SEC-624: Improved general consistency of ref docs. Tidied up program listings. Added namespace info on channel security.

This commit is contained in:
Luke Taylor 2008-04-10 14:38:41 +00:00
parent a3de51ea51
commit a7ab048f3b
18 changed files with 555 additions and 546 deletions

View File

@ -40,17 +40,17 @@
filter and authentication provider appears as follows:</para>
<para><programlisting>
&lt;bean id="anonymousProcessingFilter"
class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter"&gt;
&lt;property name="key"&gt;&lt;value&gt;foobar&lt;/value&gt;&lt;/property&gt;
&lt;property name="userAttribute"&gt;&lt;value&gt;anonymousUser,ROLE_ANONYMOUS&lt;/value&gt;&lt;/property&gt;
&lt;/bean&gt;
&lt;bean id="anonymousAuthenticationProvider"
class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider"&gt;
&lt;property name="key"&gt;&lt;value&gt;foobar&lt;/value&gt;&lt;/property&gt;
&lt;/bean&gt;
<![CDATA[
<bean id="anonymousProcessingFilter"
class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter">
<property name="key" value="foobar"/>
<property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/>
</bean>
<bean id="anonymousAuthenticationProvider"
class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
<property name="key" value="foobar"/>
</bean>]]>
</programlisting></para>
<para>The <literal>key</literal> is shared between the filter and

