Josh Cummings
4 years ago
18 changed files with 1210 additions and 1190 deletions
@ -0,0 +1,292 @@
@@ -0,0 +1,292 @@
|
||||
[[nsa-authentication]] |
||||
= Authentication Services |
||||
Before Spring Security 3.0, an `AuthenticationManager` was automatically registered internally. |
||||
Now you must register one explicitly using the `<authentication-manager>` element. |
||||
This creates an instance of Spring Security's `ProviderManager` class, which needs to be configured with a list of one or more `AuthenticationProvider` instances. |
||||
These can either be created using syntax elements provided by the namespace, or they can be standard bean definitions, marked for addition to the list using the `authentication-provider` element. |
||||
|
||||
|
||||
[[nsa-authentication-manager]] |
||||
== <authentication-manager> |
||||
Every Spring Security application which uses the namespace must have include this element somewhere. |
||||
It is responsible for registering the `AuthenticationManager` which provides authentication services to the application. |
||||
All elements which create `AuthenticationProvider` instances should be children of this element. |
||||
|
||||
|
||||
[[nsa-authentication-manager-attributes]] |
||||
=== <authentication-manager> Attributes |
||||
|
||||
|
||||
[[nsa-authentication-manager-alias]] |
||||
* **alias** |
||||
This attribute allows you to define an alias name for the internal instance for use in your own configuration. |
||||
|
||||
|
||||
[[nsa-authentication-manager-erase-credentials]] |
||||
* **erase-credentials** |
||||
If set to true, the AuthenticationManager will attempt to clear any credentials data in the returned Authentication object, once the user has been authenticated. |
||||
Literally it maps to the `eraseCredentialsAfterAuthentication` property of the xref:servlet/authentication/architecture.adoc#servlet-authentication-providermanager[`ProviderManager`]. |
||||
|
||||
|
||||
[[nsa-authentication-manager-id]] |
||||
* **id** |
||||
This attribute allows you to define an id for the internal instance for use in your own configuration. |
||||
It is the same as the alias element, but provides a more consistent experience with elements that use the id attribute. |
||||
|
||||
|
||||
[[nsa-authentication-manager-children]] |
||||
=== Child Elements of <authentication-manager> |
||||
|
||||
|
||||
* <<nsa-authentication-provider,authentication-provider>> |
||||
* xref:servlet/appendix/namespace/ldap.adoc#nsa-ldap-authentication-provider[ldap-authentication-provider] |
||||
|
||||
|
||||
|
||||
[[nsa-authentication-provider]] |
||||
== <authentication-provider> |
||||
Unless used with a `ref` attribute, this element is shorthand for configuring a `DaoAuthenticationProvider`. |
||||
`DaoAuthenticationProvider` loads user information from a `UserDetailsService` and compares the username/password combination with the values supplied at login. |
||||
The `UserDetailsService` instance can be defined either by using an available namespace element (`jdbc-user-service` or by using the `user-service-ref` attribute to point to a bean defined elsewhere in the application context). |
||||
|
||||
|
||||
|
||||
[[nsa-authentication-provider-parents]] |
||||
=== Parent Elements of <authentication-provider> |
||||
|
||||
|
||||
* <<nsa-authentication-manager,authentication-manager>> |
||||
|
||||
|
||||
|
||||
[[nsa-authentication-provider-attributes]] |
||||
=== <authentication-provider> Attributes |
||||
|
||||
|
||||
[[nsa-authentication-provider-ref]] |
||||
* **ref** |
||||
Defines a reference to a Spring bean that implements `AuthenticationProvider`. |
||||
|
||||
If you have written your own `AuthenticationProvider` implementation (or want to configure one of Spring Security's own implementations as a traditional bean for some reason, then you can use the following syntax to add it to the internal list of `ProviderManager`: |
||||
|
||||
[source,xml] |
||||
---- |
||||
|
||||
<security:authentication-manager> |
||||
