframework.security.ui.webapp.AuthenticationProcessingFilter</param-value>
|
||||
</init-param>
|
||||
</filter>
|
||||
|
||||
<filter-mapping>
|
||||
<filter-name>Acegi Authentication Processing Filter</filter-name>
|
||||
<url-pattern>/*</url-pattern>
|
||||
</filter-mapping></programlisting></para>
|
||||
|
||||
<para>For a discussion of <literal>FilterToBeanProxy</literal>, please
|
||||
refer to the Filters section. The application context will need to
|
||||
define the <literal>AuthenticationProcessingFilter</literal>:</para>
|
||||
|
||||
<para><programlisting><bean id="authenticationProcessingFilter"
|
||||
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
|
||||
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
||||
<property name="authenticationFailureUrl"><value>/acegilogin.jsp?login_error=1</value></property>
|
||||
<property name="defaultTargetUrl"><value>/</value></property>
|
||||
<property name="filterProcessesUrl"><value>/j_spring_security_check</value></property>
|
||||
</bean> </programlisting></para>
|
||||
<literal>j_spring_security_check</literal>). You should add an
|
||||
<literal>AuthenticationProcessingFilter</literal> to you application context:
|
||||
<programlisting><![CDATA[
|
||||
<bean id="authenticationProcessingFilter"
|
||||
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
|
||||
<property name="authenticationManager" ref="authenticationManager"/>
|
||||
<property name="authenticationFailureUrl" value="/acegilogin.jsp?login_error=1"/>
|
||||
<property name="defaultTargetUrl" value="/"/>
|
||||
<property name="filterProcessesUrl" value="/j_spring_security_check"/>
|
||||
</bean> ]]>
|
||||
</programlisting></para>
|
||||
|
||||
<para>The configured <literal>AuthenticationManager</literal>
|
||||
processes each authentication request. If authentication fails, the
|
||||
|
@ -57,7 +39,7 @@
|
|||
<literal>authenticationFailureUrl</literal>. The
|
||||
<literal>AuthenticationException</literal> will be placed into the
|
||||
<literal>HttpSession</literal> attribute indicated by
|
||||
<literal>AbstractProcessingFilter.ACEGI_SECURITY_LAST_EXCEPTION_KEY</literal>,
|
||||
<literal>AbstractProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY</literal>,
|
||||
enabling a reason to be provided to the user on the error page.</para>
|
||||
|
||||
<para>If authentication is successful, the resulting
|
||||
|
@ -68,7 +50,7 @@
|
|||
updated, the browser will need to be redirected to the target URL. The
|
||||
target URL is usually indicated by the <literal>HttpSession</literal>
|
||||
attribute specified by
|
||||
<literal>AbstractProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY</literal>.
|
||||
<literal>AbstractProcessingFilter.SPRING_SECURITY_TARGET_URL_KEY</literal>.
|
||||
This attribute is automatically set by the
|
||||
<literal>ExceptionTranslationFilter</literal> when an
|
||||
<literal>AuthenticationException</literal> occurs, so that after login
|
||||
|
|
|
@ -343,56 +343,37 @@ if (this.securityInterceptor == null)
|
|||
<sect1 id="filter-invocation-authorization">
|
||||
<title>FilterInvocation Security Interceptor</title>
|
||||
|
||||
<para>To secure <literal>FilterInvocation</literal>s, developers need
|
||||
to add a filter to their <literal>web.xml</literal> that delegates to
|
||||
the <literal>FilterSecurityInterceptor</literal>. A typical
|
||||
configuration example is provided below:</para>
|
||||
|
||||
<programlisting><filter>
|
||||
<filter-name>Spring Security HTTP Request Security Filter</filter-name>
|
||||
<filter-class>org.springframework.security.util.FilterToBeanProxy</filter-class>
|
||||
<init-param>
|
||||
<param-name>targetClass</param-name>
|
||||
<param-value>org.springframework.security.intercept.web.FilterSecurityInterceptor</param-value>
|
||||
</init-param>
|
||||
</filter>
|
||||
|
||||
<filter-mapping>
|
||||
<filter-name>Spring Security HTTP Request Security Filter</filter-name>
|
||||
<url-pattern>/*</url-pattern>
|
||||
</filter-mapping></programlisting>
|
||||
|
||||
<para>Notice that the filter is actually a
|
||||
<literal>FilterToBeanProxy</literal>. Most of the filters used by
|
||||
Spring Security use this class. Refer to the Filters section to learn
|
||||
more about this bean.</para>
|
||||
<para>To secure <classname>FilterInvocation</classname>s, developers need
|
||||
to add a <literal>FilterSecurityInterceptor</literal> to their filter chain.
