mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-06-25 05:22:16 +00:00
Update references to SecurityEnforcementFilter
This commit is contained in:
Luke Taylor
parent
32aa840a78
commit
680e770508
@ -885,20 +885,22 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean {
|
||||
|
||||
<para>To secure <literal>FilterInvocation</literal>s, developers need
|
||||
to add a filter to their <literal>web.xml</literal> that delegates to
|
||||
the <literal>SecurityEnforcementFilter</literal>. A typical
|
||||
configuration example is provided below: <programlisting><filter>
|
||||
<filter-name>Acegi HTTP Request Security Filter</filter-name>
|
||||
<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
|
||||
<init-param>
|
||||
<param-name>targetClass</param-name>
|
||||
<param-value>org.acegisecurity.intercept.web.SecurityEnforcementFilter</param-value>
|
||||
</init-param>
|
||||
</filter>
|
||||
the <literal>FilterSecurityInterceptor</literal>. A typical
|
||||
configuration example is provided below: <programlisting><![CDATA[
|
||||
<filter>
|
||||
<filter-name>Acegi HTTP Request Security Filter</filter-name>
|
||||
<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
|
||||
<init-param>
|
||||
<param-name>targetClass</param-name>
|
||||
<param-value>org.acegisecurity.intercept.web.FilterSecurityInterceptor</param-value>
|
||||
</init-param>
|
||||
</filter>
|
||||
|
||||
<filter-mapping>
|
||||
<filter-name>Acegi HTTP Request Security Filter</filter-name>
|
||||
<url-pattern>/*</url-pattern>
|
||||
</filter-mapping></programlisting></para>
|
||||
<filter-mapping>
|
||||
<filter-name>Acegi HTTP Request Security Filter</filter-name>
|
||||
<url-pattern>/*</url-pattern>
|
||||
</filter-mapping>
|
||||
]]></programlisting></para>
|
||||
|
||||
<para>Notice that the filter is actually a
|
||||
<literal>FilterToBeanProxy</literal>. Most of the filters used by the
|
||||
@ -908,28 +910,47 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean {
|
||||
<para>In the application context you will need to configure three
|
||||
beans:</para>
|
||||
|
||||
<programlisting><bean id="securityEnforcementFilter" class="org.acegisecurity.intercept.web.SecurityEnforcementFilter">
|
||||
<property name="filterSecurityInterceptor"><ref bean="filterInvocationInterceptor"/></property>
|
||||
<property name="authenticationEntryPoint"><ref bean="authenticationEntryPoint"/></property>
|
||||
</bean>
|
||||
<programlisting><![CDATA[
|
||||
<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
|
||||
<property name="authenticationEntryPoint"><ref local="authenticationEntryPoint"/></property>
|
||||
</bean>
|
||||
|
||||
<bean id="authenticationEntryPoint" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
|
||||
<property name="loginFormUrl"><value>/acegilogin.jsp</value></property>
|
||||
<property name="forceHttps"><value>false</value></property>
|
||||
</bean>
|
||||
<bean id="authenticationEntryPoint" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
|
||||
<property name="loginFormUrl"><value>/acegilogin.jsp</value></property>
|
||||
<property name="forceHttps"><value>false</value></property>
|
||||
</bean>
|
||||
|
||||
<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
|
||||
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
||||
<property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
|
||||
<property name="runAsManager"><ref bean="runAsManager"/></property>
|
||||
<property name="objectDefinitionSource">
|
||||
<value>
|
||||
<bean id="filterSecurityInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
|
||||
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
||||
<property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
|
||||
<property name="objectDefinitionSource">
|
||||
<value>
|
||||
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
|
||||
\A/secure/super/.*\Z=ROLE_WE_DONT_HAVE
|
||||
\A/secure/.*\Z=ROLE_SUPERVISOR,ROLE_TELLER
|
||||
</value>
|
||||
</property>
|
||||
</bean></programlisting>
|
||||
</value>
|
||||
</property>
|
||||
</bean>
|
||||
]]>
|
||||
</programlisting>
|
||||
|
||||
<!-- Not in listing above, so removed. L.T.