<security:authentication-provider ref="myAuthenticationProvider" /> |
||||
</security:authentication-manager> |
||||
<bean id="myAuthenticationProvider" class="com.something.MyAuthenticationProvider"/> |
||||
|
||||
---- |
||||
|
||||
|
||||
|
||||
|
||||
[[nsa-authentication-provider-user-service-ref]] |
||||
* **user-service-ref** |
||||
A reference to a bean that implements UserDetailsService that may be created using the standard bean element or the custom user-service element. |
||||
|
||||
|
||||
[[nsa-authentication-provider-children]] |
||||
=== Child Elements of <authentication-provider> |
||||
|
||||
|
||||
* <<nsa-jdbc-user-service,jdbc-user-service>> |
||||
* xref:servlet/appendix/namespace/ldap.adoc#nsa-ldap-user-service[ldap-user-service] |
||||
* <<nsa-password-encoder,password-encoder>> |
||||
* <<nsa-user-service,user-service>> |
||||
|
||||
|
||||
|
||||
[[nsa-jdbc-user-service]] |
||||
== <jdbc-user-service> |
||||
Causes creation of a JDBC-based UserDetailsService. |
||||
|
||||
|
||||
[[nsa-jdbc-user-service-attributes]] |
||||
=== <jdbc-user-service> Attributes |
||||
|
||||
|
||||
[[nsa-jdbc-user-service-authorities-by-username-query]] |
||||
* **authorities-by-username-query** |
||||
An SQL statement to query for a user's granted authorities given a username. |
||||
|
||||
The default is |
||||
|
||||
[source] |
||||
---- |
||||
select username, authority from authorities where username = ? |
||||
---- |
||||
|
||||
|
||||
|
||||
|
||||
[[nsa-jdbc-user-service-cache-ref]] |
||||
* **cache-ref** |
||||
Defines a reference to a cache for use with a UserDetailsService. |
||||
|
||||
|
||||
[[nsa-jdbc-user-service-data-source-ref]] |
||||
* **data-source-ref** |
||||
The bean ID of the DataSource which provides the required tables. |
||||
|
||||
|
||||
[[nsa-jdbc-user-service-group-authorities-by-username-query]] |
||||
* **group-authorities-by-username-query** |
||||
An SQL statement to query user's group authorities given a username. |
||||
The default is |
||||
|
||||
+ |
||||
|
||||
[source] |
||||
---- |
||||
select |
||||
g.id, g.group_name, ga.authority |
||||
from |
||||
groups g, group_members gm, group_authorities ga |
||||
where |
||||
gm.username = ? and g.id = ga.group_id and g.id = gm.group_id |
||||
---- |
||||
|
||||
|
||||
|
||||
|
||||
[[nsa-jdbc-user-service-id]] |
||||
* **id** |
||||
A bean identifier, used for referring to the bean elsewhere in the context. |
||||
|
||||
|
||||
[[nsa-jdbc-user-service-role-prefix]] |
||||
* **role-prefix** |
||||
A non-empty string prefix that will be added to role strings loaded from persistent storage (default is "ROLE_"). |
||||
Use the value "none" for no prefix in cases where the default is non-empty. |
||||
|
||||
|
||||
[[nsa-jdbc-user-service-users-by-username-query]] |
||||
* **users-by-username-query** |
||||
An SQL statement to query a username, password, and enabled status given a username. |
||||
The default is |
||||
|
||||
+ |
||||
|
||||
[source] |
||||
---- |
||||
select username, password, enabled from users where username = ? |
||||
---- |
||||
|
||||
|
||||
|
||||
|
||||
[[nsa-password-encoder]] |
||||
== <password-encoder> |
||||
Authentication providers can optionally be configured to use a password encoder as described in the xref:features/authentication/password-storage.adoc#authentication-password-storage[Password Storage]. |
||||
This will result in the bean being injected with the appropriate `PasswordEncoder` instance. |
||||
|
||||
|
||||
[[nsa-password-encoder-parents]] |
||||
=== Parent Elements of <password-encoder> |
||||
|
||||
|
||||
* <<nsa-authentication-provider,authentication-provider>> |
||||
* xref:servlet/appendix/namespace/authentication-manager.adoc#nsa-password-compare[password-compare] |
||||
|
||||
|
||||
|
||||
[[nsa-password-encoder-attributes]] |
||||
=== <password-encoder> Attributes |
||||
|
||||
|
||||
[[nsa-password-encoder-hash]] |
||||
* **hash** |
||||
Defines the hashing algorithm used on user passwords. |
||||
We recommend strongly against using MD4, as it is a very weak hashing algorithm. |
