From c94a5cf8e268a4e8090c28268372d7d61c367028 Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Mon, 23 Mar 2015 11:45:24 -0500
Subject: [PATCH] SEC-2916: disable-url-rewriting=true by default
---
 .../config/http/HttpConfigurationBuilder.java | 3 +
 .../security/config/spring-security-4.0.rnc | 954 +++---
 .../security/config/spring-security-4.0.xsd | 19 +-
 .../web/builders/NamespaceHttpTests.groovy | 2 +-
 .../config/http/HttpConfigTests.groovy | 61 +-
 .../http/SessionManagementConfigTests.groovy | 2 +-
 docs/manual/src/docs/asciidoc/index.adoc | 2730 ++++++++---------
 7 files changed, 1896 insertions(+), 1875 deletions(-)
diff --git a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
index d45876c561..fd606589b6 100644
--- a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
+++ b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
@@ -232,6 +232,9 @@ class HttpConfigurationBuilder {
 String repoRef = httpElt.getAttribute(ATT_SECURITY_CONTEXT_REPOSITORY);
 String disableUrlRewriting = httpElt.getAttribute(ATT_DISABLE_URL_REWRITING);
+ if(!StringUtils.hasText(disableUrlRewriting)) {
+ disableUrlRewriting = "true";
+ }
 if (StringUtils.hasText(repoRef)) {
 if (sessionPolicy == SessionCreationPolicy.ALWAYS) {
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-4.0.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-4.0.rnc
index 5f48189a25..df0dd01b84 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-4.0.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-4.0.rnc
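Review bot: The three added lines in the HttpConfigurationBuilder hunk flip a security-relevant default for every configuration that omits the attribute, but do so with a bare `"true"` literal and no comment saying why; a reader of this line later has no way to know this is deliberate hardening rather than a stray fallback. Something like `// SEC-2916: disable URL rewriting unless explicitly re-enabled, so session identifiers are never appended to encoded URLs` on the new `if` would carry that intent, and the literal would sit better as a named constant next to ATT_DISABLE_URL_REWRITING than inline. The new `if(` also drops the space that the neighbouring `if (` lines use. The enclosing method starts and ends outside the hunk, so how the defaulted string is later compared or parsed cannot be checked from here; the schema files further down this patch are presumably where the documented default is updated to match.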
@@ -6,848 +6,848 @@ default namespace = "http://www.springframework.org/schema/security" start = http | ldap-server | authentication-provider | ldap-authentication-provider | any-user-service | ldap-server | ldap-authentication-provider hash = - ## Defines the hashing algorithm used on user passwords. Bcrypt is recommended. - attribute hash {"bcrypt" | "plaintext" | "sha" | "sha-256" | "md5" | "md4" | "{sha}" | "{ssha}"} + ## Defines the hashing algorithm used on user passwords. Bcrypt is recommended. + attribute hash {"bcrypt" | "plaintext" | "sha" | "sha-256" | "md5" | "md4" | "{sha}" | "{ssha}"} base64 = - ## Whether a string should be base64 encoded - attribute base64 {xsd:boolean} + ## Whether a string should be base64 encoded + attribute base64 {xsd:boolean} request-matcher = - ## Defines the strategy use for matching incoming requests. Currently the options are 'ant' (for ant path patterns), 'regex' for regular expressions and 'ciRegex' for case-insensitive regular expressions. - attribute request-matcher {"ant" | "regex" | "ciRegex"} + ## Defines the strategy use for matching incoming requests. Currently the options are 'ant' (for ant path patterns), 'regex' for regular expressions and 'ciRegex' for case-insensitive regular expressions. + attribute request-matcher {"ant" | "regex" | "ciRegex"} port = - ## Specifies an IP port number. Used to configure an embedded LDAP server, for example. - attribute port { xsd:positiveInteger } + ## Specifies an IP port number. Used to configure an embedded LDAP server, for example. + attribute port { xsd:positiveInteger } url = - ## Specifies a URL. - attribute url { xsd:token } + ## Specifies a URL. + attribute url { xsd:token } id = - ## A bean identifier, used for referring to the bean elsewhere in the context. - attribute id {xsd:token} + ## A bean identifier, used for referring to the bean elsewhere in the context. 
+ attribute id {xsd:token} name = - ## A bean identifier, used for referring to the bean elsewhere in the context. - attribute name {xsd:token} + ## A bean identifier, used for referring to the bean elsewhere in the context. + attribute name {xsd:token} ref = - ## Defines a reference to a Spring bean Id. - attribute ref {xsd:token} + ## Defines a reference to a Spring bean Id. + attribute ref {xsd:token} cache-ref = - ## Defines a reference to a cache for use with a UserDetailsService. - attribute cache-ref {xsd:token} + ## Defines a reference to a cache for use with a UserDetailsService. + attribute cache-ref {xsd:token} user-service-ref = - ## A reference to a user-service (or UserDetailsService bean) Id - attribute user-service-ref {xsd:token} + ## A reference to a user-service (or UserDetailsService bean) Id + attribute user-service-ref {xsd:token} authentication-manager-ref = - ## A reference to an AuthenticationManager bean - attribute authentication-manager-ref {xsd:token} + ## A reference to an AuthenticationManager bean + attribute authentication-manager-ref {xsd:token} data-source-ref = - ## A reference to a DataSource bean - attribute data-source-ref {xsd:token} + ## A reference to a DataSource bean + attribute data-source-ref {xsd:token} debug = - ## Enables Spring Security debugging infrastructure. This will provide human-readable (multi-line) debugging information to monitor requests coming into the security filters. This may include sensitive information, such as request parameters or headers, and should only be used in a development environment. - element debug {empty} + ## Enables Spring Security debugging infrastructure. This will provide human-readable (multi-line) debugging information to monitor requests coming into the security filters. This may include sensitive information, such as request parameters or headers, and should only be used in a development environment. 
+ element debug {empty} password-encoder = - ## element which defines a password encoding strategy. Used by an authentication provider to convert submitted passwords to hashed versions, for example. - element password-encoder {password-encoder.attlist, salt-source?} + ## element which defines a password encoding strategy. Used by an authentication provider to convert submitted passwords to hashed versions, for example. + element password-encoder {password-encoder.attlist, salt-source?} password-encoder.attlist &= - ref | (hash? & base64?) + ref | (hash? & base64?) salt-source = - ## Password salting strategy. A system-wide constant or a property from the UserDetails object can be used. - element salt-source {user-property | system-wide | ref} + ## Password salting strategy. A system-wide constant or a property from the UserDetails object can be used. + element salt-source {user-property | system-wide | ref} user-property = - ## A property of the UserDetails object which will be used as salt by a password encoder. Typically something like "username" might be used. - attribute user-property {xsd:token} + ## A property of the UserDetails object which will be used as salt by a password encoder. Typically something like "username" might be used. + attribute user-property {xsd:token} system-wide = - ## A single value that will be used as the salt for a password encoder. - attribute system-wide {xsd:token} + ## A single value that will be used as the salt for a password encoder. + attribute system-wide {xsd:token} role-prefix = - ## A non-empty string prefix that will be added to role strings loaded from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the default is non-empty. - attribute role-prefix {xsd:token} + ## A non-empty string prefix that will be added to role strings loaded from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the default is non-empty. 
+ attribute role-prefix {xsd:token} use-expressions = - ## Enables the use of expressions in the 'access' attributes in elements rather than the traditional list of configuration attributes. Defaults to 'true'. If enabled, each attribute should contain a single boolean expression. If the expression evaluates to 'true', access will be granted. - attribute use-expressions {xsd:boolean} + ## Enables the use of expressions in the 'access' attributes in elements rather than the traditional list of configuration attributes. Defaults to 'true'. If enabled, each attribute should contain a single boolean expression. If the expression evaluates to 'true', access will be granted. + attribute use-expressions {xsd:boolean} ldap-server = - ## Defines an LDAP server location or starts an embedded server. The url indicates the location of a remote server. If no url is given, an embedded server will be started, listening on the supplied port number. The port is optional and defaults to 33389. A Spring LDAP ContextSource bean will be registered for the server with the id supplied. - element ldap-server {ldap-server.attlist} + ## Defines an LDAP server location or starts an embedded server. The url indicates the location of a remote server. If no url is given, an embedded server will be started, listening on the supplied port number. The port is optional and defaults to 33389. A Spring LDAP ContextSource bean will be registered for the server with the id supplied. + element ldap-server {ldap-server.attlist} ldap-server.attlist &= id? ldap-server.attlist &= (url | port)? ldap-server.attlist &= - ## Username (DN) of the "manager" user identity which will be used to authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be used. - attribute manager-dn {xsd:string}? + ## Username (DN) of the "manager" user identity which will be used to authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be used. + attribute manager-dn {xsd:string}? 
ldap-server.attlist &= - ## The password for the manager DN. This is required if the manager-dn is specified. - attribute manager-password {xsd:string}? + ## The password for the manager DN. This is required if the manager-dn is specified. + attribute manager-password {xsd:string}? ldap-server.attlist &= - ## Explicitly specifies an ldif file resource to load into an embedded LDAP server. The default is classpath*:*.ldiff - attribute ldif { xsd:string }? + ## Explicitly specifies an ldif file resource to load into an embedded LDAP server. The default is classpath*:*.ldiff + attribute ldif { xsd:string }? ldap-server.attlist &= - ## Optional root suffix for the embedded LDAP server. Default is "dc=springframework,dc=org" - attribute root { xsd:string }? + ## Optional root suffix for the embedded LDAP server. Default is "dc=springframework,dc=org" + attribute root { xsd:string }? ldap-server-ref-attribute = - ## The optional server to use. If omitted, and a default LDAP server is registered (using with no Id), that server will be used. - attribute server-ref {xsd:token} + ## The optional server to use. If omitted, and a default LDAP server is registered (using with no Id), that server will be used. + attribute server-ref {xsd:token} group-search-filter-attribute = - ## Group search filter. Defaults to (uniqueMember={0}). The substituted parameter is the DN of the user. - attribute group-search-filter {xsd:token} + ## Group search filter. Defaults to (uniqueMember={0}). The substituted parameter is the DN of the user. + attribute group-search-filter {xsd:token} group-search-base-attribute = - ## Search base for group membership searches. Defaults to "" (searching from the root). - attribute group-search-base {xsd:token} + ## Search base for group membership searches. Defaults to "" (searching from the root). + attribute group-search-base {xsd:token} user-search-filter-attribute = - ## The LDAP filter used to search for users (optional). For example "(uid={0})". 
The substituted parameter is the user's login name. - attribute user-search-filter {xsd:token} + ## The LDAP filter used to search for users (optional). For example "(uid={0})". The substituted parameter is the user's login name. + attribute user-search-filter {xsd:token} user-search-base-attribute = - ## Search base for user searches. Defaults to "". Only used with a 'user-search-filter'. - attribute user-search-base {xsd:token} + ## Search base for user searches. Defaults to "". Only used with a 'user-search-filter'. + attribute user-search-base {xsd:token} group-role-attribute-attribute = - ## The LDAP attribute name which contains the role name which will be used within Spring Security. Defaults to "cn". - attribute group-role-attribute {xsd:token} + ## The LDAP attribute name which contains the role name which will be used within Spring Security. Defaults to "cn". + attribute group-role-attribute {xsd:token} user-details-class-attribute = - ## Allows the objectClass of the user entry to be specified. If set, the framework will attempt to load standard attributes for the defined class into the returned UserDetails object - attribute user-details-class {"person" | "inetOrgPerson"} + ## Allows the objectClass of the user entry to be specified. 
If set, the framework will attempt to load standard attributes for the defined class into the returned UserDetails object + attribute user-details-class {"person" | "inetOrgPerson"} user-context-mapper-attribute = - ## Allows explicit customization of the loaded user object by specifying a UserDetailsContextMapper bean which will be called with the context information from the user's directory entry - attribute user-context-mapper-ref {xsd:token} + ## Allows explicit customization of the loaded user object by specifying a UserDetailsContextMapper bean which will be called with the context information from the user's directory entry + attribute user-context-mapper-ref {xsd:token} ldap-user-service = - ## This element configures a LdapUserDetailsService which is a combination of a FilterBasedLdapUserSearch and a DefaultLdapAuthoritiesPopulator. - element ldap-user-service {ldap-us.attlist} + ## This element configures a LdapUserDetailsService which is a combination of a FilterBasedLdapUserSearch and a DefaultLdapAuthoritiesPopulator. + element ldap-user-service {ldap-us.attlist} ldap-us.attlist &= id? ldap-us.attlist &= - ldap-server-ref-attribute? + ldap-server-ref-attribute? ldap-us.attlist &= - user-search-filter-attribute? + user-search-filter-attribute? ldap-us.attlist &= - user-search-base-attribute? + user-search-base-attribute? ldap-us.attlist &= - group-search-filter-attribute? + group-search-filter-attribute? ldap-us.attlist &= - group-search-base-attribute? + group-search-base-attribute? ldap-us.attlist &= - group-role-attribute-attribute? + group-role-attribute-attribute? ldap-us.attlist &= - cache-ref? + cache-ref? ldap-us.attlist &= - role-prefix? + role-prefix? ldap-us.attlist &= - (user-details-class-attribute | user-context-mapper-attribute)? + (user-details-class-attribute | user-context-mapper-attribute)? 
ldap-authentication-provider = - ## Sets up an ldap authentication provider - element ldap-authentication-provider {ldap-ap.attlist, password-compare-element?} + ## Sets up an ldap authentication provider + element ldap-authentication-provider {ldap-ap.attlist, password-compare-element?} ldap-ap.attlist &= - ldap-server-ref-attribute? + ldap-server-ref-attribute? ldap-ap.attlist &= - user-search-base-attribute? + user-search-base-attribute? ldap-ap.attlist &= - user-search-filter-attribute? + user-search-filter-attribute? ldap-ap.attlist &= - group-search-base-attribute? + group-search-base-attribute? ldap-ap.attlist &= - group-search-filter-attribute? + group-search-filter-attribute? ldap-ap.attlist &= - group-role-attribute-attribute? + group-role-attribute-attribute? ldap-ap.attlist &= - ## A specific pattern used to build the user's DN, for example "uid={0},ou=people". The key "{0}" must be present and will be substituted with the username. - attribute user-dn-pattern {xsd:token}? + ## A specific pattern used to build the user's DN, for example "uid={0},ou=people". The key "{0}" must be present and will be substituted with the username. + attribute user-dn-pattern {xsd:token}? ldap-ap.attlist &= - role-prefix? + role-prefix? ldap-ap.attlist &= - (user-details-class-attribute | user-context-mapper-attribute)? + (user-details-class-attribute | user-context-mapper-attribute)? password-compare-element = - ## Specifies that an LDAP provider should use an LDAP compare operation of the user's password to authenticate the user - element password-compare {password-compare.attlist, password-encoder?} + ## Specifies that an LDAP provider should use an LDAP compare operation of the user's password to authenticate the user + element password-compare {password-compare.attlist, password-encoder?} password-compare.attlist &= - ## The attribute in the directory which contains the user password. Defaults to "userPassword". - attribute password-attribute {xsd:token}? 
+ ## The attribute in the directory which contains the user password. Defaults to "userPassword". + attribute password-attribute {xsd:token}? password-compare.attlist &= - hash? + hash? intercept-methods = - ## Can be used inside a bean definition to add a security interceptor to the bean and set up access configuration attributes for the bean's methods - element intercept-methods {intercept-methods.attlist, protect+} + ## Can be used inside a bean definition to add a security interceptor to the bean and set up access configuration attributes for the bean's methods + element intercept-methods {intercept-methods.attlist, protect+} intercept-methods.attlist &= - ## Optional AccessDecisionManager bean ID to be used by the created method security interceptor. - attribute access-decision-manager-ref {xsd:token}? + ## Optional AccessDecisionManager bean ID to be used by the created method security interceptor. + attribute access-decision-manager-ref {xsd:token}? protect = - ## Defines a protected method and the access control configuration attributes that apply to it. We strongly advise you NOT to mix "protect" declarations with any services provided "global-method-security". - element protect {protect.attlist, empty} + ## Defines a protected method and the access control configuration attributes that apply to it. We strongly advise you NOT to mix "protect" declarations with any services provided "global-method-security". + element protect {protect.attlist, empty} protect.attlist &= - ## A method name - attribute method {xsd:token} + ## A method name + attribute method {xsd:token} protect.attlist &= - ## Access configuration attributes list that applies to the method, e.g. "ROLE_A,ROLE_B". - attribute access {xsd:token} + ## Access configuration attributes list that applies to the method, e.g. "ROLE_A,ROLE_B". 
+ attribute access {xsd:token} method-security-metadata-source = - ## Creates a MethodSecurityMetadataSource instance - element method-security-metadata-source {msmds.attlist, protect+} + ## Creates a MethodSecurityMetadataSource instance + element method-security-metadata-source {msmds.attlist, protect+} msmds.attlist &= id? msmds.attlist &= use-expressions? global-method-security = - ## Provides method security for all beans registered in the Spring application context. Specifically, beans will be scanned for matches with the ordered list of "protect-pointcut" sub-elements, Spring Security annotations and/or. Where there is a match, the beans will automatically be proxied and security authorization applied to the methods accordingly. If you use and enable all four sources of method security metadata (ie "protect-pointcut" declarations, expression annotations, @Secured and also JSR250 security annotations), the metadata sources will be queried in that order. In practical terms, this enables you to use XML to override method security metadata expressed in annotations. If using annotations, the order of precedence is EL-based (@PreAuthorize etc.), @Secured and finally JSR-250. - element global-method-security {global-method-security.attlist, (pre-post-annotation-handling | expression-handler)?, protect-pointcut*, after-invocation-provider*} + ## Provides method security for all beans registered in the Spring application context. Specifically, beans will be scanned for matches with the ordered list of "protect-pointcut" sub-elements, Spring Security annotations and/or. Where there is a match, the beans will automatically be proxied and security authorization applied to the methods accordingly. If you use and enable all four sources of method security metadata (ie "protect-pointcut" declarations, expression annotations, @Secured and also JSR250 security annotations), the metadata sources will be queried in that order. 
In practical terms, this enables you to use XML to override method security metadata expressed in annotations. If using annotations, the order of precedence is EL-based (@PreAuthorize etc.), @Secured and finally JSR-250. + element global-method-security {global-method-security.attlist, (pre-post-annotation-handling | expression-handler)?, protect-pointcut*, after-invocation-provider*} global-method-security.attlist &= - ## Specifies whether the use of Spring Security's pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be enabled for this application context. Defaults to "disabled". - attribute pre-post-annotations {"disabled" | "enabled" }? + ## Specifies whether the use of Spring Security's pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be enabled for this application context. Defaults to "disabled". + attribute pre-post-annotations {"disabled" | "enabled" }? global-method-security.attlist &= - ## Specifies whether the use of Spring Security's @Secured annotations should be enabled for this application context. Defaults to "disabled". - attribute secured-annotations {"disabled" | "enabled" }? + ## Specifies whether the use of Spring Security's @Secured annotations should be enabled for this application context. Defaults to "disabled". + attribute secured-annotations {"disabled" | "enabled" }? global-method-security.attlist &= - ## Specifies whether JSR-250 style attributes are to be used (for example "RolesAllowed"). This will require the javax.annotation.security classes on the classpath. Defaults to "disabled". - attribute jsr250-annotations {"disabled" | "enabled" }? + ## Specifies whether JSR-250 style attributes are to be used (for example "RolesAllowed"). This will require the javax.annotation.security classes on the classpath. Defaults to "disabled". + attribute jsr250-annotations {"disabled" | "enabled" }? 
global-method-security.attlist &= - ## Optional AccessDecisionManager bean ID to override the default used for method security. - attribute access-decision-manager-ref {xsd:token}? + ## Optional AccessDecisionManager bean ID to override the default used for method security. + attribute access-decision-manager-ref {xsd:token}? global-method-security.attlist &= - ## Optional RunAsmanager implementation which will be used by the configured MethodSecurityInterceptor - attribute run-as-manager-ref {xsd:token}? + ## Optional RunAsmanager implementation which will be used by the configured MethodSecurityInterceptor + attribute run-as-manager-ref {xsd:token}? global-method-security.attlist &= - ## Allows the advice "order" to be set for the method security interceptor. - attribute order {xsd:token}? + ## Allows the advice "order" to be set for the method security interceptor. + attribute order {xsd:token}? global-method-security.attlist &= - ## If true, class based proxying will be used instead of interface based proxying. - attribute proxy-target-class {xsd:boolean}? + ## If true, class based proxying will be used instead of interface based proxying. + attribute proxy-target-class {xsd:boolean}? global-method-security.attlist &= - ## Can be used to specify that AspectJ should be used instead of the default Spring AOP. If set, secured classes must be woven with the AnnotationSecurityAspect from the spring-security-aspects module. - attribute mode {"aspectj"}? + ## Can be used to specify that AspectJ should be used instead of the default Spring AOP. If set, secured classes must be woven with the AnnotationSecurityAspect from the spring-security-aspects module. + attribute mode {"aspectj"}? global-method-security.attlist &= - ## An external MethodSecurityMetadataSource instance can be supplied which will take priority over other sources (such as the default annotations). - attribute metadata-source-ref {xsd:token}? 
+ ## An external MethodSecurityMetadataSource instance can be supplied which will take priority over other sources (such as the default annotations). + attribute metadata-source-ref {xsd:token}? global-method-security.attlist &= - authentication-manager-ref? + authentication-manager-ref? after-invocation-provider = - ## Allows addition of extra AfterInvocationProvider beans which should be called by the MethodSecurityInterceptor created by global-method-security. - element after-invocation-provider {ref} + ## Allows addition of extra AfterInvocationProvider beans which should be called by the MethodSecurityInterceptor created by global-method-security. + element after-invocation-provider {ref} pre-post-annotation-handling = - ## Allows the default expression-based mechanism for handling Spring Security's pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) to be replace entirely. Only applies if these annotations are enabled. - element pre-post-annotation-handling {invocation-attribute-factory, pre-invocation-advice, post-invocation-advice} + ## Allows the default expression-based mechanism for handling Spring Security's pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) to be replace entirely. Only applies if these annotations are enabled. + element pre-post-annotation-handling {invocation-attribute-factory, pre-invocation-advice, post-invocation-advice} invocation-attribute-factory = - ## Defines the PrePostInvocationAttributeFactory instance which is used to generate pre and post invocation metadata from the annotated methods. - element invocation-attribute-factory {ref} + ## Defines the PrePostInvocationAttributeFactory instance which is used to generate pre and post invocation metadata from the annotated methods. 
+ element invocation-attribute-factory {ref} pre-invocation-advice = - ## Customizes the PreInvocationAuthorizationAdviceVoter with the ref as the PreInvocationAuthorizationAdviceVoter for the element. - element pre-invocation-advice {ref} + ## Customizes the PreInvocationAuthorizationAdviceVoter with the ref as the PreInvocationAuthorizationAdviceVoter for the element. + element pre-invocation-advice {ref} post-invocation-advice = - ## Customizes the PostInvocationAdviceProvider with the ref as the PostInvocationAuthorizationAdvice for the element. - element post-invocation-advice {ref} + ## Customizes the PostInvocationAdviceProvider with the ref as the PostInvocationAuthorizationAdvice for the element. + element post-invocation-advice {ref} expression-handler = - ## Defines the SecurityExpressionHandler instance which will be used if expression-based access-control is enabled. A default implementation (with no ACL support) will be used if not supplied. - element expression-handler {ref} + ## Defines the SecurityExpressionHandler instance which will be used if expression-based access-control is enabled. A default implementation (with no ACL support) will be used if not supplied. + element expression-handler {ref} protect-pointcut = - ## Defines a protected pointcut and the access control configuration attributes that apply to it. Every bean registered in the Spring application context that provides a method that matches the pointcut will receive security authorization. - element protect-pointcut {protect-pointcut.attlist, empty} + ## Defines a protected pointcut and the access control configuration attributes that apply to it. Every bean registered in the Spring application context that provides a method that matches the pointcut will receive security authorization. + element protect-pointcut {protect-pointcut.attlist, empty} protect-pointcut.attlist &= - ## An AspectJ expression, including the 'execution' keyword. 
For example, 'execution(int com.foo.TargetObject.countLength(String))' (without the quotes). - attribute expression {xsd:string} + ## An AspectJ expression, including the 'execution' keyword. For example, 'execution(int com.foo.TargetObject.countLength(String))' (without the quotes). + attribute expression {xsd:string} protect-pointcut.attlist &= - ## Access configuration attributes list that applies to all methods matching the pointcut, e.g. "ROLE_A,ROLE_B" - attribute access {xsd:token} + ## Access configuration attributes list that applies to all methods matching the pointcut, e.g. "ROLE_A,ROLE_B" + attribute access {xsd:token} websocket-message-broker = - ## Allows securing a Message Broker. There are two modes. If no id is specified: ensures that any SimpAnnotationMethodMessageHandler has the AuthenticationPrincipalArgumentResolver registered as a custom argument resolver; ensures that the SecurityContextChannelInterceptor is automatically registered for the clientInboundChannel; and that a ChannelSecurityInterceptor is registered with the clientInboundChannel. If the id is specified, creates a ChannelSecurityInterceptor that can be manually registered with the clientInboundChannel. - element websocket-message-broker { websocket-message-broker.attrlist, (intercept-message*) } + ## Allows securing a Message Broker. There are two modes. If no id is specified: ensures that any SimpAnnotationMethodMessageHandler has the AuthenticationPrincipalArgumentResolver registered as a custom argument resolver; ensures that the SecurityContextChannelInterceptor is automatically registered for the clientInboundChannel; and that a ChannelSecurityInterceptor is registered with the clientInboundChannel. If the id is specified, creates a ChannelSecurityInterceptor that can be manually registered with the clientInboundChannel. 
+ element websocket-message-broker { websocket-message-broker.attrlist, (intercept-message*) }
 websocket-message-broker.attrlist &=
- ## A bean identifier, used for referring to the bean elsewhere in the context. If specified, explicit configuration within clientInboundChannel is required. If not specified, ensures that any SimpAnnotationMethodMessageHandler has the AuthenticationPrincipalArgumentResolver registered as a custom argument resolver; ensures that the SecurityContextChannelInterceptor is automatically registered for the clientInboundChannel; and that a ChannelSecurityInterceptor is registered with the clientInboundChannel.
- attribute id {xsd:token}?
+ ## A bean identifier, used for referring to the bean elsewhere in the context. If specified, explicit configuration within clientInboundChannel is required. If not specified, ensures that any SimpAnnotationMethodMessageHandler has the AuthenticationPrincipalArgumentResolver registered as a custom argument resolver; ensures that the SecurityContextChannelInterceptor is automatically registered for the clientInboundChannel; and that a ChannelSecurityInterceptor is registered with the clientInboundChannel.
+ attribute id {xsd:token}?
 websocket-message-broker.attrlist &=
- ## Disables the requirement for CSRF token to be present in the Stomp headers (default false). Changing the default is useful if it is necessary to allow other origins to make SockJS connections.
- attribute same-origin-disabled {xsd:boolean}?
+ ## Disables the requirement for CSRF token to be present in the Stomp headers (default false). Changing the default is useful if it is necessary to allow other origins to make SockJS connections.
+ attribute same-origin-disabled {xsd:boolean}?
 intercept-message =
- ## Creates an authorization rule for a websocket message.
- element intercept-message {intercept-message.attrlist}
+ ## Creates an authorization rule for a websocket message.
+ element intercept-message {intercept-message.attrlist}
 intercept-message.attrlist &=
- ## The destination ant pattern which will be mapped to the access attribute. For example, /** matches any message with a destination, /admin/** matches any message that has a destination that starts with admin.
- attribute pattern {xsd:token}?
+ ## The destination ant pattern which will be mapped to the access attribute. For example, /** matches any message with a destination, /admin/** matches any message that has a destination that starts with admin.
+ attribute pattern {xsd:token}?
 intercept-message.attrlist &=
- ## The access configuration attributes that apply for the configured message. For example, permitAll grants access to anyone, hasRole('ROLE_ADMIN') requires the user have the role 'ROLE_ADMIN'.
- attribute access {xsd:token}?
+ ## The access configuration attributes that apply for the configured message. For example, permitAll grants access to anyone, hasRole('ROLE_ADMIN') requires the user have the role 'ROLE_ADMIN'.
+ attribute access {xsd:token}?
 intercept-message.attrlist &=
- ## The type of message to match on. Valid values are defined in SimpMessageType (i.e. CONNECT, CONNECT_ACK, HEARTBEAT, MESSAGE, SUBSCRIBE, UNSUBSCRIBE, DISCONNECT, DISCONNECT_ACK, OTHER).
- attribute type {"CONNECT" | "CONNECT_ACK" | "HEARTBEAT" | "MESSAGE" | "SUBSCRIBE"| "UNSUBSCRIBE" | "DISCONNECT" | "DISCONNECT_ACK" | "OTHER"}?
+ ## The type of message to match on. Valid values are defined in SimpMessageType (i.e. CONNECT, CONNECT_ACK, HEARTBEAT, MESSAGE, SUBSCRIBE, UNSUBSCRIBE, DISCONNECT, DISCONNECT_ACK, OTHER).
+ attribute type {"CONNECT" | "CONNECT_ACK" | "HEARTBEAT" | "MESSAGE" | "SUBSCRIBE"| "UNSUBSCRIBE" | "DISCONNECT" | "DISCONNECT_ACK" | "OTHER"}?
 http-firewall =
- ## Allows a custom instance of HttpFirewall to be injected into the FilterChainProxy created by the namespace.
- element http-firewall {ref}
+ ## Allows a custom instance of HttpFirewall to be injected into the FilterChainProxy created by the namespace.
+ element http-firewall {ref}
 http =
- ## Container element for HTTP security configuration. Multiple elements can now be defined, each with a specific pattern to which the enclosed security configuration applies. A pattern can also be configured to bypass Spring Security's filters completely by setting the "security" attribute to "none".
- element http {http.attlist, (intercept-url* & access-denied-handler? & form-login? & openid-login? & x509? & jee? & http-basic? & logout? & session-management & remember-me? & anonymous? & port-mappings & custom-filter* & request-cache? & expression-handler? & headers? & csrf?) }
+ ## Container element for HTTP security configuration. Multiple elements can now be defined, each with a specific pattern to which the enclosed security configuration applies. A pattern can also be configured to bypass Spring Security's filters completely by setting the "security" attribute to "none".
+ element http {http.attlist, (intercept-url* & access-denied-handler? & form-login? & openid-login? & x509? & jee? & http-basic? & logout? & session-management & remember-me? & anonymous? & port-mappings & custom-filter* & request-cache? & expression-handler? & headers? & csrf?) }
 http.attlist &=
- ## The request URL pattern which will be mapped to the filter chain created by this element. If omitted, the filter chain will match all requests.
- attribute pattern {xsd:token}?
+ ## The request URL pattern which will be mapped to the filter chain created by this element. If omitted, the filter chain will match all requests.
+ attribute pattern {xsd:token}?
 http.attlist &=
- ## When set to 'none', requests matching the pattern attribute will be ignored by Spring Security. No security filters will be applied and no SecurityContext will be available. If set, the element must be empty, with no children.
- attribute security {"none"}?
+ ## When set to 'none', requests matching the pattern attribute will be ignored by Spring Security. No security filters will be applied and no SecurityContext will be available. If set, the element must be empty, with no children.
+ attribute security {"none"}?
 http.attlist &=
- ## Allows a RequestMatcher instance to be used, as an alternative to pattern-matching.
- attribute request-matcher-ref { xsd:token }?
+ ## Allows a RequestMatcher instance to be used, as an alternative to pattern-matching.
+ attribute request-matcher-ref { xsd:token }?
 http.attlist &=
- ## A legacy attribute which automatically registers a login form, BASIC authentication and a logout URL and logout services. If unspecified, defaults to "false". We'd recommend you avoid using this and instead explicitly configure the services you require.
- attribute auto-config {xsd:boolean}?
+ ## A legacy attribute which automatically registers a login form, BASIC authentication and a logout URL and logout services. If unspecified, defaults to "false". We'd recommend you avoid using this and instead explicitly configure the services you require.
+ attribute auto-config {xsd:boolean}?
 http.attlist &=
- use-expressions?
+ use-expressions?
 http.attlist &=
- ## Controls the eagerness with which an HTTP session is created by Spring Security classes. If not set, defaults to "ifRequired". If "stateless" is used, this implies that the application guarantees that it will not create a session. This differs from the use of "never" which mans that Spring Security will not create a session, but will make use of one if the application does.
- attribute create-session {"ifRequired" | "always" | "never" | "stateless"}?
+ ## Controls the eagerness with which an HTTP session is created by Spring Security classes. If not set, defaults to "ifRequired". If "stateless" is used, this implies that the application guarantees that it will not create a session. This differs from the use of "never" which mans that Spring Security will not create a session, but will make use of one if the application does.
+ attribute create-session {"ifRequired" | "always" | "never" | "stateless"}?
 http.attlist &=
- ## A reference to a SecurityContextRepository bean. This can be used to customize how the SecurityContext is stored between requests.
- attribute security-context-repository-ref {xsd:token}?
+ ## A reference to a SecurityContextRepository bean. This can be used to customize how the SecurityContext is stored between requests.
+ attribute security-context-repository-ref {xsd:token}?
 http.attlist &=
- request-matcher?
+ request-matcher?
 http.attlist &=
- ## Provides versions of HttpServletRequest security methods such as isUserInRole() and getPrincipal() which are implemented by accessing the Spring SecurityContext. Defaults to "true".
- attribute servlet-api-provision {xsd:boolean}?
+ ## Provides versions of HttpServletRequest security methods such as isUserInRole() and getPrincipal() which are implemented by accessing the Spring SecurityContext. Defaults to "true".
+ attribute servlet-api-provision {xsd:boolean}?
 http.attlist &=
- ## If available, runs the request as the Subject acquired from the JaasAuthenticationToken. Defaults to "false".
- attribute jaas-api-provision {xsd:boolean}?
+ ## If available, runs the request as the Subject acquired from the JaasAuthenticationToken. Defaults to "false".
+ attribute jaas-api-provision {xsd:boolean}?
 http.attlist &=
- ## Optional attribute specifying the ID of the AccessDecisionManager implementation which should be used for authorizing HTTP requests.
- attribute access-decision-manager-ref {xsd:token}?
+ ## Optional attribute specifying the ID of the AccessDecisionManager implementation which should be used for authorizing HTTP requests.
+ attribute access-decision-manager-ref {xsd:token}?
 http.attlist &=
- ## Optional attribute specifying the realm name that will be used for all authentication features that require a realm name (eg BASIC and Digest authentication). If unspecified, defaults to "Spring Security Application".
- attribute realm {xsd:token}?
+ ## Optional attribute specifying the realm name that will be used for all authentication features that require a realm name (eg BASIC and Digest authentication). If unspecified, defaults to "Spring Security Application".
+ attribute realm {xsd:token}?
 http.attlist &=
- ## Allows a customized AuthenticationEntryPoint to be set on the ExceptionTranslationFilter.
- attribute entry-point-ref {xsd:token}?
+ ## Allows a customized AuthenticationEntryPoint to be set on the ExceptionTranslationFilter.
+ attribute entry-point-ref {xsd:token}?
 http.attlist &=
- ## Corresponds to the observeOncePerRequest property of FilterSecurityInterceptor. Defaults to "true"
- attribute once-per-request {xsd:boolean}?
+ ## Corresponds to the observeOncePerRequest property of FilterSecurityInterceptor. Defaults to "true"
+ attribute once-per-request {xsd:boolean}?
 http.attlist &=
- ## Prevents the jsessionid parameter from being added to rendered URLs.
- attribute disable-url-rewriting {xsd:boolean}?
+ ## Prevents the jsessionid parameter from being added to rendered URLs. Defaults to "true" (rewriting is disabled).
+ attribute disable-url-rewriting {xsd:boolean}?
 http.attlist &=
- ## Exposes the list of filters defined by this configuration under this bean name in the application context.
- name?
+ ## Exposes the list of filters defined by this configuration under this bean name in the application context.
+ name?
 http.attlist &=
- authentication-manager-ref?
+ authentication-manager-ref?
 access-denied-handler =
- ## Defines the access-denied strategy that should be used. An access denied page can be defined or a reference to an AccessDeniedHandler instance.
- element access-denied-handler {access-denied-handler.attlist, empty}
+ ## Defines the access-denied strategy that should be used. An access denied page can be defined or a reference to an AccessDeniedHandler instance.
+ element access-denied-handler {access-denied-handler.attlist, empty}
 access-denied-handler.attlist &= (ref | access-denied-handler-page)
 access-denied-handler-page =
- ## The access denied page that an authenticated user will be redirected to if they request a page which they don't have the authority to access.
- attribute error-page {xsd:token}
+ ## The access denied page that an authenticated user will be redirected to if they request a page which they don't have the authority to access.
+ attribute error-page {xsd:token}
 intercept-url =
- ## Specifies the access attributes and/or filter list for a particular set of URLs.
- element intercept-url {intercept-url.attlist, empty}
+ ## Specifies the access attributes and/or filter list for a particular set of URLs.
+ element intercept-url {intercept-url.attlist, empty}
 intercept-url.attlist &=
- ## The pattern which defines the URL path. The content will depend on the type set in the containing http element, so will default to ant path syntax.
- attribute pattern {xsd:token}
+ ## The pattern which defines the URL path. The content will depend on the type set in the containing http element, so will default to ant path syntax.
+ attribute pattern {xsd:token}
 intercept-url.attlist &=
- ## The access configuration attributes that apply for the configured path.
- attribute access {xsd:token}?
+ ## The access configuration attributes that apply for the configured path.
+ attribute access {xsd:token}?
 intercept-url.attlist &=
- ## The HTTP Method for which the access configuration attributes should apply. If not specified, the attributes will apply to any method.
- attribute method {"GET" | "DELETE" | "HEAD" | "OPTIONS" | "POST" | "PUT" | "PATCH" | "TRACE"}?
+ ## The HTTP Method for which the access configuration attributes should apply. If not specified, the attributes will apply to any method.
+ attribute method {"GET" | "DELETE" | "HEAD" | "OPTIONS" | "POST" | "PUT" | "PATCH" | "TRACE"}?
 intercept-url.attlist &=
- ## The filter list for the path. Currently can be set to "none" to remove a path from having any filters applied. The full filter stack (consisting of all filters created by the namespace configuration, and any added using 'custom-filter'), will be applied to any other paths.
- attribute filters {"none"}?
+ ## The filter list for the path. Currently can be set to "none" to remove a path from having any filters applied. The full filter stack (consisting of all filters created by the namespace configuration, and any added using 'custom-filter'), will be applied to any other paths.
+ attribute filters {"none"}?
 intercept-url.attlist &=
- ## Used to specify that a URL must be accessed over http or https, or that there is no preference. The value should be "http", "https" or "any", respectively.
- attribute requires-channel {xsd:token}?
+ ## Used to specify that a URL must be accessed over http or https, or that there is no preference. The value should be "http", "https" or "any", respectively.
+ attribute requires-channel {xsd:token}?
 logout =
- ## Incorporates a logout processing filter. Most web applications require a logout filter, although you may not require one if you write a controller to provider similar logic.
- element logout {logout.attlist, empty}
+ ## Incorporates a logout processing filter. Most web applications require a logout filter, although you may not require one if you write a controller to provider similar logic.
+ element logout {logout.attlist, empty}
 logout.attlist &=
- ## Specifies the URL that will cause a logout. Spring Security will initialize a filter that responds to this particular URL. Defaults to /logout if unspecified.
- attribute logout-url {xsd:token}?
+ ## Specifies the URL that will cause a logout. Spring Security will initialize a filter that responds to this particular URL. Defaults to /logout if unspecified.
+ attribute logout-url {xsd:token}?
 logout.attlist &=
- ## Specifies the URL to display once the user has logged out. If not specified, defaults to /.
- attribute logout-success-url {xsd:token}?
+ ## Specifies the URL to display once the user has logged out. If not specified, defaults to /.
+ attribute logout-success-url {xsd:token}?
 logout.attlist &=
- ## Specifies whether a logout also causes HttpSession invalidation, which is generally desirable. If unspecified, defaults to true.
- attribute invalidate-session {xsd:boolean}?
+ ## Specifies whether a logout also causes HttpSession invalidation, which is generally desirable. If unspecified, defaults to true.
+ attribute invalidate-session {xsd:boolean}?
 logout.attlist &=
- ## A reference to a LogoutSuccessHandler implementation which will be used to determine the destination to which the user is taken after logging out.
- attribute success-handler-ref {xsd:token}?
+ ## A reference to a LogoutSuccessHandler implementation which will be used to determine the destination to which the user is taken after logging out.
+ attribute success-handler-ref {xsd:token}?
 logout.attlist &=
- ## A comma-separated list of the names of cookies which should be deleted when the user logs out
- attribute delete-cookies {xsd:token}?
+ ## A comma-separated list of the names of cookies which should be deleted when the user logs out
+ attribute delete-cookies {xsd:token}?
 request-cache =
- ## Allow the RequestCache used for saving requests during the login process to be set
- element request-cache {ref}
+ ## Allow the RequestCache used for saving requests during the login process to be set
+ element request-cache {ref}
 form-login =
- ## Sets up a form login configuration for authentication with a username and password
- element form-login {form-login.attlist, empty}
+ ## Sets up a form login configuration for authentication with a username and password
+ element form-login {form-login.attlist, empty}
 form-login.attlist &=
- ## The URL that the login form is posted to. If unspecified, it defaults to /login.
- attribute login-processing-url {xsd:token}?
+ ## The URL that the login form is posted to. If unspecified, it defaults to /login.
+ attribute login-processing-url {xsd:token}?
 form-login.attlist &=
- ## The name of the request parameter which contains the username. Defaults to 'username'.
- attribute username-parameter {xsd:token}?
+ ## The name of the request parameter which contains the username. Defaults to 'username'.
+ attribute username-parameter {xsd:token}?
 form-login.attlist &=
- ## The name of the request parameter which contains the password. Defaults to 'password'.
- attribute password-parameter {xsd:token}?
+ ## The name of the request parameter which contains the password. Defaults to 'password'.
+ attribute password-parameter {xsd:token}?
 form-login.attlist &=
- ## The URL that will be redirected to after successful authentication, if the user's previous action could not be resumed. This generally happens if the user visits a login page without having first requested a secured operation that triggers authentication. If unspecified, defaults to the root of the application.
- attribute default-target-url {xsd:token}?
+ ## The URL that will be redirected to after successful authentication, if the user's previous action could not be resumed. This generally happens if the user visits a login page without having first requested a secured operation that triggers authentication. If unspecified, defaults to the root of the application.
+ attribute default-target-url {xsd:token}?
 form-login.attlist &=
- ## Whether the user should always be redirected to the default-target-url after login.
- attribute always-use-default-target {xsd:boolean}?
+ ## Whether the user should always be redirected to the default-target-url after login.
+ attribute always-use-default-target {xsd:boolean}?
 form-login.attlist &=
- ## The URL for the login page. If no login URL is specified, Spring Security will automatically create a login URL at GET /login and a corresponding filter to render that login URL when requested.
- attribute login-page {xsd:token}?
+ ## The URL for the login page. If no login URL is specified, Spring Security will automatically create a login URL at GET /login and a corresponding filter to render that login URL when requested.
+ attribute login-page {xsd:token}?
 form-login.attlist &=
- ## The URL for the login failure page. If no login failure URL is specified, Spring Security will automatically create a failure login URL at /login?error and a corresponding filter to render that login failure URL when requested.
- attribute authentication-failure-url {xsd:token}?
+ ## The URL for the login failure page. If no login failure URL is specified, Spring Security will automatically create a failure login URL at /login?error and a corresponding filter to render that login failure URL when requested.
+ attribute authentication-failure-url {xsd:token}?
 form-login.attlist &=
- ## Reference to an AuthenticationSuccessHandler bean which should be used to handle a successful authentication request. Should not be used in combination with default-target-url (or always-use-default-target-url) as the implementation should always deal with navigation to the subsequent destination
- attribute authentication-success-handler-ref {xsd:token}?
+ ## Reference to an AuthenticationSuccessHandler bean which should be used to handle a successful authentication request. Should not be used in combination with default-target-url (or always-use-default-target-url) as the implementation should always deal with navigation to the subsequent destination
+ attribute authentication-success-handler-ref {xsd:token}?
 form-login.attlist &=
- ## Reference to an AuthenticationFailureHandler bean which should be used to handle a failed authentication request. Should not be used in combination with authentication-failure-url as the implementation should always deal with navigation to the subsequent destination
- attribute authentication-failure-handler-ref {xsd:token}?
+ ## Reference to an AuthenticationFailureHandler bean which should be used to handle a failed authentication request. Should not be used in combination with authentication-failure-url as the implementation should always deal with navigation to the subsequent destination
+ attribute authentication-failure-handler-ref {xsd:token}?
 form-login.attlist &=
- ## Reference to an AuthenticationDetailsSource which will be used by the authentication filter
- attribute authentication-details-source-ref {xsd:token}?
+ ## Reference to an AuthenticationDetailsSource which will be used by the authentication filter
+ attribute authentication-details-source-ref {xsd:token}?
 openid-login =
- ## Sets up form login for authentication with an Open ID identity
- element openid-login {form-login.attlist, user-service-ref?, attribute-exchange*}
+ ## Sets up form login for authentication with an Open ID identity
+ element openid-login {form-login.attlist, user-service-ref?, attribute-exchange*}
 attribute-exchange =
- ## Sets up an attribute exchange configuration to request specified attributes from the OpenID identity provider. When multiple elements are used, each must have an identifier-attribute attribute. Each configuration will be matched in turn against the supplied login identifier until a match is found.
- element attribute-exchange {attribute-exchange.attlist, openid-attribute+}
+ ## Sets up an attribute exchange configuration to request specified attributes from the OpenID identity provider. When multiple elements are used, each must have an identifier-attribute attribute. Each configuration will be matched in turn against the supplied login identifier until a match is found.
+ element attribute-exchange {attribute-exchange.attlist, openid-attribute+}
 attribute-exchange.attlist &=
- ## A regular expression which will be compared against the claimed identity, when deciding which attribute-exchange configuration to use during authentication.
- attribute identifier-match {xsd:token}?
+ ## A regular expression which will be compared against the claimed identity, when deciding which attribute-exchange configuration to use during authentication.
+ attribute identifier-match {xsd:token}?
 openid-attribute =
- ## Attributes used when making an OpenID AX Fetch Request
- element openid-attribute {openid-attribute.attlist}
+ ## Attributes used when making an OpenID AX Fetch Request
+ element openid-attribute {openid-attribute.attlist}
 openid-attribute.attlist &=
- ## Specifies the name of the attribute that you wish to get back. For example, email.
- attribute name {xsd:token}
+ ## Specifies the name of the attribute that you wish to get back. For example, email.
+ attribute name {xsd:token}
 openid-attribute.attlist &=
- ## Specifies the attribute type. For example, http://axschema.org/contact/email. See your OP's documentation for valid attribute types.
- attribute type {xsd:token}
+ ## Specifies the attribute type. For example, http://axschema.org/contact/email. See your OP's documentation for valid attribute types.
+ attribute type {xsd:token}
 openid-attribute.attlist &=
- ## Specifies if this attribute is required to the OP, but does not error out if the OP does not return the attribute. Default is false.
- attribute required {xsd:boolean}?
+ ## Specifies if this attribute is required to the OP, but does not error out if the OP does not return the attribute. Default is false.
+ attribute required {xsd:boolean}?
 openid-attribute.attlist &=
- ## Specifies the number of attributes that you wish to get back. For example, return 3 emails. The default value is 1.
- attribute count {xsd:int}?
+ ## Specifies the number of attributes that you wish to get back. For example, return 3 emails. The default value is 1.
+ attribute count {xsd:int}?
 filter-chain-map =
- ## Used to explicitly configure a FilterChainProxy instance with a FilterChainMap
- element filter-chain-map {filter-chain-map.attlist, filter-chain+}
+ ## Used to explicitly configure a FilterChainProxy instance with a FilterChainMap
+ element filter-chain-map {filter-chain-map.attlist, filter-chain+}
 filter-chain-map.attlist &=
- request-matcher?
+ request-matcher?
 filter-chain =
- ## Used within to define a specific URL pattern and the list of filters which apply to the URLs matching that pattern. When multiple filter-chain elements are assembled in a list in order to configure a FilterChainProxy, the most specific patterns must be placed at the top of the list, with most general ones at the bottom.
- element filter-chain {filter-chain.attlist, empty}
+ ## Used within to define a specific URL pattern and the list of filters which apply to the URLs matching that pattern. When multiple filter-chain elements are assembled in a list in order to configure a FilterChainProxy, the most specific patterns must be placed at the top of the list, with most general ones at the bottom.
+ element filter-chain {filter-chain.attlist, empty}
 filter-chain.attlist &=
- (pattern | request-matcher-ref)
+ (pattern | request-matcher-ref)
 filter-chain.attlist &=
- ## A comma separated list of bean names that implement Filter that should be processed for this FilterChain. If the value is none, then no Filters will be used for this FilterChain.
- attribute filters {xsd:token}
+ ## A comma separated list of bean names that implement Filter that should be processed for this FilterChain. If the value is none, then no Filters will be used for this FilterChain.
+ attribute filters {xsd:token}
 pattern =
- ## The request URL pattern which will be mapped to the FilterChain.
- attribute pattern {xsd:token}
+ ## The request URL pattern which will be mapped to the FilterChain.
+ attribute pattern {xsd:token}
 request-matcher-ref =
- ## Allows a RequestMatcher instance to be used, as an alternative to pattern-matching.
- attribute request-matcher-ref {xsd:token}
+ ## Allows a RequestMatcher instance to be used, as an alternative to pattern-matching.
+ attribute request-matcher-ref {xsd:token}
 filter-security-metadata-source =
- ## Used to explicitly configure a FilterSecurityMetadataSource bean for use with a FilterSecurityInterceptor. Usually only needed if you are configuring a FilterChainProxy explicitly, rather than using the element. The intercept-url elements used should only contain pattern, method and access attributes. Any others will result in a configuration error.
- element filter-security-metadata-source {fsmds.attlist, intercept-url+}
+ ## Used to explicitly configure a FilterSecurityMetadataSource bean for use with a FilterSecurityInterceptor. Usually only needed if you are configuring a FilterChainProxy explicitly, rather than using the element. The intercept-url elements used should only contain pattern, method and access attributes. Any others will result in a configuration error.
+ element filter-security-metadata-source {fsmds.attlist, intercept-url+}
 fsmds.attlist &=
- use-expressions?
+ use-expressions?
 fsmds.attlist &=
- id?
+ id?
 fsmds.attlist &=
- ## Compare after forcing to lowercase
- attribute lowercase-comparisons {xsd:boolean}?
+ ## Compare after forcing to lowercase
+ attribute lowercase-comparisons {xsd:boolean}?
 fsmds.attlist &=
- request-matcher?
+ request-matcher?
 http-basic =
- ## Adds support for basic authentication
- element http-basic {http-basic.attlist, empty}
+ ## Adds support for basic authentication
+ element http-basic {http-basic.attlist, empty}
 http-basic.attlist &=
- ## Sets the AuthenticationEntryPoint which is used by the BasicAuthenticationFilter.
- attribute entry-point-ref {xsd:token}?
+ ## Sets the AuthenticationEntryPoint which is used by the BasicAuthenticationFilter.
+ attribute entry-point-ref {xsd:token}?
 http-basic.attlist &=
- ## Reference to an AuthenticationDetailsSource which will be used by the authentication filter
- attribute authentication-details-source-ref {xsd:token}?
+ ## Reference to an AuthenticationDetailsSource which will be used by the authentication filter
+ attribute authentication-details-source-ref {xsd:token}?
 session-management =
- ## Session-management related functionality is implemented by the addition of a SessionManagementFilter to the filter stack.
- element session-management {session-management.attlist, concurrency-control?}
+ ## Session-management related functionality is implemented by the addition of a SessionManagementFilter to the filter stack.
+ element session-management {session-management.attlist, concurrency-control?}
 session-management.attlist &=
- ## Indicates how session fixation protection will be applied when a user authenticates. If set to "none", no protection will be applied. "newSession" will create a new empty session, with only Spring Security-related attributes migrated. "migrateSession" will create a new session and copy all session attributes to the new session. In Servlet 3.1 (Java EE 7) and newer containers, specifying "changeSessionId" will keep the existing session and use the container-supplied session fixation protection (HttpServletRequest#changeSessionId()). Defaults to "changeSessionId" in Servlet 3.1 and newer containers, "migrateSession" in older containers. Throws an exception if "changeSessionId" is used in older containers.
- attribute session-fixation-protection {"none" | "newSession" | "migrateSession" | "changeSessionId" }?
+ ## Indicates how session fixation protection will be applied when a user authenticates. If set to "none", no protection will be applied. "newSession" will create a new empty session, with only Spring Security-related attributes migrated. "migrateSession" will create a new session and copy all session attributes to the new session. In Servlet 3.1 (Java EE 7) and newer containers, specifying "changeSessionId" will keep the existing session and use the container-supplied session fixation protection (HttpServletRequest#changeSessionId()). Defaults to "changeSessionId" in Servlet 3.1 and newer containers, "migrateSession" in older containers. Throws an exception if "changeSessionId" is used in older containers.
+ attribute session-fixation-protection {"none" | "newSession" | "migrateSession" | "changeSessionId" }?
 session-management.attlist &=
- ## The URL to which a user will be redirected if they submit an invalid session indentifier. Typically used to detect session timeouts.
- attribute invalid-session-url {xsd:token}?
+ ## The URL to which a user will be redirected if they submit an invalid session indentifier. Typically used to detect session timeouts.
+ attribute invalid-session-url {xsd:token}?
 session-management.attlist &=
- ## Allows injection of the SessionAuthenticationStrategy instance used by the SessionManagementFilter
- attribute session-authentication-strategy-ref {xsd:token}?
+ ## Allows injection of the SessionAuthenticationStrategy instance used by the SessionManagementFilter
+ attribute session-authentication-strategy-ref {xsd:token}?
 session-management.attlist &=
- ## Defines the URL of the error page which should be shown when the SessionAuthenticationStrategy raises an exception. If not set, an unauthorized (401) error code will be returned to the client. Note that this attribute doesn't apply if the error occurs during a form-based login, where the URL for authentication failure will take precedence.
- attribute session-authentication-error-url {xsd:token}?
+ ## Defines the URL of the error page which should be shown when the SessionAuthenticationStrategy raises an exception. If not set, an unauthorized (401) error code will be returned to the client. Note that this attribute doesn't apply if the error occurs during a form-based login, where the URL for authentication failure will take precedence.
+ attribute session-authentication-error-url {xsd:token}?
 concurrency-control =
- ## Enables concurrent session control, limiting the number of authenticated sessions a user may have at the same time.
- element concurrency-control {concurrency-control.attlist, empty}
+ ## Enables concurrent session control, limiting the number of authenticated sessions a user may have at the same time.
+ element concurrency-control {concurrency-control.attlist, empty}
 concurrency-control.attlist &=
- ## The maximum number of sessions a single authenticated user can have open at the same time. Defaults to "1".
- attribute max-sessions {xsd:positiveInteger}?
+ ## The maximum number of sessions a single authenticated user can have open at the same time. Defaults to "1".
+ attribute max-sessions {xsd:positiveInteger}?
 concurrency-control.attlist &=
- ## The URL a user will be redirected to if they attempt to use a session which has been "expired" because they have logged in again.
- attribute expired-url {xsd:token}?
+ ## The URL a user will be redirected to if they attempt to use a session which has been "expired" because they have logged in again.
+ attribute expired-url {xsd:token}?
 concurrency-control.attlist &=
- ## Specifies that an unauthorized error should be reported when a user attempts to login when they already have the maximum configured sessions open. The default behaviour is to expire the original session. If the session-authentication-error-url attribute is set on the session-management URL, the user will be redirected to this URL.
- attribute error-if-maximum-exceeded {xsd:boolean}?
+ ## Specifies that an unauthorized error should be reported when a user attempts to login when they already have the maximum configured sessions open. The default behaviour is to expire the original session. If the session-authentication-error-url attribute is set on the session-management URL, the user will be redirected to this URL.
+ attribute error-if-maximum-exceeded {xsd:boolean}?
 concurrency-control.attlist &=
- ## Allows you to define an alias for the SessionRegistry bean in order to access it in your own configuration.
- attribute session-registry-alias {xsd:token}?
+ ## Allows you to define an alias for the SessionRegistry bean in order to access it in your own configuration.
+ attribute session-registry-alias {xsd:token}?
 concurrency-control.attlist &=
- ## Allows you to define an external SessionRegistry bean to be used by the concurrency control setup.
- attribute session-registry-ref {xsd:token}?
+ ## Allows you to define an external SessionRegistry bean to be used by the concurrency control setup.
+ attribute session-registry-ref {xsd:token}?
 remember-me =
- ## Sets up remember-me authentication. If used with the "key" attribute (or no attributes) the cookie-only implementation will be used. Specifying "token-repository-ref" or "remember-me-data-source-ref" will use the more secure, persisten token approach.
- element remember-me {remember-me.attlist}
+ ## Sets up remember-me authentication. If used with the "key" attribute (or no attributes) the cookie-only implementation will be used. Specifying "token-repository-ref" or "remember-me-data-source-ref" will use the more secure, persisten token approach.
+ element remember-me {remember-me.attlist}
 remember-me.attlist &=
- ## The "key" used to identify cookies from a specific token-based remember-me application. You should set this to a unique value for your application. If unset, it will default to a random value generated by SecureRandom.
- attribute key {xsd:token}?
+ ## The "key" used to identify cookies from a specific token-based remember-me application. You should set this to a unique value for your application. If unset, it will default to a random value generated by SecureRandom.
+ attribute key {xsd:token}?
 remember-me.attlist &=
- (token-repository-ref | remember-me-data-source-ref | remember-me-services-ref)
+ (token-repository-ref | remember-me-data-source-ref | remember-me-services-ref)
 remember-me.attlist &=
- user-service-ref?
+ user-service-ref?
 remember-me.attlist &=
- ## Exports the internally defined RememberMeServices as a bean alias, allowing it to be used by other beans in the application context.
- attribute services-alias {xsd:token}?
+ ## Exports the internally defined RememberMeServices as a bean alias, allowing it to be used by other beans in the application context.
+ attribute services-alias {xsd:token}?
 remember-me.attlist &=
- ## Determines whether the "secure" flag will be set on the remember-me cookie. If set to true, the cookie will only be submitted over HTTPS (recommended). By default, secure cookies will be used if the request is made on a secure connection.
- attribute use-secure-cookie {xsd:boolean}?
+ ## Determines whether the "secure" flag will be set on the remember-me cookie. If set to true, the cookie will only be submitted over HTTPS (recommended). By default, secure cookies will be used if the request is made on a secure connection.
+ attribute use-secure-cookie {xsd:boolean}?
 remember-me.attlist &=
- ## The period (in seconds) for which the remember-me cookie should be valid.
- attribute token-validity-seconds {xsd:string}?
+ ## The period (in seconds) for which the remember-me cookie should be valid.
+ attribute token-validity-seconds {xsd:string}?
 remember-me.attlist &=
- ## Reference to an AuthenticationSuccessHandler bean which should be used to handle a successful remember-me authentication.
- attribute authentication-success-handler-ref {xsd:token}?
+ ## Reference to an AuthenticationSuccessHandler bean which should be used to handle a successful remember-me authentication.
+ attribute authentication-success-handler-ref {xsd:token}?
 remember-me.attlist &=
- ## The name of the request parameter which toggles remember-me authentication. Defaults to 'remember-me'.
- attribute remember-me-parameter {xsd:token}?
+ ## The name of the request parameter which toggles remember-me authentication. Defaults to 'remember-me'.
+ attribute remember-me-parameter {xsd:token}?
 remember-me.attlist &=
- ## The name of cookie which store the token for remember-me authentication. Defaults to 'remember-me'.
- attribute remember-me-cookie {xsd:token}?
+ ## The name of cookie which store the token for remember-me authentication. Defaults to 'remember-me'.
+ attribute remember-me-cookie {xsd:token}?
 token-repository-ref =
- ## Reference to a PersistentTokenRepository bean for use with the persistent token remember-me implementation.
- attribute token-repository-ref {xsd:token}
+ ## Reference to a PersistentTokenRepository bean for use with the persistent token remember-me implementation.
+ attribute token-repository-ref {xsd:token}
 remember-me-services-ref =
- ## Allows a custom implementation of RememberMeServices to be used. Note that this implementation should return RememberMeAuthenticationToken instances with the same "key" value as specified in the remember-me element. Alternatively it should register its own AuthenticationProvider. It should also implement the LogoutHandler interface, which will be invoked when a user logs out. Typically the remember-me cookie would be removed on logout.
- attribute services-ref {xsd:token}?
+ ## Allows a custom implementation of RememberMeServices to be used. Note that this implementation should return RememberMeAuthenticationToken instances with the same "key" value as specified in the remember-me element. Alternatively it should register its own AuthenticationProvider. It should also implement the LogoutHandler interface, which will be invoked when a user logs out. Typically the remember-me cookie would be removed on logout.
+ attribute services-ref {xsd:token}?
 remember-me-data-source-ref =
- ## DataSource bean for the database that contains the token repository schema.
- data-source-ref
+ ## DataSource bean for the database that contains the token repository schema.
+ data-source-ref
 anonymous =
- ## Adds support for automatically granting all anonymous web requests a particular principal identity and a corresponding granted authority.
- element anonymous {anonymous.attlist} + ## Adds support for automatically granting all anonymous web requests a particular principal identity and a corresponding granted authority. + element anonymous {anonymous.attlist} anonymous.attlist &= - ## The key shared between the provider and filter. This generally does not need to be set. If unset, it will default to a random value generated by SecureRandom. - attribute key {xsd:token}? + ## The key shared between the provider and filter. This generally does not need to be set. If unset, it will default to a random value generated by SecureRandom. + attribute key {xsd:token}? anonymous.attlist &= - ## The username that should be assigned to the anonymous request. This allows the principal to be identified, which may be important for logging and auditing. if unset, defaults to "anonymousUser". - attribute username {xsd:token}? + ## The username that should be assigned to the anonymous request. This allows the principal to be identified, which may be important for logging and auditing. if unset, defaults to "anonymousUser". + attribute username {xsd:token}? anonymous.attlist &= - ## The granted authority that should be assigned to the anonymous request. Commonly this is used to assign the anonymous request particular roles, which can subsequently be used in authorization decisions. If unset, defaults to "ROLE_ANONYMOUS". - attribute granted-authority {xsd:token}? + ## The granted authority that should be assigned to the anonymous request. Commonly this is used to assign the anonymous request particular roles, which can subsequently be used in authorization decisions. If unset, defaults to "ROLE_ANONYMOUS". + attribute granted-authority {xsd:token}? anonymous.attlist &= - ## With the default namespace setup, the anonymous "authentication" facility is automatically enabled. You can disable it using this property. - attribute enabled {xsd:boolean}? 
+ ## With the default namespace setup, the anonymous "authentication" facility is automatically enabled. You can disable it using this property. + attribute enabled {xsd:boolean}? port-mappings = - ## Defines the list of mappings between http and https ports for use in redirects - element port-mappings {port-mappings.attlist, port-mapping+} + ## Defines the list of mappings between http and https ports for use in redirects + element port-mappings {port-mappings.attlist, port-mapping+} port-mappings.attlist &= empty port-mapping = - ## Provides a method to map http ports to https ports when forcing a redirect. - element port-mapping {http-port, https-port} + ## Provides a method to map http ports to https ports when forcing a redirect. + element port-mapping {http-port, https-port} http-port = - ## The http port to use. - attribute http {xsd:token} + ## The http port to use. + attribute http {xsd:token} https-port = - ## The https port to use. - attribute https {xsd:token} + ## The https port to use. + attribute https {xsd:token} x509 = - ## Adds support for X.509 client authentication. - element x509 {x509.attlist} + ## Adds support for X.509 client authentication. + element x509 {x509.attlist} x509.attlist &= - ## The regular expression used to obtain the username from the certificate's subject. Defaults to matching on the common name using the pattern "CN=(.*?),". - attribute subject-principal-regex {xsd:token}? + ## The regular expression used to obtain the username from the certificate's subject. Defaults to matching on the common name using the pattern "CN=(.*?),". + attribute subject-principal-regex {xsd:token}? x509.attlist &= - ## Explicitly specifies which user-service should be used to load user data for X.509 authenticated clients. If ommitted, the default user-service will be used. - user-service-ref? + ## Explicitly specifies which user-service should be used to load user data for X.509 authenticated clients. 
If ommitted, the default user-service will be used. + user-service-ref? x509.attlist &= - ## Reference to an AuthenticationDetailsSource which will be used by the authentication filter - attribute authentication-details-source-ref {xsd:token}? + ## Reference to an AuthenticationDetailsSource which will be used by the authentication filter + attribute authentication-details-source-ref {xsd:token}? jee = - ## Adds a J2eePreAuthenticatedProcessingFilter to the filter chain to provide integration with container authentication. - element jee {jee.attlist} + ## Adds a J2eePreAuthenticatedProcessingFilter to the filter chain to provide integration with container authentication. + element jee {jee.attlist} jee.attlist &= - ## A comma-separate list of roles to look for in the incoming HttpServletRequest. - attribute mappable-roles {xsd:token} + ## A comma-separate list of roles to look for in the incoming HttpServletRequest. + attribute mappable-roles {xsd:token} jee.attlist &= - ## Explicitly specifies which user-service should be used to load user data for container authenticated clients. If ommitted, the set of mappable-roles will be used to construct the authorities for the user. - user-service-ref? + ## Explicitly specifies which user-service should be used to load user data for container authenticated clients. If ommitted, the set of mappable-roles will be used to construct the authorities for the user. + user-service-ref? authentication-manager = - ## Registers the AuthenticationManager instance and allows its list of AuthenticationProviders to be defined. Also allows you to define an alias to allow you to reference the AuthenticationManager in your own beans. - element authentication-manager {authman.attlist & authentication-provider* & ldap-authentication-provider*} + ## Registers the AuthenticationManager instance and allows its list of AuthenticationProviders to be defined. 
Also allows you to define an alias to allow you to reference the AuthenticationManager in your own beans. + element authentication-manager {authman.attlist & authentication-provider* & ldap-authentication-provider*} authman.attlist &= - id? + id? authman.attlist &= - ## An alias you wish to use for the AuthenticationManager bean (not required it you are using a specific id) - attribute alias {xsd:token}? + ## An alias you wish to use for the AuthenticationManager bean (not required it you are using a specific id) + attribute alias {xsd:token}? authman.attlist &= - ## If set to true, the AuthenticationManger will attempt to clear any credentials data in the returned Authentication object, once the user has been authenticated. - attribute erase-credentials {xsd:boolean}? + ## If set to true, the AuthenticationManger will attempt to clear any credentials data in the returned Authentication object, once the user has been authenticated. + attribute erase-credentials {xsd:boolean}? authentication-provider = - ## Indicates that the contained user-service should be used as an authentication source. - element authentication-provider {ap.attlist & any-user-service & password-encoder?} + ## Indicates that the contained user-service should be used as an authentication source. + element authentication-provider {ap.attlist & any-user-service & password-encoder?} ap.attlist &= - ## Specifies a reference to a separately configured AuthenticationProvider instance which should be registered within the AuthenticationManager. - ref? + ## Specifies a reference to a separately configured AuthenticationProvider instance which should be registered within the AuthenticationManager. + ref? ap.attlist &= - ## Specifies a reference to a separately configured UserDetailsService from which to obtain authentication data. - user-service-ref? + ## Specifies a reference to a separately configured UserDetailsService from which to obtain authentication data. + user-service-ref? 
user-service = - ## Creates an in-memory UserDetailsService from a properties file or a list of "user" child elements. Usernames are converted to lower-case internally to allow for case-insensitive lookups, so this should not be used if case-sensitivity is required. - element user-service {id? & (properties-file | (user*))} + ## Creates an in-memory UserDetailsService from a properties file or a list of "user" child elements. Usernames are converted to lower-case internally to allow for case-insensitive lookups, so this should not be used if case-sensitivity is required. + element user-service {id? & (properties-file | (user*))} properties-file = - ## The location of a Properties file where each line is in the format of username=password,grantedAuthority[,grantedAuthority][,enabled|disabled] - attribute properties {xsd:token}? + ## The location of a Properties file where each line is in the format of username=password,grantedAuthority[,grantedAuthority][,enabled|disabled] + attribute properties {xsd:token}? user = - ## Represents a user in the application. - element user {user.attlist, empty} + ## Represents a user in the application. + element user {user.attlist, empty} user.attlist &= - ## The username assigned to the user. - attribute name {xsd:token} + ## The username assigned to the user. + attribute name {xsd:token} user.attlist &= - ## The password assigned to the user. This may be hashed if the corresponding authentication provider supports hashing (remember to set the "hash" attribute of the "user-service" element). This attribute be omitted in the case where the data will not be used for authentication, but only for accessing authorities. If omitted, the namespace will generate a random value, preventing its accidental use for authentication. Cannot be empty. - attribute password {xsd:string}? + ## The password assigned to the user. 
This may be hashed if the corresponding authentication provider supports hashing (remember to set the "hash" attribute of the "user-service" element). This attribute be omitted in the case where the data will not be used for authentication, but only for accessing authorities. If omitted, the namespace will generate a random value, preventing its accidental use for authentication. Cannot be empty. + attribute password {xsd:string}? user.attlist &= - ## One of more authorities granted to the user. Separate authorities with a comma (but no space). For example, "ROLE_USER,ROLE_ADMINISTRATOR" - attribute authorities {xsd:token} + ## One of more authorities granted to the user. Separate authorities with a comma (but no space). For example, "ROLE_USER,ROLE_ADMINISTRATOR" + attribute authorities {xsd:token} user.attlist &= - ## Can be set to "true" to mark an account as locked and unusable. - attribute locked {xsd:boolean}? + ## Can be set to "true" to mark an account as locked and unusable. + attribute locked {xsd:boolean}? user.attlist &= - ## Can be set to "true" to mark an account as disabled and unusable. - attribute disabled {xsd:boolean}? + ## Can be set to "true" to mark an account as disabled and unusable. + attribute disabled {xsd:boolean}? jdbc-user-service = - ## Causes creation of a JDBC-based UserDetailsService. - element jdbc-user-service {id? & jdbc-user-service.attlist} + ## Causes creation of a JDBC-based UserDetailsService. + element jdbc-user-service {id? & jdbc-user-service.attlist} jdbc-user-service.attlist &= - ## The bean ID of the DataSource which provides the required tables. - attribute data-source-ref {xsd:token} + ## The bean ID of the DataSource which provides the required tables. + attribute data-source-ref {xsd:token} jdbc-user-service.attlist &= - cache-ref? + cache-ref? jdbc-user-service.attlist &= - ## An SQL statement to query a username, password, and enabled status given a username. 
Default is "select username,password,enabled from users where username = ?" - attribute users-by-username-query {xsd:token}? + ## An SQL statement to query a username, password, and enabled status given a username. Default is "select username,password,enabled from users where username = ?" + attribute users-by-username-query {xsd:token}? jdbc-user-service.attlist &= - ## An SQL statement to query for a user's granted authorities given a username. The default is "select username, authority from authorities where username = ?" - attribute authorities-by-username-query {xsd:token}? + ## An SQL statement to query for a user's granted authorities given a username. The default is "select username, authority from authorities where username = ?" + attribute authorities-by-username-query {xsd:token}? jdbc-user-service.attlist &= - ## An SQL statement to query user's group authorities given a username. The default is "select g.id, g.group_name, ga.authority from groups g, group_members gm, group_authorities ga where gm.username = ? and g.id = ga.group_id and g.id = gm.group_id" - attribute group-authorities-by-username-query {xsd:token}? + ## An SQL statement to query user's group authorities given a username. The default is "select g.id, g.group_name, ga.authority from groups g, group_members gm, group_authorities ga where gm.username = ? and g.id = ga.group_id and g.id = gm.group_id" + attribute group-authorities-by-username-query {xsd:token}? jdbc-user-service.attlist &= - role-prefix? + role-prefix? csrf = - ## Element for configuration of the CsrfFilter for protection against CSRF. It also updates the default RequestCache to only replay "GET" requests. - element csrf {csrf-options.attlist} +## Element for configuration of the CsrfFilter for protection against CSRF. It also updates the default RequestCache to only replay "GET" requests. + element csrf {csrf-options.attlist} csrf-options.attlist &= - ## Specifies if csrf protection should be disabled. Default false (i.e. 
CSRF protection is enabled). - attribute disabled {xsd:boolean}? + ## Specifies if csrf protection should be disabled. Default false (i.e. CSRF protection is enabled). + attribute disabled {xsd:boolean}? csrf-options.attlist &= - ## The RequestMatcher instance to be used to determine if CSRF should be applied. Default is any HTTP method except "GET", "TRACE", "HEAD", "OPTIONS" - attribute request-matcher-ref { xsd:token }? + ## The RequestMatcher instance to be used to determine if CSRF should be applied. Default is any HTTP method except "GET", "TRACE", "HEAD", "OPTIONS" + attribute request-matcher-ref { xsd:token }? csrf-options.attlist &= - ## The CsrfTokenRepository to use. The default is HttpSessionCsrfTokenRepository - attribute token-repository-ref { xsd:token }? + ## The CsrfTokenRepository to use. The default is HttpSessionCsrfTokenRepository + attribute token-repository-ref { xsd:token }? headers = - ## Element for configuration of the HeaderWritersFilter. Enables easy setting for the X-Frame-Options, X-XSS-Protection and X-Content-Type-Options headers. - element headers { headers-options.attlist, (cache-control? & xss-protection? & hsts? & frame-options? & content-type-options? & header*)} +## Element for configuration of the HeaderWritersFilter. Enables easy setting for the X-Frame-Options, X-XSS-Protection and X-Content-Type-Options headers. +element headers { headers-options.attlist, (cache-control? & xss-protection? & hsts? & frame-options? & content-type-options? & header*)} headers-options.attlist &= - ## Specifies if the default headers should be disabled. Default false. - attribute defaults-disabled {xsd:boolean}? + ## Specifies if the default headers should be disabled. Default false. + attribute defaults-disabled {xsd:boolean}? headers-options.attlist &= - ## Specifies if headers should be disabled. Default false. - attribute disabled {xsd:boolean}? + ## Specifies if headers should be disabled. Default false. + attribute disabled {xsd:boolean}? 
hsts = - ## Adds support for HTTP Strict Transport Security (HSTS) - element hsts {hsts-options.attlist} + ## Adds support for HTTP Strict Transport Security (HSTS) + element hsts {hsts-options.attlist} hsts-options.attlist &= - ## Specifies if HTTP Strict Transport Security (HSTS) should be disabled. Default false. - attribute disabled {xsd:boolean}? + ## Specifies if HTTP Strict Transport Security (HSTS) should be disabled. Default false. + attribute disabled {xsd:boolean}? hsts-options.attlist &= - ## Specifies if subdomains should be included. Default true. - attribute include-subdomains {xsd:boolean}? + ## Specifies if subdomains should be included. Default true. + attribute include-subdomains {xsd:boolean}? hsts-options.attlist &= - ## Specifies the maximum ammount of time the host should be considered a Known HSTS Host. Default one year. - attribute max-age-seconds {xsd:integer}? + ## Specifies the maximum ammount of time the host should be considered a Known HSTS Host. Default one year. + attribute max-age-seconds {xsd:integer}? hsts-options.attlist &= - ## The RequestMatcher instance to be used to determine if the header should be set. Default is if HttpServletRequest.isSecure() is true. - attribute request-matcher-ref { xsd:token }? + ## The RequestMatcher instance to be used to determine if the header should be set. Default is if HttpServletRequest.isSecure() is true. + attribute request-matcher-ref { xsd:token }? cache-control = - ## Adds Cache-Control no-cache, no-store, must-revalidate, Pragma no-cache, and Expires 0 for every request - element cache-control {cache-control.attlist} + ## Adds Cache-Control no-cache, no-store, must-revalidate, Pragma no-cache, and Expires 0 for every request + element cache-control {cache-control.attlist} cache-control.attlist &= - ## Specifies if Cache Control should be disabled. Default false. - attribute disabled {xsd:boolean}? + ## Specifies if Cache Control should be disabled. Default false. 
+ attribute disabled {xsd:boolean}? frame-options = - ## Enable basic clickjacking support for newer browsers (IE8+), will set the X-Frame-Options header. - element frame-options {frame-options.attlist,empty} + ## Enable basic clickjacking support for newer browsers (IE8+), will set the X-Frame-Options header. + element frame-options {frame-options.attlist,empty} frame-options.attlist &= - ## If disabled, the X-Frame-Options header will not be included. Default false. - attribute disabled {xsd:boolean}? + ## If disabled, the X-Frame-Options header will not be included. Default false. + attribute disabled {xsd:boolean}? frame-options.attlist &= - ## Specify the policy to use for the X-Frame-Options-Header. - attribute policy {"DENY","SAMEORIGIN","ALLOW-FROM"}? + ## Specify the policy to use for the X-Frame-Options-Header. + attribute policy {"DENY","SAMEORIGIN","ALLOW-FROM"}? frame-options.attlist &= - ## Specify the strategy to use when ALLOW-FROM is chosen. - attribute strategy {"static","whitelist","regexp"}? + ## Specify the strategy to use when ALLOW-FROM is chosen. + attribute strategy {"static","whitelist","regexp"}? frame-options.attlist &= - ## Specify the a reference to the custom AllowFromStrategy to use when ALLOW-FROM is chosen. - ref? + ## Specify the a reference to the custom AllowFromStrategy to use when ALLOW-FROM is chosen. + ref? frame-options.attlist &= - ## Specify the a value to use for the chosen strategy. - attribute value {xsd:string}? + ## Specify the a value to use for the chosen strategy. + attribute value {xsd:string}? frame-options.attlist &= - ## Specify the request parameter to use for the origin when using a 'whitelist' or 'regexp' based strategy. Default is 'from'. - attribute from-parameter {xsd:string}? + ## Specify the request parameter to use for the origin when using a 'whitelist' or 'regexp' based strategy. Default is 'from'. + attribute from-parameter {xsd:string}? 
xss-protection = - ## Enable basic XSS browser protection, supported by newer browsers (IE8+), will set the X-XSS-Protection header. - element xss-protection {xss-protection.attlist,empty} + ## Enable basic XSS browser protection, supported by newer browsers (IE8+), will set the X-XSS-Protection header. + element xss-protection {xss-protection.attlist,empty} xss-protection.attlist &= - ## disable the X-XSS-Protection header. Default is 'false' meaning it is enabled. - attribute disabled {xsd:boolean}? + ## disable the X-XSS-Protection header. Default is 'false' meaning it is enabled. + attribute disabled {xsd:boolean}? xss-protection.attlist &= - ## specify that XSS Protection should be explicitly enabled or disabled. Default is 'true' meaning it is enabled. - attribute enabled {xsd:boolean}? + ## specify that XSS Protection should be explicitly enabled or disabled. Default is 'true' meaning it is enabled. + attribute enabled {xsd:boolean}? xss-protection.attlist &= - ## Add mode=block to the header or not, default is on. - attribute block {xsd:boolean}? + ## Add mode=block to the header or not, default is on. + attribute block {xsd:boolean}? content-type-options = - ## Add a X-Content-Type-Options header to the resopnse. Value is always 'nosniff'. - element content-type-options {content-type-options.attlist, empty} + ## Add a X-Content-Type-Options header to the resopnse. Value is always 'nosniff'. + element content-type-options {content-type-options.attlist, empty} content-type-options.attlist &= - ## If disabled, the X-Content-Type-Options header will not be included. Default false. - attribute disabled {xsd:boolean}? + ## If disabled, the X-Content-Type-Options header will not be included. Default false. + attribute disabled {xsd:boolean}? header= - ## Add additional headers to the response. - element header {header.attlist} + ## Add additional headers to the response. + element header {header.attlist} header.attlist &= - ## The name of the header to add. 
- attribute name {xsd:token}? + ## The name of the header to add. + attribute name {xsd:token}? header.attlist &= - ## The value for the header. - attribute value {xsd:token}? + ## The value for the header. + attribute value {xsd:token}? header.attlist &= - ## Reference to a custom HeaderWriter implementation. - ref? + ## Reference to a custom HeaderWriter implementation. + ref? any-user-service = user-service | jdbc-user-service | ldap-user-service custom-filter = - ## Used to indicate that a filter bean declaration should be incorporated into the security filter chain. - element custom-filter {custom-filter.attlist} + ## Used to indicate that a filter bean declaration should be incorporated into the security filter chain. + element custom-filter {custom-filter.attlist} custom-filter.attlist &= - ref + ref custom-filter.attlist &= - (after | before | position) + (after | before | position) after = - ## The filter immediately after which the custom-filter should be placed in the chain. This feature will only be needed by advanced users who wish to mix their own filters into the security filter chain and have some knowledge of the standard Spring Security filters. The filter names map to specific Spring Security implementation filters. - attribute after {named-security-filter} + ## The filter immediately after which the custom-filter should be placed in the chain. This feature will only be needed by advanced users who wish to mix their own filters into the security filter chain and have some knowledge of the standard Spring Security filters. The filter names map to specific Spring Security implementation filters. 
+ attribute after {named-security-filter} before = - ## The filter immediately before which the custom-filter should be placed in the chain - attribute before {named-security-filter} + ## The filter immediately before which the custom-filter should be placed in the chain + attribute before {named-security-filter} position = - ## The explicit position at which the custom-filter should be placed in the chain. Use if you are replacing a standard filter. - attribute position {named-security-filter} + ## The explicit position at which the custom-filter should be placed in the chain. Use if you are replacing a standard filter. + attribute position {named-security-filter} named-security-filter = "FIRST" | "CHANNEL_FILTER" | "SECURITY_CONTEXT_FILTER" | "CONCURRENT_SESSION_FILTER" | "WEB_ASYNC_MANAGER_FILTER" | "HEADERS_FILTER" | "CSRF_FILTER" | "LOGOUT_FILTER" | "X509_FILTER" | "PRE_AUTH_FILTER" | "CAS_FILTER" | "FORM_LOGIN_FILTER" | "OPENID_FILTER" | "LOGIN_PAGE_FILTER" | "DIGEST_AUTH_FILTER" | "BASIC_AUTH_FILTER" | "REQUEST_CACHE_FILTER" | "SERVLET_API_SUPPORT_FILTER" | "JAAS_API_SUPPORT_FILTER" | "REMEMBER_ME_FILTER" | "ANONYMOUS_FILTER" | "SESSION_MANAGEMENT_FILTER" | "EXCEPTION_TRANSLATION_FILTER" | "FILTER_SECURITY_INTERCEPTOR" | "SWITCH_USER_FILTER" | "LAST" diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-4.0.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-4.0.xsd index 6783146b78..5935e76c88 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-4.0.xsd +++ b/config/src/main/resources/org/springframework/security/config/spring-security-4.0.xsd 
@@ -872,9 +872,9 @@ - Disables the requrement for CSRF token to be present in the Stomp headers (default false). - Changing the default is useful if it is necessary to allow other origins to make SockJS - connections. + Disables the requirement for CSRF token to be present in the Stomp headers (default + false). Changing the default is useful if it is necessary to allow other origins to make + SockJS connections. @@ -1233,7 +1233,8 @@ - Prevents the jsessionid parameter from being added to rendered URLs. + Prevents the jsessionid parameter from being added to rendered URLs. Defaults to "true" + (rewriting is disabled). @@ -1828,11 +1829,11 @@ - - The name of cookie which store the token for remember-me authentication. Defaults to - 'remember-me'. - - + + The name of cookie which store the token for remember-me authentication. Defaults to + 'remember-me'. + + diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/web/builders/NamespaceHttpTests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/web/builders/NamespaceHttpTests.groovy index 4c9e6b3615..780ccb3701 100644 --- a/config/src/test/groovy/org/springframework/security/config/annotation/web/builders/NamespaceHttpTests.groovy +++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/builders/NamespaceHttpTests.groovy @@ -248,7 +248,7 @@ public class NamespaceHttpTests extends BaseSpringSpec { static class EnableUrlRewritingConfig extends BaseWebConfig { protected void configure(HttpSecurity http) throws Exception { HttpSessionSecurityContextRepository repository = new HttpSessionSecurityContextRepository() - repository.disableUrlRewriting = false // explicitly configured (not necessary due to default values) + repository.disableUrlRewriting = false // explicitly configured http. securityContext() 
diff --git a/config/src/test/groovy/org/springframework/security/config/http/HttpConfigTests.groovy b/config/src/test/groovy/org/springframework/security/config/http/HttpConfigTests.groovy index 59f1d812bb..00545fb508 100644 --- a/config/src/test/groovy/org/springframework/security/config/http/HttpConfigTests.groovy +++ b/config/src/test/groovy/org/springframework/security/config/http/HttpConfigTests.groovy 
@@ -12,32 +12,17 @@
  */
 package org.springframework.security.config.http
 
-import org.springframework.mock.web.MockFilterChain
-import org.springframework.mock.web.MockHttpServletRequest
-import org.springframework.mock.web.MockHttpServletResponse
-import org.springframework.security.access.AccessDeniedException
-import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
-import org.springframework.security.core.Authentication
-import org.springframework.security.core.authority.AuthorityUtils
-import org.springframework.security.core.context.SecurityContextImpl
-import org.springframework.security.web.access.AccessDeniedHandler
-import org.springframework.security.web.context.HttpRequestResponseHolder
-import org.springframework.security.web.context.HttpSessionSecurityContextRepository
-import org.springframework.security.web.csrf.CsrfFilter
-import org.springframework.security.web.csrf.CsrfToken
-import org.springframework.security.web.csrf.CsrfTokenRepository
-import org.springframework.security.web.csrf.DefaultCsrfToken
-import org.springframework.security.web.util.matcher.RequestMatcher
-import org.springframework.web.servlet.support.RequestDataValueProcessor
-import spock.lang.Unroll
-
-import javax.servlet.http.HttpServletRequest
-import javax.servlet.http.HttpServletResponse
-
 import static org.mockito.Matchers.any
 import static org.mockito.Matchers.eq
 import static org.mockito.Mockito.*
 
+import javax.servlet.http.HttpServletResponse
+import javax.servlet.http.HttpServletResponseWrapper
+
+import org.springframework.mock.web.MockFilterChain
+import org.springframework.mock.web.MockHttpServletRequest
+import org.springframework.mock.web.MockHttpServletResponse
+
 /**
  *
  * @author Rob Winch
@@ -59,4 +44,36 @@ class HttpConfigTests extends AbstractHttpConfigTests {
 response.status == HttpServletResponse.SC_MOVED_TEMPORARILY
 response.redirectedUrl == 'http://localhost/login'
 }
+
+ def 'http disable-url-rewriting defaults to true'() {
+ setup:
+ xml.http() {}
+ createAppContext("""
+
+ """)
+ HttpServletResponse testResponse = new HttpServletResponseWrapper(response) {
+ public String encodeURL(String url) {
+ throw new RuntimeException("Unexpected invocation of encodeURL")
+ }
+ public String encodeRedirectURL(String url) {
+ throw new RuntimeException("Unexpected invocation of encodeURL")
+ }
+ public String encodeUrl(String url) {
+ throw new RuntimeException("Unexpected invocation of encodeURL")
+ }
+ public String encodeRedirectUrl(String url) {
+ throw new RuntimeException("Unexpected invocation of encodeURL")
+ }
+ }
+ when: 'request protected URL'
+ springSecurityFilterChain.doFilter(request,testResponse,{ request,response->
+ response.encodeURL("/url")
+ response.encodeRedirectURL("/url")
+ response.encodeUrl("/url")
+ response.encodeRedirectUrl("/url")
+ })
+ then: 'sent to login page'
+ response.status == HttpServletResponse.SC_MOVED_TEMPORARILY
+ response.redirectedUrl == 'http://localhost/login'
+ }
 }
\ No newline at end of file
diff --git a/config/src/test/groovy/org/springframework/security/config/http/SessionManagementConfigTests.groovy b/config/src/test/groovy/org/springframework/security/config/http/SessionManagementConfigTests.groovy
index 865321b0b1..bd3ffd9647 100644
--- a/config/src/test/groovy/org/springframework/security/config/http/SessionManagementConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/SessionManagementConfigTests.groovy
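Review bot: The four encode* calls inside the doFilter closure most likely never execute, so this test only proves that the redirect path stays away from the container's encoder: the request is for a protected URL and the `then:` block expects a 302 to /login, which implies access is denied before the filter chain reaches its target closure, leaving only whatever the redirect itself calls (presumably encodeRedirectURL) exercised. To actually cover encodeURL/encodeUrl, add a second case in which the closure does run, e.g. a permitAll intercept-url for the requested path or an already-authenticated request, and assert it completes without tripping the throwing wrapper. The four overrides also all throw `"Unexpected invocation of encodeURL"`, so a failure cannot say which method leaked through; use `"Unexpected invocation of encodeRedirectURL"`, `"Unexpected invocation of encodeUrl"` and `"Unexpected invocation of encodeRedirectUrl"` in the respective overrides. The class HttpConfigTests, whose closing brace ends this hunk, begins outside it.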
@@ -67,7 +67,7 @@ class SessionManagementConfigTests extends AbstractHttpConfigTests { expect: filter.forceEagerSessionCreation filter.repo.allowSessionCreation - !filter.repo.disableUrlRewriting + filter.repo.disableUrlRewriting } def settingCreateSessionToNeverSetsFilterPropertiesCorrectly() { diff --git a/docs/manual/src/docs/asciidoc/index.adoc b/docs/manual/src/docs/asciidoc/index.adoc index 3e97a18e0f..32dc487989 100644 --- a/docs/manual/src/docs/asciidoc/index.adoc +++ b/docs/manual/src/docs/asciidoc/index.adoc @@ -148,17 +148,17 @@ A minimal Spring Security Maven set of dependencies typically looks like the fol [subs="verbatim,attributes"] ---- - - - org.springframework.security - spring-security-web - {spring-security-version} - - - org.springframework.security - spring-security-config - {spring-security-version} - + + + org.springframework.security + spring-security-web + {spring-security-version} + + + org.springframework.security + spring-security-config + {spring-security-version} + ---- @@ -174,12 +174,12 @@ If you are using a SNAPSHOT version, you will need to ensure you have the Spring [source,xml] ---- - - - spring-snapshot - Spring Snapshot Repository - http://repo.springsource.org/snapshot - + + + spring-snapshot + Spring Snapshot Repository + http://repo.springsource.org/snapshot + ---- @@ -189,12 +189,12 @@ If you are using a milestone or release candidate version, you will need to ensu [source,xml] ---- - - - spring-milestone - Spring Milestone Repository - http://repo.springsource.org/milestone - + + + spring-milestone + Spring Milestone Repository + http://repo.springsource.org/milestone + ---- @@ -210,15 +210,15 @@ One (tedious) way to circumvent this issue would be to include all the Spring Fr [subs="verbatim,attributes"] ---- - - - org.springframework - spring-framework-bom - {spring-version} - pom - import - - + + + org.springframework + spring-framework-bom + {spring-version} + pom + import + + ---- 
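Review bot: The flipped assertion pins the new default, but nothing in the commit checks that an explicit `disable-url-rewriting="false"` still opts back in to URL rewriting, which is the only escape hatch for deployments that depend on cookieless clients; a sibling test that sets the attribute to false and asserts `!filter.repo.disableUrlRewriting` would lock that behaviour in. Since the index.adoc hunks in this commit are whitespace-only, the attribute's description in the schema or reference appendix should also gain a sentence stating the new default and the reason for it — session identifiers carried in URLs leak through Referer headers, proxy logs and browser history. The enclosing test method starts outside this hunk.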
@@ -235,8 +235,8 @@ A minimal Spring Security Gradle set of dependencies typically looks like the fo [subs="verbatim,attributes"] ---- dependencies { - compile 'org.springframework.security:spring-security-web:{spring-security-version}' - compile 'org.springframework.security:spring-security-config:{spring-security-version}' + compile 'org.springframework.security:spring-security-web:{spring-security-version}' + compile 'org.springframework.security:spring-security-config:{spring-security-version}' } ---- @@ -250,7 +250,7 @@ All GA releases (i.e. versions ending in .RELEASE) are deployed to Maven Central [source,groovy] ---- repositories { - mavenCentral() + mavenCentral() } ---- @@ -260,7 +260,7 @@ If you are using a SNAPSHOT version, you will need to ensure you have the Spring [source,groovy] ---- repositories { - maven { url 'https://repo.spring.io/snapshot' } + maven { url 'https://repo.spring.io/snapshot' } } ---- @@ -270,7 +270,7 @@ If you are using a milestone or release candidate version, you will need to ensu [source,groovy] ---- repositories { - maven { url 'https://repo.spring.io/milestone' } + maven { url 'https://repo.spring.io/milestone' } } ---- @@ -284,11 +284,11 @@ By default Gradle will use the newest version when resolving transitive versions [subs="verbatim,attributes"] ---- configurations.all { - resolutionStrategy.eachDependency { DependencyResolveDetails details -> - if (details.requested.group == 'org.springframework') { - details.useVersion '{spring-version}' - } - } + resolutionStrategy.eachDependency { DependencyResolveDetails details -> + if (details.requested.group == 'org.springframework') { + details.useVersion '{spring-version}' + } + } } ---- 
@@ -468,12 +468,12 @@ import org.springframework.security.config.annotation.web.configuration.*; @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { - @Autowired - public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { - auth - .inMemoryAuthentication() - .withUser("user").password("password").roles("USER"); - } + @Autowired + public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { + auth + .inMemoryAuthentication() + .withUser("user").password("password").roles("USER"); + } } ---- @@ -516,11 +516,11 @@ If you are not using Spring or Spring MVC, you will need to pass in the `Securit import org.springframework.security.web.context.*; public class SecurityWebApplicationInitializer - extends AbstractSecurityWebApplicationInitializer { + extends AbstractSecurityWebApplicationInitializer { - public SecurityWebApplicationInitializer() { - super(SecurityConfig.class); - } + public SecurityWebApplicationInitializer() { + super(SecurityConfig.class); + } } ---- @@ -538,7 +538,7 @@ If we were using Spring elsewhere in our application we probably already had a ` import org.springframework.security.web.context.*; public class SecurityWebApplicationInitializer - extends AbstractSecurityWebApplicationInitializer { + extends AbstractSecurityWebApplicationInitializer { } ---- @@ -549,14 +549,14 @@ This would simply only register the springSecurityFilterChain Filter for every U [source,java] ---- public class MvcWebApplicationInitializer extends - AbstractAnnotationConfigDispatcherServletInitializer { + AbstractAnnotationConfigDispatcherServletInitializer { - @Override - protected Class[] getRootConfigClasses() { - return new Class[] { SecurityConfig.class }; - } + @Override + protected Class[] getRootConfigClasses() { + return new Class[] { SecurityConfig.class }; + } - // ... other overrides ... + // ... other overrides ... } ---- 
@@ -568,13 +568,13 @@ Thus far our <> only contains information about ho [source,java] ---- protected void configure(HttpSecurity http) throws Exception { - http - .authorizeRequests() - .anyRequest().authenticated() - .and() - .formLogin() - .and() - .httpBasic(); + http + .authorizeRequests() + .anyRequest().authenticated() + .and() + .formLogin() + .and() + .httpBasic(); } ---- @@ -589,9 +589,9 @@ You will notice that this configuration is quite similar the XML Namespace confi [source,xml] ---- - - - + + + ---- @@ -609,13 +609,13 @@ While the automatically generated log in page is convenient to get up and runnin [source,java] ---- protected void configure(HttpSecurity http) throws Exception { - http - .authorizeRequests() - .anyRequest().authenticated() - .and() - .formLogin() - .loginPage("/login") // <1> - .permitAll(); // <2> + http + .authorizeRequests() + .anyRequest().authenticated() + .and() + .formLogin() + .loginPage("/login") // <1> + .permitAll(); // <2> } ---- @@ -630,28 +630,28 @@ NOTE: The login page below represents our current configuration. We could easily ----
<1> - <2> -

- Invalid username and password. -

-
- <3> -

- You have been logged out. -

-
-

- - <4> -

-

- - <5> -

- - name="${_csrf.parameterName}" - value="${_csrf.token}"/> - + <2> +

+ Invalid username and password. +

+
+ <3> +

+ You have been logged out. +

+
+

+ + <4> +

+

+ + <5> +

+ + name="${_csrf.parameterName}" + value="${_csrf.token}"/> +
---- @@ -670,15 +670,15 @@ Our examples have only required users to be authenticated and have done so for e [source,java] ---- protected void configure(HttpSecurity http) throws Exception { - http - .authorizeRequests() <1> - .antMatchers("/resources/**", "/signup", "/about").permitAll() <2> - .antMatchers("/admin/**").hasRole("ADMIN") <3> - .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") <4> - .anyRequest().authenticated() <5> - .and() - // ... - .formLogin(); + http + .authorizeRequests() <1> + .antMatchers("/resources/**", "/signup", "/about").permitAll() <2> + .antMatchers("/admin/**").hasRole("ADMIN") <3> + .antMatchers("/db/**").access("hasRole('ADMIN') and hasRole('DBA')") <4> + .anyRequest().authenticated() <5> + .and() + // ... + .formLogin(); } ---- @@ -702,10 +702,10 @@ We have already seen an example of configuring in memory authentication for a si ---- @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { - auth - .inMemoryAuthentication() - .withUser("user").password("password").roles("USER").and() - .withUser("admin").password("password").roles("USER", "ADMIN"); + auth + .inMemoryAuthentication() + .withUser("user").password("password").roles("USER").and() + .withUser("admin").password("password").roles("USER", "ADMIN"); } ---- @@ -721,12 +721,12 @@ private DataSource dataSource; @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { - auth - .jdbcAuthentication() - .dataSource(dataSource) - .withDefaultSchema() - .withUser("user").password("password").roles("USER").and() - .withUser("admin").password("password").roles("USER", "ADMIN"); + auth + .jdbcAuthentication() + .dataSource(dataSource) + .withDefaultSchema() + .withUser("user").password("password").roles("USER").and() + .withUser("admin").password("password").roles("USER", "ADMIN"); } ---- 
@@ -741,10 +741,10 @@ private DataSource dataSource; @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { - auth - .ldapAuthentication() - .userDnPatterns("uid={0},ou=people") - .groupSearchBase("ou=groups"); + auth + .ldapAuthentication() + .userDnPatterns("uid={0},ou=people") + .groupSearchBase("ou=groups"); } ---- 
@@ -804,39 +804,39 @@ We can configure multiple HttpSecurity instances just as we can have multiple `< ---- @EnableWebSecurity public class MultiHttpSecurityConfig { - @Autowired - public void configureGlobal(AuthenticationManagerBuilder auth) { <1> - auth - .inMemoryAuthentication() - .withUser("user").password("password").roles("USER").and() - .withUser("admin").password("password").roles("USER", "ADMIN"); - } + @Autowired + public void configureGlobal(AuthenticationManagerBuilder auth) { <1> + auth + .inMemoryAuthentication() + .withUser("user").password("password").roles("USER").and() + .withUser("admin").password("password").roles("USER", "ADMIN"); + } - @Configuration - @Order(1) <2> - public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter { - protected void configure(HttpSecurity http) throws Exception { - http - .antMatcher("/api/**") <3> - .authorizeRequests() - .anyRequest().hasRole("ADMIN") - .and() - .httpBasic(); - } - } + @Configuration + @Order(1) <2> + public static class ApiWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter { + protected void configure(HttpSecurity http) throws Exception { + http + .antMatcher("/api/**") <3> + .authorizeRequests() + .anyRequest().hasRole("ADMIN") + .and() + .httpBasic(); + } + } - @Configuration <4> - public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter { + @Configuration <4> + public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - http - .authorizeRequests() - .anyRequest().authenticated() - .and() - .formLogin(); - } - } + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .authorizeRequests() + .anyRequest().authenticated() + .and() + .formLogin(); + } + } } ---- 
@@ -859,7 +859,7 @@ We can enable annotation-based security using the `@EnableGlobalMethodSecurity` ---- @EnableGlobalMethodSecurity(securedEnabled = true) public class MethodSecurityConfig { - // ... +// ... } ---- @@ -869,14 +869,14 @@ Adding an annotation to a method (on an class or interface) would then limit the ---- public interface BankService { - @Secured("IS_AUTHENTICATED_ANONYMOUSLY") - public Account readAccount(Long id); +@Secured("IS_AUTHENTICATED_ANONYMOUSLY") +public Account readAccount(Long id); - @Secured("IS_AUTHENTICATED_ANONYMOUSLY") - public Account[] findAccounts(); +@Secured("IS_AUTHENTICATED_ANONYMOUSLY") +public Account[] findAccounts(); - @Secured("ROLE_TELLER") - public Account post(Account account, double amount); +@Secured("ROLE_TELLER") +public Account post(Account account, double amount); } ---- @@ -886,7 +886,7 @@ Support for JSR-250 annotations can be enabled using ---- @EnableGlobalMethodSecurity(jsr250Enabled = true) public class MethodSecurityConfig { - // ... +// ... } ---- @@ -896,7 +896,7 @@ These are standards-based and allow simple role-based constraints to be applied ---- @EnableGlobalMethodSecurity(prePostEnabled = true) public class MethodSecurityConfig { - // ... +// ... } ---- @@ -906,14 +906,14 @@ and the equivalent Java code would be ---- public interface BankService { - @PreAuthorize("isAnonymous()") - public Account readAccount(Long id); +@PreAuthorize("isAnonymous()") +public Account readAccount(Long id); - @PreAuthorize("isAnonymous()") - public Account[] findAccounts(); +@PreAuthorize("isAnonymous()") +public Account[] findAccounts(); - @PreAuthorize("hasAuthority('ROLE_TELLER')") - public Account post(Account account, double amount); +@PreAuthorize("hasAuthority('ROLE_TELLER')") +public Account post(Account account, double amount); } ---- 
@@ -925,11 +925,11 @@ Sometimes you may need to perform operations that are more complicated than are ---- @EnableGlobalMethodSecurity(prePostEnabled = true) public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration { - @Override - protected MethodSecurityExpressionHandler createExpressionHandler() { - // ... create and return custom MethodSecurityExpressionHandler ... - return expressionHander; - } + @Override + protected MethodSecurityExpressionHandler createExpressionHandler() { + // ... create and return custom MethodSecurityExpressionHandler ... + return expressionHander; + } } ---- @@ -945,16 +945,16 @@ While there are good reasons to not directly expose every property, users may st ---- @Override protected void configure(HttpSecurity http) throws Exception { - http - .authorizeRequests() - .anyRequest().authenticated() - .withObjectPostProcessor(new ObjectPostProcessor() { - public O postProcess( - O fsi) { - fsi.setPublishAuthorizationSuccess(true); - return fsi; - } - }); + http + .authorizeRequests() + .anyRequest().authenticated() + .withObjectPostProcessor(new ObjectPostProcessor() { + public O postProcess( + O fsi) { + fsi.setPublishAuthorizationSuccess(true); + return fsi; + } + }); } ---- 
@@ -981,33 +981,33 @@ To start using the security namespace in your application context, you need to h [source,xml] ---- - ... +xmlns:security="http://www.springframework.org/schema/security" +xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" +xsi:schemaLocation="http://www.springframework.org/schema/beans + http://www.springframework.org/schema/beans/spring-beans-3.0.xsd + http://www.springframework.org/schema/security + http://www.springframework.org/schema/security/spring-security.xsd"> + ... ---- In many of the examples you will see (and in the sample) applications, we - will often use "security" as the default namespace rather than "beans", which means we - can omit the prefix on all the security namespace elements, making the content easier to - read. You may also want to do this if you have your application context divided up into - separate files and have most of your security configuration in one of them. Your - security application context file would then start like this + will often use "security" as the default namespace rather than "beans", which means we + can omit the prefix on all the security namespace elements, making the content easier to + read. You may also want to do this if you have your application context divided up into + separate files and have most of your security configuration in one of them. Your + security application context file would then start like this [source,xml] ---- - ... +xmlns:beans="http://www.springframework.org/schema/beans" +xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" +xsi:schemaLocation="http://www.springframework.org/schema/beans + http://www.springframework.org/schema/beans/spring-beans-3.0.xsd + http://www.springframework.org/schema/security + http://www.springframework.org/schema/security/spring-security.xsd"> + ... ---- 
@@ -1042,13 +1042,13 @@ The first thing you need to do is add the following filter declaration to your ` [source,xml] ---- - springSecurityFilterChain - org.springframework.web.filter.DelegatingFilterProxy +springSecurityFilterChain +org.springframework.web.filter.DelegatingFilterProxy - springSecurityFilterChain - /* +springSecurityFilterChain +/* ---- @@ -1063,9 +1063,9 @@ All you need to enable web security to begin with is [source,xml] ---- - - - + + + ---- @@ -1091,12 +1091,12 @@ To add some users, you can define a set of test data directly in the namespace: [source,xml] ---- - - - - - - + + + + + + ---- @@ -1119,9 +1119,9 @@ You might be wondering where the login form came from when you were prompted to [source,xml] ---- - - - + + + ---- @@ -1137,8 +1137,8 @@ secured. It is also possible to have all requests matching a particular pattern - - + + ---- @@ -1152,8 +1152,8 @@ If you want to use basic authentication instead of form login, then change the c [source,xml] ---- - - + + ---- @@ -1167,9 +1167,9 @@ If a form login isn't prompted by an attempt to access a protected resource, the ---- - - + + ---- @@ -1186,9 +1186,9 @@ In practice you will need a more scalable source of user information than a few [source,xml] ---- - - - + + + ---- @@ -1197,9 +1197,9 @@ If you want to use a database, then you can use [source,xml] ---- - - - + + + ---- @@ -1208,12 +1208,12 @@ Where "securityDataSource" is the name of a `DataSource` bean in the application [source,xml] ---- - + - + class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl"> + ---- @@ -1222,9 +1222,9 @@ You can also use standard `AuthenticationProvider` beans as follows [source,xml] ---- - - - + + + ---- @@ -1237,18 +1237,18 @@ Passwords should always be encoded using a secure hashing algorithm designed for [source,xml] ---- + class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/> - - - - - - - + + + + + + + ---- 
@@ -1271,9 +1271,9 @@ If your application supports both HTTP and HTTPS, and you require that particula [source,xml] ---- - - - ... + + +... ---- @@ -1284,10 +1284,10 @@ If your application uses non-standard ports for HTTP and/or HTTPS, you can speci [source,xml] ---- - ... - - - +... + + + ---- @@ -1302,8 +1302,8 @@ You can configure Spring Security to detect the submission of an invalid session [source,xml] ---- - ... - +... + ---- @@ -1312,7 +1312,7 @@ Note that if you use this mechanism to detect session timeouts, it may falsely r [source,xml] ---- - + ---- @@ -1325,7 +1325,7 @@ If you are running your application behind a proxy, you may also be able to remo [source,xml] ---- - Header always set Set-Cookie "JSESSIONID=;Path=/tutorial;Expires=Thu, 01 Jan 1970 00:00:00 GMT" +Header always set Set-Cookie "JSESSIONID=;Path=/tutorial;Expires=Thu, 01 Jan 1970 00:00:00 GMT" ---- ==== @@ -1338,9 +1338,9 @@ If you wish to place constraints on a single user's ability to log in to your ap [source,xml] ---- - - org.springframework.security.web.session.HttpSessionEventPublisher - + + org.springframework.security.web.session.HttpSessionEventPublisher + ---- @@ -1349,10 +1349,10 @@ Then add the following lines to your application context: [source,xml] ---- - ... - - - +... + + + ---- @@ -1361,10 +1361,10 @@ This will prevent a user from logging in multiple times - a second login will ca [source,xml] ---- - ... - - - +... + + + ---- @@ -1395,8 +1395,8 @@ The namespace supports http://openid.net/[OpenID] login either instead of, or in [source,xml] ---- - - + + ---- @@ -1416,10 +1416,10 @@ Support for OpenID http://openid.net/specs/openid-attribute-exchange-1_0.html[at [source,xml] ---- - - - - + + + + ---- 
@@ -1428,7 +1428,7 @@ The "type" of each OpenID attribute is a URI, determined by a particular schema, [source,java] ---- OpenIDAuthenticationToken token = - (OpenIDAuthenticationToken)SecurityContextHolder.getContext().getAuthentication(); + (OpenIDAuthenticationToken)SecurityContextHolder.getContext().getAuthentication(); List attributes = token.getAttributes(); ---- @@ -1540,7 +1540,7 @@ You can add your own filter to the stack, using the `custom-filter` element and [source,xml] ---- - + @@ -1588,14 +1588,14 @@ Adding an annotation to a method (on an class or interface) would then limit the ---- public interface BankService { - @Secured("IS_AUTHENTICATED_ANONYMOUSLY") - public Account readAccount(Long id); +@Secured("IS_AUTHENTICATED_ANONYMOUSLY") +public Account readAccount(Long id); - @Secured("IS_AUTHENTICATED_ANONYMOUSLY") - public Account[] findAccounts(); +@Secured("IS_AUTHENTICATED_ANONYMOUSLY") +public Account[] findAccounts(); - @Secured("ROLE_TELLER") - public Account post(Account account, double amount); +@Secured("ROLE_TELLER") +public Account post(Account account, double amount); } ---- @@ -1619,14 +1619,14 @@ and the equivalent Java code would be ---- public interface BankService { - @PreAuthorize("isAnonymous()") - public Account readAccount(Long id); +@PreAuthorize("isAnonymous()") +public Account readAccount(Long id); - @PreAuthorize("isAnonymous()") - public Account[] findAccounts(); +@PreAuthorize("isAnonymous()") +public Account[] findAccounts(); - @PreAuthorize("hasAuthority('ROLE_TELLER')") - public Account post(Account account, double amount); +@PreAuthorize("hasAuthority('ROLE_TELLER')") +public Account post(Account account, double amount); } ---- @@ -1650,8 +1650,8 @@ The use of `protect-pointcut` is particularly powerful, as it allows you to appl [source,xml] ---- - + ---- @@ -1675,7 +1675,7 @@ For method security, you do this by setting the `access-decision-manager-ref` at [source,xml] ---- - ... +... ---- 
@@ -1684,7 +1684,7 @@ The syntax for web security is the same, but on the `http` element: [source,xml] ---- - ... +... ---- @@ -1697,12 +1697,12 @@ You may want to register additional `AuthenticationProvider` beans with the `Pro [source,xml] ---- - + - ... + class="org.springframework.security.cas.authentication.CasAuthenticationProvider"> +... ---- @@ -1711,13 +1711,13 @@ Another common requirement is that another bean in the context may require a ref [source,xml] ---- - ... +... - - ... + class="com.somecompany.security.web.CustomFormLoginFilter"> + +... ---- @@ -1866,9 +1866,9 @@ Inside the `SecurityContextHolder` we store details of the principal currently i Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal(); if (principal instanceof UserDetails) { - String username = ((UserDetails)principal).getUsername(); +String username = ((UserDetails)principal).getUsername(); } else { - String username = principal.toString(); +String username = principal.toString(); } ---- 
@@ -1885,12 +1885,12 @@ By now you're probably wondering, so when do I provide a `UserDetails` object? H [source,java] ---- - UserDetails loadUserByUsername(String username) throws UsernameNotFoundException; +UserDetails loadUserByUsername(String username) throws UsernameNotFoundException; ---- This is the most common approach to loading information for a user within Spring - Security and you will see it used throughout the framework whenever information on a - user is required. + Security and you will see it used throughout the framework whenever information on a + user is required. On successful authentication, `UserDetails` is used to build the `Authentication` object that is stored in the `SecurityContextHolder` (more on this <>). The good news is that we provide a number of `UserDetailsService` implementations, including one that uses an in-memory map (`InMemoryDaoImpl`) and another that uses JDBC (`JdbcDaoImpl`). Most users tend to write their own, though, with their implementations often simply sitting on top of an existing Data Access Object (DAO) that represents their employees, customers, or other users of the application. Remember the advantage that whatever your `UserDetailsService` returns can always be obtained from the `SecurityContextHolder` using the above code fragment. 
@@ -1962,51 +1962,51 @@ import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.context.SecurityContextHolder; public class AuthenticationExample { - private static AuthenticationManager am = new SampleAuthenticationManager(); +private static AuthenticationManager am = new SampleAuthenticationManager(); - public static void main(String[] args) throws Exception { - BufferedReader in = new BufferedReader(new InputStreamReader(System.in)); +public static void main(String[] args) throws Exception { + BufferedReader in = new BufferedReader(new InputStreamReader(System.in)); - while(true) { - System.out.println("Please enter your username:"); - String name = in.readLine(); - System.out.println("Please enter your password:"); - String password = in.readLine(); - try { - Authentication request = new UsernamePasswordAuthenticationToken(name, password); - Authentication result = am.authenticate(request); - SecurityContextHolder.getContext().setAuthentication(result); - break; - } catch(AuthenticationException e) { - System.out.println("Authentication failed: " + e.getMessage()); - } - } - System.out.println("Successfully authenticated. Security context contains: " + - SecurityContextHolder.getContext().getAuthentication()); - } + while(true) { + System.out.println("Please enter your username:"); + String name = in.readLine(); + System.out.println("Please enter your password:"); + String password = in.readLine(); + try { + Authentication request = new UsernamePasswordAuthenticationToken(name, password); + Authentication result = am.authenticate(request); + SecurityContextHolder.getContext().setAuthentication(result); + break; + } catch(AuthenticationException e) { + System.out.println("Authentication failed: " + e.getMessage()); + } + } + System.out.println("Successfully authenticated. 
Security context contains: " + + SecurityContextHolder.getContext().getAuthentication()); +} } class SampleAuthenticationManager implements AuthenticationManager { - static final List AUTHORITIES = new ArrayList(); +static final List AUTHORITIES = new ArrayList(); - static { - AUTHORITIES.add(new SimpleGrantedAuthority("ROLE_USER")); - } +static { + AUTHORITIES.add(new SimpleGrantedAuthority("ROLE_USER")); +} - public Authentication authenticate(Authentication auth) throws AuthenticationException { - if (auth.getName().equals(auth.getCredentials())) { - return new UsernamePasswordAuthenticationToken(auth.getName(), - auth.getCredentials(), AUTHORITIES); - } - throw new BadCredentialsException("Bad Credentials"); - } +public Authentication authenticate(Authentication auth) throws AuthenticationException { + if (auth.getName().equals(auth.getCredentials())) { + return new UsernamePasswordAuthenticationToken(auth.getName(), + auth.getCredentials(), AUTHORITIES); + } + throw new BadCredentialsException("Bad Credentials"); +} } ---- Here - we have written a little program that asks the user to enter a username and password - and performs the above sequence. The - `AuthenticationManager` which we've implemented here will authenticate any user whose username and password are the same. It assigns a single role to every user. The output from the above will be something like: + we have written a little program that asks the user to enter a username and password + and performs the above sequence. The + `AuthenticationManager` which we've implemented here will authenticate any user whose username and password are the same. It assigns a single role to every user. The output from the above will be something like: [source,txt] ---- 
@@ -2021,10 +2021,10 @@ bob Please enter your password: bob Successfully authenticated. Security context contains: \ - org.springframework.security.authentication.UsernamePasswordAuthenticationToken@441d0230: \ - Principal: bob; Password: [PROTECTED]; \ - Authenticated: true; Details: null; \ - Granted Authorities: ROLE_USER +org.springframework.security.authentication.UsernamePasswordAuthenticationToken@441d0230: \ +Principal: bob; Password: [PROTECTED]; \ +Authenticated: true; Details: null; \ +Granted Authorities: ROLE_USER ---- @@ -2145,8 +2145,8 @@ Shipping in the `spring-security-core-xx.jar` you will find an `org.springframew [source,xml] ---- - + class="org.springframework.context.support.ReloadableResourceBundleMessageSource"> + ---- @@ -2176,14 +2176,14 @@ If you are using the namespace, an instance of `ProviderManager` is created and ---- - - - - - - - + class="org.springframework.security.authentication.ProviderManager"> + + + + + + + ---- @@ -2207,9 +2207,9 @@ The simplest `AuthenticationProvider` implemented by Spring Security is `DaoAuth ---- - - + class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"> + + ---- @@ -2236,8 +2236,8 @@ Is easy to use create a custom `UserDetailsService` implementation that extracts [source,xml] ---- - - + + ---- @@ -2270,15 +2270,15 @@ Spring Security also includes a `UserDetailsService` that can obtain authenticat [source,xml] ---- - - - - + + + + - + class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl"> + ---- @@ -2342,13 +2342,13 @@ When using `DelegatingFilterProxy`, you will see something like this in the `web [source,xml] ---- - myFilter - org.springframework.web.filter.DelegatingFilterProxy +myFilter +org.springframework.web.filter.DelegatingFilterProxy - myFilter - /* +myFilter +/* ---- @@ -2362,20 +2362,20 @@ Spring Security's web infrastructure should only be used by delegating to an ins [source,xml] ---- - - - - - - + + + + + + ---- 
@@ -2434,8 +2434,8 @@ As we saw earlier in the namespace chapter, it's possible to use multiple `http` ---- - - + + @@ -2443,9 +2443,9 @@ As we saw earlier in the namespace chapter, it's possible to use multiple `http` - - - + + + ---- @@ -2460,15 +2460,15 @@ We've already seen `FilterSecurityInterceptor` briefly when discussing < - - - - - - - - + class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor"> + + + + + + + + ---- @@ -2483,16 +2483,16 @@ The `SecurityMetadataSource` created by the namespace syntax obtains the configu [source,xml] ---- - - - - - - - - - + class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor"> + + + + + + + + + ---- @@ -2506,19 +2506,19 @@ The `ExceptionTranslationFilter` sits above the `FilterSecurityInterceptor` in t ---- - - +class="org.springframework.security.web.access.ExceptionTranslationFilter"> + + - +class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"> + - + class="org.springframework.security.web.access.AccessDeniedHandlerImpl"> + ---- @@ -2555,7 +2555,7 @@ We covered the purpose of this all-important filter in the < +class="org.springframework.security.web.context.SecurityContextPersistenceFilter"/> ---- As we saw previously, this filter has two main tasks. It is responsible for storage of the `SecurityContext` contents between HTTP requests and for clearing the `SecurityContextHolder` when a request is completed. Clearing the `ThreadLocal` in which the context is stored is essential, as it might otherwise be possible for a thread to be replaced into the servlet container's thread pool, with the security context for a particular user still attached. This thread might then be used at a later stage, performing operations with the wrong credentials. 
@@ -2569,10 +2569,10 @@ From Spring Security 3.0, the job of loading and storing the security context is ---- public interface SecurityContextRepository { - SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder); +SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder); - void saveContext(SecurityContext context, HttpServletRequest request, - HttpServletResponse response); +void saveContext(SecurityContext context, HttpServletRequest request, + HttpServletResponse response); } ---- @@ -2583,12 +2583,12 @@ The default implementation is `HttpSessionSecurityContextRepository`, which stor [source,xml] ---- - - - - - + class="org.springframework.security.web.context.SecurityContextPersistenceFilter"> + + + + + ---- @@ -2610,7 +2610,7 @@ The login form simply contains `username` and `password` input fields, and posts ---- - + ---- @@ -2689,9 +2689,9 @@ The http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.ht [source,java] ---- try { - httpServletRequest.login("user","password"); +httpServletRequest.login("user","password"); } catch(ServletException e) { - // fail to authenticate +// fail to authenticate } ---- 
@@ -2714,17 +2714,17 @@ The http://docs.oracle.com/javaee/6/api/javax/servlet/AsyncContext.html#start%28 ---- final AsyncContext async = httpServletRequest.startAsync(); async.start(new Runnable() { - public void run() { - Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); - try { - final HttpServletResponse asyncResponse = (HttpServletResponse) async.getResponse(); - asyncResponse.setStatus(HttpServletResponse.SC_OK); - asyncResponse.getWriter().write(String.valueOf(authentication)); - async.complete(); - } catch(Exception e) { - throw new RuntimeException(e); - } - } + public void run() { + Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); + try { + final HttpServletResponse asyncResponse = (HttpServletResponse) async.getResponse(); + asyncResponse.setStatus(HttpServletResponse.SC_OK); + asyncResponse.getWriter().write(String.valueOf(authentication)); + async.complete(); + } catch(Exception e) { + throw new RuntimeException(e); + } + } }); ---- @@ -2735,9 +2735,9 @@ If you are using Java Based configuration, you are ready to go. If you are using [source,xml] ---- +xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" +xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" +version="3.0"> ---- @@ -2747,17 +2747,17 @@ Next you need to ensure that your springSecurityFilterChain is setup for process [source,xml] ---- - springSecurityFilterChain - - org.springframework.web.filter.DelegatingFilterProxy - - true +springSecurityFilterChain + + org.springframework.web.filter.DelegatingFilterProxy + +true - springSecurityFilterChain - /* - REQUEST - ASYNC +springSecurityFilterChain +/* +REQUEST +ASYNC ---- 
@@ -2769,18 +2769,18 @@ So how does it work? If you are not really interested, feel free to skip the rem ---- httpServletRequest.startAsync(); new Thread("AsyncThread") { - @Override - public void run() { - try { - // Do work - TimeUnit.SECONDS.sleep(1); + @Override + public void run() { + try { + // Do work + TimeUnit.SECONDS.sleep(1); - // Write to and commit the httpServletResponse - httpServletResponse.getOutputStream().flush(); - } catch (Exception e) { - e.printStackTrace(); - } - } + // Write to and commit the httpServletResponse + httpServletResponse.getOutputStream().flush(); + } catch (Exception e) { + e.printStackTrace(); + } + } }.start(); ---- @@ -2812,14 +2812,14 @@ To implement HTTP Basic Authentication, you need to add a `BasicAuthenticationFi [source,xml] ---- - - +class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter"> + + - +class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint"> + ---- @@ -2854,17 +2854,17 @@ Now that we've reviewed the theory, let's see how to use it. To implement HTTP D [source,xml] ---- - - - + "org.springframework.security.web.authentication.www.DigestAuthenticationFilter"> + + + - - - + "org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint"> + + + ---- @@ -2908,8 +2908,8 @@ If you are familiar with the topics discussed in the chapter on < - ... - +... + ---- @@ -2922,8 +2922,8 @@ This approach is based on the article http://jaspan.com/improved_persistent_logi [source,xml] ---- - ... - +... + ---- @@ -2932,9 +2932,9 @@ The database should contain a `persistent_logins` table, created using the follo [source,ddl] ---- create table persistent_logins (username varchar(64) not null, - series varchar(64) primary key, - token varchar(64) not null, - last_used timestamp not null) + series varchar(64) primary key, + token varchar(64) not null, + last_used timestamp not null) ---- [[remember-me-impls]] 
@@ -2948,7 +2948,7 @@ Authentication autoLogin(HttpServletRequest request, HttpServletResponse respons void loginFail(HttpServletRequest request, HttpServletResponse response); void loginSuccess(HttpServletRequest request, HttpServletResponse response, - Authentication successfulAuthentication); + Authentication successfulAuthentication); ---- Please refer to the JavaDocs for a fuller discussion on what the methods do, although note at this stage that `AbstractAuthenticationProcessingFilter` only calls the `loginFail()` and `loginSuccess()` methods. The `autoLogin()` method is called by `RememberMeAuthenticationFilter` whenever the `SecurityContextHolder` does not contain an `Authentication`. This interface therefore provides the underlying remember-me implementation with sufficient notification of authentication-related events, and delegates to the implementation whenever a candidate web request might contain a cookie and wish to be remembered. This design allows any number of remember-me implementation strategies. We've seen above that Spring Security provides two implementations. We'll look at these in turn. @@ -2961,20 +2961,20 @@ The beans required in an application context to enable remember-me services are [source,xml] ---- - - +"org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter"> + + - - +"org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices"> + + - +"org.springframework.security.authentication.RememberMeAuthenticationProvider"> + ---- @@ -3015,17 +3015,17 @@ Now pretend you authenticate to your bank's website and then, without logging ou [source,xml] ----
- - - - + + + +
---- @@ -3068,9 +3068,9 @@ A common question is "do I need to protect JSON requests made by javascript?" Th [source,xml] ----
- - + +
---- @@ -3081,9 +3081,9 @@ This will produce the following JSON structure [source,javascript] ---- { "amount": 100, - "routingNumber": "evilsRoutingNumber", - "account": "evilsAccountNumber", - "ignore_me": "=test" +"routingNumber": "evilsRoutingNumber", +"account": "evilsAccountNumber", +"ignore_me": "=test" } ---- @@ -3092,9 +3092,9 @@ If an application were not validating the Content-Type, then it would be exposed [source,xml] ----
- - + +
---- @@ -3129,8 +3129,8 @@ As of Spring Security 4.0, CSRF protection is enabled by default with XML config [source,xml] ---- - - + + ---- @@ -3140,13 +3140,13 @@ CSRF protection is enabled by default with Java configuration. If you would like ---- @EnableWebSecurity public class WebSecurityConfig extends - WebSecurityConfigurerAdapter { +WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - http - .csrf().disable(); - } +@Override +protected void configure(HttpSecurity http) throws Exception { + http + .csrf().disable(); +} } ---- @@ -3161,12 +3161,12 @@ The last step is to ensure that you include the CSRF token in all PATCH, POST, P ----
- - + method="post"> + +
---- @@ -3185,13 +3185,13 @@ If you are using JSON, then it is not possible to submit the CSRF token within a [source,xml] ---- - - - - - - - + + + + + + + ---- Instead of manually creating the meta tags, you can use the simpler <> from the Spring Security JSP tag library. @@ -3201,11 +3201,11 @@ You can then include the token within all your Ajax requests. If you were using [source,javascript] ---- $(function () { - var token = $("meta[name='_csrf']").attr("content"); - var header = $("meta[name='_csrf_header']").attr("content"); - $(document).ajaxSend(function(e, xhr, options) { - xhr.setRequestHeader(header, token); - }); +var token = $("meta[name='_csrf']").attr("content"); +var header = $("meta[name='_csrf_header']").attr("content"); +$(document).ajaxSend(function(e, xhr, options) { + xhr.setRequestHeader(header, token); +}); }); ---- @@ -3214,8 +3214,8 @@ As an alternative to jQuery, we recommend using http://cujojs.com/[cujoJS's] res [source,javascript] ---- var client = rest.chain(csrf, { - token: $("meta[name='_csrf']").attr("content"), - name: $("meta[name='_csrf_header']").attr("content") +token: $("meta[name='_csrf']").attr("content"), +name: $("meta[name='_csrf_header']").attr("content") }); ---- @@ -3259,14 +3259,14 @@ If you really want to use HTTP GET with logout you can do so, but remember this ---- @EnableWebSecurity public class WebSecurityConfig extends - WebSecurityConfigurerAdapter { +WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - http - .logout() - .logoutRequestMatcher(new AntPathRequestMatcher("/logout")); - } +@Override +protected void configure(HttpSecurity http) throws Exception { + http + .logout() + .logoutRequestMatcher(new AntPathRequestMatcher("/logout")); +} } ---- 
@@ -3292,10 +3292,10 @@ To ensure `MultipartFilter` is specified before the Spring Security filter with ---- public class SecurityApplicationInitializer extends AbstractSecurityWebApplicationInitializer { - @Override - protected void beforeSpringSecurityFilterChain(ServletContext servletContext) { - insertFilters(servletContext, new MultipartFilter()); - } + @Override + protected void beforeSpringSecurityFilterChain(ServletContext servletContext) { + insertFilters(servletContext, new MultipartFilter()); + } } ---- @@ -3304,20 +3304,20 @@ To ensure `MultipartFilter` is specified before the Spring Security filter with [source,xml] ---- - MultipartFilter - org.springframework.web.multipart.support.MultipartFilter + MultipartFilter + org.springframework.web.multipart.support.MultipartFilter - springSecurityFilterChain - org.springframework.web.filter.DelegatingFilterProxy + springSecurityFilterChain + org.springframework.web.filter.DelegatingFilterProxy - MultipartFilter - /* + MultipartFilter + /* - springSecurityFilterChain - /* + springSecurityFilterChain + /* ---- @@ -3399,18 +3399,18 @@ You can easily do this with the following Java Configuration: ---- @EnableWebSecurity public class WebSecurityConfig extends - WebSecurityConfigurerAdapter { +WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - http - // ... - .headers() - .frameOptions() - .sameOrigin() - .and() - .hsts().disable(); - } +@Override +protected void configure(HttpSecurity http) throws Exception { + http + // ... + .headers() + .frameOptions() + .sameOrigin() + .and() + .hsts().disable(); +} } ---- @@ -3419,12 +3419,12 @@ Alternatively, if you are using Spring Security XML Configuration, you can use t [source,xml] ---- - + - - - - + + + + ---- 
@@ -3437,17 +3437,17 @@ If you are using Spring Security's Java Configuration the following will only ad ---- @EnableWebSecurity public class WebSecurityConfig extends - WebSecurityConfigurerAdapter { +WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - http - // ... - .headers() - // do not use any default headers unless explicitly listed - .defaultsDisabled() - .cacheControl(); - } +@Override +protected void configure(HttpSecurity http) throws Exception { + http + // ... + .headers() + // do not use any default headers unless explicitly listed + .defaultsDisabled() + .cacheControl(); +} } ---- @@ -3456,11 +3456,11 @@ The following XML will only add <>. [source,xml] ---- - + - - - + + + ---- @@ -3471,14 +3471,14 @@ If necessary, you can disable all of the HTTP Security response headers with the ---- @EnableWebSecurity public class WebSecurityConfig extends - WebSecurityConfigurerAdapter { +WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - http - // ... - .headers().disable(); - } +@Override +protected void configure(HttpSecurity http) throws Exception { + http + // ... + .headers().disable(); +} } ---- @@ -3487,9 +3487,9 @@ If necessary, you can disable all of the HTTP Security response headers with the [source,xml] ---- - + - + ---- @@ -3510,11 +3510,11 @@ However, if you only want cache control, you can enable this feature using Sprin [source,xml] ---- - + - - - + + + ---- 
@@ -3524,16 +3524,16 @@ Similarly, you can enable only cache control within Java Configuration with the ---- @EnableWebSecurity public class WebSecurityConfig extends - WebSecurityConfigurerAdapter { +WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - http - // ... - .headers() - .defaultsDisabled() - .cacheControl(); - } +@Override +protected void configure(HttpSecurity http) throws Exception { + http + // ... + .headers() + .defaultsDisabled() + .cacheControl(); +} } ---- @@ -3546,15 +3546,15 @@ When using Spring Web MVC, this is typically done within your configuration. For @EnableWebMvc public class WebMvcConfiguration extends WebMvcConfigurerAdapter { - @Override - public void addResourceHandlers(ResourceHandlerRegistry registry) { - registry - .addResourceHandler("/resources/**") - .addResourceLocations("/resources/") - .setCachePeriod(31556926); - } + @Override + public void addResourceHandlers(ResourceHandlerRegistry registry) { + registry + .addResourceHandler("/resources/**") + .addResourceLocations("/resources/") + .setCachePeriod(31556926); + } - // ... + // ... } ---- @@ -3582,11 +3582,11 @@ However, if you want more control over which headers are added you can use the < [source,xml] ---- - + - - - + + + ---- @@ -3596,16 +3596,16 @@ The X-Content-Type-Options header is added by default with Spring Security Java ---- @EnableWebSecurity public class WebSecurityConfig extends - WebSecurityConfigurerAdapter { +WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - http - // ... - .headers() - .defaultsDisabled() - .contentTypeOptions(); - } +@Override +protected void configure(HttpSecurity http) throws Exception { + http + // ... + .headers() + .defaultsDisabled() + .contentTypeOptions(); +} } ---- @@ -3634,13 +3634,13 @@ As with the other headers, Spring Security adds HSTS by default. You can customi [source,xml] ---- - + - - - + + + ---- 
@@ -3650,17 +3650,17 @@ Similarly, you can enable only HSTS headers with Java Configuration: ---- @EnableWebSecurity public class WebSecurityConfig extends - WebSecurityConfigurerAdapter { +WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - http - // ... - .headers() - .httpStrictTransportSecurity() - .includeSubdomains(true) - .maxAgeSeconds(31536000); - } +@Override +protected void configure(HttpSecurity http) throws Exception { + http + // ... + .headers() + .httpStrictTransportSecurity() + .includeSubdomains(true) + .maxAgeSeconds(31536000); +} } ---- @@ -3691,12 +3691,12 @@ For example, the following will instruct Spring Security to use "X-Frame-Options [source,xml] ---- - + - - - + + + ---- @@ -3706,16 +3706,16 @@ Similarly, you can customize frame options to use the same origin within Java Co ---- @EnableWebSecurity public class WebSecurityConfig extends - WebSecurityConfigurerAdapter { +WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - http - // ... - .headers() - .frameOptions() - .sameOrigin(); - } +@Override +protected void configure(HttpSecurity http) throws Exception { + http + // ... + .headers() + .frameOptions() + .sameOrigin(); +} } ---- @@ -3735,11 +3735,11 @@ This header is included by default. However, we can customize it if we wanted. F [source,xml] ---- - + - - - + + + ---- @@ -3749,16 +3749,16 @@ Similarly, you can customize xss protection within Java Configuration with the f ---- @EnableWebSecurity public class WebSecurityConfig extends - WebSecurityConfigurerAdapter { +WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - http - // ... - .headers() - .xssProtection() - .block(false); - } +@Override +protected void configure(HttpSecurity http) throws Exception { + http + // ... + .headers() + .xssProtection() + .block(false); +} } ---- 
@@ -3785,13 +3785,13 @@ When using the XML namespace, these headers can be added to the response using t [source,xml] ---- - + - -
-
- - + +
+
+ + ---- Similarly, the headers could be added to the response using Java Configuration as shown in the following: @@ -3800,16 +3800,16 @@ Similarly, the headers could be added to the response using Java Configuration a ---- @EnableWebSecurity public class WebSecurityConfig extends - WebSecurityConfigurerAdapter { +WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - http - // ... - .headers() - .addHeaderWriter(new StaticHeadersWriter("X-Content-Security-Policy","default-src 'self'")) - .addHeaderWriter(new StaticHeadersWriter("X-WebKit-CSP","default-src 'self'")); - } +@Override +protected void configure(HttpSecurity http) throws Exception { + http + // ... + .headers() + .addHeaderWriter(new StaticHeadersWriter("X-Content-Security-Policy","default-src 'self'")) + .addHeaderWriter(new StaticHeadersWriter("X-WebKit-CSP","default-src 'self'")); +} } ---- @@ -3822,18 +3822,18 @@ Let's take a look at an example of using an custom instance of `XFrameOptionsHea [source,xml] ---- - + - -
- + +
+ + class="org.springframework.security.web.header.writers.frameoptions.XFrameOptionsHeaderWriter" + c:frameOptionsMode="SAMEORIGIN"/> ---- @@ -3844,15 +3844,15 @@ We could also restrict framing of content to the same origin with Java configura ---- @EnableWebSecurity public class WebSecurityConfig extends - WebSecurityConfigurerAdapter { +WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - http - // ... - .headers() - .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN)); - } +@Override +protected void configure(HttpSecurity http) throws Exception { + http + // ... + .headers() + .addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN)); +} } ---- @@ -3866,24 +3866,24 @@ At times you may want to only write a header for certain requests. For example, [source,xml] ---- - + - - -
- + + +
+ - - - - - - + class="org.springframework.security.web.header.writers.DelegatingRequestMatcherHeaderWriter"> + + + + + + ---- @@ -3895,19 +3895,19 @@ We could also prevent framing of content to the log in page using java configura ---- @EnableWebSecurity public class WebSecurityConfig extends - WebSecurityConfigurerAdapter { +WebSecurityConfigurerAdapter { - @Override - protected void configure(HttpSecurity http) throws Exception { - RequestMatcher matcher = new AntPathRequestMatcher("/login"); - DelegatingRequestMatcherHeaderWriter headerWriter = - new DelegatingRequestMatcherHeaderWriter(matcher,new XFrameOptionsHeaderWriter()); - http - // ... - .headers() - .frameOptions().disabled() - .addHeaderWriter(headerWriter); - } +@Override +protected void configure(HttpSecurity http) throws Exception { + RequestMatcher matcher = new AntPathRequestMatcher("/login"); + DelegatingRequestMatcherHeaderWriter headerWriter = + new DelegatingRequestMatcherHeaderWriter(matcher,new XFrameOptionsHeaderWriter()); + http + // ... + .headers() + .frameOptions().disabled() + .addHeaderWriter(headerWriter); +} } ---- @@ -3933,18 +3933,18 @@ If the user is not currently authenticated, the filter will check whether an inv ---- - - + + - - ... +"org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"> + + ... +"org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy" /> ---- @@ -3970,11 +3970,11 @@ To use concurrent session support, you'll need to add the following to `web.xml` [source,xml] ---- - - - org.springframework.security.web.session.HttpSessionEventPublisher - - + + + org.springframework.security.web.session.HttpSessionEventPublisher + + ---- 
@@ -3985,43 +3985,43 @@ In addition, you will need to add the `ConcurrentSessionFilter` to your `FilterC ---- - - + + - + - - +class="org.springframework.security.web.session.ConcurrentSessionFilter"> + + - - +"org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"> + + - - - - - - - - - - - - - - + + + + + + + + + + + + + + + class="org.springframework.security.core.session.SessionRegistryImpl" /> ---- @@ -4062,14 +4062,14 @@ Three classes that together provide the anonymous authentication feature. `Anony ---- - - + class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter"> + + - + class="org.springframework.security.authentication.AnonymousAuthenticationProvider"> + ---- @@ -4087,18 +4087,18 @@ As explained earlier, the benefit of anonymous authentication is that all URI pa ---- - - - - - - - - - - " + - + class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor"> + + + + + + + + + + " + + ---- 
@@ -4133,12 +4133,12 @@ As we saw in the <>, all `Authenticat [source,java] ---- - String getAuthority(); +String getAuthority(); ---- This method allows - `AccessDecisionManager` s to obtain a precise `String` representation of the `GrantedAuthority`. By returning a representation as a `String`, a `GrantedAuthority` can be easily "read" by most `AccessDecisionManager` s. If a `GrantedAuthority` cannot be precisely represented as a `String`, the `GrantedAuthority` is considered "complex" and `getAuthority()` must return `null`. + `AccessDecisionManager` s to obtain a precise `String` representation of the `GrantedAuthority`. By returning a representation as a `String`, a `GrantedAuthority` can be easily "read" by most `AccessDecisionManager` s. If a `GrantedAuthority` cannot be precisely represented as a `String`, the `GrantedAuthority` is considered "complex" and `getAuthority()` must return `null`. An example of a "complex" `GrantedAuthority` would be an implementation that stores a list of operations and authority thresholds that apply to different customer account numbers. Representing this complex `GrantedAuthority` as a `String` would be quite difficult, and as a result the `getAuthority()` method should return `null`. This will indicate to any `AccessDecisionManager` that it will need to specifically support the `GrantedAuthority` implementation in order to understand its contents. @@ -4157,7 +4157,7 @@ The `AccessDecisionManager` is called by the `AbstractSecurityInterceptor` and i [source,java] ---- void decide(Authentication authentication, Object secureObject, - Collection attrs) throws AccessDeniedException; + Collection attrs) throws AccessDeniedException; boolean supports(ConfigAttribute attribute); 
@@ -4242,17 +4242,17 @@ The use of a role-hierarchy allows you to configure which roles (or authorities) ---- - + - - - ROLE_ADMIN > ROLE_STAFF - ROLE_STAFF > ROLE_USER - ROLE_USER > ROLE_GUEST - - + class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl"> + + + ROLE_ADMIN > ROLE_STAFF + ROLE_STAFF > ROLE_USER + ROLE_USER > ROLE_GUEST + + ---- @@ -4276,16 +4276,16 @@ You can of course configure a `MethodSecurityIterceptor` directly in your applic ---- - - - - - - - - - + "org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor"> + + + + + + + + + ---- @@ -4302,15 +4302,15 @@ Let's first consider how the `AspectJSecurityInterceptor` is configured in the S ---- - - - - - - - - + "org.springframework.security.access.intercept.aspectj.AspectJMethodSecurityInterceptor"> + + + + + + + + ---- 
@@ -4332,38 +4332,38 @@ import org.springframework.beans.factory.InitializingBean; public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { - private AspectJSecurityInterceptor securityInterceptor; + private AspectJSecurityInterceptor securityInterceptor; - pointcut domainObjectInstanceExecution(): target(PersistableEntity) - && execution(public * *(..)) && !within(DomainObjectInstanceSecurityAspect); + pointcut domainObjectInstanceExecution(): target(PersistableEntity) + && execution(public * *(..)) && !within(DomainObjectInstanceSecurityAspect); - Object around(): domainObjectInstanceExecution() { - if (this.securityInterceptor == null) { - return proceed(); - } + Object around(): domainObjectInstanceExecution() { + if (this.securityInterceptor == null) { + return proceed(); + } - AspectJCallback callback = new AspectJCallback() { - public Object proceedWithObject() { - return proceed(); - } - }; + AspectJCallback callback = new AspectJCallback() { + public Object proceedWithObject() { + return proceed(); + } + }; - return this.securityInterceptor.invoke(thisJoinPoint, callback); - } + return this.securityInterceptor.invoke(thisJoinPoint, callback); + } - public AspectJSecurityInterceptor getSecurityInterceptor() { - return securityInterceptor; - } + public AspectJSecurityInterceptor getSecurityInterceptor() { + return securityInterceptor; + } - public void setSecurityInterceptor(AspectJSecurityInterceptor securityInterceptor) { - this.securityInterceptor = securityInterceptor; - } + public void setSecurityInterceptor(AspectJSecurityInterceptor securityInterceptor) { + this.securityInterceptor = securityInterceptor; + } - public void afterPropertiesSet() throws Exception { - if (this.securityInterceptor == null) - throw new IllegalArgumentException("securityInterceptor required"); - } - } + public void afterPropertiesSet() throws Exception { + if (this.securityInterceptor == null) + throw new IllegalArgumentException("securityInterceptor 
required"); + } + } } ---- @@ -4377,9 +4377,9 @@ You will need to configure Spring to load the aspect and wire it with the `Aspec ---- - + class="security.samples.aspectj.DomainObjectInstanceSecurityAspect" + factory-method="aspectOf"> + ---- @@ -4457,11 +4457,11 @@ To use expressions to secure individual URLs, you would first need to set the `u [source,xml] ---- - - - ... - + + + ... + ---- @@ -4588,10 +4588,10 @@ There are some built-in expressions which are specific to method security, which [source,java] ---- boolean hasPermission(Authentication authentication, Object targetDomainObject, - Object permission); + Object permission); boolean hasPermission(Authentication authentication, Serializable targetId, - String targetType, Object permission); + String targetType, Object permission); ---- which map directly to the available versions of the expression, with the exception that the first argument (the `Authentication` object) is not supplied. The first is used in situations where the domain object, to which access is being controlled, is already loaded. Then expression will return true if the current user has the given permission for that object. The second version is used in cases where the object is not loaded, but its identifier is known. An abstract "type" specifier for the domain object is also required, allowing the correct ACL permissions to be loaded. This has traditionally been the Java class of the object, but does not have to be as long as it is consistent with how the permissions are loaded. @@ -4601,12 +4601,12 @@ To use `hasPermission()` expressions, you have to explicitly configure a `Permis [source,xml] ---- - + - +"org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler"> + ---- 
@@ -4708,9 +4708,9 @@ Permission p = BasePermission.ADMINISTRATION; // Create or update the relevant ACL MutableAcl acl = null; try { - acl = (MutableAcl) aclService.readAclById(oi); +acl = (MutableAcl) aclService.readAclById(oi); } catch (NotFoundException nfe) { - acl = aclService.createAcl(oi); +acl = aclService.createAcl(oi); } // Now grant some permissions via an access control entry (ACE) @@ -4772,7 +4772,7 @@ The pre-authenticated provider has little more to do than load the `UserDetails` [source,java] ---- public interface AuthenticationUserDetailsService { - UserDetails loadUserDetails(Authentication token) throws UsernameNotFoundException; +UserDetails loadUserDetails(Authentication token) throws UsernameNotFoundException; } ---- @@ -4800,26 +4800,26 @@ A typical configuration using this filter would look like this: [source,xml] ---- - - + + - - + + - - - - - + + + + + - + ---- @@ -4899,7 +4899,7 @@ This simple example would obtain the DN for the user by substituting the user lo [source,xml] ---- + user-search-base="ou=people"/> ---- If used with the server definition above, this would perform a search under the DN `ou=people,dc=springframework,dc=org` using the value of the `user-search-filter` attribute as a filter. Again the user login name is substituted for the parameter in the filter name, so it will search for an entry with the `uid` attribute equal to the user name. If `user-search-base` isn't supplied, the search will be performed from the root. 
@@ -4916,7 +4916,7 @@ So if we used the following configuration [source,xml] ---- + group-search-base="ou=groups" /> ---- and authenticated successfully as user "ben", the subsequent loading of authorities would perform a search under the directory entry`ou=groups,dc=springframework,dc=org`, looking for entries which contain the attribute `uniqueMember` with value `uid=ben,ou=people,dc=springframework,dc=org`. By default the authority names will have the prefix `ROLE_` prepended. You can change this using the `role-prefix` attribute. If you don't want any prefix, use `role-prefix="none"`. For more information on loading authorities, see the Javadoc for the `DefaultLdapAuthoritiesPopulator` class. @@ -4980,30 +4980,30 @@ A typical configuration, using some of the beans we've discussed here, might loo [source,xml] ---- - - - + class="org.springframework.security.ldap.DefaultSpringSecurityContextSource"> + + + - - - - - uid={0},ou=people - - - - - - - - - - + class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider"> + + + + + uid={0},ou=people + + + + + + + + + + ---- @@ -5015,10 +5015,10 @@ To configure a user search object, which uses the filter `(uid= ---- - - - + class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch"> + + + ---- @@ -5033,10 +5033,10 @@ The net result of an authentication using `LdapAuthenticationProvider` is the sa ---- public interface UserDetailsContextMapper { - UserDetails mapUserFromContext(DirContextOperations ctx, String username, - Collection authorities); +UserDetails mapUserFromContext(DirContextOperations ctx, String username, + Collection authorities); - void mapUserToContext(UserDetails user, DirContextAdapter ctx); +void mapUserToContext(UserDetails user, DirContextAdapter ctx); } ---- 
@@ -5057,9 +5057,9 @@ Configuring `ActiveDirectoryLdapAuthenticationProvider` is quite straightforward ---- - - +class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider"> + + } ---- @@ -5095,7 +5095,7 @@ The legacy options from Spring Security 2.0 are also supported, but discouraged. ---- - This content will only be visible to users who have the "supervisor" authority in their list of GrantedAuthoritys. +This content will only be visible to users who have the "supervisor" authority in their list of GrantedAuthoritys. ---- @@ -5106,7 +5106,7 @@ When used in conjuction with Spring Security's PermissionEvaluator, the tag can ---- - This content will only be visible to users who have read or write permission to the Object found as a request attribute named "domain". +This content will only be visible to users who have read or write permission to the Object found as a request attribute named "domain". ---- @@ -5117,7 +5117,7 @@ A common requirement is to only show a particular link, if the user is actually ---- - This content will only be visible to users who are authorized to send requests to the "/admin" URL. +This content will only be visible to users who are authorized to send requests to the "/admin" URL. ---- @@ -5148,7 +5148,7 @@ CAUTION: In general this tag should be considered deprecated. Instead use the << ---- - This will be shown if the user has all of the permissions represented by the values "1" or "2" on the given object. +This will be shown if the user has all of the permissions represented by the values "1" or "2" on the given object. ---- @@ -5167,12 +5167,12 @@ You should place this tag within an HTML `
` block, where you would [source,xml] ---- -
- - Name:
- - ... - +
+ + Name:
+ + ... + ---- @@ -5185,55 +5185,55 @@ You should place `csrfMetaTags` within an HTML `` block, where you ---- - - CSRF Protected JavaScript Page - - -