From 57437635992bb1da8986943c510be8761520a283 Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Thu, 13 Mar 2008 18:52:31 +0000 Subject: [PATCH] SEC-625: Remove references to FilterToBeanProxy --- .../anonymous/AnonymousProcessingFilter.java | 3 +- .../ChannelProcessingFilter.java | 2 - .../ui/ExceptionTranslationFilter.java | 4 - .../ui/digestauth/DigestProcessingFilter.java | 2 - .../security/ui/logout/LogoutFilter.java | 6 +- .../RememberMeProcessingFilter.java | 2 - .../AuthenticationProcessingFilter.java | 4 - ...eminderAuthenticationProcessingFilter.java | 15 +-- .../ui/x509/X509ProcessingFilter.java | 2 - .../src/test/resources/webxml/NoRoles.web.xml | 23 ++-- .../src/test/resources/webxml/Role1-4.web.xml | 23 ++-- ntlm/web.xml | 24 ++-- src/docbkx/channel-security.xml | 70 ++++-------- src/docbkx/common-auth-services.xml | 31 +++--- src/docbkx/form-authentication.xml | 44 +++----- src/docbkx/secured-objects.xml | 69 +++++------- src/docbkx/supporting-infrastructure.xml | 104 ++++++++---------- src/site/apt/petclinic-tutorial.apt | 22 ++-- 18 files changed, 171 insertions(+), 279 deletions(-) diff --git a/core/src/main/java/org/springframework/security/providers/anonymous/AnonymousProcessingFilter.java b/core/src/main/java/org/springframework/security/providers/anonymous/AnonymousProcessingFilter.java index 812a9fd342..0089dcb9af 100644 --- a/core/src/main/java/org/springframework/security/providers/anonymous/AnonymousProcessingFilter.java +++ b/core/src/main/java/org/springframework/security/providers/anonymous/AnonymousProcessingFilter.java @@ -43,8 +43,7 @@ import javax.servlet.http.HttpServletResponse; /** * Detects if there is no Authentication object in the SecurityContextHolder, and - * populates it with one if needed.

Do not use this class directly. Instead configure web.xml - * to use the {@link org.springframework.security.util.FilterToBeanProxy}.

+ * populates it with one if needed. * * @author Ben Alex * @version $Id$ diff --git a/core/src/main/java/org/springframework/security/securechannel/ChannelProcessingFilter.java b/core/src/main/java/org/springframework/security/securechannel/ChannelProcessingFilter.java index d6c099df49..6e0fb64daf 100644 --- a/core/src/main/java/org/springframework/security/securechannel/ChannelProcessingFilter.java +++ b/core/src/main/java/org/springframework/security/securechannel/ChannelProcessingFilter.java @@ -45,8 +45,6 @@ import java.util.Collection; *

Delegates the actual channel security decisions and necessary actions to the configured * {@link ChannelDecisionManager}. If a response is committed by the ChannelDecisionManager, * the filter chain will not proceed.

- *

Do not use this class directly. Instead configure web.xml to use the {@link - * org.springframework.security.util.FilterToBeanProxy}.

* * @author Ben Alex * @version $Id$ diff --git a/core/src/main/java/org/springframework/security/ui/ExceptionTranslationFilter.java b/core/src/main/java/org/springframework/security/ui/ExceptionTranslationFilter.java index 711a5de4ed..d7e44b7ec6 100644 --- a/core/src/main/java/org/springframework/security/ui/ExceptionTranslationFilter.java +++ b/core/src/main/java/org/springframework/security/ui/ExceptionTranslationFilter.java @@ -73,10 +73,6 @@ import javax.servlet.http.HttpServletResponse; *
  • portResolver is used to determine the "real" port that a * request was received on.
    • * - *

    - * Do not use this class directly. Instead configure web.xml to use the - * {@link org.springframework.security.util.FilterToBeanProxy}. - *

