From b7284964b76f64a1989acd1739385d57c8c520bc Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Fri, 21 Sep 2007 18:31:54 +0000 Subject: [PATCH] SEC-562: Other pepackaging (apart from adapters which are currently broken svn-wise). --- pom.xml | 6 +- src/docbkx/springsecurity.xml | 727 +++++++++++++++++----- src/site/apt/petclinic-tutorial.apt | 18 +- src/site/resources/dbinit.txt | 12 +- src/site/site.xml | 4 +- src/site/xdoc/upgrade/upgrade-090-100.xml | 25 +- 6 files changed, 606 insertions(+), 186 deletions(-) diff --git a/pom.xml b/pom.xml index 7bb54ab484..d97e276ff5 100644 --- a/pom.xml +++ b/pom.xml @@ -1,7 +1,7 @@ 4.0.0 - org.acegisecurity - acegi-security-parent + org.springframework.security + spring-security-parent 2.0-SNAPSHOT Acegi Security pom @@ -15,7 +15,7 @@ ntlm - Acegi Security System for Spring + Spring Security Interface21, Inc http://sourceforge.net/projects/acegisecurity diff --git a/src/docbkx/springsecurity.xml b/src/docbkx/springsecurity.xml index 5e6a8f4eee..a15a8c3736 100644 --- a/src/docbkx/springsecurity.xml +++ b/src/docbkx/springsecurity.xml @@ -27,7 +27,7 @@ Reference Documentation - 1.0.5 + 2.0-SNAPSHOT @@ -878,7 +878,7 @@ if (obj instanceof UserDetails) { instead are hard-coded in English within Acegi Security's code. Shipping in the acegi-security-xx.jar you - will find an org.acegisecurity package that in turn + will find an org.springframework.security package that in turn contains a messages.properties file. This should be referred to by your ApplicationContext, as Acegi Security classes implement Spring's @@ -940,10 +940,10 @@ if (obj instanceof UserDetails) { <filter> <filter-name>Acegi HTTP Request Security Filter</filter-name> - <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class> + <filter-class>org.springframework.security.util.FilterToBeanProxy</filter-class> <init-param> <param-name>targetClass</param-name> - <param-value>org.acegisecurity.ClassThatImplementsFilter</param-value> + <param-value>org.springframework.security.ClassThatImplementsFilter</param-value> </init-param> </filter> @@ -1005,11 +1005,12 @@ if (obj instanceof UserDetails) { FilterChainProxy class. It is wired using a FilterToBeanProxy (just like in the example above), but the target class is - org.acegisecurity.util.FilterChainProxy. The filter + org.springframework.security.util.FilterChainProxy. The filter chain is then declared in the application context, using code such as this: - <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy"> + <bean id="filterChainProxy" + class="org.springframework.security.util.FilterChainProxy"> <property name="filterInvocationDefinitionSource"> <value> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON @@ -1223,10 +1224,10 @@ if (obj instanceof UserDetails) { <filter> <filter-name>Acegi Channel Processing Filter</filter-name> - <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class> + <filter-class>org.springframework.security.util.FilterToBeanProxy</filter-class> <init-param> <param-name>targetClass</param-name> - <param-value>org.acegisecurity.securechannel.ChannelProcessingFilter</param-value> + <param-value>org.springframework.security.securechannel.ChannelProcessingFilter</param-value> </init-param> </filter> @@ -1242,7 +1243,7 @@ if (obj instanceof UserDetails) { context: -<bean id="channelProcessingFilter" class="org.acegisecurity.securechannel.ChannelProcessingFilter"> +<bean id="channelProcessingFilter" class="org.springframework.security.securechannel.ChannelProcessingFilter"> <property name="channelDecisionManager"><ref bean="channelDecisionManager"/></property> <property name="filterInvocationDefinitionSource"> <value> @@ -1255,7 +1256,7 @@ if (obj instanceof UserDetails) { </property> </bean> -<bean id="channelDecisionManager" class="org.acegisecurity.securechannel.ChannelDecisionManagerImpl"> +<bean id="channelDecisionManager" class="org.springframework.security.securechannel.ChannelDecisionManagerImpl"> <property name="channelProcessors"> <list> <ref bean="secureChannelProcessor"/> @@ -1264,8 +1265,8 @@ if (obj instanceof UserDetails) { </property> </bean> -<bean id="secureChannelProcessor" class="org.acegisecurity.securechannel.SecureChannelProcessor"/> -<bean id="insecureChannelProcessor" class="org.acegisecurity.securechannel.InsecureChannelProcessor"/> +<bean id="secureChannelProcessor" class="org.springframework.security.securechannel.SecureChannelProcessor"/> +<bean id="insecureChannelProcessor" class="org.springframework.security.securechannel.InsecureChannelProcessor"/> @@ -1437,10 +1438,10 @@ if (obj instanceof UserDetails) { <filter> <filter-name>Acegi Filter Chain Proxy</filter-name> - <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class> + <filter-class>org.springframework.security.util.FilterToBeanProxy</filter-class> <init-param> <param-name>targetClass</param-name> - <param-value>org.acegisecurity.util.FilterChainProxy</param-value> + <param-value>org.springframework.security.util.FilterChainProxy</param-value> </init-param> </filter> @@ -1459,7 +1460,8 @@ if (obj instanceof UserDetails) { bean definition would look like inside your application context: - <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy"> + <bean id="filterChainProxy" + class="org.springframework.security.util.FilterChainProxy"> <property name="filterInvocationDefinitionSource"> <value> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON @@ -1539,7 +1541,8 @@ if (obj instanceof UserDetails) { Security, so let's look at how it's configured for the example we're using in this chapter: - <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager"> + <bean id="authenticationManager" + class="org.springframework.security.providers.ProviderManager"> <property name="providers"> <list> <ref local="daoAuthenticationProvider"/> @@ -1600,16 +1603,18 @@ if (obj instanceof UserDetails) { header or HTTP redirect in order to start authentication. Continuing on with our earlier example: - <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter"> + <bean id="exceptionTranslationFilter" + class="org.springframework.security.ui.ExceptionTranslationFilter"> <property name="authenticationEntryPoint"><ref local="authenticationProcessingFilterEntryPoint"/></property> <property name="accessDeniedHandler"> - <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl"> + <bean class="org.springframework.security.ui.AccessDeniedHandlerImpl"> <property name="errorPage" value="/accessDenied.jsp"/> </bean> </property> </bean> -<bean id="authenticationProcessingFilterEntryPoint" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint"> +<bean id="authenticationProcessingFilterEntryPoint" + class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint"> <property name="loginFormUrl"><value>/acegilogin.jsp</value></property> <property name="forceHttps"><value>false</value></property> </bean> @@ -1698,7 +1703,8 @@ if (obj instanceof UserDetails) { configure the InMemoryDaoImpl implementation: - <bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl"> + <bean id="inMemoryDaoImpl" + class="org.springframework.security.userdetails.memory.InMemoryDaoImpl"> <property name="userMap"> <value> marissa=koala,ROLE_TELLER,ROLE_SUPERVISOR @@ -1758,7 +1764,7 @@ if (obj instanceof UserDetails) { <property name="password"><value></value></property> </bean> -<bean id="jdbcDaoImpl" class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl"> +<bean id="jdbcDaoImpl" class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl"> <property name="dataSource"><ref bean="dataSource"/></property> </bean> @@ -1800,11 +1806,11 @@ if (obj instanceof UserDetails) { following to web.xml: <listener> - <listener-class>org.acegisecurity.ui.session.HttpSessionEventPublisher</listener-class> + <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class> </listener> In addition, you will need to add the - org.acegisecurity.concurrent.ConcurrentSessionFilter + org.springframework.security.concurrent.ConcurrentSessionFilter to your FilterChainProxy. The ConcurrentSessionFilter requires two properties, sessionRegistry, which generally points to an @@ -1824,19 +1830,21 @@ if (obj instanceof UserDetails) { ConcurrentSessionControllerImpl and refer to it from your ProviderManager bean: - <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager"> + <bean id="authenticationManager" + class="org.springframework.security.providers.ProviderManager"> <property name="providers"> <!