View File

@ -3,7 +3,6 @@
<section xml:id="authorities"><info><title>Authorities</title></info>
<para>As briefly mentioned in the Authentication section, all
<literal>Authentication</literal> implementations are required to
store an array of <literal>GrantedAuthority</literal> objects. These
@ -15,11 +14,11 @@
decisions.</para>
<para><literal>GrantedAuthority</literal> is an interface with only
one method:</para>
<para><programlisting>public String getAuthority();</programlisting></para>
<para>This method allows <literal>AccessDecisionManager</literal>s to
one method:
<programlisting>
String getAuthority();
</programlisting>
This method allows <literal>AccessDecisionManager</literal>s to
obtain a precise <literal>String</literal> representation of the
<literal>GrantedAuthority</literal>. By returning a representation as
a <literal>String</literal>, a <literal>GrantedAuthority</literal> can
@ -58,13 +57,13 @@
<literal>AbstractSecurityInterceptor</literal> and is responsible for
making final access control decisions. The
<literal>AccessDecisionManager</literal> interface contains three
methods:</para>
<para><programlisting>public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config) throws AccessDeniedException;
public boolean supports(ConfigAttribute attribute);
public boolean supports(Class clazz);</programlisting></para>
<para>As can be seen from the first method, the
methods:
<programlisting>
void decide(Authentication authentication, Object object, ConfigAttributeDefinition config) throws AccessDeniedException;
boolean supports(ConfigAttribute attribute);
boolean supports(Class clazz);
</programlisting>
As can be seen from the first method, the
<literal>AccessDecisionManager</literal> is passed via method
parameters all information that is likely to be of value in assessing
an authorization decision. In particular, passing the secure
@ -115,13 +114,13 @@ public boolean supports(Class clazz);</programlisting></para>
assessment of the votes.</para>
<para>The <literal>AccessDecisionVoter</literal> interface has three
methods:</para>
<para><programlisting>public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config);
public boolean supports(ConfigAttribute attribute);
public boolean supports(Class clazz);</programlisting></para>
<para>Concrete implementations return an <literal>int</literal>, with
methods:
<programlisting>
int vote(Authentication authentication, Object object, ConfigAttributeDefinition config);
boolean supports(ConfigAttribute attribute);
boolean supports(Class clazz);
</programlisting>
Concrete implementations return an <literal>int</literal>, with
possible values being reflected in the
<literal>AccessDecisionVoter</literal> static fields
<literal>ACCESS_ABSTAIN</literal>, <literal>ACCESS_DENIED</literal>
@ -176,34 +175,36 @@ public boolean supports(Class clazz);</programlisting></para>
voter included with Spring Security. It integrates with Spring
Security's <literal>AclManager</literal> (discussed later). This voter
is designed to have multiple instances in the same application
context, such as:</para>
context, such as:
<programlisting>
<![CDATA[
<bean id="aclContactReadVoter"
class="org.springframework.security.vote.BasicAclEntryVoter">
<property name="processConfigAttribute" value="ACL_CONTACT_READ"/>
<property name="processDomainObjectClass" value="sample.contact.Contact"/>
<property name="aclManager" ref="aclManager"/>
<property name="requirePermission">
<list>
<ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
<ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/>
</list>
</property>
</bean>
<para><programlisting>&lt;bean id="aclContactReadVoter"
class="org.springframework.security.vote.BasicAclEntryVoter"&gt;
&lt;property name="processConfigAttribute"&gt;&lt;value&gt;ACL_CONTACT_READ&lt;/value&gt;&lt;/property&gt;
&lt;property name="processDomainObjectClass"&gt;&lt;value&gt;sample.contact.Contact&lt;/value&gt;&lt;/property&gt;
&lt;property name="aclManager"&gt;&lt;ref local="aclManager"/&gt;&lt;/property&gt;
&lt;property name="requirePermission"&gt;
&lt;list&gt;
&lt;ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/&gt;
&lt;ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/&gt;
&lt;/list&gt;
&lt;/property&gt;
&lt;/bean&gt;
&lt;bean id="aclContactDeleteVoter" class="org.springframework.security.vote.BasicAclEntryVoter"&gt;
&lt;property name="processConfigAttribute"&gt;&lt;value&gt;ACL_CONTACT_DELETE&lt;/value&gt;&lt;/property&gt;
&lt;property name="processDomainObjectClass"&gt;&lt;value&gt;sample.contact.Contact&lt;/value&gt;&lt;/property&gt;
&lt;property name="aclManager"&gt;&lt;ref local="aclManager"/&gt;&lt;/property&gt;
&lt;property name="requirePermission"&gt;
&lt;list&gt;
&lt;ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/&gt;
&lt;ref local="org.springframework.security.acl.basic.SimpleAclEntry.DELETE"/&gt;
&lt;/list&gt;
&lt;/property&gt;
&lt;/bean&gt; </programlisting></para>
<para>In the above example, you'd define
<bean id="aclContactDeleteVoter"
class="org.springframework.security.vote.BasicAclEntryVoter">
<property name="processConfigAttribute" value="ACL_CONTACT_DELETE"/>
<property name="processDomainObjectClass" value="sample.contact.Contact"/>
<property name="aclManager" ref="aclManager"/>
<property name="requirePermission">
<list>
<ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
<ref local="org.springframework.security.acl.basic.SimpleAclEntry.DELETE"/>
</list>
</property>
</bean>
]]></programlisting>
In the above example, you'd define
<literal>ACL_CONTACT_READ</literal> or
<literal>ACL_CONTACT_DELETE</literal> against some methods on a
<literal>MethodSecurityInterceptor</literal> or
@ -251,9 +252,8 @@ public boolean supports(Class clazz);</programlisting></para>
to the chapter describing the new ACL implementation.</para>
</section>
<section xml:id="after-invocation"><info><title>After Invocation Handling</title></info>
<section xml:id="after-invocation">
<info><title>After Invocation Handling</title></info>
<para>Whilst the <literal>AccessDecisionManager</literal> is called by
the <literal>AbstractSecurityInterceptor</literal> before proceeding
with the secure object invocation, some applications need a way of
@ -274,7 +274,6 @@ public boolean supports(Class clazz);</programlisting></para>
<imageobject>
<imagedata role="html" align="center" fileref="images/AfterInvocation.gif" format="GIF"/>
</imageobject>
<caption>
<para>Figure 5: After Invocation Implementation</para>
</caption>
@ -341,22 +340,20 @@ public boolean supports(Class clazz);</programlisting></para>
<literal>Contact</literal> is all that is available before the
secure object is invoked. The
<literal>AclAfterInvocationProvider</literal> delivers a solution,
and is configured as follows:</para>
<para><programlisting>&lt;bean id="afterAclRead"
class="org.springframework.security.afterinvocation.AclEntryAfterInvocationProvider"&gt;
&lt;constructor-arg&gt;
&lt;ref bean="aclService"/&gt;
&lt;/constructor-arg&gt;
&lt;constructor-arg&gt;
&lt;list&gt;
&lt;ref local="org.springframework.security.acls.domain.BasePermission.ADMINISTRATION"/&gt;
&lt;ref local="org.springframework.security.acls.domain.BasePermission.READ"/&gt;
&lt;/list&gt;
&lt;/constructor-arg&gt;
&lt;/bean&gt; </programlisting></para>
<para>In the above example, the <literal>Contact</literal> will be
and is configured as follows:
<programlisting><![CDATA[
<bean id="afterAclRead"
class="org.springframework.security.afterinvocation.AclEntryAfterInvocationProvider">
<constructor-arg ref="aclService"/>
<constructor-arg>
<list>
<ref local="org.springframework.security.acls.domain.BasePermission.ADMINISTRATION"/>
<ref local="org.springframework.security.acls.domain.BasePermission.READ"/>
</list>
</constructor-arg>
</bean>
]]></programlisting>
In the above example, the <literal>Contact</literal> will be
retrieved and passed to the
<literal>AclEntryAfterInvocationProvider</literal>. The provider
will thrown an <literal>AccessDeniedException</literal> if one of
@ -373,22 +370,20 @@ public boolean supports(Class clazz);</programlisting></para>
elements for which a principal does not have access. It never thrown
an <literal>AccessDeniedException</literal> - simply silently
removes the offending elements. The provider is configured as
follows:</para>
<para><programlisting>&lt;bean id="afterAclCollectionRead"
class="org.springframework.security.afterinvocation.AclEntryAfterInvocationCollectionFilteringProvider"&gt;
&lt;constructor-arg&gt;
&lt;ref bean="aclService"/&gt;
&lt;/constructor-arg&gt;
&lt;constructor-arg&gt;
&lt;list&gt;
&lt;ref local="org.springframework.security.acls.domain.BasePermission.ADMINISTRATION"/&gt;
&lt;ref local="org.springframework.security.acls.domain.BasePermission.READ"/&gt;
&lt;/list&gt;
&lt;/constructor-arg&gt;
&lt;/bean&gt; </programlisting></para>
<para>As you can imagine, the returned <literal>Object</literal>
follows:
<programlisting><![CDATA[
<bean id="afterAclCollectionRead"
class="org.springframework.security.afterinvocation.AclEntryAfterInvocationCollectionFilteringProvider">
<constructor-arg ref="aclService"/>
<constructor-arg>
<list>
<ref local="org.springframework.security.acls.domain.BasePermission.ADMINISTRATION"/>
<ref local="org.springframework.security.acls.domain.BasePermission.READ"/>
</list>
</constructor-arg>
</bean>
]]> </programlisting>
As you can imagine, the returned <literal>Object</literal>
must be a <literal>Collection</literal> or array for this provider
to operate. It will remove any element if the
<literal>AclManager</literal> indicates the
@ -427,16 +422,18 @@ public boolean supports(Class clazz);</programlisting></para>
<literal>BasicAclAfterInvocationProvider</literal> delivers a
solution, and is configured as follows:</para>
<para><programlisting>&lt;bean id="afterAclRead"
class="org.springframework.security.afterinvocation.BasicAclEntryAfterInvocationProvider"&gt;
&lt;property name="aclManager"&gt;&lt;ref local="aclManager"/&gt;&lt;/property&gt;
&lt;property name="requirePermission"&gt;
&lt;list&gt;
&lt;ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/&gt;
&lt;ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/&gt;
&lt;/list&gt;
&lt;/property&gt;
&lt;/bean&gt; </programlisting></para>
<para><programlisting><![CDATA[
<bean id="afterAclRead"
class="org.springframework.security.afterinvocation.BasicAclEntryAfterInvocationProvider">
<property name="aclManager"><ref local="aclManager"/></property>
<property name="requirePermission">
<list>
<ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
<ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/>
</list>
</property>
</bean>
]]> </programlisting></para>
<para>In the above example, the <literal>Contact</literal> will be
retrieved and passed to the
@ -455,20 +452,20 @@ public boolean supports(Class clazz);</programlisting></para>
elements for which a principal does not have access. It never thrown
an <literal>AccessDeniedException</literal> - simply silently
removes the offending elements. The provider is configured as
follows:</para>
<para><programlisting>&lt;bean id="afterAclCollectionRead"
class="org.springframework.security.afterinvocation.BasicAclEntryAfterInvocationCollectionFilteringProvider"&gt;
&lt;property name="aclManager"&gt;&lt;ref local="aclManager"/&gt;&lt;/property&gt;
&lt;property name="requirePermission"&gt;
&lt;list&gt;
&lt;ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/&gt;
&lt;ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/&gt;
&lt;/list&gt;
&lt;/property&gt;
&lt;/bean&gt; </programlisting></para>
<para>As you can imagine, the returned <literal>Object</literal>
follows:
<programlisting><![CDATA[
<bean id="afterAclCollectionRead"
class="org.springframework.security.afterinvocation.BasicAclEntryAfterInvocationCollectionFilteringProvider">
<property name="aclManager"><ref local="aclManager"/></property>
<property name="requirePermission">
<list>
<ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
<ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/>
</list>
</property>
</bean>
]]></programlisting>
As you can imagine, the returned <literal>Object</literal>
must be a <literal>Collection</literal> or array for this provider
to operate. It will remove any element if the
<literal>AclManager</literal> indicates the
@ -490,11 +487,14 @@ public boolean supports(Class clazz);</programlisting></para>
<para>The following JSP fragment illustrates how to use the
<literal>AuthorizeTag</literal>:</para>
<para><programlisting>&lt;security:authorize ifAllGranted="ROLE_SUPERVISOR"&gt;
&lt;td&gt;
&lt;A HREF="del.htm?id=&lt;c:out value="${contact.id}"/&gt;"&gt;Del&lt;/A&gt;
&lt;/td&gt;
&lt;/security:authorize&gt; </programlisting></para>
<para><programlisting>
<![CDATA[
<security:authorize ifAllGranted="ROLE_SUPERVISOR">
<td>
<a href="del.htm?id=<c:out value="${contact.id}"/>">Del</a>
</td>
</security:authorize>
]]></programlisting></para>
<para>This tag would cause the tag's body to be output if the
principal has been granted ROLE_SUPERVISOR.</para>
@ -551,13 +551,13 @@ public boolean supports(Class clazz);</programlisting></para>
object.</para>
<para>The following JSP fragment illustrates how to use the
<literal>AccessControlListTag</literal>:</para>
<para><programlisting>&lt;security:accesscontrollist domainObject="${contact}" hasPermission="8,16"&gt;
&lt;td&gt;&lt;A HREF="&lt;c:url value="del.htm"&gt;&lt;c:param name="contactId" value="${contact.id}"/&gt;&lt;/c:url&gt;"&gt;Del&lt;/A&gt;&lt;/td&gt;
&lt;/security:accesscontrollist&gt;</programlisting></para>
<para>This tag would cause the tag's body to be output if the
<literal>AccessControlListTag</literal>:
<programlisting><![CDATA[
<security:accesscontrollist domainObject="${contact}" hasPermission="8,16">
<td><a href="<c:url value="del.htm"><c:param name="contactId" value="${contact.id}"/></c:url>">Del</a></td>
</security:accesscontrollist>
]]></programlisting>
This tag would cause the tag's body to be output if the
principal holds either permission 16 or permission 1 for the "contact"
domain object. The numbers are actually integers that are used with
<literal>BasePermission</literal> bit masking. Please refer to the ACL

