SEC-639: Updated to filter-chain-map syntax. Also removed use of property editor configuration for FilterSecurityInterceptor examples

src/docbkx/anon-auth-provider.xml

@@ -67,23 +67,21 @@
         example:</para>
     
     <para><programlisting>
-        &lt;bean id="filterInvocationInterceptor"
+<![CDATA[        
-        class="org.springframework.security.intercept.web.FilterSecurityInterceptor"&gt;
+<bean id="filterInvocationInterceptor"
-        &lt;property name="authenticationManager"&gt;&lt;ref bean="authenticationManager"/&gt;&lt;/property&gt;
+    class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
-        &lt;property name="accessDecisionManager"&gt;&lt;ref local="httpRequestAccessDecisionManager"/&gt;&lt;/property&gt;
+  <property name="authenticationManager" ref="authenticationManager"/>
-        &lt;property name="objectDefinitionSource"&gt;
+  <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
-        &lt;value&gt;
+  <property name="objectDefinitionSource">
-        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
+    <security:filter-invocation-definition-source>
-        PATTERN_TYPE_APACHE_ANT
+      <security:intercept-url pattern='/index.jsp' access='ROLE_ANONYMOUS,ROLE_USER'/>
-        /index.jsp=ROLE_ANONYMOUS,ROLE_USER
+      <security:intercept-url pattern='/hello.htm' access='ROLE_ANONYMOUS,ROLE_USER'/>
-        /hello.htm=ROLE_ANONYMOUS,ROLE_USER
+      <security:intercept-url pattern='/logoff.jsp' access='ROLE_ANONYMOUS,ROLE_USER'/>
-        /logoff.jsp=ROLE_ANONYMOUS,ROLE_USER
+      <security:intercept-url pattern='/login.jsp' access='ROLE_ANONYMOUS,ROLE_USER'/>
-        /acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_USER
+      <security:intercept-url pattern='/**' access='ROLE_USER'/>
-        /**=ROLE_USER
+    </security:filter-invocation-definition-source>" +
-        &lt;/value&gt;
+  </property>
-        &lt;/property&gt;
+</bean>]]>
-        &lt;/bean&gt;
-        
     </programlisting>Rounding out the anonymous authentication discussion
         is the <literal>AuthenticationTrustResolver</literal> interface, with
         its corresponding <literal>AuthenticationTrustResolverImpl</literal>

src/docbkx/common-auth-services.xml

@@ -1,7 +1,8 @@
-<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="authentication-common-auth-services"><info><title>Common Authentication Services</title></info>
+<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="authentication-common-auth-services">
-  
+  <info><title>Common Authentication Services</title></info>
 
-  <section xml:id="mechanisms-providers-entry-points"><info><title>Mechanisms, Providers and Entry Points</title></info>
+  <section xml:id="mechanisms-providers-entry-points">
+    <info><title>Mechanisms, Providers and Entry Points</title></info>
     
 
     <para>If you're using Spring Security-provided authentication
@@ -18,17 +19,16 @@
     Spring Security application will have such an entry, and it looks like
     this:</para>
 
-    <para><programlisting>
+    <para><programlisting><![CDATA[
- 
+    <filter>
-    &lt;filter&gt;
+        <filter-name>filterChainProxy</filter-name>
-        &lt;filter-name&gt;filterChainProxy&lt;/filter-name&gt;
+        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
-        &lt;filter-class&gt;org.springframework.web.filter.DelegatingFilterProxy&lt;/filter-class&gt;
+    </filter>
-    &lt;/filter&gt;
 
-    &lt;filter-mapping&gt;
+    <filter-mapping>
-      &lt;filter-name&gt;filterChainProxy&lt;/filter-name&gt;
+      <filter-name>filterChainProxy</filter-name>
-      &lt;url-pattern&gt;/*&lt;/url-pattern&gt;
+      <url-pattern>/*</url-pattern>
-    &lt;/filter-mapping&gt;
+    </filter-mapping>]]>
 </programlisting></para>
 