-- your providers go here --> </property> <property name="sessionController"><ref bean="concurrentSessionController"/></property> </bean> -<bean id="concurrentSessionController" class="org.acegisecurity.concurrent.ConcurrentSessionControllerImpl"> +<bean id="concurrentSessionController" + class="org.springframework.security.concurrent.ConcurrentSessionControllerImpl"> <property name="maximumSessions"><value>1</value></property> <property name="sessionRegistry"><ref local="sessionRegistry"/></property> </bean> -<bean id="sessionRegistry" class="org.acegisecurity.concurrent.SessionRegistryImpl"/> +<bean id="sessionRegistry" class="org.springframework.security.concurrent.SessionRegistryImpl"/> @@ -1891,7 +1899,8 @@ if (obj instanceof UserDetails) { configured to present a UsernamePasswordAuthenticationToken, the configuration of the provider itself is rather simple: - <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider"> + <bean id="daoAuthenticationProvider" + class="org.springframework.security.providers.dao.DaoAuthenticationProvider"> <property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property> <property name="saltSource"><ref bean="saltSource"/></property> <property name="passwordEncoder"><ref bean="passwordEncoder"/></property> @@ -1927,7 +1936,8 @@ if (obj instanceof UserDetails) { EhCacheBasedUserCache, which is configured as follows: - <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider"> + <bean id="daoAuthenticationProvider" + class="org.springframework.security.providers.dao.DaoAuthenticationProvider"> <property name="userDetailsService"><ref bean="userDetailsService"/></property> <property name="userCache"><ref bean="userCache"/></property> </bean> @@ -1947,7 +1957,7 @@ if (obj instanceof UserDetails) { </property> </bean> -<bean id="userCache" class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache"> +<bean id="userCache" class="org.springframework.security.providers.dao.cache.EhCacheBasedUserCache"> <property name="cache"><ref local="userCacheBackend"/></property> </bean> @@ -2023,7 +2033,8 @@ if (obj instanceof UserDetails) { above JAAS login configuration file: -<bean id="jaasAuthenticationProvider" class="org.acegisecurity.providers.jaas.JaasAuthenticationProvider"> +<bean id="jaasAuthenticationProvider" + class="org.springframework.security.providers.jaas.JaasAuthenticationProvider"> <property name="loginConfig"> <value>/WEB-INF/login.conf</value> </property> @@ -2032,13 +2043,13 @@ if (obj instanceof UserDetails) { </property> <property name="callbackHandlers"> <list> - <bean class="org.acegisecurity.providers.jaas.JaasNameCallbackHandler"/> - <bean class="org.acegisecurity.providers.jaas.JaasPasswordCallbackHandler"/> + <bean class="org.springframework.security.providers.jaas.JaasNameCallbackHandler"/> + <bean class="org.springframework.security.providers.jaas.JaasPasswordCallbackHandler"/> </list> </property> <property name="authorityGranters"> <list> - <bean class="org.acegisecurity.providers.jaas.TestAuthorityGranter"/> + <bean class="org.springframework.security.providers.jaas.TestAuthorityGranter"/> </list> </property> </bean> @@ -2167,7 +2178,8 @@ if (obj instanceof UserDetails) { sent to the SiteminderAuthenticationProvider. Let's look at an example: - <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.SiteminderAuthenticationProcessingFilter"> + <bean id="authenticationProcessingFilter" + class="org.springframework.security.ui.webapp.SiteminderAuthenticationProcessingFilter"> <property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="authenticationFailureUrl"><value>/login.jsp?login_error=1</value></property> <property name="defaultTargetUrl"><value>/security.do?method=getMainMenu</value></property> @@ -2296,11 +2308,12 @@ public boolean supports(Class clazz); bean context with the same key: -<bean id="runAsManager" class="org.acegisecurity.runas.RunAsManagerImpl"> +<bean id="runAsManager" class="org.springframework.security.runas.RunAsManagerImpl"> <property name="key"><value>my_run_as_password</value></property> </bean> -<bean id="runAsAuthenticationProvider" class="org.acegisecurity.runas.RunAsImplAuthenticationProvider"> +<bean id="runAsAuthenticationProvider" + class="org.springframework.security.runas.RunAsImplAuthenticationProvider"> <property name="key"><value>my_run_as_password</value></property> </bean> @@ -2339,10 +2352,10 @@ public boolean supports(Class clazz); <filter> <filter-name>Acegi Authentication Processing Filter</filter-name> - <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class> + <filter-class>org.springframework.security.util.FilterToBeanProxy</filter-class> <init-param> <param-name>targetClass</param-name> - <param-value>org.acegisecurity.ui.webapp.AuthenticationProcessingFilter</param-value> + <param-value>org.springframework.security.ui.webapp.AuthenticationProcessingFilter</param-value> </init-param> </filter> @@ -2355,7 +2368,8 @@ public boolean supports(Class clazz); refer to the Filters section. The application context will need to define the AuthenticationProcessingFilter: - <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter"> + <bean id="authenticationProcessingFilter" + class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter"> <property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="authenticationFailureUrl"><value>/acegilogin.jsp?login_error=1</value></property> <property name="defaultTargetUrl"><value>/</value></property> @@ -2420,12 +2434,13 @@ public boolean supports(Class clazz); collaborator: -<bean id="basicProcessingFilter" class="org.acegisecurity.ui.basicauth.BasicProcessingFilter"> +<bean id="basicProcessingFilter" class="org.springframework.security.ui.basicauth.BasicProcessingFilter"> <property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="authenticationEntryPoint"><ref bean="authenticationEntryPoint"/></property> </bean> -<bean id="authenticationEntryPoint" class="org.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint"> +<bean id="authenticationEntryPoint" + class="org.springframework.security.ui.basicauth.BasicProcessingFilterEntryPoint"> <property name="realmName"><value>Name Of Your Realm</value></property> </bean> @@ -2541,13 +2556,14 @@ key: A private key to prevent modification of the nonce token collaborators: -<bean id="digestProcessingFilter" class="org.acegisecurity.ui.digestauth.DigestProcessingFilter"> +<bean id="digestProcessingFilter" class="org.springframework.security.ui.digestauth.DigestProcessingFilter"> <property name="userDetailsService"><ref local="jdbcDaoImpl"/></property> <property name="authenticationEntryPoint"><ref local="digestProcessingFilterEntryPoint"/></property> <property name="userCache"><ref local="userCache"/></property> </bean> -<bean id="digestProcessingFilterEntryPoint" class="org.acegisecurity.ui.digestauth.DigestProcessingFilterEntryPoint"> +<bean id="digestProcessingFilterEntryPoint" + class="org.springframework.security.ui.digestauth.DigestProcessingFilterEntryPoint"> <property name="realmName"><value>Contacts Realm via Digest Authentication</value></property> <property name="key"><value>acegi</value></property> <property name="nonceValiditySeconds"><value>10</value></property> @@ -2633,12 +2649,14 @@ key: A private key to prevent modification of the nonce token filter and authentication provider appears as follows: -<bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter"> +<bean id="anonymousProcessingFilter" + class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter"> <property name="key"><value>foobar</value></property> <property name="userAttribute"><value>anonymousUser,ROLE_ANONYMOUS</value></property> </bean> -<bean id="anonymousAuthenticationProvider" class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider"> +<bean id="anonymousAuthenticationProvider" + class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider"> <property name="key"><value>foobar</value></property> </bean> @@ -2658,7 +2676,8 @@ key: A private key to prevent modification of the nonce token example: -<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor"> +<bean id="filterInvocationInterceptor" + class="org.springframework.security.intercept.web.FilterSecurityInterceptor"> <property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property> <property name="objectDefinitionSource"> @@ -2785,16 +2804,18 @@ key: A private key to prevent modification of the remember-me token remember-me services are as follows: -<bean id="rememberMeProcessingFilter" class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter"> +<bean id="rememberMeProcessingFilter" + class="org.springframework.security.ui.rememberme.RememberMeProcessingFilter"> <property name="rememberMeServices"><ref local="rememberMeServices"/></property> </bean> -<bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices"> +<bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices"> <property name="userDetailsService"><ref local="jdbcDaoImpl"/></property> <property name="key"><value>springRocks</value></property> </bean> -<bean id="rememberMeAuthenticationProvider" class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider"> +<bean id="rememberMeAuthenticationProvider" + class="org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider"> <property