Reduce length of long lines in the reference manual.
Some are too long for the PDF version.
This commit is contained in:
parent
40d3f726d6
commit
7c99361c26
|
@ -82,10 +82,10 @@
|
|||
following format:</para>
|
||||
<para>
|
||||
<programlisting>
|
||||
base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key))
|
||||
base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key))
|
||||
|
||||
expirationTime: The date and time when the nonce expires, expressed in milliseconds
|
||||
key: A private key to prevent modification of the nonce token
|
||||
expirationTime: The date and time when the nonce expires, expressed in milliseconds
|
||||
key: A private key to prevent modification of the nonce token
|
||||
</programlisting>
|
||||
</para>
|
||||
<para>The <classname>DigestAuthenticatonEntryPoint</classname> has a property specifying the
|
||||
|
|
|
@ -16,7 +16,7 @@
|
|||
<classname>ExceptionTranslationFilter</classname>. A typical configuration example
|
||||
is shown below: <programlisting language="xml"><![CDATA[
|
||||
<bean id="filterSecurityInterceptor"
|
||||
class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
|
||||
class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
|
||||
<property name="authenticationManager" ref="authenticationManager"/>
|
||||
<property name="accessDecisionManager" ref="accessDecisionManager"/>
|
||||
<property name="securityMetadataSource">
|
||||
|
@ -70,7 +70,7 @@
|
|||
be written as follows:</para>
|
||||
<programlisting language="xml"><![CDATA[
|
||||
<bean id="filterInvocationInterceptor"
|
||||
class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
|
||||
class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
|
||||
<property name="authenticationManager" ref="authenticationManager"/>
|
||||
<property name="accessDecisionManager" ref="accessDecisionManager"/>
|
||||
<property name="runAsManager" ref="runAsManager"/>
|
||||
|
@ -108,14 +108,14 @@
|
|||
doesn't do any actual security enforcement itself, but handles exceptions thrown by the
|
||||
security interceptors and provides suitable and HTTP responses. <programlisting language="xml"><![CDATA[
|
||||
<bean id="exceptionTranslationFilter"
|
||||
class="org.springframework.security.web.access.ExceptionTranslationFilter">
|
||||
<property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
|
||||
<property name="accessDeniedHandler" ref="accessDeniedHandler"/>
|
||||
class="org.springframework.security.web.access.ExceptionTranslationFilter">
|
||||
<property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
|
||||
<property name="accessDeniedHandler" ref="accessDeniedHandler"/>
|
||||
</bean>
|
||||
|
||||
<bean id="authenticationEntryPoint"
|
||||
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
|
||||
<property name="loginFormUrl" value="/login.jsp"/>
|
||||
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
|
||||
<property name="loginFormUrl" value="/login.jsp"/>
|
||||
</bean>
|
||||
|
||||
<bean id="accessDeniedHandler"
|
||||
|
@ -181,7 +181,7 @@
|
|||
you would configure it for use with a <classname>FilterChainProxy</classname>. A basic
|
||||
configuration only requires the bean itself <programlisting><![CDATA[
|
||||
<bean id="securityContextPersistenceFilter"
|
||||
class="org.springframework.security.web.context.SecurityContextPersistenceFilter"/>
|
||||
class="org.springframework.security.web.context.SecurityContextPersistenceFilter"/>
|
||||
]]></programlisting> As we saw previously, this filter has two main tasks. It is responsible for
|
||||
storage of the <classname>SecurityContext</classname> contents between HTTP requests and
|
||||
for clearing the <classname>SecurityContextHolder</classname> when a request is
|
||||
|
|
|
@ -170,7 +170,8 @@
|
|||
<property name="password" value=""/>
|
||||
</bean>
|
||||
|
||||
<bean id="userDetailsService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
|
||||
<bean id="userDetailsService"
|
||||
class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
|
||||
<property name="dataSource" ref="dataSource"/>
|
||||
</bean> ]]> </programlisting>
|
||||
</para>
|
||||
|
|
|
@ -136,14 +136,16 @@
|
|||
<para>The most obviously useful annotation is <literal>@PreAuthorize</literal> which
|
||||
decides whether a method can actually be invoked or not. For example (from the
|
||||
<quote>Contacts</quote> sample
|
||||
application)<programlisting> @PreAuthorize("hasRole('ROLE_USER')")
|
||||
public void create(Contact contact);</programlisting>which
|
||||
application)<programlisting>
|
||||
@PreAuthorize("hasRole('ROLE_USER')")
|
||||
public void create(Contact contact);</programlisting>which
|
||||
means that access will only be allowed for users with the role "ROLE_USER".