    * * @author Ben Alex * @author colin sampaleanu diff --git a/core/src/main/java/org/springframework/security/ui/digestauth/DigestProcessingFilter.java b/core/src/main/java/org/springframework/security/ui/digestauth/DigestProcessingFilter.java index 3bf9510a37..0927f5db34 100644 --- a/core/src/main/java/org/springframework/security/ui/digestauth/DigestProcessingFilter.java +++ b/core/src/main/java/org/springframework/security/ui/digestauth/DigestProcessingFilter.java @@ -81,8 +81,6 @@ import javax.servlet.http.HttpServletResponse; *

    Note there are limitations to Digest authentication, although it is a more comprehensive and secure solution * than Basic authentication. Please see RFC 2617 section 4 for a full discussion on the advantages of Digest * authentication over Basic authentication, including commentary on the limitations that it still imposes.

    - *

    Do not use this class directly. Instead configure web.xml to use the {@link - * org.springframework.security.util.FilterToBeanProxy}.

    */ public class DigestProcessingFilter implements Filter, InitializingBean, MessageSourceAware { //~ Static fields/initializers ===================================================================================== diff --git a/core/src/main/java/org/springframework/security/ui/logout/LogoutFilter.java b/core/src/main/java/org/springframework/security/ui/logout/LogoutFilter.java index 3f79fc9b4c..f56a7af547 100644 --- a/core/src/main/java/org/springframework/security/ui/logout/LogoutFilter.java +++ b/core/src/main/java/org/springframework/security/ui/logout/LogoutFilter.java @@ -42,11 +42,7 @@ import org.springframework.util.StringUtils; *

    * After logout, the URL specified by {@link #logoutSuccessUrl} will be shown. *

    - *

    - * Do not use this class directly. Instead configure web.xml to use the - * {@link org.springframework.security.util.FilterToBeanProxy}. - *

    - * + * * @author Ben Alex * @version $Id$ */ diff --git a/core/src/main/java/org/springframework/security/ui/rememberme/RememberMeProcessingFilter.java b/core/src/main/java/org/springframework/security/ui/rememberme/RememberMeProcessingFilter.java index 2b9039b684..4cedcd5d5c 100644 --- a/core/src/main/java/org/springframework/security/ui/rememberme/RememberMeProcessingFilter.java +++ b/core/src/main/java/org/springframework/security/ui/rememberme/RememberMeProcessingFilter.java @@ -50,8 +50,6 @@ import java.io.IOException; * org.springframework.security.event.authentication.InteractiveAuthenticationSuccessEvent} will be published to the application * context. No events will be published if authentication was unsuccessful, because this would generally be recorded * via an AuthenticationManager-specific application event.

    - *

    Do not use this class directly. Instead configure web.xml to use the {@link - * org.springframework.security.util.FilterToBeanProxy}.

    * * @author Ben Alex * @version $Id$ diff --git a/core/src/main/java/org/springframework/security/ui/webapp/AuthenticationProcessingFilter.java b/core/src/main/java/org/springframework/security/ui/webapp/AuthenticationProcessingFilter.java index 644ed6efe6..fb49f9e15e 100644 --- a/core/src/main/java/org/springframework/security/ui/webapp/AuthenticationProcessingFilter.java +++ b/core/src/main/java/org/springframework/security/ui/webapp/AuthenticationProcessingFilter.java @@ -35,10 +35,6 @@ import javax.servlet.http.HttpSession; * static fields {@link #SPRING_SECURITY_FORM_USERNAME_KEY} and {@link #SPRING_SECURITY_FORM_PASSWORD_KEY}. * The parameter names can also be changed by setting the usernameParameter and passwordParameter * properties. - *

    - * - *

    Do not use this class directly. Instead configure web.xml to use the {@link - * org.springframework.security.util.FilterToBeanProxy}.

