Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SEC-625: Remove references to FilterToBeanProxy

This commit is contained in:
Luke Taylor 2008-03-13 18:52:31 +00:00
parent 1492918674
commit 5743763599
18 changed files with 171 additions and 279 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
core/src/main/java/org/springframework/security/providers/anonymous/AnonymousProcessingFilter.java
View File

@ -43,8 +43,7 @@ import javax.servlet.http.HttpServletResponse;
/** /**
* Detects if there is no <code>Authentication</code> object in the <code>SecurityContextHolder</code>, and * Detects if there is no <code>Authentication</code> object in the <code>SecurityContextHolder</code>, and
* populates it with one if needed.<p><b>Do not use this class directly.</b> Instead configure <code>web.xml</code> * populates it with one if needed.
* to use the {@link org.springframework.security.util.FilterToBeanProxy}.</p>
* *
* @author Ben Alex * @author Ben Alex
* @version $Id$ * @version $Id$

2
core/src/main/java/org/springframework/security/securechannel/ChannelProcessingFilter.java
View File

@ -45,8 +45,6 @@ import java.util.Collection;
* <p>Delegates the actual channel security decisions and necessary actions to the configured * <p>Delegates the actual channel security decisions and necessary actions to the configured
* {@link ChannelDecisionManager}. If a response is committed by the <code>ChannelDecisionManager</code>, * {@link ChannelDecisionManager}. If a response is committed by the <code>ChannelDecisionManager</code>,
* the filter chain will not proceed.</p> * the filter chain will not proceed.</p>
* <p><b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the {@link
* org.springframework.security.util.FilterToBeanProxy}.</p>
* *
* @author Ben Alex * @author Ben Alex
* @version $Id$ * @version $Id$

4
core/src/main/java/org/springframework/security/ui/ExceptionTranslationFilter.java
View File

@ -73,10 +73,6 @@ import javax.servlet.http.HttpServletResponse;
* <li><code>portResolver</code> is used to determine the "real" port that a * <li><code>portResolver</code> is used to determine the "real" port that a
* request was received on.</li> * request was received on.</li>
* </ul> * </ul>
* <p>
* <b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the
* {@link org.springframework.security.util.FilterToBeanProxy}.
* </p>
* *
* @author Ben Alex * @author Ben Alex
* @author colin sampaleanu * @author colin sampaleanu

2
core/src/main/java/org/springframework/security/ui/digestauth/DigestProcessingFilter.java
View File

@ -81,8 +81,6 @@ import javax.servlet.http.HttpServletResponse;
* <p>Note there are limitations to Digest authentication, although it is a more comprehensive and secure solution * <p>Note there are limitations to Digest authentication, although it is a more comprehensive and secure solution
* than Basic authentication. Please see RFC 2617 section 4 for a full discussion on the advantages of Digest * than Basic authentication. Please see RFC 2617 section 4 for a full discussion on the advantages of Digest
* authentication over Basic authentication, including commentary on the limitations that it still imposes.</p> * authentication over Basic authentication, including commentary on the limitations that it still imposes.</p>
* <p><b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the {@link
* org.springframework.security.util.FilterToBeanProxy}.</p>
*/ */
public class DigestProcessingFilter implements Filter, InitializingBean, MessageSourceAware { public class DigestProcessingFilter implements Filter, InitializingBean, MessageSourceAware {
//~ Static fields/initializers ===================================================================================== //~ Static fields/initializers =====================================================================================

4
core/src/main/java/org/springframework/security/ui/logout/LogoutFilter.java
View File

@ -42,10 +42,6 @@ import org.springframework.util.StringUtils;
* <p> * <p>
* After logout, the URL specified by {@link #logoutSuccessUrl} will be shown. * After logout, the URL specified by {@link #logoutSuccessUrl} will be shown.
* </p> * </p>
* <p>
* <b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the
* {@link org.springframework.security.util.FilterToBeanProxy}.
* </p>
* *
* @author Ben Alex * @author Ben Alex
* @version $Id$ * @version $Id$

2
core/src/main/java/org/springframework/security/ui/rememberme/RememberMeProcessingFilter.java
View File

@ -50,8 +50,6 @@ import java.io.IOException;
* org.springframework.security.event.authentication.InteractiveAuthenticationSuccessEvent} will be published to the application * org.springframework.security.event.authentication.InteractiveAuthenticationSuccessEvent} will be published to the application
* context. No events will be published if authentication was unsuccessful, because this would generally be recorded * context. No events will be published if authentication was unsuccessful, because this would generally be recorded
* via an <code>AuthenticationManager</code>-specific application event.</p> * via an <code>AuthenticationManager</code>-specific application event.</p>
* <p><b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the {@link
* org.springframework.security.util.FilterToBeanProxy}.</p>
* *
* @author Ben Alex * @author Ben Alex
* @version $Id$ * @version $Id$

