From 66f7e8bcc8ade81978c58abc054756278b8dfeae Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Mon, 8 Jun 2009 12:59:13 +0000 Subject: [PATCH] SEC-1168: Added filter-security-metadat-source to namespace. --- .../security/config/Elements.java | 2 + .../HttpSecurityBeanDefinitionParser.java | 3 +- .../config/SecurityNamespaceHandler.java | 4 +- .../security/config/spring-security-3.0.rnc | 18 +- .../security/config/spring-security-3.0.xsd | 3225 +++++++++-------- .../security/config/spring-security.xsl | 2 +- ...adataSourceBeanDefinitionParserTests.java} | 10 +- config/src/test/resources/namespace-usage.xml | 9 +- .../manual/src/docbook/anon-auth-provider.xml | 145 +- docs/manual/src/docbook/channel-security.xml | 253 +- docs/manual/src/docbook/secured-objects.xml | 346 +- .../filter-chain-performance-app-context.xml | 4 +- .../channel/ChannelProcessingFilter.java | 16 +- .../channel/ChannelProcessingFilterTests.java | 20 +- 14 files changed, 2001 insertions(+), 2056 deletions(-) rename config/src/test/java/org/springframework/security/config/{FilterInvocationSecurityMetadataSourceBeanDefinitionParserTests.java => FilterSecurityMetadataSourceBeanDefinitionParserTests.java} (90%) diff --git a/config/src/main/java/org/springframework/security/config/Elements.java b/config/src/main/java/org/springframework/security/config/Elements.java index c0d558dcbb..58102b71ec 100644 --- a/config/src/main/java/org/springframework/security/config/Elements.java +++ b/config/src/main/java/org/springframework/security/config/Elements.java @@ -44,6 +44,8 @@ public abstract class Elements { public static final String CUSTOM_AUTH_PROVIDER = "custom-authentication-provider"; public static final String CUSTOM_AFTER_INVOCATION_PROVIDER = "custom-after-invocation-provider"; public static final String X509 = "x509"; + public static final String FILTER_SECURITY_METADATA_SOURCE = "filter-security-metadata-source"; + @Deprecated public static final String FILTER_INVOCATION_DEFINITION_SOURCE = "filter-invocation-definition-source"; public static final String LDAP_PASSWORD_COMPARE = "password-compare"; } diff --git a/config/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java index 1e671820c5..6119d94ee0 100644 --- a/config/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java +++ b/config/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java @@ -409,8 +409,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser { new DefaultFilterInvocationSecurityMetadataSource(matcher, channelRequestMap); channelFilterInvDefSource.setStripQueryStringFromUrls(matcher instanceof AntUrlPathMatcher); - channelFilter.getPropertyValues().addPropertyValue("filterInvocationSecurityMetadataSource", - channelFilterInvDefSource); + channelFilter.getPropertyValues().addPropertyValue("securityMetadataSource", channelFilterInvDefSource); RootBeanDefinition channelDecisionManager = new RootBeanDefinition(ChannelDecisionManagerImpl.class); ManagedList channelProcessors = new ManagedList(3); RootBeanDefinition secureChannelProcessor = new RootBeanDefinition(SecureChannelProcessor.class); diff --git a/config/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java b/config/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java index 1d0b8fe435..a6b2007463 100644 --- a/config/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java +++ b/config/src/main/java/org/springframework/security/config/SecurityNamespaceHandler.java @@ -12,6 +12,7 @@ import org.springframework.beans.factory.xml.NamespaceHandlerSupport; */ public class SecurityNamespaceHandler extends NamespaceHandlerSupport { + @SuppressWarnings("deprecation") public void init() { // Parsers registerBeanDefinitionParser(Elements.LDAP_PROVIDER, new LdapProviderBeanDefinitionParser()); @@ -24,12 +25,13 @@ public class SecurityNamespaceHandler extends NamespaceHandlerSupport { registerBeanDefinitionParser(Elements.GLOBAL_METHOD_SECURITY, new GlobalMethodSecurityBeanDefinitionParser()); registerBeanDefinitionParser(Elements.AUTHENTICATION_MANAGER, new AuthenticationManagerBeanDefinitionParser()); registerBeanDefinitionParser(Elements.FILTER_INVOCATION_DEFINITION_SOURCE, new FilterInvocationSecurityMetadataSourceBeanDefinitionParser()); + registerBeanDefinitionParser(Elements.FILTER_SECURITY_METADATA_SOURCE, new FilterInvocationSecurityMetadataSourceBeanDefinitionParser()); // Decorators registerBeanDefinitionDecorator(Elements.INTERCEPT_METHODS, new InterceptMethodsBeanDefinitionDecorator()); registerBeanDefinitionDecorator(Elements.FILTER_CHAIN_MAP, new FilterChainMapBeanDefinitionDecorator()); registerBeanDefinitionDecorator(Elements.CUSTOM_FILTER, new OrderedFilterBeanDefinitionDecorator()); registerBeanDefinitionDecorator(Elements.CUSTOM_AUTH_PROVIDER, new CustomAuthenticationProviderBeanDefinitionDecorator()); - registerBeanDefinitionDecorator(Elements.CUSTOM_AFTER_INVOCATION_PROVIDER, new CustomAfterInvocationProviderBeanDefinitionDecorator()); + registerBeanDefinitionDecorator(Elements.CUSTOM_AFTER_INVOCATION_PROVIDER, new CustomAfterInvocationProviderBeanDefinitionDecorator()); } } diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc index 4774642643..eb44da6f56 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc +++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc @@ -367,20 +367,24 @@ filter-chain.attlist &= filter-chain.attlist &= attribute filters {xsd:token} -filter-invocation-definition-source = - ## Used to explicitly configure a FilterInvocationDefinitionSource bean for use with a FilterSecurityInterceptor. Usually only needed if you are configuring a FilterChainProxy explicitly, rather than using the element. The intercept-url elements used should only contain pattern, method and access attributes. Any others will result in a configuration error. - element filter-invocation-definition-source {fids.attlist, intercept-url+} -fids.attlist &= +filter-security-metadata-source = + ## Used to explicitly configure a FilterSecurityMetadataSource bean for use with a FilterSecurityInterceptor. Usually only needed if you are configuring a FilterChainProxy explicitly, rather than using the element. The intercept-url elements used should only contain pattern, method and access attributes. Any others will result in a configuration error. + element filter-security-metadata-source {fsmds.attlist, intercept-url+} +fsmds.attlist &= use-expressions? -fids.attlist &= +fsmds.attlist &= id? -fids.attlist &= +fsmds.attlist &= ## as for http element attribute lowercase-comparisons {boolean}? -fids.attlist &= +fsmds.attlist &= ## as for http element path-type? +filter-invocation-definition-source = + ## Deprecated synonym for filter-security-metadata-source + element filter-invocation-definition-source {fsmds.attlist, intercept-url+} + http-basic = ## Adds support for basic authentication (this is an element to permit future expansion, such as supporting an "ignoreFailure" attribute) element http-basic {empty} diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd index a46ab1c53a..898eb24d80 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd +++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd @@ -1,1636 +1,1671 @@ - - + xmlns:security="http://www.springframework.org/schema/security" elementFormDefault="qualified" + targetNamespace="http://www.springframework.org/schema/security"> + + + + Defines the hashing algorithm used on user passwords. We recommend + strongly against using MD4, as it is a very weak hashing + algorithm. + + + + + + + + + + + + + + + + + + Whether a string should be base64 encoded + + + + + + + + + + + + + Defines the type of pattern used to specify URL paths (either JDK + 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if + unspecified. + + + + + + + + + + + + + Specifies an IP port number. Used to configure an embedded LDAP + server, for example. + + + + + + + Specifies a URL. + + + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + + + Defines a reference to a Spring bean Id. + + + + + + + Defines a reference to a cache for use with a + UserDetailsService. + + + + + + + A reference to a user-service (or UserDetailsService bean) + Id + + + + + + + A reference to a DataSource bean + + + + + + + Defines a reference to a Spring bean Id. + + + + + Defines the hashing algorithm used on user passwords. We recommend + strongly against using MD4, as it is a very weak hashing + algorithm. + + + + + + + + + + + + + + + + Whether a string should be base64 encoded + + + + + + + + + + + + + A property of the UserDetails object which will be used as salt by a + password encoder. Typically something like "username" might be used. + + + + + + + + A single value that will be used as the salt for a password encoder. + + + + + + + + + + + + + + A non-empty string prefix that will be added to role strings loaded + from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases + where the default is non-empty. + + + + + + + Enables the use of expressions in the 'access' attributes in + <intercept-url> elements rather than the traditional list of + configuration attributes. Defaults to 'false'. If enabled, each attribute should + contain a single boolean expression. If the expression evaluates to 'true', access + will be granted. + + + + - Defines the hashing algorithm used on user passwords. We recommend - strongly against using MD4, as it is a very weak hashing algorithm. + Defines an LDAP server location or starts an embedded server. The url + indicates the location of a remote server. If no url is given, an embedded server will + be started, listening on the supplied port number. The port is optional and defaults to + 33389. A Spring LDAP ContextSource bean will be registered for the server with the id + supplied. - - - - - - - - - - - - - - - + + + + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + Specifies a URL. + + + + + Specifies an IP port number. Used to configure an embedded LDAP + server, for example. + + + + + Username (DN) of the "manager" user identity which will be used to + authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be + used. + + + + + The password for the manager DN. + + + + + Explicitly specifies an ldif file resource to load into an embedded + LDAP server + + + + + Optional root suffix for the embedded LDAP server. Default is + "dc=springframework,dc=org" + + + + + + + The optional server to use. If omitted, and a default LDAP server is + registered (using <ldap-server> with no Id), that server will be used. + + + + + + + + Group search filter. Defaults to (uniqueMember={0}). The substituted + parameter is the DN of the user. + + + + + + + Search base for group membership searches. Defaults to "" (searching + from the root). + + + + + + + The LDAP filter used to search for users (optional). For example + "(uid={0})". The substituted parameter is the user's login name. + + + + + + + Search base for user searches. Defaults to "". Only used with a + 'user-search-filter'. + + + + + + + The LDAP attribute name which contains the role name which will be + used within Spring Security. Defaults to "cn". + + + + + + + Allows the objectClass of the user entry to be specified. If set, the + framework will attempt to load standard attributes for the defined class into the + returned UserDetails object + + + + + + + + + + + + + + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + The optional server to use. If omitted, and a default LDAP server is + registered (using <ldap-server> with no Id), that server will be used. + + + + + + The LDAP filter used to search for users (optional). For example + "(uid={0})". The substituted parameter is the user's login name. + + + + + Search base for user searches. Defaults to "". Only used with a + 'user-search-filter'. + + + + + Group search filter. Defaults to (uniqueMember={0}). The substituted + parameter is the DN of the user. + + + + + Search base for group membership searches. Defaults to "" (searching + from the root). + + + + + The LDAP attribute name which contains the role name which will be + used within Spring Security. Defaults to "cn". + + + + + Defines a reference to a cache for use with a + UserDetailsService. + + + + + A non-empty string prefix that will be added to role strings loaded + from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases + where the default is non-empty. + + + + + Allows the objectClass of the user entry to be specified. If set, the + framework will attempt to load standard attributes for the defined class into the + returned UserDetails object + + + + + + + + + + - Whether a string should be base64 encoded + Sets up an ldap authentication provider - - - - - - - - - - - - Defines the type of pattern used to specify URL paths (either JDK - 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if - unspecified. - - - - - - - - - - - - - Specifies an IP port number. Used to configure an embedded LDAP server, - for example. - - - - - - - Specifies a URL. - - - - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - - - - - - - Defines a reference to a Spring bean Id. - - - - - - - Defines a reference to a cache for use with a - UserDetailsService. - - - - - - - A reference to a user-service (or UserDetailsService bean) - Id - - - - - - - A reference to a DataSource bean - - - - - - - Defines a reference to a Spring bean Id. - - - - - Defines the hashing algorithm used on user passwords. We recommend - strongly against using MD4, as it is a very weak hashing algorithm. - - - - - - - - - - - - - - - - Whether a string should be base64 encoded - - - - - - - - - - - - - A property of the UserDetails object which will be used as salt by a - password encoder. Typically something like "username" might be used. - - - - - - - A single value that will be used as the salt for a password encoder. - - - - - - - - - - - - - - A non-empty string prefix that will be added to role strings loaded from - persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the - default is non-empty. - - - - - - - Enables the use of expressions in the 'access' attributes in - <intercept-url> elements rather than the traditional list of configuration - attributes. Defaults to 'false'. If enabled, each attribute should contain a single - boolean expression. If the expression evaluates to 'true', access will be granted. - - - - - - - Defines an LDAP server location or starts an embedded server. The