Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-05-31 09:12:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

Extract appendix subsections

Browse Source 
Issue: gh-2567
This commit is contained in:
Rob Winch 2018-03-06 13:09:31 -06:00
parent 40bb73124c
commit 6e5105f899
7 changed files with 626 additions and 622 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

352
docs/manual/src/docs/asciidoc/_includes/appendix/database-schema.adoc Normal file
View File

@ -0,0 +1,352 @@
[[appendix-schema]]
== Security Database Schema
There are various database schema used by the framework and this appendix provides a single reference point to them all.
You only need to provide the tables for the areas of functionality you require.
DDL statements are given for the HSQLDB database.
You can use these as a guideline for defining the schema for the database you are using.
=== User Schema
The standard JDBC implementation of the `UserDetailsService` (`JdbcDaoImpl`) requires tables to load the password, account status (enabled or disabled) and a list of authorities (roles) for the user.
You will need to adjust this schema to match the database dialect you are using.
[source]
----
create table users(
username varchar_ignorecase(50) not null primary key,
password varchar_ignorecase(50) not null,
enabled boolean not null
);
create table authorities (
username varchar_ignorecase(50) not null,
authority varchar_ignorecase(50) not null,
constraint fk_authorities_users foreign key(username) references users(username)
);
create unique index ix_auth_username on authorities (username,authority);
----
==== Group Authorities
Spring Security 2.0 introduced support for group authorities in `JdbcDaoImpl`.
The table structure if groups are enabled is as follows.
You will need to adjust this schema to match the database dialect you are using.
[source]
----
create table groups (
id bigint generated by default as identity(start with 0) primary key,
group_name varchar_ignorecase(50) not null
);
create table group_authorities (
group_id bigint not null,
authority varchar(50) not null,
constraint fk_group_authorities_group foreign key(group_id) references groups(id)
);
create table group_members (
id bigint generated by default as identity(start with 0) primary key,
username varchar(50) not null,
group_id bigint not null,
constraint fk_group_members_group foreign key(group_id) references groups(id)
);
----
Remember that these tables are only required if you are using the provided JDBC `UserDetailsService` implementation.
If you write your own or choose to implement `AuthenticationProvider` without a `UserDetailsService`, then you have complete freedom over how you store the data, as long as the interface contract is satisfied.
=== Persistent Login (Remember-Me) Schema
This table is used to store data used by the more secure <<remember-me-persistent-token,persistent token>> remember-me implementation.
If you are using `JdbcTokenRepositoryImpl` either directly or through the namespace, then you will need this table.
Remember to adjust this schema to match the database dialect you are using.
[source]
----
create table persistent_logins (
username varchar(64) not null,
series varchar(64) primary key,
token varchar(64) not null,
last_used timestamp not null
);
----
[[dbschema-acl]]
=== ACL Schema
There are four tables used by the Spring Security <<domain-acls,ACL>> implementation.
. `acl_sid` stores the security identities recognised by the ACL system.
These can be unique principals or authorities which may apply to multiple principals.
. `acl_class` defines the domain object types to which ACLs apply.
The `class` column stores the Java class name of the object.
. `acl_object_identity` stores the object identity definitions of specific domai objects.
. `acl_entry` stores the ACL permissions which apply to a specific object identity and security identity.
It is assumed that the database will auto-generate the primary keys for each of the identities.
The `JdbcMutableAclService` has to be able to retrieve these when it has created a new row in the `acl_sid` or `acl_class` tables.
It has two properties which define the SQL needed to retrieve these values `classIdentityQuery` and `sidIdentityQuery`.
Both of these default to `call identity()`
The ACL artifact JAR contains files for creating the ACL schema in HyperSQL (HSQLDB), PostgreSQL, MySQL/MariaDB, Microsoft SQL Server, and Oracle Database.
These schemas are also demonstrated in the following sections.
==== HyperSQL
The default schema works with the embedded HSQLDB database that is used in unit tests within the framework.
