SEC-487: Added documentation on use of #NONE# in FilterChainProxy. Also changed doc version to 1.0.5.
parent
dda88e3931
commit
f47ccd81a6
@ -4,7 +4,7 @@
|
|||||||
|
|
||||||
<!--
|
<!--
|
||||||
* ========================================================================
|
* ========================================================================
|
||||||
*
|
*
|
||||||
* Copyright 2004 Acegi Technology Pty Limited
|
* Copyright 2004 Acegi Technology Pty Limited
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
@ -18,7 +18,7 @@
|
|||||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
* See the License for the specific language governing permissions and
|
* See the License for the specific language governing permissions and
|
||||||
* limitations under the License.
|
* limitations under the License.
|
||||||
*
|
*
|
||||||
* ========================================================================
|
* ========================================================================
|
||||||
-->
|
-->
|
||||||
<book>
|
<book>
|
||||||
@ -27,7 +27,7 @@
|
|||||||
|
|
||||||
<subtitle>Reference Documentation</subtitle>
|
<subtitle>Reference Documentation</subtitle>
|
||||||
|
|
||||||
<releaseinfo>1.0.4</releaseinfo>
|
<releaseinfo>1.0.5</releaseinfo>
|
||||||
|
|
||||||
<authorgroup>
|
<authorgroup>
|
||||||
<author>
|
<author>
|
||||||
@ -479,7 +479,7 @@ if (obj instanceof UserDetails) {
|
|||||||
<literal>ROLE_HR_SUPERVISOR</literal>. These roles are later on
|
<literal>ROLE_HR_SUPERVISOR</literal>. These roles are later on
|
||||||
configured for web authorization, method authorization and domain
|
configured for web authorization, method authorization and domain
|
||||||
object authorization. Other parts of Acegi Security are capable of
|
object authorization. Other parts of Acegi Security are capable of
|
||||||
interpreting these authorities, and expect them to be present.
|
interpreting these authorities, and expect them to be present.
|
||||||
<literal>GrantedAuthority</literal> objects are usually loaded by
|
<literal>GrantedAuthority</literal> objects are usually loaded by
|
||||||
the <literal>UserDetailsService</literal>.</para>
|
the <literal>UserDetailsService</literal>.</para>
|
||||||
|
|
||||||
@ -1068,6 +1068,19 @@ if (obj instanceof UserDetails) {
|
|||||||
any servlet container lifecycle invocations are not delegated through
|
any servlet container lifecycle invocations are not delegated through
|
||||||
to <literal>FilterChainProxy</literal>.</para>
|
to <literal>FilterChainProxy</literal>.</para>
|
||||||
|
|
||||||
|
<para>You can also omit a URI pattern from the filter chain by using
|
||||||
|
the token <literal>#NONE#</literal> on the right-hand side of the
|
||||||
|
<literal><URI Pattern> = <Filter Chain></literal> expression. For example, using
|
||||||
|
the example above, if you wanted to exclude the <filename>/webservices</filename>
|
||||||
|
location completely, you would modify the corresponding line in the bean declaration to be
|
||||||
|
<programlisting>
|
||||||
|
/webServices/**=#NONE#
|
||||||
|
</programlisting>
|
||||||
|
Note that anything matching this path will then have no authentication
|
||||||
|
or authorization services applied and will be freely accessible.