|
||||
Obviously the same thing could easily be achieved using a traditional
|
||||
configuration and a simple configuration attribute for the required role. But
|
||||
what
|
||||
about:<programlisting> @PreAuthorize("hasPermission(#contact, 'admin')")
|
||||
public void deletePermission(Contact contact, Sid recipient, Permission permission);</programlisting>Here
|
||||
about:<programlisting>
|
||||
@PreAuthorize("hasPermission(#contact, 'admin')")
|
||||
public void deletePermission(Contact contact, Sid recipient, Permission permission);</programlisting>Here
|
||||
we're actually using a method argument as part of the expression to decide
|
||||
whether the current user has the <quote>admin</quote>permission for the given
|
||||
contact. The built-in <literal>hasPermission()</literal> expression is linked
|
||||
|
@ -154,8 +156,9 @@
|
|||
within the expression, so you can also access properties on the arguments. For
|
||||
example, if you wanted a particular method to only allow access to a user whose
|
||||
username matched that of the contact, you could write</para>
|
||||
<programlisting> @PreAuthorize("#contact.name == principal.name)")
|
||||
public void doSomething(Contact contact);</programlisting>
|
||||
<programlisting>
|
||||
@PreAuthorize("#contact.name == principal.name)")
|
||||
public void doSomething(Contact contact);</programlisting>
|
||||
<para>Here we are accessing another built–in expression, which is the
|
||||
<literal>principal</literal> of the current Spring Security
|
||||
<interfacename>Authentication</interfacename> object obtained from the
|
||||
|
@ -205,9 +208,13 @@
|
|||
permissions. It has no explicit dependencies on the ACL module, so you could
|
||||
swap that out for an alternative implementation if required. The interface has
|
||||
two methods:
|
||||
<programlisting language="java"> boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission);
|
||||
<programlisting language="java">
|
||||
boolean hasPermission(Authentication authentication, Object targetDomainObject,
|
||||
Object permission);
|
||||
|
||||
boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission);</programlisting>which
|
||||
boolean hasPermission(Authentication authentication, Serializable targetId,
|
||||
String targetType, Object permission);
|
||||
</programlisting>which
|
||||
map directly to the available versions of the expression, with the exception
|
||||
that the first argument (the <interfacename>Authentication</interfacename>
|
||||
object) is not supplied. The first is used in situations where the domain
|
||||
|
@ -220,14 +227,16 @@
|
|||
long as it is consistent with how the permissions are loaded.</para>
|
||||
<para>To use <literal>hasPermission()</literal> expressions, you have to explicitly
|
||||
configure a <interfacename>PermissionEvaluator</interfacename> in your
|
||||
application context. This would look something like this:<programlisting language="xml"> <![CDATA[ <security:global-method-security pre-post-annotations="enabled">
|
||||
<security:expression-handler ref="expressionHandler"/>
|
||||
</security:global-method-security>
|
||||
application context. This would look something like this:
|
||||
<programlisting language="xml"> <![CDATA[
|
||||
<security:global-method-security pre-post-annotations="enabled">
|
||||
<security:expression-handler ref="expressionHandler"/>
|
||||
</security:global-method-security>
|
||||
|
||||
<bean id="expressionHandler"
|
||||
class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
|
||||
<property name="permissionEvaluator" ref="myPermissionEvaluator"/>
|
||||
</bean>]]></programlisting>Where <literal>myPermissionEvaluator</literal> is the bean which
|
||||
<bean id="expressionHandler" class=
|
||||
"org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
|
||||
<property name="permissionEvaluator" ref="myPermissionEvaluator"/>
|
||||
</bean>]]></programlisting>Where <literal>myPermissionEvaluator</literal> is the bean which
|
||||
implements <interfacename>PermissionEvaluator</interfacename>. Usually this will
|
||||
be the implementation from the ACL module which is called
|
||||
<classname>AclPermissionEvaluator</classname>. See the
|
||||
|
|
|
@ -499,19 +499,22 @@
|
|||
xlink:href="http://openid.net/specs/openid-attribute-exchange-1_0.html">attribute
|
||||
exchange</link>. As an example, the following configuration would attempt to retrieve
|
||||
the email and full name from the OpenID provider, for use by the application:<programlisting language="xml"><![CDATA[
|
||||
<openid-login>
|
||||
<attribute-exchange>
|
||||
<openid-attribute name="email" type="http://axschema.org/contact/email" required="true" />
|
||||
<openid-attribute name="name" type="http://axschema.org/namePerson" />
|
||||