     <para>The above declarations will cause every web request to be passed
@@ -38,30 +38,27 @@
      As explained in the filters section of this reference guide, the
     <classname>FilterChainProxy</classname> is a generally-useful class
     that enables web requests to be passed to different filters based on
-    the URL patterns. Those delegated filters are managed inside the
+    URL patterns. Those delegated filters are managed inside the
     application context, so they can benefit from dependency injection.
     Let's have a look at what the FilterChainProxy bean definition would
     look like inside your application context:</para>
 
-    <para><programlisting>&lt;bean id="filterChainProxy"
+    <para><programlisting><![CDATA[
-        class="org.springframework.security.util.FilterChainProxy"&gt;
+<bean id="filterChainProxy"
-&lt;property name="filterInvocationDefinitionSource"&gt;
+        class="org.springframework.security.util.FilterChainProxy">
-&lt;value&gt;
+  <security:filter-chain-map path-type="ant">
-  CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
+    <security:filter-chain pattern="/**" filters="httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,basicProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor,switchUserProcessingFilter"/>
-  PATTERN_TYPE_APACHE_ANT
+  </security:filter-chain-map>
-  /**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,basicProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor,switchUserProcessingFilter
+</bean>]]></programlisting></para>
-&lt;/value&gt;
-&lt;/property&gt;
-&lt;/bean&gt;</programlisting></para>
 
-    <para>Internally Spring Security will use a
+    <para>The <literal>filter-chain-map</literal> syntax from the security namespace
-    <literal>PropertyEditor</literal> to convert the string presented in
+      allows you to define the mapping from URLs to filter chains, using a sequence of
-    the above XML fragment into a
+      <literal>filter-chain</literal> child elements. Each of these defines a set of URLs using
-    <literal>FilterInvocationDefinitionSource</literal> object. What's
+      the <literal>pattern</literal> attribute and a chain of filters using the <literal>filters</literal>
-    important to note at this stage is that a series of filters will be
+      attribute.What's important to note at this stage is that a series of filters will be
     run - in the order specified by the declaration - and each of those
-    filters are actually the <literal>&lt;bean id&gt;</literal> of another
+    filters are actually the <literal>id</literal> of another
-    bean inside the application context. So, in our case some extra beans
+    bean in the application context. So, in our case some extra beans
     will also appear in the application context, and they'll be named
     <literal>httpSessionContextIntegrationFilter</literal>,
     <literal>logoutFilter</literal> and so on. The order that the filters

src/docbkx/secured-objects.xml

@@ -347,29 +347,29 @@ if (this.securityInterceptor == null)
     beans:</para>
 
     <programlisting> 
-&lt;bean id="exceptionTranslationFilter"
+<![CDATA[
-        class="org.springframework.security.ui.ExceptionTranslationFilter"&gt;
+<bean id="exceptionTranslationFilter"
-    &lt;property name="authenticationEntryPoint"&gt;&lt;ref local="authenticationEntryPoint"/&gt;&lt;/property&gt;
+        class="org.springframework.security.ui.ExceptionTranslationFilter">
-&lt;/bean&gt;
+  <property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
+</bean>
 
-&lt;bean id="authenticationEntryPoint"
+<bean id="authenticationEntryPoint"
-        class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint"&gt;
+        class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
-    &lt;property name="loginFormUrl"&gt;&lt;value&gt;/acegilogin.jsp&lt;/value&gt;&lt;/property&gt;
+  <property name="loginFormUrl" value="/acegilogin.jsp"/>
-    &lt;property name="forceHttps"&gt;&lt;value&gt;false&lt;/value&gt;&lt;/property&gt;
+  <property name="forceHttps" value="false"/>
-&lt;/bean&gt;
+</bean>
 