[source,ddl]
----
create table acl_sid(
id bigint generated by default as identity(start with 100) not null primary key,
principal boolean not null,
sid varchar_ignorecase(100) not null,
constraint unique_uk_1 unique(sid,principal)
);
create table acl_class(
id bigint generated by default as identity(start with 100) not null primary key,
class varchar_ignorecase(100) not null,
constraint unique_uk_2 unique(class)
);
create table acl_object_identity(
id bigint generated by default as identity(start with 100) not null primary key,
object_id_class bigint not null,
object_id_identity varchar_ignorecase(36) not null,
parent_object bigint,
owner_sid bigint,
entries_inheriting boolean not null,
constraint unique_uk_3 unique(object_id_class,object_id_identity),
constraint foreign_fk_1 foreign key(parent_object)references acl_object_identity(id),
constraint foreign_fk_2 foreign key(object_id_class)references acl_class(id),
constraint foreign_fk_3 foreign key(owner_sid)references acl_sid(id)
);
create table acl_entry(
id bigint generated by default as identity(start with 100) not null primary key,
acl_object_identity bigint not null,
ace_order int not null,
sid bigint not null,
mask integer not null,
granting boolean not null,
audit_success boolean not null,
audit_failure boolean not null,
constraint unique_uk_4 unique(acl_object_identity,ace_order),
constraint foreign_fk_4 foreign key(acl_object_identity) references acl_object_identity(id),
constraint foreign_fk_5 foreign key(sid) references acl_sid(id)
);
----
==== PostgreSQL
[source,ddl]
----
create table acl_sid(
id bigserial not null primary key,
principal boolean not null,
sid varchar(100) not null,
constraint unique_uk_1 unique(sid,principal)
);
create table acl_class(
id bigserial not null primary key,
class varchar(100) not null,
constraint unique_uk_2 unique(class)
);
create table acl_object_identity(
id bigserial primary key,
object_id_class bigint not null,
object_id_identity varchar(36) not null,
parent_object bigint,
owner_sid bigint,
entries_inheriting boolean not null,
constraint unique_uk_3 unique(object_id_class,object_id_identity),
constraint foreign_fk_1 foreign key(parent_object)references acl_object_identity(id),
constraint foreign_fk_2 foreign key(object_id_class)references acl_class(id),
constraint foreign_fk_3 foreign key(owner_sid)references acl_sid(id)
);
create table acl_entry(
id bigserial primary key,
acl_object_identity bigint not null,
ace_order int not null,
sid bigint not null,
mask integer not null,
granting boolean not null,
audit_success boolean not null,
audit_failure boolean not null,
constraint unique_uk_4 unique(acl_object_identity,ace_order),
constraint foreign_fk_4 foreign key(acl_object_identity) references acl_object_identity(id),
constraint foreign_fk_5 foreign key(sid) references acl_sid(id)
);
----
You will have to set the `classIdentityQuery` and `sidIdentityQuery` properties of `JdbcMutableAclService` to the following values, respectively:
* `select currval(pg_get_serial_sequence('acl_class', 'id'))`
* `select currval(pg_get_serial_sequence('acl_sid', 'id'))`
==== MySQL and MariaDB
[source,ddl]
----
CREATE TABLE acl_sid (
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
principal BOOLEAN NOT NULL,
sid VARCHAR(100) NOT NULL,
UNIQUE KEY unique_acl_sid (sid, principal)
) ENGINE=InnoDB;
CREATE TABLE acl_class (
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
class VARCHAR(100) NOT NULL,
UNIQUE KEY uk_acl_class (class)
) ENGINE=InnoDB;
CREATE TABLE acl_object_identity (
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
object_id_class BIGINT UNSIGNED NOT NULL,
object_id_identity VARCHAR(36) NOT NULL,
parent_object BIGINT UNSIGNED,
owner_sid BIGINT UNSIGNED,
entries_inheriting BOOLEAN NOT NULL,
UNIQUE KEY uk_acl_object_identity (object_id_class, object_id_identity),
CONSTRAINT fk_acl_object_identity_parent FOREIGN KEY (parent_object) REFERENCES acl_object_identity (id),
CONSTRAINT fk_acl_object_identity_class FOREIGN KEY (object_id_class) REFERENCES acl_class (id),
CONSTRAINT fk_acl_object_identity_owner FOREIGN KEY (owner_sid) REFERENCES acl_sid (id)
) ENGINE=InnoDB;
CREATE TABLE acl_entry (
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
acl_object_identity BIGINT UNSIGNED NOT NULL,
ace_order INTEGER NOT NULL,
sid BIGINT UNSIGNED NOT NULL,
mask INTEGER UNSIGNED NOT NULL,
granting BOOLEAN NOT NULL,
audit_success BOOLEAN NOT NULL,
audit_failure BOOLEAN NOT NULL,
UNIQUE KEY unique_acl_entry (acl_object_identity, ace_order),
CONSTRAINT fk_acl_entry_object FOREIGN KEY (acl_object_identity) REFERENCES acl_object_identity (id),
CONSTRAINT fk_acl_entry_acl FOREIGN KEY (sid) REFERENCES acl_sid (id)
) ENGINE=InnoDB;
----
==== Microsoft SQL Server
[source,ddl]
----
CREATE TABLE acl_sid (
id BIGINT NOT NULL IDENTITY PRIMARY KEY,
principal BIT NOT NULL,
sid VARCHAR(100) NOT NULL,
CONSTRAINT unique_acl_sid UNIQUE (sid, principal)