|
||||
<para>The <literal>PortMapper</literal> provides information on which
|
||||
HTTPS ports correspond to which HTTP ports. This is used by the
|
||||
<literal>AuthenticationProcessingFilterEntryPoint</literal> and
|
||||
several other beans. The default implementation,
|
||||
<literal>PortMapperImpl</literal>, knows the common HTTP ports 80 and
|
||||
8080 map to HTTPS ports 443 and 8443 respectively. You can customise
|
||||
this mapping if desired.</para>
|
||||
-->
|
||||
<para>The <classname>ExceptionTranslationFilter</classname>
|
||||
provides the bridge between Java exceptions and HTTP responses.
|
||||
It is solely concerned with maintaining the
|
||||
user interface. This filter does not do any actual security enforcement.
|
||||
If an <exceptionname>AuthenticationException</exceptionname> is detected,
|
||||
the filter will call the AuthenticationEntryPoint to commence the
|
||||
authentication process (e.g. a user login).
|
||||
</para>
|
||||
|
||||
<para>The <literal>AuthenticationEntryPoint</literal> will be called
|
||||
if the user requests a secure HTTP resource but they are not
|
||||
@ -947,26 +968,13 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean {
|
||||
properties related to forcing the use of HTTPS, so please refer to the
|
||||
JavaDocs if you require this.</para>
|
||||
|
||||
<para>The <literal>PortMapper</literal> provides information on which
|
||||
HTTPS ports correspond to which HTTP ports. This is used by the
|
||||
<literal>AuthenticationProcessingFilterEntryPoint</literal> and
|
||||
several other beans. The default implementation,
|
||||
<literal>PortMapperImpl</literal>, knows the common HTTP ports 80 and
|
||||
8080 map to HTTPS ports 443 and 8443 respectively. You can customise
|
||||
this mapping if desired.</para>
|
||||
|
||||
<para>The <literal>SecurityEnforcementFilter</literal> primarily
|
||||
provides session management support and initiates authentication when
|
||||
required. It delegates actual <literal>FilterInvocation</literal>
|
||||
security decisions to the configured
|
||||
<literal>FilterSecurityInterceptor</literal>.</para>
|
||||
|
||||
<para>Like any other security interceptor, the
|
||||
<literal>FilterSecurityInterceptor</literal> requires a reference to
|
||||
an <literal>AuthenticationManager</literal>,
|
||||
<literal>AccessDecisionManager</literal> and
|
||||
<literal>RunAsManager</literal>, which are each discussed in separate
|
||||
sections below. The <literal>FilterSecurityInterceptor</literal> is
|
||||
<para><literal>FilterSecurityInterceptor</literal> is responsible for
|
||||
handling the security of HTTP resources.
|
||||
Like any other security
|
||||
interceptor, it requires a reference to an <literal>AuthenticationManager</literal>
|
||||
and an <literal>AccessDecisionManager</literal>, which are both
|
||||
discussed in separate sections below. The
|
||||
<literal>FilterSecurityInterceptor</literal> is
|
||||
also configured with configuration attributes that apply to different
|
||||
HTTP URL requests. A full discussion of configuration attributes is
|
||||
provided in the High Level Design section of this document.</para>
|
||||
@ -1760,7 +1768,7 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean {
|
||||
<value>
|
||||
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
|
||||
PATTERN_TYPE_APACHE_ANT
|
||||
/**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,securityEnforcementFilter
|
||||
/**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
|
||||
</value>
|
||||
</property>
|
||||
</bean></programlisting></para>
|
||||
@ -2593,7 +2601,7 @@ public boolean supports(Class clazz);</programlisting></para>
|
||||
attribute specified by
|
||||
<literal>AbstractProcessingFilter.ACEGI_SECURITY_TARGET_URL_KEY</literal>.
|
||||
This attribute is automatically set by the
|
||||
<literal>SecurityEnforcementFilter</literal> when an
|
||||
<literal>ExceptionTranslationFilter</literal> when an
|
||||
<literal>AuthenticationException</literal> occurs, so that after login
|
||||
is completed the user can return to what they were trying to access.
