diff --git a/doc/docbook/acegi.xml b/doc/docbook/acegi.xml index 23129cfc0b..86085b8ff1 100644 --- a/doc/docbook/acegi.xml +++ b/doc/docbook/acegi.xml @@ -424,11 +424,11 @@ register a bean inside your application context to refer to the messages. An example is shown below: - - org/acegisecurity/messages - -]]> + +<bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource"> + <property name="basename"><value>org/acegisecurity/messages</value></property> +</bean> + The messages.properties is named in @@ -577,21 +577,21 @@ MethodSecurityInterceptor itself is configured as follows: - - true - - - - - - + +<bean id="bankManagerSecurity" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"> + <property name="validateConfigAttributes"><value>true</value></property> + <property name="authenticationManager"><ref bean="authenticationManager"/></property> + <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property> + <property name="runAsManager"><ref bean="runAsManager"/></property> + <property name="afterInvocationManager"><ref bean="afterInvocationManager"/></property> + <property name="objectDefinitionSource"> + <value> org.acegisecurity.context.BankManager.delete*=ROLE_SUPERVISOR,RUN_AS_SERVER org.acegisecurity.context.BankManager.getBalance=ROLE_TELLER,ROLE_SUPERVISOR,BANKSECURITY_CUSTOMER,RUN_AS_SERVER - - - -]]> + </value> + </property> +</bean> + As shown above, the MethodSecurityInterceptor @@ -642,20 +642,20 @@ If you are using the Jakarta Commons Attributes approach, your bean context will be configured differently: - - - - + +<bean id="attributes" class="org.springframework.metadata.commons.CommonsAttributes"/> +<bean id="objectDefinitionSource" class="org.acegisecurity.intercept.method.MethodDefinitionAttributes"> + <property name="attributes"><ref local="attributes"/></property> +</bean> + +<bean id="bankManagerSecurity" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"> + <property name="validateConfigAttributes"><value>false</value></property> + <property name="authenticationManager"><ref bean="authenticationManager"/></property> + <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property> + <property name="runAsManager"><ref bean="runAsManager"/></property> + <property name="objectDefinitionSource"><ref bean="objectDefinitionSource"/></property> +</bean> - - false - - - - - -]]> In addition, your source code will contain Jakarta Commons @@ -692,20 +692,20 @@ If you are using the Spring Security Java 5 Annotations approach, your bean context will be configured as follows: - - - - + +<bean id="attributes" class="org.acegisecurity.annotation.SecurityAnnotationAttributes"/> +<bean id="objectDefinitionSource" class="org.acegisecurity.intercept.method.MethodDefinitionAttributes"> + <property name="attributes"><ref local="attributes"/></property> +</bean> + +<bean id="bankManagerSecurity" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"> + <property name="validateConfigAttributes"><value>false</value></property> + <property name="authenticationManager"><ref bean="authenticationManager"/></property> + <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property> + <property name="runAsManager"><ref bean="runAsManager"/></property> + <property name="objectDefinitionSource"><ref bean="objectDefinitionSource"/></property> +</bean> - - false - - - - - -]]> In addition, your source code will contain the Acegi Java 5 @@ -762,17 +762,17 @@ public interface BankManager { requirement on CGLIB. See an example of using BeanNameAutoProxyCreator below: - - - methodSecurityInterceptor - - - targetObjectName - - - -]]> + +<bean id="autoProxyCreator" class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator"> + <property name="interceptorNames"> + <list><value>methodSecurityInterceptor</value></list> + </property> + <property name="beanNames"> + <list><value>targetObjectName</value></list> + </property> + <property name="proxyTargetClass" value="true"/> +</bean> + @@ -799,21 +799,21 @@ public interface BankManager { AspectJSecurityInterceptor is configured in the Spring application context: - - true - - - - - - + +<bean id="bankManagerSecurity" class="org.acegisecurity.intercept.method.aspectj.AspectJSecurityInterceptor"> + <property name="validateConfigAttributes"><value>true</value></property> + <property name="authenticationManager"><ref bean="authenticationManager"/></property> + <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property> + <property name="runAsManager"><ref bean="runAsManager"/></property> + <property name="afterInvocationManager"><ref bean="afterInvocationManager"/></property> + <property name="objectDefinitionSource"> + <value> org.acegisecurity.context.BankManager.delete*=ROLE_SUPERVISOR,RUN_AS_SERVER org.acegisecurity.context.BankManager.getBalance=ROLE_TELLER,ROLE_SUPERVISOR,BANKSECURITY_CUSTOMER,RUN_AS_SERVER - - - -]]> + </value> + </property> +</bean> + As you can see, aside from the class name, the @@ -886,13 +886,13 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { with the AspectJSecurityInterceptor. A bean declaration which achieves this is shown below: - +<bean id="domainObjectInstanceSecurityAspect" class="org.acegisecurity.samples.aspectj.DomainObjectInstanceSecurityAspect" - factory-method="aspectOf"> - - -]]> + factory-method="aspectOf"> + <property name="securityInterceptor"><ref bean="aspectJSecurityInterceptor"/></property> +</bean> + That's it! Now you can create your beans from anywhere within @@ -907,21 +907,21 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { To secure FilterInvocations, developers need to add a filter to their web.xml that delegates to the FilterSecurityInterceptor. A typical - configuration example is provided below: - Acegi HTTP Request Security Filter - org.acegisecurity.util.FilterToBeanProxy - - targetClass - org.acegisecurity.intercept.web.FilterSecurityInterceptor - - + configuration example is provided below: +<filter> + <filter-name>Acegi HTTP Request Security Filter</filter-name> + <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class> + <init-param> + <param-name>targetClass</param-name> + <param-value>org.acegisecurity.intercept.web.FilterSecurityInterceptor</param-value> + </init-param> +</filter> - - Acegi HTTP Request Security Filter - /* - -]]> +<filter-mapping> + <filter-name>Acegi HTTP Request Security Filter</filter-name> + <url-pattern>/*</url-pattern> +</filter-mapping> + Notice that the filter is actually a FilterToBeanProxy. Most of the filters used by the @@ -931,31 +931,31 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { In the application context you will need to configure three beans: - - - + +<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter"> + <property name="authenticationEntryPoint"><ref local="authenticationEntryPoint"/></property> +</bean> - - /acegilogin.jsp - false - +<bean id="authenticationEntryPoint" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint"> + <property name="loginFormUrl"><value>/acegilogin.jsp</value></property> + <property name="forceHttps"><value>false</value></property> +</bean> - - - - - +<bean id="filterSecurityInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor"> + <property name="authenticationManager"><ref bean="authenticationManager"/></property> + <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property> + <property name="objectDefinitionSource"> + <value> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON \A/secure/super/.