);
CREATE TABLE acl_class (
id BIGINT NOT NULL IDENTITY PRIMARY KEY,
class VARCHAR(100) NOT NULL,
CONSTRAINT uk_acl_class UNIQUE (class)
);
CREATE TABLE acl_object_identity (
id BIGINT NOT NULL IDENTITY PRIMARY KEY,
object_id_class BIGINT NOT NULL,
object_id_identity VARCHAR(36) NOT NULL,
parent_object BIGINT,
owner_sid BIGINT,
entries_inheriting BIT NOT NULL,
CONSTRAINT uk_acl_object_identity UNIQUE (object_id_class, object_id_identity),
CONSTRAINT fk_acl_object_identity_parent FOREIGN KEY (parent_object) REFERENCES acl_object_identity (id),
CONSTRAINT fk_acl_object_identity_class FOREIGN KEY (object_id_class) REFERENCES acl_class (id),
CONSTRAINT fk_acl_object_identity_owner FOREIGN KEY (owner_sid) REFERENCES acl_sid (id)
);
CREATE TABLE acl_entry (
id BIGINT NOT NULL IDENTITY PRIMARY KEY,
acl_object_identity BIGINT NOT NULL,
ace_order INTEGER NOT NULL,
sid BIGINT NOT NULL,
mask INTEGER NOT NULL,
granting BIT NOT NULL,
audit_success BIT NOT NULL,
audit_failure BIT NOT NULL,
CONSTRAINT unique_acl_entry UNIQUE (acl_object_identity, ace_order),
CONSTRAINT fk_acl_entry_object FOREIGN KEY (acl_object_identity) REFERENCES acl_object_identity (id),
CONSTRAINT fk_acl_entry_acl FOREIGN KEY (sid) REFERENCES acl_sid (id)
);
----
==== Oracle Database
[source,ddl]
----
CREATE TABLE acl_sid (
id NUMBER(38) NOT NULL PRIMARY KEY,
principal NUMBER(1) NOT NULL CHECK (principal in (0, 1)),
sid NVARCHAR2(100) NOT NULL,
CONSTRAINT unique_acl_sid UNIQUE (sid, principal)
);
CREATE SEQUENCE acl_sid_sequence START WITH 1 INCREMENT BY 1 NOMAXVALUE;
CREATE OR REPLACE TRIGGER acl_sid_id_trigger
BEFORE INSERT ON acl_sid
FOR EACH ROW
BEGIN
SELECT acl_sid_sequence.nextval INTO :new.id FROM dual;
END;
CREATE TABLE acl_class (
id NUMBER(38) NOT NULL PRIMARY KEY,
class NVARCHAR2(100) NOT NULL,
CONSTRAINT uk_acl_class UNIQUE (class)
);
CREATE SEQUENCE acl_class_sequence START WITH 1 INCREMENT BY 1 NOMAXVALUE;
CREATE OR REPLACE TRIGGER acl_class_id_trigger
BEFORE INSERT ON acl_class
FOR EACH ROW
BEGIN
SELECT acl_class_sequence.nextval INTO :new.id FROM dual;
END;
CREATE TABLE acl_object_identity (
id NUMBER(38) NOT NULL PRIMARY KEY,
object_id_class NUMBER(38) NOT NULL,
object_id_identity NVARCHAR2(36) NOT NULL,
parent_object NUMBER(38),
owner_sid NUMBER(38),
entries_inheriting NUMBER(1) NOT NULL CHECK (entries_inheriting in (0, 1)),
CONSTRAINT uk_acl_object_identity UNIQUE (object_id_class, object_id_identity),
CONSTRAINT fk_acl_object_identity_parent FOREIGN KEY (parent_object) REFERENCES acl_object_identity (id),
CONSTRAINT fk_acl_object_identity_class FOREIGN KEY (object_id_class) REFERENCES acl_class (id),
CONSTRAINT fk_acl_object_identity_owner FOREIGN KEY (owner_sid) REFERENCES acl_sid (id)
);
CREATE SEQUENCE acl_object_identity_sequence START WITH 1 INCREMENT BY 1 NOMAXVALUE;
CREATE OR REPLACE TRIGGER acl_object_identity_id_trigger
BEFORE INSERT ON acl_object_identity
FOR EACH ROW
BEGIN
SELECT acl_object_identity_sequence.nextval INTO :new.id FROM dual;
END;
CREATE TABLE acl_entry (
id NUMBER(38) NOT NULL PRIMARY KEY,
acl_object_identity NUMBER(38) NOT NULL,
ace_order INTEGER NOT NULL,
sid NUMBER(38) NOT NULL,
mask INTEGER NOT NULL,
granting NUMBER(1) NOT NULL CHECK (granting in (0, 1)),
audit_success NUMBER(1) NOT NULL CHECK (audit_success in (0, 1)),
audit_failure NUMBER(1) NOT NULL CHECK (audit_failure in (0, 1)),
CONSTRAINT unique_acl_entry UNIQUE (acl_object_identity, ace_order),
CONSTRAINT fk_acl_entry_object FOREIGN KEY (acl_object_identity) REFERENCES acl_object_identity (id),
CONSTRAINT fk_acl_entry_acl FOREIGN KEY (sid) REFERENCES acl_sid (id)
);
CREATE SEQUENCE acl_entry_sequence START WITH 1 INCREMENT BY 1 NOMAXVALUE;
CREATE OR REPLACE TRIGGER acl_entry_id_trigger
BEFORE INSERT ON acl_entry
FOR EACH ROW
BEGIN
SELECT acl_entry_sequence.nextval INTO :new.id FROM dual;
END;
----

261
docs/manual/src/docs/asciidoc/_includes/appendix/dependencies.adoc Normal file
View File

@ -0,0 +1,261 @@
[[appendix-dependencies]]
== Spring Security Dependencies
This appendix provides a reference of the modules in Spring Security and the additional dependencies that they require in order to function in a running application.
We don't include dependencies that are only used when building or testing Spring Security itself.
Nor do we include transitive dependencies which are required by external dependencies.
The version of Spring required is listed on the project website, so the specific versions are omitted for Spring dependencies below.
Note that some of the dependencies listed as "optional" below may still be required for other non-security functionality in a Spring application.
Also dependencies listed as "optional" may not actually be marked as such in the project's Maven POM files if they are used in most applications.
They are "optional" only in the sense that you don't need them unless you are using the specified functionality.