url - indicates the location of a remote server. If no url is given, an embedded server will be - started, listening on the supplied port number. The port is optional and defaults to 33389. - A Spring LDAP ContextSource bean will be registered for the server with the id supplied. - - - - - - - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - - - - - Specifies a URL. - - - - - Specifies an IP port number. Used to configure an embedded LDAP server, - for example. - - - - - Username (DN) of the "manager" user identity which will be used to - authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be used. - - - - - - The password for the manager DN. - - - - - Explicitly specifies an ldif file resource to load into an embedded LDAP - server - - - - - Optional root suffix for the embedded LDAP server. Default is - "dc=springframework,dc=org" - - - - - - - The optional server to use. If omitted, and a default LDAP server is - registered (using <ldap-server> with no Id), that server will be used. - - - - - - - - Group search filter. Defaults to (uniqueMember={0}). The substituted - parameter is the DN of the user. - - - - - - - Search base for group membership searches. Defaults to "" (searching from - the root). - - - - - - - The LDAP filter used to search for users (optional). For example - "(uid={0})". The substituted parameter is the user's login name. - - - - - - - Search base for user searches. Defaults to "". Only used with a - 'user-search-filter'. - - - - - - - The LDAP attribute name which contains the role name which will be used - within Spring Security. Defaults to "cn". - - - - - - - Allows the objectClass of the user entry to be specified. If set, the - framework will attempt to load standard attributes for the defined class into the returned - UserDetails object - - - - - - - - - - - - - - - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - - - - - The optional server to use. If omitted, and a default LDAP server is - registered (using <ldap-server> with no Id), that server will be used. - - - - - - The LDAP filter used to search for users (optional). For example - "(uid={0})". The substituted parameter is the user's login name. - - - - - Search base for user searches. Defaults to "". Only used with a - 'user-search-filter'. - - - - - Group search filter. Defaults to (uniqueMember={0}). The substituted - parameter is the DN of the user. - - - - - Search base for group membership searches. Defaults to "" (searching from - the root). - - - - - The LDAP attribute name which contains the role name which will be used - within Spring Security. Defaults to "cn". - - - - - Defines a reference to a cache for use with a - UserDetailsService. - - - - - A non-empty string prefix that will be added to role strings loaded from - persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the - default is non-empty. - - - - - Allows the objectClass of the user entry to be specified. If set, the - framework will attempt to load standard attributes for the defined class into the returned - UserDetails object - - - - - - - - - - - - Sets up an ldap authentication provider - - - - - - Specifies that an LDAP provider should use an LDAP compare operation - of the user's password to authenticate the user - - - - - - element which defines a password encoding strategy. Used by an - authentication provider to convert submitted passwords to hashed versions, for - example. - - + + + + + Specifies that an LDAP provider should use an LDAP compare + operation of the user's password to authenticate the user + + - - - Password salting strategy. A system-wide constant or a - property from the UserDetails object can be used. - - - - - A property of the UserDetails object which will be - used as salt by a password encoder. Typically something like - "username" might be used. - - - - - A single value that will be used as the salt for a - password encoder. - - - - - Defines a reference to a Spring bean - Id. - - - - + + + element which defines a password encoding strategy. + Used by an authentication provider to convert submitted passwords to + hashed versions, for example. + + + + + + Password salting strategy. A system-wide + constant or a property from the UserDetails object can be + used. + + + + + A property of the UserDetails object + which will be used as salt by a password encoder. + Typically something like "username" might be used. + + + + + + A single value that will be used as the + salt for a password encoder. + + + + + Defines a reference to a Spring bean + Id. + + + + + + + + - - - - - - - - - - - - - + + + + + + + + + + + The optional server to use. If omitted, and a default LDAP server is + registered (using <ldap-server> with no Id), that server will be used. + + + + + + Search base for user searches. Defaults to "". Only used with a + 'user-search-filter'. + + + + + The LDAP filter used to search for users (optional). For example + "(uid={0})". The substituted parameter is the user's login name. + + + + + Search base for group membership searches. Defaults to "" (searching + from the root). + + + + + Group search filter. Defaults to (uniqueMember={0}). The substituted + parameter is the DN of the user. + + + + + The LDAP attribute name which contains the role name which will be + used within Spring Security. Defaults to "cn". + + + + + A specific pattern used to build the user's DN, for example + "uid={0},ou=people". The key "{0}" must be present and will be substituted with the + username. + + + + + A non-empty string prefix that will be added to role strings loaded + from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases + where the default is non-empty. + + + + + Allows the objectClass of the user entry to be specified. If set, the + framework will attempt to load standard attributes for the defined class into the + returned UserDetails object + + + + + + + + + + + + + The attribute in the directory which contains the user password. + Defaults to "userPassword". + + + + + Defines the hashing algorithm used on user passwords. We recommend + strongly against using MD4, as it is a very weak hashing + algorithm. + + + + + + + + + + + + + + + - The optional server to use. If omitted, and a default LDAP server is - registered (using <ldap-server> with no Id), that server will be used. - + Can be used inside a bean definition to add a security interceptor to the + bean and set up access configuration attributes for the bean's + methods - - + + + + + Defines a protected method and the access control configuration + attributes that apply to it. We strongly advise you NOT to mix "protect" + declarations with any services provided + "global-method-security". + + + + + + + + + + + + + Optional AccessDecisionManager bean ID to be used by the created + method security interceptor. + + + + + + + A method name + + + + + Access configuration attributes list that applies to the method, e.g. + "ROLE_A,ROLE_B". + + + + - Search base for user searches. Defaults to "". Only used with a - 'user-search-filter'. + Provides method security for all beans registered in the Spring + application context. Specifically, beans will be scanned for matches with the ordered + list of "protect-pointcut" sub-elements, Spring Security annotations and/or. Where there + is a match, the beans will automatically be proxied and security authorization applied + to the methods accordingly. If you use and enable all four sources of method security + metadata (ie "protect-pointcut" declarations, expression annotations, @Secured and also + JSR250 security annotations), the metadata sources will be queried in that order. In + practical terms, this enables you to use XML to override method security metadata + expressed in annotations. If using annotations, the order of precedence is EL-based + (@PreAuthorize etc.), @Secured and finally JSR-250. - - - - The LDAP filter used to search for users (optional). For example - "(uid={0})". The substituted parameter is the user's login name. - - - - - Search base for group membership searches. Defaults to "" (searching from - the root). - - - - - Group search filter. Defaults to (uniqueMember={0}). The substituted - parameter is the DN of the user. - - - - - The LDAP attribute name which contains the role name which will be used - within Spring Security. Defaults to "cn". - - - - - A specific pattern used to build the user's DN, for example - "uid={0},ou=people". The key "{0}" must be present and will be substituted with the - username. - - - - - A non-empty string prefix that will be added to role strings loaded from - persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the - default is non-empty. - - - - - Allows the objectClass of the user entry to be specified. If set, the - framework will attempt to load standard attributes for the defined class into the returned - UserDetails object - - - - - - - - - - - - - The attribute in the directory which contains the user password. Defaults - to "userPassword". - - - - - Defines the hashing algorithm used on user passwords. We recommend - strongly against using MD4, as it is a very weak hashing algorithm. - - - - - - - - - - - - - - - - - Can be used inside a bean definition to add a security interceptor to the - bean and set up access configuration attributes for the bean's methods - - - - - - Defines a protected method and the access control configuration - attributes that apply to it. We strongly advise you NOT to mix "protect" declarations - with any services provided "global-method-security". - - - - - - - - - - - - - Optional AccessDecisionManager bean ID to be used by the created method - security interceptor. - - - - - - - A method name - - - - - Access configuration attributes list that applies to the method, e.g. - "ROLE_A,ROLE_B". - - - - - - Provides method security for all beans registered in the Spring application - context. Specifically, beans will be scanned for matches with the ordered list of - "protect-pointcut" sub-elements, Spring Security annotations and/or. Where there is a match, - the beans will automatically be proxied and security authorization applied to the methods - accordingly. If you use and enable all four sources of method security metadata (ie - "protect-pointcut" declarations, expression annotations, @Secured and also JSR250 security - annotations), the metadata sources will be queried in that order. In practical terms, this - enables you to use XML to override method security metadata expressed in annotations. If - using annotations, the order of precedence is EL-based (@PreAuthorize etc.), @Secured and - finally JSR-250. - - - - - - - Allows the default expression-based mechanism for handling Spring - Security's pre and post invocation annotations (@PreFilter, @PreAuthorize, - @PostFilter, @PostAuthorize) to be replace entirely. Only applies if these - annotations are enabled. - - - - + + + + - Defines the PrePostInvocationAttributeFactory instance which - is used to generate pre and post invocation metadata from the annotated - methods. + Allows the default expression-based mechanism for handling + Spring Security's pre and post invocation annotations (@PreFilter, + @PreAuthorize, @PostFilter, @PostAuthorize) to be replace entirely. Only + applies if these annotations are enabled. - + + + + Defines the PrePostInvocationAttributeFactory + instance which is used to generate pre and post invocation metadata + from the annotated methods. + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - Defines a protected pointcut and the access control configuration - attributes that apply to it. Every bean registered in the Spring application context - that provides a method that matches the pointcut will receive security - authorization. - - - - - - - - - - - + + + + + + Defines a protected pointcut and the access control + configuration attributes that apply to it. Every bean registered in the Spring + application context that provides a method that matches the pointcut will + receive security authorization. + + + + + + + + + + + + + Specifies whether the use of Spring Security's pre and post invocation + annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be + enabled for this application context. Defaults to "disabled". + + + + + + + + + + + Specifies whether the use of Spring Security's @Secured annotations + should be enabled for this application context. Defaults to + "disabled". + + + + + + + + + + + Specifies whether JSR-250 style attributes are to be used (for example + "RolesAllowed"). This will require the javax.annotation.security classes on the + classpath. Defaults to "disabled". + + + + + + + + + + + Optional AccessDecisionManager bean ID to override the default used + for method security. + + + + + Optional RunAsmanager implementation which will be used by the + configured MethodSecurityInterceptor + + + + - Specifies whether the use of Spring Security's pre and post invocation - annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be enabled for - this application context. Defaults to "disabled". + Defines the SecurityExpressionHandler instance which will be used if + expression-based access-control is enabled. A default implementation (with no ACL + support) will be used if not supplied. - - - - - - - - + + + + + - Specifies whether the use of Spring Security's @Secured annotations should - be enabled for this application context. Defaults to "disabled". + Used to decorate an AfterInvocationProvider to specify that it should be + used with method security. - - - - - - - - + + + + + + An AspectJ expression, including the 'execution' keyword. For example, + 'execution(int com.foo.TargetObject.countLength(String))' (without the + quotes). + + + + + Access configuration attributes list that applies to all methods + matching the pointcut, e.g. "ROLE_A,ROLE_B" + + + + - Specifies whether JSR-250 style attributes are to be used (for example - "RolesAllowed"). This will require the javax.annotation.security classes on the classpath. - Defaults to "disabled". + Container element for HTTP security configuration - - - - - - - - - - Optional AccessDecisionManager bean ID to override the default used for - method security. - - - - - Optional RunAsmanager implementation which will be used by the configured - MethodSecurityInterceptor - - - - - - Defines the SecurityExpressionHandler instance which will be