4
core/src/main/java/org/springframework/security/ui/webapp/AuthenticationProcessingFilter.java
View File

@ -35,10 +35,6 @@ import javax.servlet.http.HttpSession;
* static fields {@link #SPRING_SECURITY_FORM_USERNAME_KEY} and {@link #SPRING_SECURITY_FORM_PASSWORD_KEY}. * static fields {@link #SPRING_SECURITY_FORM_USERNAME_KEY} and {@link #SPRING_SECURITY_FORM_PASSWORD_KEY}.
* The parameter names can also be changed by setting the <tt>usernameParameter</tt> and <tt>passwordParameter</tt> * The parameter names can also be changed by setting the <tt>usernameParameter</tt> and <tt>passwordParameter</tt>
* properties. * properties.
* </p>
*
* <p><b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the {@link
* org.springframework.security.util.FilterToBeanProxy}.</p>
* *
* @author Ben Alex * @author Ben Alex
* @author Colin Sampaleanu * @author Colin Sampaleanu

15
core/src/main/java/org/springframework/security/ui/webapp/SiteminderAuthenticationProcessingFilter.java
View File

@ -32,17 +32,18 @@ import javax.servlet.http.HttpServletResponse;
/** /**
* Extends Spring Security's AuthenticationProcessingFilter to pick up CA/Netegrity Siteminder headers. * Extends Spring Security's AuthenticationProcessingFilter to pick up CA/Netegrity Siteminder headers.
* <p>Also provides a backup form-based authentication and the ability set source key names.</p> * <p>
* <p><b>Siteminder</b> must present two <b>headers</b> to this filter, a username and password. You must set the * Also provides a backup form-based authentication and the ability set source key names.
* <p>
* <b>Siteminder</b> must present two <b>headers</b> to this filter, a username and password. You must set the
* header keys before this filter is used for authentication, otherwise Siteminder checks will be skipped. If the * header keys before this filter is used for authentication, otherwise Siteminder checks will be skipped. If the
* Siteminder check is unsuccessful (i.e. if the headers are not found), then the form parameters will be checked (see * Siteminder check is unsuccessful (i.e. if the headers are not found), then the form parameters will be checked (see
* next paragraph). This allows applications to optionally function even when their Siteminder infrastructure is * next paragraph). This allows applications to optionally function even when their Siteminder infrastructure is
* unavailable, as is often the case during development.</p> * unavailable, as is often the case during development.
* <p><b>Login forms</b> must present two <b>parameters</b> to this filter: a username and password. If not * <p>
* <b>Login forms</b> must present two <b>parameters</b> to this filter: a username and password. If not
* specified, the parameter names to use are contained in the static fields {@link #SPRING_SECURITY_FORM_USERNAME_KEY} * specified, the parameter names to use are contained in the static fields {@link #SPRING_SECURITY_FORM_USERNAME_KEY}
* and {@link #SPRING_SECURITY_FORM_PASSWORD_KEY}.</p> * and {@link #SPRING_SECURITY_FORM_PASSWORD_KEY}.
* <p><b>Do not use this class directly.</b> Instead, configure <code>web.xml</code> to use the {@link
* org.springframework.security.util.FilterToBeanProxy}.</p>
*/ */
public class SiteminderAuthenticationProcessingFilter extends AuthenticationProcessingFilter { public class SiteminderAuthenticationProcessingFilter extends AuthenticationProcessingFilter {
//~ Static fields/initializers ===================================================================================== //~ Static fields/initializers =====================================================================================

2
core/src/main/java/org/springframework/security/ui/x509/X509ProcessingFilter.java
View File

@ -62,8 +62,6 @@ import javax.servlet.FilterConfig;
* org.springframework.security.event.authentication.InteractiveAuthenticationSuccessEvent} will be published to the application * org.springframework.security.event.authentication.InteractiveAuthenticationSuccessEvent} will be published to the application
* context. No events will be published if authentication was unsuccessful, because this would generally be recorded * context. No events will be published if authentication was unsuccessful, because this would generally be recorded
* via an <code>AuthenticationManager</code>-specific application event.</p> * via an <code>AuthenticationManager</code>-specific application event.</p>
* <p><b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the {@link
* org.springframework.security.util.FilterToBeanProxy}.</p>
* *
* @author Luke Taylor * @author Luke Taylor
* @deprecated Use <tt>X509PreAuthenticatedProcessingFilter</tt> from the preauth.x509 package instead * @deprecated Use <tt>X509PreAuthenticatedProcessingFilter</tt> from the preauth.x509 package instead