    * * @author Ben Alex * @author Colin Sampaleanu diff --git a/core/src/main/java/org/springframework/security/ui/webapp/SiteminderAuthenticationProcessingFilter.java b/core/src/main/java/org/springframework/security/ui/webapp/SiteminderAuthenticationProcessingFilter.java index fd52db4a77..86d6f211c6 100644 --- a/core/src/main/java/org/springframework/security/ui/webapp/SiteminderAuthenticationProcessingFilter.java +++ b/core/src/main/java/org/springframework/security/ui/webapp/SiteminderAuthenticationProcessingFilter.java @@ -32,17 +32,18 @@ import javax.servlet.http.HttpServletResponse; /** * Extends Spring Security's AuthenticationProcessingFilter to pick up CA/Netegrity Siteminder headers. - *

    Also provides a backup form-based authentication and the ability set source key names.

    - *

    Siteminder must present two headers to this filter, a username and password. You must set the + *

    + * Also provides a backup form-based authentication and the ability set source key names. + *

    + * Siteminder must present two headers to this filter, a username and password. You must set the * header keys before this filter is used for authentication, otherwise Siteminder checks will be skipped. If the * Siteminder check is unsuccessful (i.e. if the headers are not found), then the form parameters will be checked (see * next paragraph). This allows applications to optionally function even when their Siteminder infrastructure is - * unavailable, as is often the case during development.

    - *

    Login forms must present two parameters to this filter: a username and password. If not + * unavailable, as is often the case during development. + *

    + * Login forms must present two parameters to this filter: a username and password. If not * specified, the parameter names to use are contained in the static fields {@link #SPRING_SECURITY_FORM_USERNAME_KEY} - * and {@link #SPRING_SECURITY_FORM_PASSWORD_KEY}.

    - *

    Do not use this class directly. Instead, configure web.xml to use the {@link - * org.springframework.security.util.FilterToBeanProxy}.

    + * and {@link #SPRING_SECURITY_FORM_PASSWORD_KEY}. */ public class SiteminderAuthenticationProcessingFilter extends AuthenticationProcessingFilter { //~ Static fields/initializers ===================================================================================== diff --git a/core/src/main/java/org/springframework/security/ui/x509/X509ProcessingFilter.java b/core/src/main/java/org/springframework/security/ui/x509/X509ProcessingFilter.java index 4d8c383e66..58b5a13999 100644 --- a/core/src/main/java/org/springframework/security/ui/x509/X509ProcessingFilter.java +++ b/core/src/main/java/org/springframework/security/ui/x509/X509ProcessingFilter.java @@ -62,8 +62,6 @@ import javax.servlet.FilterConfig; * org.springframework.security.event.authentication.InteractiveAuthenticationSuccessEvent} will be published to the application * context. No events will be published if authentication was unsuccessful, because this would generally be recorded * via an AuthenticationManager-specific application event.

    - *

    Do not use this class directly. Instead configure web.xml to use the {@link - * org.springframework.security.util.FilterToBeanProxy}.

