Added use of ANY_CHANNEL attribute to channel-security docbook

Luke Taylor 2008-08-06 00:20:58 +00:00
parent f31bcbee07
commit ecd63cabda

@ -40,35 +40,33 @@
by means of the <literal>requires-channel</literal> attribute on the <literal>&lt;intercept-url&gt;</literal> by means of the <literal>requires-channel</literal> attribute on the <literal>&lt;intercept-url&gt;</literal>
element and this is the simplest (and recommended approach)</para> element and this is the simplest (and recommended approach)</para>
<para>To confiure channel security explicitly, you would define the following the filter in your application <para>To confiure channel security explicitly, you would define the following the filter in your application
context:</para> context:
<programlisting><![CDATA[
<bean id="channelProcessingFilter" class="org.springframework.security.securechannel.ChannelProcessingFilter">
<property name="channelDecisionManager" ref="channelDecisionManager"/>
<property name="filterInvocationDefinitionSource">
<security:filter-invocation-definition-source path-type="regex">
<security:intercept-url pattern="\A/secure/.*\Z" access="REQUIRES_SECURE_CHANNEL"/>
<security:intercept-url pattern="\A/acegilogin.jsp.*\Z" access="REQUIRES_SECURE_CHANNEL"/>
<security:intercept-url pattern="\A/j_spring_security_check.*\Z" access="REQUIRES_SECURE_CHANNEL"/>
<security:intercept-url pattern="\A/.*\Z" access="ANY_CHANNEL"/>
</security:filter-invocation-definition-source>
</property>
</bean>
<para><programlisting> <bean id="channelDecisionManager" class="org.springframework.security.securechannel.ChannelDecisionManagerImpl">
&lt;bean id="channelProcessingFilter" class="org.springframework.security.securechannel.ChannelProcessingFilter"&gt; <property name="channelProcessors">
&lt;property name="channelDecisionManager" ref="channelDecisionManager"/&gt; <list>
&lt;property name="filterInvocationDefinitionSource"&gt; <ref bean="secureChannelProcessor"/>
&lt;security:filter-invocation-definition-source path-type="regex"&gt; <ref bean="insecureChannelProcessor"/>
&lt;security:intercept-url pattern="\A/secure/.*\Z" access="REQUIRES_SECURE_CHANNEL"/&gt; </list>
&lt;security:intercept-url pattern="\A/acegilogin.jsp.*\" access="REQUIRES_SECURE_CHANNEL"/&gt; </property>
&lt;security:intercept-url pattern="\A/j_spring_security_check.*\Z" access="REQUIRES_SECURE_CHANNEL"/&gt; </bean>
&lt;security:intercept-url pattern="\A/.*\Z" access="REQUIRES_INSECURE_CHANNEL"/&gt;
&lt;/security:filter-invocation-definition-source&gt;
&lt;/property&gt;
&lt;/bean&gt;
&lt;bean id="channelDecisionManager" class="org.springframework.security.securechannel.ChannelDecisionManagerImpl"&gt; <bean id="secureChannelProcessor" class="org.springframework.security.securechannel.SecureChannelProcessor"/>
&lt;property name="channelProcessors"&gt; <bean id="insecureChannelProcessor" class="org.springframework.security.securechannel.InsecureChannelProcessor"/>]]>
&lt;list&gt; </programlisting>
&lt;ref bean="secureChannelProcessor"/&gt; Like <literal>FilterSecurityInterceptor</literal>, Apache Ant
&lt;ref bean="insecureChannelProcessor"/&gt;
&lt;/list&gt;
&lt;/property&gt;
&lt;/bean&gt;
&lt;bean id="secureChannelProcessor" class="org.springframework.security.securechannel.SecureChannelProcessor"/&gt;
&lt;bean id="insecureChannelProcessor" class="org.springframework.security.securechannel.InsecureChannelProcessor"/&gt;
</programlisting></para>
<para>Like <literal>FilterSecurityInterceptor</literal>, Apache Ant
style paths are also supported by the style paths are also supported by the
<literal>ChannelProcessingFilter</literal>.</para> <literal>ChannelProcessingFilter</literal>.</para>
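Review bot: The last intercept-url in the new listing changes from access="REQUIRES_INSECURE_CHANNEL" to access="ANY_CHANNEL", but the paragraph around the listing gives the reader no hint of what that changes; the only explanation sits in a later paragraph. A sentence directly after the programlisting would help, stating that URLs matching the final pattern are no longer forced onto a particular channel. While this paragraph is being restructured, the unchanged lead-in still reads "To confiure channel security explicitly, you would define the following the filter"; "configure" and "the following filter" are worth fixing in the same commit. The sample also still uses the old /acegilogin.jsp page name in a document that otherwise refers to Spring Security.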
@ -77,10 +75,11 @@
attributes that apply. It then delegates to the attributes that apply. It then delegates to the
<literal>ChannelDecisionManager</literal>. The default implementation, <literal>ChannelDecisionManager</literal>. The default implementation,
<literal>ChannelDecisionManagerImpl</literal>, should suffice in most <literal>ChannelDecisionManagerImpl</literal>, should suffice in most
cases. It simply delegates through the list of configured cases. It simply delegates to the list of configured
<literal>ChannelProcessor</literal> instances. A <literal>ChannelProcessor</literal> instances. The attribute <literal>ANY_CHANNEL</literal>
can be used to override this behaviour and skip a particular URL. Otherwise, a
<literal>ChannelProcessor</literal> will review the request, and if it <literal>ChannelProcessor</literal> will review the request, and if it
is unhappy with the request (eg it was received across the incorrect is unhappy with the request (e.g. if it was received across the incorrect
transport protocol), it will perform a redirect, throw an exception or transport protocol), it will perform a redirect, throw an exception or
take whatever other action is appropriate.</para> take whatever other action is appropriate.</para>
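Review bot: In the added sentence, "can be used to override this behaviour and skip a particular URL" does not say what is skipped or what happens to the request afterwards. Suggest spelling it out, for example: "If the attribute ANY_CHANNEL is configured for a URL, no ChannelProcessor is consulted and the request proceeds on whichever channel it arrived on." Because the sample configuration uses ANY_CHANNEL as its catch-all pattern, it is also worth one sentence telling readers that any sensitive path not listed before the catch-all gets no HTTPS enforcement from this filter.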
@ -99,7 +98,7 @@
request to HTTP and HTTPS as appropriate. Appropriate defaults are request to HTTP and HTTPS as appropriate. Appropriate defaults are
assigned to the <literal>ChannelProcessor</literal> implementations assigned to the <literal>ChannelProcessor</literal> implementations
for the configuration attribute keywords they respond to and the for the configuration attribute keywords they respond to and the
<literal>ChannelEntryPoint</literal> they delegate to, although you <interfacename>ChannelEntryPoint</interfacename> they delegate to, although you
have the ability to override these using the application have the ability to override these using the application
context.</para> context.</para>
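Review bot: Only ChannelEntryPoint is moved to the interfacename element here, while ChannelProcessor two lines above it in the same sentence stays marked up as literal. If the intent is semantic markup for type names, convert both in this hunk so the sentence is consistent.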
@ -109,15 +108,15 @@
that Internet Explorer 6 Service Pack 1 has a bug whereby it does not that Internet Explorer 6 Service Pack 1 has a bug whereby it does not
respond correctly to a redirection instruction which also changes the respond correctly to a redirection instruction which also changes the
port to use. Accordingly, absolute URLs are used in conjunction with port to use. Accordingly, absolute URLs are used in conjunction with
bug detection logic in the <literal>PortResolverImpl</literal> that is bug detection logic in the <classname>PortResolverImpl</classname> that is
wired up by default to many Spring Security beans. Please refer to the wired up by default to many Spring Security beans. Please refer to the
JavaDocs for <literal>PortResolverImpl</literal> for further JavaDocs for <classname>PortResolverImpl</classname> for further
details.</para> details.</para>
<para>You should note that using a secure channel is recommended if <para>You should note that using a secure channel is recommended if
usernames and passwords are to be kept secure during the login usernames and passwords are to be kept secure during the login
process. If you do decide to use process. If you do decide to use
<literal>ChannelProcessingFilter</literal> with form-based login, <classname>ChannelProcessingFilter</classname> with form-based login,
please ensure that your login page is set to please ensure that your login page is set to
<literal>REQUIRES_SECURE_CHANNEL</literal>, and that the <literal>REQUIRES_SECURE_CHANNEL</literal>, and that the
<literal>AuthenticationProcessingFilterEntryPoint.forceHttps</literal> <literal>AuthenticationProcessingFilterEntryPoint.forceHttps</literal>
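Review bot: PortResolverImpl and ChannelProcessingFilter become classname here, but the same file still marks up ChannelProcessingFilter (end of the first hunk) and ChannelDecisionManagerImpl (second hunk) as literal. Either convert those occurrences in this commit as well or note in the commit message that the markup change is partial, since the message currently mentions only the ANY_CHANNEL addition.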