*\Z=ROLE_WE_DONT_HAVE \A/secure/.*\Z=ROLE_SUPERVISOR,ROLE_TELLER - - - -]]> + </value> + </property> +</bean> + - - The ExceptionTranslationFilter - provides the bridge between Java exceptions and HTTP responses. - It is solely concerned with maintaining the - user interface. This filter does not do any actual security enforcement. - If an AuthenticationException is detected, + + The ExceptionTranslationFilter provides + the bridge between Java exceptions and HTTP responses. It is solely + concerned with maintaining the user interface. This filter does not do + any actual security enforcement. If an + AuthenticationException is detected, the filter will call the AuthenticationEntryPoint to commence the - authentication process (e.g. a user login). - - + authentication process (e.g. a user login). + The AuthenticationEntryPoint will be called if the user requests a secure HTTP resource but they are not authenticated. The class handles presenting the appropriate response @@ -982,23 +982,23 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { for commencing a form-based authentication, BasicProcessingFilterEntryPoint for commencing a HTTP Basic authentication process, and - CasProcessingFilterEntryPoint for commencing a JA-SIG - Central Authentication Service (CAS) login. The + CasProcessingFilterEntryPoint for commencing a + JA-SIG Central Authentication Service (CAS) login. The AuthenticationProcessingFilterEntryPoint and CasProcessingFilterEntryPoint have optional properties related to forcing the use of HTTPS, so please refer to the - JavaDocs if you require this. - - FilterSecurityInterceptor is responsible for - handling the security of HTTP resources. - Like any other security - interceptor, it requires a reference to an AuthenticationManager - and an AccessDecisionManager, which are both - discussed in separate sections below. The - FilterSecurityInterceptor is - also configured with configuration attributes that apply to different - HTTP URL requests. A full discussion of configuration attributes is - provided in the High Level Design section of this document. + JavaDocs if you require this. + + FilterSecurityInterceptor is responsible for + handling the security of HTTP resources. Like any other security + interceptor, it requires a reference to an + AuthenticationManager and an + AccessDecisionManager, which are both discussed in + separate sections below. The + FilterSecurityInterceptor is also configured with + configuration attributes that apply to different HTTP URL requests. A + full discussion of configuration attributes is provided in the High + Level Design section of this document. The FilterSecurityInterceptor can be configured with configuration attributes in two ways. The first is via @@ -1042,21 +1042,21 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { earlier configuration could be generated using Apache Ant paths as follows: - - - - - - + +<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor"> + <property name="authenticationManager"><ref bean="authenticationManager"/></property> + <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property> + <property name="runAsManager"><ref bean="runAsManager"/></property> + <property name="objectDefinitionSource"> + <value> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT /secure/super/**=ROLE_WE_DONT_HAVE /secure/**=ROLE_SUPERVISOR,ROLE_TELLER - - - -]]> + </value> + </property> +</bean> + Irrespective of the type of expression syntax used, expressions @@ -1222,16 +1222,16 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { ProviderManager, is configured via the bean context with a list of AuthenticationProviders: - - - - - - - - -]]> + +<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager"> + <property name="providers"> + <list> + <ref bean="daoAuthenticationProvider"/> + <ref bean="someOtherAuthenticationProvider"/> + </list> + </property> +</bean> + ProviderManager calls a series of registered @@ -1311,8 +1311,8 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { CasAuthenticationProvider is able to - authenticate JA-SIG Central Authentication Service (CAS) tickets. - This is discussed further in the CAS Single Sign On + authenticate JA-SIG Central Authentication Service (CAS) + tickets. This is discussed further in the CAS Single Sign On section. @@ -1336,11 +1336,11 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { To use concurrent session support, you'll need to add the following to web.xml: - - org.acegisecurity.ui.session.HttpSessionEventPublisher - -]]> + +<listener> + <listener-class>org.acegisecurity.ui.session.HttpSessionEventPublisher</listener-class> +</listener> + In addition, you will need to add the @@ -1362,21 +1362,21 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { ConcurrentSessionControllerImpl and refer to it from your ProviderManager bean: - - - - - - + +<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager"> + <property name="providers"> + <!-- your providers go here --> + </property> + <property name="sessionController"><ref bean="concurrentSessionController"/></property> +</bean> - - 1 - - +<bean id="concurrentSessionController" class="org.acegisecurity.concurrent.ConcurrentSessionControllerImpl"> + <property name="maximumSessions"><value>1</value></property> + <property name="sessionRegistry"><ref local="sessionRegistry"/></property> +</bean> + +<bean id="sessionRegistry" class="org.acegisecurity.concurrent.SessionRegistryImpl"/> - -]]> @@ -1391,13 +1391,13 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { authentication details from a data access object configured at bean creation time: - - - - - -]]> + +<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider"> + <property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property> + <property name="saltSource"><ref bean="saltSource"/></property> + <property name="passwordEncoder"><ref bean="passwordEncoder"/></property> +</bean> + The PasswordEncoder and @@ -1429,31 +1429,31 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { EhCacheBasedUserCache, which is configured as follows: - - - - + +<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider"> + <property name="userDetailsService"><ref bean="userDetailsService"/></property> + <property name="userCache"><ref bean="userCache"/></property> +</bean> - - - classpath:/ehcache-failsafe.xml - - +<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"> + <property name="configLocation"> + <value>classpath:/ehcache-failsafe.xml</value> + </property> +</bean> - - - - - - userCache - - +<bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean"> + <property name="cacheManager"> + <ref local="cacheManager"/> + </property> + <property name="cacheName"> + <value>userCache</value> + </property> +</bean> - - - -]]> +<bean id="userCache" class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache"> + <property name="cache"><ref local="userCacheBackend"/></property> +</bean> + All Acegi Security EH-CACHE implementations (including @@ -1528,18 +1528,18 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { authentication repository in the application context itself using the InMemoryDaoImpl: - - - + +<bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl"> + <property name="userMap"> + <value> marissa=koala,ROLE_TELLER,ROLE_SUPERVISOR dianne=emu,ROLE_TELLER scott=wombat,ROLE_TELLER peter=opal,disabled,ROLE_TELLER - - - -]]> + </value> + </property> +</bean> + The userMap property