    * * @author Luke Taylor * @deprecated Use X509PreAuthenticatedProcessingFilter from the preauth.x509 package instead diff --git a/core/src/test/resources/webxml/NoRoles.web.xml b/core/src/test/resources/webxml/NoRoles.web.xml index e6b6adc519..688397cc8c 100755 --- a/core/src/test/resources/webxml/NoRoles.web.xml +++ b/core/src/test/resources/webxml/NoRoles.web.xml @@ -11,19 +11,16 @@ /WEB-INF/classes/log4j.properties - - Acegi Filter Chain Proxy - org.acegisecurity.util.FilterToBeanProxy - - targetClass - org.acegisecurity.util.FilterChainProxy - - - - Acegi Filter Chain Proxy - /* - - + + springSecurityFilterChain + org.springframework.web.filter.DelegatingFilterProxy + + + + springSecurityFilterChain + /* + + org.springframework.web.util.Log4jConfigListener diff --git a/core/src/test/resources/webxml/Role1-4.web.xml b/core/src/test/resources/webxml/Role1-4.web.xml index 877c427eeb..bbf25e1e63 100755 --- a/core/src/test/resources/webxml/Role1-4.web.xml +++ b/core/src/test/resources/webxml/Role1-4.web.xml @@ -11,19 +11,16 @@ /WEB-INF/classes/log4j.properties - - Acegi Filter Chain Proxy - org.acegisecurity.util.FilterToBeanProxy - - targetClass - org.acegisecurity.util.FilterChainProxy - - - - Acegi Filter Chain Proxy - /* - - + + springSecurityFilterChain + org.springframework.web.filter.DelegatingFilterProxy + + + + springSecurityFilterChain + /* + + org.springframework.web.util.Log4jConfigListener diff --git a/ntlm/web.xml b/ntlm/web.xml index 034cc391f5..f0c71db7e8 100755 --- a/ntlm/web.xml +++ b/ntlm/web.xml @@ -16,20 +16,16 @@ - - Spring Security Filter Chain Proxy - org.springframework.security.util.FilterToBeanProxy - - targetClass - org.springframework.security.util.FilterChainProxy - - - - - Spring Security Filter Chain Proxy - /** - - + + filterChainProxy + org.springframework.web.filter.DelegatingFilterProxy + + + + filterChainProxy + /* + + diff --git a/src/docbkx/channel-security.xml b/src/docbkx/channel-security.xml index cdce73d74b..84099e11e1 100644 --- a/src/docbkx/channel-security.xml +++ b/src/docbkx/channel-security.xml @@ -41,57 +41,35 @@ Configuration - - To utilise Spring Security's channel security services, add the - following lines to web.xml: - - - <filter> - <filter-name>Spring Security Channel Processing Filter</filter-name> - <filter-class>org.springframework.security.util.FilterToBeanProxy</filter-class> - <init-param> - <param-name>targetClass</param-name> - <param-value>org.springframework.security.securechannel.ChannelProcessingFilter</param-value> - </init-param> - </filter> - <filter-mapping> - <filter-name>Spring Security Channel Processing Filter</filter-name> - <url-pattern>/*</url-pattern> - </filter-mapping> - - - - As usual when running FilterToBeanProxy, you - will also need to configure the filter in your application + To use chanel security, you should define the following the filter in your application context: - - <bean id="channelProcessingFilter" class="org.springframework.security.securechannel.ChannelProcessingFilter"> - <property name="channelDecisionManager"><ref bean="channelDecisionManager"/></property> - <property name="filterInvocationDefinitionSource"> - <value> - CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON - \A/secure/.*\Z=REQUIRES_SECURE_CHANNEL - \A/acegilogin.jsp.*\Z=REQUIRES_SECURE_CHANNEL - \A/j_spring_security_check.*\Z=REQUIRES_SECURE_CHANNEL - \A.*\Z=REQUIRES_INSECURE_CHANNEL - </value> - </property> - </bean> + + + + + + + + + + + - <bean id="channelDecisionManager" class="org.springframework.security.securechannel.ChannelDecisionManagerImpl"> - <property name="channelProcessors"> - <list> - <ref bean="secureChannelProcessor"/> - <ref bean="insecureChannelProcessor"/> - </list> - </property> - </bean> - - <bean id="secureChannelProcessor" class="org.springframework.security.securechannel.SecureChannelProcessor"/> - <bean id="insecureChannelProcessor" class="org.springframework.security.securechannel.InsecureChannelProcessor"/> + + + + + + + + + + + ]]> Like FilterSecurityInterceptor, Apache Ant diff --git a/src/docbkx/common-auth-services.xml b/src/docbkx/common-auth-services.xml index ecce8ae1e7..bb4cca3fde 100644 --- a/src/docbkx/common-auth-services.xml +++ b/src/docbkx/common-auth-services.xml @@ -17,28 +17,29 @@ user for them to login) plus BASIC authentication (ie so a web service or similar can access protected resources). - In the