||||
|
||||
|
||||
[[nsa-password-encoder-ref]] |
||||
* **ref** |
||||
Defines a reference to a Spring bean that implements `PasswordEncoder`. |
||||
|
||||
|
||||
[[nsa-user-service]] |
||||
== <user-service> |
||||
Creates an in-memory UserDetailsService from a properties file or a list of "user" child elements. |
||||
Usernames are converted to lower-case internally to allow for case-insensitive lookups, so this should not be used if case-sensitivity is required. |
||||
|
||||
|
||||
[[nsa-user-service-attributes]] |
||||
=== <user-service> Attributes |
||||
|
||||
|
||||
[[nsa-user-service-id]] |
||||
* **id** |
||||
A bean identifier, used for referring to the bean elsewhere in the context. |
||||
|
||||
|
||||
[[nsa-user-service-properties]] |
||||
* **properties** |
||||
The location of a Properties file where each line is in the format of |
||||
|
||||
+ |
||||
|
||||
[source] |
||||
---- |
||||
username=password,grantedAuthority[,grantedAuthority][,enabled|disabled] |
||||
---- |
||||
|
||||
|
||||
|
||||
|
||||
[[nsa-user-service-children]] |
||||
=== Child Elements of <user-service> |
||||
|
||||
|
||||
* <<nsa-user,user>> |
||||
|
||||
|
||||
|
||||
[[nsa-user]] |
||||
== <user> |
||||
Represents a user in the application. |
||||
|
||||
|
||||
[[nsa-user-parents]] |
||||
=== Parent Elements of <user> |
||||
|
||||
|
||||
* <<nsa-user-service,user-service>> |
||||
|
||||
|
||||
|
||||
[[nsa-user-attributes]] |
||||
=== <user> Attributes |
||||
|
||||
|
||||
[[nsa-user-authorities]] |
||||
* **authorities** |
||||
One of more authorities granted to the user. |
||||
Separate authorities with a comma (but no space). |
||||
For example, "ROLE_USER,ROLE_ADMINISTRATOR" |
||||
|
||||
|
||||
[[nsa-user-disabled]] |
||||
* **disabled** |
||||
Can be set to "true" to mark an account as disabled and unusable. |
||||
|
||||
|
||||
[[nsa-user-locked]] |
||||
* **locked** |
||||
Can be set to "true" to mark an account as locked and unusable. |
||||
|
||||
|
||||
[[nsa-user-name]] |
||||
* **name** |
||||
The username assigned to the user. |
||||
|
||||
|
||||
[[nsa-user-password]] |
||||
* **password** |
||||
The password assigned to the user. |
||||
This may be hashed if the corresponding authentication provider supports hashing (remember to set the "hash" attribute of the "user-service" element). |
||||
This attribute be omitted in the case where the data will not be used for authentication, but only for accessing authorities. |
||||
If omitted, the namespace will generate a random value, preventing its accidental use for authentication. |
||||
Cannot be empty. |
||||
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,9 @@
@@ -0,0 +1,9 @@
|
||||
[[appendix-namespace]] |
||||
= The Security Namespace |
||||
:page-section-summary-toc: 1 |
||||
|
||||
This appendix provides a reference to the elements available in the security namespace and information on the underlying beans they create (a knowledge of the individual classes and how they work together is assumed - you can find more information in the project Javadoc and elsewhere in this document). |
||||
If you haven't used the namespace before, please read the xref:servlet/configuration/xml-namespace.adoc#ns-config[introductory chapter] on namespace configuration, as this is intended as a supplement to the information there. |
||||
Using a good quality XML editor while editing a configuration based on the schema is recommended as this will provide contextual information on which elements and attributes are available as well as comments explaining their purpose. |
||||
The namespace is written in https://relaxng.org/[RELAX NG] Compact format and later converted into an XSD schema. |
||||
If you are familiar with this format, you may wish to examine the https://raw.githubusercontent.com/spring-projects/spring-security/main/config/src/main/resources/org/springframework/security/config/spring-security-5.6.rnc[schema file] directly. |
||||
@ -0,0 +1,291 @@
@@ -0,0 +1,291 @@
|
||||