21
core/src/test/resources/webxml/NoRoles.web.xml
View File

@ -11,18 +11,15 @@
<param-value>/WEB-INF/classes/log4j.properties</param-value> <param-value>/WEB-INF/classes/log4j.properties</param-value>
</context-param> </context-param>
<filter> <filter>
<filter-name>Acegi Filter Chain Proxy</filter-name> <filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param> </filter>
<param-name>targetClass</param-name>
<param-value>org.acegisecurity.util.FilterChainProxy</param-value> <filter-mapping>
</init-param> <filter-name>springSecurityFilterChain</filter-name>
</filter> <url-pattern>/*</url-pattern>
<filter-mapping> </filter-mapping>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener> <listener>
<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class> <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>

21
core/src/test/resources/webxml/Role1-4.web.xml
View File

@ -11,18 +11,15 @@
<param-value>/WEB-INF/classes/log4j.properties</param-value> <param-value>/WEB-INF/classes/log4j.properties</param-value>
</context-param> </context-param>
<filter> <filter>
<filter-name>Acegi Filter Chain Proxy</filter-name> <filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param> </filter>
<param-name>targetClass</param-name>
<param-value>org.acegisecurity.util.FilterChainProxy</param-value> <filter-mapping>
</init-param> <filter-name>springSecurityFilterChain</filter-name>
</filter> <url-pattern>/*</url-pattern>
<filter-mapping> </filter-mapping>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener> <listener>
<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class> <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>

20
ntlm/web.xml
View File

@ -16,19 +16,15 @@
</context-param> </context-param>
<!-- 2. Setup the Spring Security Filter Chain Proxy --> <!-- 2. Setup the Spring Security Filter Chain Proxy -->
<filter> <filter>
<filter-name>Spring Security Filter Chain Proxy</filter-name> <filter-name>filterChainProxy</filter-name>
<filter-class>org.springframework.security.util.FilterToBeanProxy</filter-class> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param> </filter>
<param-name>targetClass</param-name>
<param-value>org.springframework.security.util.FilterChainProxy</param-value>
</init-param>
</filter>
<filter-mapping> <filter-mapping>
<filter-name>Spring Security Filter Chain Proxy</filter-name> <filter-name>filterChainProxy</filter-name>
<url-pattern>/**</url-pattern> <url-pattern>/*</url-pattern>
</filter-mapping> </filter-mapping>
<!-- 3. Setup three listeners --> <!-- 3. Setup three listeners -->
<!-- a) Setup a listener to connect spring with the web context --> <!-- a) Setup a listener to connect spring with the web context -->

70
src/docbkx/channel-security.xml
View File

@ -42,56 +42,34 @@
<sect1 id="channel-security-config"> <sect1 id="channel-security-config">
<title>Configuration</title> <title>Configuration</title>
<para>To utilise Spring Security's channel security services, add the <para>To use chanel security, you should define the following the filter in your application
following lines to <literal>web.xml</literal>:</para>
<para><programlisting>
&lt;filter&gt;
&lt;filter-name&gt;Spring Security Channel Processing Filter&lt;/filter-name&gt;
&lt;filter-class&gt;org.springframework.security.util.FilterToBeanProxy&lt;/filter-class&gt;
&lt;init-param&gt;
&lt;param-name&gt;targetClass&lt;/param-name&gt;
&lt;param-value&gt;org.springframework.security.securechannel.ChannelProcessingFilter&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;/filter&gt;
&lt;filter-mapping&gt;
&lt;filter-name&gt;Spring Security Channel Processing Filter&lt;/filter-name&gt;
&lt;url-pattern&gt;/*&lt;/url-pattern&gt;
&lt;/filter-mapping&gt;
</programlisting></para>
<para>As usual when running <literal>FilterToBeanProxy</literal>, you
will also need to configure the filter in your application
context:</para> context:</para>
<para><programlisting> <para><programlisting><![CDATA[
&lt;bean id="channelProcessingFilter" class="org.springframework.security.securechannel.ChannelProcessingFilter"&gt; <bean id="channelProcessingFilter" class="org.springframework.security.securechannel.ChannelProcessingFilter">
&lt;property name="channelDecisionManager"&gt;&lt;ref bean="channelDecisionManager"/&gt;&lt;/property&gt; <property name="channelDecisionManager" ref="channelDecisionManager"/>
&lt;property name="filterInvocationDefinitionSource"&gt; <property name="filterInvocationDefinitionSource">
&lt;value&gt; <security:filter-invocation-definition-source path-type="regex">
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON <security:intercept-url pattern="\A/secure/.*\Z" access="REQUIRES_SECURE_CHANNEL"/>
\A/secure/.*\Z=REQUIRES_SECURE_CHANNEL <security:intercept-url pattern="\A/acegilogin.jsp.*\" access="REQUIRES_SECURE_CHANNEL"/>
\A/acegilogin.jsp.*\Z=REQUIRES_SECURE_CHANNEL <security:intercept-url pattern="\A/j_spring_security_check.*\Z" access="REQUIRES_SECURE_CHANNEL"/>
\A/j_spring_security_check.*\Z=REQUIRES_SECURE_CHANNEL <security:intercept-url pattern="\A/.*\Z" access="REQUIRES_INSECURE_CHANNEL"/>
\A.*\Z=REQUIRES_INSECURE_CHANNEL </security:filter-invocation-definition-source>
&lt;/value&gt; </property>
&lt;/property&gt; </bean>
&lt;/bean&gt;
&lt;bean id="channelDecisionManager" class="org.springframework.security.securechannel.ChannelDecisionManagerImpl"&gt; <bean id="channelDecisionManager" class="org.springframework.security.securechannel.ChannelDecisionManagerImpl">
&lt;property name="channelProcessors"&gt; <property name="channelProcessors">
&lt;list&gt; <list>
&lt;ref bean="secureChannelProcessor"/&gt; <ref bean="secureChannelProcessor"/>
&lt;ref bean="insecureChannelProcessor"/&gt; <ref bean="insecureChannelProcessor"/>
&lt;/list&gt; </list>
&lt;/property&gt; </property>
&lt;/bean&gt; </bean>
&lt;bean id="secureChannelProcessor" class="org.springframework.security.securechannel.SecureChannelProcessor"/&gt;
&lt;bean id="insecureChannelProcessor" class="org.springframework.security.securechannel.InsecureChannelProcessor"/&gt;
<bean id="secureChannelProcessor" class="org.springframework.security.securechannel.SecureChannelProcessor"/>
<bean id="insecureChannelProcessor" class="org.springframework.security.securechannel.InsecureChannelProcessor"/>
]]>
</programlisting></para> </programlisting></para>
<para>Like <literal>FilterSecurityInterceptor</literal>, Apache Ant <para>Like <literal>FilterSecurityInterceptor</literal>, Apache Ant

