SEC-1322: More doc updates following further user requests for clarification

Luke Taylor 2009-12-14 15:13:57 +00:00
parent 6805761d85
commit 88caa4d221
4 changed files with 131 additions and 204 deletions

View File

@ -1,4 +1,5 @@
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="anonymous" xmlns:xlink="http://www.w3.org/1999/xlink"> <chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="anonymous"
xmlns:xlink="http://www.w3.org/1999/xlink">
<info> <info>
<title>Anonymous Authentication</title> <title>Anonymous Authentication</title>
</info> </info>
@ -69,10 +70,10 @@
</programlisting> </programlisting>
</para> </para>
<para>The <literal>key</literal> is shared between the filter and authentication provider, <para>The <literal>key</literal> is shared between the filter and authentication provider,
so that tokens created by the former are accepted by the latter<footnote> so that tokens created by the former are accepted by the latter<footnote><para>The use
<para>The use of the <literal>key</literal> property should not be regarded as of the <literal>key</literal> property should not be regarded as providing any
providing any real security here. It is merely a book-keeping exercise. If you real security here. It is merely a book-keeping exercise. If you are sharing a
are sharing a <classname>ProviderManager</classname> which contains an <classname>ProviderManager</classname> which contains an
<classname>AnonymousAuthenticationProvider</classname> in a scenario where <classname>AnonymousAuthenticationProvider</classname> in a scenario where
it is possible for an authenticating client to construct the it is possible for an authenticating client to construct the
<interfacename>Authentication</interfacename> object (such as with RMI <interfacename>Authentication</interfacename> object (such as with RMI
@ -83,8 +84,8 @@
anonymous provider. This isn't a problem with normal usage but if you are using anonymous provider. This isn't a problem with normal usage but if you are using
RMI you would be best to use a customized <classname>ProviderManager</classname> RMI you would be best to use a customized <classname>ProviderManager</classname>
which omits the anonymous provider rather than sharing the one you use for your which omits the anonymous provider rather than sharing the one you use for your
HTTP authentication mechanisms.</para> HTTP authentication mechanisms.</para></footnote>. The
</footnote>. The <literal>userAttribute</literal> is expressed in the form of <literal>userAttribute</literal> is expressed in the form of
<literal>usernameInTheAuthenticationToken,grantedAuthority[,grantedAuthority]</literal>. <literal>usernameInTheAuthenticationToken,grantedAuthority[,grantedAuthority]</literal>.
This is the same syntax as used after the equals sign for This is the same syntax as used after the equals sign for
<literal>InMemoryDaoImpl</literal>'s <literal>userMap</literal> property.</para> <literal>InMemoryDaoImpl</literal>'s <literal>userMap</literal> property.</para>
@ -126,11 +127,16 @@
always be deemed <quote>authenticated</quote> and never be given an opportunity to login always be deemed <quote>authenticated</quote> and never be given an opportunity to login
via form, basic, digest or some other normal authentication mechanism. </para> via form, basic, digest or some other normal authentication mechanism. </para>
<para> You will often see the <literal>ROLE_ANONYMOUS</literal> attribute in the above <para> You will often see the <literal>ROLE_ANONYMOUS</literal> attribute in the above
interceptor configuration replaced with <literal>IS_AUTHENTICATED_ANONYMOUSLY</literal>. interceptor configuration replaced with <literal>IS_AUTHENTICATED_ANONYMOUSLY</literal>,
This is an example of the use of the <classname>AuthenticatedVoter</classname> which which is effectively the same thing when defining access controls. This is an example of
will see in the <link xlink:href="#authz-authenticated-voter">authorization the use of the <classname>AuthenticatedVoter</classname> which we will see in the <link
chapter</link>. It uses an xlink:href="#authz-authenticated-voter">authorization chapter</link>. It uses an
<interfacename>AuthenticationTrustResolver</interfacename> to process this <interfacename>AuthenticationTrustResolver</interfacename> to process this
particular configuration attribute and grant access to aonymous users. </para> particular configuration attribute and grant access to aonymous users. The
<classname>AuthenticatedVoter</classname> approach is more powerful, since it allows
you to differentiate between anonymous, remember-me and fully-authenticated users. If
you don't need this functionality though, then you can stick with
<literal>ROLE_ANONYMOUS</literal>, which will be processed by Spring Security's
standard <classname>RoleVoter</classname>. </para>
</section> </section>
</chapter> </chapter>
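Review bot: the typo "aonymous" in "grant access to aonymous users" (new side, immediately before the added sentences about AuthenticatedVoter) survives the rewrite and should be "anonymous". Consider also qualifying "which is effectively the same thing when defining access controls": the same paragraph goes on to explain that the two attributes are handled by different voters (RoleVoter matching a granted authority versus AuthenticatedVoter consulting the AuthenticationTrustResolver) and that only the latter distinguishes anonymous, remember-me and fully-authenticated users, so "equivalent for the common case of granting access to everyone" is more accurate than "effectively the same thing". Minor: "If you don't need this functionality though, then you can" reads better as "If you don't need this functionality, though, you can".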

View File

@ -100,7 +100,7 @@
--> -->
<imageobject> <imageobject>
<imagedata align="center" scalefit="1" fileref="images/AccessDecisionVoting.gif" <imagedata align="center" scalefit="1" fileref="images/AccessDecisionVoting.gif"
format="GIF" /> format="GIF"/>
</imageobject> </imageobject>
</mediaobject> </mediaobject>
</figure> </figure>
@ -160,10 +160,13 @@ boolean supports(Class clazz);
<title><classname>AuthenticatedVoter</classname></title> <title><classname>AuthenticatedVoter</classname></title>
<para> Another voter which we've implicitly seen is the <para> Another voter which we've implicitly seen is the
<classname>AuthenticatedVoter</classname>, which can be used to differentiate between <classname>AuthenticatedVoter</classname>, which can be used to differentiate between
anonymous, fully-authenticated and remember-me authenticated users. When we've used the anonymous, fully-authenticated and remember-me authenticated users. Many sites allow
attribute <literal>IS_AUTHENTICATED_ANONYMOUSLY</literal> to grant anonymous access, this certain limited access under remember-me authentication, but require a user to confirm
attribute was being processed by the <classname>AuthenticatedVoter</classname>. See the their identity by logging in for full access.</para>
Javadoc for this class for more information. </para> <para>When we've used the attribute <literal>IS_AUTHENTICATED_ANONYMOUSLY</literal> to grant
anonymous access, this attribute was being processed by the
<classname>AuthenticatedVoter</classname>. See the Javadoc for this class for more
information. </para>
</section> </section>
<section> <section>
<title>Custom Voters</title> <title>Custom Voters</title>
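Review bot: the added sentence about limited access under remember-me authentication motivates the voter well, but the section still names only IS_AUTHENTICATED_ANONYMOUSLY; since the point of the paragraph is that AuthenticatedVoter differentiates three levels, list the other two attribute values it recognises (IS_AUTHENTICATED_REMEMBERED and IS_AUTHENTICATED_FULLY) so a reader can express "require a fresh login for full access" without leaving the reference guide for the Javadoc.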
@ -197,15 +200,11 @@ boolean supports(Class clazz);
that integrate with its ACL capabilities.</para> that integrate with its ACL capabilities.</para>
<para><xref linkend="authz-after-invocation"/> illustrates Spring Security's <para><xref linkend="authz-after-invocation"/> illustrates Spring Security's
<literal>AfterInvocationManager</literal> and its concrete implementations. <figure <literal>AfterInvocationManager</literal> and its concrete implementations. <figure
xml:id="authz-after-invocation"> xml:id="authz-after-invocation"><title>After Invocation
<title>After Invocation Implementation</title> Implementation</title><mediaobject><imageobject>
<mediaobject>
<imageobject>
<imagedata align="center" scalefit="1" fileref="images/AfterInvocation.gif" format="GIF" <imagedata align="center" scalefit="1" fileref="images/AfterInvocation.gif" format="GIF"
/> />
</imageobject> </imageobject></mediaobject></figure></para>
</mediaobject>
</figure></para>
<para>Like many other parts of Spring Security, <literal>AfterInvocationManager</literal> has a <para>Like many other parts of Spring Security, <literal>AfterInvocationManager</literal> has a
single concrete implementation, <literal>AfterInvocationProviderManager</literal>, which polls single concrete implementation, <literal>AfterInvocationProviderManager</literal>, which polls
a list of <literal>AfterInvocationProvider</literal>s. Each a list of <literal>AfterInvocationProvider</literal>s. Each

View File

@ -21,13 +21,13 @@
]]></programlisting> This is much simpler than wiring up the equivalent Apache Directory Server ]]></programlisting> This is much simpler than wiring up the equivalent Apache Directory Server
beans. The most common alternative configuration requirements are supported by attributes on beans. The most common alternative configuration requirements are supported by attributes on
the <literal>ldap-server</literal> element and the user is isolated from worrying about which the <literal>ldap-server</literal> element and the user is isolated from worrying about which
beans they need to create and what the bean property names are. <footnote> beans they need to create and what the bean property names are. <footnote><para>You can find
<para>You can find out more about the use of the <literal>ldap-server</literal> element in out more about the use of the <literal>ldap-server</literal> element in the chapter on
the chapter on <link xlink:href="#ldap">LDAP</link>.</para> <link xlink:href="#ldap">LDAP</link>.</para></footnote>. Use of a good XML editor while
</footnote>. Use of a good XML editor while editing the application context file should editing the application context file should provide information on the attributes and elements
provide information on the attributes and elements that are available. We would recommend that that are available. We would recommend that you try out the <link
you try out the <link xlink:href="http://www.springsource.com/products/sts">SpringSource Tool xlink:href="http://www.springsource.com/products/sts">SpringSource Tool Suite</link> as it
Suite</link> as it has special features for working with standard Spring namespaces. </para> has special features for working with standard Spring namespaces. </para>
<para> To start using the security namespace in your application context, all you need to do is <para> To start using the security namespace in your application context, all you need to do is
add the schema declaration to your application context file: <programlisting language="xml"> add the schema declaration to your application context file: <programlisting language="xml">
<![CDATA[ <![CDATA[
@ -61,41 +61,25 @@
<para> The namespace is designed to capture the most common uses of the framework and provide <para> The namespace is designed to capture the most common uses of the framework and provide
a simplified and concise syntax for enabling them within an application. The design is based a simplified and concise syntax for enabling them within an application. The design is based
around the large-scale dependencies within the framework, and can be divided up into the around the large-scale dependencies within the framework, and can be divided up into the
following areas: <itemizedlist> following areas: <itemizedlist><listitem><para>
<listitem>
<para>
<emphasis>Web/HTTP Security</emphasis> - the most complex part. Sets up the filters <emphasis>Web/HTTP Security</emphasis> - the most complex part. Sets up the filters
and related service beans used to apply the framework authentication mechanisms, to and related service beans used to apply the framework authentication mechanisms, to
secure URLs, render login and error pages and much more.</para> secure URLs, render login and error pages and much
</listitem> more.</para></listitem><listitem><para>
<listitem>
<para>
<emphasis>Business Object (Method) Security</emphasis> - options for securing the <emphasis>Business Object (Method) Security</emphasis> - options for securing the
service layer.</para> service layer.</para></listitem><listitem><para>
</listitem>
<listitem>
<para>
<emphasis>AuthenticationManager</emphasis> - handles authentication requests from <emphasis>AuthenticationManager</emphasis> - handles authentication requests from
other parts of the framework.</para> other parts of the framework.</para></listitem><listitem><para>
</listitem>
<listitem>
<para>
<emphasis>AccessDecisionManager</emphasis> - provides access decisions for web and <emphasis>AccessDecisionManager</emphasis> - provides access decisions for web and
method security. A default one will be registered, but you can also choose to use a method security. A default one will be registered, but you can also choose to use a
custom one, declared using normal Spring bean syntax.</para> custom one, declared using normal Spring bean
</listitem> syntax.</para></listitem><listitem><para>
<listitem>
<para>
<emphasis>AuthenticationProvider</emphasis>s - mechanisms against which the <emphasis>AuthenticationProvider</emphasis>s - mechanisms against which the
authentication manager authenticates users. The namespace provides supports for authentication manager authenticates users. The namespace provides supports for
several standard options and also a means of adding custom beans declared using a several standard options and also a means of adding custom beans declared using a
traditional syntax. </para> traditional syntax. </para></listitem><listitem><para>
</listitem>
<listitem>
<para>
<emphasis>UserDetailsService</emphasis> - closely related to authentication providers, <emphasis>UserDetailsService</emphasis> - closely related to authentication providers,
but often also required by other beans.</para> but often also required by other beans.</para></listitem>
</listitem>
<!-- todo: diagram and link to other sections which describe the interfaces --> <!-- todo: diagram and link to other sections which describe the interfaces -->
</itemizedlist></para> </itemizedlist></para>
<para>We'll see how to configure these in the following sections.</para> <para>We'll see how to configure these in the following sections.</para>
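Review bot: "The namespace provides supports for several standard options" in the AuthenticationProvider item is carried over unchanged from the old side and should read "provides support for"; since this hunk rewraps every list item anyway, fix it here. Collapsing each <listitem><para> pair onto the end of the previous item's closing tags also makes any future change to one item show up as a rewrite of its neighbours; if the reflow is an editor artefact rather than an intended change, the one-element-per-line layout on the old side was easier to review.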
@ -148,20 +132,20 @@
requirements for requests matching the given pattern. With the default configuration, this requirements for requests matching the given pattern. With the default configuration, this
is typically a comma-separated list of roles, one of which a user must have to be allowed to is typically a comma-separated list of roles, one of which a user must have to be allowed to
make the request. Access-control in Spring Security is not limited to the use of simple make the request. Access-control in Spring Security is not limited to the use of simple
roles, however, and we'll see later how the interpretation can vary<footnote> roles, however, and we'll see later how the interpretation can vary<footnote><para>The
<para>The interpretation of the comma-separated values in the <literal>access</literal> interpretation of the comma-separated values in the <literal>access</literal> attribute
attribute depends on the implementation of the <link xlink:href="#ns-access-manager" depends on the implementation of the <link xlink:href="#ns-access-manager"
>AccessDecisionManager</link> which is used. In Spring Security 3.0, the attribute can >AccessDecisionManager</link> which is used. In Spring Security 3.0, the attribute can
also be populated with an <link xlink:href="#el-access">EL expression</link>.</para> also be populated with an <link xlink:href="#el-access">EL
</footnote>.</para> expression</link>.</para></footnote>.</para>
<note> <note>
<para>You can use multiple <literal>&lt;intercept-url&gt;</literal> elements to define <para>You can use multiple <literal>&lt;intercept-url&gt;</literal> elements to define
different access requirements for different sets of URLs, but they will be evaluated in different access requirements for different sets of URLs, but they will be evaluated in
the order listed and the first match will be used. So you must put the most specific the order listed and the first match will be used. So you must put the most specific
matches at the top. You can also add a <literal>method</literal> attribute to limit the matches at the top. You can also add a <literal>method</literal> attribute to limit the
match to a particular HTTP method (<literal>GET</literal>, <literal>POST</literal>, match to a particular HTTP method (<literal>GET</literal>, <literal>POST</literal>,
<literal>PUT</literal> etc.). For a pattern defined both with and without a method, the <literal>PUT</literal> etc.). If a request matches multiple patterns, the
method-specific match will take precedence regardless of ordering. </para> method-specific match will take precedence regardless of ordering.</para>
</note> </note>
<para> To add some users, you can define a set of test data directly in the namespace: <programlisting language="xml"><![CDATA[ <para> To add some users, you can define a set of test data directly in the namespace: <programlisting language="xml"><![CDATA[
<authentication-manager> <authentication-manager>
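Review bot: the reworded sentence "If a request matches multiple patterns, the method-specific match will take precedence regardless of ordering" now reads as though it overrides the rule stated two sentences earlier that "the first match will be used". The old wording restricted the precedence rule to a pattern declared both with and without a method attribute; keep that restriction, e.g. "If a request matches both a method-specific and a method-agnostic <intercept-url> entry, the method-specific one takes precedence regardless of ordering", so readers do not conclude that a later, more specific pattern can beat an earlier match.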
@ -184,8 +168,8 @@
<classname>DaoAuthenticationProvider</classname> bean and the <classname>DaoAuthenticationProvider</classname> bean and the
<literal>&lt;user-service&gt;</literal> element creates an <literal>&lt;user-service&gt;</literal> element creates an
<classname>InMemoryDaoImpl</classname>. All <literal>authentication-provider</literal> <classname>InMemoryDaoImpl</classname>. All <literal>authentication-provider</literal>
elements must be within the <literal>authentication-manager</literal> element, which elements must be children of the <literal>&lt;authentication-manager></literal> element,
creates a <classname>ProviderManager</classname> and registers the authentication which creates a <classname>ProviderManager</classname> and registers the authentication
providers with it. You can find more detailed information on the beans that are created in providers with it. You can find more detailed information on the beans that are created in
the <link xlink:href="#appendix-namespace">namespace appendix</link>. It's worth the <link xlink:href="#appendix-namespace">namespace appendix</link>. It's worth
cross-checking this if you want to start understanding what the important classes in the cross-checking this if you want to start understanding what the important classes in the
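Review bot: `<literal>&lt;authentication-manager></literal>` escapes the opening angle bracket but not the closing one, whereas `<literal>&lt;user-service&gt;</literal>` two lines above escapes both. A bare `>` in element content is well-formed XML, but the inconsistency is worth fixing while this line is being edited.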
@ -217,15 +201,14 @@
<logout /> <logout />
</http> </http>
]]></programlisting> These other elements are responsible for setting up form-login, basic ]]></programlisting> These other elements are responsible for setting up form-login, basic
authentication and logout handling services respectively <footnote> authentication and logout handling services respectively <footnote><para>In versions prior
<para>In versions prior to 3.0, this list also included remember-me functionality. This to 3.0, this list also included remember-me functionality. This could cause some
could cause some confusing errors with some configurations and was removed in 3.0. In confusing errors with some configurations and was removed in 3.0. In 3.0, the addition
3.0, the addition of an <classname>AnonymousAuthenticationFilter</classname> is part of an <classname>AnonymousAuthenticationFilter</classname> is part of the default
of the default <literal>&lt;http></literal> configuration, so the <literal>&lt;http></literal> configuration, so the <literal>&lt;anonymous
<literal>&lt;anonymous /></literal> element is added regardless of whether /></literal> element is added regardless of whether <literal>auto-config</literal>
<literal>auto-config</literal> is enabled.</para> is enabled.</para></footnote> . They each have attributes which can be used to alter
</footnote> . They each have attributes which can be used to alter their behaviour. their behaviour. </para>
</para>
</section> </section>
<section xml:id="ns-form-and-basic"> <section xml:id="ns-form-and-basic">
<title>Form and Basic Login Options</title> <title>Form and Basic Login Options</title>
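Review bot: the stray space in "</footnote> . They each have attributes" (new side) leaves a gap between the footnote marker and the full stop in the rendered output; it was present in the old text too, and this reflow is the natural place to drop it. The footnote's clarification that <anonymous /> is added regardless of auto-config in 3.0 is useful and reads fine.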
@ -246,16 +229,15 @@
</programlisting> Note that you can still use <literal>auto-config</literal>. The </programlisting> Note that you can still use <literal>auto-config</literal>. The
<literal>form-login</literal> element just overrides the default settings. Also note <literal>form-login</literal> element just overrides the default settings. Also note
that we've added an extra <literal>intercept-url</literal> element to say that any that we've added an extra <literal>intercept-url</literal> element to say that any
requests for the login page should be available to anonymous users <footnote> requests for the login page should be available to anonymous users <footnote><para>See the
<para>See the chapter on <link xlink:href="#anonymous">anonymous authentication</link> chapter on <link xlink:href="#anonymous">anonymous authentication</link> and also the
and also the <link xlink:href="#authz-authenticated-voter">AuthenticatedVoter</link> <link xlink:href="#authz-authenticated-voter">AuthenticatedVoter</link> class for
class for more details on how the value more details on how the value <literal>IS_AUTHENTICATED_ANONYMOUSLY</literal> is
<literal>IS_AUTHENTICATED_ANONYMOUSLY</literal> is processed.</para> processed.</para></footnote>. Otherwise the request would be matched by the pattern
</footnote>. Otherwise the request would be matched by the pattern <literal>/**</literal> <literal>/**</literal> and it wouldn't be possible to access the login page itself! This
and it wouldn't be possible to access the login page itself! This is a common is a common configuration error and will result in an infinite loop in the application.
configuration error and will result in an infinite loop in the application. Spring Spring Security will emit a warning in the log if your login page appears to be secured.
Security will emit a warning in the log if your login page appears to be secured. It is It is also possible to have all requests matching a particular pattern bypass the security
also possible to have all requests matching a particular pattern bypass the security
filter chain completely: <programlisting language="xml"><![CDATA[ filter chain completely: <programlisting language="xml"><![CDATA[
<http auto-config='true'> <http auto-config='true'>
<intercept-url pattern="/css/**" filters="none"/> <intercept-url pattern="/css/**" filters="none"/>
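Review bot: the text introduces `filters="none"` as a way to "bypass the security filter chain completely" with a `/css/**` example but does not spell out the consequence. A one-sentence caveat that such requests pass through none of the filters listed in the filter-stack table later in this file, so no security context is established and no <intercept-url> access rule is applied to them, would stop readers using it as a shortcut for the login-page case just described, where IS_AUTHENTICATED_ANONYMOUSLY is the right tool.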
@ -476,20 +458,14 @@
logs in. If you don't require this protection, or it conflicts with some other logs in. If you don't require this protection, or it conflicts with some other
requirement, you can control the behaviour using the requirement, you can control the behaviour using the
<literal>session-fixation-protection</literal> attribute on <literal>session-fixation-protection</literal> attribute on
<literal>&lt;session-management&gt;</literal>, which has three options <itemizedlist> <literal>&lt;session-management&gt;</literal>, which has three options
<listitem> <itemizedlist><listitem><para><literal>migrateSession</literal> - creates a new
<para><literal>migrateSession</literal> - creates a new session and copies the session and copies the existing session attributes to the new session. This is the
existing session attributes to the new session. This is the default.</para> default.</para></listitem><listitem><para><literal>none</literal> - Don't do
</listitem> anything. The original session will be
<listitem> retained.</para></listitem><listitem><para><literal>newSession</literal> - Create
<para><literal>none</literal> - Don't do anything. The original session will be a new "clean" session, without copying the existing session
retained.</para> data.</para></listitem></itemizedlist></para>
</listitem>
<listitem>
<para><literal>newSession</literal> - Create a new "clean" session, without copying
the existing session data.</para>
</listitem>
</itemizedlist></para>
</section> </section>
</section> </section>
<section xml:id="ns-openid"> <section xml:id="ns-openid">
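Review bot: the three session-fixation-protection option descriptions are inconsistently capitalised ("creates a new session", "Don't do anything", "Create a new "clean" session"); use one form. More importantly, "none - Don't do anything" should state explicitly that it disables session fixation protection, since the surrounding text only says that the default creates a new session when a user logs in; a reader scanning the list may not register that `none` retains whatever session the client presented before authentication.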
@ -526,112 +502,48 @@
<para>The order of the filters is always strictly enforced when using the namespace. When the <para>The order of the filters is always strictly enforced when using the namespace. When the
application context is being created, the filter beans are sorted by the namespace handling application context is being created, the filter beans are sorted by the namespace handling
code and the standard Spring Security filters each have an alias in the namespace and a code and the standard Spring Security filters each have an alias in the namespace and a
well-known position.<note> well-known position.<note><para>In previous versions, the sorting took place after the
<para>In previous versions, the sorting took place after the filter instances had been filter instances had been created, during post-processing of the application context. In
created, during post-processing of the application context. In version 3.0+ the sorting version 3.0+ the sorting is now done at the bean metadata level, before the classes have
is now done at the bean metadata level, before the classes have been instantiated. This been instantiated. This has implications for how you add your own filters to the stack
has implications for how you add your own filters to the stack as the entire filter list as the entire filter list must be known during the parsing of the
must be known during the parsing of the <literal>&lt;http></literal> element, so the <literal>&lt;http></literal> element, so the syntax has changed slightly in
syntax has changed slightly in 3.0.</para> 3.0.</para></note>The filters, aliases and namespace elements/attributes which create
</note>The filters, aliases and namespace elements/attributes which create the filters are the filters are shown in <xref linkend="filter-stack"/>. The filters are listed in the order
shown in <xref linkend="filter-stack"/>. The filters are listed in the order in which they in which they occur in the filter chain. <table xml:id="filter-stack"><title>Standard Filter
occur in the filter chain. <table xml:id="filter-stack"> Aliases and Ordering</title><tgroup cols="3" align="left"><thead><row><entry
<title>Standard Filter Aliases and Ordering</title> align="center">Alias</entry><entry align="center">Filter Class</entry><entry
<tgroup cols="3" align="left"> align="center">Namespace Element or
<thead> Attribute</entry></row></thead><tbody><row><entry>
<row> CHANNEL_FILTER</entry><entry><literal>ChannelProcessingFilter</literal></entry><entry><literal>http/intercept-url@requires-channel</literal></entry></row><row><entry>
<entry align="center">Alias</entry> CONCURRENT_SESSION_FILTER</entry><entry><literal>ConcurrentSessionFilter</literal>
<entry align="center">Filter Class</entry> </entry><entry><literal>session-management/concurrency-control</literal></entry></row><row><entry>
<entry align="center">Namespace Element or Attribute</entry> SECURITY_CONTEXT_FILTER</entry><entry><classname>SecurityContextPersistenceFilter</classname></entry><entry><literal>http</literal></entry></row><row><entry>
</row> LOGOUT_FILTER
</thead> </entry><entry><literal>LogoutFilter</literal></entry><entry><literal>http/logout</literal></entry></row><row><entry>
<tbody> X509_FILTER
<row> </entry><entry><literal>X509AuthenticationFilter</literal></entry><entry><literal>http/x509</literal></entry></row><row><entry>
<entry> CHANNEL_FILTER</entry> PRE_AUTH_FILTER
<entry><literal>ChannelProcessingFilter</literal></entry> </entry><entry><literal>AstractPreAuthenticatedProcessingFilter</literal>
<entry><literal>http/intercept-url@requires-channel</literal></entry> Subclasses</entry><entry>N/A</entry></row><row><entry> CAS_FILTER
</row> </entry><entry><literal>CasAuthenticationFilter</literal></entry><entry>N/A</entry></row><row><entry>
<row> FORM_LOGIN_FILTER
<entry> CONCURRENT_SESSION_FILTER</entry> </entry><entry><literal>UsernamePasswordAuthenticationFilter</literal></entry><entry><literal>http/form-login</literal></entry></row><row><entry>
<entry><literal>ConcurrentSessionFilter</literal> BASIC_AUTH_FILTER
</entry> </entry><entry><literal>BasicAuthenticationFilter</literal></entry><entry><literal>http/http-basic</literal></entry></row><row><entry>
<entry><literal>session-management/concurrency-control</literal></entry> SERVLET_API_SUPPORT_FILTER</entry><entry><literal>SecurityContextHolderAwareFilter</literal></entry><entry><literal>http/@servlet-api-provision</literal></entry></row><row><entry>
</row> REMEMBER_ME_FILTER
<row> </entry><entry><classname>RememberMeAuthenticationFilter</classname></entry><entry><literal>http/remember-me</literal></entry></row><row><entry>
<entry> SECURITY_CONTEXT_FILTER</entry> ANONYMOUS_FILTER
<entry><classname>SecurityContextPersistenceFilter</classname></entry> </entry><entry><literal>AnonymousAuthenticationFilter</literal></entry><entry><literal>http/anonymous</literal></entry></row><row><entry>
<entry><literal>http</literal></entry> SESSION_MANAGEMENT_FILTER</entry><entry><literal>SessionManagementFilter</literal></entry><entry><literal>session-management</literal></entry></row><row><entry>EXCEPTION_TRANSLATION_FILTER
</row> </entry><entry><classname>ExceptionTranslationFilter</classname></entry><entry><literal>http</literal></entry></row><row><entry>
<row> FILTER_SECURITY_INTERCEPTOR
<entry> LOGOUT_FILTER </entry> </entry><entry><classname>FilterSecurityInterceptor</classname></entry><entry><literal>http</literal></entry></row><row><entry>
<entry><literal>LogoutFilter</literal></entry> SWITCH_USER_FILTER
<entry><literal>http/logout</literal></entry> </entry><entry><literal>SwitchUserFilter</literal></entry><entry>N/A</entry></row></tbody></tgroup></table>
</row> You can add your own filter to the stack, using the <literal>custom-filter</literal> element
<row> and one of these names to specify the position your filter should appear at: <programlisting language="xml"><![CDATA[
<entry> X509_FILTER </entry>
<entry><literal>X509AuthenticationFilter</literal></entry>
<entry><literal>http/x509</literal></entry>
</row>
<row>
<entry> PRE_AUTH_FILTER </entry>
<entry><literal>AstractPreAuthenticatedProcessingFilter</literal> Subclasses</entry>
<entry>N/A</entry>
</row>
<row>
<entry> CAS_FILTER </entry>
<entry><literal>CasAuthenticationFilter</literal></entry>
<entry>N/A</entry>
</row>
<row>
<entry> FORM_LOGIN_FILTER </entry>
<entry><literal>UsernamePasswordAuthenticationFilter</literal></entry>
<entry><literal>http/form-login</literal></entry>
</row>
<row>
<entry> BASIC_AUTH_FILTER </entry>
<entry><literal>BasicAuthenticationFilter</literal></entry>
<entry><literal>http/http-basic</literal></entry>
</row>
<row>
<entry> SERVLET_API_SUPPORT_FILTER</entry>
<entry><literal>SecurityContextHolderAwareFilter</literal></entry>
<entry><literal>http/@servlet-api-provision</literal></entry>
</row>
<row>
<entry> REMEMBER_ME_FILTER </entry>
<entry><classname>RememberMeAuthenticationFilter</classname></entry>
<entry><literal>http/remember-me</literal></entry>
</row>
<row>
<entry> ANONYMOUS_FILTER </entry>
<entry><literal>AnonymousAuthenticationFilter</literal></entry>
<entry><literal>http/anonymous</literal></entry>
</row>
<row>
<entry> SESSION_MANAGEMENT_FILTER</entry>
<entry><literal>SessionManagementFilter</literal></entry>
<entry><literal>session-management</literal></entry>
</row>
<row>
<entry>EXCEPTION_TRANSLATION_FILTER </entry>
<entry><classname>ExceptionTranslationFilter</classname></entry>
<entry><literal>http</literal></entry>
</row>
<row>
<entry> FILTER_SECURITY_INTERCEPTOR </entry>
<entry><classname>FilterSecurityInterceptor</classname></entry>
<entry><literal>http</literal></entry>
</row>
<row>
<entry> SWITCH_USER_FILTER </entry>
<entry><literal>SwitchUserFilter</literal></entry>
<entry>N/A</entry>
</row>
</tbody>
</tgroup>
</table> You can add your own filter to the stack, using the
<literal>custom-filter</literal> element and one of these names to specify the position
your filter should appear at: <programlisting language="xml"><![CDATA[
<http> <http>
<custom-filter position="FORM_LOGIN_FILTER" ref="myFilter" /> <custom-filter position="FORM_LOGIN_FILTER" ref="myFilter" />
</http> </http>
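Review bot: the PRE_AUTH_FILTER row spells the class as "AstractPreAuthenticatedProcessingFilter" on both the old and new sides; the class is AbstractPreAuthenticatedProcessingFilter, and the typo belongs in the same rewrite that reflows the table. The table also mixes markup for filter classes, using <classname> for SecurityContextPersistenceFilter, RememberMeAuthenticationFilter, ExceptionTranslationFilter and FilterSecurityInterceptor but <literal> for the rest; <classname> throughout would match the rest of the chapter. Finally, collapsing the whole <tgroup> onto a handful of very long lines means every future row change will show up as a rewrite of the entire table; the one-cell-per-line layout on the old side was easier to diff.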

View File

@ -57,3 +57,13 @@ div.table td {
padding-left: 7px; padding-left: 7px;
padding-right: 7px; padding-right: 7px;
} }
.sidebar {
float: right;
margin: 10px 0 10px 30px;
padding: 10px 20px 20px 20px;
width: 33%;
border: 1px solid black;
background-color: #F4F4F4;
font-size: 14px;
}
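Review bot: the new `.sidebar` rule has no visible consumer in this commit: none of the three DocBook hunks shown adds a <sidebar> element, and the commit message ("more doc updates following further user requests for clarification") does not mention a stylesheet change. Either name the DocBook element this rule renders in a comment above it, or split the CSS change into its own commit so the history explains it.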