-&lt;bean id="filterSecurityInterceptor"
+<bean id="filterSecurityInterceptor"
-        class="org.springframework.security.intercept.web.FilterSecurityInterceptor"&gt;
+        class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
-    &lt;property name="authenticationManager"&gt;&lt;ref bean="authenticationManager"/&gt;&lt;/property&gt;
+  <property name="authenticationManager" ref="authenticationManager"/>
-    &lt;property name="accessDecisionManager"&gt;&lt;ref bean="accessDecisionManager"/&gt;&lt;/property&gt;
+  <property name="accessDecisionManager" ref="accessDecisionManager"/>
-    &lt;property name="objectDefinitionSource"&gt;
+  <property name="objectDefinitionSource">
-    &lt;property name="filterInvocationDefinitionSource"&gt;
+    <security:filter-invocation-definition-source>
-        &lt;security:filter-invocation-definition-source path-type="regex"&gt;
+      <security:intercept-url pattern="/secure/super/**" access="ROLE_WE_DONT_HAVE"/>
-            &lt;security:intercept-url pattern="\A/secure/super/.*\Z" access="ROLE_WE_DONT_HAVE"/&gt;
+      <security:intercept-url pattern="/secure/**" access="ROLE_SUPERVISOR,ROLE_TELLER"/>    
-            &lt;security:intercept-url pattern="\A/secure/.*\" access="ROLE_SUPERVISOR,ROLE_TELLER"/&gt;
+    </security:filter-invocation-definition-source>                
-        &lt;/security:filter-invocation-definition-source&gt;                
+  </property>
-    &lt;/property&gt;
+</bean>]]>         </programlisting>
-&lt;/bean&gt;         </programlisting>
 
     <para>The <classname>ExceptionTranslationFilter</classname> provides
     the bridge between Java exceptions and HTTP responses. It is solely
@@ -407,9 +407,12 @@ if (this.securityInterceptor == null)
     Level Design section of this document.</para>
 
     <para>The <literal>FilterSecurityInterceptor</literal> can be
-    configured with configuration attributes in two ways. The first is via
+    configured with configuration attributes in two ways. The first, 
-    a property editor and the application context, which is shown above.
+    which is shown above, is using the <literal>&lt;filter-invocation-definition-source&gt;</literal>
-    The second is via writing your own
+    namespace element. This is similar to the <literal>&lt;filter-chain-map&gt;</literal>
+    used to configure a <literal>FilterChainProxy</literal> but the <literal>&lt;intercept-url&gt;</literal>
+    child elements only use the <literal>pattern</literal> and <literal>access</literal> attributes.
+    The second is by writing your own
     <literal>ObjectDefinitionSource</literal>, although this is beyond the
     scope of this document. Irrespective of the approach used, the
     <literal>ObjectDefinitionSource</literal> is responsible for returning
@@ -430,8 +433,8 @@ if (this.securityInterceptor == null)
     little relevance to most users of the
     <literal>FilterSecurityInterceptor</literal>.</para>
 
-    <para>If using the application context property editor approach (as
+    <para>When using the namespace option to configure the interceptor, 
-    shown above), commas are used to delimit the different configuration
+        commas are used to delimit the different configuration
     attributes that apply to each HTTP URL. Each configuration attribute
     is assigned into its own <literal>SecurityConfig</literal> object. The
     <literal>SecurityConfig</literal> object is discussed in the High
@@ -441,27 +444,26 @@ if (this.securityInterceptor == null)
     configuration attributes against <literal>FilterInvocations</literal>
     based on expression evaluation of the request URL. Two standard
     expression syntaxes are supported. The default is to treat all
-    expressions as regular expressions. Alternatively, the presence of a
+    expressions as Apache Ant paths and regular expressions are also supported
-    <literal>PATTERN_TYPE_APACHE_ANT</literal> directive will cause all
+    for ore complex cases. The <literal>path-type</literal> attribute is used
-    expressions to be treated as Apache Ant paths. It is not possible to
+    to specify the type of pattern being used. It is not possible to
     mix expression syntaxes within the same definition. For example, the
-    earlier configuration could be generated using Apache Ant paths as
+    previous configuration using regular expressions instead of Ant paths would be
-    follows:</para>
+    written as follows:</para>
 