|
||||
A typical configuration example is provided below:</para>
|
||||
|
||||
<para>In the application context you will need to configure three
|
||||
beans:</para>
|
||||
|
||||
<programlisting><bean id="exceptionTranslationFilter"
|
||||
class="org.springframework.security.ui.ExceptionTranslationFilter">
|
||||
<property name="authenticationEntryPoint"><ref local="authenticationEntryPoint"/></property>
|
||||
</bean>
|
||||
<programlisting><![CDATA[
|
||||
<bean id="exceptionTranslationFilter"
|
||||
class="org.springframework.security.ui.ExceptionTranslationFilter">
|
||||
<property name="authenticationEntryPoint"><ref local="authenticationEntryPoint"/></property>
|
||||
</bean>
|
||||
|
||||
<bean id="authenticationEntryPoint"
|
||||
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
|
||||
<property name="loginFormUrl"><value>/acegilogin.jsp</value></property>
|
||||
<property name="forceHttps"><value>false</value></property>
|
||||
</bean>
|
||||
<bean id="authenticationEntryPoint"
|
||||
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
|
||||
<property name="loginFormUrl"><value>/acegilogin.jsp</value></property>
|
||||
<property name="forceHttps"><value>false</value></property>
|
||||
</bean>
|
||||
|
||||
<bean id="filterSecurityInterceptor"
|
||||
class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
|
||||
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
||||
<property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
|
||||
<property name="objectDefinitionSource">
|
||||
<value>
|
||||
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
|
||||
\A/secure/super/.*\Z=ROLE_WE_DONT_HAVE
|
||||
\A/secure/.*\Z=ROLE_SUPERVISOR,ROLE_TELLER
|
||||
</value>
|
||||
</property>
|
||||
</bean> </programlisting>
|
||||
<bean id="filterSecurityInterceptor"
|
||||
class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
|
||||
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
||||
<property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
|
||||
<property name="objectDefinitionSource">
|
||||
<property name="filterInvocationDefinitionSource">
|
||||
<security:filter-invocation-definition-source path-type="regex">
|
||||
<security:intercept-url pattern="\A/secure/super/.*\Z" access="ROLE_WE_DONT_HAVE"/>
|
||||
<security:intercept-url pattern="\A/secure/.*\" access="ROLE_SUPERVISOR,ROLE_TELLER"/>
|
||||
</security:filter-invocation-definition-source>
|
||||
</property>
|
||||
</bean> ]]> </programlisting>
|
||||
|
||||
<para>The <classname>ExceptionTranslationFilter</classname> provides
|
||||
the bridge between Java exceptions and HTTP responses. It is solely
|
||||
|
|
|
@ -83,43 +83,35 @@
|
|||
<para>Spring Security uses many filters, as referred to throughout the
|
||||
remainder of this reference guide. You have a choice in how these
|
||||
filters are added to your web application, in that you can use either
|
||||
<literal>FilterToBeanProxy</literal> or
|
||||
Spring's <literal>DelegatingFilterProxy</literal> or
|
||||
<literal>FilterChainProxy</literal>. We'll look at both below.</para>
|
||||
|
||||
<para>When using <literal>DelegatingFilterProxy</literal>, you will see
|
||||
something like this in the web.xml file:
|
||||
|
||||
<programlisting>
|
||||
<![CDATA[
|
||||
<filter>
|
||||
<filter-name>myFilter</filter-name>
|
||||
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
|
||||
</filter>
|
||||
|
||||
<para>Most filters are configured using the
|
||||
<literal>FilterToBeanProxy</literal>. An example configuration from
|
||||
<literal>web.xml</literal> follows:</para>
|
||||
|
||||
<para><programlisting><filter>
|
||||
<filter-name>Spring Security HTTP Request Security Filter</filter-name>
|
||||
<filter-class>org.springframework.security.util.FilterToBeanProxy</filter-class>
|
||||
<init-param>
|
||||
<param-name>targetClass</param-name>
|
||||
<param-value>org.springframework.security.ClassThatImplementsFilter</param-value>
|
||||
</init-param>
|
||||
</filter></programlisting></para>
|