31
src/docbkx/common-auth-services.xml
View File

@ -17,28 +17,29 @@
user for them to login) plus BASIC authentication (ie so a web service user for them to login) plus BASIC authentication (ie so a web service
or similar can access protected resources).</para> or similar can access protected resources).</para>
<para>In the web.xml, this application will need a single Acegi <para>In the web.xml, this application will need a single Spring
Security filter in order to use the FilterChainProxy. Nearly every Security filter in order to use the FilterChainProxy. Nearly every
Spring Security application will have such an entry, and it looks like Spring Security application will have such an entry, and it looks like
this:</para> this:</para>
<para><programlisting>&lt;filter&gt; <para><programlisting>
&lt;filter-name&gt;Spring Security Filter Chain Proxy&lt;/filter-name&gt; <![CDATA[
&lt;filter-class&gt;org.springframework.security.util.FilterToBeanProxy&lt;/filter-class&gt; <filter>
&lt;init-param&gt; <filter-name>filterChainProxy</filter-name>
&lt;param-name&gt;targetClass&lt;/param-name&gt; <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
&lt;param-value&gt;org.springframework.security.util.FilterChainProxy&lt;/param-value&gt; </filter>
&lt;/init-param&gt;
&lt;/filter&gt;
&lt;filter-mapping&gt; <filter-mapping>
&lt;filter-name&gt;Spring Security Filter Chain Proxy&lt;/filter-name&gt; <filter-name>filterChainProxy</filter-name>
&lt;url-pattern&gt;/*&lt;/url-pattern&gt; <url-pattern>/*</url-pattern>
&lt;/filter-mapping&gt;</programlisting></para> </filter-mapping>
]]></programlisting></para>
<para>The above declarations will cause every web request to be passed <para>The above declarations will cause every web request to be passed
through to Spring Security's FilterChainProxy. As explained in the through to the bean called <literal>filterChainProxy</literal>
filters section of this reference guide, the which will usually be an instance of Spring Security's
<classname>FilterChainProxy</classname>.
As explained in the filters section of this reference guide, the
<classname>FilterChainProxy</classname> is a generally-useful class <classname>FilterChainProxy</classname> is a generally-useful class
that enables web requests to be passed to different filters based on that enables web requests to be passed to different filters based on
the URL patterns. Those delegated filters are managed inside the the URL patterns. Those delegated filters are managed inside the