web.xml, this application will need a single Acegi + In the web.xml, this application will need a single Spring Security filter in order to use the FilterChainProxy. Nearly every Spring Security application will have such an entry, and it looks like this: - <filter> -<filter-name>Spring Security Filter Chain Proxy</filter-name> -<filter-class>org.springframework.security.util.FilterToBeanProxy</filter-class> -<init-param> -<param-name>targetClass</param-name> -<param-value>org.springframework.security.util.FilterChainProxy</param-value> -</init-param> -</filter> + + + filterChainProxy + org.springframework.web.filter.DelegatingFilterProxy + -<filter-mapping> -<filter-name>Spring Security Filter Chain Proxy</filter-name> -<url-pattern>/*</url-pattern> -</filter-mapping> + + filterChainProxy + /* + +]]> The above declarations will cause every web request to be passed - through to Spring Security's FilterChainProxy. As explained in the - filters section of this reference guide, the + through to the bean called filterChainProxy + which will usually be an instance of Spring Security's + FilterChainProxy. + As explained in the filters section of this reference guide, the FilterChainProxy is a generally-useful class that enables web requests to be passed to different filters based on the URL patterns. Those delegated filters are managed inside the diff --git a/src/docbkx/form-authentication.xml b/src/docbkx/form-authentication.xml index 41e9ca0222..502ad2101a 100644 --- a/src/docbkx/form-authentication.xml +++ b/src/docbkx/form-authentication.xml @@ -21,35 +21,17 @@ The login form simply contains j_username and j_password input fields, and posts to a URL that is monitored by the filter (by default - j_spring_security_check). The filter is defined in - web.xml behind a - FilterToBeanProxy as follows: - - <filter> - <filter-name>Acegi Authentication Processing Filter</filter-name> - <filter-class>org.springframework.security.util.FilterToBeanProxy</filter-class> - <init-param> - <param-name>targetClass</param-name> - <param-value>org.springframework.security.ui.webapp.AuthenticationProcessingFilter</param-value> - </init-param> - </filter> - - <filter-mapping> - <filter-name>Acegi Authentication Processing Filter</filter-name> - <url-pattern>/*</url-pattern> - </filter-mapping> - - For a discussion of FilterToBeanProxy, please - refer to the Filters section. The application context will need to - define the AuthenticationProcessingFilter: - - <bean id="authenticationProcessingFilter" - class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter"> - <property name="authenticationManager"><ref bean="authenticationManager"/></property> - <property name="authenticationFailureUrl"><value>/acegilogin.jsp?login_error=1</value></property> - <property name="defaultTargetUrl"><value>/</value></property> - <property name="filterProcessesUrl"><value>/j_spring_security_check</value></property> - </bean> + j_spring_security_check). You should add an + AuthenticationProcessingFilter to you application context: + + + + + + ]]> + The configured AuthenticationManager processes each authentication request. If authentication fails, the @@ -57,7 +39,7 @@ authenticationFailureUrl. The AuthenticationException will be placed into the HttpSession attribute indicated by - AbstractProcessingFilter.ACEGI_SECURITY_LAST_EXCEPTION_KEY, + AbstractProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY, enabling a reason to be provided to the user on the error page. If authentication is successful, the resulting @@ -68,7 +50,7 @@ updated, the browser will need to be redirected to the target URL. The target URL is usually indicated by the HttpSession attribute specified by - AbstractProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY. + AbstractProcessingFilter.SPRING_SECURITY_TARGET_URL_KEY. This attribute is automatically set by the ExceptionTranslationFilter when an AuthenticationException occurs, so that after login diff --git a/src/docbkx/secured-objects.xml b/src/docbkx/secured-objects.xml index 89df3cf0c4..9e7179e681 100644 --- a/src/docbkx/secured-objects.xml +++ b/src/docbkx/secured-objects.xml @@ -343,56 +343,37 @@ if (this.securityInterceptor == null) FilterInvocation Security Interceptor - To secure FilterInvocations, developers need - to add a filter to their web.xml that delegates to - the FilterSecurityInterceptor. A typical - configuration