||||
|
||||
<para>Notice that the filter in <literal>web.xml</literal> is actually
|
||||
a <literal>FilterToBeanProxy</literal>, and not the filter that will
|
||||
actually implement the logic of the filter. What
|
||||
<literal>FilterToBeanProxy</literal> does is delegate the
|
||||
<filter-mapping>
|
||||
<filter-name>myFilter</filter-name>
|
||||
<url-pattern>/*</url-pattern>
|
||||
</filter-mapping>
|
||||
]]>
|
||||
</programlisting>
|
||||
|
||||
Notice that the filter is actually a <literal>DelegatingFilterProxy</literal>,
|
||||
and not the filter that will actually implement the logic of the filter. What
|
||||
<literal>DelegatingFilterProxy</literal> does is delegate the
|
||||
<literal>Filter</literal>'s methods through to a bean which is
|
||||
obtained from the Spring application context. This enables the bean to
|
||||
benefit from the Spring application context lifecycle support and
|
||||
benefit from the Spring web application context lifecycle support and
|
||||
configuration flexibility. The bean must implement
|
||||
<literal>javax.servlet.Filter</literal>.</para>
|
||||
|
||||
<para>The <literal>FilterToBeanProxy</literal> only requires a single
|
||||
initialization parameter, <literal>targetClass</literal> or
|
||||
<literal>targetBean</literal>. The <literal>targetClass</literal>
|
||||
parameter locates the first object in the application context of the
|
||||
specified class, whilst <literal>targetBean</literal> locates the
|
||||
object by bean name. Like standard Spring web applications, the
|
||||
<literal>FilterToBeanProxy</literal> accesses the application context
|
||||
via<literal>
|
||||
WebApplicationContextUtils.getWebApplicationContext(ServletContext)</literal>,
|
||||
so you should configure a <literal>ContextLoaderListener</literal> in
|
||||
<literal>web.xml</literal>.</para>
|
||||
<literal>javax.servlet.Filter</literal> and it must have the same name as that in
|
||||
the <literal>filter-name</literal> element.</para>
|
||||
|
||||
<para>There is a lifecycle issue to consider when hosting
|
||||
<literal>Filter</literal>s in an IoC container instead of a servlet
|
||||
|
@ -139,39 +131,31 @@
|
|||
Spring interfaces (eg the <literal>destroy-method</literal> attribute
|
||||
in Spring XML). For this reason we recommend the use of Spring
|
||||
lifecycle services instead of servlet container lifecycle services
|
||||
wherever possible. By default <literal>FilterToBeanProxy</literal>
|
||||
will not delegate <literal>init(FilterConfig)</literal> and
|
||||
<literal>destroy()</literal> methods through to the proxied bean. If
|
||||
you do require such invocations to be delegated, set the
|
||||
<literal>lifecycle</literal> initialization parameter to
|
||||
<literal>servlet-container-managed</literal>.</para>
|
||||
wherever possible. Read the Javadoc for <classname>DelegatingFilterProxy</classname>
|
||||
for more information</para>
|
||||
|
||||
<para>Rather than using <literal>FilterToBeanProxy</literal>, we
|
||||
<para>Rather than using <literal>DelegatingFilterProxy</literal>, we
|
||||
strongly recommend to use <literal>FilterChainProxy</literal> instead.
|
||||
Whilst <literal>FilterToBeanProxy</literal> is a very useful class,
|
||||
the problem is that the lines of code required for
|
||||
Whilst <literal>DelegatingFilterProxy</literal> is a very useful class,
|
||||
the problem is that the number of lines of code required for
|
||||
<literal><filter></literal> and
|
||||
<literal><filter-mapping></literal> entries in
|
||||
<literal>web.xml</literal> explodes when using more than a few
|
||||
filters. To overcome this issue, Spring Security provides a
|
||||
<literal>FilterChainProxy</literal> class. It is wired using a
|
||||
<literal>FilterToBeanProxy</literal> (just like in the example above),
|
||||
<literal>DelegatingFilterProxy</literal> (just like in the example above),
|
||||
but the target class is
|
||||
<literal>org.springframework.security.util.FilterChainProxy</literal>.