|
||||||
|
</para>
|
||||||
|
|
||||||
|
|
||||||
<para>The order that filters are defined in <literal>web.xml</literal>
|
<para>The order that filters are defined in <literal>web.xml</literal>
|
||||||
is very important. Irrespective of which filters you are actually
|
is very important. Irrespective of which filters you are actually
|
||||||
using, the order of the <literal><filter-mapping></literal>s
|
using, the order of the <literal><filter-mapping></literal>s
|
||||||
@ -1230,7 +1243,7 @@ if (obj instanceof UserDetails) {
|
|||||||
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
|
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
|
||||||
\A/secure/.*\Z=REQUIRES_SECURE_CHANNEL
|
\A/secure/.*\Z=REQUIRES_SECURE_CHANNEL
|
||||||
\A/acegilogin.jsp.*\Z=REQUIRES_SECURE_CHANNEL
|
\A/acegilogin.jsp.*\Z=REQUIRES_SECURE_CHANNEL
|
||||||
\A/j_acegi_security_check.*\Z=REQUIRES_SECURE_CHANNEL
|
\A/j_acegi_security_check.*\Z=REQUIRES_SECURE_CHANNEL
|
||||||
\A.*\Z=REQUIRES_INSECURE_CHANNEL
|
\A.*\Z=REQUIRES_INSECURE_CHANNEL
|
||||||
</value>
|
</value>
|
||||||
</property>
|
</property>
|
||||||
@ -1918,7 +1931,7 @@ if (obj instanceof UserDetails) {
|
|||||||
<value>classpath:/ehcache-failsafe.xml</value>
|
<value>classpath:/ehcache-failsafe.xml</value>
|
||||||
</property>
|
</property>
|
||||||
</bean>
|
</bean>
|
||||||
|
|
||||||
<bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
|
<bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
|
||||||
<property name="cacheManager">
|
<property name="cacheManager">
|
||||||
<ref local="cacheManager"/>
|
<ref local="cacheManager"/>
|
||||||
@ -1927,7 +1940,7 @@ if (obj instanceof UserDetails) {
|
|||||||
<value>userCache</value>
|
<value>userCache</value>
|
||||||
</property>
|
</property>
|
||||||
</bean>
|
</bean>
|
||||||
|
|
||||||
<bean id="userCache" class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
|
<bean id="userCache" class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
|
||||||
<property name="cache"><ref local="userCacheBackend"/></property>
|
<property name="cache"><ref local="userCacheBackend"/></property>
|
||||||
</bean> </programlisting></para>
|
</bean> </programlisting></para>
|
||||||
@ -2774,7 +2787,7 @@ key: A private key to prevent modification of the remember-me token
|
|||||||
<property name="userDetailsService"><ref local="jdbcDaoImpl"/></property>
|
<property name="userDetailsService"><ref local="jdbcDaoImpl"/></property>
|
||||||
<property name="key"><value>springRocks</value></property>
|
<property name="key"><value>springRocks</value></property>
|
||||||
</bean>
|
</bean>
|
||||||
|
|
||||||
<bean id="rememberMeAuthenticationProvider" class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
|
<bean id="rememberMeAuthenticationProvider" class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
|
||||||
<property name="key"><value>springRocks</value></property>
|
<property name="key"><value>springRocks</value></property>
|
||||||
</bean>
|
</bean>
|
||||||
@ -3126,7 +3139,7 @@ key: A private key to prevent modification of the remember-me token
|
|||||||
|
|
||||||
<para>A typical configuration, using some of the beans we've discussed
|
<para>A typical configuration, using some of the beans we've discussed
|
||||||
above, might look like this: <programlisting>
|
above, might look like this: <programlisting>
|
||||||
<bean id="initialDirContextFactory"
|
<bean id="initialDirContextFactory"
|
||||||
class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
|
class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
|
||||||
<constructor-arg value="ldap://monkeymachine:389/dc=acegisecurity,dc=org"/>
|
<constructor-arg value="ldap://monkeymachine:389/dc=acegisecurity,dc=org"/>
|
||||||
<property name="managerDn"><value>cn=manager,dc=acegisecurity,dc=org</value></property>
|
<property name="managerDn"><value>cn=manager,dc=acegisecurity,dc=org</value></property>
|
||||||
@ -3143,13 +3156,13 @@ key: A private key to prevent modification of the remember-me token
|
|||||||
</constructor-arg>
|
</constructor-arg>
|
||||||
<constructor-arg index="2">
|
<constructor-arg index="2">
|
||||||
<ref local="initialDirContextFactory" />
|
<ref local="initialDirContextFactory" />
|
||||||
</constructor-arg>
|
</constructor-arg>
|
||||||
<property name="searchSubtree">
|
<property name="searchSubtree">
|
||||||
<value>true</value>
|
<value>true</value>
|
||||||
</property>
|
</property>
|
||||||
</bean>
|
</bean>
|
||||||
|
|
||||||
<bean id="ldapAuthProvider"
|
<bean id="ldapAuthProvider"
|
||||||
class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
|
class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
|
||||||
<constructor-arg>
|
<constructor-arg>
|
||||||
<bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
|
<bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
|
||||||
@ -3165,7 +3178,7 @@ key: A private key to prevent modification of the remember-me token
|
|||||||
</bean>
|
</bean>
|
||||||
</constructor-arg>
|
</constructor-arg>
|
||||||
</bean>
|
</bean>
|
||||||
|
|
||||||
</programlisting> This would set up the provider to access an LDAP
|
</programlisting> This would set up the provider to access an LDAP
|
||||||
server with URL
|
server with URL
|
||||||
<literal>ldap://monkeymachine:389/dc=acegisecurity,dc=org</literal>.
|
<literal>ldap://monkeymachine:389/dc=acegisecurity,dc=org</literal>.