44
src/docbkx/form-authentication.xml
View File

@ -21,35 +21,17 @@
<para>The login form simply contains <literal>j_username</literal> and <para>The login form simply contains <literal>j_username</literal> and
<literal>j_password</literal> input fields, and posts to a URL that is <literal>j_password</literal> input fields, and posts to a URL that is
monitored by the filter (by default monitored by the filter (by default
<literal>j_spring_security_check</literal>). The filter is defined in <literal>j_spring_security_check</literal>). You should add an
<literal>web.xml</literal> behind a <literal>AuthenticationProcessingFilter</literal> to you application context:
<literal>FilterToBeanProxy</literal> as follows:</para> <programlisting><![CDATA[
<bean id="authenticationProcessingFilter"
<para><programlisting>&lt;filter&gt; class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
&lt;filter-name&gt;Acegi Authentication Processing Filter&lt;/filter-name&gt; <property name="authenticationManager" ref="authenticationManager"/>
&lt;filter-class&gt;org.springframework.security.util.FilterToBeanProxy&lt;/filter-class&gt; <property name="authenticationFailureUrl" value="/acegilogin.jsp?login_error=1"/>
&lt;init-param&gt; <property name="defaultTargetUrl" value="/"/>
&lt;param-name&gt;targetClass&lt;/param-name&gt; <property name="filterProcessesUrl" value="/j_spring_security_check"/>
&lt;param-value&gt;org.springframework.security.ui.webapp.AuthenticationProcessingFilter&lt;/param-value&gt; </bean> ]]>
&lt;/init-param&gt; </programlisting></para>
&lt;/filter&gt;
&lt;filter-mapping&gt;
&lt;filter-name&gt;Acegi Authentication Processing Filter&lt;/filter-name&gt;
&lt;url-pattern&gt;/*&lt;/url-pattern&gt;
&lt;/filter-mapping&gt;</programlisting></para>
<para>For a discussion of <literal>FilterToBeanProxy</literal>, please
refer to the Filters section. The application context will need to
define the <literal>AuthenticationProcessingFilter</literal>:</para>
<para><programlisting>&lt;bean id="authenticationProcessingFilter"
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter"&gt;
&lt;property name="authenticationManager"&gt;&lt;ref bean="authenticationManager"/&gt;&lt;/property&gt;
&lt;property name="authenticationFailureUrl"&gt;&lt;value&gt;/acegilogin.jsp?login_error=1&lt;/value&gt;&lt;/property&gt;
&lt;property name="defaultTargetUrl"&gt;&lt;value&gt;/&lt;/value&gt;&lt;/property&gt;
&lt;property name="filterProcessesUrl"&gt;&lt;value&gt;/j_spring_security_check&lt;/value&gt;&lt;/property&gt;
&lt;/bean&gt; </programlisting></para>
<para>The configured <literal>AuthenticationManager</literal> <para>The configured <literal>AuthenticationManager</literal>
processes each authentication request. If authentication fails, the processes each authentication request. If authentication fails, the
@ -57,7 +39,7 @@
<literal>authenticationFailureUrl</literal>. The <literal>authenticationFailureUrl</literal>. The
<literal>AuthenticationException</literal> will be placed into the <literal>AuthenticationException</literal> will be placed into the
<literal>HttpSession</literal> attribute indicated by <literal>HttpSession</literal> attribute indicated by
<literal>AbstractProcessingFilter.ACEGI_SECURITY_LAST_EXCEPTION_KEY</literal>, <literal>AbstractProcessingFilter.SPRING_SECURITY_LAST_EXCEPTION_KEY</literal>,
enabling a reason to be provided to the user on the error page.</para> enabling a reason to be provided to the user on the error page.</para>
<para>If authentication is successful, the resulting <para>If authentication is successful, the resulting
@ -68,7 +50,7 @@
updated, the browser will need to be redirected to the target URL. The updated, the browser will need to be redirected to the target URL. The
target URL is usually indicated by the <literal>HttpSession</literal> target URL is usually indicated by the <literal>HttpSession</literal>
attribute specified by attribute specified by
<literal>AbstractProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY</literal>. <literal>AbstractProcessingFilter.SPRING_SECURITY_TARGET_URL_KEY</literal>.
This attribute is automatically set by the This attribute is automatically set by the
<literal>ExceptionTranslationFilter</literal> when an <literal>ExceptionTranslationFilter</literal> when an
<literal>AuthenticationException</literal> occurs, so that after login <literal>AuthenticationException</literal> occurs, so that after login

