SEC-487: Added documentation on use of #NONE# in FilterChainProxy. Also changed doc version to 1.0.5.
parent
dda88e3931
commit
f47ccd81a6
|
@ -4,7 +4,7 @@
|
|||
|
||||
<!--
|
||||
* ========================================================================
|
||||
*
|
||||
*
|
||||
* Copyright 2004 Acegi Technology Pty Limited
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
|
@ -18,7 +18,7 @@
|
|||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
*
|
||||
* ========================================================================
|
||||
-->
|
||||
<book>
|
||||
|
@ -27,7 +27,7 @@
|
|||
|
||||
<subtitle>Reference Documentation</subtitle>
|
||||
|
||||
<releaseinfo>1.0.4</releaseinfo>
|
||||
<releaseinfo>1.0.5</releaseinfo>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
|
@ -479,7 +479,7 @@ if (obj instanceof UserDetails) {
|
|||
<literal>ROLE_HR_SUPERVISOR</literal>. These roles are later on
|
||||
configured for web authorization, method authorization and domain
|
||||
object authorization. Other parts of Acegi Security are capable of
|
||||
interpreting these authorities, and expect them to be present.
|
||||
interpreting these authorities, and expect them to be present.
|
||||
<literal>GrantedAuthority</literal> objects are usually loaded by
|
||||
the <literal>UserDetailsService</literal>.</para>
|
||||
|
||||
|
@ -1068,6 +1068,19 @@ if (obj instanceof UserDetails) {
|
|||
any servlet container lifecycle invocations are not delegated through
|
||||
to <literal>FilterChainProxy</literal>.</para>
|
||||
|
||||
<para>You can also omit a URI pattern from the filter chain by using
|
||||
the token <literal>#NONE#</literal> on the right-hand side of the
|
||||
<literal><URI Pattern> = <Filter Chain></literal> expression. For example, using
|
||||
the example above, if you wanted to exclude the <filename>/webservices</filename>
|
||||
location completely, you would modify the corresponding line in the bean declaration to be
|
||||
<programlisting>
|
||||
/webServices/**=#NONE#
|
||||
</programlisting>
|
||||
Note that anything matching this path will then have no authentication
|
||||
or authorization services applied and will be freely accessible.
|
||||
</para>
|
||||
|
||||
|
||||
<para>The order that filters are defined in <literal>web.xml</literal>
|
||||
is very important. Irrespective of which filters you are actually
|
||||
using, the order of the <literal><filter-mapping></literal>s
|
||||
|
@ -1230,7 +1243,7 @@ if (obj instanceof UserDetails) {
|
|||
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
|
||||
\A/secure/.*\Z=REQUIRES_SECURE_CHANNEL
|
||||
\A/acegilogin.jsp.*\Z=REQUIRES_SECURE_CHANNEL
|
||||
\A/j_acegi_security_check.*\Z=REQUIRES_SECURE_CHANNEL
|
||||
\A/j_acegi_security_check.*\Z=REQUIRES_SECURE_CHANNEL
|
||||
\A.*\Z=REQUIRES_INSECURE_CHANNEL
|
||||
</value>
|
||||
</property>
|
||||
|
@ -1918,7 +1931,7 @@ if (obj instanceof UserDetails) {
|
|||
<value>classpath:/ehcache-failsafe.xml</value>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
|
||||
<bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
|
||||
<property name="cacheManager">
|
||||
<ref local="cacheManager"/>
|
||||
|
@ -1927,7 +1940,7 @@ if (obj instanceof UserDetails) {
|
|||
<value>userCache</value>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
|
||||
<bean id="userCache" class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
|
||||
<property name="cache"><ref local="userCacheBackend"/></property>
|
||||
</bean> </programlisting></para>
|
||||
|
@ -2774,7 +2787,7 @@ key: A private key to prevent modification of the remember-me token
|
|||
<property name="userDetailsService"><ref local="jdbcDaoImpl"/></property>
|
||||
<property name="key"><value>springRocks</value></property>
|
||||
</bean>
|
||||
|
||||
|
||||
<bean id="rememberMeAuthenticationProvider" class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
|
||||
<property name="key"><value>springRocks</value></property>
|
||||
</bean>
|
||||
|
@ -3126,7 +3139,7 @@ key: A private key to prevent modification of the remember-me token
|
|||
|
||||
<para>A typical configuration, using some of the beans we've discussed
|
||||
above, might look like this: <programlisting>
|
||||
<bean id="initialDirContextFactory"
|
||||
<bean id="initialDirContextFactory"
|
||||
class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
|
||||
<constructor-arg value="ldap://monkeymachine:389/dc=acegisecurity,dc=org"/>
|
||||
<property name="managerDn"><value>cn=manager,dc=acegisecurity,dc=org</value></property>
|
||||
|
@ -3143,13 +3156,13 @@ key: A private key to prevent modification of the remember-me token
|
|||
</constructor-arg>
|
||||
<constructor-arg index="2">
|
||||
<ref local="initialDirContextFactory" />
|
||||
</constructor-arg>
|
||||
</constructor-arg>
|
||||
<property name="searchSubtree">
|
||||
<value>true</value>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<bean id="ldapAuthProvider"
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<bean id="ldapAuthProvider"
|
||||
class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
|
||||
<constructor-arg>
|
||||
<bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
|
||||
|
@ -3165,7 +3178,7 @@ key: A private key to prevent modification of the remember-me token
|
|||
</bean>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
|
||||
|
||||
</programlisting> This would set up the provider to access an LDAP
|
||||
server with URL
|
||||
<literal>ldap://monkeymachine:389/dc=acegisecurity,dc=org</literal>.
|
||||
|
@ -3620,7 +3633,7 @@ key: A private key to prevent modification of the remember-me token
|
|||
<bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
|
||||
</list>
|
||||
</property>
|
||||
|
||||
|
||||
<property name="authenticationHandlers">
|
||||
<list>
|
||||
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" />
|
||||
|
@ -3630,8 +3643,8 @@ key: A private key to prevent modification of the remember-me token
|
|||
</list>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
|
||||
|
||||
|
||||
<bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
|
||||
<property name="userMap">
|
||||
<value>
|
||||
|
@ -3642,11 +3655,11 @@ key: A private key to prevent modification of the remember-me token
|
|||
</value>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
|
||||
<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
|
||||
<property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property>
|
||||
</bean>
|
||||
|
||||
|
||||
<bean id="acegiAuthenticationManager" class="org.acegisecurity.providers.ProviderManager">
|
||||
<property name="providers">
|
||||
<list>
|
||||
|
@ -3655,7 +3668,7 @@ key: A private key to prevent modification of the remember-me token
|
|||
</property>
|
||||
</bean>
|
||||
</beans>
|
||||
|
||||
|
||||
</programlisting>
|
||||
|
||||
<para>Note the granted authorities are ignored by CAS because it has
|
||||
|
@ -3663,7 +3676,7 @@ key: A private key to prevent modification of the remember-me token
|
|||
applications. CAS is only concerned with username and passwords (and
|
||||
the enabled/disabled status).</para>
|
||||
|
||||
<para>Copy <literal>acegi-security.jar</literal> and
|
||||
<para>Copy <literal>acegi-security.jar</literal> and
|
||||
<literal>acegi-security-cas.jar</literal> files into
|
||||
<literal>/localPlugins/lib</literal>. Now use the <literal>ant
|
||||
war</literal> task in the <literal>build.xml</literal> in the
|
||||
|
@ -3721,7 +3734,7 @@ key: A private key to prevent modification of the remember-me token
|
|||
|
||||
<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
|
||||
<property name="authenticationEntryPoint"><ref local="casProcessingFilterEntryPoint"/></property>
|
||||
</bean>
|
||||
</bean>
|
||||
|
||||
<bean id="casProcessingFilterEntryPoint" class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint">
|
||||
<property name="loginUrl"><value>https://localhost:8443/cas/login</value></property>
|
||||
|
@ -3733,7 +3746,7 @@ key: A private key to prevent modification of the remember-me token
|
|||
<para>You will also need to add the
|
||||
<literal>CasProcessingFilter</literal> to web.xml:</para>
|
||||
|
||||
<para><programlisting>
|
||||
<para><programlisting>
|
||||
<filter>
|
||||
<filter-name>Acegi CAS Processing Filter</filter-name>
|
||||
<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
|
||||
|
@ -3798,7 +3811,7 @@ key: A private key to prevent modification of the remember-me token
|
|||
<value>classpath:/ehcache-failsafe.xml</value>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
|
||||
<bean id="ticketCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
|
||||
<property name="cacheManager">
|
||||
<ref local="cacheManager"/>
|
||||
|
@ -3807,7 +3820,7 @@ key: A private key to prevent modification of the remember-me token
|
|||
<value>ticketCache</value>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
|
||||
<bean id="statelessTicketCache" class="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache">
|
||||
<property name="cache"><ref local="ticketCacheBackend"/></property>
|
||||
</bean>
|
||||
|
@ -4110,7 +4123,7 @@ key: A private key to prevent modification of the remember-me token
|
|||
file so that it contains a new entry under the
|
||||
<literal><Policy></literal> section:</para>
|
||||
|
||||
<para><programlisting>
|
||||
<para><programlisting>
|
||||
<application-policy name = "SpringPoweredRealm">
|
||||
<authentication>
|
||||
<login-module code = "org.acegisecurity.adapters.jboss.JbossAcegiLoginModule"
|
||||
|
@ -4120,7 +4133,7 @@ key: A private key to prevent modification of the remember-me token
|
|||
</login-module>
|
||||
</authentication>
|
||||
</application-policy>
|
||||
|
||||
|
||||
</programlisting></para>
|
||||
|
||||
<para>Copy <literal>acegisecurity.xml</literal> into
|
||||
|
@ -5224,7 +5237,7 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean {
|
|||
|
||||
private AspectJSecurityInterceptor securityInterceptor;
|
||||
|
||||
pointcut domainObjectInstanceExecution(): target(PersistableEntity)
|
||||
pointcut domainObjectInstanceExecution(): target(PersistableEntity)
|
||||
&& execution(public * *(..)) && !within(DomainObjectInstanceSecurityAspect);
|
||||
|
||||
Object around(): domainObjectInstanceExecution() {
|
||||
|
@ -5270,7 +5283,7 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean {
|
|||
declaration which achieves this is shown below:</para>
|
||||
|
||||
<programlisting>
|
||||
<bean id="domainObjectInstanceSecurityAspect"
|
||||
<bean id="domainObjectInstanceSecurityAspect"
|
||||
class="org.acegisecurity.samples.aspectj.DomainObjectInstanceSecurityAspect"
|
||||
factory-method="aspectOf">
|
||||
<property name="securityInterceptor"><ref bean="aspectJSecurityInterceptor"/></property>
|
||||
|
@ -5322,7 +5335,7 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean {
|
|||
<property name="loginFormUrl"><value>/acegilogin.jsp</value></property>
|
||||
<property name="forceHttps"><value>false</value></property>
|
||||
</bean>
|
||||
|
||||
|
||||
<bean id="filterSecurityInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
|
||||
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
||||
<property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
|
||||
|
|
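Review bot: The sample line in the new `#NONE#` paragraph (hunk `@ -1068,6 +1068,19`) is `/webServices/**=#NONE#`, but the sentence introducing it calls the location `/webservices`; the case should agree with the pattern used in the earlier example, which is outside this hunk. Because this token leaves matching requests with no authentication or authorization applied, a reader who copies a pattern that does not match as intended either keeps the path filtered or exempts a different path, so the prose should name the exact form, e.g. `<filename>/webServices</filename>`. I would also extend the closing note with `Place this entry before any broader pattern that would otherwise match the same URIs, and keep the pattern as narrow as possible.`, assuming patterns are evaluated in declaration order with the first match winning (not visible on this page).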