View File

@ -4,7 +4,6 @@
<section xml:id="cas-overview">
<info><title>Overview</title></info>
<para>JA-SIG produces an enterprise-wide single sign on system known
as CAS. Unlike other initiatives, JA-SIG's Central Authentication
Service is open source, widely used, simple to understand, platform
@ -15,22 +14,17 @@
server.</para>
<para>You can learn more about CAS at
<literal>http://www.ja-sig.org/products/cas/</literal>. You will need
to visit this URL to download the CAS Server files. Whilst Spring
Security includes two CAS libraries in the "-with-dependencies" ZIP
file, you will still need the CAS Java Server Pages and
<literal>web.xml</literal> to customise and deploy your CAS
server.</para>
<literal>http://www.ja-sig.org/products/cas/</literal>. You will also need
to visit this site to download the CAS Server files.</para>
</section>
<section xml:id="cas-how-it-works"><info><title>How CAS Works</title></info>
<section xml:id="cas-how-it-works">
<info><title>How CAS Works</title></info>
<para>Whilst the CAS web site above contains two documents that detail
<para>Whilst the CAS web site contains documents that detail
the architecture of CAS, we present the general overview again here
within the context of Spring Security. The following refers to both
CAS 2.0 (produced by Yale) and CAS 3.0 (produced by JA-SIG), being the
versions of CAS that Spring Security supports.</para>
within the context of Spring Security. Spring Security 2.0 supports
CAS 3. At the time of writing, the CAS server was at version 3.2.</para>
<para>Somewhere in your enterprise you will need to setup a CAS
server. The CAS server is simply a standard WAR file, so there isn't
@ -38,69 +32,27 @@
you will customise the login and other single sign on pages displayed
to users.</para>
<para>If you are deploying CAS 2.0, you will also need to specify in
the web.xml a <literal>PasswordHandler</literal>. The
<literal>PasswordHandler</literal> has a simple method that returns a
boolean as to whether a given username and password is valid. Your
<literal>PasswordHandler</literal> implementation will need to link
into some type of backend authentication repository, such as an LDAP
server or database.</para>
<para>If you are already running an existing CAS 2.0 server instance,
you will have already established a
<literal>PasswordHandler</literal>. If you do not already have a
<literal>PasswordHandler</literal>, you might prefer to use Spring
Security's <literal>CasPasswordHandler</literal> class. This class
delegates through to the standard Spring Security
<literal>AuthenticationManager</literal>, enabling you to use a
security configuration you might already have in place. You do not
need to use the <literal>CasPasswordHandler</literal> class on your
CAS server if you do not wish. Spring Security will function as a CAS
client successfully irrespective of the
<literal>PasswordHandler</literal> you've chosen for your CAS
server.</para>
<para>If you are deploying CAS 3.0, you will also need to specify an
<para>When deploying a CAS 3.2 server, you will also need to specify an
<literal>AuthenticationHandler</literal> in the
deployerConfigContext.xml included with CAS. The
<filename>deployerConfigContext.xml</filename> included with CAS. The
<literal>AuthenticationHandler</literal> has a simple method that
returns a boolean as to whether a given set of Credentials is valid.
Your <literal>AuthenticationHandler</literal> implementation will need
to link into some type of backend authentication repository, such as
an LDAP server or database. CAS itself includes numerous
<literal>AuthenticationHandler</literal>s out of the box to assist
with this.</para>
with this. When you download and deploy the server war file, it is set up
to successfully authenticate users who enter a password matching their
username, which is sueful for testing.</para>
<para>If you are already running an existing CAS 3.0 server instance,
you will have already established an
<literal>AuthenticationHandler</literal>. If you do not already have
an <literal>AuthenticationHandler</literal>, you might prefer to use
Spring Security <literal>CasAuthenticationHandler</literal> class.
This class delegates through to the standard Spring Security
<literal>AuthenticationManager</literal>, enabling you to use a
security configuration you might already have in place. You do not
need to use the <literal>CasAuthenticationHandler</literal> class on
your CAS server if you do not wish. Spring Security will function as a
CAS client successfully irrespective of the
<literal>AuthenticationHandler</literal> you've chosen for your CAS
server.</para>
<para>Apart from the CAS server itself, the other key player is of
<para>Apart from the CAS server itself, the other key players are of
course the secure web applications deployed throughout your
enterprise. These web applications are known as "services". There are
two types of services: standard services and proxy services. A proxy
service is able to request resources from other services on behalf of
the user. This will be explained more fully later.</para>
<para>Services can be developed in a large variety of languages, due
to CAS 2.0's very light XML-based protocol. The JA-SIG CAS home page
contains a clients archive which demonstrates CAS clients in Java,
Active Server Pages, Perl, Python and others. Naturally, Java support
is very strong given the CAS server is written in Java. You do not
need to use any of CAS' client classes in applications secured by
Spring Security. This is handled transparently for you.</para>
<para>The basic interaction between a web browser, CAS server and n
<para>The basic interaction between a web browser, CAS server and a
Spring Security-secured service is as follows:</para>
<orderedlist inheritnum="ignore" continuation="restarts">

View File

@ -1,11 +1,10 @@
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="channel-security">
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="channel-security" xmlns:xlink="http://www.w3.org/1999/xlink">
<info><title>Channel Security</title></info>
<section xml:id="channel-security-overview">
<info><title>Overview</title></info>
<para>In addition to coordinating the authentication and authorization
requirements of your application, Spring Security is also able to
ensure unauthenticated web requests have certain properties. These
@ -35,14 +34,16 @@
Security provides a solution to assist with the latter.</para>
</section>
<section xml:id="channel-security-config"><info><title>Configuration</title></info>
<para>To use chanel security, you should define the following the filter in your application
<section xml:id="channel-security-config">
<info><title>Configuration</title></info>
<para>Channel security is supported by the <link xlink:href="#namespace-auto-config">security namespace</link>
by means of the <literal>requires-channel</literal> attribute on the <literal>&lt;intercept-url&gt;</literal>
element and this is the simplest (and recommended approach)</para>
<para>To confiure channel security explicitly, you would define the following the filter in your application
context:</para>
<para><programlisting>
&lt;bean id="channelProcessingFilter" class="org.springframework.security.securechannel.ChannelProcessingFilter"&gt;
&lt;bean id="channelProcessingFilter" class="org.springframework.security.securechannel.ChannelProcessingFilter"&gt;
&lt;property name="channelDecisionManager" ref="channelDecisionManager"/&gt;
&lt;property name="filterInvocationDefinitionSource"&gt;
&lt;security:filter-invocation-definition-source path-type="regex"&gt;
@ -54,18 +55,17 @@
&lt;/property&gt;
&lt;/bean&gt;
&lt;bean id="channelDecisionManager" class="org.springframework.security.securechannel.ChannelDecisionManagerImpl"&gt;
&lt;bean id="channelDecisionManager" class="org.springframework.security.securechannel.ChannelDecisionManagerImpl"&gt;
&lt;property name="channelProcessors"&gt;
&lt;list&gt;
&lt;ref bean="secureChannelProcessor"/&gt;
&lt;ref bean="insecureChannelProcessor"/&gt;
&lt;/list&gt;
&lt;/property&gt;
&lt;/bean&gt;
&lt;bean id="secureChannelProcessor" class="org.springframework.security.securechannel.SecureChannelProcessor"/&gt;
&lt;bean id="insecureChannelProcessor" class="org.springframework.security.securechannel.InsecureChannelProcessor"/&gt;
&lt;/bean&gt;
&lt;bean id="secureChannelProcessor" class="org.springframework.security.securechannel.SecureChannelProcessor"/&gt;
&lt;bean id="insecureChannelProcessor" class="org.springframework.security.securechannel.InsecureChannelProcessor"/&gt;
</programlisting></para>
<para>Like <literal>FilterSecurityInterceptor</literal>, Apache Ant
@ -124,8 +124,8 @@
property is <literal>true</literal>.</para>
</section>
<section xml:id="channel-security-conclusion"><info><title>Conclusion</title></info>
<section xml:id="channel-security-conclusion">
<info><title>Conclusion</title></info>
<para>Once configured, using the channel security filter is very easy.
Simply request pages without regard to the protocol (ie HTTP or HTTPS)