69
src/docbkx/secured-objects.xml
View File

@ -343,56 +343,37 @@ if (this.securityInterceptor == null)
<sect1 id="filter-invocation-authorization"> <sect1 id="filter-invocation-authorization">
<title>FilterInvocation Security Interceptor</title> <title>FilterInvocation Security Interceptor</title>
<para>To secure <literal>FilterInvocation</literal>s, developers need <para>To secure <classname>FilterInvocation</classname>s, developers need
to add a filter to their <literal>web.xml</literal> that delegates to to add a <literal>FilterSecurityInterceptor</literal> to their filter chain.
the <literal>FilterSecurityInterceptor</literal>. A typical A typical configuration example is provided below:</para>
configuration example is provided below:</para>
<programlisting>&lt;filter&gt;
&lt;filter-name&gt;Spring Security HTTP Request Security Filter&lt;/filter-name&gt;
&lt;filter-class&gt;org.springframework.security.util.FilterToBeanProxy&lt;/filter-class&gt;
&lt;init-param&gt;
&lt;param-name&gt;targetClass&lt;/param-name&gt;
&lt;param-value&gt;org.springframework.security.intercept.web.FilterSecurityInterceptor&lt;/param-value&gt;
&lt;/init-param&gt;
&lt;/filter&gt;
&lt;filter-mapping&gt;
&lt;filter-name&gt;Spring Security HTTP Request Security Filter&lt;/filter-name&gt;
&lt;url-pattern&gt;/*&lt;/url-pattern&gt;
&lt;/filter-mapping&gt;</programlisting>
<para>Notice that the filter is actually a
<literal>FilterToBeanProxy</literal>. Most of the filters used by
Spring Security use this class. Refer to the Filters section to learn
more about this bean.</para>
<para>In the application context you will need to configure three <para>In the application context you will need to configure three
beans:</para> beans:</para>
<programlisting>&lt;bean id="exceptionTranslationFilter" <programlisting><![CDATA[
class="org.springframework.security.ui.ExceptionTranslationFilter"&gt; <bean id="exceptionTranslationFilter"
&lt;property name="authenticationEntryPoint"&gt;&lt;ref local="authenticationEntryPoint"/&gt;&lt;/property&gt; class="org.springframework.security.ui.ExceptionTranslationFilter">
&lt;/bean&gt; <property name="authenticationEntryPoint"><ref local="authenticationEntryPoint"/></property>
</bean>
&lt;bean id="authenticationEntryPoint" <bean id="authenticationEntryPoint"
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint"&gt; class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
&lt;property name="loginFormUrl"&gt;&lt;value&gt;/acegilogin.jsp&lt;/value&gt;&lt;/property&gt; <property name="loginFormUrl"><value>/acegilogin.jsp</value></property>
&lt;property name="forceHttps"&gt;&lt;value&gt;false&lt;/value&gt;&lt;/property&gt; <property name="forceHttps"><value>false</value></property>
&lt;/bean&gt; </bean>
&lt;bean id="filterSecurityInterceptor" <bean id="filterSecurityInterceptor"
class="org.springframework.security.intercept.web.FilterSecurityInterceptor"&gt; class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
&lt;property name="authenticationManager"&gt;&lt;ref bean="authenticationManager"/&gt;&lt;/property&gt; <property name="authenticationManager"><ref bean="authenticationManager"/></property>
&lt;property name="accessDecisionManager"&gt;&lt;ref bean="accessDecisionManager"/&gt;&lt;/property&gt; <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
&lt;property name="objectDefinitionSource"&gt; <property name="objectDefinitionSource">
&lt;value&gt; <property name="filterInvocationDefinitionSource">
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON <security:filter-invocation-definition-source path-type="regex">
\A/secure/super/.*\Z=ROLE_WE_DONT_HAVE <security:intercept-url pattern="\A/secure/super/.*\Z" access="ROLE_WE_DONT_HAVE"/>
\A/secure/.*\Z=ROLE_SUPERVISOR,ROLE_TELLER <security:intercept-url pattern="\A/secure/.*\" access="ROLE_SUPERVISOR,ROLE_TELLER"/>
&lt;/value&gt; </security:filter-invocation-definition-source>
&lt;/property&gt; </property>
&lt;/bean&gt; </programlisting> </bean> ]]> </programlisting>
<para>The <classname>ExceptionTranslationFilter</classname> provides <para>The <classname>ExceptionTranslationFilter</classname> provides
the bridge between Java exceptions and HTTP responses. It is solely the bridge between Java exceptions and HTTP responses. It is solely