|
||||
If for some reason the <literal>HttpSession</literal> does not
|
||||
@ -2862,7 +2870,7 @@ key: A private key to prevent modification of the nonce token
|
||||
<literal>isAnonymous(Authentication)</literal> method, which allows
|
||||
interested classes to take into account this special type of
|
||||
authentication status. The
|
||||
<literal>SecurityEnforcementFilter</literal> uses this interface in
|
||||
<literal>ExceptionTranslationFilter</literal> uses this interface in
|
||||
processing <literal>AccessDeniedException</literal>s. If an
|
||||
<literal>AccessDeniedException</literal> is thrown, and the
|
||||
authentication is of an anonymous type, instead of throwing a 403
|
||||
@ -3516,7 +3524,7 @@ $CATALINA_HOME/bin/startup.sh</programlisting></para>
|
||||
<listitem>
|
||||
<para>The user eventually requests a page that is either secure or
|
||||
one of the beans it uses is secure. Acegi Security's
|
||||
<literal>SecurityEnforcementFilter</literal> will detect the
|
||||
<literal>ExceptionTranslationFilter</literal> will detect the
|
||||
<literal>AuthenticationException</literal>.</para>
|
||||
</listitem>
|
||||
|
||||
@ -3524,7 +3532,7 @@ $CATALINA_HOME/bin/startup.sh</programlisting></para>
|
||||
<para>Because the user's <literal>Authentication</literal> object
|
||||
(or lack thereof) caused an
|
||||
<literal>AuthenticationException</literal>, the
|
||||
<literal>SecurityEnforcementFilter</literal> will call the
|
||||
<literal>ExceptionTranslationFilter</literal> will call the
|
||||
configured <literal>AuthenticationEntryPoint</literal>. If using
|
||||
CAS, this will be the
|
||||
<literal>CasProcessingFilterEntryPoint</literal> class.</para>
|
||||
@ -3815,22 +3823,24 @@ $CATALINA_HOME/bin/startup.sh</programlisting></para>
|
||||
<para>The following beans should be configured to commence the CAS
|
||||
authentication process:</para>
|
||||
|
||||
<para><programlisting><bean id="casProcessingFilter" class="org.acegisecurity.ui.cas.CasProcessingFilter">
|
||||
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
||||
<property name="authenticationFailureUrl"><value>/casfailed.jsp</value></property>
|
||||
<property name="defaultTargetUrl"><value>/</value></property>
|
||||
<property name="filterProcessesUrl"><value>/j_acegi_cas_security_check</value></property>
|
||||
</bean>
|
||||
<para><programlisting><![CDATA[
|
||||
<bean id="casProcessingFilter" class="org.acegisecurity.ui.cas.CasProcessingFilter">
|
||||
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
||||
<property name="authenticationFailureUrl"><value>/casfailed.jsp</value></property>
|
||||
<property name="defaultTargetUrl"><value>/</value></property>
|
||||
<property name="filterProcessesUrl"><value>/j_acegi_cas_security_check</value></property>
|
||||
</bean>
|
||||
|
||||
<bean id="securityEnforcementFilter" class="org.acegisecurity.intercept.web.SecurityEnforcementFilter">
|
||||
<property name="filterSecurityInterceptor"><ref bean="filterInvocationInterceptor"/></property>
|
||||
<property name="authenticationEntryPoint"><ref bean="casProcessingFilterEntryPoint"/></property>
|
||||
</bean>
|
||||
<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
|
||||
<property name="authenticationEntryPoint"><ref local="casProcessingFilterEntryPoint"/></property>
|
||||
</bean>
|
||||
|
||||
<bean id="casProcessingFilterEntryPoint" class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint">
|
||||
<property name="loginUrl"><value>https://localhost:8443/cas/login</value></property>
|
||||
<property name="serviceProperties"><ref bean="serviceProperties"/></property>
|
||||
</bean></programlisting></para>
|
||||
<bean id="casProcessingFilterEntryPoint" class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint">
|
||||
<property name="loginUrl"><value>https://localhost:8443/cas/login</value></property>
|
||||
<property name="serviceProperties"><ref bean="serviceProperties"/></property>
|
||||
</bean>
|
||||
]]>
|
||||
</programlisting></para>
|
||||
|
||||
<para>You will also need to add the
|
||||
<literal>CasProcessingFilter</literal> to web.xml:</para>
|
||||
@ -3855,7 +3865,7 @@ $CATALINA_HOME/bin/startup.sh</programlisting></para>
|
||||
self-explanatory.</para>
|
||||
|
||||
<para>For CAS to operate, the
|
||||
<literal>SecurityEnforcementFilter</literal> must have its
|
||||
<literal>ExceptionTranslationFilter</literal> must have its