View File

@ -1,9 +1,10 @@
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="authentication-common-auth-services">
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="authentication-common-auth-services" xmlns:xlink="http://www.w3.org/1999/xlink">
<info><title>Common Authentication Services</title></info>
<section xml:id="mechanisms-providers-entry-points">
<info><title>Mechanisms, Providers and Entry Points</title></info>
<info>
<title>Mechanisms, Providers and Entry Points</title>
</info>
<para>If you're using Spring Security-provided authentication
approaches, you'll usually need to configure a web filter, together
@ -20,15 +21,15 @@
this:</para>
<para><programlisting><![CDATA[
<filter>
<filter>
<filter-name>filterChainProxy</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
</filter>
<filter-mapping>
<filter-mapping>
<filter-name>filterChainProxy</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>]]>
</filter-mapping>]]>
</programlisting></para>
<para>The above declarations will cause every web request to be passed
@ -184,21 +185,22 @@
header or HTTP redirect in order to start authentication. Continuing
on with our earlier example:</para>
<para><programlisting>&lt;bean id="exceptionTranslationFilter"
class="org.springframework.security.ui.ExceptionTranslationFilter"&gt;
&lt;property name="authenticationEntryPoint"&gt;&lt;ref local="authenticationProcessingFilterEntryPoint"/&gt;&lt;/property&gt;
&lt;property name="accessDeniedHandler"&gt;
&lt;bean class="org.springframework.security.ui.AccessDeniedHandlerImpl"&gt;
&lt;property name="errorPage" value="/accessDenied.jsp"/&gt;
&lt;/bean&gt;
&lt;/property&gt;
&lt;/bean&gt;
<para><programlisting><![CDATA[
<bean id="exceptionTranslationFilter"
class="org.springframework.security.ui.ExceptionTranslationFilter">
<property name="authenticationEntryPoint" ref="authenticationProcessingFilterEntryPoint"/>
<property name="accessDeniedHandler">
<bean class="org.springframework.security.ui.AccessDeniedHandlerImpl">
<property name="errorPage" value="/accessDenied.jsp"/>
</bean>
</property>
</bean>
&lt;bean id="authenticationProcessingFilterEntryPoint"
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint"&gt;
&lt;property name="loginFormUrl"&gt;&lt;value&gt;/acegilogin.jsp&lt;/value&gt;&lt;/property&gt;
&lt;property name="forceHttps"&gt;&lt;value&gt;false&lt;/value&gt;&lt;/property&gt;
&lt;/bean&gt;</programlisting></para>
<bean id="authenticationProcessingFilterEntryPoint"
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
<property name="loginFormUrl" value="/login.jsp"/>
<property name="forceHttps">< value="false"/>
</bean>]]></programlisting></para>
<para>Notice that the <literal>ExceptionTranslationFilter</literal>
requires two collaborators. The first,
@ -270,9 +272,8 @@
that, Spring Security does include a couple of useful base
implementations, which we'll look at below.</para>
<section xml:id="in-memory-service"><info><title>In-Memory Authentication</title></info>
<section xml:id="in-memory-service">
<info><title>In-Memory Authentication</title></info>
<para>Whilst it is easy to use create a custom
<literal>UserDetailsService</literal> implementation that extracts
information from a persistence engine of choice, many applications
@ -281,52 +282,34 @@
Security, when you don't really want to spend time configuring
databases or writing <literal>UserDetailsService</literal>
implementations. For this sort of situation, a simple option is to
configure the <literal>InMemoryDaoImpl</literal>
implementation:</para>
<para><programlisting>&lt;bean id="inMemoryDaoImpl"
class="org.springframework.security.userdetails.memory.InMemoryDaoImpl"&gt;
&lt;property name="userMap"&gt;
&lt;value&gt;
rod=koala,ROLE_TELLER,ROLE_SUPERVISOR
dianne=emu,ROLE_TELLER
scott=wombat,ROLE_TELLER
peter=opal,disabled,ROLE_TELLER
&lt;/value&gt;
&lt;/property&gt;
&lt;/bean&gt; </programlisting></para>
<para>In the above example, the <literal>userMap</literal> property
contains each of the usernames, passwords, a list of granted
authorities and an optional enabled/disabled keyword. Commas are
used to delimit each token. The username must appear to the left of
the equals sign, and the password must be the first token to the
right of the equals sign. The <literal>enabled</literal> and
<literal>disabled</literal> keywords (case insensitive) may appear
in the second or any subsequent token. Any remaining tokens are
treated as granted authorities, which are created as
<literal>GrantedAuthorityImpl</literal> objects (this is just for
your reference - most applications don't need custom
<literal>GrantedAuthority</literal> implementations, so using the
default implementation in this manner is just fine). Note that if a
user has no password and/or no granted authorities, the user will
not be created in the in-memory authentication repository.</para>
<para><literal>InMemoryDaoImpl</literal> also offers a
<literal>setUserProperties(Properties)</literal> method, which
allows you to externalise the
<literal>java.util.Properties</literal> in another Spring configured
bean or an external properties file. You might like to use Spring's
<literal>PropertiesFactoryBean</literal>, which is useful for
loading such external properties files. This setter might prove
useful for simple applications that have a larger number of users,
or deployment-time configuration changes, but do not wish to use a
full database for handling authentication details.</para>
use the <literal>user-service</literal> element from the security
<link xlink:href="#namespace-minimal" >namespace</link>:
<programlisting><![CDATA[
<user-service id="userDetailsService">
<user name="jimi" password="jimispassword" authorities="ROLE_USER, ROLE_ADMIN" />
<user name="bob" password="bobspassword" authorities="ROLE_USER" />
</user-service>
]]>
</programlisting>
This also suppots the use of an external properties file:
<programlisting><![CDATA[
<user-service id="userDetailsService" properties="users.properties"/>
]]>
</programlisting>
The properties file should contain entries in the form
<programlisting>
username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]
</programlisting>
For example
<programlisting>
jimi=jimispassword,ROLE_USER,ROLE_ADMIN,enabled
bob=bobspassword,ROLE_USER,enabled
</programlisting>
</para>
</section>
<section xml:id="jdbc-service"><info><title>JDBC Authentication</title></info>
<section xml:id="jdbc-service">
<info><title>JDBC Authentication</title></info>
<para>Spring Security also includes a
<literal>UserDetailsService</literal> that can obtain authentication
information from a JDBC data source. Internally Spring JDBC is used,
@ -338,16 +321,18 @@
<literal>JdbcDaoImpl</literal>, an example configuration is shown
below:</para>
<para><programlisting>&lt;bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource"&gt;
&lt;property name="driverClassName"&gt;&lt;value&gt;org.hsqldb.jdbcDriver&lt;/value&gt;&lt;/property&gt;
&lt;property name="url"&gt;&lt;value&gt;jdbc:hsqldb:hsql://localhost:9001&lt;/value&gt;&lt;/property&gt;
&lt;property name="username"&gt;&lt;value&gt;sa&lt;/value&gt;&lt;/property&gt;
&lt;property name="password"&gt;&lt;value&gt;&lt;/value&gt;&lt;/property&gt;
&lt;/bean&gt;
<para><programlisting>
<![CDATA[
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="org.hsqldb.jdbcDriver"/>
<property name="url" value="jdbc:hsqldb:hsql://localhost:9001"/>
<property name="username" value="sa"/>
<property name="password" value=""/>
</bean>
&lt;bean id="jdbcDaoImpl" class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl"&gt;
&lt;property name="dataSource"&gt;&lt;ref bean="dataSource"/&gt;&lt;/property&gt;
&lt;/bean&gt; </programlisting></para>
<bean id="jdbcDaoImpl" class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl">
<property name="dataSource" ref="dataSource"/>
</bean> ]]> </programlisting></para>
<para>You can use different relational database management systems
by modifying the <literal>DriverManagerDataSource</literal> shown
@ -372,8 +357,8 @@
</section>
</section>
<section xml:id="concurrent-sessions"><info><title>Concurrent Session Handling</title></info>
<section xml:id="concurrent-sessions">
<info><title>Concurrent Session Handling</title></info>
<para>Spring Security is able to prevent a principal from concurrently
authenticating to the same application more than a specified number of
@ -411,40 +396,42 @@
<literal>ConcurrentSessionControllerImpl</literal> and refer to it
from your <literal>ProviderManager</literal> bean:</para>
<para><programlisting>&lt;bean id="authenticationManager"
class="org.springframework.security.providers.ProviderManager"&gt;
&lt;property name="providers"&gt;
&lt;!-- your providers go here --&gt;
&lt;/property&gt;
&lt;property name="sessionController"&gt;&lt;ref bean="concurrentSessionController"/&gt;&lt;/property&gt;
&lt;/bean&gt;
<para>
<programlisting><![CDATA[
<bean id="authenticationManager"
class="org.springframework.security.providers.ProviderManager">
<property name="providers">
<!-- your providers go here -->
</property>
<property name="sessionController" ref="concurrentSessionController"/>
</bean>
&lt;bean id="concurrentSessionController"
class="org.springframework.security.concurrent.ConcurrentSessionControllerImpl"&gt;
&lt;property name="maximumSessions"&gt;&lt;value&gt;1&lt;/value&gt;&lt;/property&gt;
&lt;property name="sessionRegistry"&gt;&lt;ref local="sessionRegistry"/&gt;&lt;/property&gt;
&lt;/bean&gt;
&lt;bean id="sessionRegistry" class="org.springframework.security.concurrent.SessionRegistryImpl"/&gt;</programlisting></para>
<bean id="concurrentSessionController"
class="org.springframework.security.concurrent.ConcurrentSessionControllerImpl">
<property name="maximumSessions" value="1"/>
<property name="sessionRegistry">
<bean class="org.springframework.security.concurrent.SessionRegistryImpl"/>
<property>
</bean>
]]></programlisting></para>
</section>
<section xml:id="authentication-taglibs"><info><title>Authentication Tag Libraries</title></info>
<section xml:id="authentication-taglibs">
<info><title>Authentication Tag Libraries</title></info>
<para><literal>AuthenticationTag</literal> is used to simply output a
property of the current principal's
<literal>Authentication.getPrincipal()</literal> object to the web
property of the current <literal>Authentication</literal> object to the web
page.</para>
<para>The following JSP fragment illustrates how to use the
<literal>AuthenticationTag</literal>:</para>
<para><programlisting>&lt;security:authentication operation="username"/&gt;</programlisting></para>
<para><programlisting>&lt;security:authentication property="principal.username"/&gt;</programlisting></para>
<para>This tag would cause the principal's name to be output. Here we
are assuming the <literal>Authentication.getPrincipal()</literal> is a
<literal>UserDetails</literal> object, which is generally the case
when using the typical
<literal>DaoAuthenticationProvider</literal>.</para>
when using one of Spring Security's stadard <literal>AuthenticationProvider</literal>
implementations.</para>
</section>
</chapter>