example is provided below: - - <filter> -<filter-name>Spring Security HTTP Request Security Filter</filter-name> -<filter-class>org.springframework.security.util.FilterToBeanProxy</filter-class> -<init-param> -<param-name>targetClass</param-name> -<param-value>org.springframework.security.intercept.web.FilterSecurityInterceptor</param-value> -</init-param> -</filter> - -<filter-mapping> -<filter-name>Spring Security HTTP Request Security Filter</filter-name> -<url-pattern>/*</url-pattern> -</filter-mapping> - - Notice that the filter is actually a - FilterToBeanProxy. Most of the filters used by - Spring Security use this class. Refer to the Filters section to learn - more about this bean. + To secure FilterInvocations, developers need + to add a FilterSecurityInterceptor to their filter chain. + A typical configuration example is provided below: In the application context you will need to configure three beans: - <bean id="exceptionTranslationFilter" - class="org.springframework.security.ui.ExceptionTranslationFilter"> -<property name="authenticationEntryPoint"><ref local="authenticationEntryPoint"/></property> -</bean> + + + -<bean id="authenticationEntryPoint" - class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint"> -<property name="loginFormUrl"><value>/acegilogin.jsp</value></property> -<property name="forceHttps"><value>false</value></property> -</bean> + + /acegilogin.jsp + false + -<bean id="filterSecurityInterceptor" - class="org.springframework.security.intercept.web.FilterSecurityInterceptor"> -<property name="authenticationManager"><ref bean="authenticationManager"/></property> -<property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property> -<property name="objectDefinitionSource"> -<value> - CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON - \A/secure/super/.*\Z=ROLE_WE_DONT_HAVE - \A/secure/.*\Z=ROLE_SUPERVISOR,ROLE_TELLER -</value> -</property> -</bean> + + + + + + + + + + + ]]> The ExceptionTranslationFilter provides the bridge between Java exceptions and HTTP responses. It is solely diff --git a/src/docbkx/supporting-infrastructure.xml b/src/docbkx/supporting-infrastructure.xml index a9bbfee691..3d87ffd371 100644 --- a/src/docbkx/supporting-infrastructure.xml +++ b/src/docbkx/supporting-infrastructure.xml @@ -83,43 +83,35 @@ Spring Security uses many filters, as referred to throughout the remainder of this reference guide. You have a choice in how these filters are added to your web application, in that you can use either - FilterToBeanProxy or + Spring's DelegatingFilterProxy or FilterChainProxy. We'll look at both below. + + When using DelegatingFilterProxy, you will see + something like this in the web.xml file: + + + + myFilter + org.springframework.web.filter.DelegatingFilterProxy + - Most filters are configured using the - FilterToBeanProxy. An example configuration from - web.xml follows: - - <filter> -<filter-name>Spring Security HTTP Request Security Filter</filter-name> -<filter-class>org.springframework.security.util.FilterToBeanProxy</filter-class> -<init-param> -<param-name>targetClass</param-name> -<param-value>org.springframework.security.ClassThatImplementsFilter</param-value> -</init-param> -</filter> - - Notice that the filter in web.xml is actually - a FilterToBeanProxy, and not the filter that will - actually implement the logic of the filter. What - FilterToBeanProxy does is delegate the + + myFilter + /* + + ]]> + + + Notice that the filter is actually a DelegatingFilterProxy, + and not the filter that will actually implement the logic of the filter. What + DelegatingFilterProxy does is delegate the Filter's methods through to a bean which is obtained from the Spring application context. This enables the bean to - benefit from the Spring application context lifecycle support and + benefit from the Spring web application context lifecycle support and configuration flexibility. The bean must implement - javax.servlet.Filter. - - The FilterToBeanProxy only requires a single - initialization parameter, targetClass or - targetBean. The targetClass - parameter locates the first object in the application context of the - specified class, whilst targetBean locates the - object by bean name. Like standard Spring web applications, the - FilterToBeanProxy accesses the application context - via - WebApplicationContextUtils.getWebApplicationContext(ServletContext), - so