name="key"><value>springRocks</value></property> </bean> @@ -2984,7 +3005,7 @@ key: A private key to prevent modification of the remember-me token Using LDAP with Acegi Security The main LDAP provider class is - org.acegisecurity.providers.ldap.LdapAuthenticationProvider. + org.springframework.security.providers.ldap.LdapAuthenticationProvider. This bean doesn't actually do much itself other than implement the retrieveUser method required by its base class, @@ -3057,7 +3078,7 @@ key: A private key to prevent modification of the remember-me token BindAuthenticator The class - org.acegisecurity.providers.ldap.authenticator.BindAuthenticator + org.springframework.security.providers.ldap.authenticator.BindAuthenticator implements the bind authentication strategy. It simply attempts to bind as the user. @@ -3066,7 +3087,7 @@ key: A private key to prevent modification of the remember-me token PasswordComparisonAuthenticator The class - org.acegisecurity.providers.ldap.authenticator.PasswordComparisonAuthenticator + org.springframework.security.providers.ldap.authenticator.PasswordComparisonAuthenticator implements the password comparison authentication strategy. @@ -3146,14 +3167,14 @@ key: A private key to prevent modification of the remember-me token A typical configuration, using some of the beans we've discussed above, might look like this: <bean id="initialDirContextFactory" - class="org.acegisecurity.ldap.DefaultInitialDirContextFactory"> + class="org.springframework.security.ldap.DefaultInitialDirContextFactory"> <constructor-arg value="ldap://monkeymachine:389/dc=acegisecurity,dc=org"/> <property name="managerDn"><value>cn=manager,dc=acegisecurity,dc=org</value></property> <property name="managerPassword"><value>password</value></property> </bean> <bean id="userSearch" - class="org.acegisecurity.ldap.search.FilterBasedLdapUserSearch"> + class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch"> <constructor-arg index="0"> <value></value> </constructor-arg> @@ -3169,15 +3190,15 @@ key: A private key to prevent modification of the remember-me token </bean> <bean id="ldapAuthProvider" - class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider"> + class="org.springframework.security.providers.ldap.LdapAuthenticationProvider"> <constructor-arg> - <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator"> + <bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator"> <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg> <property name="userDnPatterns"><list><value>uid={0},ou=people</value></list></property> </bean> </constructor-arg> <constructor-arg> - <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator"> + <bean class="org.springframework.security.providers.ldap.populator.DefaultLdapAuthoritiesPopulator"> <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg> <constructor-arg><value>ou=groups</value></constructor-arg> <property name="groupRoleAttribute"><value>ou</value></property> @@ -3536,7 +3557,7 @@ key: A private key to prevent modification of the remember-me token applicationContext.xml is included below: -<bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl"> +<bean id="inMemoryDaoImpl" class="org.springframework.security.userdetails.memory.InMemoryDaoImpl"> <property name="userMap"> <value> marissa=koala,ROLES_IGNORED_BY_CAS @@ -3547,11 +3568,12 @@ key: A private key to prevent modification of the remember-me token </property> </bean> -<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider"> +<bean id="daoAuthenticationProvider" + class="org.springframework.security.providers.dao.DaoAuthenticationProvider"> <property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property> </bean> -<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager"> +<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager"> <property name="providers"> <list> <ref bean="daoAuthenticationProvider"/> @@ -3559,7 +3581,7 @@ key: A private key to prevent modification of the remember-me token </property> </bean> -<bean id="casPasswordHandler" class="org.acegisecurity.adapters.cas.CasPasswordHandler"> +<bean id="casPasswordHandler" class="org.springframework.security.adapters.cas.CasPasswordHandler"> <property name="authenticationManager"><ref bean="authenticationManager"/></property> </bean> @@ -3579,7 +3601,7 @@ key: A private key to prevent modification of the remember-me token <context-param> <param-name>edu.yale.its.tp.cas.authHandler</param-name> - <param-value>org.acegisecurity.adapters.cas.CasPasswordHandlerProxy</param-value> + <param-value>org.springframework.security.adapters.cas.CasPasswordHandlerProxy</param-value> </context-param> <context-param> @@ -3643,7 +3665,7 @@ key: A private key to prevent modification of the remember-me token <property name="authenticationHandlers"> <list> <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" /> - <bean class="org.acegisecurity.adapters.cas3.CasAuthenticationHandler"> + <bean class="org.springframework.security.adapters.cas3.CasAuthenticationHandler"> <property name="authenticationManager" ref="acegiAuthenticationManager" /> </bean> </list> @@ -3651,7 +3673,7 @@ key: A private key to prevent modification of the remember-me token </bean> - <bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl"> + <bean id="inMemoryDaoImpl" class="org.springframework.security.userdetails.memory.InMemoryDaoImpl"> <property name="userMap"> <value> marissa=koala,ROLES_IGNORED_BY_CAS @@ -3662,11 +3684,12 @@ key: A private key to prevent modification of the remember-me token </property> </bean> - <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider"> + <bean id="daoAuthenticationProvider" + class="org.springframework.security.providers.dao.DaoAuthenticationProvider"> <property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property> </bean> - <bean id="acegiAuthenticationManager" class="org.acegisecurity.providers.ProviderManager"> + <bean id="acegiAuthenticationManager" class="org.springframework.security.providers.ProviderManager"> <property name="providers"> <list> <ref bean="daoAuthenticationProvider"/> @@ -3712,7 +3735,7 @@ key: A private key to prevent modification of the remember-me token -<bean id="serviceProperties" class="org.acegisecurity.ui.cas.ServiceProperties"> +<bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties"> <property name="service"><value>https://localhost:8443/contacts-cas/j_acegi_cas_security_check</value></property> <property name="sendRenew"><value>false</value></property> </bean> @@ -3731,18 +3754,19 @@ key: A private key to prevent modification of the remember-me token authentication process: -<bean id="casProcessingFilter" class="org.acegisecurity.ui.cas.CasProcessingFilter"> +<bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter"> <property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="authenticationFailureUrl"><value>/casfailed.jsp</value></property> <property name="defaultTargetUrl"><value>/</value></property> <property name="filterProcessesUrl"><value>/j_acegi_cas_security_check</value></property> </bean> -<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter"> +<bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter"> <property name="authenticationEntryPoint"><ref local="casProcessingFilterEntryPoint"/></property> </bean> -<bean id="casProcessingFilterEntryPoint" class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint"> +<bean id="casProcessingFilterEntryPoint" + class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint"> <property name="loginUrl"><value>https://localhost:8443/cas/login</value></property> <property name="serviceProperties"><ref bean="serviceProperties"/></property> </bean> @@ -3755,10 +3779,10 @@ key: A private key to prevent modification of the remember-me token <filter> <filter-name>Acegi CAS Processing Filter</filter-name> - <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class> + <filter-class>org.springframework.security.util.FilterToBeanProxy</filter-class> <init-param> <param-name>targetClass</param-name> - <param-value>org.acegisecurity.ui.cas.CasProcessingFilter</param-value> + <param-value>org.springframework.security.ui.cas.CasProcessingFilter</param-value> </init-param> </filter> @@ -3789,7 +3813,7 @@ key: A private key to prevent modification of the remember-me token collaborators: -<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager"> +<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager"> <property name="providers"> <list> <ref bean="casAuthenticationProvider"/> @@ -3797,7 +3821,8 @@ key: A private key to prevent modification of the remember-me token </property> </bean> -<bean id="casAuthenticationProvider" class="org.acegisecurity.providers.cas.CasAuthenticationProvider"> +<bean id="casAuthenticationProvider" + class="org.springframework.security.providers.cas.CasAuthenticationProvider"> <property