[[nsa-ldap]] |
||||
= LDAP Namespace Options |
||||
LDAP is covered in some details in xref:servlet/authentication/passwords/ldap.adoc#servlet-authentication-ldap[its own chapter]. |
||||
We will expand on that here with some explanation of how the namespace options map to Spring beans. |
||||
The LDAP implementation uses Spring LDAP extensively, so some familiarity with that project's API may be useful. |
||||
|
||||
|
||||
[[nsa-ldap-server]] |
||||
== Defining the LDAP Server using the |
||||
`<ldap-server>` Element |
||||
This element sets up a Spring LDAP `ContextSource` for use by the other LDAP beans, defining the location of the LDAP server and other information (such as a username and password, if it doesn't allow anonymous access) for connecting to it. |
||||
It can also be used to create an embedded server for testing. |
||||
Details of the syntax for both options are covered in the xref:servlet/authentication/passwords/ldap.adoc#servlet-authentication-ldap[LDAP chapter]. |
||||
The actual `ContextSource` implementation is `DefaultSpringSecurityContextSource` which extends Spring LDAP's `LdapContextSource` class. |
||||
The `manager-dn` and `manager-password` attributes map to the latter's `userDn` and `password` properties respectively. |
||||
|
||||
If you only have one server defined in your application context, the other LDAP namespace-defined beans will use it automatically. |
||||
Otherwise, you can give the element an "id" attribute and refer to it from other namespace beans using the `server-ref` attribute. |
||||
This is actually the bean `id` of the `ContextSource` instance, if you want to use it in other traditional Spring beans. |
||||
|
||||
|
||||
[[nsa-ldap-server-attributes]] |
||||
=== <ldap-server> Attributes |
||||
|
||||
[[nsa-ldap-server-mode]] |
||||
* **mode** |
||||
Explicitly specifies which embedded ldap server should use. Values are `apacheds` and `unboundid`. By default, it will depends if the library is available in the classpath. |
||||
|
||||
[[nsa-ldap-server-id]] |
||||
* **id** |
||||
A bean identifier, used for referring to the bean elsewhere in the context. |
||||
|
||||
|
||||
[[nsa-ldap-server-ldif]] |
||||
* **ldif** |
||||
Explicitly specifies an ldif file resource to load into an embedded LDAP server. |
||||
The ldif should be a Spring resource pattern (i.e. classpath:init.ldif). |
||||
The default is classpath*:*.ldif |
||||
|
||||
|
||||
[[nsa-ldap-server-manager-dn]] |
||||
* **manager-dn** |
||||
Username (DN) of the "manager" user identity which will be used to authenticate to a (non-embedded) LDAP server. |
||||
If omitted, anonymous access will be used. |
||||
|
||||
|
||||
[[nsa-ldap-server-manager-password]] |
||||
* **manager-password** |
||||
The password for the manager DN. |
||||
This is required if the manager-dn is specified. |
||||
|
||||
|
||||
[[nsa-ldap-server-port]] |
||||
* **port** |
||||
Specifies an IP port number. |
||||
Used to configure an embedded LDAP server, for example. |
||||
The default value is 33389. |
||||
|
||||
|
||||
[[nsa-ldap-server-root]] |
||||
* **root** |
||||
Optional root suffix for the embedded LDAP server. |
||||
Default is "dc=springframework,dc=org" |
||||
|
||||
|
||||
[[nsa-ldap-server-url]] |
||||
* **url** |
||||
Specifies the ldap server URL when not using the embedded LDAP server. |
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider]] |
||||
== <ldap-authentication-provider> |
||||
This element is shorthand for the creation of an `LdapAuthenticationProvider` instance. |
||||
By default this will be configured with a `BindAuthenticator` instance and a `DefaultAuthoritiesPopulator`. |
||||
As with all namespace authentication providers, it must be included as a child of the `authentication-provider` element. |
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider-parents]] |
||||
=== Parent Elements of <ldap-authentication-provider> |
||||
|
||||
|
||||
* xref:servlet/appendix/namespace/authentication-manager.adoc#nsa-authentication-manager[authentication-manager] |
