SEC-624: Improved general consistency of ref docs. Tidied up program listings. Added namespace info on channel security.
parent a3de51ea51
commit a7ab048f3b
|
@ -40,17 +40,17 @@
|
||||||
filter and authentication provider appears as follows:</para>
|
filter and authentication provider appears as follows:</para>
|
||||||
|
|
||||||
<para><programlisting>
|
<para><programlisting>
|
||||||
<bean id="anonymousProcessingFilter"
|
<![CDATA[
|
||||||
class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter">
|
<bean id="anonymousProcessingFilter"
|
||||||
<property name="key"><value>foobar</value></property>
|
class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter">
|
||||||
<property name="userAttribute"><value>anonymousUser,ROLE_ANONYMOUS</value></property>
|
<property name="key" value="foobar"/>
|
||||||
</bean>
|
<property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
|
||||||
|
</bean>
|
||||||
<bean id="anonymousAuthenticationProvider"
|
|
||||||
class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
|
|
||||||
<property name="key"><value>foobar</value></property>
|
|
||||||
</bean>
|
|
||||||
|
|
||||||
|
<bean id="anonymousAuthenticationProvider"
|
||||||
|
class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
|
||||||
|
<property name="key" value="foobar"/>
|
||||||
|
</bean>]]>
|
||||||
</programlisting></para>
|
</programlisting></para>
|
||||||
|
|
||||||
<para>The <literal>key</literal> is shared between the filter and
|
<para>The <literal>key</literal> is shared between the filter and
|
||||||
|
|
|
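Review bot: the tidied listing still carries the placeholder key `foobar` in both the AnonymousProcessingFilter and the AnonymousAuthenticationProvider beans, and the paragraph right after it ("The key is shared between the filter and ...") is exactly where readers learn that this value is what ties the two together; add one sentence telling them to replace it with an application-specific value rather than paste the example as-is. Style point for this and the other listings in the commit: `<para><programlisting>` is followed by an empty line before `<![CDATA[`, so the verbatim block starts with a blank line; put the CDATA opener directly after the tag.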
@ -3,7 +3,6 @@
|
||||||
|
|
||||||
<section xml:id="authorities"><info><title>Authorities</title></info>
|
<section xml:id="authorities"><info><title>Authorities</title></info>
|
||||||
|
|
||||||
|
|
||||||
<para>As briefly mentioned in the Authentication section, all
|
<para>As briefly mentioned in the Authentication section, all
|
||||||
<literal>Authentication</literal> implementations are required to
|
<literal>Authentication</literal> implementations are required to
|
||||||
store an array of <literal>GrantedAuthority</literal> objects. These
|
store an array of <literal>GrantedAuthority</literal> objects. These
|
||||||
|
@ -15,11 +14,11 @@
|
||||||
decisions.</para>
|
decisions.</para>
|
||||||
|
|
||||||
<para><literal>GrantedAuthority</literal> is an interface with only
|
<para><literal>GrantedAuthority</literal> is an interface with only
|
||||||
one method:</para>
|
one method:
|
||||||
|
<programlisting>
|
||||||
<para><programlisting>public String getAuthority();</programlisting></para>
|
String getAuthority();
|
||||||
|
</programlisting>
|
||||||
<para>This method allows <literal>AccessDecisionManager</literal>s to
|
This method allows <literal>AccessDecisionManager</literal>s to
|
||||||
obtain a precise <literal>String</literal> representation of the
|
obtain a precise <literal>String</literal> representation of the
|
||||||
<literal>GrantedAuthority</literal>. By returning a representation as
|
<literal>GrantedAuthority</literal>. By returning a representation as
|
||||||
a <literal>String</literal>, a <literal>GrantedAuthority</literal> can
|
a <literal>String</literal>, a <literal>GrantedAuthority</literal> can
|
||||||
|
@ -58,13 +57,13 @@
|
||||||
<literal>AbstractSecurityInterceptor</literal> and is responsible for
|
<literal>AbstractSecurityInterceptor</literal> and is responsible for
|
||||||
making final access control decisions. The
|
making final access control decisions. The
|
||||||
<literal>AccessDecisionManager</literal> interface contains three
|
<literal>AccessDecisionManager</literal> interface contains three
|
||||||
methods:</para>
|
methods:
|
||||||
|
<programlisting>
|
||||||
<para><programlisting>public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config) throws AccessDeniedException;
|
void decide(Authentication authentication, Object object, ConfigAttributeDefinition config) throws AccessDeniedException;
|
||||||
public boolean supports(ConfigAttribute attribute);
|
boolean supports(ConfigAttribute attribute);
|
||||||
public boolean supports(Class clazz);</programlisting></para>
|
boolean supports(Class clazz);
|
||||||
|
</programlisting>
|
||||||
<para>As can be seen from the first method, the
|
As can be seen from the first method, the
|
||||||
<literal>AccessDecisionManager</literal> is passed via method
|
<literal>AccessDecisionManager</literal> is passed via method
|
||||||
parameters all information that is likely to be of value in assessing
|
parameters all information that is likely to be of value in assessing
|
||||||
an authorization decision. In particular, passing the secure
|
an authorization decision. In particular, passing the secure
|
||||||
|
@ -115,13 +114,13 @@ public boolean supports(Class clazz);</programlisting></para>
|
||||||
assessment of the votes.</para>
|
assessment of the votes.</para>
|
||||||
|
|
||||||
<para>The <literal>AccessDecisionVoter</literal> interface has three
|
<para>The <literal>AccessDecisionVoter</literal> interface has three
|
||||||
methods:</para>
|
methods:
|
||||||
|
<programlisting>
|
||||||
<para><programlisting>public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config);
|
int vote(Authentication authentication, Object object, ConfigAttributeDefinition config);
|
||||||
public boolean supports(ConfigAttribute attribute);
|
boolean supports(ConfigAttribute attribute);
|
||||||
public boolean supports(Class clazz);</programlisting></para>
|
boolean supports(Class clazz);
|
||||||
|
</programlisting>
|
||||||
<para>Concrete implementations return an <literal>int</literal>, with
|
Concrete implementations return an <literal>int</literal>, with
|
||||||
possible values being reflected in the
|
possible values being reflected in the
|
||||||
<literal>AccessDecisionVoter</literal> static fields
|
<literal>AccessDecisionVoter</literal> static fields
|
||||||
<literal>ACCESS_ABSTAIN</literal>, <literal>ACCESS_DENIED</literal>
|
<literal>ACCESS_ABSTAIN</literal>, <literal>ACCESS_DENIED</literal>
|
||||||
|
@ -176,34 +175,36 @@ public boolean supports(Class clazz);</programlisting></para>
|
||||||
voter included with Spring Security. It integrates with Spring
|
voter included with Spring Security. It integrates with Spring
|
||||||
Security's <literal>AclManager</literal> (discussed later). This voter
|
Security's <literal>AclManager</literal> (discussed later). This voter
|
||||||
is designed to have multiple instances in the same application
|
is designed to have multiple instances in the same application
|
||||||
context, such as:</para>
|
context, such as:
|
||||||
|
<programlisting>
|
||||||
|
<![CDATA[
|
||||||
|
<bean id="aclContactReadVoter"
|
||||||
|
class="org.springframework.security.vote.BasicAclEntryVoter">
|
||||||
|
<property name="processConfigAttribute" value="ACL_CONTACT_READ"/>
|
||||||
|
<property name="processDomainObjectClass" value="sample.contact.Contact"/>
|
||||||
|
<property name="aclManager" ref="aclManager"/>
|
||||||
|
<property name="requirePermission">
|
||||||
|
<list>
|
||||||
|
<ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
|
||||||
|
<ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/>
|
||||||
|
</list>
|
||||||
|
</property>
|
||||||
|
</bean>
|
||||||
|
|
||||||
<para><programlisting><bean id="aclContactReadVoter"
|
<bean id="aclContactDeleteVoter"
|
||||||
class="org.springframework.security.vote.BasicAclEntryVoter">
|
class="org.springframework.security.vote.BasicAclEntryVoter">
|
||||||
<property name="processConfigAttribute"><value>ACL_CONTACT_READ</value></property>
|
<property name="processConfigAttribute" value="ACL_CONTACT_DELETE"/>
|
||||||
<property name="processDomainObjectClass"><value>sample.contact.Contact</value></property>
|
<property name="processDomainObjectClass" value="sample.contact.Contact"/>
|
||||||
<property name="aclManager"><ref local="aclManager"/></property>
|
<property name="aclManager" ref="aclManager"/>
|
||||||
<property name="requirePermission">
|
<property name="requirePermission">
|
||||||
<list>
|
<list>
|
||||||
<ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
|
<ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
|
||||||
<ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/>
|
<ref local="org.springframework.security.acl.basic.SimpleAclEntry.DELETE"/>
|
||||||
</list>
|
</list>
|
||||||
</property>
|
</property>
|
||||||
</bean>
|
</bean>
|
||||||
|
]]></programlisting>
|
||||||
<bean id="aclContactDeleteVoter" class="org.springframework.security.vote.BasicAclEntryVoter">
|
In the above example, you'd define
|
||||||
<property name="processConfigAttribute"><value>ACL_CONTACT_DELETE</value></property>
|
|
||||||
<property name="processDomainObjectClass"><value>sample.contact.Contact</value></property>
|
|
||||||
<property name="aclManager"><ref local="aclManager"/></property>
|
|
||||||
<property name="requirePermission">
|
|
||||||
<list>
|
|
||||||
<ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
|
|
||||||
<ref local="org.springframework.security.acl.basic.SimpleAclEntry.DELETE"/>
|
|
||||||
</list>
|
|
||||||
</property>
|
|
||||||
</bean> </programlisting></para>
|
|
||||||
|
|
||||||
<para>In the above example, you'd define
|
|
||||||
<literal>ACL_CONTACT_READ</literal> or
|
<literal>ACL_CONTACT_READ</literal> or
|
||||||
<literal>ACL_CONTACT_DELETE</literal> against some methods on a
|
<literal>ACL_CONTACT_DELETE</literal> against some methods on a
|
||||||
<literal>MethodSecurityInterceptor</literal> or
|
<literal>MethodSecurityInterceptor</literal> or
|
||||||
|
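Review bot: both BasicAclEntryVoter definitions point at beans named `org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION`, `...READ` and `...DELETE` through `<ref local="..."/>`, but no definition for those beans appears anywhere in the listing; either show how they are declared (one FieldRetrievingFactoryBean per constant, with the fully qualified field name as the bean id) or say explicitly that they are defined elsewhere, otherwise a reader who copies this gets an unresolved reference. Also, the new listing opens with two blank lines between `<programlisting>` and `<![CDATA[`.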
@ -251,9 +252,8 @@ public boolean supports(Class clazz);</programlisting></para>
|
||||||
to the chapter describing the new ACL implementation.</para>
|
to the chapter describing the new ACL implementation.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section xml:id="after-invocation"><info><title>After Invocation Handling</title></info>
|
<section xml:id="after-invocation">
|
||||||
|
<info><title>After Invocation Handling</title></info>
|
||||||
|
|
||||||
<para>Whilst the <literal>AccessDecisionManager</literal> is called by
|
<para>Whilst the <literal>AccessDecisionManager</literal> is called by
|
||||||
the <literal>AbstractSecurityInterceptor</literal> before proceeding
|
the <literal>AbstractSecurityInterceptor</literal> before proceeding
|
||||||
with the secure object invocation, some applications need a way of
|
with the secure object invocation, some applications need a way of
|
||||||
|
@ -274,7 +274,6 @@ public boolean supports(Class clazz);</programlisting></para>
|
||||||
<imageobject>
|
<imageobject>
|
||||||
<imagedata role="html" align="center" fileref="images/AfterInvocation.gif" format="GIF"/>
|
<imagedata role="html" align="center" fileref="images/AfterInvocation.gif" format="GIF"/>
|
||||||
</imageobject>
|
</imageobject>
|
||||||
|
|
||||||
<caption>
|
<caption>
|
||||||
<para>Figure 5: After Invocation Implementation</para>
|
<para>Figure 5: After Invocation Implementation</para>
|
||||||
</caption>
|
</caption>
|
||||||
|
@ -341,22 +340,20 @@ public boolean supports(Class clazz);</programlisting></para>
|
||||||
<literal>Contact</literal> is all that is available before the
|
<literal>Contact</literal> is all that is available before the
|
||||||
secure object is invoked. The
|
secure object is invoked. The
|
||||||
<literal>AclAfterInvocationProvider</literal> delivers a solution,
|
<literal>AclAfterInvocationProvider</literal> delivers a solution,
|
||||||
and is configured as follows:</para>
|
and is configured as follows:
|
||||||
|
<programlisting><![CDATA[
|
||||||
<para><programlisting><bean id="afterAclRead"
|
<bean id="afterAclRead"
|
||||||
class="org.springframework.security.afterinvocation.AclEntryAfterInvocationProvider">
|
class="org.springframework.security.afterinvocation.AclEntryAfterInvocationProvider">
|
||||||
<constructor-arg>
|
<constructor-arg ref="aclService"/>
|
||||||
<ref bean="aclService"/>
|
<constructor-arg>
|
||||||
</constructor-arg>
|
<list>
|
||||||
<constructor-arg>
|
<ref local="org.springframework.security.acls.domain.BasePermission.ADMINISTRATION"/>
|
||||||
<list>
|
<ref local="org.springframework.security.acls.domain.BasePermission.READ"/>
|
||||||
<ref local="org.springframework.security.acls.domain.BasePermission.ADMINISTRATION"/>
|
</list>
|
||||||
<ref local="org.springframework.security.acls.domain.BasePermission.READ"/>
|
</constructor-arg>
|
||||||
</list>
|
</bean>
|
||||||
</constructor-arg>
|
]]></programlisting>
|
||||||
</bean> </programlisting></para>
|
In the above example, the <literal>Contact</literal> will be
|
||||||
|
|
||||||
<para>In the above example, the <literal>Contact</literal> will be
|
|
||||||
retrieved and passed to the
|
retrieved and passed to the
|
||||||
<literal>AclEntryAfterInvocationProvider</literal>. The provider
|
<literal>AclEntryAfterInvocationProvider</literal>. The provider
|
||||||
will thrown an <literal>AccessDeniedException</literal> if one of
|
will thrown an <literal>AccessDeniedException</literal> if one of
|
||||||
|
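Review bot: the unchanged sentence following the listing still reads "The provider will thrown an AccessDeniedException"; since this hunk already rewrites the opening of that paragraph, change "thrown" to "throw" in the same pass.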
@ -373,22 +370,20 @@ public boolean supports(Class clazz);</programlisting></para>
|
||||||
elements for which a principal does not have access. It never thrown
|
elements for which a principal does not have access. It never thrown
|
||||||
an <literal>AccessDeniedException</literal> - simply silently
|
an <literal>AccessDeniedException</literal> - simply silently
|
||||||
removes the offending elements. The provider is configured as
|
removes the offending elements. The provider is configured as
|
||||||
follows:</para>
|
follows:
|
||||||
|
<programlisting><![CDATA[
|
||||||
<para><programlisting><bean id="afterAclCollectionRead"
|
<bean id="afterAclCollectionRead"
|
||||||
class="org.springframework.security.afterinvocation.AclEntryAfterInvocationCollectionFilteringProvider">
|
class="org.springframework.security.afterinvocation.AclEntryAfterInvocationCollectionFilteringProvider">
|
||||||
<constructor-arg>
|
<constructor-arg ref="aclService"/>
|
||||||
<ref bean="aclService"/>
|
<constructor-arg>
|
||||||
</constructor-arg>
|
<list>
|
||||||
<constructor-arg>
|
<ref local="org.springframework.security.acls.domain.BasePermission.ADMINISTRATION"/>
|
||||||
<list>
|
<ref local="org.springframework.security.acls.domain.BasePermission.READ"/>
|
||||||
<ref local="org.springframework.security.acls.domain.BasePermission.ADMINISTRATION"/>
|
</list>
|
||||||
<ref local="org.springframework.security.acls.domain.BasePermission.READ"/>
|
</constructor-arg>
|
||||||
</list>
|
</bean>
|
||||||
</constructor-arg>
|
]]> </programlisting>
|
||||||
</bean> </programlisting></para>
|
As you can imagine, the returned <literal>Object</literal>
|
||||||
|
|
||||||
<para>As you can imagine, the returned <literal>Object</literal>
|
|
||||||
must be a <literal>Collection</literal> or array for this provider
|
must be a <literal>Collection</literal> or array for this provider
|
||||||
to operate. It will remove any element if the
|
to operate. It will remove any element if the
|
||||||
<literal>AclManager</literal> indicates the
|
<literal>AclManager</literal> indicates the
|
||||||
|
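Review bot: `]]> </programlisting>` has a space between the CDATA close and the end tag, which becomes trailing whitespace in the rendered listing; drop it so it matches the `]]></programlisting>` used for the afterAclRead bean above. The context sentence "It never thrown an AccessDeniedException" should also read "It never throws".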
@ -427,16 +422,18 @@ public boolean supports(Class clazz);</programlisting></para>
|
||||||
<literal>BasicAclAfterInvocationProvider</literal> delivers a
|
<literal>BasicAclAfterInvocationProvider</literal> delivers a
|
||||||
solution, and is configured as follows:</para>
|
solution, and is configured as follows:</para>
|
||||||
|
|
||||||
<para><programlisting><bean id="afterAclRead"
|
<para><programlisting><![CDATA[
|
||||||
class="org.springframework.security.afterinvocation.BasicAclEntryAfterInvocationProvider">
|
<bean id="afterAclRead"
|
||||||
<property name="aclManager"><ref local="aclManager"/></property>
|
class="org.springframework.security.afterinvocation.BasicAclEntryAfterInvocationProvider">
|
||||||
<property name="requirePermission">
|
<property name="aclManager"><ref local="aclManager"/></property>
|
||||||
<list>
|
<property name="requirePermission">
|
||||||
<ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
|
<list>
|
||||||
<ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/>
|
<ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
|
||||||
</list>
|
<ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/>
|
||||||
</property>
|
</list>
|
||||||
</bean> </programlisting></para>
|
</property>
|
||||||
|
</bean>
|
||||||
|
]]> </programlisting></para>
|
||||||
|
|
||||||
<para>In the above example, the <literal>Contact</literal> will be
|
<para>In the above example, the <literal>Contact</literal> will be
|
||||||
retrieved and passed to the
|
retrieved and passed to the
|
||||||
|
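Review bot: this listing was wrapped in CDATA but not converted to the attribute shorthand the rest of the commit adopts: `<property name="aclManager"><ref local="aclManager"/></property>` can become `<property name="aclManager" ref="aclManager"/>`, as already done for the AnonymousProcessingFilter and BasicAclEntryVoter beans. The same trailing space appears in `]]> </programlisting>`, and the `<![CDATA[` is again followed by an empty line.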
@ -455,20 +452,20 @@ public boolean supports(Class clazz);</programlisting></para>
|
||||||
elements for which a principal does not have access. It never thrown
|
elements for which a principal does not have access. It never thrown
|
||||||
an <literal>AccessDeniedException</literal> - simply silently
|
an <literal>AccessDeniedException</literal> - simply silently
|
||||||
removes the offending elements. The provider is configured as
|
removes the offending elements. The provider is configured as
|
||||||
follows:</para>
|
follows:
|
||||||
|
<programlisting><![CDATA[
|
||||||
<para><programlisting><bean id="afterAclCollectionRead"
|
<bean id="afterAclCollectionRead"
|
||||||
class="org.springframework.security.afterinvocation.BasicAclEntryAfterInvocationCollectionFilteringProvider">
|
class="org.springframework.security.afterinvocation.BasicAclEntryAfterInvocationCollectionFilteringProvider">
|
||||||
<property name="aclManager"><ref local="aclManager"/></property>
|
<property name="aclManager"><ref local="aclManager"/></property>
|
||||||
<property name="requirePermission">
|
<property name="requirePermission">
|
||||||
<list>
|
<list>
|
||||||
<ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
|
<ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
|
||||||
<ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/>
|
<ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/>
|
||||||
</list>
|
</list>
|
||||||
</property>
|
</property>
|
||||||
</bean> </programlisting></para>
|
</bean>
|
||||||
|
]]></programlisting>
|
||||||
<para>As you can imagine, the returned <literal>Object</literal>
|
As you can imagine, the returned <literal>Object</literal>
|
||||||
must be a <literal>Collection</literal> or array for this provider
|
must be a <literal>Collection</literal> or array for this provider
|
||||||
to operate. It will remove any element if the
|
to operate. It will remove any element if the
|
||||||
<literal>AclManager</literal> indicates the
|
<literal>AclManager</literal> indicates the
|
||||||
|
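Review bot: same consistency point as the BasicAclEntryAfterInvocationProvider listing: `<property name="aclManager"><ref local="aclManager"/></property>` could use the `ref=` attribute form used elsewhere in this commit, and the unchanged line "It never thrown an AccessDeniedException" just above should read "It never throws".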
@ -490,11 +487,14 @@ public boolean supports(Class clazz);</programlisting></para>
|
||||||
<para>The following JSP fragment illustrates how to use the
|
<para>The following JSP fragment illustrates how to use the
|
||||||
<literal>AuthorizeTag</literal>:</para>
|
<literal>AuthorizeTag</literal>:</para>
|
||||||
|
|
||||||
<para><programlisting><security:authorize ifAllGranted="ROLE_SUPERVISOR">
|
<para><programlisting>
|
||||||
<td>
|
<![CDATA[
|
||||||
<A HREF="del.htm?id=<c:out value="${contact.id}"/>">Del</A>
|
<security:authorize ifAllGranted="ROLE_SUPERVISOR">
|
||||||
</td>
|
<td>
|
||||||
</security:authorize> </programlisting></para>
|
<a href="del.htm?id=<c:out value="${contact.id}"/>">Del</a>
|
||||||
|
</td>
|
||||||
|
</security:authorize>
|
||||||
|
]]></programlisting></para>
|
||||||
|
|
||||||
<para>This tag would cause the tag's body to be output if the
|
<para>This tag would cause the tag's body to be output if the
|
||||||
principal has been granted ROLE_SUPERVISOR.</para>
|
principal has been granted ROLE_SUPERVISOR.</para>
|
||||||
|
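Review bot: the explanation that follows says the tag's body is output when the principal holds ROLE_SUPERVISOR; it is worth adding that the tag only decides whether the link is rendered and that `del.htm` itself still needs its own access rule (an intercept-url or method security attribute), so that nobody reads the tag as the protection. The lower-cased `<a href>` with `<c:out>` around the id is fine, since `c:out` escapes the value.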
@ -551,13 +551,13 @@ public boolean supports(Class clazz);</programlisting></para>
|
||||||
object.</para>
|
object.</para>
|
||||||
|
|
||||||
<para>The following JSP fragment illustrates how to use the
|
<para>The following JSP fragment illustrates how to use the
|
||||||
<literal>AccessControlListTag</literal>:</para>
|
<literal>AccessControlListTag</literal>:
|
||||||
|
<programlisting><![CDATA[
|
||||||
<para><programlisting><security:accesscontrollist domainObject="${contact}" hasPermission="8,16">
|
<security:accesscontrollist domainObject="${contact}" hasPermission="8,16">
|
||||||
<td><A HREF="<c:url value="del.htm"><c:param name="contactId" value="${contact.id}"/></c:url>">Del</A></td>
|
<td><a href="<c:url value="del.htm"><c:param name="contactId" value="${contact.id}"/></c:url>">Del</a></td>
|
||||||
</security:accesscontrollist></programlisting></para>
|
</security:accesscontrollist>
|
||||||
|
]]></programlisting>
|
||||||
<para>This tag would cause the tag's body to be output if the
|
This tag would cause the tag's body to be output if the
|
||||||
principal holds either permission 16 or permission 1 for the "contact"
|
principal holds either permission 16 or permission 1 for the "contact"
|
||||||
domain object. The numbers are actually integers that are used with
|
domain object. The numbers are actually integers that are used with
|
||||||
<literal>BasePermission</literal> bit masking. Please refer to the ACL
|
<literal>BasePermission</literal> bit masking. Please refer to the ACL
|
||||||
|
|
|
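Review bot: `hasPermission="8,16"` does not agree with the unchanged sentence below it, which says the body is output when the principal holds "either permission 16 or permission 1". With the BasePermission bit masks the paragraph refers to, 8 is DELETE and 16 is ADMINISTRATION, which is what a "Del" link should check, so the prose should say "permission 8 or permission 16" (or, if READ really was intended, the attribute should be changed instead).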
@ -4,7 +4,6 @@
|
||||||
<section xml:id="cas-overview">
|
<section xml:id="cas-overview">
|
||||||
<info><title>Overview</title></info>
|
<info><title>Overview</title></info>
|
||||||
|
|
||||||
|
|
||||||
<para>JA-SIG produces an enterprise-wide single sign on system known
|
<para>JA-SIG produces an enterprise-wide single sign on system known
|
||||||
as CAS. Unlike other initiatives, JA-SIG's Central Authentication
|
as CAS. Unlike other initiatives, JA-SIG's Central Authentication
|
||||||
Service is open source, widely used, simple to understand, platform
|
Service is open source, widely used, simple to understand, platform
|
||||||
|
@ -15,22 +14,17 @@
|
||||||
server.</para>
|
server.</para>
|
||||||
|
|
||||||
<para>You can learn more about CAS at
|
<para>You can learn more about CAS at
|
||||||
<literal>http://www.ja-sig.org/products/cas/</literal>. You will need
|
<literal>http://www.ja-sig.org/products/cas/</literal>. You will also need
|
||||||
to visit this URL to download the CAS Server files. Whilst Spring
|
to visit this site to download the CAS Server files.</para>
|
||||||
Security includes two CAS libraries in the "-with-dependencies" ZIP
|
|
||||||
file, you will still need the CAS Java Server Pages and
|
|
||||||
<literal>web.xml</literal> to customise and deploy your CAS
|
|
||||||
server.</para>
|
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section xml:id="cas-how-it-works"><info><title>How CAS Works</title></info>
|
<section xml:id="cas-how-it-works">
|
||||||
|
<info><title>How CAS Works</title></info>
|
||||||
|
|
||||||
|
<para>Whilst the CAS web site contains documents that detail
|
||||||
<para>Whilst the CAS web site above contains two documents that detail
|
|
||||||
the architecture of CAS, we present the general overview again here
|
the architecture of CAS, we present the general overview again here
|
||||||
within the context of Spring Security. The following refers to both
|
within the context of Spring Security. Spring Security 2.0 supports
|
||||||
CAS 2.0 (produced by Yale) and CAS 3.0 (produced by JA-SIG), being the
|
CAS 3. At the time of writing, the CAS server was at version 3.2.</para>
|
||||||
versions of CAS that Spring Security supports.</para>
|
|
||||||
|
|
||||||
<para>Somewhere in your enterprise you will need to setup a CAS
|
<para>Somewhere in your enterprise you will need to setup a CAS
|
||||||
server. The CAS server is simply a standard WAR file, so there isn't
|
server. The CAS server is simply a standard WAR file, so there isn't
|
||||||
|
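Review bot: the CAS site address is still marked up as `<literal>http://www.ja-sig.org/products/cas/</literal>` while this commit introduces `<link xlink:href>` in the channel-security chapter; turning it into a link would be consistent with that change. Narrowing the supported versions to "CAS 3" and stating the server version at time of writing is a clear improvement over the old CAS 2.0/3.0 wording.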
@ -38,69 +32,27 @@
|
||||||
you will customise the login and other single sign on pages displayed
|
you will customise the login and other single sign on pages displayed
|
||||||
to users.</para>
|
to users.</para>
|
||||||
|
|
||||||
<para>If you are deploying CAS 2.0, you will also need to specify in
|
<para>When deploying a CAS 3.2 server, you will also need to specify an
|
||||||
the web.xml a <literal>PasswordHandler</literal>. The
|
|
||||||
<literal>PasswordHandler</literal> has a simple method that returns a
|
|
||||||
boolean as to whether a given username and password is valid. Your
|
|
||||||
<literal>PasswordHandler</literal> implementation will need to link
|
|
||||||
into some type of backend authentication repository, such as an LDAP
|
|
||||||
server or database.</para>
|
|
||||||
|
|
||||||
<para>If you are already running an existing CAS 2.0 server instance,
|
|
||||||
you will have already established a
|
|
||||||
<literal>PasswordHandler</literal>. If you do not already have a
|
|
||||||
<literal>PasswordHandler</literal>, you might prefer to use Spring
|
|
||||||
Security's <literal>CasPasswordHandler</literal> class. This class
|
|
||||||
delegates through to the standard Spring Security
|
|
||||||
<literal>AuthenticationManager</literal>, enabling you to use a
|
|
||||||
security configuration you might already have in place. You do not
|
|
||||||
need to use the <literal>CasPasswordHandler</literal> class on your
|
|
||||||
CAS server if you do not wish. Spring Security will function as a CAS
|
|
||||||
client successfully irrespective of the
|
|
||||||
<literal>PasswordHandler</literal> you've chosen for your CAS
|
|
||||||
server.</para>
|
|
||||||
|
|
||||||
<para>If you are deploying CAS 3.0, you will also need to specify an
|
|
||||||
<literal>AuthenticationHandler</literal> in the
|
<literal>AuthenticationHandler</literal> in the
|
||||||
deployerConfigContext.xml included with CAS. The
|
<filename>deployerConfigContext.xml</filename> included with CAS. The
|
||||||
<literal>AuthenticationHandler</literal> has a simple method that
|
<literal>AuthenticationHandler</literal> has a simple method that
|
||||||
returns a boolean as to whether a given set of Credentials is valid.
|
returns a boolean as to whether a given set of Credentials is valid.
|
||||||
Your <literal>AuthenticationHandler</literal> implementation will need
|
Your <literal>AuthenticationHandler</literal> implementation will need
|
||||||
to link into some type of backend authentication repository, such as
|
to link into some type of backend authentication repository, such as
|
||||||
an LDAP server or database. CAS itself includes numerous
|
an LDAP server or database. CAS itself includes numerous
|
||||||
<literal>AuthenticationHandler</literal>s out of the box to assist
|
<literal>AuthenticationHandler</literal>s out of the box to assist
|
||||||
with this.</para>
|
with this. When you download and deploy the server war file, it is set up
|
||||||
|
to successfully authenticate users who enter a password matching their
|
||||||
|
username, which is sueful for testing.</para>
|
||||||
|
|
||||||
<para>If you are already running an existing CAS 3.0 server instance,
|
<para>Apart from the CAS server itself, the other key players are of
|
||||||
you will have already established an
|
|
||||||
<literal>AuthenticationHandler</literal>. If you do not already have
|
|
||||||
an <literal>AuthenticationHandler</literal>, you might prefer to use
|
|
||||||
Spring Security <literal>CasAuthenticationHandler</literal> class.
|
|
||||||
This class delegates through to the standard Spring Security
|
|
||||||
<literal>AuthenticationManager</literal>, enabling you to use a
|
|
||||||
security configuration you might already have in place. You do not
|
|
||||||
need to use the <literal>CasAuthenticationHandler</literal> class on
|
|
||||||
your CAS server if you do not wish. Spring Security will function as a
|
|
||||||
CAS client successfully irrespective of the
|
|
||||||
<literal>AuthenticationHandler</literal> you've chosen for your CAS
|
|
||||||
server.</para>
|
|
||||||
|
|
||||||
<para>Apart from the CAS server itself, the other key player is of
|
|
||||||
course the secure web applications deployed throughout your
|
course the secure web applications deployed throughout your
|
||||||
enterprise. These web applications are known as "services". There are
|
enterprise. These web applications are known as "services". There are
|
||||||
two types of services: standard services and proxy services. A proxy
|
two types of services: standard services and proxy services. A proxy
|
||||||
service is able to request resources from other services on behalf of
|
service is able to request resources from other services on behalf of
|
||||||
the user. This will be explained more fully later.</para>
|
the user. This will be explained more fully later.</para>
|
||||||
|
|
||||||
<para>Services can be developed in a large variety of languages, due
|
<para>The basic interaction between a web browser, CAS server and a
|
||||||
to CAS 2.0's very light XML-based protocol. The JA-SIG CAS home page
|
|
||||||
contains a clients archive which demonstrates CAS clients in Java,
|
|
||||||
Active Server Pages, Perl, Python and others. Naturally, Java support
|
|
||||||
is very strong given the CAS server is written in Java. You do not
|
|
||||||
need to use any of CAS' client classes in applications secured by
|
|
||||||
Spring Security. This is handled transparently for you.</para>
|
|
||||||
|
|
||||||
<para>The basic interaction between a web browser, CAS server and n
|
|
||||||
Spring Security-secured service is as follows:</para>
|
Spring Security-secured service is as follows:</para>
|
||||||
|
|
||||||
<orderedlist inheritnum="ignore" continuation="restarts">
|
<orderedlist inheritnum="ignore" continuation="restarts">
|
||||||
|
|
|
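Review bot: "sueful" should be "useful". More importantly, the new sentence saying the downloaded war is set up to authenticate any user whose password matches their username should state plainly that this test handler has to be removed or replaced before the server is exposed, since a reader following these steps otherwise ends up with a CAS server that lets in anyone who knows a username. "The other key players are of course the secure web applications" is fine grammatically ("players are" agrees with "applications"), and dropping the CAS 2.0 PasswordHandler material is consistent with the "Spring Security 2.0 supports CAS 3" statement earlier in the chapter.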
@ -1,11 +1,10 @@
|
||||||
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="channel-security">
|
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="channel-security" xmlns:xlink="http://www.w3.org/1999/xlink">
|
||||||
|
|
||||||
<info><title>Channel Security</title></info>
|
<info><title>Channel Security</title></info>
|
||||||
|
|
||||||
<section xml:id="channel-security-overview">
|
<section xml:id="channel-security-overview">
|
||||||
<info><title>Overview</title></info>
|
<info><title>Overview</title></info>
|
||||||
|
|
||||||
|
|
||||||
<para>In addition to coordinating the authentication and authorization
|
<para>In addition to coordinating the authentication and authorization
|
||||||
requirements of your application, Spring Security is also able to
|
requirements of your application, Spring Security is also able to
|
||||||
ensure unauthenticated web requests have certain properties. These
|
ensure unauthenticated web requests have certain properties. These
|
||||||
|
@ -35,10 +34,12 @@
|
||||||
Security provides a solution to assist with the latter.</para>
|
Security provides a solution to assist with the latter.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section xml:id="channel-security-config"><info><title>Configuration</title></info>
|
<section xml:id="channel-security-config">
|
||||||
|
<info><title>Configuration</title></info>
|
||||||
|
<para>Channel security is supported by the <link xlink:href="#namespace-auto-config">security namespace</link>
|
||||||
<para>To use chanel security, you should define the following the filter in your application
|
by means of the <literal>requires-channel</literal> attribute on the <literal><intercept-url></literal>
|
||||||
|
element and this is the simplest (and recommended approach)</para>
|
||||||
|
<para>To confiure channel security explicitly, you would define the following the filter in your application
|
||||||
context:</para>
|
context:</para>
|
||||||
|
|
||||||
<para><programlisting>
|
<para><programlisting>
|
||||||
|
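Review bot: the link added to the channel-security Configuration paragraph points at `#namespace-auto-config`, but the section this commit introduces for channel security is `<section xml:id="namespace-requires-channel">` (titled "Adding HTTP/HTTPS Channel Security", at the end of the namespace chapter), so the `xlink:href` should be `#namespace-requires-channel`. The same paragraph has a misplaced parenthesis, `this is the simplest (and recommended approach)` should read `this is the simplest (and recommended) approach`, and the paragraph after it has `confiure` for `configure` and `define the following the filter` for `define the following filter`.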
@ -65,7 +66,6 @@
|
||||||
|
|
||||||
<bean id="secureChannelProcessor" class="org.springframework.security.securechannel.SecureChannelProcessor"/>
|
<bean id="secureChannelProcessor" class="org.springframework.security.securechannel.SecureChannelProcessor"/>
|
||||||
<bean id="insecureChannelProcessor" class="org.springframework.security.securechannel.InsecureChannelProcessor"/>
|
<bean id="insecureChannelProcessor" class="org.springframework.security.securechannel.InsecureChannelProcessor"/>
|
||||||
|
|
||||||
</programlisting></para>
|
</programlisting></para>
|
||||||
|
|
||||||
<para>Like <literal>FilterSecurityInterceptor</literal>, Apache Ant
|
<para>Like <literal>FilterSecurityInterceptor</literal>, Apache Ant
|
||||||
|
@ -124,8 +124,8 @@
|
||||||
property is <literal>true</literal>.</para>
|
property is <literal>true</literal>.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section xml:id="channel-security-conclusion"><info><title>Conclusion</title></info>
|
<section xml:id="channel-security-conclusion">
|
||||||
|
<info><title>Conclusion</title></info>
|
||||||
|
|
||||||
<para>Once configured, using the channel security filter is very easy.
|
<para>Once configured, using the channel security filter is very easy.
|
||||||
Simply request pages without regard to the protocol (ie HTTP or HTTPS)
|
Simply request pages without regard to the protocol (ie HTTP or HTTPS)
|
||||||
|
|
|
@ -1,9 +1,10 @@
|
||||||
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="authentication-common-auth-services">
|
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="authentication-common-auth-services" xmlns:xlink="http://www.w3.org/1999/xlink">
|
||||||
<info><title>Common Authentication Services</title></info>
|
<info><title>Common Authentication Services</title></info>
|
||||||
|
|
||||||
<section xml:id="mechanisms-providers-entry-points">
|
<section xml:id="mechanisms-providers-entry-points">
|
||||||
<info><title>Mechanisms, Providers and Entry Points</title></info>
|
<info>
|
||||||
|
<title>Mechanisms, Providers and Entry Points</title>
|
||||||
|
</info>
|
||||||
|
|
||||||
<para>If you're using Spring Security-provided authentication
|
<para>If you're using Spring Security-provided authentication
|
||||||
approaches, you'll usually need to configure a web filter, together
|
approaches, you'll usually need to configure a web filter, together
|
||||||
|
@ -184,21 +185,22 @@
|
||||||
header or HTTP redirect in order to start authentication. Continuing
|
header or HTTP redirect in order to start authentication. Continuing
|
||||||
on with our earlier example:</para>
|
on with our earlier example:</para>
|
||||||
|
|
||||||
<para><programlisting><bean id="exceptionTranslationFilter"
|
<para><programlisting><![CDATA[
|
||||||
class="org.springframework.security.ui.ExceptionTranslationFilter">
|
<bean id="exceptionTranslationFilter"
|
||||||
<property name="authenticationEntryPoint"><ref local="authenticationProcessingFilterEntryPoint"/></property>
|
class="org.springframework.security.ui.ExceptionTranslationFilter">
|
||||||
<property name="accessDeniedHandler">
|
<property name="authenticationEntryPoint" ref="authenticationProcessingFilterEntryPoint"/>
|
||||||
<bean class="org.springframework.security.ui.AccessDeniedHandlerImpl">
|
<property name="accessDeniedHandler">
|
||||||
<property name="errorPage" value="/accessDenied.jsp"/>
|
<bean class="org.springframework.security.ui.AccessDeniedHandlerImpl">
|
||||||
</bean>
|
<property name="errorPage" value="/accessDenied.jsp"/>
|
||||||
</property>
|
</bean>
|
||||||
</bean>
|
</property>
|
||||||
|
</bean>
|
||||||
|
|
||||||
<bean id="authenticationProcessingFilterEntryPoint"
|
<bean id="authenticationProcessingFilterEntryPoint"
|
||||||
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
|
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
|
||||||
<property name="loginFormUrl"><value>/acegilogin.jsp</value></property>
|
<property name="loginFormUrl" value="/login.jsp"/>
|
||||||
<property name="forceHttps"><value>false</value></property>
|
<property name="forceHttps">< value="false"/>
|
||||||
</bean></programlisting></para>
|
</bean>]]></programlisting></para>
|
||||||
|
|
||||||
<para>Notice that the <literal>ExceptionTranslationFilter</literal>
|
<para>Notice that the <literal>ExceptionTranslationFilter</literal>
|
||||||
requires two collaborators. The first,
|
requires two collaborators. The first,
|
||||||
|
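Review bot: `<property name="forceHttps">< value="false"/>` in the new exceptionTranslationFilter listing is not well-formed XML and would not load as a bean definition; it should be `<property name="forceHttps" value="false"/>`, matching the `loginFormUrl` line directly above it. The listing also renames the login page from `/acegilogin.jsp` to `/login.jsp`; the form-login chapter's `authenticationFailureUrl` is changed the same way in this commit, so any remaining `/acegilogin.jsp` reference in the docs should be checked to keep the examples consistent.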
@ -270,9 +272,8 @@
|
||||||
that, Spring Security does include a couple of useful base
|
that, Spring Security does include a couple of useful base
|
||||||
implementations, which we'll look at below.</para>
|
implementations, which we'll look at below.</para>
|
||||||
|
|
||||||
<section xml:id="in-memory-service"><info><title>In-Memory Authentication</title></info>
|
<section xml:id="in-memory-service">
|
||||||
|
<info><title>In-Memory Authentication</title></info>
|
||||||
|
|
||||||
<para>Whilst it is easy to use create a custom
|
<para>Whilst it is easy to use create a custom
|
||||||
<literal>UserDetailsService</literal> implementation that extracts
|
<literal>UserDetailsService</literal> implementation that extracts
|
||||||
information from a persistence engine of choice, many applications
|
information from a persistence engine of choice, many applications
|
||||||
|
@ -281,52 +282,34 @@
|
||||||
Security, when you don't really want to spend time configuring
|
Security, when you don't really want to spend time configuring
|
||||||
databases or writing <literal>UserDetailsService</literal>
|
databases or writing <literal>UserDetailsService</literal>
|
||||||
implementations. For this sort of situation, a simple option is to
|
implementations. For this sort of situation, a simple option is to
|
||||||
configure the <literal>InMemoryDaoImpl</literal>
|
use the <literal>user-service</literal> element from the security
|
||||||
implementation:</para>
|
<link xlink:href="#namespace-minimal" >namespace</link>:
|
||||||
|
<programlisting><![CDATA[
|
||||||
<para><programlisting><bean id="inMemoryDaoImpl"
|
<user-service id="userDetailsService">
|
||||||
class="org.springframework.security.userdetails.memory.InMemoryDaoImpl">
|
<user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
|
||||||
<property name="userMap">
|
<user name="bob" password="bobspassword" authorities="ROLE_USER" />
|
||||||
<value>
|
</user-service>
|
||||||
rod=koala,ROLE_TELLER,ROLE_SUPERVISOR
|
]]>
|
||||||
dianne=emu,ROLE_TELLER
|
</programlisting>
|
||||||
scott=wombat,ROLE_TELLER
|
This also suppots the use of an external properties file:
|
||||||
peter=opal,disabled,ROLE_TELLER
|
<programlisting><![CDATA[
|
||||||
</value>
|
<user-service id="userDetailsService" properties="users.properties"/>
|
||||||
</property>
|
]]>
|
||||||
</bean> </programlisting></para>
|
</programlisting>
|
||||||
|
The properties file should contain entries in the form
|
||||||
<para>In the above example, the <literal>userMap</literal> property
|
<programlisting>
|
||||||
contains each of the usernames, passwords, a list of granted
|
username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]
|
||||||
authorities and an optional enabled/disabled keyword. Commas are
|
</programlisting>
|
||||||
used to delimit each token. The username must appear to the left of
|
For example
|
||||||
the equals sign, and the password must be the first token to the
|
<programlisting>
|
||||||
right of the equals sign. The <literal>enabled</literal> and
|
jimi=jimispassword,ROLE_USER,ROLE_ADMIN,enabled
|
||||||
<literal>disabled</literal> keywords (case insensitive) may appear
|
bob=bobspassword,ROLE_USER,enabled
|
||||||
in the second or any subsequent token. Any remaining tokens are
|
</programlisting>
|
||||||
treated as granted authorities, which are created as
|
</para>
|
||||||
<literal>GrantedAuthorityImpl</literal> objects (this is just for
|
|
||||||
your reference - most applications don't need custom
|
|
||||||
<literal>GrantedAuthority</literal> implementations, so using the
|
|
||||||
default implementation in this manner is just fine). Note that if a
|
|
||||||
user has no password and/or no granted authorities, the user will
|
|
||||||
not be created in the in-memory authentication repository.</para>
|
|
||||||
|
|
||||||
<para><literal>InMemoryDaoImpl</literal> also offers a
|
|
||||||
<literal>setUserProperties(Properties)</literal> method, which
|
|
||||||
allows you to externalise the
|
|
||||||
<literal>java.util.Properties</literal> in another Spring configured
|
|
||||||
bean or an external properties file. You might like to use Spring's
|
|
||||||
<literal>PropertiesFactoryBean</literal>, which is useful for
|
|
||||||
loading such external properties files. This setter might prove
|
|
||||||
useful for simple applications that have a larger number of users,
|
|
||||||
or deployment-time configuration changes, but do not wish to use a
|
|
||||||
full database for handling authentication details.</para>
|
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section xml:id="jdbc-service"><info><title>JDBC Authentication</title></info>
|
<section xml:id="jdbc-service">
|
||||||
|
<info><title>JDBC Authentication</title></info>
|
||||||
|
|
||||||
<para>Spring Security also includes a
|
<para>Spring Security also includes a
|
||||||
<literal>UserDetailsService</literal> that can obtain authentication
|
<literal>UserDetailsService</literal> that can obtain authentication
|
||||||
information from a JDBC data source. Internally Spring JDBC is used,
|
information from a JDBC data source. Internally Spring JDBC is used,
|
||||||
|
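Review bot: the rewritten in-memory section drops two statements from the old paragraph that nothing in the replacement covers: that the `enabled`/`disabled` keyword is case-insensitive and may appear in any token after the password, and that a user with no password or no granted authorities is not created in the repository. The new format line `username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]` implies the flag must come last, which is narrower than the old rule; either restate the rule or confirm the properties parser now requires that position. Also `suppots` should be `supports`, `For example` needs a trailing colon, and `<link xlink:href="#namespace-minimal" >` has a stray space before `>`.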
@ -338,16 +321,18 @@
|
||||||
<literal>JdbcDaoImpl</literal>, an example configuration is shown
|
<literal>JdbcDaoImpl</literal>, an example configuration is shown
|
||||||
below:</para>
|
below:</para>
|
||||||
|
|
||||||
<para><programlisting><bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
|
<para><programlisting>
|
||||||
<property name="driverClassName"><value>org.hsqldb.jdbcDriver</value></property>
|
<![CDATA[
|
||||||
<property name="url"><value>jdbc:hsqldb:hsql://localhost:9001</value></property>
|
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
|
||||||
<property name="username"><value>sa</value></property>
|
<property name="driverClassName" value="org.hsqldb.jdbcDriver"/>
|
||||||
<property name="password"><value></value></property>
|
<property name="url" value="jdbc:hsqldb:hsql://localhost:9001"/>
|
||||||
</bean>
|
<property name="username" value="sa"/>
|
||||||
|
<property name="password" value=""/>
|
||||||
|
</bean>
|
||||||
|
|
||||||
<bean id="jdbcDaoImpl" class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl">
|
<bean id="jdbcDaoImpl" class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl">
|
||||||
<property name="dataSource"><ref bean="dataSource"/></property>
|
<property name="dataSource" ref="dataSource"/>
|
||||||
</bean> </programlisting></para>
|
</bean> ]]> </programlisting></para>
|
||||||
|
|
||||||
<para>You can use different relational database management systems
|
<para>You can use different relational database management systems
|
||||||
by modifying the <literal>DriverManagerDataSource</literal> shown
|
by modifying the <literal>DriverManagerDataSource</literal> shown
|
||||||
|
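Review bot: `</bean> ]]> </programlisting></para>` keeps a space before `]]>` that sits inside the CDATA section and therefore ends up in the rendered listing; close it as `</bean>]]></programlisting></para>`, as the other listings converted in this commit do. The same trailing space appears in the daoAuthenticationProvider, authenticationProcessingFilter and userSearch listings.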
@ -372,8 +357,8 @@
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section xml:id="concurrent-sessions"><info><title>Concurrent Session Handling</title></info>
|
<section xml:id="concurrent-sessions">
|
||||||
|
<info><title>Concurrent Session Handling</title></info>
|
||||||
|
|
||||||
<para>Spring Security is able to prevent a principal from concurrently
|
<para>Spring Security is able to prevent a principal from concurrently
|
||||||
authenticating to the same application more than a specified number of
|
authenticating to the same application more than a specified number of
|
||||||
|
@ -411,40 +396,42 @@
|
||||||
<literal>ConcurrentSessionControllerImpl</literal> and refer to it
|
<literal>ConcurrentSessionControllerImpl</literal> and refer to it
|
||||||
from your <literal>ProviderManager</literal> bean:</para>
|
from your <literal>ProviderManager</literal> bean:</para>
|
||||||
|
|
||||||
<para><programlisting><bean id="authenticationManager"
|
<para>
|
||||||
class="org.springframework.security.providers.ProviderManager">
|
<programlisting><![CDATA[
|
||||||
<property name="providers">
|
<bean id="authenticationManager"
|
||||||
<!-- your providers go here -->
|
class="org.springframework.security.providers.ProviderManager">
|
||||||
</property>
|
<property name="providers">
|
||||||
<property name="sessionController"><ref bean="concurrentSessionController"/></property>
|
<!-- your providers go here -->
|
||||||
</bean>
|
</property>
|
||||||
|
<property name="sessionController" ref="concurrentSessionController"/>
|
||||||
|
</bean>
|
||||||
|
|
||||||
<bean id="concurrentSessionController"
|
<bean id="concurrentSessionController"
|
||||||
class="org.springframework.security.concurrent.ConcurrentSessionControllerImpl">
|
class="org.springframework.security.concurrent.ConcurrentSessionControllerImpl">
|
||||||
<property name="maximumSessions"><value>1</value></property>
|
<property name="maximumSessions" value="1"/>
|
||||||
<property name="sessionRegistry"><ref local="sessionRegistry"/></property>
|
<property name="sessionRegistry">
|
||||||
</bean>
|
<bean class="org.springframework.security.concurrent.SessionRegistryImpl"/>
|
||||||
|
<property>
|
||||||
<bean id="sessionRegistry" class="org.springframework.security.concurrent.SessionRegistryImpl"/></programlisting></para>
|
</bean>
|
||||||
|
]]></programlisting></para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section xml:id="authentication-taglibs"><info><title>Authentication Tag Libraries</title></info>
|
<section xml:id="authentication-taglibs">
|
||||||
|
<info><title>Authentication Tag Libraries</title></info>
|
||||||
|
|
||||||
<para><literal>AuthenticationTag</literal> is used to simply output a
|
<para><literal>AuthenticationTag</literal> is used to simply output a
|
||||||
property of the current principal's
|
property of the current <literal>Authentication</literal> object to the web
|
||||||
<literal>Authentication.getPrincipal()</literal> object to the web
|
|
||||||
page.</para>
|
page.</para>
|
||||||
|
|
||||||
<para>The following JSP fragment illustrates how to use the
|
<para>The following JSP fragment illustrates how to use the
|
||||||
<literal>AuthenticationTag</literal>:</para>
|
<literal>AuthenticationTag</literal>:</para>
|
||||||
|
|
||||||
<para><programlisting><security:authentication operation="username"/></programlisting></para>
|
<para><programlisting><security:authentication property="principal.username"/></programlisting></para>
|
||||||
|
|
||||||
<para>This tag would cause the principal's name to be output. Here we
|
<para>This tag would cause the principal's name to be output. Here we
|
||||||
are assuming the <literal>Authentication.getPrincipal()</literal> is a
|
are assuming the <literal>Authentication.getPrincipal()</literal> is a
|
||||||
<literal>UserDetails</literal> object, which is generally the case
|
<literal>UserDetails</literal> object, which is generally the case
|
||||||
when using the typical
|
when using one of Spring Security's stadard <literal>AuthenticationProvider</literal>
|
||||||
<literal>DaoAuthenticationProvider</literal>.</para>
|
implementations.</para>
|
||||||
</section>
|
</section>
|
||||||
</chapter>
|
</chapter>
|
|
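Review bot: in the concurrentSessionController listing the nested `sessionRegistry` property is closed with `<property>` instead of `</property>`, so the new CDATA block is not well-formed XML and the context would fail to load. Inlining `SessionRegistryImpl` as an anonymous bean also removes the top-level `sessionRegistry` bean the old listing defined by id (the old version wired it with `<ref local="sessionRegistry"/>`); if anything else in the chapter refers to the registry by that name, that reference now has no target, so keep the named bean when the registry is shared. In the tag-library section, `stadard` should be `standard`.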
@ -1,8 +1,9 @@
|
||||||
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="dao-provider"><info><title>DAO Authentication Provider</title></info>
|
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="dao-provider">
|
||||||
|
|
||||||
|
<info><title>DAO Authentication Provider</title></info>
|
||||||
|
|
||||||
<section xml:id="dao-provider-overview"><info><title>Overview</title></info>
|
<section xml:id="dao-provider-overview">
|
||||||
|
<info><title>Overview</title></info>
|
||||||
|
|
||||||
<para>Spring Security includes a production-quality
|
<para>Spring Security includes a production-quality
|
||||||
<literal>AuthenticationProvider</literal> implementation called
|
<literal>AuthenticationProvider</literal> implementation called
|
||||||
|
@ -20,8 +21,8 @@
|
||||||
object.</para>
|
object.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section xml:id="dao-provider-config"><info><title>Configuration</title></info>
|
<section xml:id="dao-provider-config">
|
||||||
|
<info><title>Configuration</title></info>
|
||||||
|
|
||||||
<para>Aside from adding DaoAuthenticationProvider to your
|
<para>Aside from adding DaoAuthenticationProvider to your
|
||||||
ProviderManager list (as discussed at the start of this part of the
|
ProviderManager list (as discussed at the start of this part of the
|
||||||
|
@ -29,12 +30,15 @@
|
||||||
configured to present a UsernamePasswordAuthenticationToken, the
|
configured to present a UsernamePasswordAuthenticationToken, the
|
||||||
configuration of the provider itself is rather simple:</para>
|
configuration of the provider itself is rather simple:</para>
|
||||||
|
|
||||||
<para><programlisting><bean id="daoAuthenticationProvider"
|
<para><programlisting>
|
||||||
class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
|
<![CDATA[
|
||||||
<property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property>
|
<bean id="daoAuthenticationProvider"
|
||||||
<property name="saltSource"><ref bean="saltSource"/></property>
|
class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
|
||||||
<property name="passwordEncoder"><ref bean="passwordEncoder"/></property>
|
<property name="userDetailsService" ref="inMemoryDaoImpl"/>
|
||||||
</bean> </programlisting></para>
|
<property name="saltSource" ref bean="saltSource"/>
|
||||||
|
<property name="passwordEncoder" ref="passwordEncoder"/>
|
||||||
|
</bean> ]]>
|
||||||
|
</programlisting></para>
|
||||||
|
|
||||||
<para>The <literal>PasswordEncoder</literal> and
|
<para>The <literal>PasswordEncoder</literal> and
|
||||||
<literal>SaltSource</literal> are optional. A
|
<literal>SaltSource</literal> are optional. A
|
||||||
|
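Review bot: `<property name="saltSource" ref bean="saltSource"/>` in the daoAuthenticationProvider listing is malformed (a bare `ref` attribute with no value, plus a `bean` attribute that `<property>` does not have); it should be `<property name="saltSource" ref="saltSource"/>`, like the `userDetailsService` and `passwordEncoder` properties on either side of it.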
@ -65,31 +69,26 @@
|
||||||
A usable caching implementation is also provided,
|
A usable caching implementation is also provided,
|
||||||
<literal>EhCacheBasedUserCache</literal>, which is configured as
|
<literal>EhCacheBasedUserCache</literal>, which is configured as
|
||||||
follows:</para>
|
follows:</para>
|
||||||
|
<para><programlisting><![CDATA[
|
||||||
|
<bean id="daoAuthenticationProvider"
|
||||||
|
class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
|
||||||
|
<property name="userDetailsService"><ref bean="userDetailsService"/></property>
|
||||||
|
<property name="userCache"><ref bean="userCache"/></property>
|
||||||
|
</bean>
|
||||||
|
|
||||||
<para><programlisting><bean id="daoAuthenticationProvider"
|
<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
|
||||||
class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
|
<property name="configLocation" value="classpath:/ehcache-failsafe.xml"/>
|
||||||
<property name="userDetailsService"><ref bean="userDetailsService"/></property>
|
</bean>
|
||||||
<property name="userCache"><ref bean="userCache"/></property>
|
|
||||||
</bean>
|
|
||||||
|
|
||||||
<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
|
<bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
|
||||||
<property name="configLocation">
|
<property name="cacheManager" ref="cacheManager"/>
|
||||||
<value>classpath:/ehcache-failsafe.xml</value>
|
<property name="cacheName" value="userCache"/>
|
||||||
</property>
|
</bean>
|
||||||
</bean>
|
|
||||||
|
|
||||||
<bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
|
<bean id="userCache" class="org.springframework.security.providers.dao.cache.EhCacheBasedUserCache">
|
||||||
<property name="cacheManager">
|
<property name="cache" ref="userCacheBackend"/>
|
||||||
<ref local="cacheManager"/>
|
</bean>]]>
|
||||||
</property>
|
</programlisting></para>
|
||||||
<property name="cacheName">
|
|
||||||
<value>userCache</value>
|
|
||||||
</property>
|
|
||||||
</bean>
|
|
||||||
|
|
||||||
<bean id="userCache" class="org.springframework.security.providers.dao.cache.EhCacheBasedUserCache">
|
|
||||||
<property name="cache"><ref local="userCacheBackend"/></property>
|
|
||||||
</bean> </programlisting></para>
|
|
||||||
|
|
||||||
<para>All Spring Security EH-CACHE implementations (including
|
<para>All Spring Security EH-CACHE implementations (including
|
||||||
<literal>EhCacheBasedUserCache</literal>) require an EH-CACHE
|
<literal>EhCacheBasedUserCache</literal>) require an EH-CACHE
|
||||||
|
|
|
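Review bot: the EhCache listing is only half converted to the attribute style used throughout this commit: `<property name="userDetailsService"><ref bean="userDetailsService"/></property>` and `<property name="userCache"><ref bean="userCache"/></property>` keep the nested `<ref>` form while the `cacheManager`, `cacheName` and `cache` properties below them use `ref="..."` and `value="..."`. Use `<property name="userDetailsService" ref="userDetailsService"/>` and `<property name="userCache" ref="userCache"/>` for consistency.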
@ -33,7 +33,8 @@
|
||||||
This is a value the server generates. Spring Security's nonce adopts
|
This is a value the server generates. Spring Security's nonce adopts
|
||||||
the following format:</para>
|
the following format:</para>
|
||||||
|
|
||||||
<para><programlisting>base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key))
|
<para><programlisting>
|
||||||
|
base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key))
|
||||||
|
|
||||||
expirationTime: The date and time when the nonce expires, expressed in milliseconds
|
expirationTime: The date and time when the nonce expires, expressed in milliseconds
|
||||||
key: A private key to prevent modification of the nonce token
|
key: A private key to prevent modification of the nonce token
|
||||||
|
@ -89,18 +90,20 @@
|
||||||
collaborators:</para>
|
collaborators:</para>
|
||||||
|
|
||||||
<para><programlisting>
|
<para><programlisting>
|
||||||
<bean id="digestProcessingFilter" class="org.springframework.security.ui.digestauth.DigestProcessingFilter">
|
<![CDATA[
|
||||||
<property name="userDetailsService"><ref local="jdbcDaoImpl"/></property>
|
<bean id="digestProcessingFilter"
|
||||||
<property name="authenticationEntryPoint"><ref local="digestProcessingFilterEntryPoint"/></property>
|
class="org.springframework.security.ui.digestauth.DigestProcessingFilter">
|
||||||
<property name="userCache"><ref local="userCache"/></property>
|
<property name="userDetailsService" ref="jdbcDaoImpl"/>
|
||||||
</bean>
|
<property name="authenticationEntryPoint" ref="digestProcessingFilterEntryPoint"/>
|
||||||
|
<property name="userCache" ref="userCache"/>
|
||||||
|
</bean>
|
||||||
|
|
||||||
<bean id="digestProcessingFilterEntryPoint"
|
<bean id="digestProcessingFilterEntryPoint"
|
||||||
class="org.springframework.security.ui.digestauth.DigestProcessingFilterEntryPoint">
|
class="org.springframework.security.ui.digestauth.DigestProcessingFilterEntryPoint">
|
||||||
<property name="realmName"><value>Contacts Realm via Digest Authentication</value></property>
|
<property name="realmName" value="Contacts Realm via Digest Authentication"/>
|
||||||
<property name="key"><value>acegi</value></property>
|
<property name="key" value="acegi"/>
|
||||||
<property name="nonceValiditySeconds"><value>10</value></property>
|
<property name="nonceValiditySeconds" value="10"/>
|
||||||
</bean>
|
</bean>]]>
|
||||||
|
|
||||||
</programlisting></para>
|
</programlisting></para>
|
||||||
|
|
||||||
|
|
|
@ -20,14 +20,14 @@
|
||||||
monitored by the filter (by default
|
monitored by the filter (by default
|
||||||
<literal>j_spring_security_check</literal>). You should add an
|
<literal>j_spring_security_check</literal>). You should add an
|
||||||
<literal>AuthenticationProcessingFilter</literal> to you application context:
|
<literal>AuthenticationProcessingFilter</literal> to you application context:
|
||||||
<programlisting>
|
<programlisting><![CDATA[
|
||||||
<bean id="authenticationProcessingFilter"
|
<bean id="authenticationProcessingFilter"
|
||||||
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
|
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
|
||||||
<property name="authenticationManager" ref="authenticationManager"/>
|
<property name="authenticationManager" ref="authenticationManager"/>
|
||||||
<property name="authenticationFailureUrl" value="/acegilogin.jsp?login_error=1"/>
|
<property name="authenticationFailureUrl" value="/login.jsp?login_error=1"/>
|
||||||
<property name="defaultTargetUrl" value="/"/>
|
<property name="defaultTargetUrl" value="/"/>
|
||||||
<property name="filterProcessesUrl" value="/j_spring_security_check"/>
|
<property name="filterProcessesUrl" value="/j_spring_security_check"/>
|
||||||
</bean>
|
</bean> ]]>
|
||||||
</programlisting></para>
|
</programlisting></para>
|
||||||
|
|
||||||
<para>The configured <literal>AuthenticationManager</literal>
|
<para>The configured <literal>AuthenticationManager</literal>
|
||||||
|
|
|
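Review bot: the unchanged context line `<literal>AuthenticationProcessingFilter</literal> to you application context:` has `you` for `your`; since this hunk already edits the same paragraph's listing, fix the typo here rather than leaving it for another pass.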
@ -21,19 +21,16 @@
|
||||||
|
|
||||||
<para>Let’s assume we have a JAAS login configuration file,
|
<para>Let’s assume we have a JAAS login configuration file,
|
||||||
<literal>/WEB-INF/login.conf</literal>, with the following
|
<literal>/WEB-INF/login.conf</literal>, with the following
|
||||||
contents:</para>
|
contents:
|
||||||
|
<programlisting>
|
||||||
<para><programlisting>JAASTest {
|
JAASTest {
|
||||||
sample.SampleLoginModule required;
|
sample.SampleLoginModule required;
|
||||||
};</programlisting></para>
|
};</programlisting></para>
|
||||||
|
|
||||||
<para>Like all Spring Security beans, the
|
<para>Like all Spring Security beans, the
|
||||||
<literal>JaasAuthenticationProvider</literal> is configured via the
|
<literal>JaasAuthenticationProvider</literal> is configured via the
|
||||||
application context. The following definitions would correspond to the
|
application context. The following definitions would correspond to the
|
||||||
above JAAS login configuration file:</para>
|
above JAAS login configuration file:
|
||||||
|
<programlisting><![CDATA[
|
||||||
<para><programlisting>
|
|
||||||
<![CDATA[
|
|
||||||
<bean id="jaasAuthenticationProvider"
|
<bean id="jaasAuthenticationProvider"
|
||||||
class="org.springframework.security.providers.jaas.JaasAuthenticationProvider">
|
class="org.springframework.security.providers.jaas.JaasAuthenticationProvider">
|
||||||
<property name="loginConfig" value="/WEB-INF/login.conf"/>
|
<property name="loginConfig" value="/WEB-INF/login.conf"/>
|
||||||
|
@ -50,8 +47,7 @@
|
||||||
</list>
|
</list>
|
||||||
</property>
|
</property>
|
||||||
</bean>
|
</bean>
|
||||||
]]>
|
]]></programlisting></para>
|
||||||
</programlisting></para>
|
|
||||||
|
|
||||||
<para>The <literal>CallbackHandler</literal>s and
|
<para>The <literal>CallbackHandler</literal>s and
|
||||||
<literal>AuthorityGranter</literal>s are discussed below.</para>
|
<literal>AuthorityGranter</literal>s are discussed below.</para>
|
||||||
|
@ -99,7 +95,6 @@
|
||||||
<section xml:id="jaas-authoritygranter">
|
<section xml:id="jaas-authoritygranter">
|
||||||
<info><title xml:id="jaas-authority-granter">JAAS AuthorityGranter</title></info>
|
<info><title xml:id="jaas-authority-granter">JAAS AuthorityGranter</title></info>
|
||||||
|
|
||||||
|
|
||||||
<para>JAAS works with principals. Even "roles" are represented as
|
<para>JAAS works with principals. Even "roles" are represented as
|
||||||
principals in JAAS. Spring Security, on the other hand, works with
|
principals in JAAS. Spring Security, on the other hand, works with
|
||||||
<literal>Authentication</literal> objects. Each
|
<literal>Authentication</literal> objects. Each
|
||||||
|
|
|
@ -112,8 +112,8 @@
|
||||||
</info>
|
</info>
|
||||||
<para>
|
<para>
|
||||||
This is the most common LDAP authentication scenario.
|
This is the most common LDAP authentication scenario.
|
||||||
<programlisting>
|
<programlisting><![CDATA[
|
||||||
<![CDATA[<ldap-authentication-provider user-dn-pattern="uid={0},ou=people"/>
|
<ldap-authentication-provider user-dn-pattern="uid={0},ou=people"/>
|
||||||
]]></programlisting>
|
]]></programlisting>
|
||||||
This simple example would obtain the DN for the user by substituting the user login
|
This simple example would obtain the DN for the user by substituting the user login
|
||||||
name in the supplied pattern and attempting to bind as that user with the login
|
name in the supplied pattern and attempting to bind as that user with the login
|
||||||
|
@ -329,8 +329,7 @@
|
||||||
</info>
|
</info>
|
||||||
<para>A typical configuration, using some of the beans we've discussed here, might look
|
<para>A typical configuration, using some of the beans we've discussed here, might look
|
||||||
like this:
|
like this:
|
||||||
<programlisting>
|
<programlisting><![CDATA[
|
||||||
<![CDATA[
|
|
||||||
<bean id="contextSource"
|
<bean id="contextSource"
|
||||||
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
|
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
|
||||||
<constructor-arg value="ldap://monkeymachine:389/dc=springframework,dc=org"/>
|
<constructor-arg value="ldap://monkeymachine:389/dc=springframework,dc=org"/>
|
||||||
|
@ -343,7 +342,9 @@
|
||||||
<constructor-arg>
|
<constructor-arg>
|
||||||
<bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
|
<bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
|
||||||
<constructor-arg ref="contextSource"/>
|
<constructor-arg ref="contextSource"/>
|
||||||
<property name="userDnPatterns"><list><value>uid={0},ou=people</value></list></property>
|
<property name="userDnPatterns">
|
||||||
|
<list><value>uid={0},ou=people</value></list>
|
||||||
|
</property>
|
||||||
</bean>
|
</bean>
|
||||||
</constructor-arg>
|
</constructor-arg>
|
||||||
<constructor-arg>
|
<constructor-arg>
|
||||||
|
@ -370,14 +371,12 @@
|
||||||
<literal>(uid=<user-login-name>)</literal>
|
<literal>(uid=<user-login-name>)</literal>
|
||||||
for use instead of the DN-pattern (or in addition to it), you would configure the
|
for use instead of the DN-pattern (or in addition to it), you would configure the
|
||||||
following bean
|
following bean
|
||||||
<programlisting>
|
<programlisting><![CDATA[
|
||||||
<![CDATA[
|
|
||||||
<bean id="userSearch"
|
<bean id="userSearch"
|
||||||
class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
|
class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
|
||||||
<constructor-arg index="0" value=""/>
|
<constructor-arg index="0" value=""/>
|
||||||
<constructor-arg index="1" value="(uid={0})"/>
|
<constructor-arg index="1" value="(uid={0})"/>
|
||||||
<constructor-arg index="2" ref="contextSource" />
|
<constructor-arg index="2" ref="contextSource" />
|
||||||
<property name="searchSubtree" value="true"/>
|
|
||||||
</bean> ]]>
|
</bean> ]]>
|
||||||
</programlisting>
|
</programlisting>
|
||||||
and use it by setting the authenticator's
|
and use it by setting the authenticator's
|
||||||
|
|
|
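Review bot: removing `<property name="searchSubtree" value="true"/>` from the userSearch bean silently changes the example's search scope: with the property gone the scope falls back to whatever `FilterBasedLdapUserSearch` defaults to, and the surrounding text does not say what that default is. Either keep the explicit setting or add a sentence stating the default scope, so a reader whose users sit below the search base knows whether the property is required.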
@ -141,15 +141,15 @@
|
||||||
<url-pattern>/*</url-pattern>
|
<url-pattern>/*</url-pattern>
|
||||||
</filter-mapping>]]>
|
</filter-mapping>]]>
|
||||||
</programlisting>
|
</programlisting>
|
||||||
This provides a hook into the Spring Security web infrastructure. You can find more details
|
This provides a hook into the Spring Security web infrastructure. <!-- You can find more details
|
||||||
of how this works in
|
of how this works in
|
||||||
<link xlink:href="#todo">TODO</link>. You're then ready to start editing your application
|
<link xlink:href="#todo">TODO</link>-->. You're then ready to start editing your application
|
||||||
context file. Web security services are configured using the <literal><http></literal>
|
context file. Web security services are configured using the <literal><http></literal>
|
||||||
element.
|
element.
|
||||||
</para>
|
</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section xml:id="namespace-minimal">
|
||||||
<info>
|
<info>
|
||||||
<title>A Minimal <literal><http></literal>Configuration</title>
|
<title>A Minimal <literal><http></literal>Configuration</title>
|
||||||
</info>
|
</info>
|
||||||
|
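Review bot: the comment added to the `This provides a hook into the Spring Security web infrastructure.` paragraph leaves a stray full stop in the rendered text: `infrastructure. <!-- You can find more details ... TODO</link>-->. You're then ready` renders as "infrastructure. . You're then ready". Move the full stop inside the comment (`TODO</link>. -->`) or drop it. While in this hunk, the unchanged title `A Minimal <literal><http></literal>Configuration` is missing a space before `Configuration`.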
@ -206,7 +206,7 @@
|
||||||
login page, but the namespace offers plenty of options to allow you to customize this
|
login page, but the namespace offers plenty of options to allow you to customize this
|
||||||
kind of thing.
|
kind of thing.
|
||||||
</para>
|
</para>
|
||||||
<section>
|
<section xml:id="namespace-auto-config">
|
||||||
<title>What does <literal>auto-config</literal> Include?</title>
|
<title>What does <literal>auto-config</literal> Include?</title>
|
||||||
<para>
|
<para>
|
||||||
The <literal>auto-config</literal> attribute, as we have used it above, is just a
|
The <literal>auto-config</literal> attribute, as we have used it above, is just a
|
||||||
|
@ -306,5 +306,35 @@
|
||||||
</para>
|
</para>
|
||||||
</section>
|
</section>
|
||||||
</section>
|
</section>
|
||||||
|
<section xml:id="namespace-requires-channel">
|
||||||
|
<title>Adding HTTP/HTTPS Channel Security</title>
|
||||||
|
<para>If your application supports both HTTP and HTTPS, and you require that particular URLs can only be accessed over HTTPS, then this is
|
||||||
|
directly supported using the <literal>requires-channel</literal> attribute on <literal><intercept-url></literal>:
|
||||||
|
<programlisting><![CDATA[
|
||||||
|
<http>
|
||||||
|
<intercept-url pattern="/secure/**" access="ROLE_USER" requires-channel="https"/>
|
||||||
|
<intercept-url pattern="/**" access="ROLE_USER" requires-channel="any"/>
|
||||||
|
...
|
||||||
|
</http>]]>
|
||||||
|
</programlisting>
|
||||||
|
With this configuration in place, if a user attempts to access anything matching the "/secure/**"
|
||||||
|
pattern using HTTP, they will first be redirected to an HTTPS URL.
|
||||||
|
The available options are "http", "https" or "any". Using the value "any" means that either HTTP or HTTPS
|
||||||
|
can be used.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
If your application uses non-standard ports for HTTP and/or HTTPS, you can specify a list of port mappings as follows:
|
||||||
|
<programlisting>
|
||||||
|
<![CDATA[
|
||||||
|
<http>
|
||||||
|
...
|
||||||
|
<port-mappings>
|
||||||
|
<port-mapping http="9080" https="9443"/>
|
||||||
|
</port-mappings>
|
||||||
|
</http>]]>
|
||||||
|
</programlisting>
|
||||||
|
You can find a more in-depth discussion of channel security in <xref xlink:href="#channel-security"/>.
|
||||||
|
</para>
|
||||||
|
</section>
|
||||||
</section>
|
</section>
|
||||||
</chapter>
|
</chapter>
|
|
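Review bot: the new `requires-channel` section should state that `<intercept-url>` order matters. The first pattern that matches a request is the one applied, so `/secure/**` has to appear before the catch-all `/**`; if the two lines were swapped, the `requires-channel="any"` rule would also cover `/secure/**` and the HTTPS redirect the prose describes would never happen. One sentence after the first listing would cover it. Also, the two listings place `<![CDATA[` differently (on the `<programlisting>` line in the first, on its own line in the second), which leaves a leading blank line in the second rendered listing; use the inline form for both.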
@ -25,13 +25,13 @@
|
||||||
via hooks in the <literal>AbstractProcessingFilter</literal>
|
via hooks in the <literal>AbstractProcessingFilter</literal>
|
||||||
superclass. The hooks will invoke a concrete
|
superclass. The hooks will invoke a concrete
|
||||||
<literal>RememberMeServices</literal> at the appropriate times. The
|
<literal>RememberMeServices</literal> at the appropriate times. The
|
||||||
interface looks like this:</para>
|
interface looks like this:
|
||||||
|
<programlisting>
|
||||||
<para><programlisting>public Authentication autoLogin(HttpServletRequest request, HttpServletResponse response);
|
Authentication autoLogin(HttpServletRequest request, HttpServletResponse response);
|
||||||
public void loginFail(HttpServletRequest request, HttpServletResponse response);
|
void loginFail(HttpServletRequest request, HttpServletResponse response);
|
||||||
public void loginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication);</programlisting></para>
|
void loginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication);
|
||||||
|
</programlisting>
|
||||||
<para>Please refer to JavaDocs for a fuller discussion on what the
|
Please refer to JavaDocs for a fuller discussion on what the
|
||||||
methods do, although note at this stage
|
methods do, although note at this stage
|
||||||
<literal>AbstractProcessingFilter</literal> only calls the
|
<literal>AbstractProcessingFilter</literal> only calls the
|
||||||
<literal>loginFail()</literal> and <literal>loginSuccess()</literal>
|
<literal>loginFail()</literal> and <literal>loginSuccess()</literal>
|
||||||
|
@ -53,7 +53,8 @@
|
||||||
the browser upon successful interactive authentication, with that
|
the browser upon successful interactive authentication, with that
|
||||||
cookie being composed as follows:</para>
|
cookie being composed as follows:</para>
|
||||||
|
|
||||||
<para><programlisting>base64(username + ":" + expirationTime + ":" + md5Hex(username + ":" + expirationTime + ":" password + ":" + key))
|
<para><programlisting>
|
||||||
|
base64(username + ":" + expirationTime + ":" + md5Hex(username + ":" + expirationTime + ":" password + ":" + key))
|
||||||
|
|
||||||
username: As identifiable to TokenBasedRememberMeServices.getUserDetailsService()
|
username: As identifiable to TokenBasedRememberMeServices.getUserDetailsService()
|
||||||
password: That matches the relevant UserDetails retrieved from TokenBasedRememberMeServices.getUserDetailsService()
|
password: That matches the relevant UserDetails retrieved from TokenBasedRememberMeServices.getUserDetailsService()
|
||||||
|
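Review bot: the cookie formula this hunk moves into the listing is missing an operator: `md5Hex(username + ":" + expirationTime + ":" password + ":" + key)` needs a `+` between `":"` and `password`, i.e. `... + ":" + password + ":" + key`. Readers will verify or reimplement tokens against this line, so it is worth correcting while the listing is being reformatted.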
@ -90,21 +91,22 @@
|
||||||
remember-me services are as follows:</para>
|
remember-me services are as follows:</para>
|
||||||
|
|
||||||
<para><programlisting>
|
<para><programlisting>
|
||||||
<bean id="rememberMeProcessingFilter"
|
<![CDATA[
|
||||||
class="org.springframework.security.ui.rememberme.RememberMeProcessingFilter">
|
<bean id="rememberMeProcessingFilter"
|
||||||
<property name="rememberMeServices"><ref local="rememberMeServices"/></property>
|
class="org.springframework.security.ui.rememberme.RememberMeProcessingFilter">
|
||||||
</bean>
|
<property name="rememberMeServices" ref="rememberMeServices"/>
|
||||||
|
</bean>
|
||||||
|
|
||||||
<bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices">
|
<bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices">
|
||||||
<property name="userDetailsService"><ref local="jdbcDaoImpl"/></property>
|
<property name="userDetailsService" ref="jdbcDaoImpl"/>
|
||||||
<property name="key"><value>springRocks</value></property>
|
<property name="key" value="springRocks"/>
|
||||||
</bean>
|
</bean>
|
||||||
|
|
||||||
<bean id="rememberMeAuthenticationProvider"
|
|
||||||
class="org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider">
|
|
||||||
<property name="key"><value>springRocks</value></property>
|
|
||||||
</bean>
|
|
||||||
|
|
||||||
|
<bean id="rememberMeAuthenticationProvider"
|
||||||
|
class="org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider">
|
||||||
|
<property name="key" value="springRocks"/>
|
||||||
|
</bean>
|
||||||
|
]]>
|
||||||
</programlisting>Don't forget to add your
|
</programlisting>Don't forget to add your
|
||||||
<literal>RememberMeServices</literal> implementation to your
|
<literal>RememberMeServices</literal> implementation to your
|
||||||
<literal>AuthenticationProcessingFilter.setRememberMeServices()</literal>
|
<literal>AuthenticationProcessingFilter.setRememberMeServices()</literal>
|
||||||
|
|
|
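Review bot: putting `<![CDATA[` on its own line after `<para><programlisting>` and `]]>` on its own line before `</programlisting>` adds a blank line at the top and bottom of the rendered listing. The other listings converted in this commit keep `<![CDATA[` on the `<programlisting>` line and `]]>` directly after the last `</bean>`; use that form here as well. The switch from `<ref local=...>` and `<value>` child elements to `ref` and `value` attributes is fine.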
@ -1,8 +1,8 @@
|
||||||
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="runas"><info><title>Run-As Authentication Replacement</title></info>
|
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="runas"><info><title>Run-As Authentication Replacement</title></info>
|
||||||
|
|
||||||
|
|
||||||
<section xml:id="runas-overview"><info><title>Overview</title></info>
|
<section xml:id="runas-overview">
|
||||||
|
<info><title>Overview</title></info>
|
||||||
|
|
||||||
<para>The <literal>AbstractSecurityInterceptor</literal> is able to
|
<para>The <literal>AbstractSecurityInterceptor</literal> is able to
|
||||||
temporarily replace the <literal>Authentication</literal> object in
|
temporarily replace the <literal>Authentication</literal> object in
|
||||||
|
@ -28,15 +28,15 @@
|
||||||
are particularly useful when calling remote web services</para>
|
are particularly useful when calling remote web services</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section xml:id="runas-config"><info><title>Configuration</title></info>
|
<section xml:id="runas-config">
|
||||||
|
<info><title>Configuration</title></info>
|
||||||
|
<para>A <literal>RunAsManager</literal> interface is provided by Spring Security:
|
||||||
<para>A <literal>RunAsManager</literal> interface is provided by Acegi
|
<programlisting>
|
||||||
Security:</para>
|
Authentication buildRunAs(Authentication authentication, Object object, ConfigAttributeDefinition config);
|
||||||
|
boolean supports(ConfigAttribute attribute);
|
||||||
<para><programlisting>public Authentication buildRunAs(Authentication authentication, Object object, ConfigAttributeDefinition config);
|
boolean supports(Class clazz);
|
||||||
public boolean supports(ConfigAttribute attribute);
|
</programlisting>
|
||||||
public boolean supports(Class clazz);</programlisting></para>
|
</para>
|
||||||
|
|
||||||
<para>The first method returns the <literal>Authentication</literal>
|
<para>The first method returns the <literal>Authentication</literal>
|
||||||
object that should replace the existing
|
object that should replace the existing
|
||||||
|
@ -84,20 +84,17 @@
|
||||||
the hash of a key is stored in all generated tokens. The
|
the hash of a key is stored in all generated tokens. The
|
||||||
<literal>RunAsManagerImpl</literal> and
|
<literal>RunAsManagerImpl</literal> and
|
||||||
<literal>RunAsImplAuthenticationProvider</literal> is created in the
|
<literal>RunAsImplAuthenticationProvider</literal> is created in the
|
||||||
bean context with the same key:</para>
|
bean context with the same key:
|
||||||
|
<programlisting>
|
||||||
<para><programlisting>
|
<![CDATA[
|
||||||
<bean id="runAsManager" class="org.springframework.security.runas.RunAsManagerImpl">
|
<bean id="runAsManager" class="org.springframework.security.runas.RunAsManagerImpl">
|
||||||
<property name="key"><value>my_run_as_password</value></property>
|
<property name="key" value="my_run_as_password"/>
|
||||||
</bean>
|
</bean>
|
||||||
|
|
||||||
<bean id="runAsAuthenticationProvider"
|
|
||||||
class="org.springframework.security.runas.RunAsImplAuthenticationProvider">
|
|
||||||
<property name="key"><value>my_run_as_password</value></property>
|
|
||||||
</bean>
|
|
||||||
|
|
||||||
</programlisting></para>
|
|
||||||
|
|
||||||
|
<bean id="runAsAuthenticationProvider"
|
||||||
|
class="org.springframework.security.runas.RunAsImplAuthenticationProvider">
|
||||||
|
<property name="key" value="my_run_as_password"/>
|
||||||
|
</bean>]]></programlisting></para>
|
||||||
<para>By using the same key, each <literal>RunAsUserToken</literal>
|
<para>By using the same key, each <literal>RunAsUserToken</literal>
|
||||||
can be validated it was created by an approved
|
can be validated it was created by an approved
|
||||||
<literal>RunAsManagerImpl</literal>. The
|
<literal>RunAsManagerImpl</literal>. The
|
||||||
|
|
|
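Review bot: the touched sentence `The RunAsManagerImpl and RunAsImplAuthenticationProvider is created in the bean context with the same key:` should read `are created`. More importantly, since this paragraph explains that the hash of the key is stored in every generated token and the next one says a matching key is what lets each `RunAsUserToken` be validated, the prose should state that `my_run_as_password` is a placeholder and that the real key must be kept secret and be unique per deployment; the validation described here is only as strong as the secrecy of that key.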
@ -118,7 +118,6 @@
|
||||||
|
|
||||||
<xi:include href="channel-security.xml" />
|
<xi:include href="channel-security.xml" />
|
||||||
|
|
||||||
<xi:include href="taglibs.xml" />
|
|
||||||
</part>
|
</part>
|
||||||
|
|
||||||
<part xml:id="authentication">
|
<part xml:id="authentication">
|
||||||
|
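Review bot: removing `<xi:include href="taglibs.xml" />` leaves taglibs.xml without an include in this part, yet the same commit still edits that file (the `Tag Libraries` hunks below) and copies its content into a new `taglib` section of supporting-infrastructure.xml. Either delete taglibs.xml in this commit or keep the include; an orphaned copy will only drift away from the version that is actually published.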
@ -193,8 +192,7 @@
|
||||||
|
|
||||||
<partintro>
|
<partintro>
|
||||||
<para>In addition to this reference guide, a number of other resources
|
<para>In addition to this reference guide, a number of other resources
|
||||||
exist to help you learn how to use Spring Security. These resources are
|
exist to help you learn how to use Spring Security.</para>
|
||||||
discussed in this section.</para>
|
|
||||||
</partintro>
|
</partintro>
|
||||||
|
|
||||||
<xi:include href="samples.xml"/>
|
<xi:include href="samples.xml"/>
|
||||||
|
|
|
@ -1,4 +1,6 @@
|
||||||
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="supporting-infrastructure"><info><title>Supporting Infrastructure</title></info>
|
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="supporting-infrastructure" xmlns:xlink="http://www.w3.org/1999/xlink">
|
||||||
|
|
||||||
|
<info><title>Supporting Infrastructure</title></info>
|
||||||
|
|
||||||
|
|
||||||
<para>This chapter introduces some of the supplementary and supporting
|
<para>This chapter introduces some of the supplementary and supporting
|
||||||
|
@ -6,9 +8,8 @@
|
||||||
related to security, yet included in the Spring Security project, we
|
related to security, yet included in the Spring Security project, we
|
||||||
will discuss it in this chapter.</para>
|
will discuss it in this chapter.</para>
|
||||||
|
|
||||||
<section xml:id="localization"><info><title>Localization</title></info>
|
<section xml:id="localization">
|
||||||
|
<title>Localization</title>
|
||||||
|
|
||||||
<para>Spring Security supports localization of exception messages that
|
<para>Spring Security supports localization of exception messages that
|
||||||
end users are likely to see. If your application is designed for
|
end users are likely to see. If your application is designed for
|
||||||
English users, you don't need to do anything as by default all
|
English users, you don't need to do anything as by default all
|
||||||
|
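Review bot: `<section xml:id="localization">` is given a bare `<title>` while the other sections split in this commit (`filters`, `runas-overview`, `runas-config`, `taglib-config`) use `<info><title>...</title></info>`. Both are valid DocBook 5, but the file should use one form; `<info><title>Localization</title></info>` matches the rest of it.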
@ -36,9 +37,11 @@
|
||||||
inside your application context to refer to the messages. An example
|
inside your application context to refer to the messages. An example
|
||||||
is shown below:</para>
|
is shown below:</para>
|
||||||
|
|
||||||
<para><programlisting><bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
|
<para><programlisting><![CDATA[
|
||||||
<property name="basename"><value>org/acegisecurity/messages</value></property>
|
<bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
|
||||||
</bean> </programlisting></para>
|
<property name="basename" value="org/acegisecurity/messages"/>
|
||||||
|
</bean>
|
||||||
|
]]></programlisting></para>
|
||||||
|
|
||||||
<para>The <literal>messages.properties</literal> is named in
|
<para>The <literal>messages.properties</literal> is named in
|
||||||
accordance with standard resource bundles and represents the default
|
accordance with standard resource bundles and represents the default
|
||||||
|
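Review bot: the `basename` value `org/acegisecurity/messages` still points at the old Acegi package path, in a commit that otherwise replaces Acegi Security references with Spring Security (the runas-config hunk above). Check that the message bundle actually ships at that path in the Spring Security jar; if it moved with the package rename, this example bean will not load the intended messages. The conversion to `<![CDATA[` and the `value` attribute is fine.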
@ -73,12 +76,15 @@
|
||||||
<literal>SessionLocaleResolver</literal> etc)</para>
|
<literal>SessionLocaleResolver</literal> etc)</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section xml:id="filters"><info><title>Filters</title></info>
|
<section xml:id="filters">
|
||||||
|
<info><title>Filters</title></info>
|
||||||
|
|
||||||
<para>Spring Security uses many filters, as referred to throughout the
|
<para>Spring Security uses many filters, as referred to throughout the
|
||||||
remainder of this reference guide. You have a choice in how these
|
remainder of this reference guide. If you are using <link xlink:href="#namespace-config">namespace configuration</link>,
|
||||||
filters are added to your web application, in that you can use either
|
then the you don't usually have to declare the filter beans explicitly. There may be times when you want full control
|
||||||
|
over the security filter chain, either because you are using features which aren't supported in the namespace, or you
|
||||||
|
are using your own customized versions of classes.</para>
|
||||||
|
<para>In this case, you have a choice in how these filters are added to your web application, in that you can use either
|
||||||
Spring's <literal>DelegatingFilterProxy</literal> or
|
Spring's <literal>DelegatingFilterProxy</literal> or
|
||||||
<literal>FilterChainProxy</literal>. We'll look at both below.</para>
|
<literal>FilterChainProxy</literal>. We'll look at both below.</para>
|
||||||
|
|
||||||
|
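Review bot: typo in the new sentence: `then the you don't usually have to declare the filter beans explicitly` should read `then you don't usually have to declare the filter beans explicitly`.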
@ -86,7 +92,6 @@
|
||||||
something like this in the web.xml file:
|
something like this in the web.xml file:
|
||||||
|
|
||||||
<programlisting>
|
<programlisting>
|
||||||
|
|
||||||
<filter>
|
<filter>
|
||||||
<filter-name>myFilter</filter-name>
|
<filter-name>myFilter</filter-name>
|
||||||
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
|
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
|
||||||
|
@ -96,7 +101,6 @@
|
||||||
<filter-name>myFilter</filter-name>
|
<filter-name>myFilter</filter-name>
|
||||||
<url-pattern>/*</url-pattern>
|
<url-pattern>/*</url-pattern>
|
||||||
</filter-mapping>
|
</filter-mapping>
|
||||||
|
|
||||||
</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
Notice that the filter is actually a <literal>DelegatingFilterProxy</literal>,
|
Notice that the filter is actually a <literal>DelegatingFilterProxy</literal>,
|
||||||
|
@ -148,8 +152,10 @@
|
||||||
<para><programlisting><![CDATA[
|
<para><programlisting><![CDATA[
|
||||||
<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
|
<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
|
||||||
<sec:filter-chain-map path-type="ant">
|
<sec:filter-chain-map path-type="ant">
|
||||||
<sec:filter-chain pattern="/webServices/**" filters="httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
|
<sec:filter-chain pattern="/webServices/**"
|
||||||
<sec:filter-chain pattern="/**" filters="httpSessionContextIntegrationFilterWithASCTrue,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
|
filters="httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
|
||||||
|
<sec:filter-chain pattern="/**"
|
||||||
|
filters="httpSessionContextIntegrationFilterWithASCTrue,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
|
||||||
</sec:filter-chain-map>
|
</sec:filter-chain-map>
|
||||||
</bean>
|
</bean>
|
||||||
]]>
|
]]>
|
||||||
|
@ -209,7 +215,9 @@
|
||||||
any servlet container lifecycle invocations are not delegated through
|
any servlet container lifecycle invocations are not delegated through
|
||||||
to <literal>DelegatingFilterProxy</literal>.</para>
|
to <literal>DelegatingFilterProxy</literal>.</para>
|
||||||
|
|
||||||
<para>You can also omit a URI pattern from the filter chain by using
|
<para>In the same way that you can use the attribute <literal>filters = "none"</literal>
|
||||||
|
when using <link xlink:href="#namespace-auto-config">namespace configuration</link>,
|
||||||
|
you can omit a URI pattern from the filter chain by using
|
||||||
the token <literal>#NONE#</literal> on the right-hand side of the
|
the token <literal>#NONE#</literal> on the right-hand side of the
|
||||||
<literal><URI Pattern> = <Filter Chain></literal>
|
<literal><URI Pattern> = <Filter Chain></literal>
|
||||||
expression. For example, using the example above, if you wanted to
|
expression. For example, using the example above, if you wanted to
|
||||||
|
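Review bot: the new literal `filters = "none"` is written with spaces around `=`, unlike every attribute in the listings (for example `filters="..."` in the filterChainProxy listing above); write it as `filters="none"` so it matches what users type into the configuration. Also confirm that `#namespace-auto-config`, whose title in this commit is `What does auto-config Include?`, is the section that actually documents `filters="none"`; if it is not, link to the section that does.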
@ -311,4 +319,44 @@
|
||||||
<literal>SecurityContextHolder</literal> to be populated in time for
|
<literal>SecurityContextHolder</literal> to be populated in time for
|
||||||
use by SiteMesh decorators</para>
|
use by SiteMesh decorators</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
<section xml:id="taglib">
|
||||||
|
<info><title>Tag Libraries</title></info>
|
||||||
|
|
||||||
|
<para>Spring Security comes bundled with several JSP tag libraries which provide a range of different
|
||||||
|
services.</para>
|
||||||
|
|
||||||
|
<section xml:id="taglib-config">
|
||||||
|
<info><title>Configuration</title></info>
|
||||||
|
<para>All taglib classes are included in the core
|
||||||
|
<literal>spring-security-xx.jar</literal> file, with the
|
||||||
|
<literal>security.tld</literal> located in the JAR's
|
||||||
|
<literal>META-INF</literal> directory. This means for JSP 1.2+ web
|
||||||
|
containers you can simply include the JAR in the WAR's
|
||||||
|
<literal>WEB-INF/lib</literal> directory and it will be available. If
|
||||||
|
you're using a JSP 1.1 container, you'll need to declare the JSP
|
||||||
|
taglib in your <literal>web.xml file</literal>, and include
|
||||||
|
<literal>security.tld</literal> in the <literal>WEB-INF/lib</literal>
|
||||||
|
directory. The following fragment is added to
|
||||||
|
<literal>web.xml</literal>:
|
||||||
|
<programlisting><![CDATA[
|
||||||
|
<taglib>
|
||||||
|
<taglib-uri>http://www.springframework.org/security/tags</taglib-uri>
|
||||||
|
<taglib-location>/WEB-INF/security.tld</taglib-location>
|
||||||
|
</taglib>
|
||||||
|
]]></programlisting></para>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section xml:id="taglib-usage">
|
||||||
|
<info><title>Usage</title></info>
|
||||||
|
<para>Now that you've configured the tag libraries, refer to the
|
||||||
|
individual reference guide sections for details on how to use them.
|
||||||
|
Note that when using the tags, you should include the taglib reference
|
||||||
|
in your JSP:
|
||||||
|
<programlisting>
|
||||||
|
<%@ taglib prefix='security' uri='http://www.springframework.org/security/tags' %>
|
||||||
|
|
||||||
|
</programlisting></para>
|
||||||
|
</section>
|
||||||
|
</section>
|
||||||
</chapter>
|
</chapter>
|
|
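Review bot: in the new taglib-config section, `<literal>web.xml file</literal>` puts the word `file` inside the literal; it should be `<literal>web.xml</literal> file`. The section also duplicates taglibs.xml, including the `xml:id` values `taglib-config` and `taglib-usage`, which would become duplicate ids if taglibs.xml were ever included again; delete the old file as part of this move. A smaller nit: the listing in taglib-usage has blank lines above and below the `<%@ taglib ... %>` directive inside `<programlisting>`, which render as extra whitespace.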
@ -2,17 +2,15 @@
|
||||||
<info><title>Tag Libraries</title></info>
|
<info><title>Tag Libraries</title></info>
|
||||||
|
|
||||||
|
|
||||||
<section xml:id="taglib-overview"><info><title>Overview</title></info>
|
<section xml:id="taglib-overview">
|
||||||
|
<info><title>Overview</title></info>
|
||||||
|
|
||||||
<para>Spring Security comes bundled with several JSP tag libraries
|
<para>Spring Security comes bundled with several JSP tag libraries
|
||||||
that eases JSP writing. The tag libraries provide a range of different
|
that eases JSP writing. The tag libraries provide a range of different
|
||||||
services.</para>
|
services.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section xml:id="taglib-config"><info><title>Configuration</title></info>
|
<section xml:id="taglib-config">
|
||||||
|
<info><title>Configuration</title></info>
|
||||||
|
|
||||||
<para>All taglib classes are included in the core
|
<para>All taglib classes are included in the core
|
||||||
<literal>spring-security-xx.jar</literal> file, with the
|
<literal>spring-security-xx.jar</literal> file, with the
|
||||||
<literal>security.tld</literal> located in the JAR's
|
<literal>security.tld</literal> located in the JAR's
|
||||||
|
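Review bot: this file is being tidied although the same commit removes its `<xi:include>` from the part (the `@ -118,7 +118,6 @@` hunk) and copies its sections into supporting-infrastructure.xml; tidying an orphaned file leaves two copies of `taglib-config` and `taglib-usage` to drift apart. Delete taglibs.xml here instead. If it is kept for now, `that eases JSP writing` in the overview should read `that ease JSP writing`.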
@ -25,15 +23,16 @@
|
||||||
directory. The following fragment is added to
|
directory. The following fragment is added to
|
||||||
<literal>web.xml</literal>:</para>
|
<literal>web.xml</literal>:</para>
|
||||||
|
|
||||||
<para><programlisting><taglib>
|
<para><programlisting>
|
||||||
|
<taglib>
|
||||||
<taglib-uri>http://www.springframework.org/security/tags</taglib-uri>
|
<taglib-uri>http://www.springframework.org/security/tags</taglib-uri>
|
||||||
<taglib-location>/WEB-INF/security.tld</taglib-location>
|
<taglib-location>/WEB-INF/security.tld</taglib-location>
|
||||||
</taglib> </programlisting></para>
|
</taglib>
|
||||||
|
</programlisting></para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section xml:id="taglib-usage"><info><title>Usage</title></info>
|
<section xml:id="taglib-usage">
|
||||||
|
<info><title>Usage</title></info>
|
||||||
|
|
||||||
<para>Now that you've configured the tag libraries, refer to the
|
<para>Now that you've configured the tag libraries, refer to the
|
||||||
individual reference guide sections for details on how to use them.
|
individual reference guide sections for details on how to use them.
|
||||||
Note that when using the tags, you should include the taglib reference
|
Note that when using the tags, you should include the taglib reference
|
||||||
|
|
|
@ -23,8 +23,8 @@
|
||||||
from one system to another and it will immediately work.</para>
|
from one system to another and it will immediately work.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section xml:id="shared-components"><info><title>Shared Components</title></info>
|
<section xml:id="shared-components">
|
||||||
|
<info><title>Shared Components</title></info>
|
||||||
|
|
||||||
<para>Let's explore some of the most important shared components in
|
<para>Let's explore some of the most important shared components in
|
||||||
Spring Security. Components are considered "shared" if they are
|
Spring Security. Components are considered "shared" if they are
|
||||||