used if - expression-based access-control is enabled. A default implementation (with no ACL support) - will be used if not supplied. - - - - - - - - Used to decorate an AfterInvocationProvider to specify that it should be - used with method security. - - - - - - - An AspectJ expression, including the 'execution' keyword. For example, - 'execution(int com.foo.TargetObject.countLength(String))' (without the - quotes). - - - - - Access configuration attributes list that applies to all methods matching - the pointcut, e.g. "ROLE_A,ROLE_B" - - - - - - Container element for HTTP security configuration - - - - - - Specifies the access attributes and/or filter list for a particular - set of URLs. - - - - - - - - Defines the access-denied strategy that should be used. An access - denied page can be defined or a reference to an AccessDeniedHandler instance. + + + + + Specifies the access attributes and/or filter list for a + particular set of URLs. + + + + + + + + Defines the access-denied strategy that should be used. An + access denied page can be defined or a reference to an AccessDeniedHandler + instance. + + + + + + + + Sets up a form login configuration for authentication with a + username and password + + + + + + + + + Adds support for X.509 client authentication. + + + + + + + + Adds support for basic authentication (this is an element to + permit future expansion, such as supporting an "ignoreFailure" + attribute) + + + + + + Incorporates a logout processing filter. Most web applications + require a logout filter, although you may not require one if you write a + controller to provider similar logic. + + + + + + + + Adds support for concurrent session control, allowing limits to + be placed on the number of sessions a user can have. + + + + + + + + Sets up remember-me authentication. If used with the "key" + attribute (or no attributes) the cookie-only implementation will be used. + Specifying "token-repository-ref" or "remember-me-data-source-ref" will use the + more secure, persisten token approach. + + + + + + + + Adds support for automatically granting all anonymous web + requests a particular principal identity and a corresponding granted + authority. + + + + + + + + Defines the list of mappings between http and https ports for + use in redirects + + + + + + + + + + + + + + + Automatically registers a login form, BASIC authentication, anonymous + authentication, logout services, remember-me and servlet-api-integration. If set to + "true", all of these capabilities are added (although you can still customize the + configuration of each by providing the respective element). If unspecified, defaults + to "false". + + + + + Enables the use of expressions in the 'access' attributes in + <intercept-url> elements rather than the traditional list of + configuration attributes. Defaults to 'false'. If enabled, each attribute should + contain a single boolean expression. If the expression evaluates to 'true', access + will be granted. + + + + + Controls the eagerness with which an HTTP session is created. If not + set, defaults to "ifRequired". Note that if a custom SecurityContextRepository is set + using security-context-repository-ref, then the only value which can be set is + "always". Otherwise the session creation behaviour will be determined by the + repository bean implementation. + + + + + + + + + + + + A reference to a SecurityContextRepository bean. This can be used to + customize how the SecurityContext is stored between requests. + + + + + Defines the type of pattern used to specify URL paths (either JDK + 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if + unspecified. + + + + + + + + + + + Whether test URLs should be converted to lower case prior to comparing + with defined path patterns. If unspecified, defaults to "true". + + + + + Provides versions of HttpServletRequest security methods such as + isUserInRole() and getPrincipal() which are implemented by accessing the Spring + SecurityContext. Defaults to "true". + + + + + Optional attribute specifying the ID of the AccessDecisionManager + implementation which should be used for authorizing HTTP requests. + + + + + Optional attribute specifying the realm name that will be used for all + authentication features that require a realm name (eg BASIC and Digest + authentication). If unspecified, defaults to "Spring Security + Application". + + + + + Indicates whether an existing session should be invalidated when a + user authenticates and a new session started. If set to "none" no change will be + made. "newSession" will create a new empty session. "migrateSession" will create a + new session and copy the session attributes to the new session. Defaults to + "migrateSession". + + + + + + + + + + + + Allows a customized AuthenticationEntryPoint to be + used. + + + + + Corresponds to the observeOncePerRequest property of + FilterSecurityInterceptor. Defaults to "true" + + + + + Deprecated in favour of the access-denied-handler + element. + + + + + + + + + + + + Defines a reference to a Spring bean Id. + + + + + The access denied page that an authenticated user will be redirected + to if they request a page which they don't have the authority to access. - - - - - - - - Sets up a form login configuration for authentication with a username - and password - - - - - - - - - Adds support for X.509 client authentication. - - - - - - - - Adds support for basic authentication (this is an element to permit - future expansion, such as supporting an "ignoreFailure" attribute) - - - - - - Incorporates a logout processing filter. Most web applications require - a logout filter, although you may not require one if you write a controller to - provider similar logic. - - - - - - - - Adds support for concurrent session control, allowing limits to be - placed on the number of sessions a user can have. - - - - - - - - Sets up remember-me authentication. If used with the "key" attribute - (or no attributes) the cookie-only implementation will be used. Specifying - "token-repository-ref" or "remember-me-data-source-ref" will use the more secure, - persisten token approach. - - - - - - - - Adds support for automatically granting all anonymous web requests a - particular principal identity and a corresponding granted - authority. - - - - - - - - Defines the list of mappings between http and https ports for use in - redirects - - - - - - - - - - - - - + + + + + + + The access denied page that an authenticated user will be redirected + to if they request a page which they don't have the authority to access. + + + + + + + + The pattern which defines the URL path. The content will depend on the + type set in the containing http element, so will default to ant path + syntax. + + + + + The access configuration attributes that apply for the configured + path. + + + + + The HTTP Method for which the access configuration attributes should + apply. If not specified, the attributes will apply to any method. + + + + + + + + + + + + + + + + The filter list for the path. Currently can be set to "none" to remove + a path from having any filters applied. The full filter stack (consisting of all + filters created by the namespace configuration, and any added using 'custom-filter'), + will be applied to any other paths. + + + + + + + + + + Used to specify that a URL must be accessed over http or https, or + that there is no preference. + + + + + + + + + + + + + + Specifies the URL that will cause a logout. Spring Security will + initialize a filter that responds to this particular URL. Defaults to + /j_spring_security_logout if unspecified. + + + + + Specifies the URL to display once the user has logged out. If not + specified, defaults to /. + + + + + Specifies whether a logout also causes HttpSession invalidation, which + is generally desirable. If unspecified, defaults to true. + + + + + + + The URL that the login form is posted to. If unspecified, it defaults + to /j_spring_security_check. + + + + + The URL that will be redirected to after successful authentication, if + the user's previous action could not be resumed. This generally happens if the user + visits a login page without having first requested a secured operation that triggers + authentication. If unspecified, defaults to the root of the + application. + + + + + Whether the user should always be redirected to the default-target-url + after login. + + + + + The URL for the login page. If no login URL is specified, Spring + Security will automatically create a login URL at /spring_security_login and a + corresponding filter to render that login URL when requested. + + + + + The URL for the login failure page. If no login failure URL is + specified, Spring Security will automatically create a failure login URL at + /spring_security_login?login_error and a corresponding filter to render that login + failure URL when requested. + + + + + Reference to an AuthenticationSuccessHandler bean which should be used + to handle a successful authentication request. Should not be used in combination with + default-target-url (or always-use-default-target-url) as the implementation should + always deal with navigation to the subsequent destination + + + + + Reference to an AuthenticationFailureHandler bean which should be used + to handle a failed authentication request. Should not be used in combination with + authentication-failure-url as the implementation should always deal with navigation + to the subsequent destination + + + + - Automatically registers a login form, BASIC authentication, anonymous - authentication, logout services, remember-me and servlet-api-integration. If set to - "true", all of these capabilities are added (although you can still customize the - configuration of each by providing the respective element). If unspecified, defaults to - "false". + Sets up form login for authentication with an Open ID + identity - - + + + + + A reference to a user-service (or UserDetailsService bean) + Id + + + + + - Enables the use of expressions in the 'access' attributes in - <intercept-url> elements rather than the traditional list of configuration - attributes. Defaults to 'false'. If enabled, each attribute should contain a single - boolean expression. If the expression evaluates to 'true', access will be granted. - + Used to explicitly configure a FilterChainProxy instance with a + FilterChainMap - - + + + + + Used within filter-chain-map to define a specific URL pattern + and the list of filters which apply to the URLs matching that pattern. When + multiple filter-chain elements are used within a filter-chain-map element, the + most specific patterns must be placed at the top of the list, with most general + ones at the bottom. + + + + + + + + + + + + + + + + + - Controls the eagerness with which an HTTP session is created. If not set, - defaults to "ifRequired". Note that if a custom SecurityContextRepository is set using - security-context-repository-ref, then the only value which can be set is "always". - Otherwise the session creation behaviour will be determined by the repository bean - implementation. + Used to explicitly configure a FilterSecurityMetadataSource bean for use + with a FilterSecurityInterceptor. Usually only needed if you are configuring a + FilterChainProxy explicitly, rather than using the <http> element. The + intercept-url elements used should only contain pattern, method and access attributes. + Any others will result in a configuration error. - - - - - - - - - + + + + + Specifies the access attributes and/or filter list for a + particular set of URLs. + + + + + + + + + + + + + Enables the use of expressions in the 'access' attributes in + <intercept-url> elements rather than the traditional list of + configuration attributes. Defaults to 'false'. If enabled, each attribute should + contain a single boolean expression. If the expression evaluates to 'true', access + will be granted. + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + as for http element + + + + + Defines the type of pattern used to specify URL paths (either JDK + 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if + unspecified. + + + + + + + + + + - A reference to a SecurityContextRepository bean. This can be used to - customize how the SecurityContext is stored between requests. + Deprecated synonym for filter-security-metadata-source - - - - Defines the type of pattern used to specify URL paths (either JDK - 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if - unspecified. - - - - - - - - - - - Whether test URLs should be converted to lower case prior to comparing - with defined path patterns. If unspecified, defaults to "true". - - - - - Provides versions of HttpServletRequest security methods such as - isUserInRole() and getPrincipal() which are implemented by accessing the Spring - SecurityContext. Defaults to "true". - - - - - Optional attribute specifying the ID of the AccessDecisionManager - implementation which should be used for authorizing HTTP requests. - - - - - Optional attribute specifying the realm name that will be used for all - authentication features that require a realm name (eg BASIC and Digest authentication). If - unspecified, defaults to "Spring Security Application". - - - - - Indicates whether an existing session should be invalidated when a user - authenticates and a new session started. If set to "none" no change will be made. - "newSession" will create a new empty session. "migrateSession" will create a new session - and copy the session attributes to the new session. Defaults to - "migrateSession". - - - - - - - - - - - - Allows a customized AuthenticationEntryPoint to be - used. - - - - - Corresponds to the observeOncePerRequest property of - FilterSecurityInterceptor. Defaults to "true" - - - - - Deprecated in favour of the access-denied-handler - element. - - - - - - - - - - - - Defines a reference to a Spring bean Id. - - - - - The access denied page that an authenticated user will be redirected to if - they request a page which they don't have the authority to access. - - - - - - - The access denied page that an authenticated user will be redirected to if - they request a page which they don't have the authority to access. - - - - - - - The pattern which defines the URL path. The content will depend on the - type set in the containing http element, so will default to ant