||||
|
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider-attributes]] |
||||
=== <ldap-authentication-provider> Attributes |
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider-group-role-attribute]] |
||||
* **group-role-attribute** |
||||
The LDAP attribute name which contains the role name which will be used within Spring Security. |
||||
Maps to the ``DefaultLdapAuthoritiesPopulator``'s `groupRoleAttribute` property. |
||||
Defaults to "cn". |
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider-group-search-base]] |
||||
* **group-search-base** |
||||
Search base for group membership searches. |
||||
Maps to the ``DefaultLdapAuthoritiesPopulator``'s `groupSearchBase` constructor argument. |
||||
Defaults to "" (searching from the root). |
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider-group-search-filter]] |
||||
* **group-search-filter** |
||||
Group search filter. |
||||
Maps to the ``DefaultLdapAuthoritiesPopulator``'s `groupSearchFilter` property. |
||||
Defaults to `+(uniqueMember={0})+`. |
||||
The substituted parameter is the DN of the user. |
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider-role-prefix]] |
||||
* **role-prefix** |
||||
A non-empty string prefix that will be added to role strings loaded from persistent. |
||||
Maps to the ``DefaultLdapAuthoritiesPopulator``'s `rolePrefix` property. |
||||
Defaults to "ROLE_". |
||||
Use the value "none" for no prefix in cases where the default is non-empty. |
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider-server-ref]] |
||||
* **server-ref** |
||||
The optional server to use. |
||||
If omitted, and a default LDAP server is registered (using <ldap-server> with no Id), that server will be used. |
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider-user-context-mapper-ref]] |
||||
* **user-context-mapper-ref** |
||||
Allows explicit customization of the loaded user object by specifying a UserDetailsContextMapper bean which will be called with the context information from the user's directory entry |
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider-user-details-class]] |
||||
* **user-details-class** |
||||
Allows the objectClass of the user entry to be specified. |
||||
If set, the framework will attempt to load standard attributes for the defined class into the returned UserDetails object |
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider-user-dn-pattern]] |
||||
* **user-dn-pattern** |
||||
If your users are at a fixed location in the directory (i.e. you can work out the DN directly from the username without doing a directory search), you can use this attribute to map directly to the DN. |
||||
It maps directly to the `userDnPatterns` property of `AbstractLdapAuthenticator`. |
||||
The value is a specific pattern used to build the user's DN, for example `+uid={0},ou=people+`. |
||||
The key `+{0}+` must be present and will be substituted with the username. |
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider-user-search-base]] |
||||
* **user-search-base** |
||||
Search base for user searches. |
||||
Defaults to "". |
||||
Only used with a 'user-search-filter'. |
||||
|
||||
+ |
||||
|
||||
If you need to perform a search to locate the user in the directory, then you can set these attributes to control the search. |
||||
The `BindAuthenticator` will be configured with a `FilterBasedLdapUserSearch` and the attribute values map directly to the first two arguments of that bean's constructor. |
||||
If these attributes aren't set and no `user-dn-pattern` has been supplied as an alternative, then the default search values of `+user-search-filter="(uid={0})"+` and `user-search-base=""` will be used. |
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider-user-search-filter]] |
||||
* **user-search-filter** |
||||
The LDAP filter used to search for users (optional). |
||||
For example `+(uid={0})+`. |
||||
The substituted parameter is the user's login name. |
||||
|
||||
+ |
||||
|
||||