name="casAuthoritiesPopulator"><ref bean="casAuthoritiesPopulator"/></property> <property name="casProxyDecider"><ref bean="casProxyDecider"/></property> <property name="ticketValidator"><ref bean="casProxyTicketValidator"/></property> @@ -3805,7 +3830,8 @@ key: A private key to prevent modification of the remember-me token <property name="key"><value>my_password_for_this_auth_provider_only</value></property> </bean> -<bean id="casProxyTicketValidator" class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator"> +<bean id="casProxyTicketValidator" + class="org.springframework.security.providers.cas.ticketvalidator.CasProxyTicketValidator"> <property name="casValidate"><value>https://localhost:8443/cas/proxyValidate</value></property> <property name="proxyCallbackUrl"><value>https://localhost:8443/contacts-cas/casProxy/receptor</value></property> <property name="serviceProperties"><ref bean="serviceProperties"/></property> @@ -3827,15 +3853,16 @@ key: A private key to prevent modification of the remember-me token </property> </bean> -<bean id="statelessTicketCache" class="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache"> +<bean id="statelessTicketCache" class="org.springframework.security.providers.cas.cache.EhCacheBasedTicketCache"> <property name="cache"><ref local="ticketCacheBackend"/></property> </bean> -<bean id="casAuthoritiesPopulator" class="org.acegisecurity.providers.cas.populator.DaoCasAuthoritiesPopulator"> +<bean id="casAuthoritiesPopulator" + class="org.springframework.security.providers.cas.populator.DaoCasAuthoritiesPopulator"> <property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property> </bean> -<bean id="casProxyDecider" class="org.acegisecurity.providers.cas.proxy.RejectProxyTickets"/> +<bean id="casProxyDecider" class="org.springframework.security.providers.cas.proxy.RejectProxyTickets"/> @@ -4006,7 +4033,8 @@ key: A private key to prevent modification of the remember-me token to be validated by the AuthByAdapterProvider. This authentication provider is defined as follows: - <bean id="authByAdapterProvider" class="org.acegisecurity.adapters.AuthByAdapterProvider"> + <bean id="authByAdapterProvider" + class="org.springframework.security.adapters.AuthByAdapterProvider"> <property name="key"><value>my_password</value></property> </bean> @@ -4059,7 +4087,7 @@ key: A private key to prevent modification of the remember-me token <Call name="addRealm"> <Arg> - <New class="org.acegisecurity.adapters.jetty.JettyAcegiUserRealm"> + <New class="org.springframework.security.adapters.jetty.JettyAcegiUserRealm"> <Arg>Spring Powered Realm</Arg> <Arg>my_password</Arg> <Arg>etc/acegisecurity.xml</Arg> @@ -4132,8 +4160,8 @@ key: A private key to prevent modification of the remember-me token <application-policy name = "SpringPoweredRealm"> <authentication> - <login-module code = "org.acegisecurity.adapters.jboss.JbossAcegiLoginModule" - flag = "required"> + <login-module code = "org.springframework.security.adapters.jboss.JbossAcegiLoginModule" + flag = "required"> <module-option name = "appContextLocation">acegisecurity.xml</module-option> <module-option name = "key">my_password</module-option> </login-module> @@ -4158,8 +4186,8 @@ key: A private key to prevent modification of the remember-me token <application-policy name = "SpringPoweredRealm"> <authentication> - <login-module code = "org.acegisecurity.adapters.jboss.JbossAcegiLoginModule" - flag = "required"> + <login-module code = "org.springframework.security.adapters.jboss.JbossAcegiLoginModule" + flag = "required"> <module-option name = "singletonId">springRealm</module-option> <module-option name = "key">my_password</module-option> <module-option name = "authenticationManager">authenticationManager</module-option> @@ -4300,7 +4328,7 @@ key: A private key to prevent modification of the remember-me token <web-app> <authenticator> - <type>org.acegisecurity.adapters.resin.ResinAcegiAuthenticator</type> + <type>org.springframework.security.adapters.resin.ResinAcegiAuthenticator</type> <init> <app-context-location>WEB-INF/resin-acegisecurity.xml</app-context-location> <key>my_password</key> @@ -4332,8 +4360,9 @@ key: A private key to prevent modification of the remember-me token active <Realm> entry. An example realm entry: - <Realm className="org.acegisecurity.adapters.catalina.CatalinaAcegiUserRealm" - appContextLocation="conf/acegisecurity.xml" + <Realm + className="org.springframework.security.adapters.catalina.CatalinaAcegiUserRealm" + appContextLocation="conf/acegisecurity.xml" key="my_password" /> Be sure to remove any other <Realm> @@ -4389,6 +4418,370 @@ $CATALINA_HOME/bin/startup.sh Finally, restart Tomcat. + + + Context propagation support for EJBs + +
+ Rationale + + Spring Security does provide transparent propagation of security + context information in specific remoting scenarios. That means that the + security context of the invoker is passed along with each method + invocation to the server. There the context is being reestablished so that + a service method can take place in the security context of the invoker. + There is out-of-the-box support for RMI or Spring's own HttpInvoker + protocol. Now many applications around are based on EJB remoting because + of requirements or policy, which are precluded from that benefit. + + If you have an EJB application you have two options for integrating + Spring Security: + + + + Use a container adapter for integrating with that application + server's proprietary security mechanism (Spring Security provides some + ready usable adapters for use in legacy scenarios) + + + + Create wrappers on the client side (and on the server side when + using POJO delegation) to propagate the security context + + + + Both approaches have the benefit that the implementation of your + service, as well as its clients, are agnostic to remoting and security + context propagation taking place. The drawback of the first approach is, + that you have to reimplement parts of your security infrastructure when + switching the container (or maybe upgrading it, as sometimes the security + strategy changes over time). That issue does not arise in the second + approach, but the problem here is the implementation overhead of creating + according wrappers to hide the context propagation. + + The following chapters describe the infrastructure classes which + wrap the context propagation and abstract it away from both client usage + and service implementation. +
+ +
+ How it works + + See figure 1 which describes the recommended POJO delegation model, + where an EJB session bean only serves as remoting wrapper. The actual + service implementation resides inside a POJO that implements the given + business interface. The EJB implementation does nothing more than just + delegating invocations of service operations to the POJO. Using Spring's + support classes for wiring the POJO to the EJB is simple. Spring also + allows wiring the service interface to the client by transparently + wrapping the remote interface. + +
+ Figure 1: Using EJB as remoting wrapper + + + + + + +
+ + This concept is now slightly enhanced by the context propagation + module. As it is not possible to intercept the invocation of a remote + interface in a portable manner, we have to extend the remote interface + methods to include an additional parameter that holdes the SecurityContext + we wish to propagate. In consequence we also have to modify the method + implementations in the EJB implementation class to take that additional + argument. This is depicted in figure 2. Note however, that the client + still works with the plain business interface we had before and that the + actual service implementation class is still the same. + +
+ Figure 2: Using EJB as enhanced remoting wrapper + + + + + + +
+ + Now how does this work? On the client side a proxy translates + invocations from the business interface (Service) to invocations of the + extended business interface (XService) which is actually exposed by the + remote interface. The current security context is extracted and passed + into the additionally provided method parameter. + + On the server side the EJB implementation refers to a delegate which + also exposes the extended service interface (XService). Behind that + service interface hides a proxy which extracts the passed-in + SecurityContext and establishes it in the current thread. Then it + delegates the invocation to the actual delegate class (ServiceImpl), + translating the method invocation as the target does not know about the + SecurityContext parameter. The invocation chain is exemplified in figure + 3. + +
+ Figure 3: Invocation chain + + + + + + +
The yellow colored elements indicate instances exposing the + extended business interface while the green colored elements indicate + instances exposing the real business interface. +