Where a module depends on another Spring Security module, the non-optional dependencies of the module it depends on are also assumed to be required and are not listed separately.
=== spring-security-core
The core module must be included in any project using Spring Security.
.Core Dependencies
|===
| Dependency | Version | Description
| ehcache
| 1.6.2
| Required if the Ehcache-based user cache implementation is used (optional).
| spring-aop
|
| Method security is based on Spring AOP
| spring-beans
|
| Required for Spring configuration
| spring-expression
|
| Required for expression-based method security (optional)
| spring-jdbc
|
| Required if using a database to store user data (optional).
| spring-tx
|
| Required if using a database to store user data (optional).
| aspectjrt
| 1.6.10
| Required if using AspectJ support (optional).
| jsr250-api
| 1.0
| Required if you are using JSR-250 method-security annotations (optional).
|===
=== spring-security-remoting
This module is typically required in web applications which use the Servlet API.
.Remoting Dependencies
|===
| Dependency | Version | Description
| spring-security-core
|
|
| spring-web
|
| Required for clients which use HTTP remoting support.
|===
=== spring-security-web
This module is typically required in web applications which use the Servlet API.
.Web Dependencies
|===
| Dependency | Version | Description
| spring-security-core
|
|
| spring-web
|
| Spring web support classes are used extensively.
| spring-jdbc
|
| Required for JDBC-based persistent remember-me token repository (optional).
| spring-tx
|
| Required by remember-me persistent token repository implementations (optional).
|===
=== spring-security-ldap
This module is only required if you are using LDAP authentication.
.LDAP Dependencies
|===
| Dependency | Version | Description
| spring-security-core
|
|
| spring-ldap-core
| 1.3.0
| LDAP support is based on Spring LDAP.
| spring-tx
|
| Data exception classes are required.
| apache-ds footnote:[The modules `apacheds-core`, `apacheds-core-entry`, `apacheds-protocol-shared`, `apacheds-protocol-ldap` and `apacheds-server-jndi` are required.
]
| 1.5.5
| Required if you are using an embedded LDAP server (optional).
| shared-ldap
| 0.9.15
| Required if you are using an embedded LDAP server (optional).
| ldapsdk
| 4.1
| Mozilla LdapSDK.
Used for decoding LDAP password policy controls if you are using password-policy functionality with OpenLDAP, for example.
|===
=== spring-security-config
This module is required if you are using Spring Security namespace configuration.
.Config Dependencies
|===
| Dependency | Version | Description
| spring-security-core
|
|
| spring-security-web
|
| Required if you are using any web-related namespace configuration (optional).
| spring-security-ldap
|
| Required if you are using the LDAP namespace options (optional).
| spring-security-openid
|
| Required if you are using OpenID authentication (optional).
| aspectjweaver
| 1.6.10
| Required if using the protect-pointcut namespace syntax (optional).
|===
=== spring-security-acl
The ACL module.
.ACL Dependencies
|===
| Dependency | Version | Description
| spring-security-core
|
|
| ehcache
| 1.6.2
| Required if the Ehcache-based ACL cache implementation is used (optional if you are using your own implementation).
| spring-jdbc
|
| Required if you are using the default JDBC-based AclService (optional if you implement your own).
| spring-tx
|
| Required if you are using the default JDBC-based AclService (optional if you implement your own).
|===
=== spring-security-cas
The CAS module provides integration with JA-SIG CAS.
.CAS Dependencies
|===
| Dependency | Version | Description
| spring-security-core
|
|
| spring-security-web
|
|
| cas-client-core
| 3.1.12
| The JA-SIG CAS Client.
This is the basis of the Spring Security integration.
| ehcache
| 1.6.2
| Required if you are using the Ehcache-based ticket cache (optional).
|===
=== spring-security-openid
The OpenID module.
.OpenID Dependencies
|===
| Dependency | Version | Description
| spring-security-core
|
|
| spring-security-web
|
|
| openid4java-nodeps
| 0.9.6
| Spring Security's OpenID integration uses OpenID4Java.
| httpclient
| 4.1.1
| openid4java-nodeps depends on HttpClient 4.
| guice
| 2.0
| openid4java-nodeps depends on Guice 2.
|===
=== spring-security-taglibs
Provides Spring Security's JSP tag implementations.
.Taglib Dependencies
|===
| Dependency | Version | Description
| spring-security-core
|
|
| spring-security-web
|
|
| spring-security-acl
|
| Required if you are using the `accesscontrollist` tag or `hasPermission()` expressions with ACLs (optional).
| spring-expression
|
| Required if you are using SPEL expressions in your tag access constraints.
|===

0
docs/manual/src/docs/asciidoc/_includes/faq.adoc → docs/manual/src/docs/asciidoc/_includes/appendix/faq.adoc
View File

12
docs/manual/src/docs/asciidoc/_includes/appendix/index.adoc Normal file
View File

@ -0,0 +1,12 @@
= Appendix
include::database-schema.adoc[]
include::namespace.adoc[]
include::dependencies.adoc[]
include::proxy-server.adoc[]
include::faq.adoc[]

621
docs/manual/src/docs/asciidoc/_includes/appendix.adoc → docs/manual/src/docs/asciidoc/_includes/appendix/namespace.adoc
View File

@ -1,359 +1,3 @@
= Appendix
[[appendix-schema]]
== Security Database Schema
There are various database schema used by the framework and this appendix provides a single reference point to them all.