View File

@ -1,8 +1,9 @@
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="dao-provider"><info><title>DAO Authentication Provider</title></info>
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="dao-provider">
<info><title>DAO Authentication Provider</title></info>
<section xml:id="dao-provider-overview"><info><title>Overview</title></info>
<section xml:id="dao-provider-overview">
<info><title>Overview</title></info>
<para>Spring Security includes a production-quality
<literal>AuthenticationProvider</literal> implementation called
@ -20,8 +21,8 @@
object.</para>
</section>
<section xml:id="dao-provider-config"><info><title>Configuration</title></info>
<section xml:id="dao-provider-config">
<info><title>Configuration</title></info>
<para>Aside from adding DaoAuthenticationProvider to your
ProviderManager list (as discussed at the start of this part of the
@ -29,12 +30,15 @@
configured to present a UsernamePasswordAuthenticationToken, the
configuration of the provider itself is rather simple:</para>
<para><programlisting>&lt;bean id="daoAuthenticationProvider"
class="org.springframework.security.providers.dao.DaoAuthenticationProvider"&gt;
&lt;property name="userDetailsService"&gt;&lt;ref bean="inMemoryDaoImpl"/&gt;&lt;/property&gt;
&lt;property name="saltSource"&gt;&lt;ref bean="saltSource"/&gt;&lt;/property&gt;
&lt;property name="passwordEncoder"&gt;&lt;ref bean="passwordEncoder"/&gt;&lt;/property&gt;
&lt;/bean&gt; </programlisting></para>
<para><programlisting>
<![CDATA[
<bean id="daoAuthenticationProvider"
class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="inMemoryDaoImpl"/>
<property name="saltSource" ref bean="saltSource"/>
<property name="passwordEncoder" ref="passwordEncoder"/>
</bean> ]]>
</programlisting></para>
<para>The <literal>PasswordEncoder</literal> and
<literal>SaltSource</literal> are optional. A
@ -65,31 +69,26 @@
A usable caching implementation is also provided,
<literal>EhCacheBasedUserCache</literal>, which is configured as
follows:</para>
<para><programlisting><![CDATA[
<bean id="daoAuthenticationProvider"
class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
<property name="userDetailsService"><ref bean="userDetailsService"/></property>
<property name="userCache"><ref bean="userCache"/></property>
</bean>
<para><programlisting>&lt;bean id="daoAuthenticationProvider"
class="org.springframework.security.providers.dao.DaoAuthenticationProvider"&gt;
&lt;property name="userDetailsService"&gt;&lt;ref bean="userDetailsService"/&gt;&lt;/property&gt;
&lt;property name="userCache"&gt;&lt;ref bean="userCache"/&gt;&lt;/property&gt;
&lt;/bean&gt;
<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
<property name="configLocation" value="classpath:/ehcache-failsafe.xml"/>
</bean>
&lt;bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"&gt;
&lt;property name="configLocation"&gt;
&lt;value&gt;classpath:/ehcache-failsafe.xml&lt;/value&gt;
&lt;/property&gt;
&lt;/bean&gt;
<bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
<property name="cacheManager" ref="cacheManager"/>
<property name="cacheName" value="userCache"/>
</bean>
&lt;bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean"&gt;
&lt;property name="cacheManager"&gt;
&lt;ref local="cacheManager"/&gt;
&lt;/property&gt;
&lt;property name="cacheName"&gt;
&lt;value&gt;userCache&lt;/value&gt;
&lt;/property&gt;
&lt;/bean&gt;
&lt;bean id="userCache" class="org.springframework.security.providers.dao.cache.EhCacheBasedUserCache"&gt;
&lt;property name="cache"&gt;&lt;ref local="userCacheBackend"/&gt;&lt;/property&gt;
&lt;/bean&gt; </programlisting></para>
<bean id="userCache" class="org.springframework.security.providers.dao.cache.EhCacheBasedUserCache">
<property name="cache" ref="userCacheBackend"/>
</bean>]]>
</programlisting></para>
<para>All Spring Security EH-CACHE implementations (including
<literal>EhCacheBasedUserCache</literal>) require an EH-CACHE

View File

@ -33,7 +33,8 @@
This is a value the server generates. Spring Security's nonce adopts
the following format:</para>
<para><programlisting>base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key))
<para><programlisting>
base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key))
expirationTime: The date and time when the nonce expires, expressed in milliseconds
key: A private key to prevent modification of the nonce token
@ -89,18 +90,20 @@
collaborators:</para>
<para><programlisting>
&lt;bean id="digestProcessingFilter" class="org.springframework.security.ui.digestauth.DigestProcessingFilter"&gt;
&lt;property name="userDetailsService"&gt;&lt;ref local="jdbcDaoImpl"/&gt;&lt;/property&gt;
&lt;property name="authenticationEntryPoint"&gt;&lt;ref local="digestProcessingFilterEntryPoint"/&gt;&lt;/property&gt;
&lt;property name="userCache"&gt;&lt;ref local="userCache"/&gt;&lt;/property&gt;
&lt;/bean&gt;
<![CDATA[
<bean id="digestProcessingFilter"
class="org.springframework.security.ui.digestauth.DigestProcessingFilter">
<property name="userDetailsService" ref="jdbcDaoImpl"/>
<property name="authenticationEntryPoint" ref="digestProcessingFilterEntryPoint"/>
<property name="userCache" ref="userCache"/>
</bean>
&lt;bean id="digestProcessingFilterEntryPoint"
class="org.springframework.security.ui.digestauth.DigestProcessingFilterEntryPoint"&gt;
&lt;property name="realmName"&gt;&lt;value&gt;Contacts Realm via Digest Authentication&lt;/value&gt;&lt;/property&gt;
&lt;property name="key"&gt;&lt;value&gt;acegi&lt;/value&gt;&lt;/property&gt;
&lt;property name="nonceValiditySeconds"&gt;&lt;value&gt;10&lt;/value&gt;&lt;/property&gt;
&lt;/bean&gt;
<bean id="digestProcessingFilterEntryPoint"
class="org.springframework.security.ui.digestauth.DigestProcessingFilterEntryPoint">
<property name="realmName" value="Contacts Realm via Digest Authentication"/>
<property name="key" value="acegi"/>
<property name="nonceValiditySeconds" value="10"/>
</bean>]]>
</programlisting></para>