path - syntax. - - - - - The access configuration attributes that apply for the configured - path. - - - - - The HTTP Method for which the access configuration attributes should - apply. If not specified, the attributes will apply to any method. - - - - - - - - - - - - - - - - The filter list for the path. Currently can be set to "none" to remove a - path from having any filters applied. The full filter stack (consisting of all filters - created by the namespace configuration, and any added using 'custom-filter'), will be - applied to any other paths. - - - - - - - - - - Used to specify that a URL must be accessed over http or https, or that - there is no preference. - - - - - - - - - - - - - - Specifies the URL that will cause a logout. Spring Security will - initialize a filter that responds to this particular URL. Defaults to - /j_spring_security_logout if unspecified. - - - - - Specifies the URL to display once the user has logged out. If not - specified, defaults to /. - - - - - Specifies whether a logout also causes HttpSession invalidation, which is - generally desirable. If unspecified, defaults to true. - - - - - - - The URL that the login form is posted to. If unspecified, it defaults to - /j_spring_security_check. - - - - - The URL that will be redirected to after successful authentication, if the - user's previous action could not be resumed. This generally happens if the user visits a - login page without having first requested a secured operation that triggers - authentication. If unspecified, defaults to the root of the - application. - - - - - Whether the user should always be redirected to the default-target-url - after login. - - - - - The URL for the login page. If no login URL is specified, Spring Security - will automatically create a login URL at /spring_security_login and a corresponding filter - to render that login URL when requested. - - - - - The URL for the login failure page. If no login failure URL is specified, - Spring Security will automatically create a failure login URL at - /spring_security_login?login_error and a corresponding filter to render that login failure - URL when requested. - - - - - Reference to an AuthenticationSuccessHandler bean which should be used to - handle a successful authentication request. Should not be used in combination with - default-target-url (or always-use-default-target-url) as the implementation should always - deal with navigation to the subsequent destination - - - - - Reference to an AuthenticationFailureHandler bean which should be used to - handle a failed authentication request. Should not be used in combination with - authentication-failure-url as the implementation should always deal with navigation to the - subsequent destination - - - - - - Sets up form login for authentication with an Open ID - identity - - - + + + + + Specifies the access attributes and/or filter list for a + particular set of URLs. + + + + + + + + + + + + + The maximum number of sessions a single user can have open at the same + time. Defaults to "1". + + + + + The URL a user will be redirected to if they attempt to use a session + which has been "expired" by the concurrent session controller because they have + logged in again. + + + + + Specifies that an exception should be raised when a user attempts to + login when they already have the maximum configured sessions open. The default + behaviour is to expire the original session. + + + + + Allows you to define an alias for the SessionRegistry bean in order to + access it in your own configuration + + + + + A reference to an external SessionRegistry implementation which will + be used in place of the standard one. + + + + + + + The "key" used to identify cookies from a specific token-based + remember-me application. You should set this to a unique value for your + application. + + + + + Reference to a PersistentTokenRepository bean for use with the + persistent token remember-me implementation. + + + + + A reference to a DataSource bean + + + - - A reference to a user-service (or UserDetailsService bean) - Id - + + A reference to a user-service (or UserDetailsService bean) + Id + - - - - - Used to explicitly configure a FilterChainProxy instance with a - FilterChainMap - - + + + The period (in seconds) for which the remember-me cookie should be + valid. If set to a negative value + + + + + + + Reference to a PersistentTokenRepository bean for use with the + persistent token remember-me implementation. + + + + + + + Allows a custom implementation of RememberMeServices to be used. Note + that this implementation should return RememberMeAuthenticationToken instances with + the same "key" value as specified in the remember-me element. Alternatively it should + register its own AuthenticationProvider. + + + + + + + + + + The key shared between the provider and filter. This generally does + not need to be set. If unset, it will default to "doesNotMatter". + + + + + The username that should be assigned to the anonymous request. This + allows the principal to be identified, which may be important for logging and + auditing. if unset, defaults to "anonymousUser". + + + + + The granted authority that should be assigned to the anonymous + request. Commonly this is used to assign the anonymous request particular roles, + which can subsequently be used in authorization decisions. If unset, defaults to + "ROLE_ANONYMOUS". + + + + + With the default namespace setup, the anonymous "authentication" + facility is automatically enabled. You can disable it using this property. + + + + + + + + + + + + + + + + + + + + The regular expression used to obtain the username from the + certificate's subject. Defaults to matching on the common name using the pattern + "CN=(.*?),". + + + + + A reference to a user-service (or UserDetailsService bean) + Id + + + + + + If you are using namespace configuration with Spring Security, an + AuthenticationManager will automatically be registered. This element allows you to + define an alias to allow you to reference the authentication-manager in your own beans. + + + + + + + + + + The alias you wish to use for the AuthenticationManager + bean + + + + + Allows the session controller to be set on the internal + AuthenticationManager. This should not be used with the + <concurrent-session-control /> element + + + + + + Indicates that the contained user-service should be used as an + authentication source. + + + + + + + element which defines a password encoding strategy. Used by an + authentication provider to convert submitted passwords to hashed versions, for + example. + + + + + + Password salting strategy. A system-wide constant or a + property from the UserDetails object can be used. + + + + + A property of the UserDetails object which will + be used as salt by a password encoder. Typically something like + "username" might be used. + + + + + A single value that will be used as the salt for + a password encoder. + + + + + Defines a reference to a Spring bean + Id. + + + + + + + + + + + + + + + + A reference to a user-service (or UserDetailsService bean) + Id + + + + + + Element used to decorate an AuthenticationProvider bean to add it to the + internal AuthenticationManager maintained by the namespace. + + + + + + Creates an in-memory UserDetailsService from a properties file or a list + of "user" child elements. + + + + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + + + + + + + Represents a user in the application. + + + + + + + + + The username assigned to the user. + + + + + The password assigned to the user. This may be hashed if the + corresponding authentication provider supports hashing (remember to set the "hash" + attribute of the "user-service" element). + + + + + One of more authorities granted to the user. Separate authorities with + a comma (but no space). For example, + "ROLE_USER,ROLE_ADMINISTRATOR" + + + + + Can be set to "true" to mark an account as locked and + unusable. + + + + + Can be set to "true" to mark an account as disabled and + unusable. + + + + + + Causes creation of a JDBC-based UserDetailsService. + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + + + + + The bean ID of the DataSource which provides the required + tables. + + + + + Defines a reference to a cache for use with a + UserDetailsService. + + + + + An SQL statement to query a username, password, and enabled status + given a username + + + + + An SQL statement to query for a user's granted authorities given a + username. + + + + + An SQL statement to query user's group authorities given a + username. + + + + + A non-empty string prefix that will be added to role strings loaded + from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases + where the default is non-empty. + + + + + - - - Used within filter-chain-map to define a specific URL pattern and the - list of filters which apply to the URLs matching that pattern. When multiple - filter-chain elements are used within a filter-chain-map element, the most specific - patterns must be placed at the top of the list, with most general ones at the - bottom. - - - - - + - - - - - - - - - - - - - Used to explicitly configure a FilterInvocationDefinitionSource bean for use - with a FilterSecurityInterceptor. Usually only needed if you are configuring a - FilterChainProxy explicitly, rather than using the <http> element. The - intercept-url elements used should only contain pattern, method and access attributes. Any - others will result in a configuration error. - - - - - - Specifies the access attributes and/or filter list for a particular - set of URLs. - - - - - - - - - - - + + - Enables the use of expressions in the 'access' attributes in - <intercept-url> elements rather than the traditional list of configuration - attributes. Defaults to 'false'. If enabled, each attribute should contain a single - boolean expression. If the expression evaluates to 'true', access will be granted. - + Used to indicate that a filter bean declaration should be incorporated + into the security filter chain. If neither the 'after' or 'before' options are supplied, + then the filter must implement the Ordered interface directly. - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - - - - - as for http element - - - - - Defines the type of pattern used to specify URL paths (either JDK - 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if - unspecified. - - - - - - - - - - - - - The maximum number of sessions a single user can have open at the same - time. Defaults to "1". - - - - - The URL a user will be redirected to if they attempt to use a session - which has been "expired" by the concurrent session controller because they have logged in - again. - - - - - Specifies that an exception should be raised when a user attempts to login - when they already have the maximum configured sessions open. The default behaviour is to - expire the original session. - - - - - Allows you to define an alias for the SessionRegistry bean in order to - access it in your own configuration - - - - - A reference to an external SessionRegistry implementation which will be - used in place of the standard one. - - - - - - - The "key" used to identify cookies from a specific token-based remember-me - application. You should set this to a unique value for your - application. - - - - - Reference to a PersistentTokenRepository bean for use with the persistent - token remember-me implementation. - - - - - A reference to a DataSource bean - - - - - - A reference to a user-service (or UserDetailsService bean) - Id - - - - - The period (in seconds) for which the remember-me cookie should be valid. - If set to a negative value - - - - - - - Reference to a PersistentTokenRepository bean for use with the persistent - token remember-me implementation. - - - - - - - Allows a custom implementation of RememberMeServices to be used. Note that - this implementation should return RememberMeAuthenticationToken instances with the same - "key" value as specified in the remember-me element. Alternatively it should register its - own AuthenticationProvider. - - - - - - - - - - The key shared between the provider and filter. This generally does not - need to be set. If unset, it will default to "doesNotMatter". - - - - - The username that should be assigned to the anonymous request. This allows - the principal to be identified, which may be important for logging and auditing. if unset, - defaults to "anonymousUser". - - - - - The granted authority that should be assigned to the anonymous request. - Commonly this is used to assign the anonymous request particular roles, which can - subsequently be used in authorization decisions. If unset, defaults to - "ROLE_ANONYMOUS". - - - - - With the default namespace setup, the anonymous "authentication" facility - is automatically enabled. You can disable it using this property. - - - - - - - - - - - - - - - - - - - The regular expression used to obtain the username from the certificate's - subject. Defaults to matching on the common name using the pattern - "CN=(.