Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-07-01 00:02:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

Reduce length of long lines in the reference manual.

Browse Source 
Some are too long for the PDF version.
This commit is contained in:
Luke Taylor 2010-02-20 01:00:14 +00:00
parent 40d3f726d6
commit 7c99361c26
9 changed files with 90 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
docs/manual/src/docbook/core-services.xml
View File

@ -170,7 +170,8 @@
<property name="password" value=""/> <property name="password" value=""/>
</bean> </bean>
<bean id="userDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl"> <bean id="userDetailsService"
class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
<property name="dataSource" ref="dataSource"/> <property name="dataSource" ref="dataSource"/>
</bean> ]]> </programlisting> </bean> ]]> </programlisting>
</para> </para>

25
docs/manual/src/docbook/el-access.xml
View File

@ -136,13 +136,15 @@
<para>The most obviously useful annotation is <literal>@PreAuthorize</literal> which <para>The most obviously useful annotation is <literal>@PreAuthorize</literal> which
decides whether a method can actually be invoked or not. For example (from the decides whether a method can actually be invoked or not. For example (from the
<quote>Contacts</quote> sample <quote>Contacts</quote> sample
application)<programlisting> @PreAuthorize("hasRole('ROLE_USER')") application)<programlisting>
@PreAuthorize("hasRole('ROLE_USER')")
public void create(Contact contact);</programlisting>which public void create(Contact contact);</programlisting>which
means that access will only be allowed for users with the role "ROLE_USER". means that access will only be allowed for users with the role "ROLE_USER".
Obviously the same thing could easily be achieved using a traditional Obviously the same thing could easily be achieved using a traditional
configuration and a simple configuration attribute for the required role. But configuration and a simple configuration attribute for the required role. But
what what
about:<programlisting> @PreAuthorize("hasPermission(#contact, 'admin')") about:<programlisting>
@PreAuthorize("hasPermission(#contact, 'admin')")
public void deletePermission(Contact contact, Sid recipient, Permission permission);</programlisting>Here public void deletePermission(Contact contact, Sid recipient, Permission permission);</programlisting>Here
we're actually using a method argument as part of the expression to decide we're actually using a method argument as part of the expression to decide
whether the current user has the <quote>admin</quote>permission for the given whether the current user has the <quote>admin</quote>permission for the given
@ -154,7 +156,8 @@
within the expression, so you can also access properties on the arguments. For within the expression, so you can also access properties on the arguments. For
example, if you wanted a particular method to only allow access to a user whose example, if you wanted a particular method to only allow access to a user whose
username matched that of the contact, you could write</para> username matched that of the contact, you could write</para>
<programlisting> @PreAuthorize("#contact.name == principal.name)") <programlisting>
@PreAuthorize("#contact.name == principal.name)")
public void doSomething(Contact contact);</programlisting> public void doSomething(Contact contact);</programlisting>
<para>Here we are accessing another builtin expression, which is the <para>Here we are accessing another builtin expression, which is the
<literal>principal</literal> of the current Spring Security <literal>principal</literal> of the current Spring Security
@ -205,9 +208,13 @@
permissions. It has no explicit dependencies on the ACL module, so you could permissions. It has no explicit dependencies on the ACL module, so you could
swap that out for an alternative implementation if required. The interface has swap that out for an alternative implementation if required. The interface has
two methods: two methods:
<programlisting language="java"> boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission); <programlisting language="java">
boolean hasPermission(Authentication authentication, Object targetDomainObject,
Object permission);
boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission);</programlisting>which boolean hasPermission(Authentication authentication, Serializable targetId,
String targetType, Object permission);
</programlisting>which
map directly to the available versions of the expression, with the exception map directly to the available versions of the expression, with the exception
that the first argument (the <interfacename>Authentication</interfacename> that the first argument (the <interfacename>Authentication</interfacename>
object) is not supplied. The first is used in situations where the domain object) is not supplied. The first is used in situations where the domain
@ -220,12 +227,14 @@
long as it is consistent with how the permissions are loaded.</para> long as it is consistent with how the permissions are loaded.</para>
<para>To use <literal>hasPermission()</literal> expressions, you have to explicitly <para>To use <literal>hasPermission()</literal> expressions, you have to explicitly
configure a <interfacename>PermissionEvaluator</interfacename> in your configure a <interfacename>PermissionEvaluator</interfacename> in your
application context. This would look something like this:<programlisting language="xml"> <![CDATA[ <security:global-method-security pre-post-annotations="enabled"> application context. This would look something like this:
<programlisting language="xml"> <![CDATA[
<security:global-method-security pre-post-annotations="enabled">
<security:expression-handler ref="expressionHandler"/> <security:expression-handler ref="expressionHandler"/>
</security:global-method-security> </security:global-method-security>
<bean id="expressionHandler" <bean id="expressionHandler" class=
class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler"> "org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
<property name="permissionEvaluator" ref="myPermissionEvaluator"/> <property name="permissionEvaluator" ref="myPermissionEvaluator"/>
</bean>]]></programlisting>Where <literal>myPermissionEvaluator</literal> is the bean which </bean>]]></programlisting>Where <literal>myPermissionEvaluator</literal> is the bean which
implements <interfacename>PermissionEvaluator</interfacename>. Usually this will implements <interfacename>PermissionEvaluator</interfacename>. Usually this will