You only need to provide the tables for the areas of functionality you require.
DDL statements are given for the HSQLDB database.
You can use these as a guideline for defining the schema for the database you are using.
=== User Schema
The standard JDBC implementation of the `UserDetailsService` (`JdbcDaoImpl`) requires tables to load the password, account status (enabled or disabled) and a list of authorities (roles) for the user.
You will need to adjust this schema to match the database dialect you are using.
[source]
----
create table users(
username varchar_ignorecase(50) not null primary key,
password varchar_ignorecase(50) not null,
enabled boolean not null
);
create table authorities (
username varchar_ignorecase(50) not null,
authority varchar_ignorecase(50) not null,
constraint fk_authorities_users foreign key(username) references users(username)
);
create unique index ix_auth_username on authorities (username,authority);
----
==== Group Authorities
Spring Security 2.0 introduced support for group authorities in `JdbcDaoImpl`.
The table structure if groups are enabled is as follows.
You will need to adjust this schema to match the database dialect you are using.
[source]
----
create table groups (
id bigint generated by default as identity(start with 0) primary key,
group_name varchar_ignorecase(50) not null
);
create table group_authorities (
group_id bigint not null,
authority varchar(50) not null,
constraint fk_group_authorities_group foreign key(group_id) references groups(id)
);
create table group_members (
id bigint generated by default as identity(start with 0) primary key,
username varchar(50) not null,
group_id bigint not null,
constraint fk_group_members_group foreign key(group_id) references groups(id)
);
----
Remember that these tables are only required if you are using the provided JDBC `UserDetailsService` implementation.
If you write your own or choose to implement `AuthenticationProvider` without a `UserDetailsService`, then you have complete freedom over how you store the data, as long as the interface contract is satisfied.
=== Persistent Login (Remember-Me) Schema
This table is used to store data used by the more secure <<remember-me-persistent-token,persistent token>> remember-me implementation.
If you are using `JdbcTokenRepositoryImpl` either directly or through the namespace, then you will need this table.
Remember to adjust this schema to match the database dialect you are using.
[source]
----
create table persistent_logins (
username varchar(64) not null,
series varchar(64) primary key,
token varchar(64) not null,
last_used timestamp not null
);
----
[[dbschema-acl]]
=== ACL Schema
There are four tables used by the Spring Security <<domain-acls,ACL>> implementation.
. `acl_sid` stores the security identities recognised by the ACL system.
These can be unique principals or authorities which may apply to multiple principals.
. `acl_class` defines the domain object types to which ACLs apply.
The `class` column stores the Java class name of the object.
. `acl_object_identity` stores the object identity definitions of specific domai objects.
. `acl_entry` stores the ACL permissions which apply to a specific object identity and security identity.
It is assumed that the database will auto-generate the primary keys for each of the identities.
The `JdbcMutableAclService` has to be able to retrieve these when it has created a new row in the `acl_sid` or `acl_class` tables.
It has two properties which define the SQL needed to retrieve these values `classIdentityQuery` and `sidIdentityQuery`.
Both of these default to `call identity()`
The ACL artifact JAR contains files for creating the ACL schema in HyperSQL (HSQLDB), PostgreSQL, MySQL/MariaDB, Microsoft SQL Server, and Oracle Database.
These schemas are also demonstrated in the following sections.
==== HyperSQL
The default schema works with the embedded HSQLDB database that is used in unit tests within the framework.
[source,ddl]
----
create table acl_sid(
id bigint generated by default as identity(start with 100) not null primary key,
principal boolean not null,
sid varchar_ignorecase(100) not null,
constraint unique_uk_1 unique(sid,principal)
);
create table acl_class(
id bigint generated by default as identity(start with 100) not null primary key,
class varchar_ignorecase(100) not null,
constraint unique_uk_2 unique(class)
);
create table acl_object_identity(
id bigint generated by default as identity(start with 100) not null primary key,
object_id_class bigint not null,
object_id_identity varchar_ignorecase(36) not null,
parent_object bigint,
owner_sid bigint,
entries_inheriting boolean not null,
constraint unique_uk_3 unique(object_id_class,object_id_identity),
constraint foreign_fk_1 foreign key(parent_object)references acl_object_identity(id),
constraint foreign_fk_2 foreign key(object_id_class)references acl_class(id),