+ +
+ How to use it + + The following subsections show how to use the provided + infrastructure classes and how to enable your code to use them. + +
+ The building blocks + +
+ The business interface + + public interface Service { + + Result operation(Parameter param); + }How the business interface looks like depends just on, well, + your business requirements. Nothing special about it. +
+ +
+ The service implementation + + public class ServiceImpl implements Service { + + public Result operation(Parameter param) { + ... + } + }The service implementation just implements the business + interface, nothing more. +
+ +
+ The extended business interface and the remote + interface + + // Extended business interface + public interface XService { + + public Result operation(SecurityContext securityCtx, Parameter param) throws SecurityServiceException, RemoteException; + } + + // Remote interface + public interface ServiceRemote extends XService, EJBObject {}The + extended business interface introduces an additional parameter for + each method (which is by convention the first parameter). Besides that + augmentation of the parameter list we have to consider that this + interface is being used in an EJB remoting scenario, so we specify a + "throws RemoteException" for each method. This is not strictly + necessary but it allows us to greatly simplify the definition of the + actual remote interface as could be seen in the second listing. + + + In addition to the RemoteException, each method also should + declare throwing a + org.springframework.security.ejb.server.SecurityServiceException. This + is because of the EJB spec: If an EJB method throws an unchecked + exception (all Spring Security exceptions are unchecked) that + exception will be wrapped into a RemoteException and the bean instance + will be dropped from the container. As this is unwanted and negatively + impacts performance we declare the SecurityServiceException to be + thrown. So any security exceptions will be wrapped into a + SecurityServiceException to be passed to the client. Note that + everything still works when that declaration is omitted, but consider + the negative consequences for the EJB in question. +
+ +
+ The EJB implementation + + public class ServiceBean extends AbstractStatelessSessionBean implements XService { + + private static final long serialVersionUID = 1L; + + /** + * Delegate bean name. + */ + private static final String DELEGATE_BEAN_NAME = "xService"; + + /** + * The delegate. + */ + private XService delegate; + + + /** + * @see org.springframework.ejb.support.AbstractStatelessSessionBean#onEjbCreate() + */ + protected void onEjbCreate() throws CreateException { + this.delegate = (XService) getBeanFactory().getBean(DELEGATE_BEAN_NAME, XService.class); + } + + /** + * @see XService#operation(SecurityContext, Parameter) + */ + public Result operation(SecurityContext securityCtx, Parameter param) throws SecurityServiceException, RemoteException { + return this.delegate.operation(ctx, name); + } + } + + It is recommended to use the convenience + AbstractStatelessSessionBean base class provided by the Spring + Framework. Implementation is then reduced to implementing the + onEjbCreate()-callback method to retrieve the delegate bean and to + implement the methods to do the delegation. +
+
+ +
+ Wiring the client-side + + <?xml version="1.0" encoding="UTF-8"?> + <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd"> + + <beans> + + <bean id="client" class="client.Client"> + <property name="service" ref="service"/> + </bean> + + <bean id="jndiTemplate" class="org.springframework.jndi.JndiTemplate"> + <property name="environment"> + <value> + // ... + </value> + </property> + </bean> + + <bean id="service" class="org.springframework.security.ejb.client.SecurityContextInjectingRemoteSlsbProxyFactoryBean"> + + <property name="businessInterface" value="server.Service"/> + + <property name="slsbBusinessInterface" value="server.XService"/> + + <property name="jndiTemplate" ref="jndiTemplate"/> + + <property name="jndiName" value="ejb/Service"/> + + <property name="extraArgumentPosition" value="0"/> + + <property name="methodRegexpPatterns"> + <list> + <value>.*</value> + </list> + </property> + + </bean> + </beans>The above listing shows how the the service is + being wired to the client. Instead of using a + SimpleRemoteStatelessSessionProxyFactoryBean we use a + SecurityContextInjectingRemoteSlsbProxyFactoryBean which provides the + same functionality but is enhanced for hiding context + propagation. + + The specified "businessInterface" property designates the actual + business interface while the property "slsbBusinessInterface" specifies + the extended business interface (it conforms to the + SimpleRemoteStatelessSessionProxyFactoryBean#businessInterface + property). + + The "extraArgumentPosition" and "methodRegexpPatterns" properties + are optional. The former specifies the index of the parameter to insert. + The default is 0 which means that the SecurityContext parameter will be + the first one in the parameter list. The latter parameter specifies + which methods to enhance by an additional SecurityContext parameter. By + default all exposed methods are enhanced. + + Most other properties correspond to those in + SimpleRemoteStatelessSessionProxyFactoryBean. Please refer to the API + documentation for more details. +
+ +
+ Wiring the server-side + + <?xml version="1.0" encoding="UTF-8"?> + <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd"> + + <beans> + + <!-- Proxy for extracting secure context information --> + <bean id="xService" class="org.springframework.security.ejb.server.support.SecurityContextExtractingProxyFactoryBean"> + + <property name="businessInterface" value="server.XService"/> + + <property name="interceptorNames"> + <list> + <value>serviceSecurityInterceptor</value> + </list> + </property> + + <property name="target" ref="serviceTarget"/> + + <property name="extraArgumentPosition" value="0"/> + + <property name="methodRegexpPatterns"> + <list> + <value>.*</value> + </list> + </property> + </bean> + + <!-- Security interceptor --> + <bean id="helloServiceSecurityInterceptor" class="org.springframework.security.ejb.server.support.TranslatingMethodSecurityInterceptor"> + <property name="validateConfigAttributes" value="true"/> + <property name="authenticationManager" ref="authenticationManager"/> + <property name="accessDecisionManager" ref="accessDecisionManager"/> + <property name="runAsManager" ref="runAsManager"/> + + <property name="objectDefinitionSource"> + <value>server.Service.*=ROLE_USER</value> + </property> + </bean> + + <!-- Service implementation --> + <bean id="serviceTarget" class="server.ServiceImpl"> + </bean> + + </beans> + + The definition of the EJB's delegate bean (xService) is actually a + SecurityContextExtractingProxyFactoryBean which creates a proxy that + takes care of extracting the SecurityContext, establishing it, and + delegating to the target bean (serviceTarget). + + The "businessInterface" property is again the extended business + interface exposed by proxies created by the factory bean. The "target" + refers to the actual target bean, while the "interceptorNames" property + refers to a list of interceptor names which have to be defined in the + application context. + + Note that the security interceptor is of type + "TranslatingMethodSecurityInterceptor". It is a subclass of + org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor + and additionaly wraps all security exceptions into a + SecurityServiceException, if possible. For its parameterization refer to + the documentation of MethodSecurityInterceptor. + + The "extraArgumentPosition" and "methodRegexpPatterns" properties + are again optional, specifying the position of the additional + SecurityContext parameter and which methods will be augmented by it. It + is important that both properties are specified the same on client and + server. As recommendation just omit specifying these properties and + stick with the default values. +
+