5
docs/manual/src/docbook/namespace-config.xml
View File

@ -511,7 +511,10 @@
attributes supported will depend on your OpenID provider. The attribute values are attributes supported will depend on your OpenID provider. The attribute values are
returned as part of the authentication process and can be accessed afterwards using the returned as part of the authentication process and can be accessed afterwards using the
following following
code:<programlisting language="java">OpenIDAuthenticationToken token = (OpenIDAuthenticationToken)SecurityContextHolder.getContext().getAuthentication(); code:
<programlisting language="java">
OpenIDAuthenticationToken token =
(OpenIDAuthenticationToken)SecurityContextHolder.getContext().getAuthentication();
List&lt;OpenIDAttribute> attributes = token.getAttributes();</programlisting>The List&lt;OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
<classname>OpenIDAttribute</classname> contains the attribute type and the retrieved <classname>OpenIDAttribute</classname> contains the attribute type and the retrieved
value (or values in the case of multi-valued attributes). We'll see more about how the value (or values in the case of multi-valued attributes). We'll see more about how the

5
docs/manual/src/docbook/remember-me-authentication.xml
View File

@ -78,7 +78,10 @@
<literal>persistent_logins</literal> table, created using the following SQL (or <literal>persistent_logins</literal> table, created using the following SQL (or
equivalent): equivalent):
<programlisting> <programlisting>
create table persistent_logins (username varchar(64) not null, series varchar(64) primary key, token varchar(64) not null, last_used timestamp not null) create table persistent_logins (username varchar(64) not null,
series varchar(64) primary key,
token varchar(64) not null,
last_used timestamp not null)
</programlisting></para> </programlisting></para>
<!-- TODO: Add more info on the implementation and behaviour when tokens are stolen etc. Also some info for admins on invalidating tokens using key, or deleting info from db --> <!-- TODO: Add more info on the implementation and behaviour when tokens are stolen etc. Also some info for admins on invalidating tokens using key, or deleting info from db -->
</section> </section>