contains each of the @@ -1573,18 +1573,18 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { from a JDBC data source. The typical configuration for the JdbcDaoImpl is shown below: - - org.hsqldb.jdbcDriver - jdbc:hsqldb:hsql://localhost:9001 - sa - - + +<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource"> + <property name="driverClassName"><value>org.hsqldb.jdbcDriver</value></property> + <property name="url"><value>jdbc:hsqldb:hsql://localhost:9001</value></property> + <property name="username"><value>sa</value></property> + <property name="password"><value></value></property> +</bean> + +<bean id="jdbcDaoImpl" class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl"> + <property name="dataSource"><ref bean="dataSource"/></property> +</bean> - - - -]]> You can use different relational database management systems by @@ -1631,27 +1631,27 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { application context. The following definitions would correspond to the above JAAS login configuration file: - - - /WEB-INF/login.conf - - - JAASTest - - - - - - - - - - - - - -]]> + +<bean id="jaasAuthenticationProvider" class="org.acegisecurity.providers.jaas.JaasAuthenticationProvider"> + <property name="loginConfig"> + <value>/WEB-INF/login.conf</value> + </property> + <property name="loginContextName"> + <value>JAASTest</value> + </property> + <property name="callbackHandlers"> + <list> + <bean class="org.acegisecurity.providers.jaas.JaasNameCallbackHandler"/> + <bean class="org.acegisecurity.providers.jaas.JaasPasswordCallbackHandler"/> + </list> + </property> + <property name="authorityGranters"> + <list> + <bean class="org.acegisecurity.providers.jaas.TestAuthorityGranter"/> + </list> + </property> +</bean> + The CallbackHandlers and @@ -1740,14 +1740,15 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { Recall that a Siteminder agent is set up on your web server to intercept a user's first call to your application. This agent - redirects the initial request to a login page, and only after - successful authentication does your application receive the request. - Authenticated requests contain one or more HTTP headers populated by - the Siteminder agent. Below we'll assume that the request header key - containing the user's identity is "SM_USER", but of course your header - values may be different based on Siteminder policy server - configuration. Please refer to your company's "single sign-on" group - for header details. + redirects the initial request to a login page (usually + organization-wide), and only after successful authentication does your + application receive the request. Authenticated requests then contain + one or more HTTP headers populated by the Siteminder agent. Below + we'll assume that the request header key containing the user's + identity is "SM_USER", but of course your header values may be + different based on Siteminder policy server configuration. Please + refer to your organization's "single sign-on" group for header + details. SiteminderAuthenticationProcessingFilter @@ -1761,41 +1762,41 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { authenticated the user, so it's typical to use the same header for both. - - - - /login.jsp?login_error=1 - /security.do?method=getMainMenu - /j_acegi_security_check - SM_USER - SM_USER - -]]> + +<!-- ======================== SITEMINDER AUTHENTICATION PROCESSING FILTER ======================= --> +<bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.SiteminderAuthenticationProcessingFilter"> + <property name="authenticationManager"><ref bean="authenticationManager"/></property> + <property name="authenticationFailureUrl"><value>/login.jsp?login_error=1</value></property> + <property name="defaultTargetUrl"><value>/security.do?method=getMainMenu</value></property> + <property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property> + <property name="siteminderUsernameHeaderKey"><value>SM_USER</value></property> + <property name="siteminderPasswordHeaderKey"><value>SM_USER</value></property> +</bean> + - Since this authenticationProcessingFilter - depends on an authenticationManager, we'll need - to define one: + Since this authenticationProcessingFilter + depends on an authenticationManager, we'll need + to define one: - - - - - - - - - -]]> + --> +<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager"> + <property name="providers"> + <list> + <ref local="daoAuthenticationProvider"/> + </list> + </property> +</bean> + - Note that your daoAuthenticationProvider - above will expect the password property to match what it expects. In + Note that a daoAuthenticationProvider above + needs to expect the password property to match what it expects. In this case, authentication has already been handled by Siteminder and you've specified the same HTTP header for both username and password, so you can code @@ -1812,35 +1813,46 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { authenticationProcessingFilter in its operations. - - - - - + --> +<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy"> + <property name="filterInvocationDefinitionSource"> + <value> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor - - - -]]> + </value> + </property> +</bean> + - In summary, once the user has authenticated through - Siteminder, their header-loaded request will be brokered by + If you already have Acegi configured prior to adding + Siteminder authentication, that's really all there is to it. In + summary, once the user has authenticated through Siteminder, their + header-loaded request will be brokered by filterChainProxy to authenticationProcessingFilter, which in turn will grab the user's identity from the SM_USER request header. The user's identity will then be passed to the - authenticationManager and finally + authenticationManager and finally your daoAuthenticationProvider will do the work of - authorizing the user against back-end databases, etc. and loading + authorizing the user (against back-end databases, etc.) and loading the UserDetails implementation with roles, - username and any other property you deem relevant. + username and other properties you deem relevant. + + Advanced tip & word to the wise: the + SiteminderAuthenticationProcessingFilter actually extends + AuthenticationProcessingFilter and thus additionally supports form + validation. If you configure the filter to support both, and code + your daoAuthenticationProvider to match the + username and passwords as described above, you'll potentially defeat + any security you have in place if the web server's Siteminder agent + is deactivated. Don't do this, especially in production! @@ -2083,31 +2095,31 @@ public boolean supports(Class clazz); designed to have multiple instances in the same application context, such as: - - ACL_CONTACT_READ - sample.contact.Contact - - - - - - - - + +<bean id="aclContactReadVoter" class="org.acegisecurity.vote.BasicAclEntryVoter"> + <property name="processConfigAttribute"><value>ACL_CONTACT_READ</value></property> + <property name="processDomainObjectClass"><value>sample.contact.Contact</value></property> + <property name="aclManager"><ref local="aclManager"/></property> + <property name="requirePermission"> + <list> + <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION"/> + <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.READ"/> + </list> + </property> +</bean> + +<bean id="aclContactDeleteVoter" class="org.acegisecurity.vote.BasicAclEntryVoter"> + <property