+ + + @@ -4588,26 +4981,27 @@ public boolean supports(Class clazz); is designed to have multiple instances in the same application context, such as: - <bean id="aclContactReadVoter" class="org.acegisecurity.vote.BasicAclEntryVoter"> + <bean id="aclContactReadVoter" + class="org.springframework.security.vote.BasicAclEntryVoter"> <property name="processConfigAttribute"><value>ACL_CONTACT_READ</value></property> <property name="processDomainObjectClass"><value>sample.contact.Contact</value></property> <property name="aclManager"><ref local="aclManager"/></property> <property name="requirePermission"> <list> - <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION"/> - <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.READ"/> + <ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/> + <ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/> </list> </property> </bean> -<bean id="aclContactDeleteVoter" class="org.acegisecurity.vote.BasicAclEntryVoter"> +<bean id="aclContactDeleteVoter" class="org.springframework.security.vote.BasicAclEntryVoter"> <property name="processConfigAttribute"><value>ACL_CONTACT_DELETE</value></property> <property name="processDomainObjectClass"><value>sample.contact.Contact</value></property> <property name="aclManager"><ref local="aclManager"/></property> <property name="requirePermission"> <list> - <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION"/> - <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.DELETE"/> + <ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/> + <ref local="org.springframework.security.acl.basic.SimpleAclEntry.DELETE"/> </list> </property> </bean> @@ -4726,8 +5120,8 @@ public boolean supports(Class clazz); PLEASE NOTE: Acegi Security 1.0.3 contains a preview of a new ACL module. The new ACL module is a significant rewrite of the existing ACL module. The new module can be found under the - org.acegisecurity.acls package, with the old ACL - module under org.acegisecurity.acl. We encourage + org.springframework.security.acls package, with the old ACL + module under org.springframework.security.acl. We encourage users to consider testing with the new ACL module and build applications with it. The old ACL module should be considered deprecated and may be removed from a future release. The following @@ -4749,14 +5143,15 @@ public boolean supports(Class clazz); AclAfterInvocationProvider delivers a solution, and is configured as follows: - <bean id="afterAclRead" class="org.acegisecurity.afterinvocation.AclEntryAfterInvocationProvider"> + <bean id="afterAclRead" + class="org.springframework.security.afterinvocation.AclEntryAfterInvocationProvider"> <constructor-arg> <ref bean="aclService"/> </constructor-arg> <constructor-arg> <list> - <ref local="org.acegisecurity.acls.domain.BasePermission.ADMINISTRATION"/> - <ref local="org.acegisecurity.acls.domain.BasePermission.READ"/> + <ref local="org.springframework.security.acls.domain.BasePermission.ADMINISTRATION"/> + <ref local="org.springframework.security.acls.domain.BasePermission.READ"/> </list> </constructor-arg> </bean> @@ -4780,14 +5175,15 @@ public boolean supports(Class clazz); removes the offending elements. The provider is configured as follows: - <bean id="afterAclCollectionRead" class="org.acegisecurity.afterinvocation.AclEntryAfterInvocationCollectionFilteringProvider"> + <bean id="afterAclCollectionRead" + class="org.springframework.security.afterinvocation.AclEntryAfterInvocationCollectionFilteringProvider"> <constructor-arg> <ref bean="aclService"/> </constructor-arg> <constructor-arg> <list> - <ref local="org.acegisecurity.acls.domain.BasePermission.ADMINISTRATION"/> - <ref local="org.acegisecurity.acls.domain.BasePermission.READ"/> + <ref local="org.springframework.security.acls.domain.BasePermission.ADMINISTRATION"/> + <ref local="org.springframework.security.acls.domain.BasePermission.READ"/> </list> </constructor-arg> </bean> @@ -4809,8 +5205,8 @@ public boolean supports(Class clazz); PLEASE NOTE: Acegi Security 1.0.3 contains a preview of a new ACL module. The new ACL module is a significant rewrite of the existing ACL module. The new module can be found under the - org.acegisecurity.acls package, with the old ACL - module under org.acegisecurity.acl. We encourage + org.springframework.security.acls package, with the old ACL + module under org.springframework.security.acl. We encourage users to consider testing with the new ACL module and build applications with it. The old ACL module should be considered deprecated and may be removed from a future release. @@ -4830,12 +5226,13 @@ public boolean supports(Class clazz); BasicAclAfterInvocationProvider delivers a solution, and is configured as follows: - <bean id="afterAclRead" class="org.acegisecurity.afterinvocation.BasicAclEntryAfterInvocationProvider"> + <bean id="afterAclRead" + class="org.springframework.security.afterinvocation.BasicAclEntryAfterInvocationProvider"> <property name="aclManager"><ref local="aclManager"/></property> <property name="requirePermission"> <list> - <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION"/> - <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.READ"/> + <ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/> + <ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/> </list> </property> </bean> @@ -4859,12 +5256,13 @@ public boolean supports(Class clazz); removes the offending elements. The provider is configured as follows: - <bean id="afterAclCollectionRead" class="org.acegisecurity.afterinvocation.BasicAclEntryAfterInvocationCollectionFilteringProvider"> + <bean id="afterAclCollectionRead" + class="org.springframework.security.afterinvocation.BasicAclEntryAfterInvocationCollectionFilteringProvider"> <property name="aclManager"><ref local="aclManager"/></property> <property name="requirePermission"> <list> - <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION"/> - <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.READ"/> + <ref local="org.springframework.security.acl.basic.SimpleAclEntry.ADMINISTRATION"/> + <ref local="org.springframework.security.acl.basic.SimpleAclEntry.READ"/> </list> </property> </bean> @@ -4994,7 +5392,8 @@ public boolean supports(Class clazz); MethodSecurityInterceptor itself is configured as follows: - <bean id="bankManagerSecurity" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"> + <bean id="bankManagerSecurity" + class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor"> <property name="validateConfigAttributes"><value>true</value></property> <property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property> @@ -5002,9 +5401,9 @@ public boolean supports(Class clazz); <property name="afterInvocationManager"><ref bean="afterInvocationManager"/></property> <property name="objectDefinitionSource"> <value> - org.acegisecurity.context.BankManager.delete*=ROLE_SUPERVISOR,RUN_AS_SERVER - org.acegisecurity.context.BankManager.getBalance=ROLE_TELLER,ROLE_SUPERVISOR,BANKSECURITY_CUSTOMER,RUN_AS_SERVER - </value> + org.springframework.security.context.BankManager.delete*=ROLE_SUPERVISOR,RUN_AS_SERVER + org.springframework.security.context.BankManager.getBalance=ROLE_TELLER,ROLE_SUPERVISOR,BANKSECURITY_CUSTOMER,RUN_AS_SERVER + </value> </property> </bean> @@ -5057,11 +5456,13 @@ public boolean supports(Class clazz); bean context will be configured differently: <bean id="attributes" class="org.springframework.metadata.commons.CommonsAttributes"/> -<bean id="objectDefinitionSource" class="org.acegisecurity.intercept.method.MethodDefinitionAttributes"> +<bean id="objectDefinitionSource" + class="org.springframework.security.intercept.method.MethodDefinitionAttributes"> <property name="attributes"><ref local="attributes"/></property> </bean> -<bean id="bankManagerSecurity" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"> +<bean id="bankManagerSecurity" + class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor"> <property name="validateConfigAttributes"><value>false</value></property> <property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property> @@ -5103,12 +5504,15 @@ public boolean supports(Class clazz); If you are using the Acegi Security Java 5 Annotations approach, your bean context will be configured as follows: - <bean id="attributes" class="org.acegisecurity.annotation.SecurityAnnotationAttributes"/> -<bean id="objectDefinitionSource" class="org.acegisecurity.intercept.method.MethodDefinitionAttributes"> + <bean id="attributes" + class="org.springframework.security.annotation.SecurityAnnotationAttributes"/> +<bean id="objectDefinitionSource" + class="org.springframework.security.intercept.method.MethodDefinitionAttributes"> <property name="attributes"><ref local="attributes"/></property> </bean> -<bean id="bankManagerSecurity" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"> +<bean id="bankManagerSecurity" + class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor"> <property name="validateConfigAttributes"><value>false</value></property> <property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property> @@ -5123,9 +5527,9 @@ public boolean supports(Class clazz); security configuration as provided by the property editor approach: - import org.acegisecurity.annotation.Secured; + import org.springframework.security.annotation.Secured; -public interface BankManager { + public interface BankManager { /** * Delete something @@ -5204,7 +5608,8 @@ public interface BankManager { AspectJSecurityInterceptor is configured in the Spring application context: - <bean