|
||||||
@ -3620,7 +3633,7 @@ key: A private key to prevent modification of the remember-me token
|
|||||||
<bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
|
<bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
|
||||||
</list>
|
</list>
|
||||||
</property>
|
</property>
|
||||||
|
|
||||||
<property name="authenticationHandlers">
|
<property name="authenticationHandlers">
|
||||||
<list>
|
<list>
|
||||||
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" />
|
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" />
|
||||||
@ -3630,8 +3643,8 @@ key: A private key to prevent modification of the remember-me token
|
|||||||
</list>
|
</list>
|
||||||
</property>
|
</property>
|
||||||
</bean>
|
</bean>
|
||||||
|
|
||||||
|
|
||||||
<bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
|
<bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
|
||||||
<property name="userMap">
|
<property name="userMap">
|
||||||
<value>
|
<value>
|
||||||
@ -3642,11 +3655,11 @@ key: A private key to prevent modification of the remember-me token
|
|||||||
</value>
|
</value>
|
||||||
</property>
|
</property>
|
||||||
</bean>
|
</bean>
|
||||||
|
|
||||||
<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
|
<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
|
||||||
<property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property>
|
<property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property>
|
||||||
</bean>
|
</bean>
|
||||||
|
|
||||||
<bean id="acegiAuthenticationManager" class="org.acegisecurity.providers.ProviderManager">
|
<bean id="acegiAuthenticationManager" class="org.acegisecurity.providers.ProviderManager">
|
||||||
<property name="providers">
|
<property name="providers">
|
||||||
<list>
|
<list>
|
||||||
@ -3655,7 +3668,7 @@ key: A private key to prevent modification of the remember-me token
|
|||||||
</property>
|
</property>
|
||||||
</bean>
|
</bean>
|
||||||
</beans>
|
</beans>
|
||||||
|
|
||||||
</programlisting>
|
</programlisting>
|
||||||
|
|
||||||
<para>Note the granted authorities are ignored by CAS because it has
|
<para>Note the granted authorities are ignored by CAS because it has
|
||||||
@ -3663,7 +3676,7 @@ key: A private key to prevent modification of the remember-me token
|
|||||||
applications. CAS is only concerned with username and passwords (and
|
applications. CAS is only concerned with username and passwords (and
|
||||||
the enabled/disabled status).</para>
|
the enabled/disabled status).</para>
|
||||||
|
|
||||||
<para>Copy <literal>acegi-security.jar</literal> and
|
<para>Copy <literal>acegi-security.jar</literal> and
|
||||||
<literal>acegi-security-cas.jar</literal> files into
|
<literal>acegi-security-cas.jar</literal> files into
|
||||||
<literal>/localPlugins/lib</literal>. Now use the <literal>ant
|
<literal>/localPlugins/lib</literal>. Now use the <literal>ant
|
||||||
war</literal> task in the <literal>build.xml</literal> in the
|
war</literal> task in the <literal>build.xml</literal> in the
|
||||||
@ -3721,7 +3734,7 @@ key: A private key to prevent modification of the remember-me token
|
|||||||
|
|
||||||
<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
|
<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
|
||||||
<property name="authenticationEntryPoint"><ref local="casProcessingFilterEntryPoint"/></property>
|
<property name="authenticationEntryPoint"><ref local="casProcessingFilterEntryPoint"/></property>
|
||||||
</bean>
|
</bean>
|
||||||
|
|
||||||
<bean id="casProcessingFilterEntryPoint" class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint">
|
<bean id="casProcessingFilterEntryPoint" class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint">
|
||||||
<property name="loginUrl"><value>https://localhost:8443/cas/login</value></property>
|
<property name="loginUrl"><value>https://localhost:8443/cas/login</value></property>
|
||||||
@ -3733,7 +3746,7 @@ key: A private key to prevent modification of the remember-me token
|
|||||||
<para>You will also need to add the
|
<para>You will also need to add the
|
||||||
<literal>CasProcessingFilter</literal> to web.xml:</para>
|
<literal>CasProcessingFilter</literal> to web.xml:</para>
|
||||||
|
|
||||||
<para><programlisting>
|
<para><programlisting>
|
||||||
<filter>
|
<filter>
|
||||||
<filter-name>Acegi CAS Processing Filter</filter-name>
|
<filter-name>Acegi CAS Processing Filter</filter-name>
|
||||||
<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
|
<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
|
||||||