name="processConfigAttribute"><value>ACL_CONTACT_DELETE</value></property> + <property name="processDomainObjectClass"><value>sample.contact.Contact</value></property> + <property name="aclManager"><ref local="aclManager"/></property> + <property name="requirePermission"> + <list> + <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION"/> + <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.DELETE"/> + </list> + </property> +</bean> - - ACL_CONTACT_DELETE - sample.contact.Contact - - - - - - - - -]]> In the above example, you'd define @@ -2174,12 +2186,12 @@ public boolean supports(Class clazz); directory. The following fragment is added to web.xml: - - http://acegisecurity.sf.net/authz - /WEB-INF/authz.tld - -]]> + +<taglib> + <taglib-uri>http://acegisecurity.sf.net/authz</taglib-uri> + <taglib-location>/WEB-INF/authz.tld</taglib-location> +</taglib> + @@ -2192,13 +2204,13 @@ public boolean supports(Class clazz); The following JSP fragment illustrates how to use the AuthorizeTag: - - - ">Del - - -]]> + +<authz:authorize ifAllGranted="ROLE_SUPERVISOR"> + <td> + <A HREF="del.htm?id=<c:out value="${contact.id}"/>">Del</A> + </td> +</authz:authorize> + This tag would cause the tag's body to be output if the @@ -2281,11 +2293,11 @@ public boolean supports(Class clazz); The following JSP fragment illustrates how to use the AclTag: - - ">Del - -]]> + +<authz:acl domainObject="${contact}" hasPermission="16,1"> + <td><A HREF="<c:url value="del.htm"><c:param name="contactId" value="${contact.id}"/></c:url>">Del</A></td> +</authz:acl> + This tag would cause the tag's body to be output if the @@ -2410,17 +2422,17 @@ public boolean supports(Class clazz); BasicAclAfterInvocationProvider delivers a solution, and is configured as follows: - - - - - - - - - -]]> + +<bean id="afterAclRead" class="org.acegisecurity.afterinvocation.BasicAclEntryAfterInvocationProvider"> + <property name="aclManager"><ref local="aclManager"/></property> + <property name="requirePermission"> + <list> + <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION"/> + <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.READ"/> + </list> + </property> +</bean> + In the above example, the Contact will be @@ -2441,17 +2453,17 @@ public boolean supports(Class clazz); an AccessDeniedException - simply silently removes the offending elements. The provider is configured as follows: - - - - - - - - - -]]> + +<bean id="afterAclCollectionRead" class="org.acegisecurity.afterinvocation.BasicAclEntryAfterInvocationCollectionFilteringProvider"> + <property name="aclManager"><ref local="aclManager"/></property> + <property name="requirePermission"> + <list> + <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION"/> + <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.READ"/> + </list> + </property> +</bean> + As you can imagine, the returned Object must @@ -2554,15 +2566,15 @@ public boolean supports(Class clazz); RunAsImplAuthenticationProvider is created in the bean context with the same key: - - my_run_as_password - + +<bean id="runAsManager" class="org.acegisecurity.runas.RunAsManagerImpl"> + <property name="key"><value>my_run_as_password</value></property> +</bean> + +<bean id="runAsAuthenticationProvider" class="org.acegisecurity.runas.RunAsImplAuthenticationProvider"> + <property name="key"><value>my_run_as_password</value></property> +</bean> - - my_run_as_password - -]]> By using the same key, each RunAsUserToken @@ -2637,35 +2649,34 @@ public boolean supports(Class clazz); web.xml behind a FilterToBeanProxy as follows: - - Acegi Authentication Processing Filter - org.acegisecurity.util.FilterToBeanProxy - - targetClass - org.acegisecurity.ui.webapp.AuthenticationProcessingFilter - - + +<filter> + <filter-name>Acegi Authentication Processing Filter</filter-name> + <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class> + <init-param> + <param-name>targetClass</param-name> + <param-value>org.acegisecurity.ui.webapp.AuthenticationProcessingFilter</param-value> + </init-param> +</filter> - - Acegi Authentication Processing Filter - /* -]]> - - +<filter-mapping> + <filter-name>Acegi Authentication Processing Filter</filter-name> + <url-pattern>/*</url-pattern> +</filter-mapping> + For a discussion of FilterToBeanProxy, please refer to the Filters section. The application context will need to define the AuthenticationProcessingFilter: - - - /acegilogin.jsp?login_error=1 - / - /j_acegi_security_check - -]]> + +<bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter"> + <property name="authenticationManager"><ref bean="authenticationManager"/></property> + <property name="authenticationFailureUrl"><value>/acegilogin.jsp?login_error=1</value></property> + <property name="defaultTargetUrl"><value>/</value></property> + <property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property> +</bean> + The configured AuthenticationManager @@ -2721,16 +2732,16 @@ public boolean supports(Class clazz); BasicProcessingFilter and its required collaborator: - - - - + +<bean id="basicProcessingFilter" class="org.acegisecurity.ui.basicauth.BasicProcessingFilter"> + <property name="authenticationManager"><ref bean="authenticationManager"/></property> + <property name="authenticationEntryPoint"><ref bean="authenticationEntryPoint"/></property> +</bean> + +<bean id="authenticationEntryPoint" class="org.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint"> + <property name="realmName"><value>Name Of Your Realm</value></property> +</bean> - - Name Of Your Realm - -]]> The configured AuthenticationManager @@ -2834,19 +2845,19 @@ key: A private key to prevent modification of the nonce token DigestProcessingFilter and its required collaborators: - - - - - + +<bean id="digestProcessingFilter" class="org.acegisecurity.ui.digestauth.DigestProcessingFilter"> + <property name="userDetailsService"><ref local="jdbcDaoImpl"/></property> + <property name="authenticationEntryPoint"><ref local="digestProcessingFilterEntryPoint"/></property> + <property name="userCache"><ref local="userCache"/></property> +</bean> + +<bean id="digestProcessingFilterEntryPoint" class="org.acegisecurity.ui.digestauth.DigestProcessingFilterEntryPoint"> + <property name="realmName"><value>Contacts Realm via Digest Authentication</value></property> + <property name="key"><value>acegi</value></property> + <property name="nonceValiditySeconds"><value>10</value></property> +</bean> - - Contacts Realm via Digest Authentication - acegi - 10 - -]]> The configured UserDetailsService is needed @@ -2918,16 +2929,16 @@ key: A private key to prevent modification of the nonce token Authentication held there. The definition of the filter and authentication provider appears as follows: - - foobar - anonymousUser,ROLE_ANONYMOUS - + +<bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter"> + <property name="key"><value>foobar</value></property> + <property name="userAttribute"><value>anonymousUser,ROLE_ANONYMOUS</value></property> +</bean> + +<bean id="anonymousAuthenticationProvider" class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider"> + <property name="key"><value>foobar</value></property> +</bean> - - foobar - -]]> The key is shared between the filter and @@ -2943,12 +2954,12 @@ key: A private key to prevent modification of the nonce token that all URI patterns can have security applied to them. For example: - - - - - + +<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor"> + <property