*?),". - - - - - A reference to a user-service (or UserDetailsService bean) - Id - - - - - - If you are using namespace configuration with Spring Security, an - AuthenticationManager will automatically be registered. This element allows you to define an - alias to allow you to reference the authentication-manager in your own beans. - - - - - - - - - - The alias you wish to use for the AuthenticationManager - bean - - - - - Allows the session controller to be set on the internal - AuthenticationManager. This should not be used with the <concurrent-session-control - /> element - - - - - - Indicates that the contained user-service should be used as an - authentication source. - - - - - - - element which defines a password encoding strategy. Used by an - authentication provider to convert submitted passwords to hashed versions, for - example. - - - - - - Password salting strategy. A system-wide constant or a property - from the UserDetails object can be used. - - - - - A property of the UserDetails object which will be used as - salt by a password encoder. Typically something like "username" might be - used. - - - - - A single value that will be used as the salt for a password - encoder. - - - - - Defines a reference to a Spring bean Id. - - - - - - - - - - - - - - - - A reference to a user-service (or UserDetailsService bean) - Id - - - - - - Element used to decorate an AuthenticationProvider bean to add it to the - internal AuthenticationManager maintained by the namespace. - - - - - - Creates an in-memory UserDetailsService from a properties file or a list of - "user" child elements. - - - - - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - + + + + The filter immediately after which the custom-filter should be + placed in the chain. This feature will only be needed by advanced users who wish + to mix their own filters into the security filter chain and have some knowledge of + the standard Spring Security filters. The filter names map to specific Spring + Security implementation filters. + + + + + The filter immediately before which the custom-filter should be + placed in the chain + + + + + The explicit position at which the custom-filter should be placed + in the chain. Use if you are replacing a standard filter. + + + + + + + + The filter immediately after which the custom-filter should be placed + in the chain. This feature will only be needed by advanced users who wish to mix + their own filters into the security filter chain and have some knowledge of the + standard Spring Security filters. The filter names map to specific Spring Security + implementation filters. + - - - - - - - - - Represents a user in the application. - - - - - - - - - The username assigned to the user. - - - - - The password assigned to the user. This may be hashed if the corresponding - authentication provider supports hashing (remember to set the "hash" attribute of the - "user-service" element). - - - - - One of more authorities granted to the user. Separate authorities with a - comma (but no space). For example, "ROLE_USER,ROLE_ADMINISTRATOR" - - - - - Can be set to "true" to mark an account as locked and - unusable. - - - - - Can be set to "true" to mark an account as disabled and - unusable. - - - - - - Causes creation of a JDBC-based UserDetailsService. - - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - + + + + + The filter immediately before which the custom-filter should be placed + in the chain + - - - - - - - The bean ID of the DataSource which provides the required - tables. - - - - - Defines a reference to a cache for use with a - UserDetailsService. - - - - - An SQL statement to query a username, password, and enabled status given a - username - - - - - An SQL statement to query for a user's granted authorities given a - username. - - - - - An SQL statement to query user's group authorities given a - username. - - - - - A non-empty string prefix that will be added to role strings loaded from - persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the - default is non-empty. - - - - - - - - - - - - Used to indicate that a filter bean declaration should be incorporated into - the security filter chain. If neither the 'after' or 'before' options are supplied, then the - filter must implement the Ordered interface directly. - - - - - The filter immediately after which the custom-filter should be placed in - the chain. This feature will only be needed by advanced users who wish to mix their own - filters into the security filter chain and have some knowledge of the standard Spring - Security filters. The filter names map to specific Spring Security implementation - filters. - + + + + + The explicit position at which the custom-filter should be placed in + the chain. Use if you are replacing a standard filter. + - - - The filter immediately before which the custom-filter should be placed - in the chain - - - - - The explicit position at which the custom-filter should be placed in the - chain. Use if you are replacing a standard filter. - - - - - - - - The filter immediately after which the custom-filter should be placed in - the chain. This feature will only be needed by advanced users who wish to mix their own - filters into the security filter chain and have some knowledge of the standard Spring - Security filters. The filter names map to specific Spring Security implementation filters. - - - - - - - - The filter immediately before which the custom-filter should be placed in - the chain - - - - - - - The explicit position at which the custom-filter should be placed in the - chain. Use if you are replacing a standard filter. - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/config/src/main/resources/org/springframework/security/config/spring-security.xsl b/config/src/main/resources/org/springframework/security/config/spring-security.xsl index 0e94992ff0..a9c2a2d94c 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security.xsl +++ b/config/src/main/resources/org/springframework/security/config/spring-security.xsl @@ -10,7 +10,7 @@ - ,access-denied-handler,anonymous,concurrent-session-control,filter-chain,form-login,http-basic,intercept-url,logout,password-encoder,port-mappings,port-mapper,password-compare,protect,protect-pointcut,pre-post-annotation-handling,pre-invocation-advice,post-invocation-advice,invocation-attribute-factory,remember-me,salt-source,x509, + ,access-denied-handler,anonymous,concurrent-session-control,user,port-mapping,openid-login,expression-handler,filter-chain,form-login,http-basic,intercept-url,logout,password-encoder,port-mappings,port-mapper,password-compare,protect,protect-pointcut,pre-post-annotation-handling,pre-invocation-advice,post-invocation-advice,invocation-attribute-factory,remember-me,salt-source,x509, diff --git a/config/src/test/java/org/springframework/security/config/FilterInvocationSecurityMetadataSourceBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/FilterSecurityMetadataSourceBeanDefinitionParserTests.java similarity index 90% rename from config/src/test/java/org/springframework/security/config/FilterInvocationSecurityMetadataSourceBeanDefinitionParserTests.java rename to config/src/test/java/org/springframework/security/config/FilterSecurityMetadataSourceBeanDefinitionParserTests.java index 9d13ac77c9..201dd73b56 100644 --- a/config/src/test/java/org/springframework/security/config/FilterInvocationSecurityMetadataSourceBeanDefinitionParserTests.java +++ b/config/src/test/java/org/springframework/security/config/FilterSecurityMetadataSourceBeanDefinitionParserTests.java @@ -23,7 +23,7 @@ import org.w3c.dom.Element; * @author Luke Taylor * @version $Id$ */ -public class FilterInvocationSecurityMetadataSourceBeanDefinitionParserTests { +public class FilterSecurityMetadataSourceBeanDefinitionParserTests { private AbstractXmlApplicationContext appContext; @After @@ -46,9 +46,9 @@ public class FilterInvocationSecurityMetadataSourceBeanDefinitionParserTests { @Test public void parsingMinimalConfigurationIsSuccessful() { setContext( - "" + + "" + " " + - ""); + ""); DefaultFilterInvocationSecurityMetadataSource fids = (DefaultFilterInvocationSecurityMetadataSource) appContext.getBean("fids"); List cad = fids.getAttributes(createFilterInvocation("/anything", "GET")); assertNotNull(cad); @@ -61,11 +61,11 @@ public class FilterInvocationSecurityMetadataSourceBeanDefinitionParserTests { "" + "" + " " + - " " + + " " + " " + " " + " " + - " " + + " " + " " + "" + ConfigTestUtils.AUTH_PROVIDER_XML); diff --git a/config/src/test/resources/namespace-usage.xml b/config/src/test/resources/namespace-usage.xml index f909ab3898..c6bcea0ab4 100644 --- a/config/src/test/resources/namespace-usage.xml +++ b/config/src/test/resources/namespace-usage.xml @@ -16,10 +16,17 @@ - < + + + + + + + + diff --git a/docs/manual/src/docbook/anon-auth-provider.xml b/docs/manual/src/docbook/anon-auth-provider.xml index fe094d3428..52de4015b9 100644 --- a/docs/manual/src/docbook/anon-auth-provider.xml +++ b/docs/manual/src/docbook/anon-auth-provider.xml @@ -1,47 +1,41 @@ - -Anonymous Authentication - - -
- Overview - - Particularly in the case of web request URI security, sometimes - it is more convenient to assign configuration attributes against every - possible secure object invocation. Put differently, sometimes it is - nice to say ROLE_SOMETHING is required by default - and only allow certain exceptions to this rule, such as for login, - logout and home pages of an application. There are also other - situations where anonymous authentication would be desired, such as - when an auditing interceptor queries the - SecurityContextHolder to identify which principal - was responsible for a given operation. Such classes can be authored - with more robustness if they know the - SecurityContextHolder always contains an - Authentication object, and never - null. -
- -
- Configuration - - Spring Security provides three classes that together provide an - anonymous authentication feature. - AnonymousAuthenticationToken is an implementation - of Authentication, and stores the - GrantedAuthority[]s which apply to the anonymous - principal. There is a corresponding - AnonymousAuthenticationProvider, which is chained - into the ProviderManager so that - AnonymousAuthenticationTokens are accepted. - Finally, there is an AnonymousProcessingFilter, which is chained after - the normal authentication mechanisms and automatically add an - AnonymousAuthenticationToken to the - SecurityContextHolder if there is no existing - Authentication held there. The definition of the - filter and authentication provider appears as follows: - - + + Anonymous Authentication + +
+ + Overview + + Particularly in the case of web request URI security, sometimes it is more convenient + to assign configuration attributes against every possible secure object invocation. Put + differently, sometimes it is nice to say ROLE_SOMETHING is required + by default and only allow certain exceptions to this rule, such as for login, logout and + home pages of an application. There are also other situations where anonymous + authentication would be desired, such as when an auditing interceptor queries the + SecurityContextHolder to identify which principal was + responsible for a given operation. Such classes can be authored with more robustness if + they know the SecurityContextHolder always contains an + Authentication object, and never + null. +
+
+ + Configuration + + Spring Security provides three classes that together provide an anonymous + authentication feature. AnonymousAuthenticationToken is an + implementation of Authentication, and stores the + GrantedAuthority[]s which apply to the anonymous + principal. There is a corresponding AnonymousAuthenticationProvider, + which is chained into the ProviderManager so that + AnonymousAuthenticationTokens are accepted. Finally, there is an + AnonymousProcessingFilter, which is chained after the normal authentication mechanisms + and automatically add an AnonymousAuthenticationToken to the + SecurityContextHolder if there is no existing + Authentication held there. The definition of the + filter and authentication provider appears as follows: + + @@ -53,53 +47,44 @@ class="org.springframework.security.authentication.AnonymousAuthenticationProvider"> ]]> - - - The key is shared between the filter and - authentication provider, so that tokens created by the former are - accepted by the latter. The userAttribute is - expressed in the form of - usernameInTheAuthenticationToken,grantedAuthority[,grantedAuthority]. - This is the same syntax as used after the equals sign for - InMemoryDaoImpl's userMap - property. - - As explained earlier, the benefit of anonymous authentication is - that all URI patterns can have security applied to them. For - example: - - + + + The key is shared between the filter and authentication provider, + so that tokens created by the former are accepted by the latter. The + userAttribute is expressed in the form of + usernameInTheAuthenticationToken,grantedAuthority[,grantedAuthority]. + This is the same syntax as used after the equals sign for + InMemoryDaoImpl's userMap property. + As explained earlier, the benefit of anonymous authentication is that all URI patterns + can have security applied to them. For example: + - - + + - " + + " + ]]> - Rounding out the anonymous authentication discussion - is the AuthenticationTrustResolver interface, with - its corresponding AuthenticationTrustResolverImpl - implementation. This interface provides an - isAnonymous(Authentication) method, which allows - interested classes to take into account this special type of - authentication status. The - ExceptionTranslationFilter uses this interface in - processing AccessDeniedExceptions. If an - AccessDeniedException is thrown, and the - authentication is of an anonymous type, instead of throwing a 403 - (forbidden) response, the filter will instead commence the - AuthenticationEntryPoint so the principal can - authenticate properly. This is a necessary distinction, otherwise - principals would always be deemed "authenticated" and never be given - an opportunity to login via form, basic, digest or some other normal - authentication mechanism -
+ Rounding out the anonymous authentication discussion is the + AuthenticationTrustResolver interface, with its corresponding + AuthenticationTrustResolverImpl implementation. This interface + provides an isAnonymous(Authentication) method, which allows + interested classes to take into account this special type of authentication status. The + ExceptionTranslationFilter uses this interface in processing + AccessDeniedExceptions. If an + AccessDeniedException is thrown, and the authentication is of an + anonymous type, instead of throwing a 403 (forbidden) response, the filter will instead + commence the AuthenticationEntryPoint so the principal + can authenticate properly. This is a necessary distinction, otherwise principals would + always be deemed "authenticated" and never be given an opportunity to login via form, + basic, digest or some other normal authentication mechanism +
diff --git a/docs/manual/src/docbook/channel-security.xml b/docs/manual/src/docbook/channel-security.xml index 096f4777b2..48ee50306a 100644 --- a/docs/manual/src/docbook/channel-security.xml +++ b/docs/manual/src/docbook/channel-security.xml @@ -1,52 +1,49 @@ - - -Channel Security - -