View File

@ -20,14 +20,14 @@
monitored by the filter (by default
<literal>j_spring_security_check</literal>). You should add an
<literal>AuthenticationProcessingFilter</literal> to you application context:
<programlisting>
&lt;bean id="authenticationProcessingFilter"
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter"&gt;
&lt;property name="authenticationManager" ref="authenticationManager"/&gt;
&lt;property name="authenticationFailureUrl" value="/acegilogin.jsp?login_error=1"/&gt;
&lt;property name="defaultTargetUrl" value="/"/&gt;
&lt;property name="filterProcessesUrl" value="/j_spring_security_check"/&gt;
&lt;/bean&gt;
<programlisting><![CDATA[
<bean id="authenticationProcessingFilter"
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationFailureUrl" value="/login.jsp?login_error=1"/>
<property name="defaultTargetUrl" value="/"/>
<property name="filterProcessesUrl" value="/j_spring_security_check"/>
</bean> ]]>
</programlisting></para>
<para>The configured <literal>AuthenticationManager</literal>

View File

@ -21,19 +21,16 @@
<para>Lets assume we have a JAAS login configuration file,
<literal>/WEB-INF/login.conf</literal>, with the following
contents:</para>
<para><programlisting>JAASTest {
contents:
<programlisting>
JAASTest {
sample.SampleLoginModule required;
};</programlisting></para>
};</programlisting></para>
<para>Like all Spring Security beans, the
<literal>JaasAuthenticationProvider</literal> is configured via the
application context. The following definitions would correspond to the
above JAAS login configuration file:</para>
<para><programlisting>
<![CDATA[
above JAAS login configuration file:
<programlisting><![CDATA[
<bean id="jaasAuthenticationProvider"
class="org.springframework.security.providers.jaas.JaasAuthenticationProvider">
<property name="loginConfig" value="/WEB-INF/login.conf"/>
@ -50,8 +47,7 @@
</list>
</property>
</bean>
]]>
</programlisting></para>
]]></programlisting></para>
<para>The <literal>CallbackHandler</literal>s and
<literal>AuthorityGranter</literal>s are discussed below.</para>
@ -99,7 +95,6 @@
<section xml:id="jaas-authoritygranter">
<info><title xml:id="jaas-authority-granter">JAAS AuthorityGranter</title></info>
<para>JAAS works with principals. Even "roles" are represented as
principals in JAAS. Spring Security, on the other hand, works with
<literal>Authentication</literal> objects. Each

View File

@ -112,8 +112,8 @@
</info>
<para>
This is the most common LDAP authentication scenario.
<programlisting>
<![CDATA[<ldap-authentication-provider user-dn-pattern="uid={0},ou=people"/>
<programlisting><![CDATA[
<ldap-authentication-provider user-dn-pattern="uid={0},ou=people"/>
]]></programlisting>
This simple example would obtain the DN for the user by substituting the user login
name in the supplied pattern and attempting to bind as that user with the login
@ -329,8 +329,7 @@
</info>
<para>A typical configuration, using some of the beans we've discussed here, might look
like this:
<programlisting>
<![CDATA[
<programlisting><![CDATA[
<bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<constructor-arg value="ldap://monkeymachine:389/dc=springframework,dc=org"/>
@ -343,7 +342,9 @@
<constructor-arg>
<bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
<constructor-arg ref="contextSource"/>
<property name="userDnPatterns"><list><value>uid={0},ou=people</value></list></property>
<property name="userDnPatterns">
<list><value>uid={0},ou=people</value></list>
</property>
</bean>
</constructor-arg>
<constructor-arg>
@ -370,14 +371,12 @@
<literal>(uid=&lt;user-login-name&gt;)</literal>
for use instead of the DN-pattern (or in addition to it), you would configure the
following bean
<programlisting>
<![CDATA[
<programlisting><![CDATA[
<bean id="userSearch"
class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<constructor-arg index="0" value=""/>
<constructor-arg index="1" value="(uid={0})"/>
<constructor-arg index="2" ref="contextSource" />
<property name="searchSubtree" value="true"/>
</bean> ]]>
</programlisting>
and use it by setting the authenticator's

View File

@ -141,15 +141,15 @@
<url-pattern>/*</url-pattern>
</filter-mapping>]]>
</programlisting>
This provides a hook into the Spring Security web infrastructure. You can find more details
This provides a hook into the Spring Security web infrastructure. <!-- You can find more details
of how this works in
<link xlink:href="#todo">TODO</link>. You're then ready to start editing your application
<link xlink:href="#todo">TODO</link>-->. You're then ready to start editing your application
context file. Web security services are configured using the <literal>&lt;http&gt;</literal>
element.
</para>
</section>
<section>
<section xml:id="namespace-minimal">
<info>
<title>A Minimal <literal>&lt;http&gt;</literal>Configuration</title>
</info>
@ -206,7 +206,7 @@
login page, but the namespace offers plenty of options to allow you to customize this
kind of thing.
</para>
<section>
<section xml:id="namespace-auto-config">
<title>What does <literal>auto-config</literal> Include?</title>
<para>
The <literal>auto-config</literal> attribute, as we have used it above, is just a
@ -281,13 +281,13 @@
Often your password data will be encoded using a hashing algorithm. This is supported by the <literal>&lt;password-encoder&gt;</literal>
element. With SHA encoded passwords, the original authentication provider configuration would look like this:
<programlisting><![CDATA[
<authentication-provider>
<authentication-provider>
<password-encoder hash="sha"/>
<user-service>
<user name="jimi" password="d7e6351eaa13189a5a3641bab846c8e8c69ba39f" authorities="ROLE_USER, ROLE_ADMIN" />
<user name="bob" password="4e7421b1b8765d8f9406d87e7cc6aa784c4ab97f" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-provider>
]]>
</programlisting>
</para>
@ -296,9 +296,9 @@
Ideally you would want to use a randomly generated salt value for each user, but you can use any property of the <classname>UserDetails</classname>
object which is loaded by your <classname>UserDetailsService</classname>. For example, to use the <literal>username</literal> property, you would use
<programlisting><![CDATA[
<password-encoder hash="sha">
<password-encoder hash="sha">
<salt-source user-property="username"/>
</password-encoder>
</password-encoder>
]]></programlisting>
You can use a custom password encoder bean by using the <literal>ref</literal> attribute of <literal>password-encoder</literal>. This should
contain the name of a bean in the application context which is an instance of Spring Security's <interfacename>PasswordEncoder</interfacename>
@ -306,5 +306,35 @@
</para>
</section>
</section>
<section xml:id="namespace-requires-channel">
<title>Adding HTTP/HTTPS Channel Security</title>
<para>If your application supports both HTTP and HTTPS, and you require that particular URLs can only be accessed over HTTPS, then this is
directly supported using the <literal>requires-channel</literal> attribute on <literal>&lt;intercept-url&gt;</literal>:
<programlisting><![CDATA[
<http>
<intercept-url pattern="/secure/**" access="ROLE_USER" requires-channel="https"/>
<intercept-url pattern="/**" access="ROLE_USER" requires-channel="any"/>
...
</http>]]>
</programlisting>
With this configuration in place, if a user attempts to access anything matching the "/secure/**"
pattern using HTTP, they will first be redirected to an HTTPS URL.
The available options are "http", "https" or "any". Using the value "any" means that either HTTP or HTTPS
can be used.
</para>
<para>
If your application uses non-standard ports for HTTP and/or HTTPS, you can specify a list of port mappings as follows:
<programlisting>
<![CDATA[
<http>
...
<port-mappings>
<port-mapping http="9080" https="9443"/>
</port-mappings>
</http>]]>
</programlisting>
You can find a more in-depth discussion of channel security in <xref xlink:href="#channel-security"/>.
</para>
</section>
</section>
</chapter>