name="authenticationManager"><ref bean="authenticationManager"/></property> + <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property> + <property name="objectDefinitionSource"> + <value> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT /index.jsp=ROLE_ANONYMOUS,ROLE_USER @@ -2956,15 +2967,14 @@ key: A private key to prevent modification of the nonce token /logoff.jsp=ROLE_ANONYMOUS,ROLE_USER /acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_USER /**=ROLE_USER - - - -]]> - Rounding out the anonymous authentication - discussion is the AuthenticationTrustResolver - interface, with its corresponding - AuthenticationTrustResolverImpl implementation. - This interface provides an + </value> + </property> +</bean> + + Rounding out the anonymous authentication discussion + is the AuthenticationTrustResolver interface, with + its corresponding AuthenticationTrustResolverImpl + implementation. This interface provides an isAnonymous(Authentication) method, which allows interested classes to take into account this special type of authentication status. The @@ -3063,20 +3073,20 @@ key: A private key to prevent modification of the remember-me token The beans required in an application context to enable remember-me services are as follows: - - - + +<bean id="rememberMeProcessingFilter" class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter"> + <property name="rememberMeServices"><ref local="rememberMeServices"/></property> +</bean> - - - springRocks - +<bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices"> + <property name="userDetailsService"><ref local="jdbcDaoImpl"/></property> + <property name="key"><value>springRocks</value></property> +</bean> - - springRocks - -]]> +<bean id="rememberMeAuthenticationProvider" class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider"> + <property name="key"><value>springRocks</value></property> +</bean> + Don't forget to add your RememberMeServices implementation to your AuthenticationProcessingFilter.setRememberMeServices() @@ -3176,11 +3186,11 @@ key: A private key to prevent modification of the remember-me token to be validated by the AuthByAdapterProvider. This authentication provider is defined as follows: - - my_password - -]]> + +<bean id="authByAdapterProvider" class="org.acegisecurity.adapters.AuthByAdapterProvider"> + <property name="key"><value>my_password</value></property> +</bean> + The key must match the key that is defined in the @@ -3298,17 +3308,17 @@ $CATALINA_HOME/bin/startup.sh the <Configure class> section has a new addRealm call: - - - - Spring Powered Realm - my_password - etc/acegisecurity.xml - - - -]]> + + <Call name="addRealm"> + <Arg> + <New class="org.acegisecurity.adapters.jetty.JettyAcegiUserRealm"> + <Arg>Spring Powered Realm</Arg> + <Arg>my_password</Arg> + <Arg>etc/acegisecurity.xml</Arg> + </New> + </Arg> + </Call> + Copy acegisecurity.xml into @@ -3371,17 +3381,17 @@ $CATALINA_HOME/bin/startup.sh file so that it contains a new entry under the <Policy> section: - - - - acegisecurity.xml - my_password - - - -]]> + +<application-policy name = "SpringPoweredRealm"> + <authentication> + <login-module code = "org.acegisecurity.adapters.jboss.JbossSpringLoginModule" + flag = "required"> + <module-option name = "appContextLocation">acegisecurity.xml</module-option> + <module-option name = "key">my_password</module-option> + </login-module> + </authentication> +</application-policy> + Copy acegisecurity.xml into @@ -3397,18 +3407,18 @@ $CATALINA_HOME/bin/startup.sh org.springframework.beans.factory.access.SingletonBeanFactoryLocator. The required configuration for this approach is: - - - - springRealm - my_password - authenticationManager - - - -]]> + +<application-policy name = "SpringPoweredRealm"> + <authentication> + <login-module code = "org.acegisecurity.adapters.jboss.JbossSpringLoginModule" + flag = "required"> + <module-option name = "singletonId">springRealm</module-option> + <module-option name = "key">my_password</module-option> + <module-option name = "authenticationManager">authenticationManager</module-option> + </login-module> + </authentication> +</application-policy> + In the above code fragment, @@ -3423,17 +3433,17 @@ $CATALINA_HOME/bin/startup.sh beanRefFactory.xml contains the following declaration: - - - - - acegisecurity.xml - - - - -]]> + +<beans> + <bean id="springRealm" singleton="true" lazy-init="true" class="org.springframework.context.support.ClassPathXmlApplicationContext"> + <constructor-arg> + <list> + <value>acegisecurity.xml</value> + </list> + </constructor-arg> + </bean> +</beans> + Finally, irrespective of the configuration approach you need to @@ -3475,11 +3485,11 @@ $CATALINA_HOME/bin/startup.sh example, your jboss-web.xml would look like this: - - java:/jaas/SpringPoweredRealm - -]]> + +<jboss-web> + <security-domain>java:/jaas/SpringPoweredRealm</security-domain> +</jboss-web> + @@ -3537,17 +3547,17 @@ $CATALINA_HOME/bin/startup.sh application will also contain a resin-web.xml file which Resin uses to start the container adapter: - - - org.acegisecurity.adapters.resin.ResinAcegiAuthenticator - - WEB-INF/resin-acegisecurity.xml - my_password - - - -]]> + +<web-app> + <authenticator> + <type>org.acegisecurity.adapters.resin.ResinAcegiAuthenticator</type> + <init> + <app-context-location>WEB-INF/resin-acegisecurity.xml</app-context-location> + <key>my_password</key> + </init> + </authenticator> +</web-app> + With the basic configuration provided above, none of the JAR @@ -3560,23 +3570,24 @@ $CATALINA_HOME/bin/startup.sh - JA-SIG Central Authentication Service (CAS) Single Sign On + JA-SIG Central Authentication Service (CAS) Single Sign + On Overview - JA-SIG produces an enterprise-wide single sign on - system known as CAS. Unlike other initiatives, JA-SIG's Central - Authentication Service is open source, widely used, simple to - understand, platform independent, and supports proxy capabilities. The - Acegi Security System for Spring fully supports CAS, and provides an - easy migration path from single-application deployments of Acegi - Security through to multiple-application deployments secured by an - enterprise-wide CAS server. + JA-SIG produces an enterprise-wide single sign on system known + as CAS. Unlike other initiatives, JA-SIG's Central Authentication + Service is open source, widely used, simple to understand, platform + independent, and supports proxy capabilities. The Acegi Security + System for Spring fully supports CAS, and provides an easy migration + path from single-application deployments of Acegi Security through to + multiple-application deployments secured by an enterprise-wide CAS + server. You can learn more about CAS at - http://www.ja-sig.org/products/cas/. You will need to - visit this URL to download the CAS Server files. Whilst the Acegi + http://www.ja-sig.org/products/cas/. You will need + to visit this URL to download the CAS Server files. Whilst the Acegi Security System for Spring includes two CAS libraries in the "-with-dependencies" ZIP file, you will still need the CAS Java Server Pages and web.xml to customise and deploy your CAS @@ -3598,21 +3609,21 @@ $CATALINA_HOME/bin/startup.sh anything difficult about setting up your server. Inside the WAR file you will customise the login and other single sign on pages displayed to users. - + If you are deploying CAS 2.0, you will also need to specify in - the web.xml a