If you need to perform a search to locate the user in the directory, then you can set these attributes to control the search. |
||||
The `BindAuthenticator` will be configured with a `FilterBasedLdapUserSearch` and the attribute values map directly to the first two arguments of that bean's constructor. |
||||
If these attributes aren't set and no `user-dn-pattern` has been supplied as an alternative, then the default search values of `+user-search-filter="(uid={0})"+` and `user-search-base=""` will be used. |
||||
|
||||
|
||||
[[nsa-ldap-authentication-provider-children]] |
||||
=== Child Elements of <ldap-authentication-provider> |
||||
|
||||
|
||||
* <<nsa-password-compare,password-compare>> |
||||
|
||||
|
||||
|
||||
[[nsa-password-compare]] |
||||
== <password-compare> |
||||
This is used as child element to `<ldap-provider>` and switches the authentication strategy from `BindAuthenticator` to `PasswordComparisonAuthenticator`. |
||||
|
||||
|
||||
[[nsa-password-compare-parents]] |
||||
=== Parent Elements of <password-compare> |
||||
|
||||
|
||||
* <<nsa-ldap-authentication-provider,ldap-authentication-provider>> |
||||
|
||||
|
||||
|
||||
[[nsa-password-compare-attributes]] |
||||
=== <password-compare> Attributes |
||||
|
||||
|
||||
[[nsa-password-compare-hash]] |
||||
* **hash** |
||||
Defines the hashing algorithm used on user passwords. |
||||
We recommend strongly against using MD4, as it is a very weak hashing algorithm. |
||||
|
||||
|
||||
[[nsa-password-compare-password-attribute]] |
||||
* **password-attribute** |
||||
The attribute in the directory which contains the user password. |
||||
Defaults to "userPassword". |
||||
|
||||
|
||||
[[nsa-password-compare-children]] |
||||
=== Child Elements of <password-compare> |
||||
|
||||
|
||||
* xref:servlet/appendix/namespace/authentication-manager.adoc#nsa-password-encoder[password-encoder] |
||||
|
||||
|
||||
|
||||
[[nsa-ldap-user-service]] |
||||
== <ldap-user-service> |
||||
This element configures an LDAP `UserDetailsService`. |
||||
The class used is `LdapUserDetailsService` which is a combination of a `FilterBasedLdapUserSearch` and a `DefaultLdapAuthoritiesPopulator`. |
||||
The attributes it supports have the same usage as in `<ldap-provider>`. |
||||
|
||||
|
||||
[[nsa-ldap-user-service-attributes]] |
||||
=== <ldap-user-service> Attributes |
||||
|
||||
|
||||
[[nsa-ldap-user-service-cache-ref]] |
||||
* **cache-ref** |
||||
Defines a reference to a cache for use with a UserDetailsService. |
||||
|
||||
|
||||
[[nsa-ldap-user-service-group-role-attribute]] |
||||
* **group-role-attribute** |
||||
The LDAP attribute name which contains the role name which will be used within Spring Security. |
||||
Defaults to "cn". |
||||
|
||||
|
||||
[[nsa-ldap-user-service-group-search-base]] |
||||
* **group-search-base** |
||||
Search base for group membership searches. |
||||
Defaults to "" (searching from the root). |
||||
|
||||
|
||||
[[nsa-ldap-user-service-group-search-filter]] |
||||
* **group-search-filter** |
||||
Group search filter. |
||||
Defaults to `+(uniqueMember={0})+`. |
||||
The substituted parameter is the DN of the user. |
||||
|
||||
|
||||
[[nsa-ldap-user-service-id]] |
||||
* **id** |
||||
A bean identifier, used for referring to the bean elsewhere in the context. |
||||
|
||||
|
||||
[[nsa-ldap-user-service-role-prefix]] |
||||
* **role-prefix** |
||||
A non-empty string prefix that will be added to role strings loaded from persistent storage (e.g. |
||||
"ROLE_"). |
||||
Use the value "none" for no prefix in cases where the default is non-empty. |
||||
|
||||
|
||||
[[nsa-ldap-user-service-server-ref]] |
||||
* **server-ref** |
||||
The optional server to use. |
||||
If omitted, and a default LDAP server is registered (using <ldap-server> with no Id), that server will be used. |
||||
|
||||
|
||||
[[nsa-ldap-user-service-user-context-mapper-ref]] |
||||
* **user-context-mapper-ref** |
||||
Allows explicit customization of the loaded user object by specifying a UserDetailsContextMapper bean which will be called with the context information from the user's directory entry |