|
||||
The filter chain is then declared in the application context, using
|
||||
code such as this:</para>
|
||||
|
||||
<para><programlisting><bean id="filterChainProxy"
|
||||
class="org.springframework.security.util.FilterChainProxy">
|
||||
<property name="filterInvocationDefinitionSource">
|
||||
<value>
|
||||
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
|
||||
PATTERN_TYPE_APACHE_ANT
|
||||
/webServices/**=httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
|
||||
/**=httpSessionContextIntegrationFilterWithASCTrue,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
|
||||
</value>
|
||||
</property>
|
||||
</bean> </programlisting></para>
|
||||
<para><programlisting><![CDATA[
|
||||
<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
|
||||
<sec:filter-chain-map path-type="ant">
|
||||
<sec:filter-chain pattern="/webServices/**" filters="httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
|
||||
<sec:filter-chain pattern="/**" filters="httpSessionContextIntegrationFilterWithASCTrue,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
|
||||
</sec:filter-chain-map>
|
||||
</bean> ]]> </programlisting></para>
|
||||
|
||||
<para>You may notice similarities with the way
|
||||
<literal>FilterSecurityInterceptor</literal> is declared. Both regular
|
||||
|
@ -221,11 +205,11 @@
|
|||
irrespective of how many times it is declared by the
|
||||
<literal>FilterInvocationDefinitionSource</literal>. You control the
|
||||
overall choice as to whether these methods are called or not via the
|
||||
<literal>lifecycle</literal> initialization parameter of the
|
||||
<literal>FilterToBeanProxy</literal> that proxies
|
||||
<literal>FilterChainProxy</literal>. As discussed above, by default
|
||||
<literal>targetFilterLifecycle</literal> initialization parameter of the
|
||||
<literal>DelegatingFilterProxy</literal> that proxies
|
||||
<literal>DelegatingFilterProxy</literal>. As discussed above, by default
|
||||
any servlet container lifecycle invocations are not delegated through
|
||||
to <literal>FilterChainProxy</literal>.</para>
|
||||
to <literal>DelegatingFilterProxy</literal>.</para>
|
||||
|
||||
<para>You can also omit a URI pattern from the filter chain by using
|
||||
the token <literal>#NONE#</literal> on the right-hand side of the
|
||||
|
@ -317,12 +301,12 @@
|
|||
</orderedlist>
|
||||
|
||||
<para>All of the above filters use
|
||||
<literal>FilterToBeanProxy</literal> or
|
||||
<literal>DelegatingFilterProxy</literal> or
|
||||
<literal>FilterChainProxy</literal>. It is recommended that a single
|
||||
<literal>FilterToBeanProxy</literal> proxy through to a single
|
||||
<literal>DelegatingFilterProxy</literal> proxy through to a single
|
||||
<literal>FilterChainProxy</literal> for each application, with that
|
||||
<literal>FilterChainProxy</literal> defining all of Spring Security
|
||||
<literal>Filter</literal>s.</para>
|
||||
filters.</para>
|
||||
|
||||
<para>If you're using SiteMesh, ensure Spring Security filters execute
|
||||
before the SiteMesh filters are called. This enables the
|
||||
|
|
|
@ -55,19 +55,15 @@ copy %acegi%\WEB-INF\lib\commons-codec-1.3.jar %spring%\samples\petclinic\war\WE
|
|||
|
||||
+------------------------------------------------------
|
||||
|
||||
<filter>
|
||||
<filter-name>Spring Security Filter Chain Proxy</filter-name>
|
||||
<filter-class>org.springframework.security.util.FilterToBeanProxy</filter-class>
|
||||
<init-param>
|
||||
<param-name>targetClass</param-name>
|
||||
<param-value>org.springframework.security.util.FilterChainProxy</param-value>
|
||||
</init-param>
|
||||
</filter>
|
||||
<filter>
|
||||
<filter-name>springSecurityFilterChain</filter-name>
|
||||
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
|
||||
</filter>
|
||||
|
||||
<filter-mapping>
|
||||
<filter-name>Spring Security Filter Chain Proxy</filter-name>
|
||||
<url-pattern>/*</url-pattern>
|
||||
</filter-mapping>
|
||||
<filter-mapping>
|
||||
<filter-name>springSecurityFilterChain</filter-name>
|
||||
<url-pattern>/*</url-pattern>
|
||||
</filter-mapping>
|
||||
|
||||
+------------------------------------------------------
|
||||
|
||||
|
@ -80,7 +76,7 @@ copy %acegi%\WEB-INF\lib\commons-codec-1.3.jar %spring%\samples\petclinic\war\WE
|
|||
<param-name>contextConfigLocation</param-name>
|
||||
<param-value>
|
||||
/WEB-INF/applicationContext-jdbc.xml
|
||||
/WEB-INF/applicationContext-acegi-security.xml
|
||||
/WEB-INF/applicationContext-security-ns.xml
|
||||
</param-value>
|
||||
</context-param>
|
||||
|
||||
|
|
Loading…
Reference in New Issue