|
||||
<literal>authenticationEntryPoint</literal> property set to the
|
||||
<literal>CasProcessingFilterEntryPoint</literal> bean.</para>
|
||||
|
||||
@ -4106,7 +4116,7 @@ $CATALINA_HOME/bin/startup.sh</programlisting></para>
|
||||
valid <classname>Authentication</classname> object in the secure
|
||||
context and the invocation will procede as normal. If no
|
||||
certificate was found, or the certificate was rejected, then the
|
||||
<classname>SecurityEnforcementFilter</classname> will invoke the
|
||||
<classname>ExceptionTranslationFilter</classname> will invoke the
|
||||
<classname>X509ProcessingFilterEntryPoint</classname> which
|
||||
returns a 403 error (forbidden) to the user.</para>
|
||||
</listitem>
|
||||
@ -5099,14 +5109,14 @@ INSERT INTO acl_permission VALUES (null, 6, 'scott', 1);</programlisting></para>
|
||||
<value>
|
||||
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
|
||||
PATTERN_TYPE_APACHE_ANT
|
||||
/webServices/**=httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,securityEnforcementFilter
|
||||
/**=httpSessionContextIntegrationFilterWithASCTrue,authenticationProcessingFilter,securityEnforcementFilter
|
||||
/webServices/**=httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
|
||||
/**=httpSessionContextIntegrationFilterWithASCTrue,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
|
||||
</value>
|
||||
</property>
|
||||
</bean></programlisting></para>
|
||||
|
||||
<para>You may notice similarities with the way
|
||||
<literal>SecurityEnforcementFilter</literal> is declared. Both regular
|
||||
<literal>FilterSecurityInterceptor</literal> is declared. Both regular
|
||||
expressions and Ant Paths are supported, and the most specific URIs
|
||||
appear first. At runtime the <literal>FilterChainProxy</literal> will
|
||||
locate the first URI pattern that matches the current web request.
|
||||
@ -5117,10 +5127,10 @@ INSERT INTO acl_permission VALUES (null, 6, 'scott', 1);</programlisting></para>
|
||||
<literal>Filter</literal> can elect not to proceed with the chain if
|
||||
it wishes to end processing).</para>
|
||||
|
||||
<para>As you can see, <literal>FitlerChainProxy</literal> requires the
|
||||
<para>As you can see, <literal>FilterChainProxy</literal> requires the
|
||||
duplication of filter names for different request patterns (in the
|
||||
above example, <literal>httpSessionContextIntegrationFilter</literal>
|
||||
and <literal>securityEnforcementFilter</literal> are duplicated). This
|
||||
above example, <literal>exceptionTranslationFilter</literal>
|
||||
and <literal>filterSecurityInterceptor</literal> are duplicated). This
|
||||
design decision was made to enable <literal>FilterChainProxy</literal>
|
||||
to specify different <literal>Filter</literal> invocation orders for
|
||||
different URI patterns, and also to improve both the expressiveness
|
||||
@ -5229,10 +5239,15 @@ INSERT INTO acl_permission VALUES (null, 6, 'scott', 1);</programlisting></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><literal>SecurityEnforcementFilter</literal>, to protect web
|
||||
URIs and catch any Acegi Security exceptions so that an
|
||||
appropriate <literal>AuthenticationEntryPoint</literal> can be
|
||||
launched</para>
|
||||
<para><literal>ExceptionTranslationFilter</literal>, catch any Acegi Security
|
||||
exceptions so that an either an HTTP error response can be returned
|
||||
or an appropriate <literal>AuthenticationEntryPoint</literal>
|
||||
can be launched</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><literal>FilterSecurityInterceptor</literal>, to protect web
|
||||
URIs</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
@ -5334,7 +5349,7 @@ INSERT INTO acl_permission VALUES (null, 6, 'scott', 1);</programlisting></para>
|
||||
requests. If using either of these WARs, be sure to try visiting
|
||||
<literal>http://localhost:8080/contacts/secure/super</literal>, which
|
||||
will demonstrate access being denied by the
|
||||
<literal>SecurityEnforcementFilter</literal>. Note the sample
|
||||
<literal>FilterSecurityInterceptor</literal>. Note the sample
|
||||
application enables you to modify the access control lists associated
|
||||
with different contacts. Be sure to give this a try and understand how
|
||||
it works by reviewing the sample application's application context XML
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user