parent
48c8532a21
commit
76ebbb84f7
|
@ -16,9 +16,10 @@
|
|||
|
||||
package org.springframework.security.config.doc;
|
||||
|
||||
import java.io.File;
|
||||
import java.io.IOException;
|
||||
import java.nio.file.Files;
|
||||
import java.nio.file.Paths;
|
||||
import java.nio.file.Path;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collection;
|
||||
|
@ -60,7 +61,7 @@ public class XsdDocumentedTests {
|
|||
"nsa-frame-options-from-parameter");
|
||||
// @formatter:on
|
||||
|
||||
String referenceLocation = "../docs/modules/ROOT/pages/servlet/appendix/namespace.adoc";
|
||||
String referenceLocation = "../docs/modules/ROOT/pages/servlet/appendix/namespace";
|
||||
|
||||
String schema31xDocumentLocation = "org/springframework/security/config/spring-security-3.1.xsd";
|
||||
|
||||
|
@ -163,7 +164,7 @@ public class XsdDocumentedTests {
|
|||
public void countReferencesWhenReviewingDocumentationThenEntireSchemaIsIncluded() throws IOException {
|
||||
Map<String, Element> elementsByElementName = this.xml.elementsByElementName(this.schemaDocumentLocation);
|
||||
// @formatter:off
|
||||
List<String> documentIds = Files.lines(Paths.get(this.referenceLocation))
|
||||
List<String> documentIds = namespaceLines()
|
||||
.filter((line) -> line.matches("\\[\\[(nsa-.*)\\]\\]"))
|
||||
.map((line) -> line.substring(2, line.length() - 2))
|
||||
.collect(Collectors.toList());
|
||||
|
@ -189,7 +190,7 @@ public class XsdDocumentedTests {
|
|||
Map<String, List<String>> docAttrNameToParents = new TreeMap<>();
|
||||
String docAttrName = null;
|
||||
Map<String, List<String>> currentDocAttrNameToElmt = null;
|
||||
List<String> lines = Files.readAllLines(Paths.get(this.referenceLocation));
|
||||
List<String> lines = namespaceLines().collect(Collectors.toList());
|
||||
for (String line : lines) {
|
||||
if (line.matches("^\\[\\[.*\\]\\]$")) {
|
||||
String id = line.substring(2, line.length() - 2);
|
||||
|
@ -212,6 +213,13 @@ public class XsdDocumentedTests {
|
|||
String elmtId = line.replaceAll(expression, "$1");
|
||||
currentDocAttrNameToElmt.computeIfAbsent(docAttrName, (key) -> new ArrayList<>()).add(elmtId);
|
||||
}
|
||||
else {
|
||||
expression = ".*xref:.*#(nsa-.*)\\[.*\\]";
|
||||
if (line.matches(expression)) {
|
||||
String elmtId = line.replaceAll(expression, "$1");
|
||||
currentDocAttrNameToElmt.computeIfAbsent(docAttrName, (key) -> new ArrayList<>()).add(elmtId);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
Map<String, Element> elementNameToElement = this.xml.elementsByElementName(this.schemaDocumentLocation);
|
||||
|
@ -295,4 +303,17 @@ public class XsdDocumentedTests {
|
|||
assertThat(notDocAttrIds).isEmpty();
|
||||
}
|
||||
|
||||
private Stream<String> namespaceLines() {
|
||||
return Stream.of(new File(this.referenceLocation).listFiles()).map(File::toPath).flatMap(this::fileLines);
|
||||
}
|
||||
|
||||
private Stream<String> fileLines(Path path) {
|
||||
try {
|
||||
return Files.lines(path);
|
||||
}
|
||||
catch (Exception ex) {
|
||||
throw new RuntimeException(ex);
|
||||
}
|
||||
}
|
||||
|
||||
}
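Review bot: The new `namespaceLines()` helper relies on `File.listFiles()`, which returns null when `referenceLocation` is not a directory (so `Stream.of(...)` fails with a bare NullPointerException rather than a readable error), yields entries in an unspecified order, and includes any subdirectory, which `Files.lines` would then reject. Order is not cosmetic here: the parser in the `@ -189,7 +190,7 @@` hunk carries `docAttrName` and `currentDocAttrNameToElmt` across the concatenated `lines`, so a file that does not begin with an `[[...]]` anchor would be attributed to whichever file happened to precede it on this filesystem. Listing with `Files.list`, keeping regular files only and sorting makes the test deterministic and self-describing on failure; `fileLines` should also catch `IOException` rather than `Exception` and rethrow as `UncheckedIOException` (needs a `java.io.UncheckedIOException` import) so the cause is kept without masking unrelated runtime errors.
```java
private Stream<String> namespaceLines() {
	Path dir = Paths.get(this.referenceLocation);
	// listFiles() order is unspecified and may include subdirectories; materialise a sorted
	// list of regular files before the directory stream is closed
	try (Stream<Path> files = Files.list(dir)) {
		List<Path> adocs = files.filter(Files::isRegularFile).sorted().collect(Collectors.toList());
		return adocs.stream().flatMap(this::fileLines);
	}
	catch (IOException ex) {
		throw new UncheckedIOException("Unable to list " + dir, ex);
	}
}

private Stream<String> fileLines(Path path) {
	try {
		return Files.lines(path);
	}
	catch (IOException ex) {
		throw new UncheckedIOException("Unable to read " + path, ex);
	}
}
```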
|
||||
|
|
|
@ -100,7 +100,12 @@
|
|||
*** xref:servlet/test/mockmvc/result-handlers.adoc[Security ResultHandlers]
|
||||
** xref:servlet/appendix/index.adoc[Appendix]
|
||||
*** xref:servlet/appendix/database-schema.adoc[Database Schemas]
|
||||
*** xref:servlet/appendix/namespace.adoc[XML Namespace]
|
||||
*** xref:servlet/appendix/namespace/index.adoc[XML Namespace]
|
||||
**** xref:servlet/appendix/namespace/authentication-manager.adoc[Authentication Services]
|
||||
**** xref:servlet/appendix/namespace/http.adoc[Web Security]
|
||||
**** xref:servlet/appendix/namespace/method-security.adoc[Method Security]
|
||||
**** xref:servlet/appendix/namespace/ldap.adoc[LDAP Security]
|
||||
**** xref:servlet/appendix/namespace/websocket.adoc[WebSocket Security]
|
||||
*** xref:servlet/appendix/faq.adoc[FAQ]
|
||||
* xref:reactive/index.adoc[Reactive Applications]
|
||||
** xref:reactive/getting-started.adoc[Getting Started]
|
||||
|
|
|
@ -44,7 +44,7 @@ fun run() {
|
|||
|
||||
While very simple, it makes it seamless to transfer the SecurityContext from one Thread to another.
|
||||
This is important since, in most cases, the SecurityContextHolder acts on a per Thread basis.
|
||||
For example, you might have used Spring Security's xref:servlet/appendix/namespace.adoc#nsa-global-method-security[<global-method-security>] support to secure one of your services.
|
||||
For example, you might have used Spring Security's xref:servlet/appendix/namespace/method-security.adoc#nsa-global-method-security[<global-method-security>] support to secure one of your services.
|
||||
You can now easily transfer the `SecurityContext` of the current `Thread` to the `Thread` that invokes the secured service.
|
||||
An example of how you might do this can be found below:
|
||||
|
||||
|
|
|
@ -4,5 +4,5 @@ This is an appendix for Servlet based Spring Security.
|
|||
It has the following sections:
|
||||
|
||||
* xref:servlet/appendix/database-schema.adoc[Database Schemas]
|
||||
* xref:servlet/appendix/namespace.adoc[XML Namespace]
|
||||
* xref:servlet/appendix/namespace/index.adoc[XML Namespace]
|
||||
* xref:servlet/appendix/faq.adoc[FAQ]
|
||||
|
|
|
@ -0,0 +1,292 @@
|
|||
[[nsa-authentication]]
|
||||
= Authentication Services
|
||||
Before Spring Security 3.0, an `AuthenticationManager` was automatically registered internally.
|
||||
Now you must register one explicitly using the `<authentication-manager>` element.
|
||||
This creates an instance of Spring Security's `ProviderManager` class, which needs to be configured with a list of one or more `AuthenticationProvider` instances.
|
||||
These can either be created using syntax elements provided by the namespace, or they can be standard bean definitions, marked for addition to the list using the `authentication-provider` element.
|
||||
|
||||
|
||||
[[nsa-authentication-manager]]
|
||||
== <authentication-manager>
|
||||
Every Spring Security application which uses the namespace must have include this element somewhere.
|
||||
It is responsible for registering the `AuthenticationManager` which provides authentication services to the application.
|
||||
All elements which create `AuthenticationProvider` instances should be children of this element.
|
||||
|
||||
|
||||
[[nsa-authentication-manager-attributes]]
|
||||
=== <authentication-manager> Attributes
|
||||
|
||||
|
||||
[[nsa-authentication-manager-alias]]
|
||||
* **alias**
|
||||
This attribute allows you to define an alias name for the internal instance for use in your own configuration.
|
||||
|
||||
|
||||
[[nsa-authentication-manager-erase-credentials]]
|
||||
* **erase-credentials**
|
||||
If set to true, the AuthenticationManager will attempt to clear any credentials data in the returned Authentication object, once the user has been authenticated.
|
||||
Literally it maps to the `eraseCredentialsAfterAuthentication` property of the xref:servlet/authentication/architecture.adoc#servlet-authentication-providermanager[`ProviderManager`].
|
||||
|
||||
|
||||
[[nsa-authentication-manager-id]]
|
||||
* **id**
|
||||
This attribute allows you to define an id for the internal instance for use in your own configuration.
|
||||
It is the same as the alias element, but provides a more consistent experience with elements that use the id attribute.
|
||||
|
||||
|
||||
[[nsa-authentication-manager-children]]
|
||||
=== Child Elements of <authentication-manager>
|
||||
|
||||
|
||||
* <<nsa-authentication-provider,authentication-provider>>
|
||||
* xref:servlet/appendix/namespace/ldap.adoc#nsa-ldap-authentication-provider[ldap-authentication-provider]
|
||||
|
||||
|
||||
|
||||
[[nsa-authentication-provider]]
|
||||
== <authentication-provider>
|
||||
Unless used with a `ref` attribute, this element is shorthand for configuring a `DaoAuthenticationProvider`.
|
||||
`DaoAuthenticationProvider` loads user information from a `UserDetailsService` and compares the username/password combination with the values supplied at login.
|
||||
The `UserDetailsService` instance can be defined either by using an available namespace element (`jdbc-user-service` or by using the `user-service-ref` attribute to point to a bean defined elsewhere in the application context).
|
||||
|
||||
|
||||
|
||||
[[nsa-authentication-provider-parents]]
|
||||
=== Parent Elements of <authentication-provider>
|
||||
|
||||
|
||||
* <<nsa-authentication-manager,authentication-manager>>
|
||||
|
||||
|
||||
|
||||
[[nsa-authentication-provider-attributes]]
|
||||
=== <authentication-provider> Attributes
|
||||
|
||||
|
||||
[[nsa-authentication-provider-ref]]
|
||||
* **ref**
|
||||
Defines a reference to a Spring bean that implements `AuthenticationProvider`.
|
||||
|
||||
If you have written your own `AuthenticationProvider` implementation (or want to configure one of Spring Security's own implementations as a traditional bean for some reason, then you can use the following syntax to add it to the internal list of `ProviderManager`:
|
||||
|
||||
[source,xml]
|
||||
----
|
||||
|
||||
<security:authentication-manager>
|
||||
<security:authentication-provider ref="myAuthenticationProvider" />
|
||||
</security:authentication-manager>
|
||||
<bean id="myAuthenticationProvider" class="com.something.MyAuthenticationProvider"/>
|
||||
|
||||
----
|
||||
|
||||
|
||||
|
||||
|
||||
[[nsa-authentication-provider-user-service-ref]]
|
||||
* **user-service-ref**
|
||||
A reference to a bean that implements UserDetailsService that may be created using the standard bean element or the custom user-service element.
|
||||
|
||||
|
||||
[[nsa-authentication-provider-children]]
|
||||
=== Child Elements of <authentication-provider>
|
||||
|
||||
|
||||
* <<nsa-jdbc-user-service,jdbc-user-service>>
|
||||
* xref:servlet/appendix/namespace/ldap.adoc#nsa-ldap-user-service[ldap-user-service]
|
||||
* <<nsa-password-encoder,password-encoder>>
|
||||
* <<nsa-user-service,user-service>>
|
||||
|
||||
|
||||
|
||||
[[nsa-jdbc-user-service]]
|
||||
== <jdbc-user-service>
|
||||
Causes creation of a JDBC-based UserDetailsService.
|
||||
|
||||
|
||||
[[nsa-jdbc-user-service-attributes]]
|
||||
=== <jdbc-user-service> Attributes
|
||||
|
||||
|
||||
[[nsa-jdbc-user-service-authorities-by-username-query]]
|
||||
* **authorities-by-username-query**
|
||||
An SQL statement to query for a user's granted authorities given a username.
|
||||
|
||||
The default is
|
||||
|
||||
[source]
|
||||
----
|
||||
select username, authority from authorities where username = ?
|
||||
----
|
||||
|
||||
|
||||
|
||||
|
||||
[[nsa-jdbc-user-service-cache-ref]]
|
||||
* **cache-ref**
|
||||
Defines a reference to a cache for use with a UserDetailsService.
|
||||
|
||||
|
||||
[[nsa-jdbc-user-service-data-source-ref]]
|
||||
* **data-source-ref**
|
||||
The bean ID of the DataSource which provides the required tables.
|
||||
|
||||
|
||||
[[nsa-jdbc-user-service-group-authorities-by-username-query]]
|
||||
* **group-authorities-by-username-query**
|
||||
An SQL statement to query user's group authorities given a username.
|
||||
The default is
|
||||
|
||||
+
|
||||
|
||||
[source]
|
||||
----
|
||||
select
|
||||
g.id, g.group_name, ga.authority
|
||||
from
|
||||
groups g, group_members gm, group_authorities ga
|
||||
where
|
||||
gm.username = ? and g.id = ga.group_id and g.id = gm.group_id
|
||||
----
|
||||
|
||||
|
||||
|
||||
|
||||
[[nsa-jdbc-user-service-id]]
|
||||
* **id**
|
||||
A bean identifier, used for referring to the bean elsewhere in the context.
|
||||
|
||||
|
||||
[[nsa-jdbc-user-service-role-prefix]]
|
||||
* **role-prefix**
|
||||
A non-empty string prefix that will be added to role strings loaded from persistent storage (default is "ROLE_").
|
||||
Use the value "none" for no prefix in cases where the default is non-empty.
|
||||
|
||||
|
||||
[[nsa-jdbc-user-service-users-by-username-query]]
|
||||
* **users-by-username-query**
|
||||
An SQL statement to query a username, password, and enabled status given a username.
|
||||
The default is
|
||||
|
||||
+
|
||||
|
||||
[source]
|
||||
----
|
||||
select username, password, enabled from users where username = ?
|
||||
----
|
||||
|
||||
|
||||
|
||||
|
||||
[[nsa-password-encoder]]
|
||||
== <password-encoder>
|
||||
Authentication providers can optionally be configured to use a password encoder as described in the xref:features/authentication/password-storage.adoc#authentication-password-storage[Password Storage].
|
||||
This will result in the bean being injected with the appropriate `PasswordEncoder` instance.
|
||||
|
||||
|
||||
[[nsa-password-encoder-parents]]
|
||||
=== Parent Elements of <password-encoder>
|
||||
|
||||
|
||||
* <<nsa-authentication-provider,authentication-provider>>
|
||||
* xref:servlet/appendix/namespace/authentication-manager.adoc#nsa-password-compare[password-compare]
|
||||
|
||||
|
||||
|
||||
[[nsa-password-encoder-attributes]]
|
||||
=== <password-encoder> Attributes
|
||||
|
||||
|
||||
[[nsa-password-encoder-hash]]
|
||||
* **hash**
|
||||
Defines the hashing algorithm used on user passwords.
|
||||
We recommend strongly against using MD4, as it is a very weak hashing algorithm.
|
||||
|
||||
|
||||
[[nsa-password-encoder-ref]]
|
||||
* **ref**
|
||||
Defines a reference to a Spring bean that implements `PasswordEncoder`.
|
||||
|
||||
|
||||
[[nsa-user-service]]
|
||||
== <user-service>
|
||||
Creates an in-memory UserDetailsService from a properties file or a list of "user" child elements.
|
||||
Usernames are converted to lower-case internally to allow for case-insensitive lookups, so this should not be used if case-sensitivity is required.
|
||||
|
||||
|
||||
[[nsa-user-service-attributes]]
|
||||
=== <user-service> Attributes
|
||||
|
||||
|
||||
[[nsa-user-service-id]]
|
||||
* **id**
|
||||
A bean identifier, used for referring to the bean elsewhere in the context.
|
||||
|
||||
|
||||
[[nsa-user-service-properties]]
|
||||
* **properties**
|
||||
The location of a Properties file where each line is in the format of
|
||||
|
||||
+
|
||||
|
||||
[source]
|
||||
----
|
||||
username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]
|
||||
----
|
||||
|
||||
|
||||
|
||||
|
||||
[[nsa-user-service-children]]
|
||||
=== Child Elements of <user-service>
|
||||
|
||||
|
||||
* <<nsa-user,user>>
|
||||
|
||||
|
||||
|
||||
[[nsa-user]]
|
||||
== <user>
|
||||
Represents a user in the application.
|
||||
|
||||
|
||||
[[nsa-user-parents]]
|
||||
=== Parent Elements of <user>
|
||||
|
||||
|
||||
* <<nsa-user-service,user-service>>
|
||||
|
||||
|
||||
|
||||
[[nsa-user-attributes]]
|
||||
=== <user> Attributes
|
||||
|
||||
|
||||
[[nsa-user-authorities]]
|
||||
* **authorities**
|
||||
One of more authorities granted to the user.
|
||||
Separate authorities with a comma (but no space).
|
||||
For example, "ROLE_USER,ROLE_ADMINISTRATOR"
|
||||
|
||||
|
||||
[[nsa-user-disabled]]
|
||||
* **disabled**
|
||||
Can be set to "true" to mark an account as disabled and unusable.
|
||||
|
||||
|
||||
[[nsa-user-locked]]
|
||||
* **locked**
|
||||
Can be set to "true" to mark an account as locked and unusable.
|
||||
|
||||
|
||||
[[nsa-user-name]]
|
||||
* **name**
|
||||
The username assigned to the user.
|
||||
|
||||
|
||||
[[nsa-user-password]]
|
||||
* **password**
|
||||
The password assigned to the user.
|
||||
This may be hashed if the corresponding authentication provider supports hashing (remember to set the "hash" attribute of the "user-service" element).
|
||||
This attribute be omitted in the case where the data will not be used for authentication, but only for accessing authorities.
|
||||
If omitted, the namespace will generate a random value, preventing its accidental use for authentication.
|
||||
Cannot be empty.
|
|
@ -0,0 +1,9 @@
|
|||
[[appendix-namespace]]
|
||||
= The Security Namespace
|
||||
:page-section-summary-toc: 1
|
||||
|
||||
This appendix provides a reference to the elements available in the security namespace and information on the underlying beans they create (a knowledge of the individual classes and how they work together is assumed - you can find more information in the project Javadoc and elsewhere in this document).
|
||||
If you haven't used the namespace before, please read the xref:servlet/configuration/xml-namespace.adoc#ns-config[introductory chapter] on namespace configuration, as this is intended as a supplement to the information there.
|
||||
Using a good quality XML editor while editing a configuration based on the schema is recommended as this will provide contextual information on which elements and attributes are available as well as comments explaining their purpose.
|
||||
The namespace is written in https://relaxng.org/[RELAX NG] Compact format and later converted into an XSD schema.
|
||||
If you are familiar with this format, you may wish to examine the https://raw.githubusercontent.com/spring-projects/spring-security/main/config/src/main/resources/org/springframework/security/config/spring-security-5.6.rnc[schema file] directly.
|
|
@ -0,0 +1,291 @@
|
|||
[[nsa-ldap]]
|
||||
= LDAP Namespace Options
|
||||
LDAP is covered in some details in xref:servlet/authentication/passwords/ldap.adoc#servlet-authentication-ldap[its own chapter].
|
||||
We will expand on that here with some explanation of how the namespace options map to Spring beans.
|
||||
The LDAP implementation uses Spring LDAP extensively, so some familiarity with that project's API may be useful.
|
||||
|
||||
|
||||
[[nsa-ldap-server]]
|
||||
== Defining the LDAP Server using the
|
||||
`<ldap-server>` Element
|
||||
This element sets up a Spring LDAP `ContextSource` for use by the other LDAP beans, defining the location of the LDAP server and other information (such as a username and password, if it doesn't allow anonymous access) for connecting to it.
|
||||
It can also be used to create an embedded server for testing.
|
||||
Details of the syntax for both options are covered in the xref:servlet/authentication/passwords/ldap.adoc#servlet-authentication-ldap[LDAP chapter].
|
||||
The actual `ContextSource` implementation is `DefaultSpringSecurityContextSource` which extends Spring LDAP's `LdapContextSource` class.
|
||||
The `manager-dn` and `manager-password` attributes map to the latter's `userDn` and `password` properties respectively.
|
||||
|
||||
If you only have one server defined in your application context, the other LDAP namespace-defined beans will use it automatically.
|
||||
Otherwise, you can give the element an "id" attribute and refer to it from other namespace beans using the `server-ref` attribute.
|
||||
This is actually the bean `id` of the `ContextSource` instance, if you want to use it in other traditional Spring beans.
|
||||
|
||||
|
||||
[[nsa-ldap-server-attributes]]
|
||||
=== <ldap-server> Attributes
|
||||
|
||||
[[nsa-ldap-server-mode]]
|
||||
* **mode**
|
||||
Explicitly specifies which embedded ldap server should use. Values are `apacheds` and `unboundid`. By default, it will depends if the library is available in the classpath.
|
||||
|
||||
[[nsa-ldap-server-id]]
|
||||
* **id**
|
||||
A bean identifier, used for referring to the bean elsewhere in the context.
|
||||
|
||||
|
||||
[[nsa-ldap-server-ldif]]
|
||||
* **ldif**
|
||||
Explicitly specifies an ldif file resource to load into an embedded LDAP server.
|
||||
The ldif should be a Spring resource pattern (i.e. classpath:init.ldif).
|
||||
The default is classpath*:*.ldif
|
||||
|
||||
|
||||
[[nsa-ldap-server-manager-dn]]
|
||||
* **manager-dn**
|
||||
Username (DN) of the "manager" user identity which will be used to authenticate to a (non-embedded) LDAP server.
|
||||
If omitted, anonymous access will be used.
|
||||
|
||||
|
||||
[[nsa-ldap-server-manager-password]]
|
||||
* **manager-password**
|
||||
The password for the manager DN.
|
||||
This is required if the manager-dn is specified.
|
||||
|
||||
|
||||
[[nsa-ldap-server-port]]
|
||||
* **port**
|
||||
Specifies an IP port number.
|
||||
Used to configure an embedded LDAP server, for example.
|
||||
The default value is 33389.
|
||||
|
||||
|
||||
[[nsa-ldap-server-root]]
|
||||
* **root**
|
||||
Optional root suffix for the embedded LDAP server.
|
||||
Default is "dc=springframework,dc=org"
|
||||
|
||||
|
||||
[[nsa-ldap-server-url]]
|
||||
* **url**
|
||||
Specifies the ldap server URL when not using the embedded LDAP server.
|
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider]]
|
||||
== <ldap-authentication-provider>
|
||||
This element is shorthand for the creation of an `LdapAuthenticationProvider` instance.
|
||||
By default this will be configured with a `BindAuthenticator` instance and a `DefaultAuthoritiesPopulator`.
|
||||
As with all namespace authentication providers, it must be included as a child of the `authentication-provider` element.
|
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider-parents]]
|
||||
=== Parent Elements of <ldap-authentication-provider>
|
||||
|
||||
|
||||
* xref:servlet/appendix/namespace/authentication-manager.adoc#nsa-authentication-manager[authentication-manager]
|
||||
|
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider-attributes]]
|
||||
=== <ldap-authentication-provider> Attributes
|
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider-group-role-attribute]]
|
||||
* **group-role-attribute**
|
||||
The LDAP attribute name which contains the role name which will be used within Spring Security.
|
||||
Maps to the ``DefaultLdapAuthoritiesPopulator``'s `groupRoleAttribute` property.
|
||||
Defaults to "cn".
|
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider-group-search-base]]
|
||||
* **group-search-base**
|
||||
Search base for group membership searches.
|
||||
Maps to the ``DefaultLdapAuthoritiesPopulator``'s `groupSearchBase` constructor argument.
|
||||
Defaults to "" (searching from the root).
|
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider-group-search-filter]]
|
||||
* **group-search-filter**
|
||||
Group search filter.
|
||||
Maps to the ``DefaultLdapAuthoritiesPopulator``'s `groupSearchFilter` property.
|
||||
Defaults to `+(uniqueMember={0})+`.
|
||||
The substituted parameter is the DN of the user.
|
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider-role-prefix]]
|
||||
* **role-prefix**
|
||||
A non-empty string prefix that will be added to role strings loaded from persistent.
|
||||
Maps to the ``DefaultLdapAuthoritiesPopulator``'s `rolePrefix` property.
|
||||
Defaults to "ROLE_".
|
||||
Use the value "none" for no prefix in cases where the default is non-empty.
|
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider-server-ref]]
|
||||
* **server-ref**
|
||||
The optional server to use.
|
||||
If omitted, and a default LDAP server is registered (using <ldap-server> with no Id), that server will be used.
|
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider-user-context-mapper-ref]]
|
||||
* **user-context-mapper-ref**
|
||||
Allows explicit customization of the loaded user object by specifying a UserDetailsContextMapper bean which will be called with the context information from the user's directory entry
|
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider-user-details-class]]
|
||||
* **user-details-class**
|
||||
Allows the objectClass of the user entry to be specified.
|
||||
If set, the framework will attempt to load standard attributes for the defined class into the returned UserDetails object
|
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider-user-dn-pattern]]
|
||||
* **user-dn-pattern**
|
||||
If your users are at a fixed location in the directory (i.e. you can work out the DN directly from the username without doing a directory search), you can use this attribute to map directly to the DN.
|
||||
It maps directly to the `userDnPatterns` property of `AbstractLdapAuthenticator`.
|
||||
The value is a specific pattern used to build the user's DN, for example `+uid={0},ou=people+`.
|
||||
The key `+{0}+` must be present and will be substituted with the username.
|
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider-user-search-base]]
|
||||
* **user-search-base**
|
||||
Search base for user searches.
|
||||
Defaults to "".
|
||||
Only used with a 'user-search-filter'.
|
||||
|
||||
+
|
||||
|
||||
If you need to perform a search to locate the user in the directory, then you can set these attributes to control the search.
|
||||
The `BindAuthenticator` will be configured with a `FilterBasedLdapUserSearch` and the attribute values map directly to the first two arguments of that bean's constructor.
|
||||
If these attributes aren't set and no `user-dn-pattern` has been supplied as an alternative, then the default search values of `+user-search-filter="(uid={0})"+` and `user-search-base=""` will be used.
|
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider-user-search-filter]]
|
||||
* **user-search-filter**
|
||||
The LDAP filter used to search for users (optional).
|
||||
For example `+(uid={0})+`.
|
||||
The substituted parameter is the user's login name.
|
||||
|
||||
+
|
||||
|
||||
If you need to perform a search to locate the user in the directory, then you can set these attributes to control the search.
|
||||
The `BindAuthenticator` will be configured with a `FilterBasedLdapUserSearch` and the attribute values map directly to the first two arguments of that bean's constructor.
|
||||
If these attributes aren't set and no `user-dn-pattern` has been supplied as an alternative, then the default search values of `+user-search-filter="(uid={0})"+` and `user-search-base=""` will be used.
|
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider-children]]
|
||||
=== Child Elements of <ldap-authentication-provider>
|
||||
|
||||
|
||||
* <<nsa-password-compare,password-compare>>
|
||||
|
||||
|
||||
|
||||
[[nsa-password-compare]]
|
||||
== <password-compare>
|
||||
This is used as child element to `<ldap-provider>` and switches the authentication strategy from `BindAuthenticator` to `PasswordComparisonAuthenticator`.
|
||||
|
||||
|
||||
[[nsa-password-compare-parents]]
|
||||
=== Parent Elements of <password-compare>
|
||||
|
||||
|
||||
* <<nsa-ldap-authentication-provider,ldap-authentication-provider>>
|
||||
|
||||
|
||||
|
||||
[[nsa-password-compare-attributes]]
|
||||
=== <password-compare> Attributes
|
||||
|
||||
|
||||
[[nsa-password-compare-hash]]
|
||||
* **hash**
|
||||
Defines the hashing algorithm used on user passwords.
|
||||
We recommend strongly against using MD4, as it is a very weak hashing algorithm.
|
||||
|
||||
|
||||
[[nsa-password-compare-password-attribute]]
|
||||
* **password-attribute**
|
||||
The attribute in the directory which contains the user password.
|
||||
Defaults to "userPassword".
|
||||
|
||||
|
||||
[[nsa-password-compare-children]]
|
||||
=== Child Elements of <password-compare>
|
||||
|
||||
|
||||
* xref:servlet/appendix/namespace/authentication-manager.adoc#nsa-password-encoder[password-encoder]
|
||||
|
||||
|
||||
|
||||
[[nsa-ldap-user-service]]
|
||||
== <ldap-user-service>
|
||||
This element configures an LDAP `UserDetailsService`.
|
||||
The class used is `LdapUserDetailsService` which is a combination of a `FilterBasedLdapUserSearch` and a `DefaultLdapAuthoritiesPopulator`.
|
||||
The attributes it supports have the same usage as in `<ldap-provider>`.
|
||||
|
||||
|
||||
[[nsa-ldap-user-service-attributes]]
|
||||
=== <ldap-user-service> Attributes
|
||||
|
||||
|
||||
[[nsa-ldap-user-service-cache-ref]]
|
||||
* **cache-ref**
|
||||
Defines a reference to a cache for use with a UserDetailsService.
|
||||
|
||||
|
||||
[[nsa-ldap-user-service-group-role-attribute]]
|
||||
* **group-role-attribute**
|
||||
The LDAP attribute name which contains the role name which will be used within Spring Security.
|
||||
Defaults to "cn".
|
||||
|
||||
|
||||
[[nsa-ldap-user-service-group-search-base]]
|
||||
* **group-search-base**
|
||||
Search base for group membership searches.
|
||||
Defaults to "" (searching from the root).
|
||||
|
||||
|
||||
[[nsa-ldap-user-service-group-search-filter]]
|
||||
* **group-search-filter**
|
||||
Group search filter.
|
||||
Defaults to `+(uniqueMember={0})+`.
|
||||
The substituted parameter is the DN of the user.
|
||||
|
||||
|
||||
[[nsa-ldap-user-service-id]]
|
||||
* **id**
|
||||
A bean identifier, used for referring to the bean elsewhere in the context.
|
||||
|
||||
|
||||
[[nsa-ldap-user-service-role-prefix]]
|
||||
* **role-prefix**
|
||||
A non-empty string prefix that will be added to role strings loaded from persistent storage (e.g.
|
||||
"ROLE_").
|
||||
Use the value "none" for no prefix in cases where the default is non-empty.
|
||||
|
||||
|
||||
[[nsa-ldap-user-service-server-ref]]
|
||||
* **server-ref**
|
||||
The optional server to use.
|
||||
If omitted, and a default LDAP server is registered (using <ldap-server> with no Id), that server will be used.
|
||||
|
||||
|
||||
[[nsa-ldap-user-service-user-context-mapper-ref]]
|
||||
* **user-context-mapper-ref**
|
||||
Allows explicit customization of the loaded user object by specifying a UserDetailsContextMapper bean which will be called with the context information from the user's directory entry
|
||||
|
||||
|
||||
[[nsa-ldap-user-service-user-details-class]]
|
||||
* **user-details-class**
|
||||
Allows the objectClass of the user entry to be specified.
|
||||
If set, the framework will attempt to load standard attributes for the defined class into the returned UserDetails object
|
||||
|
||||
|
||||
[[nsa-ldap-user-service-user-search-base]]
|
||||
* **user-search-base**
|
||||
Search base for user searches.
|
||||
Defaults to "".
|
||||
Only used with a 'user-search-filter'.
|
||||
|
||||
|
||||
[[nsa-ldap-user-service-user-search-filter]]
|
||||
* **user-search-filter**
|
||||
The LDAP filter used to search for users (optional).
|
||||
For example `+(uid={0})+`.
|
||||
The substituted parameter is the user's login name.
|
|
@ -0,0 +1,340 @@
|
|||
= Method Security
|
||||
|
||||
[[nsa-method-security]]
|
||||
== <method-security>
|
||||
This element is the primary means of adding support for securing methods on Spring Security beans.
|
||||
Methods can be secured by the use of annotations (defined at the interface or class level) or by defining a set of pointcuts.
|
||||
|
||||
[[nsa-method-security-attributes]]
|
||||
=== <method-security> attributes
|
||||
|
||||
[[nsa-method-security-pre-post-enabled]]
|
||||
* **pre-post-enabled**
|
||||
Enables Spring Security's pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) for this application context.
|
||||
Defaults to "true".
|
||||
|
||||
[[nsa-method-security-secured-enabled]]
|
||||
* **secured-enabled**
|
||||
Enables Spring Security's @Secured annotation for this application context.
|
||||
Defaults to "false".
|
||||
|
||||
[[nsa-method-security-jsr250-enabled]]
|
||||
* **jsr250-enabled**
|
||||
Enables JSR-250 authorization annotations (@RolesAllowed, @PermitAll, @DenyAll) for this application context.
|
||||
Defaults to "false".
|
||||
|
||||
[[nsa-method-security-proxy-target-class]]
|
||||
* **proxy-target-class**
|
||||
If true, class based proxying will be used instead of interface based proxying.
|
||||
Defaults to "false".
|
||||
|
||||
[[nsa-method-security-children]]
|
||||
=== Child Elements of <method-security>
|
||||
|
||||
* xref:servlet/appendix/namespace/http.adoc#nsa-expression-handler[expression-handler]
|
||||
|
||||
[[nsa-global-method-security]]
|
||||
== <global-method-security>
|
||||
This element is the primary means of adding support for securing methods on Spring Security beans.
|
||||
Methods can be secured by the use of annotations (defined at the interface or class level) or by defining a set of pointcuts as child elements, using AspectJ syntax.
|
||||
|
||||
|
||||
[[nsa-global-method-security-attributes]]
|
||||
=== <global-method-security> Attributes
|
||||
|
||||
|
||||
[[nsa-global-method-security-access-decision-manager-ref]]
|
||||
* **access-decision-manager-ref**
|
||||
Method security uses the same `AccessDecisionManager` configuration as web security, but this can be overridden using this attribute.
|
||||
By default an AffirmativeBased implementation is used for with a RoleVoter and an AuthenticatedVoter.
|
||||
|
||||
|
||||
[[nsa-global-method-security-authentication-manager-ref]]
|
||||
* **authentication-manager-ref**
|
||||
A reference to an `AuthenticationManager` that should be used for method security.
|
||||
|
||||
|
||||
[[nsa-global-method-security-jsr250-annotations]]
|
||||
* **jsr250-annotations**
|
||||
Specifies whether JSR-250 style attributes are to be used (for example "RolesAllowed").
|
||||
This will require the javax.annotation.security classes on the classpath.
|
||||
Setting this to true also adds a `Jsr250Voter` to the `AccessDecisionManager`, so you need to make sure you do this if you are using a custom implementation and want to use these annotations.
|
||||
|
||||
|
||||
[[nsa-global-method-security-metadata-source-ref]]
|
||||
* **metadata-source-ref**
|
||||
An external `MethodSecurityMetadataSource` instance can be supplied which will take priority over other sources (such as the default annotations).
|
||||
|
||||
|
||||
[[nsa-global-method-security-mode]]
|
||||
* **mode**
|
||||
This attribute can be set to "aspectj" to specify that AspectJ should be used instead of the default Spring AOP.
|
||||
Secured methods must be woven with the `AnnotationSecurityAspect` from the `spring-security-aspects` module.
|
||||
|
||||
It is important to note that AspectJ follows Java's rule that annotations on interfaces are not inherited.
|
||||
This means that methods that define the Security annotations on the interface will not be secured.
|
||||
Instead, you must place the Security annotation on the class when using AspectJ.
|
||||
|
||||
|
||||
[[nsa-global-method-security-order]]
|
||||
* **order**
|
||||
Allows the advice "order" to be set for the method security interceptor.
|
||||
|
||||
|
||||
[[nsa-global-method-security-pre-post-annotations]]
|
||||
* **pre-post-annotations**
|
||||
Specifies whether the use of Spring Security's pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be enabled for this application context.
|
||||
Defaults to "disabled".
|
||||
|
||||
|
||||
[[nsa-global-method-security-proxy-target-class]]
|
||||
* **proxy-target-class**
|
||||
If true, class based proxying will be used instead of interface based proxying.
|
||||
|
||||
|
||||
[[nsa-global-method-security-run-as-manager-ref]]
|
||||
* **run-as-manager-ref**
|
||||
A reference to an optional `RunAsManager` implementation which will be used by the configured `MethodSecurityInterceptor`
|
||||
|
||||
|
||||
[[nsa-global-method-security-secured-annotations]]
|
||||
* **secured-annotations**
|
||||
Specifies whether the use of Spring Security's @Secured annotations should be enabled for this application context.
|
||||
Defaults to "disabled".
|
||||
|
||||
|
||||
[[nsa-global-method-security-children]]
|
||||
=== Child Elements of <global-method-security>
|
||||
|
||||
|
||||
* <<nsa-after-invocation-provider,after-invocation-provider>>
|
||||
* xref:servlet/appendix/namespace/http.adoc#nsa-expression-handler[expression-handler]
|
||||
* <<nsa-pre-post-annotation-handling,pre-post-annotation-handling>>
|
||||
* <<nsa-protect-pointcut,protect-pointcut>>
|
||||
|
||||
|
||||
|
||||
[[nsa-after-invocation-provider]]
|
||||
== <after-invocation-provider>
|
||||
This element can be used to decorate an `AfterInvocationProvider` for use by the security interceptor maintained by the `<global-method-security>` namespace.
|
||||
You can define zero or more of these within the `global-method-security` element, each with a `ref` attribute pointing to an `AfterInvocationProvider` bean instance within your application context.
|
||||
|
||||
|
||||
[[nsa-after-invocation-provider-parents]]
|
||||
=== Parent Elements of <after-invocation-provider>
|
||||
|
||||
|
||||
* <<nsa-global-method-security,global-method-security>>
|
||||
|
||||
|
||||
|
||||
[[nsa-after-invocation-provider-attributes]]
|
||||
=== <after-invocation-provider> Attributes
|
||||
|
||||
|
||||
[[nsa-after-invocation-provider-ref]]
|
||||
* **ref**
|
||||
Defines a reference to a Spring bean that implements `AfterInvocationProvider`.
|
||||
|
||||
|
||||
[[nsa-pre-post-annotation-handling]]
|
||||
== <pre-post-annotation-handling>
|
||||
Allows the default expression-based mechanism for handling Spring Security's pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) to be replaced entirely.
|
||||
Only applies if these annotations are enabled.
|
||||
|
||||
|
||||
[[nsa-pre-post-annotation-handling-parents]]
|
||||
=== Parent Elements of <pre-post-annotation-handling>
|
||||
|
||||
|
||||
* <<nsa-global-method-security,global-method-security>>
|
||||
|
||||
|
||||
|
||||
[[nsa-pre-post-annotation-handling-children]]
|
||||
=== Child Elements of <pre-post-annotation-handling>
|
||||
|
||||
|
||||
* <<nsa-invocation-attribute-factory,invocation-attribute-factory>>
|
||||
* <<nsa-post-invocation-advice,post-invocation-advice>>
|
||||
* <<nsa-pre-invocation-advice,pre-invocation-advice>>
|
||||
|
||||
|
||||
|
||||
[[nsa-invocation-attribute-factory]]
|
||||
== <invocation-attribute-factory>
|
||||
Defines the PrePostInvocationAttributeFactory instance which is used to generate pre and post invocation metadata from the annotated methods.
|
||||
|
||||
|
||||
[[nsa-invocation-attribute-factory-parents]]
|
||||
=== Parent Elements of <invocation-attribute-factory>
|
||||
|
||||
|
||||
* <<nsa-pre-post-annotation-handling,pre-post-annotation-handling>>
|
||||
|
||||
|
||||
|
||||
[[nsa-invocation-attribute-factory-attributes]]
|
||||
=== <invocation-attribute-factory> Attributes
|
||||
|
||||
|
||||
[[nsa-invocation-attribute-factory-ref]]
|
||||
* **ref**
|
||||
Defines a reference to a Spring bean Id.
|
||||
|
||||
|
||||
[[nsa-post-invocation-advice]]
|
||||
== <post-invocation-advice>
|
||||
Customizes the `PostInvocationAdviceProvider` with the ref as the `PostInvocationAuthorizationAdvice` for the <pre-post-annotation-handling> element.
|
||||
|
||||
|
||||
[[nsa-post-invocation-advice-parents]]
|
||||
=== Parent Elements of <post-invocation-advice>
|
||||
|
||||
|
||||
* <<nsa-pre-post-annotation-handling,pre-post-annotation-handling>>
|
||||
|
||||
|
||||
|
||||
[[nsa-post-invocation-advice-attributes]]
|
||||
=== <post-invocation-advice> Attributes
|
||||
|
||||
|
||||
[[nsa-post-invocation-advice-ref]]
|
||||
* **ref**
|
||||
Defines a reference to a Spring bean Id.
|
||||
|
||||
|
||||
[[nsa-pre-invocation-advice]]
|
||||
== <pre-invocation-advice>
|
||||
Customizes the `PreInvocationAuthorizationAdviceVoter` with the ref as the `PreInvocationAuthorizationAdviceVoter` for the <pre-post-annotation-handling> element.
|
||||
|
||||
|
||||
[[nsa-pre-invocation-advice-parents]]
|
||||
=== Parent Elements of <pre-invocation-advice>
|
||||
|
||||
|
||||
* <<nsa-pre-post-annotation-handling,pre-post-annotation-handling>>
|
||||
|
||||
|
||||
|
||||
[[nsa-pre-invocation-advice-attributes]]
|
||||
=== <pre-invocation-advice> Attributes
|
||||
|
||||
|
||||
[[nsa-pre-invocation-advice-ref]]
|
||||
* **ref**
|
||||
Defines a reference to a Spring bean Id.
|
||||
|
||||
|
||||
[[nsa-protect-pointcut]]
|
||||
== Securing Methods using
|
||||
`<protect-pointcut>`
|
||||
Rather than defining security attributes on an individual method or class basis using the `@Secured` annotation, you can define cross-cutting security constraints across whole sets of methods and interfaces in your service layer using the `<protect-pointcut>` element.
|
||||
You can find an example in the xref:servlet/authorization/method-security.adoc#ns-protect-pointcut[namespace introduction].
|
||||
|
||||
|
||||
[[nsa-protect-pointcut-parents]]
|
||||
=== Parent Elements of <protect-pointcut>
|
||||
|
||||
|
||||
* <<nsa-global-method-security,global-method-security>>
|
||||
|
||||
|
||||
|
||||
[[nsa-protect-pointcut-attributes]]
|
||||
=== <protect-pointcut> Attributes
|
||||
|
||||
|
||||
[[nsa-protect-pointcut-access]]
|
||||
* **access**
|
||||
Access configuration attributes list that applies to all methods matching the pointcut, e.g.
|
||||
"ROLE_A,ROLE_B"
|
||||
|
||||
|
||||
[[nsa-protect-pointcut-expression]]
|
||||
* **expression**
|
||||
An AspectJ expression, including the `execution` keyword.
|
||||
For example, `execution(int com.foo.TargetObject.countLength(String))`.
|
||||
|
||||
|
||||
[[nsa-intercept-methods]]
|
||||
== <intercept-methods>
|
||||
Can be used inside a bean definition to add a security interceptor to the bean and set up access configuration attributes for the bean's methods
|
||||
|
||||
|
||||
[[nsa-intercept-methods-attributes]]
|
||||
=== <intercept-methods> Attributes
|
||||
|
||||
|
||||
[[nsa-intercept-methods-access-decision-manager-ref]]
|
||||
* **access-decision-manager-ref**
|
||||
Optional AccessDecisionManager bean ID to be used by the created method security interceptor.
|
||||
|
||||
|
||||
[[nsa-intercept-methods-children]]
|
||||
=== Child Elements of <intercept-methods>
|
||||
|
||||
|
||||
* <<nsa-protect,protect>>
|
||||
|
||||
|
||||
|
||||
[[nsa-method-security-metadata-source]]
|
||||
== <method-security-metadata-source>
|
||||
Creates a MethodSecurityMetadataSource instance
|
||||
|
||||
|
||||
[[nsa-method-security-metadata-source-attributes]]
|
||||
=== <method-security-metadata-source> Attributes
|
||||
|
||||
|
||||
[[nsa-method-security-metadata-source-id]]
|
||||
* **id**
|
||||
A bean identifier, used for referring to the bean elsewhere in the context.
|
||||
|
||||
|
||||
[[nsa-method-security-metadata-source-use-expressions]]
|
||||
* **use-expressions**
|
||||
Enables the use of expressions in the 'access' attributes in <intercept-url> elements rather than the traditional list of configuration attributes.
|
||||
Defaults to 'false'.
|
||||
If enabled, each attribute should contain a single Boolean expression.
|
||||
If the expression evaluates to 'true', access will be granted.
|
||||
|
||||
|
||||
[[nsa-method-security-metadata-source-children]]
|
||||
=== Child Elements of <method-security-metadata-source>
|
||||
|
||||
|
||||
* <<nsa-protect,protect>>
|
||||
|
||||
|
||||
|
||||
[[nsa-protect]]
|
||||
== <protect>
|
||||
Defines a protected method and the access control configuration attributes that apply to it.
|
||||
We strongly advise you NOT to mix "protect" declarations with any services provided "global-method-security".
|
||||
|
||||
|
||||
[[nsa-protect-parents]]
|
||||
=== Parent Elements of <protect>
|
||||
|
||||
|
||||
* <<nsa-intercept-methods,intercept-methods>>
|
||||
* <<nsa-method-security-metadata-source,method-security-metadata-source>>
|
||||
|
||||
|
||||
|
||||
[[nsa-protect-attributes]]
|
||||
=== <protect> Attributes
|
||||
|
||||
|
||||
[[nsa-protect-access]]
|
||||
* **access**
|
||||
Access configuration attributes list that applies to the method, e.g.
|
||||
"ROLE_A,ROLE_B".
|
||||
|
||||
|
||||
[[nsa-protect-method]]
|
||||
* **method**
|
||||
A method name
|
|
@ -0,0 +1,74 @@
|
|||
[[nsa-websocket-security]]
|
||||
= WebSocket Security
|
||||
|
||||
Spring Security 4.0+ provides support for authorizing messages.
|
||||
One concrete example of where this is useful is to provide authorization in WebSocket based applications.
|
||||
|
||||
[[nsa-websocket-message-broker]]
|
||||
== <websocket-message-broker>
|
||||
|
||||
The websocket-message-broker element has two different modes.
|
||||
If the <<nsa-websocket-message-broker-id,websocket-message-broker@id>> is not specified, then it will do the following things:
|
||||
|
||||
* Ensure that any SimpAnnotationMethodMessageHandler has the AuthenticationPrincipalArgumentResolver registered as a custom argument resolver.
|
||||
This allows the use of `@AuthenticationPrincipal` to resolve the principal of the current `Authentication`
|
||||
* Ensures that the SecurityContextChannelInterceptor is automatically registered for the clientInboundChannel.
|
||||
This populates the SecurityContextHolder with the user that is found in the Message
|
||||
* Ensures that a ChannelSecurityInterceptor is registered with the clientInboundChannel.
|
||||
This allows authorization rules to be specified for a message.
|
||||
* Ensures that a CsrfChannelInterceptor is registered with the clientInboundChannel.
|
||||
This ensures that only requests from the original domain are enabled.
|
||||
* Ensures that a CsrfTokenHandshakeInterceptor is registered with WebSocketHttpRequestHandler, TransportHandlingSockJsService, or DefaultSockJsService.
|
||||
This ensures that the expected CsrfToken from the HttpServletRequest is copied into the WebSocket Session attributes.
|
||||
|
||||
If additional control is necessary, the id can be specified and a ChannelSecurityInterceptor will be assigned to the specified id.
|
||||
All the wiring with Spring's messaging infrastructure can then be done manually.
|
||||
This is more cumbersome, but provides greater control over the configuration.
|
||||
|
||||
|
||||
[[nsa-websocket-message-broker-attributes]]
|
||||
=== <websocket-message-broker> Attributes
|
||||
|
||||
[[nsa-websocket-message-broker-id]]
|
||||
* **id** A bean identifier, used for referring to the ChannelSecurityInterceptor bean elsewhere in the context.
|
||||
If specified, Spring Security requires explicit configuration within Spring Messaging.
|
||||
If not specified, Spring Security will automatically integrate with the messaging infrastructure as described in <<nsa-websocket-message-broker>>
|
||||
|
||||
[[nsa-websocket-message-broker-same-origin-disabled]]
|
||||
* **same-origin-disabled** Disables the requirement for CSRF token to be present in the Stomp headers (default false).
|
||||
Changing the default is useful if it is necessary to allow other origins to make SockJS connections.
|
||||
|
||||
[[nsa-websocket-message-broker-children]]
|
||||
=== Child Elements of <websocket-message-broker>
|
||||
|
||||
|
||||
* xref:servlet/appendix/namespace/http.adoc#nsa-expression-handler[expression-handler]
|
||||
* <<nsa-intercept-message,intercept-message>>
|
||||
|
||||
[[nsa-intercept-message]]
|
||||
== <intercept-message>
|
||||
|
||||
Defines an authorization rule for a message.
|
||||
|
||||
|
||||
[[nsa-intercept-message-parents]]
|
||||
=== Parent Elements of <intercept-message>
|
||||
|
||||
|
||||
* <<nsa-websocket-message-broker,websocket-message-broker>>
|
||||
|
||||
|
||||
[[nsa-intercept-message-attributes]]
|
||||
=== <intercept-message> Attributes
|
||||
|
||||
[[nsa-intercept-message-pattern]]
|
||||
* **pattern** An ant based pattern that matches on the Message destination.
|
||||
For example, "/**" matches any Message with a destination; "/admin/**" matches any Message that has a destination that starts with "/admin/**".
|
||||
|
||||
[[nsa-intercept-message-type]]
|
||||
* **type** The type of message to match on.
|
||||
Valid values are defined in SimpMessageType (i.e. CONNECT, CONNECT_ACK, HEARTBEAT, MESSAGE, SUBSCRIBE, UNSUBSCRIBE, DISCONNECT, DISCONNECT_ACK, OTHER).
|
||||
|
||||
[[nsa-intercept-message-access]]
|
||||
* **access** The expression used to secure the Message.
|
||||
For example, "denyAll" will deny access to all of the matching Messages; "permitAll" will grant access to all of the matching Messages; "hasRole('ADMIN') requires the current user to have the role 'ROLE_ADMIN' for the matching Messages.
|
|
@ -139,7 +139,7 @@ The following beans should be configured to commence the CAS authentication proc
|
|||
----
|
||||
|
||||
For CAS to operate, the `ExceptionTranslationFilter` must have its `authenticationEntryPoint` property set to the `CasAuthenticationEntryPoint` bean.
|
||||
This can easily be done using xref:servlet/appendix/namespace.adoc#nsa-http-entry-point-ref[entry-point-ref] as is done in the example above.
|
||||
This can easily be done using xref:servlet/appendix/namespace/http.adoc#nsa-http-entry-point-ref[entry-point-ref] as is done in the example above.
|
||||
The `CasAuthenticationEntryPoint` must refer to the `ServiceProperties` bean (discussed above), which provides the URL to the enterprise's CAS login server.
|
||||
This is where the user's browser will be redirected.
|
||||
|
||||
|
|
|
@ -166,5 +166,5 @@ This means that the `Subject` can be accessed using:
|
|||
Subject subject = Subject.getSubject(AccessController.getContext());
|
||||
----
|
||||
|
||||
This integration can easily be configured using the xref:servlet/appendix/namespace.adoc#nsa-http-jaas-api-provision[jaas-api-provision] attribute.
|
||||
This integration can easily be configured using the xref:servlet/appendix/namespace/http.adoc#nsa-http-jaas-api-provision[jaas-api-provision] attribute.
|
||||
This feature is useful when integrating with legacy or external API's that rely on the JAAS Subject being populated.
|
||||
|
|
|
@ -74,7 +74,7 @@ This is a shortcut for adding a `CookieClearingLogoutHandler` explicitly.
|
|||
[NOTE]
|
||||
====
|
||||
Logouts can of course also be configured using the XML Namespace notation.
|
||||
Please see the documentation for the xref:servlet/appendix/namespace.adoc#nsa-logout[ logout element] in the Spring Security XML Namespace section for further details.
|
||||
Please see the documentation for the xref:servlet/appendix/namespace/http.adoc#nsa-logout[ logout element] in the Spring Security XML Namespace section for further details.
|
||||
====
|
||||
|
||||
Generally, in order to customize logout functionality, you can add
|
||||
|
@ -145,4 +145,4 @@ If not configured a status code 200 will be returned by default.
|
|||
- xref:servlet/authentication/rememberme.adoc#remember-me-impls[Remember-Me Interfaces and Implementations]
|
||||
- xref:servlet/exploits/csrf.adoc#servlet-considerations-csrf-logout[ Logging Out] in section CSRF Caveats
|
||||
- Section xref:servlet/authentication/cas.adoc#cas-singlelogout[ Single Logout] (CAS protocol)
|
||||
- Documentation for the xref:servlet/appendix/namespace.adoc#nsa-logout[ logout element] in the Spring Security XML Namespace section
|
||||
- Documentation for the xref:servlet/appendix/namespace/http.adoc#nsa-logout[ logout element] in the Spring Security XML Namespace section
|
||||
|
|
|
@ -192,7 +192,7 @@ Common problems like incorrect filter ordering are no longer an issue as the fil
|
|||
|
||||
The `<authentication-provider>` element creates a `DaoAuthenticationProvider` bean and the `<user-service>` element creates an `InMemoryDaoImpl`.
|
||||
All `authentication-provider` elements must be children of the `<authentication-manager>` element, which creates a `ProviderManager` and registers the authentication providers with it.
|
||||
You can find more detailed information on the beans that are created in the xref:servlet/appendix/namespace.adoc#appendix-namespace[namespace appendix].
|
||||
You can find more detailed information on the beans that are created in the xref:servlet/appendix/namespace/index.adoc#appendix-namespace[namespace appendix].
|
||||
It's worth cross-checking this if you want to start understanding what the important classes in the framework are and how they are used, particularly if you want to customise things later.
|
||||
****
|
||||
|
||||
|
|
|
@ -375,7 +375,7 @@ For details, refer to the <<servlet-csrf-configure-custom-repository>> section.
|
|||
|
||||
If a token does expire, you might want to customize how it is handled by specifying a custom `AccessDeniedHandler`.
|
||||
The custom `AccessDeniedHandler` can process the `InvalidCsrfTokenException` any way you like.
|
||||
For an example of how to customize the `AccessDeniedHandler` refer to the provided links for both xref:servlet/appendix/namespace.adoc#nsa-access-denied-handler[xml] and {gh-url}/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpServerAccessDeniedHandlerTests.java#L64[Java configuration].
|
||||
For an example of how to customize the `AccessDeniedHandler` refer to the provided links for both xref:servlet/appendix/namespace/http.adoc#nsa-access-denied-handler[xml] and {gh-url}/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceHttpServerAccessDeniedHandlerTests.java#L64[Java configuration].
|
||||
// FIXME: We should add a custom AccessDeniedHandler section in the reference and update the links above
|
||||
|
||||
|
||||
|
|
|
@ -51,7 +51,7 @@ This will ensure that:
|
|||
<2> The SecurityContextHolder is populated with the user within the simpUser header attribute for any inbound request.
|
||||
<3> Our messages require the proper authorization. Specifically, any inbound message that starts with "/user/" will require ROLE_USER. Additional details on authorization can be found in <<websocket-authorization>>
|
||||
|
||||
Spring Security also provides xref:servlet/appendix/namespace.adoc#nsa-websocket-security[XML Namespace] support for securing WebSockets.
|
||||
Spring Security also provides xref:servlet/appendix/namespace/websocket.adoc#nsa-websocket-security[XML Namespace] support for securing WebSockets.
|
||||
A comparable XML based configuration looks like the following:
|
||||
|
||||
[source,xml]
|
||||
|
@ -132,7 +132,7 @@ This will ensure that:
|
|||
<5> Any other message of type MESSAGE or SUBSCRIBE is rejected. Due to 6 we do not need this step, but it illustrates how one can match on specific message types.
|
||||
<6> Any other Message is rejected. This is a good idea to ensure that you do not miss any messages.
|
||||
|
||||
Spring Security also provides xref:servlet/appendix/namespace.adoc#nsa-websocket-security[XML Namespace] support for securing WebSockets.
|
||||
Spring Security also provides xref:servlet/appendix/namespace/websocket.adoc#nsa-websocket-security[XML Namespace] support for securing WebSockets.
|
||||
A comparable XML based configuration looks like the following:
|
||||
|
||||
[source,xml]
|
||||
|
@ -360,7 +360,7 @@ SockJS may use an https://github.com/sockjs/sockjs-client/tree/v0.3.4[transport
|
|||
By default Spring Security will xref:features/exploits/headers.adoc#headers-frame-options[deny] the site from being framed to prevent Clickjacking attacks.
|
||||
To allow SockJS frame based transports to work, we need to configure Spring Security to allow the same origin to frame the content.
|
||||
|
||||
You can customize X-Frame-Options with the xref:servlet/appendix/namespace.adoc#nsa-frame-options[frame-options] element.
|
||||
You can customize X-Frame-Options with the xref:servlet/appendix/namespace/http.adoc#nsa-frame-options[frame-options] element.
|
||||
For example, the following will instruct Spring Security to use "X-Frame-Options: SAMEORIGIN" which allows iframes within the same domain:
|
||||
|
||||
[source,xml]
|
||||
|
@ -486,7 +486,7 @@ open class WebSecurityConfig : WebSecurityConfigurerAdapter() {
|
|||
----
|
||||
====
|
||||
|
||||
If we are using XML based configuration, we can use the xref:servlet/appendix/namespace.adoc#nsa-csrf-request-matcher-ref[csrf@request-matcher-ref].
|
||||
If we are using XML based configuration, we can use the xref:servlet/appendix/namespace/http.adoc#nsa-csrf-request-matcher-ref[csrf@request-matcher-ref].
|
||||
For example:
|
||||
|
||||
[source,xml]
|
||||
|
|
|
@ -74,7 +74,7 @@ class OAuth2ClientSecurityConfig : WebSecurityConfigurerAdapter() {
|
|||
|
||||
In addition to the `HttpSecurity.oauth2Client()` DSL, XML configuration is also supported.
|
||||
|
||||
The following code shows the complete configuration options available in the xref:servlet/appendix/namespace.adoc#nsa-oauth2-client[ security namespace]:
|
||||
The following code shows the complete configuration options available in the xref:servlet/appendix/namespace/http.adoc#nsa-oauth2-client[ security namespace]:
|
||||
|
||||
.OAuth2 Client XML Configuration Options
|
||||
====
|
||||
|
|
|
@ -737,7 +737,7 @@ class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
|
|||
|
||||
In addition to the `oauth2Login()` DSL, XML configuration is also supported.
|
||||
|
||||
The following code shows the complete configuration options available in the xref:servlet/appendix/namespace.adoc#nsa-oauth2-login[ security namespace]:
|
||||
The following code shows the complete configuration options available in the xref:servlet/appendix/namespace/http.adoc#nsa-oauth2-login[ security namespace]:
|
||||
|
||||
.OAuth2 Login XML Configuration Options
|
||||
====
|
||||
|
|