View File

@ -25,13 +25,13 @@
via hooks in the <literal>AbstractProcessingFilter</literal>
superclass. The hooks will invoke a concrete
<literal>RememberMeServices</literal> at the appropriate times. The
interface looks like this:</para>
<para><programlisting>public Authentication autoLogin(HttpServletRequest request, HttpServletResponse response);
public void loginFail(HttpServletRequest request, HttpServletResponse response);
public void loginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication);</programlisting></para>
<para>Please refer to JavaDocs for a fuller discussion on what the
interface looks like this:
<programlisting>
Authentication autoLogin(HttpServletRequest request, HttpServletResponse response);
void loginFail(HttpServletRequest request, HttpServletResponse response);
void loginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication);
</programlisting>
Please refer to JavaDocs for a fuller discussion on what the
methods do, although note at this stage
<literal>AbstractProcessingFilter</literal> only calls the
<literal>loginFail()</literal> and <literal>loginSuccess()</literal>
@ -53,12 +53,13 @@
the browser upon successful interactive authentication, with that
cookie being composed as follows:</para>
<para><programlisting>base64(username + ":" + expirationTime + ":" + md5Hex(username + ":" + expirationTime + ":" password + ":" + key))
<para><programlisting>
base64(username + ":" + expirationTime + ":" + md5Hex(username + ":" + expirationTime + ":" password + ":" + key))
username: As identifiable to TokenBasedRememberMeServices.getUserDetailsService()
password: That matches the relevant UserDetails retrieved from TokenBasedRememberMeServices.getUserDetailsService()
expirationTime: The date and time when the remember-me token expires, expressed in milliseconds
key: A private key to prevent modification of the remember-me token
username: As identifiable to TokenBasedRememberMeServices.getUserDetailsService()
password: That matches the relevant UserDetails retrieved from TokenBasedRememberMeServices.getUserDetailsService()
expirationTime: The date and time when the remember-me token expires, expressed in milliseconds
key: A private key to prevent modification of the remember-me token
</programlisting></para>
<para>As such the remember-me token is valid only for the period
@ -90,21 +91,22 @@
remember-me services are as follows:</para>
<para><programlisting>
&lt;bean id="rememberMeProcessingFilter"
class="org.springframework.security.ui.rememberme.RememberMeProcessingFilter"&gt;
&lt;property name="rememberMeServices"&gt;&lt;ref local="rememberMeServices"/&gt;&lt;/property&gt;
&lt;/bean&gt;
<![CDATA[
<bean id="rememberMeProcessingFilter"
class="org.springframework.security.ui.rememberme.RememberMeProcessingFilter">
<property name="rememberMeServices" ref="rememberMeServices"/>
</bean>
&lt;bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices"&gt;
&lt;property name="userDetailsService"&gt;&lt;ref local="jdbcDaoImpl"/&gt;&lt;/property&gt;
&lt;property name="key"&gt;&lt;value&gt;springRocks&lt;/value&gt;&lt;/property&gt;
&lt;/bean&gt;
&lt;bean id="rememberMeAuthenticationProvider"
class="org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider"&gt;
&lt;property name="key"&gt;&lt;value&gt;springRocks&lt;/value&gt;&lt;/property&gt;
&lt;/bean&gt;
<bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices">
<property name="userDetailsService" ref="jdbcDaoImpl"/>
<property name="key" value="springRocks"/>
</bean>
<bean id="rememberMeAuthenticationProvider"
class="org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider">
<property name="key" value="springRocks"/>
</bean>
]]>
</programlisting>Don't forget to add your
<literal>RememberMeServices</literal> implementation to your
<literal>AuthenticationProcessingFilter.setRememberMeServices()</literal>

View File

@ -1,8 +1,8 @@
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="runas"><info><title>Run-As Authentication Replacement</title></info>
<section xml:id="runas-overview"><info><title>Overview</title></info>
<section xml:id="runas-overview">
<info><title>Overview</title></info>
<para>The <literal>AbstractSecurityInterceptor</literal> is able to
temporarily replace the <literal>Authentication</literal> object in
@ -28,15 +28,15 @@
are particularly useful when calling remote web services</para>
</section>
<section xml:id="runas-config"><info><title>Configuration</title></info>
<para>A <literal>RunAsManager</literal> interface is provided by Acegi
Security:</para>
<para><programlisting>public Authentication buildRunAs(Authentication authentication, Object object, ConfigAttributeDefinition config);
public boolean supports(ConfigAttribute attribute);
public boolean supports(Class clazz);</programlisting></para>
<section xml:id="runas-config">
<info><title>Configuration</title></info>
<para>A <literal>RunAsManager</literal> interface is provided by Spring Security:
<programlisting>
Authentication buildRunAs(Authentication authentication, Object object, ConfigAttributeDefinition config);
boolean supports(ConfigAttribute attribute);
boolean supports(Class clazz);
</programlisting>
</para>
<para>The first method returns the <literal>Authentication</literal>
object that should replace the existing
@ -84,20 +84,17 @@
the hash of a key is stored in all generated tokens. The
<literal>RunAsManagerImpl</literal> and
<literal>RunAsImplAuthenticationProvider</literal> is created in the
bean context with the same key:</para>
<para><programlisting>
&lt;bean id="runAsManager" class="org.springframework.security.runas.RunAsManagerImpl"&gt;
&lt;property name="key"&gt;&lt;value&gt;my_run_as_password&lt;/value&gt;&lt;/property&gt;
&lt;/bean&gt;
&lt;bean id="runAsAuthenticationProvider"
class="org.springframework.security.runas.RunAsImplAuthenticationProvider"&gt;
&lt;property name="key"&gt;&lt;value&gt;my_run_as_password&lt;/value&gt;&lt;/property&gt;
&lt;/bean&gt;
</programlisting></para>
bean context with the same key:
<programlisting>
<![CDATA[
<bean id="runAsManager" class="org.springframework.security.runas.RunAsManagerImpl">
<property name="key" value="my_run_as_password"/>
</bean>
<bean id="runAsAuthenticationProvider"
class="org.springframework.security.runas.RunAsImplAuthenticationProvider">
<property name="key" value="my_run_as_password"/>
</bean>]]></programlisting></para>
<para>By using the same key, each <literal>RunAsUserToken</literal>
can be validated it was created by an approved
<literal>RunAsManagerImpl</literal>. The

View File

@ -118,7 +118,6 @@
<xi:include href="channel-security.xml" />
<xi:include href="taglibs.xml" />
</part>
<part xml:id="authentication">
@ -193,8 +192,7 @@
<partintro>
<para>In addition to this reference guide, a number of other resources
exist to help you learn how to use Spring Security. These resources are
discussed in this section.</para>
exist to help you learn how to use Spring Security.</para>
</partintro>
<xi:include href="samples.xml"/>