- Overview - - In addition to coordinating the authentication and authorization - requirements of your application, Spring Security is also able to - ensure unauthenticated web requests have certain properties. These - properties may include being of a particular transport type, having a - particular HttpSession attribute set and so on. The - most common requirement is for your web requests to be received using - a particular transport protocol, such as HTTPS. - - An important issue in considering transport security is that of - session hijacking. Your web container manages a - HttpSession by reference to a - jsessionid that is sent to user agents either via a - cookie or URL rewriting. If the jsessionid is ever - sent over HTTP, there is a possibility that session identifier can be - intercepted and used to impersonate the user after they complete the - authentication process. This is because most web containers maintain - the same session identifier for a given user, even after they switch - from HTTP to HTTPS pages. - - If session hijacking is considered too significant a risk for - your particular application, the only option is to use HTTPS for every - request. This means the jsessionid is never sent - across an insecure channel. You will need to ensure your - web.xml-defined - <welcome-file> points to an HTTPS location, - and the application never directs the user to an HTTP location. Spring - Security provides a solution to assist with the latter. -
- -
- Configuration - Channel security is supported by the security namespace - by means of the requires-channel attribute on the <intercept-url> - element and this is the simplest (and recommended approach). - To confiure channel security explicitly, you would define the following the filter in your application - context: - + + Channel Security + +
+ + Overview + + In addition to coordinating the authentication and authorization requirements of your + application, Spring Security is also able to ensure unauthenticated web requests have + certain properties. These properties may include being of a particular transport type, + having a particular HttpSession attribute set and so on. The most + common requirement is for your web requests to be received using a particular transport + protocol, such as HTTPS. + An important issue in considering transport security is that of session hijacking. + Your web container manages a HttpSession by reference to a + jsessionid that is sent to user agents either via a cookie or URL + rewriting. If the jsessionid is ever sent over HTTP, there is a + possibility that session identifier can be intercepted and used to impersonate the user + after they complete the authentication process. This is because most web containers + maintain the same session identifier for a given user, even after they switch from HTTP + to HTTPS pages. + If session hijacking is considered too significant a risk for your particular + application, the only option is to use HTTPS for every request. This means the + jsessionid is never sent across an insecure channel. You will + need to ensure your web.xml-defined + <welcome-file> points to an HTTPS location, and the + application never directs the user to an HTTP location. Spring Security provides a + solution to assist with the latter. +
+
+ + Configuration + + Channel security is supported by the security + namespace by means of the requires-channel attribute on + the <intercept-url> element and this is the simplest (and + recommended approach). + To confiure channel security explicitly, you would define the following the filter in + your application context: - - + + - + @@ -73,95 +70,73 @@ ]]> - Like FilterSecurityInterceptor, Apache Ant - style paths are also supported by the - ChannelProcessingFilter. - - The ChannelProcessingFilter operates by - filtering all web requests and determining the configuration - attributes that apply. It then delegates to the - ChannelDecisionManager. The default implementation, - ChannelDecisionManagerImpl, should suffice in most - cases. It simply delegates to the list of configured - ChannelProcessor instances. The attribute ANY_CHANNEL - can be used to override this behaviour and skip a particular URL. Otherwise, a - ChannelProcessor will review the request, and if it - is unhappy with the request (e.g. if it was received across the incorrect - transport protocol), it will perform a redirect, throw an exception or - take whatever other action is appropriate. - - Included with Spring Security are two concrete - ChannelProcessor implementations: - SecureChannelProcessor ensures requests with a - configuration attribute of REQUIRES_SECURE_CHANNEL - are received over HTTPS, whilst - InsecureChannelProcessor ensures requests with a - configuration attribute of - REQUIRES_INSECURE_CHANNEL are received over HTTP. - Both implementations delegate to a - ChannelEntryPoint if the required transport - protocol is not used. The two ChannelEntryPoint - implementations included with Spring Security simply redirect the - request to HTTP and HTTPS as appropriate. Appropriate defaults are - assigned to the ChannelProcessor implementations - for the configuration attribute keywords they respond to and the - ChannelEntryPoint they delegate to, although you - have the ability to override these using the application - context. - - Note that the redirections are absolute (eg - http://www.company.com:8080/app/page), not relative - (eg /app/page). During testing it was discovered - that Internet Explorer 6 Service Pack 1 has a bug whereby it does not - respond correctly to a redirection instruction which also changes the - port to use. Accordingly, absolute URLs are used in conjunction with - bug detection logic in the PortResolverImpl that is - wired up by default to many Spring Security beans. Please refer to the - JavaDocs for PortResolverImpl for further - details. - - You should note that using a secure channel is recommended if - usernames and passwords are to be kept secure during the login - process. If you do decide to use - ChannelProcessingFilter with form-based login, - please ensure that your login page is set to - REQUIRES_SECURE_CHANNEL, and that the - LoginUrlAuthenticationEntryPoint.forceHttps - property is true. -
- -
- Conclusion - - Once configured, using the channel security filter is very easy. - Simply request pages without regard to the protocol (ie HTTP or HTTPS) - or port (eg 80, 8080, 443, 8443 etc). Obviously you'll still need a - way of making the initial request (probably via the - web.xml <welcome-file> or - a well-known home page URL), but once this is done the filter will - perform redirects as defined by your application context. - - You can also add your own ChannelProcessor - implementations to the ChannelDecisionManagerImpl. - For example, you might set a HttpSession attribute - when a human user is detected via a "enter the contents of this - graphic" procedure. Your ChannelProcessor would - respond to say REQUIRES_HUMAN_USER configuration - attributes and redirect to an appropriate entry point to start the - human user validation process if the HttpSession - attribute is not currently set. - - To decide whether a security check belongs in a - ChannelProcessor or an - AccessDecisionVoter, remember that the former is - designed to handle unauthenticated requests, whilst the latter is - designed to handle authenticated requests. The latter therefore has - access to the granted authorities of the authenticated principal. In - addition, problems detected by a ChannelProcessor - will generally cause an HTTP/HTTPS redirection so its requirements can - be met, whilst problems detected by an - AccessDecisionVoter will ultimately result in an - AccessDeniedException (depending on the governing - AccessDecisionManager). -
- \ No newline at end of file + Like FilterSecurityInterceptor, Apache Ant style paths are also + supported by the ChannelProcessingFilter. + The ChannelProcessingFilter operates by filtering all web requests + and determining the configuration attributes that apply. It then delegates to the + ChannelDecisionManager. The default implementation, + ChannelDecisionManagerImpl, should suffice in most cases. It + simply delegates to the list of configured ChannelProcessor + instances. The attribute ANY_CHANNEL can be used to override this + behaviour and skip a particular URL. Otherwise, a ChannelProcessor + will review the request, and if it is unhappy with the request (e.g. if it was received + across the incorrect transport protocol), it will perform a redirect, throw an exception + or take whatever other action is appropriate. + Included with Spring Security are two concrete ChannelProcessor + implementations: SecureChannelProcessor ensures requests with a + configuration attribute of REQUIRES_SECURE_CHANNEL are received over + HTTPS, whilst InsecureChannelProcessor ensures requests with a + configuration attribute of REQUIRES_INSECURE_CHANNEL are received + over HTTP. Both implementations delegate to a ChannelEntryPoint if + the required transport protocol is not used. The two + ChannelEntryPoint implementations included with Spring Security + simply redirect the request to HTTP and HTTPS as appropriate. Appropriate defaults are + assigned to the ChannelProcessor implementations for the + configuration attribute keywords they respond to and the + ChannelEntryPoint they delegate to, although you have + the ability to override these using the application context. + Note that the redirections are absolute (eg + http://www.company.com:8080/app/page), not relative (eg + /app/page). During testing it was discovered that Internet + Explorer 6 Service Pack 1 has a bug whereby it does not respond correctly to a + redirection instruction which also changes the port to use. Accordingly, absolute URLs + are used in conjunction with bug detection logic in the + PortResolverImpl that is wired up by default to many Spring + Security beans. Please refer to the JavaDocs for PortResolverImpl + for further details. + You should note that using a secure channel is recommended if usernames and passwords + are to be kept secure during the login process. If you do decide to use + ChannelProcessingFilter with form-based login, please ensure + that your login page is set to REQUIRES_SECURE_CHANNEL, and that the + LoginUrlAuthenticationEntryPoint.forceHttps property is + true. +
+
+ + Conclusion + + Once configured, using the channel security filter is very easy. Simply request pages + without regard to the protocol (ie HTTP or HTTPS) or port (eg 80, 8080, 443, 8443 etc). + Obviously you'll still need a way of making the initial request (probably via the + web.xml + <welcome-file> or a well-known home page URL), but once this is + done the filter will perform redirects as defined by your application context. + You can also add your own ChannelProcessor implementations to the + ChannelDecisionManagerImpl. For example, you might set a + HttpSession attribute when a human user is detected via a "enter + the contents of this graphic" procedure. Your ChannelProcessor would + respond to say REQUIRES_HUMAN_USER configuration attributes and + redirect to an appropriate entry point to start the human user validation process if the + HttpSession attribute is not currently set. + To decide whether a security check belongs in a ChannelProcessor or + an AccessDecisionVoter, remember that the former is + designed to handle unauthenticated requests, whilst the latter is designed to handle + authenticated requests. The latter therefore has access to the granted authorities of + the authenticated principal. In addition, problems detected by a + ChannelProcessor will generally cause an HTTP/HTTPS redirection + so its requirements can be met, whilst problems detected by an + AccessDecisionVoter will ultimately result in an + AccessDeniedException (depending on the governing + AccessDecisionManager). +
+ diff --git a/docs/manual/src/docbook/secured-objects.xml b/docs/manual/src/docbook/secured-objects.xml index 7561af023b..f7e2381ebe 100644 --- a/docs/manual/src/docbook/secured-objects.xml +++ b/docs/manual/src/docbook/secured-objects.xml @@ -1,36 +1,32 @@ - - Secure Object Implementations - + + + Secure Object Implementations +
AOP Alliance (MethodInvocation) Security Interceptor - - - Prior to Spring Security 2.0, securing MethodInvocations needed quite a - lot of boiler plate configuration. Now the recommended approach for method security - is to use namespace configuration. - This way the method security infrastructure beans are configured automatically for you so you don't really need to - know about the implementation classes. We'll just provide a quick overview of the classes that are involved here. - - - - Method security in enforced using a MethodSecurityInterceptor, which secures - MethodInvocations. Depending on the configuration approach, an interceptor may be specific to a single - bean or shared between multiple beans. The interceptor uses a MethodDefinitionSource - instance to obtain the configuration attributes that apply to a particular method invocation. - MapBasedMethodDefinitionSource is used to store configuration attributes keyed by method names - (which can be wildcarded) and will be used internally when the attributes are defined in the application context using - the <intercept-methods> or <protect-point> elements. Other implementations - will be used to handle annotation-based configuration. - - + Prior to Spring Security 2.0, securing MethodInvocations needed + quite a lot of boiler plate configuration. Now the recommended approach for method security is + to use namespace configuration. This way the + method security infrastructure beans are configured automatically for you so you don't really + need to know about the implementation classes. We'll just provide a quick overview of the + classes that are involved here. + Method security in enforced using a MethodSecurityInterceptor, + which secures MethodInvocations. Depending on the configuration + approach, an interceptor may be specific to a single bean or shared between multiple beans. + The interceptor uses a MethodDefinitionSource instance to + obtain the configuration attributes that apply to a particular method invocation. + MapBasedMethodDefinitionSource is used to store configuration + attributes keyed by method names (which can be wildcarded) and will be used internally when + the attributes are defined in the application context using the + <intercept-methods> or <protect-point> + elements. Other implementations will be used to handle annotation-based configuration.