id="bankManagerSecurity" class="org.acegisecurity.intercept.method.aspectj.AspectJSecurityInterceptor"> + <bean id="bankManagerSecurity" + class="org.springframework.security.intercept.method.aspectj.AspectJSecurityInterceptor"> <property name="validateConfigAttributes"><value>true</value></property> <property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property> @@ -5212,9 +5617,9 @@ public interface BankManager { <property name="afterInvocationManager"><ref bean="afterInvocationManager"/></property> <property name="objectDefinitionSource"> <value> - org.acegisecurity.context.BankManager.delete*=ROLE_SUPERVISOR,RUN_AS_SERVER - org.acegisecurity.context.BankManager.getBalance=ROLE_TELLER,ROLE_SUPERVISOR,BANKSECURITY_CUSTOMER,RUN_AS_SERVER - </value> + org.springframework.security.context.BankManager.delete*=ROLE_SUPERVISOR,RUN_AS_SERVER + org.springframework.security.context.BankManager.getBalance=ROLE_TELLER,ROLE_SUPERVISOR,BANKSECURITY_CUSTOMER,RUN_AS_SERVER + </value> </property> </bean> @@ -5233,11 +5638,11 @@ public interface BankManager { Next you'll need to define an AspectJ aspect. For example: - package org.acegisecurity.samples.aspectj; + package org.springframework.security.samples.aspectj; -import org.acegisecurity.intercept.method.aspectj.AspectJSecurityInterceptor; -import org.acegisecurity.intercept.method.aspectj.AspectJCallback; -import org.springframework.beans.factory.InitializingBean; + import org.springframework.security.intercept.method.aspectj.AspectJSecurityInterceptor; + import org.springframework.security.intercept.method.aspectj.AspectJCallback; + import org.springframework.beans.factory.InitializingBean; public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { @@ -5290,8 +5695,8 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { <bean id="domainObjectInstanceSecurityAspect" - class="org.acegisecurity.samples.aspectj.DomainObjectInstanceSecurityAspect" - factory-method="aspectOf"> + class="org.springframework.security.samples.aspectj.DomainObjectInstanceSecurityAspect" + factory-method="aspectOf"> <property name="securityInterceptor"><ref bean="aspectJSecurityInterceptor"/></property> </bean> @@ -5313,10 +5718,10 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { <filter> <filter-name>Acegi HTTP Request Security Filter</filter-name> - <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class> + <filter-class>org.springframework.security.util.FilterToBeanProxy</filter-class> <init-param> <param-name>targetClass</param-name> - <param-value>org.acegisecurity.intercept.web.FilterSecurityInterceptor</param-value> + <param-value>org.springframework.security.intercept.web.FilterSecurityInterceptor</param-value> </init-param> </filter> @@ -5333,16 +5738,19 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { In the application context you will need to configure three beans: - <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter"> + <bean id="exceptionTranslationFilter" + class="org.springframework.security.ui.ExceptionTranslationFilter"> <property name="authenticationEntryPoint"><ref local="authenticationEntryPoint"/></property> </bean> -<bean id="authenticationEntryPoint" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint"> +<bean id="authenticationEntryPoint" + class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint"> <property name="loginFormUrl"><value>/acegilogin.jsp</value></property> <property name="forceHttps"><value>false</value></property> </bean> -<bean id="filterSecurityInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor"> +<bean id="filterSecurityInterceptor" + class="org.springframework.security.intercept.web.FilterSecurityInterceptor"> <property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property> <property name="objectDefinitionSource"> @@ -5431,7 +5839,8 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { earlier configuration could be generated using Apache Ant paths as follows: - <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor"> + <bean id="filterInvocationInterceptor" + class="org.springframework.security.intercept.web.FilterSecurityInterceptor"> <property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property> <property name="runAsManager"><ref bean="runAsManager"/></property> @@ -5486,8 +5895,8 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { PLEASE NOTE: Acegi Security 1.0.3 contains a preview of a new ACL module. The new ACL module is a significant rewrite of the existing ACL module. The new module can be found under the - org.acegisecurity.acls package, with the old ACL - module under org.acegisecurity.acl. We encourage + org.springframework.security.acls package, with the old ACL + module under org.springframework.security.acl. We encourage users to consider testing with the new ACL module and build applications with it. The old ACL module should be considered deprecated and may be removed from a future release. @@ -5572,7 +5981,7 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean {
Key Concepts - The org.acegisecurity.acls package should be consulted for its + The org.springframework.security.acls package should be consulted for its major interfaces. The key interfaces are: @@ -5662,8 +6071,8 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { PLEASE NOTE: Acegi Security 1.0.3 contains a preview of a new ACL module. The new ACL module is a significant rewrite of the existing ACL module. The new module can be found under the - org.acegisecurity.acls package, with the old ACL - module under org.acegisecurity.acl. We encourage + org.springframework.security.acls package, with the old ACL + module under org.springframework.security.acl. We encourage users to consider testing with the new ACL module and build applications with it. The old ACL module should be considered deprecated and may be removed from a future release. @@ -5755,7 +6164,7 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { in the planning stages. The Basic ACL services will be deprecated from release 1.1.0. - The org.acegisecurity.acl package is very + The org.springframework.security.acl package is very simple, comprising only a handful of interfaces and a single class, as shown in Figure 6. It provides the basic foundation for access control list (ACL) lookups. @@ -5800,7 +6209,7 @@ public AclEntry[] getAcls(java.lang.Object domainInstance, Authentication authen need to provide an implementation that reflects that ACL permissions for your application. - Rounding out the org.acegisecurity.acl + Rounding out the org.springframework.security.acl package is an AclProviderManager class, with a corresponding AclProvider interface. AclProviderManager is a concrete implementation of @@ -5835,7 +6244,7 @@ public AclEntry[] getAcls(java.lang.Object domainInstance, Authentication authen all about this type of permission masking (eg chmod 777). You'll find the classes and interfaces for the integer masking ACL package under - org.acegisecurity.acl.basic. + org.springframework.security.acl.basic. Extending the AclEntry interface is a BasicAclEntry interface, with the main methods @@ -5926,14 +6335,20 @@ CREATE TABLE acl_permission ( FOREIGN KEY (acl_object_identity) REFERENCES acl_object_identity(id) ); -INSERT INTO acl_object_identity VALUES (1, 'corp.DomainObject:1', null, 'org.acegisecurity.acl.basic.SimpleAclEntry'); -INSERT INTO acl_object_identity VALUES (2, 'corp.DomainObject:2', 1, 'org.acegisecurity.acl.basic.SimpleAclEntry'); -INSERT INTO acl_object_identity VALUES (3, 'corp.DomainObject:3', 1, 'org.acegisecurity.acl.basic.SimpleAclEntry'); -INSERT INTO acl_object_identity VALUES (4, 'corp.DomainObject:4', 1, 'org.acegisecurity.acl.basic.SimpleAclEntry'); -INSERT INTO acl_object_identity VALUES (5, 'corp.DomainObject:5', 3, 'org.acegisecurity.acl.basic.SimpleAclEntry'); -INSERT INTO acl_object_identity VALUES (6, 'corp.DomainObject:6', 3, 'org.acegisecurity.acl.basic.SimpleAclEntry'); +INSERT INTO acl_object_identity VALUES (1, 'corp.DomainObject:1', null, + 'org.springframework.security.acl.basic.SimpleAclEntry'); + INSERT INTO acl_object_identity VALUES (2, 'corp.DomainObject:2', 1, + 'org.springframework.security.acl.basic.SimpleAclEntry'); + INSERT INTO acl_object_identity VALUES (3, 'corp.DomainObject:3', 1, + 'org.springframework.security.acl.basic.SimpleAclEntry'); + INSERT INTO acl_object_identity VALUES (4, 'corp.DomainObject:4', 1, + 'org.springframework.security.acl.basic.SimpleAclEntry'); + INSERT INTO acl_object_identity VALUES (5, 'corp.DomainObject:5', 3, + 'org.springframework.security.acl.basic.SimpleAclEntry'); + INSERT INTO acl_object_identity VALUES (6, 'corp.DomainObject:6', 3, + 'org.springframework.security.acl.basic.SimpleAclEntry'); -INSERT INTO acl_permission VALUES (null, 1, 'ROLE_SUPERVISOR', 1); + INSERT INTO acl_permission VALUES (null, 1, 'ROLE_SUPERVISOR', 1); INSERT INTO acl_permission VALUES (null, 2, 'ROLE_SUPERVISOR', 0); INSERT INTO acl_permission VALUES (null, 2, 'marissa', 2); INSERT INTO acl_permission VALUES (null, 3, 'scott', 14); @@ -5982,7 +6397,7 @@ BEGIN SELECT ACL_PERMISSION_SEQ.NEXTVAL INTO :new.id FROM dual; END; -<bean id="basicAclExtendedDao" class="org.acegisecurity.acl.basic.jdbc.JdbcExtendedDaoImpl"> +<bean id="basicAclExtendedDao" class="org.springframework.security.acl.basic.jdbc.JdbcExtendedDaoImpl"> <property name="dataSource"> <ref bean="dataSource"/> </property> @@ -6173,15 +6588,17 @@ END;