PasswordHandler. The + the web.xml a PasswordHandler. The PasswordHandler has a simple method that returns a boolean as to whether a given username and password is valid. Your PasswordHandler implementation will need to link into some type of backend authentication repository, such as an LDAP server or database. - If you are already running an existing CAS 2.0 server instance, you - will have already established a PasswordHandler. If - you do not already have a PasswordHandler, you - might prefer to use the Acegi Security System for Spring - CasPasswordHandler class. This class delegates - through to the standard Acegi Security + If you are already running an existing CAS 2.0 server instance, + you will have already established a + PasswordHandler. If you do not already have a + PasswordHandler, you might prefer to use the Acegi + Security System for Spring CasPasswordHandler + class. This class delegates through to the standard Acegi Security AuthenticationManager, enabling you to use a security configuration you might already have in place. You do not need to use the CasPasswordHandler class on your @@ -3620,30 +3631,30 @@ $CATALINA_HOME/bin/startup.sh will function as a CAS client successfully irrespective of the PasswordHandler you've chosen for your CAS server. - + If you are deploying CAS 3.0, you will also need to specify an AuthenticationHandler in the - deployerConfigContext.xml included with CAS. The + deployerConfigContext.xml included with CAS. The AuthenticationHandler has a simple method that returns a boolean as to whether a given set of Credentials is valid. Your AuthenticationHandler implementation will need - to link into some type of backend authentication repository, such as an - LDAP server or database. CAS itself includes numerous - AuthenticationHandlers out of the box to assist with - this. - + to link into some type of backend authentication repository, such as + an LDAP server or database. CAS itself includes numerous + AuthenticationHandlers out of the box to assist + with this. + If you are already running an existing CAS 3.0 server instance, you will have already established an - AuthenticationHandler. If you do not already have an - AuthenticationHandler, you might prefer to use the - Acegi Security System for Spring - CasAuthenticationHandler class. This class delegates - through to the standard Acegi Security - AuthenticationManager, enabling you to use a security - configuration you might already have in place. You do not need to use - the CasAuthenticationHandler class on your CAS server - if you do not wish. The Acegi Security System for Spring will function - as a CAS client successfully irrespective of the + AuthenticationHandler. If you do not already have + an AuthenticationHandler, you might prefer to use + the Acegi Security System for Spring + CasAuthenticationHandler class. This class + delegates through to the standard Acegi Security + AuthenticationManager, enabling you to use a + security configuration you might already have in place. You do not + need to use the CasAuthenticationHandler class on + your CAS server if you do not wish. The Acegi Security System for + Spring will function as a CAS client successfully irrespective of the AuthenticationHandler you've chosen for your CAS server. @@ -3869,8 +3880,8 @@ $CATALINA_HOME/bin/startup.sh As mentioned above, the Acegi Security System for Spring includes a PasswordHandler that bridges your - existing AuthenticationManager into CAS 2.0. You do not - need to use this PasswordHandler to use Acegi + existing AuthenticationManager into CAS 2.0. You do + not need to use this PasswordHandler to use Acegi Security on the client side (any CAS PasswordHandler will do). @@ -3883,34 +3894,34 @@ $CATALINA_HOME/bin/startup.sh /web/WEB-INF directory. A sample applicationContext.xml is included below: - - - + +<bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl"> + <property name="userMap"> + <value> marissa=koala,ROLES_IGNORED_BY_CAS dianne=emu,ROLES_IGNORED_BY_CAS scott=wombat,ROLES_IGNORED_BY_CAS peter=opal,disabled,ROLES_IGNORED_BY_CAS - - - + </value> + </property> +</bean> - - - +<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider"> + <property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property> +</bean> - - - - - - - +<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager"> + <property name="providers"> + <list> + <ref bean="daoAuthenticationProvider"/> + </list> + </property> +</bean> + +<bean id="casPasswordHandler" class="org.acegisecurity.adapters.cas.CasPasswordHandler"> + <property name="authenticationManager"><ref bean="authenticationManager"/></property> +</bean> - - - -]]> Note the granted authorities are ignored by CAS because it has @@ -3924,21 +3935,21 @@ $CATALINA_HOME/bin/startup.sh lines: - - edu.yale.its.tp.cas.authHandler - org.acegisecurity.adapters.cas.CasPasswordHandlerProxy - - - contextConfigLocation - /WEB-INF/applicationContext.xml - +<context-param> + <param-name>edu.yale.its.tp.cas.authHandler</param-name> + <param-value>org.acegisecurity.adapters.cas.CasPasswordHandlerProxy</param-value> +</context-param> + +<context-param> + <param-name>contextConfigLocation</param-name> + <param-value>/WEB-INF/applicationContext.xml</param-value> +</context-param> + +<listener> + <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> +</listener> - - org.springframework.web.context.ContextLoaderListener - -]]> Copy the spring.jar and @@ -3955,93 +3966,94 @@ $CATALINA_HOME/bin/startup.sh additional help or a test certificate you might like to check the samples/contacts/etc/ssl directory. - + - CAS 3.0 Server Installation (Optional) - As mentioned above, the Acegi Security System for Spring + CAS 3.0 Server Installation (Optional) + + As mentioned above, the Acegi Security System for Spring includes an AuthenticationHandler that bridges your - existing AuthenticationManager into CAS 3.0. You do not - need to use this AuthenticationHandler to use Acegi - Security on the client side (any CAS + existing AuthenticationManager into CAS 3.0. You do + not need to use this AuthenticationHandler to use + Acegi Security on the client side (any CAS AuthenticationHandler will do). To install, you will need to download and extract the CAS server archive. We used version 3.0.4. There will be a - /webapp directory in the root of the deployment. Edit the - an deployerConfigContext.xml so that it contains your - AuthenticationManager as well as the - CasAuthenticationHandler. A sample + /webapp directory in the root of the deployment. + Edit the an deployerConfigContext.xml so that it + contains your AuthenticationManager as well as the + CasAuthenticationHandler. A sample applicationContext.xml is included below: - - - - - + <?xml version="1.0" encoding="UTF-8"?