||||
|
||||
|
||||
[[nsa-ldap-user-service-user-details-class]] |
||||
* **user-details-class** |
||||
Allows the objectClass of the user entry to be specified. |
||||
If set, the framework will attempt to load standard attributes for the defined class into the returned UserDetails object |
||||
|
||||
|
||||
[[nsa-ldap-user-service-user-search-base]] |
||||
* **user-search-base** |
||||
Search base for user searches. |
||||
Defaults to "". |
||||
Only used with a 'user-search-filter'. |
||||
|
||||
|
||||
[[nsa-ldap-user-service-user-search-filter]] |
||||
* **user-search-filter** |
||||
The LDAP filter used to search for users (optional). |
||||
For example `+(uid={0})+`. |
||||
The substituted parameter is the user's login name. |
||||
@ -0,0 +1,340 @@
@@ -0,0 +1,340 @@
|
||||
= Method Security |
||||
|
||||
[[nsa-method-security]] |
||||
== <method-security> |
||||
This element is the primary means of adding support for securing methods on Spring Security beans. |
||||
Methods can be secured by the use of annotations (defined at the interface or class level) or by defining a set of pointcuts. |
||||
|
||||
[[nsa-method-security-attributes]] |
||||
=== <method-security> attributes |
||||
|
||||
[[nsa-method-security-pre-post-enabled]] |
||||
* **pre-post-enabled** |
||||
Enables Spring Security's pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) for this application context. |
||||
Defaults to "true". |
||||
|
||||
[[nsa-method-security-secured-enabled]] |
||||
* **secured-enabled** |
||||
Enables Spring Security's @Secured annotation for this application context. |
||||
Defaults to "false". |
||||
|
||||
[[nsa-method-security-jsr250-enabled]] |
||||
* **jsr250-enabled** |
||||
Enables JSR-250 authorization annotations (@RolesAllowed, @PermitAll, @DenyAll) for this application context. |
||||
Defaults to "false". |
||||
|
||||
[[nsa-method-security-proxy-target-class]] |
||||
* **proxy-target-class** |
||||
If true, class based proxying will be used instead of interface based proxying. |
||||
Defaults to "false". |
||||
|
||||
[[nsa-method-security-children]] |
||||
=== Child Elements of <method-security> |
||||
|
||||
* xref:servlet/appendix/namespace/http.adoc#nsa-expression-handler[expression-handler] |
||||
|
||||
[[nsa-global-method-security]] |
||||
== <global-method-security> |
||||
This element is the primary means of adding support for securing methods on Spring Security beans. |
||||
Methods can be secured by the use of annotations (defined at the interface or class level) or by defining a set of pointcuts as child elements, using AspectJ syntax. |
||||
|
||||
|
||||
[[nsa-global-method-security-attributes]] |
||||
=== <global-method-security> Attributes |
||||
|
||||
|
||||
[[nsa-global-method-security-access-decision-manager-ref]] |
||||
* **access-decision-manager-ref** |
||||
Method security uses the same `AccessDecisionManager` configuration as web security, but this can be overridden using this attribute. |
||||
By default an AffirmativeBased implementation is used for with a RoleVoter and an AuthenticatedVoter. |
||||
|
||||
|
||||
[[nsa-global-method-security-authentication-manager-ref]] |
||||
* **authentication-manager-ref** |
||||
A reference to an `AuthenticationManager` that should be used for method security. |
||||
|
||||
|
||||
[[nsa-global-method-security-jsr250-annotations]] |
||||
* **jsr250-annotations** |
||||
Specifies whether JSR-250 style attributes are to be used (for example "RolesAllowed"). |
||||
This will require the javax.annotation.security classes on the classpath. |
||||
Setting this to true also adds a `Jsr250Voter` to the `AccessDecisionManager`, so you need to make sure you do this if you are using a custom implementation and want to use these annotations. |
||||
|
||||
|
||||
[[nsa-global-method-security-metadata-source-ref]] |
||||
* **metadata-source-ref** |
||||
An external `MethodSecurityMetadataSource` instance can be supplied which will take priority over other sources (such as the default annotations). |