100
src/docbkx/supporting-infrastructure.xml
View File

@ -83,43 +83,35 @@
<para>Spring Security uses many filters, as referred to throughout the <para>Spring Security uses many filters, as referred to throughout the
remainder of this reference guide. You have a choice in how these remainder of this reference guide. You have a choice in how these
filters are added to your web application, in that you can use either filters are added to your web application, in that you can use either
<literal>FilterToBeanProxy</literal> or Spring's <literal>DelegatingFilterProxy</literal> or
<literal>FilterChainProxy</literal>. We'll look at both below.</para> <literal>FilterChainProxy</literal>. We'll look at both below.</para>
<para>Most filters are configured using the <para>When using <literal>DelegatingFilterProxy</literal>, you will see
<literal>FilterToBeanProxy</literal>. An example configuration from something like this in the web.xml file:
<literal>web.xml</literal> follows:</para>
<para><programlisting>&lt;filter&gt; <programlisting>
&lt;filter-name&gt;Spring Security HTTP Request Security Filter&lt;/filter-name&gt; <![CDATA[
&lt;filter-class&gt;org.springframework.security.util.FilterToBeanProxy&lt;/filter-class&gt; <filter>
&lt;init-param&gt; <filter-name>myFilter</filter-name>
&lt;param-name&gt;targetClass&lt;/param-name&gt; <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
&lt;param-value&gt;org.springframework.security.ClassThatImplementsFilter&lt;/param-value&gt; </filter>
&lt;/init-param&gt;
&lt;/filter&gt;</programlisting></para>
<para>Notice that the filter in <literal>web.xml</literal> is actually <filter-mapping>
a <literal>FilterToBeanProxy</literal>, and not the filter that will <filter-name>myFilter</filter-name>
actually implement the logic of the filter. What <url-pattern>/*</url-pattern>
<literal>FilterToBeanProxy</literal> does is delegate the </filter-mapping>
]]>
</programlisting>
Notice that the filter is actually a <literal>DelegatingFilterProxy</literal>,
and not the filter that will actually implement the logic of the filter. What
<literal>DelegatingFilterProxy</literal> does is delegate the
<literal>Filter</literal>'s methods through to a bean which is <literal>Filter</literal>'s methods through to a bean which is
obtained from the Spring application context. This enables the bean to obtained from the Spring application context. This enables the bean to
benefit from the Spring application context lifecycle support and benefit from the Spring web application context lifecycle support and
configuration flexibility. The bean must implement configuration flexibility. The bean must implement
<literal>javax.servlet.Filter</literal>.</para> <literal>javax.servlet.Filter</literal> and it must have the same name as that in
the <literal>filter-name</literal> element.</para>
<para>The <literal>FilterToBeanProxy</literal> only requires a single
initialization parameter, <literal>targetClass</literal> or
<literal>targetBean</literal>. The <literal>targetClass</literal>
parameter locates the first object in the application context of the
specified class, whilst <literal>targetBean</literal> locates the
object by bean name. Like standard Spring web applications, the
<literal>FilterToBeanProxy</literal> accesses the application context
via<literal>
WebApplicationContextUtils.getWebApplicationContext(ServletContext)</literal>,
so you should configure a <literal>ContextLoaderListener</literal> in
<literal>web.xml</literal>.</para>
<para>There is a lifecycle issue to consider when hosting <para>There is a lifecycle issue to consider when hosting
<literal>Filter</literal>s in an IoC container instead of a servlet <literal>Filter</literal>s in an IoC container instead of a servlet
@ -139,39 +131,31 @@
Spring interfaces (eg the <literal>destroy-method</literal> attribute Spring interfaces (eg the <literal>destroy-method</literal> attribute
in Spring XML). For this reason we recommend the use of Spring in Spring XML). For this reason we recommend the use of Spring
lifecycle services instead of servlet container lifecycle services lifecycle services instead of servlet container lifecycle services
wherever possible. By default <literal>FilterToBeanProxy</literal> wherever possible. Read the Javadoc for <classname>DelegatingFilterProxy</classname>
will not delegate <literal>init(FilterConfig)</literal> and for more information</para>
<literal>destroy()</literal> methods through to the proxied bean. If
you do require such invocations to be delegated, set the
<literal>lifecycle</literal> initialization parameter to
<literal>servlet-container-managed</literal>.</para>
<para>Rather than using <literal>FilterToBeanProxy</literal>, we <para>Rather than using <literal>DelegatingFilterProxy</literal>, we
strongly recommend to use <literal>FilterChainProxy</literal> instead. strongly recommend to use <literal>FilterChainProxy</literal> instead.
Whilst <literal>FilterToBeanProxy</literal> is a very useful class, Whilst <literal>DelegatingFilterProxy</literal> is a very useful class,
the problem is that the lines of code required for the problem is that the number of lines of code required for
<literal>&lt;filter&gt;</literal> and <literal>&lt;filter&gt;</literal> and
<literal>&lt;filter-mapping&gt;</literal> entries in <literal>&lt;filter-mapping&gt;</literal> entries in
<literal>web.xml</literal> explodes when using more than a few <literal>web.xml</literal> explodes when using more than a few
filters. To overcome this issue, Spring Security provides a filters. To overcome this issue, Spring Security provides a
<literal>FilterChainProxy</literal> class. It is wired using a <literal>FilterChainProxy</literal> class. It is wired using a
<literal>FilterToBeanProxy</literal> (just like in the example above), <literal>DelegatingFilterProxy</literal> (just like in the example above),
but the target class is but the target class is
<literal>org.springframework.security.util.FilterChainProxy</literal>. <literal>org.springframework.security.util.FilterChainProxy</literal>.
The filter chain is then declared in the application context, using The filter chain is then declared in the application context, using
code such as this:</para> code such as this:</para>
<para><programlisting>&lt;bean id="filterChainProxy" <para><programlisting><![CDATA[
class="org.springframework.security.util.FilterChainProxy"&gt; <bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
&lt;property name="filterInvocationDefinitionSource"&gt; <sec:filter-chain-map path-type="ant">
&lt;value&gt; <sec:filter-chain pattern="/webServices/**" filters="httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON <sec:filter-chain pattern="/**" filters="httpSessionContextIntegrationFilterWithASCTrue,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
PATTERN_TYPE_APACHE_ANT </sec:filter-chain-map>
/webServices/**=httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor </bean> ]]> </programlisting></para>
/**=httpSessionContextIntegrationFilterWithASCTrue,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
&lt;/value&gt;
&lt;/property&gt;
&lt;/bean&gt; </programlisting></para>
<para>You may notice similarities with the way <para>You may notice similarities with the way
<literal>FilterSecurityInterceptor</literal> is declared. Both regular <literal>FilterSecurityInterceptor</literal> is declared. Both regular
@ -221,11 +205,11 @@
irrespective of how many times it is declared by the irrespective of how many times it is declared by the
<literal>FilterInvocationDefinitionSource</literal>. You control the <literal>FilterInvocationDefinitionSource</literal>. You control the
overall choice as to whether these methods are called or not via the overall choice as to whether these methods are called or not via the
<literal>lifecycle</literal> initialization parameter of the <literal>targetFilterLifecycle</literal> initialization parameter of the
<literal>FilterToBeanProxy</literal> that proxies <literal>DelegatingFilterProxy</literal> that proxies
<literal>FilterChainProxy</literal>. As discussed above, by default <literal>DelegatingFilterProxy</literal>. As discussed above, by default
any servlet container lifecycle invocations are not delegated through any servlet container lifecycle invocations are not delegated through
to <literal>FilterChainProxy</literal>.</para> to <literal>DelegatingFilterProxy</literal>.</para>
<para>You can also omit a URI pattern from the filter chain by using <para>You can also omit a URI pattern from the filter chain by using
the token <literal>#NONE#</literal> on the right-hand side of the the token <literal>#NONE#</literal> on the right-hand side of the
@ -317,12 +301,12 @@
</orderedlist> </orderedlist>
<para>All of the above filters use <para>All of the above filters use
<literal>FilterToBeanProxy</literal> or <literal>DelegatingFilterProxy</literal> or
<literal>FilterChainProxy</literal>. It is recommended that a single <literal>FilterChainProxy</literal>. It is recommended that a single
<literal>FilterToBeanProxy</literal> proxy through to a single <literal>DelegatingFilterProxy</literal> proxy through to a single
<literal>FilterChainProxy</literal> for each application, with that <literal>FilterChainProxy</literal> for each application, with that
<literal>FilterChainProxy</literal> defining all of Spring Security <literal>FilterChainProxy</literal> defining all of Spring Security
<literal>Filter</literal>s.</para> filters.</para>
<para>If you're using SiteMesh, ensure Spring Security filters execute <para>If you're using SiteMesh, ensure Spring Security filters execute
before the SiteMesh filters are called. This enables the before the SiteMesh filters are called. This enables the