> + <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd"> + <beans> + <bean id="authenticationManager" - class="org.jasig.cas.authentication.AuthenticationManagerImpl"> - - - - - - + class="org.jasig.cas.authentication.AuthenticationManagerImpl"> + <property name="credentialsToPrincipalResolvers"> + <list> + <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" /> + <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" /> + </list> + </property> - - - - - - - - - + <property name="authenticationHandlers"> + <list> + <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" /> + <bean class="org.acegisecurity.adapters.cas3.CasAuthenticationHandler"> + <property name="authenticationManager" ref="acegiAuthenticationManager" /> + </bean> + </list> + </property> + </bean> - - - + <bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl"> + <property name="userMap"> + <value> marissa=koala,ROLES_IGNORED_BY_CAS dianne=emu,ROLES_IGNORED_BY_CAS scott=wombat,ROLES_IGNORED_BY_CAS peter=opal,disabled,ROLES_IGNORED_BY_CAS - - - + </value> + </property> + </bean> - - - + <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider"> + <property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property> + </bean> + + <bean id="acegiAuthenticationManager" class="org.acegisecurity.providers.ProviderManager"> + <property name="providers"> + <list> + <ref bean="daoAuthenticationProvider"/> + </list> + </property> + </bean> + </beans> - - - - - - - - - ]]> - Note the granted authorities are ignored by CAS because it has + + Note the granted authorities are ignored by CAS because it has no way of communicating the granted authorities to calling applications. CAS is only concerned with username and passwords (and the enabled/disabled status). - - Copy the acegi-security.jar file into + + Copy the acegi-security.jar file into /localPlugins/lib. Now use the ant - war task in the build.xml in the /localPlugins - directory. This will create - /localPlugins/target/cas.war, which is ready for deployment to your - servlet container. + war task in the build.xml in the + /localPlugins directory. This will create + /localPlugins/target/cas.war, which is ready for + deployment to your servlet container. Note CAS heavily relies on HTTPS. You can't even test the system without a HTTPS certificate. Whilst you should refer to your web container's documentation on setting up HTTPS, if you need some - additional help or a test certificate you might like to check the - CAS documentation on setting up SSL: - http://www.ja-sig.org/products/cas/server/ssl/index.html - + additional help or a test certificate you might like to check the CAS + documentation on setting up SSL: + http://www.ja-sig.org/products/cas/server/ssl/index.html @@ -4056,12 +4068,12 @@ $CATALINA_HOME/bin/startup.sh to your application context. This represents your service: - - https://localhost:8443/contacts-cas/j_acegi_cas_security_check - false - -]]> + +<bean id="serviceProperties" class="org.acegisecurity.ui.cas.ServiceProperties"> + <property name="service"><value>https://localhost:8443/contacts-cas/j_acegi_cas_security_check</value></property> + <property name="sendRenew"><value>false</value></property> +</bean> + The service must equal a URL that will be @@ -4075,43 +4087,43 @@ $CATALINA_HOME/bin/startup.sh The following beans should be configured to commence the CAS authentication process: - - - /casfailed.jsp - / - /j_acegi_cas_security_check - + +<bean id="casProcessingFilter" class="org.acegisecurity.ui.cas.CasProcessingFilter"> + <property name="authenticationManager"><ref bean="authenticationManager"/></property> + <property name="authenticationFailureUrl"><value>/casfailed.jsp</value></property> + <property name="defaultTargetUrl"><value>/</value></property> + <property name="filterProcessesUrl"><value>/j_acegi_cas_security_check</value></property> +</bean> - - - +<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter"> + <property name="authenticationEntryPoint"><ref local="casProcessingFilterEntryPoint"/></property> +</bean> + +<bean id="casProcessingFilterEntryPoint" class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint"> + <property name="loginUrl"><value>https://localhost:8443/cas/login</value></property> + <property name="serviceProperties"><ref bean="serviceProperties"/></property> +</bean> - - https://localhost:8443/cas/login - - -]]> You will also need to add the CasProcessingFilter to web.xml: - - Acegi CAS Processing Filter - org.acegisecurity.util.FilterToBeanProxy - - targetClass - org.acegisecurity.ui.cas.CasProcessingFilter - - + +<filter> + <filter-name>Acegi CAS Processing Filter</filter-name> + <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class> + <init-param> + <param-name>targetClass</param-name> + <param-value>org.acegisecurity.ui.cas.CasProcessingFilter</param-value> + </init-param> +</filter> + +<filter-mapping> + <filter-name>Acegi CAS Processing Filter</filter-name> + <url-pattern>/*</url-pattern> +</filter-mapping> - - Acegi CAS Processing Filter - /* - -]]> The CasProcessingFilter has very similar @@ -4133,55 +4145,55 @@ $CATALINA_HOME/bin/startup.sh that uses CasAuthenticationProvider and its collaborators: - - - - - - - + +<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager"> + <property name="providers"> + <list> + <ref bean="casAuthenticationProvider"/> + </list> + </property> +</bean> - - - - - - my_password_for_this_auth_provider_only - +<bean id="casAuthenticationProvider" class="org.acegisecurity.providers.cas.CasAuthenticationProvider"> + <property name="casAuthoritiesPopulator"><ref bean="casAuthoritiesPopulator"/></property> + <property name="casProxyDecider"><ref bean="casProxyDecider"/></property> + <property name="ticketValidator"><ref bean="casProxyTicketValidator"/></property> + <property name="statelessTicketCache"><ref bean="statelessTicketCache"/></property> + <property name="key"><value>my_password_for_this_auth_provider_only</value></property> +</bean> - - https://localhost:8443/cas/proxyValidate - https://localhost:8443/contacts-cas/casProxy/receptor - - - +<bean id="casProxyTicketValidator" class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator"> + <property name="casValidate"><value>https://localhost:8443/cas/proxyValidate</value></property> + <property name="proxyCallbackUrl"><value>https://localhost:8443/contacts-cas/casProxy/receptor</value></property> + <property name="serviceProperties"><ref bean="serviceProperties"/></property> + <!-- <property name="trustStore"><value>/some/path/to/your/lib/security/cacerts</value></property> --> +</bean> - - - classpath:/ehcache-failsafe.xml - - +<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"> + <property name="configLocation"> + <value>classpath:/ehcache-failsafe.xml</value> + </property> +</bean> - - - - - - ticketCache - - +<bean id="ticketCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean"> + <property name="cacheManager"> + <ref local="cacheManager"/> + </property> + <property name="cacheName"> + <value>ticketCache</value> + </property> +</bean> - - - +<bean id="statelessTicketCache" class="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache"> + <property name="cache"><ref local="ticketCacheBackend"/></property> +</bean> - - - +<bean id="casAuthoritiesPopulator" class="org.acegisecurity.providers.cas.populator.DaoCasAuthoritiesPopulator"> + <property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property> +</bean> + +<bean id="casProxyDecider" class="org.acegisecurity.providers.cas.proxy.RejectProxyTickets"/> - -]]> The beans are all reasonable self-explanatory if you refer back @@ -4201,17 +4213,17 @@ $CATALINA_HOME/bin/startup.sh ProxyTicketReceptor by adding the following to your web application's web.xml: - - casproxy - edu.yale.its.tp.cas.proxy.ProxyTicketReceptor - + +<servlet> + <servlet-name>casproxy</servlet-name> + <servlet-class>edu.yale.its.tp.cas.proxy.ProxyTicketReceptor</servlet-class> +</servlet> + +<servlet-mapping> + <servlet-name>casproxy</servlet-name> + <url-pattern>/casProxy/*</url-pattern> +</servlet-mapping> - - casproxy - /casProxy/* - -]]> This completes the configuration of CAS. If you haven't made any @@ -4377,8 +4389,8 @@ $CATALINA_HOME/bin/startup.sh valid Authentication object in the secure context and the invocation will procede as normal. If no certificate was found, or the certificate was rejected, then the - ExceptionTranslationFilter will invoke the - X509ProcessingFilterEntryPoint which + ExceptionTranslationFilter will invoke + the X509ProcessingFilterEntryPoint which returns a 403 error (forbidden) to the user. @@ -4413,9 +4425,9 @@ $CATALINA_HOME/bin/startup.sh For JBoss 3.2.7 (with Tomcat 5.0), the SSL configuration in the server.xml file looks like - this - +<!