@ -3798,7 +3811,7 @@ key: A private key to prevent modification of the remember-me token
|
|||||||
<value>classpath:/ehcache-failsafe.xml</value>
|
<value>classpath:/ehcache-failsafe.xml</value>
|
||||||
</property>
|
</property>
|
||||||
</bean>
|
</bean>
|
||||||
|
|
||||||
<bean id="ticketCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
|
<bean id="ticketCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
|
||||||
<property name="cacheManager">
|
<property name="cacheManager">
|
||||||
<ref local="cacheManager"/>
|
<ref local="cacheManager"/>
|
||||||
@ -3807,7 +3820,7 @@ key: A private key to prevent modification of the remember-me token
|
|||||||
<value>ticketCache</value>
|
<value>ticketCache</value>
|
||||||
</property>
|
</property>
|
||||||
</bean>
|
</bean>
|
||||||
|
|
||||||
<bean id="statelessTicketCache" class="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache">
|
<bean id="statelessTicketCache" class="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache">
|
||||||
<property name="cache"><ref local="ticketCacheBackend"/></property>
|
<property name="cache"><ref local="ticketCacheBackend"/></property>
|
||||||
</bean>
|
</bean>
|
||||||
@ -4110,7 +4123,7 @@ key: A private key to prevent modification of the remember-me token
|
|||||||
file so that it contains a new entry under the
|
file so that it contains a new entry under the
|
||||||
<literal><Policy></literal> section:</para>
|
<literal><Policy></literal> section:</para>
|
||||||
|
|
||||||
<para><programlisting>
|
<para><programlisting>
|
||||||
<application-policy name = "SpringPoweredRealm">
|
<application-policy name = "SpringPoweredRealm">
|
||||||
<authentication>
|
<authentication>
|
||||||
<login-module code = "org.acegisecurity.adapters.jboss.JbossAcegiLoginModule"
|
<login-module code = "org.acegisecurity.adapters.jboss.JbossAcegiLoginModule"
|
||||||
@ -4120,7 +4133,7 @@ key: A private key to prevent modification of the remember-me token
|
|||||||
</login-module>
|
</login-module>
|
||||||
</authentication>
|
</authentication>
|
||||||
</application-policy>
|
</application-policy>
|
||||||
|
|
||||||
</programlisting></para>
|
</programlisting></para>
|
||||||
|
|
||||||
<para>Copy <literal>acegisecurity.xml</literal> into
|
<para>Copy <literal>acegisecurity.xml</literal> into
|
||||||
@ -5224,7 +5237,7 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean {
|
|||||||
|
|
||||||
private AspectJSecurityInterceptor securityInterceptor;
|
private AspectJSecurityInterceptor securityInterceptor;
|
||||||
|
|
||||||
pointcut domainObjectInstanceExecution(): target(PersistableEntity)
|
pointcut domainObjectInstanceExecution(): target(PersistableEntity)
|
||||||
&& execution(public * *(..)) && !within(DomainObjectInstanceSecurityAspect);
|
&& execution(public * *(..)) && !within(DomainObjectInstanceSecurityAspect);
|
||||||
|
|
||||||
Object around(): domainObjectInstanceExecution() {
|
Object around(): domainObjectInstanceExecution() {
|
||||||
@ -5270,7 +5283,7 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean {
|
|||||||
declaration which achieves this is shown below:</para>
|
declaration which achieves this is shown below:</para>
|
||||||
|
|
||||||
<programlisting>
|
<programlisting>
|
||||||
<bean id="domainObjectInstanceSecurityAspect"
|
<bean id="domainObjectInstanceSecurityAspect"
|
||||||
class="org.acegisecurity.samples.aspectj.DomainObjectInstanceSecurityAspect"
|
class="org.acegisecurity.samples.aspectj.DomainObjectInstanceSecurityAspect"
|
||||||
factory-method="aspectOf">
|
factory-method="aspectOf">
|
||||||
<property name="securityInterceptor"><ref bean="aspectJSecurityInterceptor"/></property>
|
<property name="securityInterceptor"><ref bean="aspectJSecurityInterceptor"/></property>
|
||||||
@ -5322,7 +5335,7 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean {
|
|||||||
<property name="loginFormUrl"><value>/acegilogin.jsp</value></property>
|
<property name="loginFormUrl"><value>/acegilogin.jsp</value></property>
|
||||||
<property name="forceHttps"><value>false</value></property>
|
<property name="forceHttps"><value>false</value></property>
|
||||||
</bean>
|
</bean>
|
||||||
|
|
||||||
<bean id="filterSecurityInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
|
<bean id="filterSecurityInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
|
||||||
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
||||||
<property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
|
<property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
|
||||||
|