Context on SecurityContextHolder is of type: - org.acegisecurity.context.SecurityContextImpl + org.springframework.security.context.SecurityContextImpl + The Context implements SecurityContext. Authentication object is of type: - org.acegisecurity.adapters.PrincipalAcegiUserToken + org.springframework.security.adapters.PrincipalAcegiUserToken + Authentication object as a String: - org.acegisecurity.adapters.PrincipalAcegiUserToken@e9a7c2: Username: + org.springframework.security.adapters.PrincipalAcegiUserToken@e9a7c2: Username: marissa; Password: [PROTECTED]; Authenticated: true; Granted Authorities: ROLE_TELLER, ROLE_SUPERVISOR diff --git a/src/site/apt/petclinic-tutorial.apt b/src/site/apt/petclinic-tutorial.apt index b54e272eb1..f4e9446fdb 100644 --- a/src/site/apt/petclinic-tutorial.apt +++ b/src/site/apt/petclinic-tutorial.apt @@ -20,7 +20,7 @@ Tutorial: Adding Security to Spring Petclinic You will also need to download: * Spring 2.0 M4 with dependencies ZIP file - + * Acegi Security 1.0.2 @@ -57,10 +57,10 @@ copy %acegi%\WEB-INF\lib\commons-codec-1.3.jar %spring%\samples\petclinic\war\WE Acegi Filter Chain Proxy - org.acegisecurity.util.FilterToBeanProxy + org.springframework.security.util.FilterToBeanProxy targetClass - org.acegisecurity.util.FilterChainProxy + org.springframework.security.util.FilterChainProxy @@ -118,7 +118,7 @@ copy %acegi%\WEB-INF\lib\commons-codec-1.3.jar %spring%\samples\petclinic\war\WE * Start Petclinic's database Start the Hypersonic server (this is just normal Petclinic configuration): - + +------------------------------------------------------ cd %spring%\samples\petclinic\db\hsqldb server @@ -164,15 +164,15 @@ copy dist\petclinic.war %TOMCAT_HOME%\webapps +------------------------------------------------------ - + - + - - + + @@ -203,7 +203,7 @@ copy dist\petclinic.war %TOMCAT_HOME%\webapps +------------------------------------------------------ Next, scroll down and find the link to "add visit". Modify it as follows: - + +------------------------------------------------------ diff --git a/src/site/resources/dbinit.txt b/src/site/resources/dbinit.txt index 8665c82dbe..90e97a6b1f 100644 --- a/src/site/resources/dbinit.txt +++ b/src/site/resources/dbinit.txt @@ -76,12 +76,12 @@ CREATE TABLE acl_permission ( --- scott Administer (overrides parent #3) --------------------------------------------------------------------- -INSERT INTO acl_object_identity VALUES (1, 'org.acegisecurity.acl.DomainObject:1', null, 'org.acegisecurity.acl.basic.SimpleAclEntry'); -INSERT INTO acl_object_identity VALUES (2, 'org.acegisecurity.acl.DomainObject:2', 1, 'org.acegisecurity.acl.basic.SimpleAclEntry'); -INSERT INTO acl_object_identity VALUES (3, 'org.acegisecurity.acl.DomainObject:3', 1, 'org.acegisecurity.acl.basic.SimpleAclEntry'); -INSERT INTO acl_object_identity VALUES (4, 'org.acegisecurity.acl.DomainObject:4', 1, 'org.acegisecurity.acl.basic.SimpleAclEntry'); -INSERT INTO acl_object_identity VALUES (5, 'org.acegisecurity.acl.DomainObject:5', 3, 'org.acegisecurity.acl.basic.SimpleAclEntry'); -INSERT INTO acl_object_identity VALUES (6, 'org.acegisecurity.acl.DomainObject:6', 3, 'org.acegisecurity.acl.basic.SimpleAclEntry'); +INSERT INTO acl_object_identity VALUES (1, 'org.springframework.security.acl.DomainObject:1', null, 'org.springframework.security.acl.basic.SimpleAclEntry'); +INSERT INTO acl_object_identity VALUES (2, 'org.springframework.security.acl.DomainObject:2', 1, 'org.springframework.security.acl.basic.SimpleAclEntry'); +INSERT INTO acl_object_identity VALUES (3, 'org.springframework.security.acl.DomainObject:3', 1, 'org.springframework.security.acl.basic.SimpleAclEntry'); +INSERT INTO acl_object_identity VALUES (4, 'org.springframework.security.acl.DomainObject:4', 1, 'org.springframework.security.acl.basic.SimpleAclEntry'); +INSERT INTO acl_object_identity VALUES (5, 'org.springframework.security.acl.DomainObject:5', 3, 'org.springframework.security.acl.basic.SimpleAclEntry'); +INSERT INTO acl_object_identity VALUES (6, 'org.springframework.security.acl.DomainObject:6', 3, 'org.springframework.security.acl.basic.SimpleAclEntry'); INSERT INTO acl_permission VALUES (null, 1, 'ROLE_SUPERVISOR', 1); INSERT INTO acl_permission VALUES (null, 2, 'ROLE_SUPERVISOR', 0); diff --git a/src/site/site.xml b/src/site/site.xml index bd8fed22c3..312482fc70 100644 --- a/src/site/site.xml +++ b/src/site/site.xml @@ -56,11 +56,11 @@ - + - + diff --git a/src/site/xdoc/upgrade/upgrade-090-100.xml b/src/site/xdoc/upgrade/upgrade-090-100.xml index 7b2d897653..3fd7f5d9a7 100644 --- a/src/site/xdoc/upgrade/upgrade-090-100.xml +++ b/src/site/xdoc/upgrade/upgrade-090-100.xml @@ -5,7 +5,8 @@ applications:

  • The top level package name has changed. Simply find "net.sf.acegisecurity" and replace with -"org.acegisecurity".
    • + "org.springframework.security". +
  • DaoAuthenticationProvider has a property, authenticationDao. This property should now be renamed to @@ -17,8 +18,9 @@ In JSPs, each "authz" taglib prefix must be changed from uri="http://acegisecuri to uri="http://acegisecurity.org/authz".
    • -
  • net.sf.acegisecurity.providers.dao.AuthenticationDao is now org.acegisecurity.userdetails.UserDetailsService. -The interface signature has not changed. Similarly, User and UserDetails have moved into the latter's package as well. +
  • net.sf.acegisecurity.providers.dao.AuthenticationDao is now + org.springframework.security.userdetails.UserDetailsService. + The interface signature has not changed. Similarly, User and UserDetails have moved into the latter's package as well. If you've implemented your own AuthenticationDao, you'll need to change the class it's implementing and quite likely the import packages for User and UserDetails. In addition, if using JdbcDaoImpl or InMemoryDaoImpl please note they have moved to this new package.
    • @@ -35,18 +37,18 @@ so that we can include it in future Acegi Security releases.
  • -org.acegisecurity.ui.rememberme.RememberMeProcessingFilter now requires an authenticationManager property. This will generally -point to an implementation of org.acegisecurity.providers.ProviderManager. + org.springframework.security.ui.rememberme.RememberMeProcessingFilter now requires an authenticationManager property. This will generally +point to an implementation of org.springframework.security.providers.ProviderManager.
  • -org.acegisecurity.intercept.web.AuthenticationEntryPoint has moved to a new location, -org.acegisecurity.ui.AuthenticationEntryPoint. + org.springframework.security.intercept.web.AuthenticationEntryPoint has moved to a new location, + org.springframework.security.ui.AuthenticationEntryPoint.
  • -org.acegisecurity.intercept.web.SecurityEnforcementFilter has moved to a new location and name, -org.acegisecurity.ui.ExceptionTranslationFilter. In addition, the "filterSecurityInterceptor" + org.springframework.security.intercept.web.SecurityEnforcementFilter has moved to a new location and name, + org.springframework.security.ui.ExceptionTranslationFilter. In addition, the "filterSecurityInterceptor" property on the old SecurityEnforcementFilter class has been removed. This is because SecurityEnforcementFilter will no longer delegate to FilterSecurityInterceptor as it has in the past. Because this delegation feature has been removed (see SEC-144 for a background as to why), @@ -82,8 +84,9 @@ new AccessDeniedHandler instead if custom handling is required. There have been some changes to the LDAP provider APIs to allow for future improvements, as detailed in SEC-264. These should only affect users who have written their own extensions to the provider. The general LDAP -classes are now in the packages org.acegisecurity.ldap and the org.acegisecurity.userdetails.ldap -package has been introduced. The search and authentication classes now return an +classes are now in the packages org.springframework.security.ldap and the + org.springframework.security.userdetails.ldap + package has been introduced. The search and authentication classes now return an LdapUserDetails instance. The LdapAuthoritiesPopulator interface and its default implementation now both make use of LdapUserDetails. Any customized versions should be updated to use the new method signatures.