constraint foreign_fk_3 foreign key(owner_sid)references acl_sid(id)
);
create table acl_entry(
id bigint generated by default as identity(start with 100) not null primary key,
acl_object_identity bigint not null,
ace_order int not null,
sid bigint not null,
mask integer not null,
granting boolean not null,
audit_success boolean not null,
audit_failure boolean not null,
constraint unique_uk_4 unique(acl_object_identity,ace_order),
constraint foreign_fk_4 foreign key(acl_object_identity) references acl_object_identity(id),
constraint foreign_fk_5 foreign key(sid) references acl_sid(id)
);
----
==== PostgreSQL
[source,ddl]
----
create table acl_sid(
id bigserial not null primary key,
principal boolean not null,
sid varchar(100) not null,
constraint unique_uk_1 unique(sid,principal)
);
create table acl_class(
id bigserial not null primary key,
class varchar(100) not null,
constraint unique_uk_2 unique(class)
);
create table acl_object_identity(
id bigserial primary key,
object_id_class bigint not null,
object_id_identity varchar(36) not null,
parent_object bigint,
owner_sid bigint,
entries_inheriting boolean not null,
constraint unique_uk_3 unique(object_id_class,object_id_identity),
constraint foreign_fk_1 foreign key(parent_object)references acl_object_identity(id),
constraint foreign_fk_2 foreign key(object_id_class)references acl_class(id),
constraint foreign_fk_3 foreign key(owner_sid)references acl_sid(id)
);
create table acl_entry(
id bigserial primary key,
acl_object_identity bigint not null,
ace_order int not null,
sid bigint not null,
mask integer not null,
granting boolean not null,
audit_success boolean not null,
audit_failure boolean not null,
constraint unique_uk_4 unique(acl_object_identity,ace_order),
constraint foreign_fk_4 foreign key(acl_object_identity) references acl_object_identity(id),
constraint foreign_fk_5 foreign key(sid) references acl_sid(id)
);
----
You will have to set the `classIdentityQuery` and `sidIdentityQuery` properties of `JdbcMutableAclService` to the following values, respectively:
* `select currval(pg_get_serial_sequence('acl_class', 'id'))`
* `select currval(pg_get_serial_sequence('acl_sid', 'id'))`
==== MySQL and MariaDB
[source,ddl]
----
CREATE TABLE acl_sid (
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
principal BOOLEAN NOT NULL,
sid VARCHAR(100) NOT NULL,
UNIQUE KEY unique_acl_sid (sid, principal)
) ENGINE=InnoDB;
CREATE TABLE acl_class (
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
class VARCHAR(100) NOT NULL,
UNIQUE KEY uk_acl_class (class)
) ENGINE=InnoDB;
CREATE TABLE acl_object_identity (
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
object_id_class BIGINT UNSIGNED NOT NULL,
object_id_identity VARCHAR(36) NOT NULL,
parent_object BIGINT UNSIGNED,
owner_sid BIGINT UNSIGNED,
entries_inheriting BOOLEAN NOT NULL,
UNIQUE KEY uk_acl_object_identity (object_id_class, object_id_identity),
CONSTRAINT fk_acl_object_identity_parent FOREIGN KEY (parent_object) REFERENCES acl_object_identity (id),
CONSTRAINT fk_acl_object_identity_class FOREIGN KEY (object_id_class) REFERENCES acl_class (id),
CONSTRAINT fk_acl_object_identity_owner FOREIGN KEY (owner_sid) REFERENCES acl_sid (id)
) ENGINE=InnoDB;
CREATE TABLE acl_entry (
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
acl_object_identity BIGINT UNSIGNED NOT NULL,
ace_order INTEGER NOT NULL,
sid BIGINT UNSIGNED NOT NULL,
mask INTEGER UNSIGNED NOT NULL,
granting BOOLEAN NOT NULL,
audit_success BOOLEAN NOT NULL,
audit_failure BOOLEAN NOT NULL,
UNIQUE KEY unique_acl_entry (acl_object_identity, ace_order),
CONSTRAINT fk_acl_entry_object FOREIGN KEY (acl_object_identity) REFERENCES acl_object_identity (id),
CONSTRAINT fk_acl_entry_acl FOREIGN KEY (sid) REFERENCES acl_sid (id)
) ENGINE=InnoDB;
----
==== Microsoft SQL Server
[source,ddl]
----
CREATE TABLE acl_sid (
id BIGINT NOT NULL IDENTITY PRIMARY KEY,
principal BIT NOT NULL,
sid VARCHAR(100) NOT NULL,
CONSTRAINT unique_acl_sid UNIQUE (sid, principal)
);
CREATE TABLE acl_class (
id BIGINT NOT NULL IDENTITY PRIMARY KEY,
class VARCHAR(100) NOT NULL,
CONSTRAINT uk_acl_class UNIQUE (class)
);
CREATE TABLE acl_object_identity (
id BIGINT NOT NULL IDENTITY PRIMARY KEY,
object_id_class BIGINT NOT NULL,
object_id_identity VARCHAR(36) NOT NULL,
parent_object BIGINT,
owner_sid BIGINT,
entries_inheriting BIT NOT NULL,
CONSTRAINT uk_acl_object_identity UNIQUE (object_id_class, object_id_identity),
CONSTRAINT fk_acl_object_identity_parent FOREIGN KEY (parent_object) REFERENCES acl_object_identity (id),
CONSTRAINT fk_acl_object_identity_class FOREIGN KEY (object_id_class) REFERENCES acl_class (id),
CONSTRAINT fk_acl_object_identity_owner FOREIGN KEY (owner_sid) REFERENCES acl_sid (id)
);
CREATE TABLE acl_entry (
id BIGINT NOT NULL IDENTITY PRIMARY KEY,
acl_object_identity BIGINT NOT NULL,