8
docs/manual/src/docbook/secured-objects.xml
View File

@ -27,8 +27,8 @@
<title>Explicit MethodSecurityInterceptor Configuration</title> <title>Explicit MethodSecurityInterceptor Configuration</title>
<para> You can of course configure a <classname>MethodSecurityIterceptor</classname> directly <para> You can of course configure a <classname>MethodSecurityIterceptor</classname> directly
in your application context for use with one of Spring AOP's proxying mechanisms: <programlisting><![CDATA[ in your application context for use with one of Spring AOP's proxying mechanisms: <programlisting><![CDATA[
<bean id="bankManagerSecurity" <bean id="bankManagerSecurity" class=
class="org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor"> "org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager"/> <property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager" ref="accessDecisionManager"/> <property name="accessDecisionManager" ref="accessDecisionManager"/>
<property name="afterInvocationManager" ref="afterInvocationManager"/> <property name="afterInvocationManager" ref="afterInvocationManager"/>
@ -60,8 +60,8 @@
<para>Let's first consider how the <literal>AspectJSecurityInterceptor</literal> is configured <para>Let's first consider how the <literal>AspectJSecurityInterceptor</literal> is configured
in the Spring application context:</para> in the Spring application context:</para>
<programlisting><![CDATA[ <programlisting><![CDATA[
<bean id="bankManagerSecurity" <bean id="bankManagerSecurity" class=
class="org.springframework.security.access.intercept.aspectj.AspectJSecurityInterceptor"> "org.springframework.security.access.intercept.aspectj.AspectJSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager"/> <property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager" ref="accessDecisionManager"/> <property name="accessDecisionManager" ref="accessDecisionManager"/>
<property name="afterInvocationManager" ref="afterInvocationManager"/> <property name="afterInvocationManager" ref="afterInvocationManager"/>

19
docs/manual/src/docbook/session-mgmt.xml
View File

@ -43,14 +43,14 @@
<session-management session-authentication-strategy-ref="sas"/> <session-management session-authentication-strategy-ref="sas"/>
</http> </http>
<beans:bean id="myAuthFilter" <beans:bean id="myAuthFilter" class=
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"> "org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<beans:property name="sessionAuthenticationStrategy" ref="sas" /> <beans:property name="sessionAuthenticationStrategy" ref="sas" />
... ...
</beans:bean> </beans:bean>
<beans:bean id="sas" <beans:bean id="sas" class=
class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy"> "org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
<beans:property name="sessionRegistry" ref="sessionRegistry" /> <beans:property name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="maximumSessions" value="1" /> <beans:property name="maximumSessions" value="1" />
</beans:bean> </beans:bean>
@ -109,19 +109,20 @@
<beans:property name="expiredUrl" value="/session-expired.htm" /> <beans:property name="expiredUrl" value="/session-expired.htm" />
</beans:bean> </beans:bean>
<beans:bean id="myAuthFilter" <beans:bean id="myAuthFilter" class=
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"> "org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<beans:property name="sessionAuthenticationStrategy" ref="sas" /> <beans:property name="sessionAuthenticationStrategy" ref="sas" />
<beans:property name="authenticationManager" ref="authenticationManager" /> <beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean> </beans:bean>
<beans:bean id="sas" <beans:bean id="sas" class=
class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy"> "org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" /> <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="maximumSessions" value="1" /> <beans:property name="maximumSessions" value="1" />
</beans:bean> </beans:bean>
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" /> <beans:bean id="sessionRegistry"
class="org.springframework.security.core.session.SessionRegistryImpl" />
]]> ]]>
</programlisting></para> </programlisting></para>
<para>Adding the listener to <filename>web.xml</filename> causes an <para>Adding the listener to <filename>web.xml</filename> causes an

4
docs/manual/src/docbook/technical-overview.xml
View File

@ -426,8 +426,8 @@ Successfully authenticated. Security context contains: \
Even though a <classname>ThreadLocal</classname> is being used, it is the same instance Even though a <classname>ThreadLocal</classname> is being used, it is the same instance
that is retrieved from the <interfacename>HttpSession</interfacename> for each thread. that is retrieved from the <interfacename>HttpSession</interfacename> for each thread.
This has implications if you wish to temporarily change the context under which a thread This has implications if you wish to temporarily change the context under which a thread
is running. If you just use is running. If you just use <code>SecurityContextHolder.getContext()</code>,
<code>SecurityContextHolder.getContext().setAuthentication(anAuthentication)</code>, and call <code>setAuthentication(anAuthentication)</code> on the returned context object,
then the <interfacename>Authentication</interfacename> object will change in then the <interfacename>Authentication</interfacename> object will change in
<emphasis>all</emphasis> concurrent threads which share the same <emphasis>all</emphasis> concurrent threads which share the same
<interfacename>SecurityContext</interfacename> instance. You can customize the behaviour <interfacename>SecurityContext</interfacename> instance. You can customize the behaviour