22
src/site/apt/petclinic-tutorial.apt
View File

@ -55,19 +55,15 @@ copy %acegi%\WEB-INF\lib\commons-codec-1.3.jar %spring%\samples\petclinic\war\WE
+------------------------------------------------------ +------------------------------------------------------
<filter> <filter>
<filter-name>Spring Security Filter Chain Proxy</filter-name> <filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.security.util.FilterToBeanProxy</filter-class> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param> </filter>
<param-name>targetClass</param-name>
<param-value>org.springframework.security.util.FilterChainProxy</param-value>
</init-param>
</filter>
<filter-mapping> <filter-mapping>
<filter-name>Spring Security Filter Chain Proxy</filter-name> <filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern> <url-pattern>/*</url-pattern>
</filter-mapping> </filter-mapping>
+------------------------------------------------------ +------------------------------------------------------
@ -80,7 +76,7 @@ copy %acegi%\WEB-INF\lib\commons-codec-1.3.jar %spring%\samples\petclinic\war\WE
<param-name>contextConfigLocation</param-name> <param-name>contextConfigLocation</param-name>
<param-value> <param-value>
/WEB-INF/applicationContext-jdbc.xml /WEB-INF/applicationContext-jdbc.xml
/WEB-INF/applicationContext-acegi-security.xml /WEB-INF/applicationContext-security-ns.xml
</param-value> </param-value>
</context-param> </context-param>