View File

@ -1,4 +1,6 @@
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="supporting-infrastructure"><info><title>Supporting Infrastructure</title></info>
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="supporting-infrastructure" xmlns:xlink="http://www.w3.org/1999/xlink">
<info><title>Supporting Infrastructure</title></info>
<para>This chapter introduces some of the supplementary and supporting
@ -6,9 +8,8 @@
related to security, yet included in the Spring Security project, we
will discuss it in this chapter.</para>
<section xml:id="localization"><info><title>Localization</title></info>
<section xml:id="localization">
<title>Localization</title>
<para>Spring Security supports localization of exception messages that
end users are likely to see. If your application is designed for
English users, you don't need to do anything as by default all
@ -36,9 +37,11 @@
inside your application context to refer to the messages. An example
is shown below:</para>
<para><programlisting>&lt;bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource"&gt;
&lt;property name="basename"&gt;&lt;value&gt;org/acegisecurity/messages&lt;/value&gt;&lt;/property&gt;
&lt;/bean&gt; </programlisting></para>
<para><programlisting><![CDATA[
<bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
<property name="basename" value="org/acegisecurity/messages"/>
</bean>
]]></programlisting></para>
<para>The <literal>messages.properties</literal> is named in
accordance with standard resource bundles and represents the default
@ -73,12 +76,15 @@
<literal>SessionLocaleResolver</literal> etc)</para>
</section>
<section xml:id="filters"><info><title>Filters</title></info>
<section xml:id="filters">
<info><title>Filters</title></info>
<para>Spring Security uses many filters, as referred to throughout the
remainder of this reference guide. You have a choice in how these
filters are added to your web application, in that you can use either
remainder of this reference guide. If you are using <link xlink:href="#namespace-config">namespace configuration</link>,
then the you don't usually have to declare the filter beans explicitly. There may be times when you want full control
over the security filter chain, either because you are using features which aren't supported in the namespace, or you
are using your own customized versions of classes.</para>
<para>In this case, you have a choice in how these filters are added to your web application, in that you can use either
Spring's <literal>DelegatingFilterProxy</literal> or
<literal>FilterChainProxy</literal>. We'll look at both below.</para>
@ -86,7 +92,6 @@
something like this in the web.xml file:
<programlisting>
&lt;filter&gt;
&lt;filter-name&gt;myFilter&lt;/filter-name&gt;
&lt;filter-class&gt;org.springframework.web.filter.DelegatingFilterProxy&lt;/filter-class&gt;
@ -96,7 +101,6 @@
&lt;filter-name&gt;myFilter&lt;/filter-name&gt;
&lt;url-pattern&gt;/*&lt;/url-pattern&gt;
&lt;/filter-mapping&gt;
</programlisting>
Notice that the filter is actually a <literal>DelegatingFilterProxy</literal>,
@ -148,8 +152,10 @@
<para><programlisting><![CDATA[
<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
<sec:filter-chain-map path-type="ant">
<sec:filter-chain pattern="/webServices/**" filters="httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
<sec:filter-chain pattern="/**" filters="httpSessionContextIntegrationFilterWithASCTrue,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
<sec:filter-chain pattern="/webServices/**"
filters="httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
<sec:filter-chain pattern="/**"
filters="httpSessionContextIntegrationFilterWithASCTrue,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
</sec:filter-chain-map>
</bean>
]]>
@ -209,7 +215,9 @@
any servlet container lifecycle invocations are not delegated through
to <literal>DelegatingFilterProxy</literal>.</para>
<para>You can also omit a URI pattern from the filter chain by using
<para>In the same way that you can use the attribute <literal>filters = "none"</literal>
when using <link xlink:href="#namespace-auto-config">namespace configuration</link>,
you can omit a URI pattern from the filter chain by using
the token <literal>#NONE#</literal> on the right-hand side of the
<literal>&lt;URI Pattern&gt; = &lt;Filter Chain&gt;</literal>
expression. For example, using the example above, if you wanted to
@ -311,4 +319,44 @@
<literal>SecurityContextHolder</literal> to be populated in time for
use by SiteMesh decorators</para>
</section>
<section xml:id="taglib">
<info><title>Tag Libraries</title></info>
<para>Spring Security comes bundled with several JSP tag libraries which provide a range of different
services.</para>
<section xml:id="taglib-config">
<info><title>Configuration</title></info>
<para>All taglib classes are included in the core
<literal>spring-security-xx.jar</literal> file, with the
<literal>security.tld</literal> located in the JAR's
<literal>META-INF</literal> directory. This means for JSP 1.2+ web
containers you can simply include the JAR in the WAR's
<literal>WEB-INF/lib</literal> directory and it will be available. If
you're using a JSP 1.1 container, you'll need to declare the JSP
taglib in your <literal>web.xml file</literal>, and include
<literal>security.tld</literal> in the <literal>WEB-INF/lib</literal>
directory. The following fragment is added to
<literal>web.xml</literal>:
<programlisting><![CDATA[
<taglib>
<taglib-uri>http://www.springframework.org/security/tags</taglib-uri>
<taglib-location>/WEB-INF/security.tld</taglib-location>
</taglib>
]]></programlisting></para>
</section>
<section xml:id="taglib-usage">
<info><title>Usage</title></info>
<para>Now that you've configured the tag libraries, refer to the
individual reference guide sections for details on how to use them.
Note that when using the tags, you should include the taglib reference
in your JSP:
<programlisting>
&lt;%@ taglib prefix='security' uri='http://www.springframework.org/security/tags' %&gt;
</programlisting></para>
</section>
</section>
</chapter>

View File

@ -2,17 +2,15 @@
<info><title>Tag Libraries</title></info>
<section xml:id="taglib-overview"><info><title>Overview</title></info>
<section xml:id="taglib-overview">
<info><title>Overview</title></info>
<para>Spring Security comes bundled with several JSP tag libraries
that eases JSP writing. The tag libraries provide a range of different
services.</para>
</section>
<section xml:id="taglib-config"><info><title>Configuration</title></info>
<section xml:id="taglib-config">
<info><title>Configuration</title></info>
<para>All taglib classes are included in the core
<literal>spring-security-xx.jar</literal> file, with the
<literal>security.tld</literal> located in the JAR's
@ -25,15 +23,16 @@
directory. The following fragment is added to
<literal>web.xml</literal>:</para>
<para><programlisting>&lt;taglib&gt;
<para><programlisting>
&lt;taglib&gt;
&lt;taglib-uri&gt;http://www.springframework.org/security/tags&lt;/taglib-uri&gt;
&lt;taglib-location&gt;/WEB-INF/security.tld&lt;/taglib-location&gt;
&lt;/taglib&gt; </programlisting></para>
&lt;/taglib&gt;
</programlisting></para>
</section>
<section xml:id="taglib-usage"><info><title>Usage</title></info>
<section xml:id="taglib-usage">
<info><title>Usage</title></info>
<para>Now that you've configured the tag libraries, refer to the
individual reference guide sections for details on how to use them.
Note that when using the tags, you should include the taglib reference

View File

@ -23,8 +23,8 @@
from one system to another and it will immediately work.</para>
</section>
<section xml:id="shared-components"><info><title>Shared Components</title></info>
<section xml:id="shared-components">
<info><title>Shared Components</title></info>
<para>Let's explore some of the most important shared components in
Spring Security. Components are considered "shared" if they are

View File

@ -25,11 +25,11 @@
<section><info><title>Adding X.509 Authentication to Your Web Application</title></info>
<para> Enabling X.509 client authentication is very straightforward. Just add the <literal>&lt;x509/&gt;</literal> element to your http security namespace configuration. <programlisting>
&lt;http&gt;
&lt;http&gt;
...
&lt;x509 subject-principal-regex="CN=(.*?)," user-service-ref="userService"/&gt;
...
&lt;/http&gt;
&lt;/http&gt;
</programlisting> The element has two optional attributes: <itemizedlist>
<listitem>
<para><literal>subject-principal-regex</literal>. The regular expression used to
@ -69,13 +69,13 @@
tomcat <filename>conf</filename> directory and add the following connector to the
<filename>server.xml</filename> file
<programlisting>
&lt;Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
&lt;Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="${catalina.home}/conf/server.jks"
keystoreType="JKS" keystorePass="password"
truststoreFile="${catalina.home}/conf/server.jks"
truststoreType="JKS" truststorePass="password"
/&gt;
/&gt;
</programlisting>
<parameter>clientAuth</parameter> can also be set to <parameter>want</parameter> if you still
want SSL connections to succeed even if the client doesn't provide a certificate.