ace_order INTEGER NOT NULL,
sid BIGINT NOT NULL,
mask INTEGER NOT NULL,
granting BIT NOT NULL,
audit_success BIT NOT NULL,
audit_failure BIT NOT NULL,
CONSTRAINT unique_acl_entry UNIQUE (acl_object_identity, ace_order),
CONSTRAINT fk_acl_entry_object FOREIGN KEY (acl_object_identity) REFERENCES acl_object_identity (id),
CONSTRAINT fk_acl_entry_acl FOREIGN KEY (sid) REFERENCES acl_sid (id)
);
----
==== Oracle Database
[source,ddl]
----
CREATE TABLE acl_sid (
id NUMBER(38) NOT NULL PRIMARY KEY,
principal NUMBER(1) NOT NULL CHECK (principal in (0, 1)),
sid NVARCHAR2(100) NOT NULL,
CONSTRAINT unique_acl_sid UNIQUE (sid, principal)
);
CREATE SEQUENCE acl_sid_sequence START WITH 1 INCREMENT BY 1 NOMAXVALUE;
CREATE OR REPLACE TRIGGER acl_sid_id_trigger
BEFORE INSERT ON acl_sid
FOR EACH ROW
BEGIN
SELECT acl_sid_sequence.nextval INTO :new.id FROM dual;
END;
CREATE TABLE acl_class (
id NUMBER(38) NOT NULL PRIMARY KEY,
class NVARCHAR2(100) NOT NULL,
CONSTRAINT uk_acl_class UNIQUE (class)
);
CREATE SEQUENCE acl_class_sequence START WITH 1 INCREMENT BY 1 NOMAXVALUE;
CREATE OR REPLACE TRIGGER acl_class_id_trigger
BEFORE INSERT ON acl_class
FOR EACH ROW
BEGIN
SELECT acl_class_sequence.nextval INTO :new.id FROM dual;
END;
CREATE TABLE acl_object_identity (
id NUMBER(38) NOT NULL PRIMARY KEY,
object_id_class NUMBER(38) NOT NULL,
object_id_identity NVARCHAR2(36) NOT NULL,
parent_object NUMBER(38),
owner_sid NUMBER(38),
entries_inheriting NUMBER(1) NOT NULL CHECK (entries_inheriting in (0, 1)),
CONSTRAINT uk_acl_object_identity UNIQUE (object_id_class, object_id_identity),
CONSTRAINT fk_acl_object_identity_parent FOREIGN KEY (parent_object) REFERENCES acl_object_identity (id),
CONSTRAINT fk_acl_object_identity_class FOREIGN KEY (object_id_class) REFERENCES acl_class (id),
CONSTRAINT fk_acl_object_identity_owner FOREIGN KEY (owner_sid) REFERENCES acl_sid (id)
);
CREATE SEQUENCE acl_object_identity_sequence START WITH 1 INCREMENT BY 1 NOMAXVALUE;
CREATE OR REPLACE TRIGGER acl_object_identity_id_trigger
BEFORE INSERT ON acl_object_identity
FOR EACH ROW
BEGIN
SELECT acl_object_identity_sequence.nextval INTO :new.id FROM dual;
END;
CREATE TABLE acl_entry (
id NUMBER(38) NOT NULL PRIMARY KEY,
acl_object_identity NUMBER(38) NOT NULL,
ace_order INTEGER NOT NULL,
sid NUMBER(38) NOT NULL,
mask INTEGER NOT NULL,
granting NUMBER(1) NOT NULL CHECK (granting in (0, 1)),
audit_success NUMBER(1) NOT NULL CHECK (audit_success in (0, 1)),
audit_failure NUMBER(1) NOT NULL CHECK (audit_failure in (0, 1)),
CONSTRAINT unique_acl_entry UNIQUE (acl_object_identity, ace_order),
CONSTRAINT fk_acl_entry_object FOREIGN KEY (acl_object_identity) REFERENCES acl_object_identity (id),
CONSTRAINT fk_acl_entry_acl FOREIGN KEY (sid) REFERENCES acl_sid (id)
);
CREATE SEQUENCE acl_entry_sequence START WITH 1 INCREMENT BY 1 NOMAXVALUE;
CREATE OR REPLACE TRIGGER acl_entry_id_trigger
BEFORE INSERT ON acl_entry
FOR EACH ROW
BEGIN
SELECT acl_entry_sequence.nextval INTO :new.id FROM dual;
END;
----
[[appendix-namespace]] [[appendix-namespace]]
== The Security Namespace == The Security Namespace
This appendix provides a reference to the elements available in the security namespace and information on the underlying beans they create (a knowledge of the individual classes and how they work together is assumed - you can find more information in the project Javadoc and elsewhere in this document). This appendix provides a reference to the elements available in the security namespace and information on the underlying beans they create (a knowledge of the individual classes and how they work together is assumed - you can find more information in the project Javadoc and elsewhere in this document).
@ -2965,268 +2609,3 @@ Only used with a 'user-search-filter'.
The LDAP filter used to search for users (optional). The LDAP filter used to search for users (optional).
For example "(uid={0})". For example "(uid={0})".
The substituted parameter is the user's login name. The substituted parameter is the user's login name.
[[appendix-dependencies]]
== Spring Security Dependencies
This appendix provides a reference of the modules in Spring Security and the additional dependencies that they require in order to function in a running application.
We don't include dependencies that are only used when building or testing Spring Security itself.
Nor do we include transitive dependencies which are required by external dependencies.
The version of Spring required is listed on the project website, so the specific versions are omitted for Spring dependencies below.
Note that some of the dependencies listed as "optional" below may still be required for other non-security functionality in a Spring application.
Also dependencies listed as "optional" may not actually be marked as such in the project's Maven POM files if they are used in most applications.