</attribute-exchange>
|
||||
</openid-login>]]></programlisting>The <quote>type</quote> of each OpenID attribute is a URI,
|
||||
<openid-login>
|
||||
<attribute-exchange>
|
||||
<openid-attribute name="email" type="http://axschema.org/contact/email" required="true"/>
|
||||
<openid-attribute name="name" type="http://axschema.org/namePerson"/>
|
||||
</attribute-exchange>
|
||||
</openid-login>]]></programlisting>The <quote>type</quote> of each OpenID attribute is a URI,
|
||||
determined by a particular schema, in this case <link xlink:href="http://axschema.org/"
|
||||
>http://axschema.org/</link>. If an attribute must be retrieved for successful
|
||||
authentication, the <literal>required</literal> attribute can be set. The exact schema and
|
||||
attributes supported will depend on your OpenID provider. The attribute values are
|
||||
returned as part of the authentication process and can be accessed afterwards using the
|
||||
following
|
||||
code:<programlisting language="java">OpenIDAuthenticationToken token = (OpenIDAuthenticationToken)SecurityContextHolder.getContext().getAuthentication();
|
||||
code:
|
||||
<programlisting language="java">
|
||||
OpenIDAuthenticationToken token =
|
||||
(OpenIDAuthenticationToken)SecurityContextHolder.getContext().getAuthentication();
|
||||
List<OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
|
||||
<classname>OpenIDAttribute</classname> contains the attribute type and the retrieved
|
||||
value (or values in the case of multi-valued attributes). We'll see more about how the
|
||||
|
|
|
@ -78,7 +78,10 @@
|
|||
<literal>persistent_logins</literal> table, created using the following SQL (or
|
||||
equivalent):
|
||||
<programlisting>
|
||||
create table persistent_logins (username varchar(64) not null, series varchar(64) primary key, token varchar(64) not null, last_used timestamp not null)
|
||||
create table persistent_logins (username varchar(64) not null,
|
||||
series varchar(64) primary key,
|
||||
token varchar(64) not null,
|
||||
last_used timestamp not null)
|
||||
</programlisting></para>
|
||||
<!-- TODO: Add more info on the implementation and behaviour when tokens are stolen etc. Also some info for admins on invalidating tokens using key, or deleting info from db -->
|
||||
</section>
|
||||
|
|
|
@ -27,8 +27,8 @@
|
|||
<title>Explicit MethodSecurityInterceptor Configuration</title>
|
||||
<para> You can of course configure a <classname>MethodSecurityIterceptor</classname> directly
|
||||
in your application context for use with one of Spring AOP's proxying mechanisms: <programlisting><![CDATA[
|
||||
<bean id="bankManagerSecurity"
|
||||
class="org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor">
|
||||
<bean id="bankManagerSecurity" class=
|
||||
"org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor">
|
||||
<property name="authenticationManager" ref="authenticationManager"/>
|
||||
<property name="accessDecisionManager" ref="accessDecisionManager"/>
|
||||
<property name="afterInvocationManager" ref="afterInvocationManager"/>
|
||||
|
@ -60,8 +60,8 @@
|
|||
<para>Let's first consider how the <literal>AspectJSecurityInterceptor</literal> is configured
|
||||
in the Spring application context:</para>
|
||||
<programlisting><![CDATA[
|
||||
<bean id="bankManagerSecurity"
|
||||
class="org.springframework.security.access.intercept.aspectj.AspectJSecurityInterceptor">
|
||||
<bean id="bankManagerSecurity" class=
|
||||
"org.springframework.security.access.intercept.aspectj.AspectJSecurityInterceptor">
|
||||
<property name="authenticationManager" ref="authenticationManager"/>
|
||||
<property name="accessDecisionManager" ref="accessDecisionManager"/>
|
||||
<property name="afterInvocationManager" ref="afterInvocationManager"/>
|
||||
|
|
|
@ -38,22 +38,22 @@
|
|||
<classname>AbstractAuthenticationProcessingFilter</classname>, so if you are using a
|
||||
customized form-login class, for example, you will need to inject it into both of these. In
|
||||
this case, a typical configuration, combining the namespace and custom beans might look like this:<programlisting><![CDATA[
|
||||
<http>
|
||||
<custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" />
|
||||
<session-management session-authentication-strategy-ref="sas"/>
|
||||
</http>
|
||||
<http>
|
||||
<custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" />
|
||||
<session-management session-authentication-strategy-ref="sas"/>
|
||||
</http>
|
||||
|
||||
<beans:bean id="myAuthFilter"
|
||||
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
|
||||
<beans:bean id="myAuthFilter" class=
|
||||
"org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
|
||||
<beans:property name="sessionAuthenticationStrategy" ref="sas" />
|
||||
...