-- SSL/TLS Connector configuration --> +<Connector port="8443" address="${jboss.bind.address}" maxThreads="100" minSpareThreads="5" maxSpareThreads="15" scheme="https" secure="true" sslProtocol = "TLS" @@ -4423,8 +4435,8 @@ $CATALINA_HOME/bin/startup.sh keystoreType="PKCS12" keystorePass="password" truststoreFile="${jboss.server.home.dir}/conf/ca.jks" truststoreType="JKS" truststorePass="password" -/> -]]> +/> + clientAuth can also be set to want if you still want SSL connections to succeed even if the client doesn't provide a certificate. Obviously @@ -4622,47 +4634,47 @@ $CATALINA_HOME/bin/startup.sh starting point for configuring your own application. A typical configuration, using some of the beans we've discussed - above, might look like this: - - cn=manager,dc=acegisecurity,dc=org - password - + above, might look like this: + <bean id="initialDirContextFactory" + class="org.acegisecurity.providers.ldap.DefaultInitialDirContextFactory"> + <constructor-arg value="ldap://monkeymachine:389/dc=acegisecurity,dc=org"/> + <property name="managerDn"><value>cn=manager,dc=acegisecurity,dc=org</value></property> + <property name="managerPassword"><value>password</value></property> + </bean> - - - - - - (uid={0}) - - - - - - true - - + <bean id="userSearch" + class="org.acegisecurity.providers.ldap.search.FilterBasedLdapUserSearch"> + <constructor-arg index="0"> + <value></value> + </constructor-arg> + <constructor-arg index="1"> + <value>(uid={0})</value> + </constructor-arg> + <constructor-arg index="2"> + <ref local="initialDirContextFactory" /> + </constructor-arg> + <property name="searchSubtree"> + <value>true</value> + </property> + </bean> - - - - - uid={0},ou=people - - - - - - ou=groups - ou - - - -]]> + <bean id="ldapAuthProvider" + class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider"> + <constructor-arg> + <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator"> + <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg> + <property name="userDnPatterns"><list><value>uid={0},ou=people</value></list></property> + </bean> + </constructor-arg> + <constructor-arg> + <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator"> + <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg> + <constructor-arg><value>ou=groups</value></constructor-arg> + <property name="groupRoleAttribute"><value>ou</value></property> + </bean> + </constructor-arg> + </bean> + This would set up the provider to access an LDAP server with URL ldap://monkeymachine:389/dc=acegisecurity,dc=org. @@ -4728,53 +4740,53 @@ $CATALINA_HOME/bin/startup.sh To utilise Acegi Security's channel security services, add the following lines to web.xml: - - Acegi Channel Processing Filter - org.acegisecurity.util.FilterToBeanProxy - - targetClass - org.acegisecurity.securechannel.ChannelProcessingFilter - - + +<filter> + <filter-name>Acegi Channel Processing Filter</filter-name> + <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class> + <init-param> + <param-name>targetClass</param-name> + <param-value>org.acegisecurity.securechannel.ChannelProcessingFilter</param-value> + </init-param> +</filter> + +<filter-mapping> + <filter-name>Acegi Channel Processing Filter</filter-name> + <url-pattern>/*</url-pattern> +</filter-mapping> - - Acegi Channel Processing Filter - /* - -]]> As usual when running FilterToBeanProxy, you will also need to configure the filter in your application context: - - - - + +<bean id="channelProcessingFilter" class="org.acegisecurity.securechannel.ChannelProcessingFilter"> + <property name="channelDecisionManager"><ref bean="channelDecisionManager"/></property> + <property name="filterInvocationDefinitionSource"> + <value> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON \A/secure/.*\Z=REQUIRES_SECURE_CHANNEL \A/acegilogin.jsp.*\Z=REQUIRES_SECURE_CHANNEL \A/j_acegi_security_check.*\Z=REQUIRES_SECURE_CHANNEL \A.*\Z=REQUIRES_INSECURE_CHANNEL - - - + </value> + </property> +</bean> - - - - - - - - +<bean id="channelDecisionManager" class="org.acegisecurity.securechannel.ChannelDecisionManagerImpl"> + <property name="channelProcessors"> + <list> + <ref bean="secureChannelProcessor"/> + <ref bean="insecureChannelProcessor"/> + </list> + </property> +</bean> + +<bean id="secureChannelProcessor" class="org.acegisecurity.securechannel.SecureChannelProcessor"/> +<bean id="insecureChannelProcessor" class="org.acegisecurity.securechannel.InsecureChannelProcessor"/> - - -]]> Like FilterSecurityInterceptor, Apache Ant @@ -5297,16 +5309,16 @@ INSERT INTO acl_permission VALUES (null, 6, 'scott', 1); FilterToBeanProxy. An example configuration from web.xml follows: - - Acegi HTTP Request Security Filter - org.acegisecurity.util.FilterToBeanProxy - - targetClass - org.acegisecurity.ClassThatImplementsFilter - - -]]> + +<filter> + <filter-name>Acegi HTTP Request Security Filter</filter-name> + <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class> + <init-param> + <param-name>targetClass</param-name> + <param-value>org.acegisecurity.ClassThatImplementsFilter</param-value> + </init-param> +</filter> + Notice that the filter in web.xml is actually @@ -5377,18 +5389,18 @@ INSERT INTO acl_permission VALUES (null, 6, 'scott', 1); chain is then declared in the application context, using code such as this: - - - + +<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy"> + <property name="filterInvocationDefinitionSource"> + <value> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT /webServices/**=httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor /**=httpSessionContextIntegrationFilterWithASCTrue,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor - - - -]]> + </value> + </property> +</bean> + You may notice similarities with the way @@ -5405,8 +5417,8 @@ INSERT INTO acl_permission VALUES (null, 6, 'scott', 1); As you can see, FilterChainProxy requires the duplication of filter names for different request patterns (in the - above example, exceptionTranslationFilter - and filterSecurityInterceptor are duplicated). This + above example, exceptionTranslationFilter and + filterSecurityInterceptor are duplicated). This design decision was made to enable FilterChainProxy to specify different Filter invocation orders for different URI patterns, and also to improve both the expressiveness @@ -5515,12 +5527,12 @@ INSERT INTO acl_permission VALUES (null, 6, 'scott', 1); - ExceptionTranslationFilter, catch any Acegi Security - exceptions so that an either an HTTP error response can be returned - or an appropriate AuthenticationEntryPoint - can be launched - - + ExceptionTranslationFilter, catch any + Acegi Security exceptions so that an either an HTTP error response + can be returned or an appropriate + AuthenticationEntryPoint can be launched + + FilterSecurityInterceptor, to protect web URIs