-    <programlisting>&lt;bean id="filterInvocationInterceptor"
+    <programlisting><![CDATA[
-        class="org.springframework.security.intercept.web.FilterSecurityInterceptor"&gt;
+<bean id="filterInvocationInterceptor"
-&lt;property name="authenticationManager"&gt;&lt;ref bean="authenticationManager"/&gt;&lt;/property&gt;
+        class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
-&lt;property name="accessDecisionManager"&gt;&lt;ref bean="accessDecisionManager"/&gt;&lt;/property&gt;
+  <property name="authenticationManager" ref="authenticationManager"/>
-&lt;property name="runAsManager"&gt;&lt;ref bean="runAsManager"/&gt;&lt;/property&gt;
+  <property name="accessDecisionManager" ref="accessDecisionManager"/>
-&lt;property name="objectDefinitionSource"&gt;
+  <property name="runAsManager" ref="runAsManager"/>
-&lt;value&gt;
+  <property name="objectDefinitionSource">
-  CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
+    <security:filter-invocation-definition-source path-type="regex">
-  PATTERN_TYPE_APACHE_ANT
+      <security:intercept-url pattern="\A/secure/super/.*\Z" access="ROLE_WE_DONT_HAVE"/>
-  /secure/super/**=ROLE_WE_DONT_HAVE
+      <security:intercept-url pattern="\A/secure/.*\" access="ROLE_SUPERVISOR,ROLE_TELLER"/>
-  /secure/**=ROLE_SUPERVISOR,ROLE_TELLER
+    </security:filter-invocation-definition-source>  
-&lt;/value&gt;
+  </property>
-&lt;/property&gt;
+</bean>]]>        </programlisting>
-&lt;/bean&gt;        </programlisting>
 
     <para>Irrespective of the type of expression syntax used, expressions
     are always evaluated in the order they are defined. Thus it is
@@ -474,15 +476,6 @@ if (this.securityInterceptor == null)
     <literal>/secure/super/</literal> pattern would never be
     evaluated.</para>
 
-    <para>The special keyword
-    <literal>CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON</literal> causes
-    the <literal>FilterInvocationDefinitionSource</literal> to
-    automatically convert a request URL to lowercase before comparison
-    against the expressions. Whilst by default the case of the request URL
-    is not converted, it is generally recommended to use
-    <literal>CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON</literal> and
-    write each expression assuming lowercase.</para>
-
     <para>As with other security interceptors, the
     <literal>validateConfigAttributes</literal> property is observed. When
     set to <literal>true</literal> (the default), at startup time the

src/docbkx/siteminder-auth-provider.xml

@@ -58,7 +58,7 @@
         username parameter as well - just don't do this in production!</para>
     
     <para>Note that you'll need a
-        <literal><literal>SiteminderAuthenticationProvider</literal></literal>
+        <literal>SiteminderAuthenticationProvider</literal>
         configured against your <literal>ProviderManager</literal> in order to
         use the Siteminder authentication mechanism. Normally an
         <literal>AuthenticationProvider</literal> expects the password

src/docbkx/supporting-infrastructure.xml

@@ -145,13 +145,15 @@
     The filter chain is then declared in the application context, using
     code such as this:</para>
 
-    <para><programlisting> 
+    <para><programlisting><![CDATA[
-&lt;bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy"&gt;
+<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
-    &lt;sec:filter-chain-map path-type="ant"&gt;
+    <sec:filter-chain-map path-type="ant">
-        &lt;sec:filter-chain pattern="/webServices/**" filters="httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/&gt;
+        <sec:filter-chain pattern="/webServices/**" filters="httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
-        &lt;sec:filter-chain pattern="/**" filters="httpSessionContextIntegrationFilterWithASCTrue,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/&gt;
+        <sec:filter-chain pattern="/**" filters="httpSessionContextIntegrationFilterWithASCTrue,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
-    &lt;/sec:filter-chain-map&gt;
+    </sec:filter-chain-map>
-&lt;/bean&gt;         </programlisting></para>
+</bean>
+]]>         
+    </programlisting></para>
 
     <para>You may notice similarities with the way
     <literal>FilterSecurityInterceptor</literal> is declared. Both regular