|
||||
</beans:bean>
|
||||
</beans:bean>
|
||||
|
||||
<beans:bean id="sas"
|
||||
class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
|
||||
<beans:bean id="sas" class=
|
||||
"org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
|
||||
<beans:property name="sessionRegistry" ref="sessionRegistry" />
|
||||
<beans:property name="maximumSessions" value="1" />
|
||||
</beans:bean>
|
||||
</beans:bean>
|
||||
]]>
|
||||
</programlisting></para>
|
||||
</section>
|
||||
|
@ -96,32 +96,33 @@
|
|||
points to the page to display when a session has expired. A configuration using the namespace
|
||||
to create the <classname>FilterChainProxy</classname> and other default beans might look like
|
||||
this: <programlisting><![CDATA[
|
||||
<http>
|
||||
<custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
|
||||
<custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" />
|
||||
<http>
|
||||
<custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
|
||||
<custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" />
|
||||
|
||||
<session-management session-authentication-strategy-ref="sas"/>
|
||||
</http>
|
||||
<session-management session-authentication-strategy-ref="sas"/>
|
||||
</http>
|
||||
|
||||
<beans:bean id="concurrencyFilter"
|
||||
class="org.springframework.security.web.session.ConcurrentSessionFilter">
|
||||
<beans:property name="sessionRegistry" ref="sessionRegistry" />
|
||||
<beans:property name="expiredUrl" value="/session-expired.htm" />
|
||||
</beans:bean>
|
||||
<beans:bean id="concurrencyFilter"
|
||||
class="org.springframework.security.web.session.ConcurrentSessionFilter">
|
||||
<beans:property name="sessionRegistry" ref="sessionRegistry" />
|
||||
<beans:property name="expiredUrl" value="/session-expired.htm" />
|
||||
</beans:bean>
|
||||
|
||||
<beans:bean id="myAuthFilter"
|
||||
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
|
||||
<beans:property name="sessionAuthenticationStrategy" ref="sas" />
|
||||
<beans:property name="authenticationManager" ref="authenticationManager" />
|
||||
</beans:bean>
|
||||
<beans:bean id="myAuthFilter" class=
|
||||
"org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
|
||||
<beans:property name="sessionAuthenticationStrategy" ref="sas" />
|
||||
<beans:property name="authenticationManager" ref="authenticationManager" />
|
||||
</beans:bean>
|
||||
|
||||
<beans:bean id="sas"
|
||||
class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
|
||||
<beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
|
||||
<beans:property name="maximumSessions" value="1" />
|
||||
</beans:bean>
|
||||
<beans:bean id="sas" class=
|
||||
"org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
|
||||
<beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
|
||||
<beans:property name="maximumSessions" value="1" />
|
||||
</beans:bean>
|
||||
|
||||
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
|
||||
<beans:bean id="sessionRegistry"
|
||||
class="org.springframework.security.core.session.SessionRegistryImpl" />
|
||||
]]>
|
||||
</programlisting></para>
|
||||
<para>Adding the listener to <filename>web.xml</filename> causes an
|
||||
|
|
|
@ -426,8 +426,8 @@ Successfully authenticated. Security context contains: \
|
|||
Even though a <classname>ThreadLocal</classname> is being used, it is the same instance
|
||||
that is retrieved from the <interfacename>HttpSession</interfacename> for each thread.
|
||||
This has implications if you wish to temporarily change the context under which a thread
|
||||
is running. If you just use
|
||||
<code>SecurityContextHolder.getContext().setAuthentication(anAuthentication)</code>,
|
||||
is running. If you just use <code>SecurityContextHolder.getContext()</code>,
|
||||
and call <code>setAuthentication(anAuthentication)</code> on the returned context object,
|
||||
then the <interfacename>Authentication</interfacename> object will change in
|
||||
<emphasis>all</emphasis> concurrent threads which share the same
|
||||
<interfacename>SecurityContext</interfacename> instance. You can customize the behaviour
|
||||
|
|
Loading…
Reference in New Issue