They are "optional" only in the sense that you don't need them unless you are using the specified functionality.
Where a module depends on another Spring Security module, the non-optional dependencies of the module it depends on are also assumed to be required and are not listed separately.
=== spring-security-core
The core module must be included in any project using Spring Security.
.Core Dependencies
|===
| Dependency | Version | Description
| ehcache
| 1.6.2
| Required if the Ehcache-based user cache implementation is used (optional).
| spring-aop
|
| Method security is based on Spring AOP
| spring-beans
|
| Required for Spring configuration
| spring-expression
|
| Required for expression-based method security (optional)
| spring-jdbc
|
| Required if using a database to store user data (optional).
| spring-tx
|
| Required if using a database to store user data (optional).
| aspectjrt
| 1.6.10
| Required if using AspectJ support (optional).
| jsr250-api
| 1.0
| Required if you are using JSR-250 method-security annotations (optional).
|===
=== spring-security-remoting
This module is typically required in web applications which use the Servlet API.
.Remoting Dependencies
|===
| Dependency | Version | Description
| spring-security-core
|
|
| spring-web
|
| Required for clients which use HTTP remoting support.
|===
=== spring-security-web
This module is typically required in web applications which use the Servlet API.
.Web Dependencies
|===
| Dependency | Version | Description
| spring-security-core
|
|
| spring-web
|
| Spring web support classes are used extensively.
| spring-jdbc
|
| Required for JDBC-based persistent remember-me token repository (optional).
| spring-tx
|
| Required by remember-me persistent token repository implementations (optional).
|===
=== spring-security-ldap
This module is only required if you are using LDAP authentication.
.LDAP Dependencies
|===
| Dependency | Version | Description
| spring-security-core
|
|
| spring-ldap-core
| 1.3.0
| LDAP support is based on Spring LDAP.
| spring-tx
|
| Data exception classes are required.
| apache-ds footnote:[The modules `apacheds-core`, `apacheds-core-entry`, `apacheds-protocol-shared`, `apacheds-protocol-ldap` and `apacheds-server-jndi` are required.
]
| 1.5.5
| Required if you are using an embedded LDAP server (optional).
| shared-ldap
| 0.9.15
| Required if you are using an embedded LDAP server (optional).
| ldapsdk
| 4.1
| Mozilla LdapSDK.
Used for decoding LDAP password policy controls if you are using password-policy functionality with OpenLDAP, for example.
|===
=== spring-security-config
This module is required if you are using Spring Security namespace configuration.
.Config Dependencies
|===
| Dependency | Version | Description
| spring-security-core
|
|
| spring-security-web
|
| Required if you are using any web-related namespace configuration (optional).
| spring-security-ldap
|
| Required if you are using the LDAP namespace options (optional).
| spring-security-openid
|
| Required if you are using OpenID authentication (optional).
| aspectjweaver
| 1.6.10
| Required if using the protect-pointcut namespace syntax (optional).
|===
=== spring-security-acl
The ACL module.
.ACL Dependencies
|===
| Dependency | Version | Description
| spring-security-core
|
|
| ehcache
| 1.6.2
| Required if the Ehcache-based ACL cache implementation is used (optional if you are using your own implementation).
| spring-jdbc
|
| Required if you are using the default JDBC-based AclService (optional if you implement your own).
| spring-tx
|
| Required if you are using the default JDBC-based AclService (optional if you implement your own).
|===
=== spring-security-cas
The CAS module provides integration with JA-SIG CAS.
.CAS Dependencies
|===
| Dependency | Version | Description
| spring-security-core
|
|
| spring-security-web
|
|
| cas-client-core
| 3.1.12
| The JA-SIG CAS Client.
This is the basis of the Spring Security integration.
| ehcache
| 1.6.2
| Required if you are using the Ehcache-based ticket cache (optional).
|===
=== spring-security-openid
The OpenID module.
.OpenID Dependencies
|===
| Dependency | Version | Description
| spring-security-core
|
|
| spring-security-web
|
|
| openid4java-nodeps
| 0.9.6
| Spring Security's OpenID integration uses OpenID4Java.
| httpclient
| 4.1.1
| openid4java-nodeps depends on HttpClient 4.
| guice
| 2.0
| openid4java-nodeps depends on Guice 2.
|===
=== spring-security-taglibs
Provides Spring Security's JSP tag implementations.
.Taglib Dependencies
|===
| Dependency | Version | Description
| spring-security-core
|
|
| spring-security-web
|
|
| spring-security-acl
|
| Required if you are using the `accesscontrollist` tag or `hasPermission()` expressions with ACLs (optional).
| spring-expression
|
| Required if you are using SPEL expressions in your tag access constraints.
|===
include::proxy-server.adoc[]
include::faq.adoc[]

0
docs/manual/src/docs/asciidoc/_includes/proxy-server.adoc → docs/manual/src/docs/asciidoc/_includes/appendix/proxy-server.adoc
View File

2
docs/manual/src/docs/asciidoc/index.adoc
View File

@ -20,6 +20,6 @@ include::{include-dir}/additional-topics/index.adoc[]
include::{include-dir}/data/index.adoc[] include::{include-dir}/data/index.adoc[]
include::{include-dir}/appendix.adoc[] include::{include-dir}/appendix/index.adoc[]