you should configure a ContextLoaderListener in - web.xml. + javax.servlet.Filter and it must have the same name as that in + the filter-name element. There is a lifecycle issue to consider when hosting Filters in an IoC container instead of a servlet @@ -139,39 +131,31 @@ Spring interfaces (eg the destroy-method attribute in Spring XML). For this reason we recommend the use of Spring lifecycle services instead of servlet container lifecycle services - wherever possible. By default FilterToBeanProxy - will not delegate init(FilterConfig) and - destroy() methods through to the proxied bean. If - you do require such invocations to be delegated, set the - lifecycle initialization parameter to - servlet-container-managed. + wherever possible. Read the Javadoc for DelegatingFilterProxy + for more information - Rather than using FilterToBeanProxy, we + Rather than using DelegatingFilterProxy, we strongly recommend to use FilterChainProxy instead. - Whilst FilterToBeanProxy is a very useful class, - the problem is that the lines of code required for + Whilst DelegatingFilterProxy is a very useful class, + the problem is that the number of lines of code required for <filter> and <filter-mapping> entries in web.xml explodes when using more than a few filters. To overcome this issue, Spring Security provides a FilterChainProxy class. It is wired using a - FilterToBeanProxy (just like in the example above), + DelegatingFilterProxy (just like in the example above), but the target class is org.springframework.security.util.FilterChainProxy. The filter chain is then declared in the application context, using code such as this: - <bean id="filterChainProxy" - class="org.springframework.security.util.FilterChainProxy"> -<property name="filterInvocationDefinitionSource"> -<value> - CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON - PATTERN_TYPE_APACHE_ANT - /webServices/**=httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor - /**=httpSessionContextIntegrationFilterWithASCTrue,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor -</value> -</property> -</bean> + + + + + + ]]> You may notice similarities with the way FilterSecurityInterceptor is declared. Both regular @@ -221,11 +205,11 @@ irrespective of how many times it is declared by the FilterInvocationDefinitionSource. You control the overall choice as to whether these methods are called or not via the - lifecycle initialization parameter of the - FilterToBeanProxy that proxies - FilterChainProxy. As discussed above, by default + targetFilterLifecycle initialization parameter of the + DelegatingFilterProxy that proxies + DelegatingFilterProxy. As discussed above, by default any servlet container lifecycle invocations are not delegated through - to FilterChainProxy. + to DelegatingFilterProxy. You can also omit a URI pattern from the filter chain by using the token #NONE# on the right-hand side of the @@ -317,12 +301,12 @@ All of the above filters use - FilterToBeanProxy or + DelegatingFilterProxy or FilterChainProxy. It is recommended that a single - FilterToBeanProxy proxy through to a single + DelegatingFilterProxy proxy through to a single FilterChainProxy for each application, with that FilterChainProxy defining all of Spring Security - Filters. + filters. If you're using SiteMesh, ensure Spring Security filters execute before the SiteMesh filters are called. This enables the diff --git a/src/site/apt/petclinic-tutorial.apt b/src/site/apt/petclinic-tutorial.apt index bcb35010fe..670c0f562a 100644 --- a/src/site/apt/petclinic-tutorial.apt +++ b/src/site/apt/petclinic-tutorial.apt @@ -55,19 +55,15 @@ copy %acegi%\WEB-INF\lib\commons-codec-1.3.jar %spring%\samples\petclinic\war\WE +------------------------------------------------------ - - Spring Security Filter Chain Proxy - org.springframework.security.util.FilterToBeanProxy - - targetClass - org.springframework.security.util.FilterChainProxy - - + + springSecurityFilterChain + org.springframework.web.filter.DelegatingFilterProxy + - - Spring Security Filter Chain Proxy - /* - + + springSecurityFilterChain + /* + +------------------------------------------------------ @@ -80,7 +76,7 @@ copy %acegi%\WEB-INF\lib\commons-codec-1.3.jar %spring%\samples\petclinic\war\WE contextConfigLocation /WEB-INF/applicationContext-jdbc.xml - /WEB-INF/applicationContext-acegi-security.xml + /WEB-INF/applicationContext-security-ns.xml