Explicit MethodSecurityIterceptor Configuration - - You can of course configure a MethodSecurityIterceptor directly in your application context - for use with one of Spring AOP's proxying mechanisms: - You can of course configure a MethodSecurityIterceptor directly + in your application context for use with one of Spring AOP's proxying mechanisms: @@ -43,37 +39,26 @@ ]]> - - +
-
-
AspectJ (JoinPoint) Security Interceptor - - The AspectJ security interceptor is very similar to the AOP - Alliance security interceptor discussed in the previous section. - Indeed we will only discuss the differences in this section. - - The AspectJ interceptor is named - AspectJSecurityInterceptor. Unlike the AOP Alliance - security interceptor, which relies on the Spring application context - to weave in the security interceptor via proxying, the - AspectJSecurityInterceptor is weaved in via the - AspectJ compiler. It would not be uncommon to use both types of - security interceptors in the same application, with - AspectJSecurityInterceptor being used for domain - object instance security and the AOP Alliance - MethodSecurityInterceptor being used for services - layer security. - - Let's first consider how the - AspectJSecurityInterceptor is configured in the - Spring application context: - + The AspectJ security interceptor is very similar to the AOP Alliance security interceptor + discussed in the previous section. Indeed we will only discuss the differences in this + section. + The AspectJ interceptor is named AspectJSecurityInterceptor. Unlike the + AOP Alliance security interceptor, which relies on the Spring application context to weave in + the security interceptor via proxying, the AspectJSecurityInterceptor is + weaved in via the AspectJ compiler. It would not be uncommon to use both types of security + interceptors in the same application, with AspectJSecurityInterceptor being + used for domain object instance security and the AOP Alliance + MethodSecurityInterceptor being used for services layer + security. + Let's first consider how the AspectJSecurityInterceptor is configured + in the Spring application context: @@ -87,23 +72,18 @@ ]]> - As you can see, aside from the class name, the - AspectJSecurityInterceptor is exactly the same as - the AOP Alliance security interceptor. Indeed the two interceptors can - share the same securityMetadataSource, as the - SecurityMetadataSource works with - java.lang.reflect.Methods rather than an AOP - library-specific class. Of course, your access decisions have access - to the relevant AOP library-specific invocation (ie - MethodInvocation or JoinPoint) - and as such can consider a range of addition criteria when making - access decisions (such as method arguments). - - Next you'll need to define an AspectJ aspect. - For example: - - + AspectJSecurityInterceptor is exactly the same as the AOP Alliance + security interceptor. Indeed the two interceptors can share the same + securityMetadataSource, as the + SecurityMetadataSource works with + java.lang.reflect.Methods rather than an AOP library-specific class. Of + course, your access decisions have access to the relevant AOP library-specific invocation (ie + MethodInvocation or JoinPoint) and as such can + consider a range of addition criteria when making access decisions (such as method + arguments). + Next you'll need to define an AspectJ aspect. For example: + package org.springframework.security.samples.aspectj; import org.springframework.security.intercept.aspectj.AspectJSecurityInterceptor; @@ -144,22 +124,16 @@ public void afterPropertiesSet() throws Exception { throw new IllegalArgumentException("securityInterceptor required"); } } - - In the above example, the security interceptor will be applied - to every instance of PersistableEntity, which is an - abstract class not shown (you can use any other class or - pointcut expression you like). For those curious, - AspectJCallback is needed because the - proceed(); statement has special meaning only - within an around() body. The - AspectJSecurityInterceptor calls this anonymous - AspectJCallback class when it wants the target - object to continue. - - You will need to configure Spring to load the aspect and wire it - with the AspectJSecurityInterceptor. A bean - declaration which achieves this is shown below: - + In the above example, the security interceptor will be applied to every instance of + PersistableEntity, which is an abstract class not shown (you can use any + other class or pointcut expression you like). For those curious, + AspectJCallback is needed because the proceed(); + statement has special meaning only within an around() body. The + AspectJSecurityInterceptor calls this anonymous + AspectJCallback class when it wants the target object to continue. + You will need to configure Spring to load the aspect and wire it with the + AspectJSecurityInterceptor. A bean declaration which achieves this is + shown below: ]]> - - That's it! Now you can create your beans from anywhere within - your application, using whatever means you think fit (eg new - Person();) and they will have the security interceptor - applied. + That's it! Now you can create your beans from anywhere within your application, using + whatever means you think fit (eg new Person();) and they will have the + security interceptor applied.
-
- FilterInvocation Security Interceptor - - To secure FilterInvocations, developers need - to add a FilterSecurityInterceptor to their filter chain. - A typical configuration example is provided below: - - In the application context you will need to configure three - beans: - + + FilterInvocation Security Interceptor + + To secure FilterInvocations, developers need to add a + FilterSecurityInterceptor to their filter chain. A typical + configuration example is provided below: + In the application context you will need to configure three beans: - + - + ]]> - - The ExceptionTranslationFilter provides - the bridge between Java exceptions and HTTP responses. It is solely - concerned with maintaining the user interface. This filter does not do - any actual security enforcement. If an - AuthenticationException is detected, - the filter will call the AuthenticationEntryPoint to commence the - authentication process (e.g. a user login). - - The AuthenticationEntryPoint will be called - if the user requests a secure HTTP resource but they are not - authenticated. The class handles presenting the appropriate response - to the user so that authentication can begin. Three concrete - implementations are provided with Spring Security: - LoginUrlAuthenticationEntryPoint for - commencing a form-based authentication, - BasicProcessingFilterEntryPoint for commencing a - HTTP Basic authentication process, and - CasProcessingFilterEntryPoint for commencing a - JA-SIG Central Authentication Service (CAS) login. The - LoginUrlAuthenticationEntryPoint and - CasProcessingFilterEntryPoint have optional - properties related to forcing the use of HTTPS, so please refer to the - JavaDocs if you require this. - - FilterSecurityInterceptor is responsible for - handling the security of HTTP resources. Like any other security - interceptor, it requires a reference to an - AuthenticationManager and an - AccessDecisionManager, which are both discussed in - separate sections below. The - FilterSecurityInterceptor is also configured with - configuration attributes that apply to different HTTP URL requests. A - full discussion of configuration attributes is provided in the High - Level Design section of this document. - - The FilterSecurityInterceptor can be - configured with configuration attributes in two ways. The first, - which is shown above, is using the <filter-invocation-definition-source> - namespace element. This is similar to the <filter-chain-map> - used to configure a FilterChainProxy but the <intercept-url> - child elements only use the pattern and access attributes. - The second is by writing your own - SecurityMetadataSource, although this is beyond the - scope of this document. Irrespective of the approach used, the - SecurityMetadataSource is responsible for returning - a List<ConfigAttribute> containing - all of the configuration attributes associated with a single secure - HTTP URL. - + The ExceptionTranslationFilter provides the bridge between Java + exceptions and HTTP responses. It is solely concerned with maintaining the user interface. + This filter does not do any actual security enforcement. If an + AuthenticationException is detected, the filter will call the + AuthenticationEntryPoint to commence the authentication process (e.g. a user login). + The AuthenticationEntryPoint will be called if the user + requests a secure HTTP resource but they are not authenticated. The class handles presenting + the appropriate response to the user so that authentication can begin. Three concrete + implementations are provided with Spring Security: + LoginUrlAuthenticationEntryPoint for commencing a form-based + authentication, BasicProcessingFilterEntryPoint for commencing a HTTP Basic + authentication process, and CasProcessingFilterEntryPoint for commencing a + JA-SIG Central Authentication Service (CAS) login. The + LoginUrlAuthenticationEntryPoint and + CasProcessingFilterEntryPoint have optional properties related to forcing + the use of HTTPS, so please refer to the JavaDocs if you require this. + FilterSecurityInterceptor is responsible for handling the security + of HTTP resources. Like any other security interceptor, it requires a reference to an + AuthenticationManager and an + AccessDecisionManager, which are both discussed in separate + sections below. The FilterSecurityInterceptor is also configured with + configuration attributes that apply to different HTTP URL requests. A full discussion of + configuration attributes is provided in the High Level Design section of this document. + The FilterSecurityInterceptor can be configured with configuration + attributes in two ways. The first, which is shown above, is using the + <filter-security-metadata-source> namespace element. This is + similar to the <filter-chain-map> used to configure a + FilterChainProxy but the <intercept-url> + child elements only use the pattern and access + attributes. The second is by writing your own + SecurityMetadataSource, although this is beyond the scope of + this document. Irrespective of the approach used, the + SecurityMetadataSource is responsible for returning a + List<ConfigAttribute> containing all of the configuration + attributes associated with a single secure HTTP URL. It should be noted that the - FilterSecurityInterceptor.setSecurityMetadataSource() - method actually expects an instance of - FilterInvocationDefinitionSource. This is a marker - interface which subclasses SecurityMetadataSource. - It simply denotes the SecurityMetadataSource - understands FilterInvocations. In the interests of - simplicity we'll continue to refer to the - FilterInvocationDefinitionSource as an - SecurityMetadataSource, as the distinction is of - little relevance to most users of the - FilterSecurityInterceptor. - - When using the namespace option to configure the interceptor, - commas are used to delimit the different configuration - attributes that apply to each HTTP URL. Each configuration attribute - is assigned into its own SecurityConfig object. The - SecurityConfig object is discussed in the High - Level Design section. The SecurityMetadataSource - created by the property editor, - FilterInvocationDefinitionSource, matches - configuration attributes against FilterInvocations - based on expression evaluation of the request URL. Two standard - expression syntaxes are supported. The default is to treat all - expressions as Apache Ant paths and regular expressions are also supported - for ore complex cases. The path-type attribute is used - to specify the type of pattern being used. It is not possible to - mix expression syntaxes within the same definition. For example, the - previous configuration using regular expressions instead of Ant paths would be - written as follows: - + FilterSecurityInterceptor.setSecurityMetadataSource() method actually + expects an instance of FilterInvocationDefinitionSource. This + is a marker interface which subclasses SecurityMetadataSource. + It simply denotes the SecurityMetadataSource understands + FilterInvocations. In the interests of simplicity we'll continue to + refer to the FilterInvocationDefinitionSource as an + SecurityMetadataSource, as the distinction is of little + relevance to most users of the FilterSecurityInterceptor. + When using the namespace option to configure the interceptor, commas are used to delimit + the different configuration attributes that apply to each HTTP URL. Each configuration + attribute is assigned into its own SecurityConfig object. The + SecurityConfig object is discussed in the High Level Design section. The + SecurityMetadataSource created by the property editor, + FilterInvocationDefinitionSource, matches configuration + attributes against FilterInvocations based on expression evaluation of the + request URL. Two standard expression syntaxes are supported. The default is to treat all + expressions as Apache Ant paths and regular expressions are also supported for ore complex + cases. The path-type attribute is used to specify the type of pattern being + used. It is not possible to mix expression syntaxes within the same definition. For example, + the previous configuration using regular expressions instead of Ant paths would be written as + follows: @@ -296,32 +241,25 @@ public void afterPropertiesSet() throws Exception { - + - + ]]> - - Irrespective of the type of expression syntax used, expressions - are always evaluated in the order they are defined. Thus it is - important that more specific expressions are defined higher in the - list than less specific expressions. This is reflected in our example - above, where the more specific /secure/super/ - pattern appears higher than the less specific - /secure/ pattern. If they were reversed, the - /secure/ pattern would always match and the - /secure/super/ pattern would never be - evaluated. - - As with other security interceptors, the - validateConfigAttributes property is observed. When - set to true (the default), at startup time the - FilterSecurityInterceptor will evaluate if the - provided configuration attributes are valid. It does this by checking - each configuration attribute can be processed by either the - AccessDecisionManager or the - RunAsManager. If neither of these can process a - given configuration attribute, an exception is thrown. + Irrespective of the type of expression syntax used, expressions are always evaluated in + the order they are defined. Thus it is important that more specific expressions are defined + higher in the list than less specific expressions. This is reflected in our example above, + where the more specific /secure/super/ pattern appears higher than the less + specific /secure/ pattern. If they were reversed, the + /secure/ pattern would always match and the + /secure/super/ pattern would never be evaluated. + As with other security interceptors, the validateConfigAttributes + property is observed. When set to true (the default), at startup time the + FilterSecurityInterceptor will evaluate if the provided configuration + attributes are valid. It does this by checking each configuration attribute can be processed + by either the AccessDecisionManager or the + RunAsManager. If neither of these can process a given configuration + attribute, an exception is thrown.
diff --git a/itest/context/src/test/resources/filter-chain-performance-app-context.xml b/itest/context/src/test/resources/filter-chain-performance-app-context.xml index 0e6ab55d36..02d82e02c5 100644 --- a/itest/context/src/test/resources/filter-chain-performance-app-context.xml +++ b/itest/context/src/test/resources/filter-chain-performance-app-context.xml @@ -92,11 +92,11 @@ - + - + diff --git a/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessingFilter.java b/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessingFilter.java index 6c9faa9d19..07e2efa1bf 100644 --- a/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessingFilter.java +++ b/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessingFilter.java @@ -51,15 +51,15 @@ public class ChannelProcessingFilter extends SpringSecurityFilter implements Ini //~ Instance fields ================================================================================================ private ChannelDecisionManager channelDecisionManager; - private FilterInvocationSecurityMetadataSource filterInvocationSecurityMetadataSource; + private FilterInvocationSecurityMetadataSource securityMetadataSource; //~ Methods ======================================================================================================== public void afterPropertiesSet() throws Exception { - Assert.notNull(filterInvocationSecurityMetadataSource, "filterInvocationSecurityMetadataSource must be specified"); + Assert.notNull(securityMetadataSource, "securityMetadataSource must be specified"); Assert.notNull(channelDecisionManager, "channelDecisionManager must be specified"); - Collection attrDefs = this.filterInvocationSecurityMetadataSource.getAllConfigAttributes(); + Collection attrDefs = this.securityMetadataSource.getAllConfigAttributes(); if (attrDefs == null) { if (logger.isWarnEnabled()) { @@ -91,7 +91,7 @@ public class ChannelProcessingFilter extends SpringSecurityFilter implements Ini throws IOException, ServletException { FilterInvocation fi = new FilterInvocation(request, response, chain); - List attr = this.filterInvocationSecurityMetadataSource.getAttributes(fi); + List attr = this.securityMetadataSource.getAttributes(fi); if (attr != null) { if (logger.isDebugEnabled()) { @@ -112,16 +112,16 @@ public class ChannelProcessingFilter extends SpringSecurityFilter implements Ini return channelDecisionManager; } - public FilterInvocationSecurityMetadataSource getFilterInvocationSecurityMetadataSource() { - return filterInvocationSecurityMetadataSource; + public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() { + return securityMetadataSource; } public void setChannelDecisionManager(ChannelDecisionManager channelDecisionManager) { this.channelDecisionManager = channelDecisionManager; } - public void setFilterInvocationSecurityMetadataSource(FilterInvocationSecurityMetadataSource filterInvocationSecurityMetadataSource) { - this.filterInvocationSecurityMetadataSource = filterInvocationSecurityMetadataSource; + public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource filterInvocationSecurityMetadataSource) { + this.securityMetadataSource = filterInvocationSecurityMetadataSource; } public int getOrder() { diff --git a/web/src/test/java/org/springframework/security/web/access/channel/ChannelProcessingFilterTests.java b/web/src/test/java/org/springframework/security/web/access/channel/ChannelProcessingFilterTests.java index 871ff21773..3a54239af7 100644 --- a/web/src/test/java/org/springframework/security/web/access/channel/ChannelProcessingFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/access/channel/ChannelProcessingFilterTests.java @@ -15,7 +15,7 @@ package org.springframework.security.web.access.channel; -import static org.junit.Assert.assertTrue; +import static org.junit.Assert.*; import static org.mockito.Mockito.mock; import java.io.IOException; @@ -31,8 +31,6 @@ import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.security.access.ConfigAttribute; import org.springframework.security.access.SecurityConfig; import org.springframework.security.web.FilterInvocation; -import org.springframework.security.web.access.channel.ChannelDecisionManager; -import org.springframework.security.web.access.channel.ChannelProcessingFilter; import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource; @@ -50,7 +48,7 @@ public class ChannelProcessingFilterTests { ChannelProcessingFilter filter = new ChannelProcessingFilter(); MockFilterInvocationDefinitionMap fids = new MockFilterInvocationDefinitionMap("/path", true, "MOCK"); - filter.setFilterInvocationSecurityMetadataSource(fids); + filter.setSecurityMetadataSource(fids); filter.afterPropertiesSet(); } @@ -69,7 +67,7 @@ public class ChannelProcessingFilterTests { MockFilterInvocationDefinitionMap fids = new MockFilterInvocationDefinitionMap("/path", true, "SUPPORTS_MOCK_ONLY"); - filter.setFilterInvocationSecurityMetadataSource(fids); + filter.setSecurityMetadataSource(fids); filter.afterPropertiesSet(); } @@ -81,7 +79,7 @@ public class ChannelProcessingFilterTests { MockFilterInvocationDefinitionMap fids = new MockFilterInvocationDefinitionMap("/path", true, "SUPPORTS_MOCK_ONLY", "INVALID_ATTRIBUTE"); - filter.setFilterInvocationSecurityMetadataSource(fids); + filter.setSecurityMetadataSource(fids); filter.afterPropertiesSet(); } @@ -92,7 +90,7 @@ public class ChannelProcessingFilterTests { MockFilterInvocationDefinitionMap fids = new MockFilterInvocationDefinitionMap("/path", true, "SOME_ATTRIBUTE"); - filter.setFilterInvocationSecurityMetadataSource(fids); + filter.setSecurityMetadataSource(fids); MockHttpServletRequest request = new MockHttpServletRequest(); request.setQueryString("info=now"); @@ -110,7 +108,7 @@ public class ChannelProcessingFilterTests { MockFilterInvocationDefinitionMap fids = new MockFilterInvocationDefinitionMap("/path", true, "SOME_ATTRIBUTE"); - filter.setFilterInvocationSecurityMetadataSource(fids); + filter.setSecurityMetadataSource(fids); MockHttpServletRequest request = new MockHttpServletRequest(); request.setQueryString("info=now"); @@ -129,7 +127,7 @@ public class ChannelProcessingFilterTests { MockFilterInvocationDefinitionMap fids = new MockFilterInvocationDefinitionMap("/path", true, "NOT_USED"); - filter.setFilterInvocationSecurityMetadataSource(fids); + filter.setSecurityMetadataSource(fids); MockHttpServletRequest request = new MockHttpServletRequest(); request.setQueryString("info=now"); @@ -148,8 +146,8 @@ public class ChannelProcessingFilterTests { MockFilterInvocationDefinitionMap fids = new MockFilterInvocationDefinitionMap("/path", false, "MOCK"); - filter.setFilterInvocationSecurityMetadataSource(fids); - assertTrue(filter.getFilterInvocationSecurityMetadataSource() != null); + filter.setSecurityMetadataSource(fids); + assertSame(fids, filter.getSecurityMetadataSource()); filter.init(null); filter.afterPropertiesSet();