||||
|
||||
|
||||
[[nsa-global-method-security-mode]] |
||||
* **mode** |
||||
This attribute can be set to "aspectj" to specify that AspectJ should be used instead of the default Spring AOP. |
||||
Secured methods must be woven with the `AnnotationSecurityAspect` from the `spring-security-aspects` module. |
||||
|
||||
It is important to note that AspectJ follows Java's rule that annotations on interfaces are not inherited. |
||||
This means that methods that define the Security annotations on the interface will not be secured. |
||||
Instead, you must place the Security annotation on the class when using AspectJ. |
||||
|
||||
|
||||
[[nsa-global-method-security-order]] |
||||
* **order** |
||||
Allows the advice "order" to be set for the method security interceptor. |
||||
|
||||
|
||||
[[nsa-global-method-security-pre-post-annotations]] |
||||
* **pre-post-annotations** |
||||
Specifies whether the use of Spring Security's pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be enabled for this application context. |
||||
Defaults to "disabled". |
||||
|
||||
|
||||
[[nsa-global-method-security-proxy-target-class]] |
||||
* **proxy-target-class** |
||||
If true, class based proxying will be used instead of interface based proxying. |
||||
|
||||
|
||||
[[nsa-global-method-security-run-as-manager-ref]] |
||||
* **run-as-manager-ref** |
||||
A reference to an optional `RunAsManager` implementation which will be used by the configured `MethodSecurityInterceptor` |
||||
|
||||
|
||||
[[nsa-global-method-security-secured-annotations]] |
||||
* **secured-annotations** |
||||
Specifies whether the use of Spring Security's @Secured annotations should be enabled for this application context. |
||||
Defaults to "disabled". |
||||
|
||||
|
||||
[[nsa-global-method-security-children]] |
||||
=== Child Elements of <global-method-security> |
||||
|
||||
|
||||
* <<nsa-after-invocation-provider,after-invocation-provider>> |
||||
* xref:servlet/appendix/namespace/http.adoc#nsa-expression-handler[expression-handler] |
||||
* <<nsa-pre-post-annotation-handling,pre-post-annotation-handling>> |
||||
* <<nsa-protect-pointcut,protect-pointcut>> |
||||
|
||||
|
||||
|
||||
[[nsa-after-invocation-provider]] |
||||
== <after-invocation-provider> |
||||
This element can be used to decorate an `AfterInvocationProvider` for use by the security interceptor maintained by the `<global-method-security>` namespace. |
||||
You can define zero or more of these within the `global-method-security` element, each with a `ref` attribute pointing to an `AfterInvocationProvider` bean instance within your application context. |
||||
|
||||
|
||||
[[nsa-after-invocation-provider-parents]] |
||||
=== Parent Elements of <after-invocation-provider> |
||||
|
||||
|
||||
* <<nsa-global-method-security,global-method-security>> |
||||
|
||||
|
||||
|
||||
[[nsa-after-invocation-provider-attributes]] |
||||
=== <after-invocation-provider> Attributes |
||||
|
||||
|
||||
[[nsa-after-invocation-provider-ref]] |
||||
* **ref** |
||||
Defines a reference to a Spring bean that implements `AfterInvocationProvider`. |
||||
|
||||
|
||||
[[nsa-pre-post-annotation-handling]] |
||||
== <pre-post-annotation-handling> |
||||
Allows the default expression-based mechanism for handling Spring Security's pre and post invocation annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) to be replaced entirely. |
||||
Only applies if these annotations are enabled. |
||||
|
||||
|
||||
[[nsa-pre-post-annotation-handling-parents]] |
||||
=== Parent Elements of <pre-post-annotation-handling> |
||||
|
||||
|
||||
* <<nsa-global-method-security,global-method-security>> |
||||
|
||||
|
||||
|
||||
[[nsa-pre-post-annotation-handling-children]] |
||||
=== Child Elements of <pre-post-annotation-handling> |
||||
|
||||
|
||||
* <<nsa-invocation-attribute-factory,invocation-attribute-factory>> |
||||
* <<nsa-post-invocation-advice,post-invocation-advice>> |
||||
* <<nsa-pre-invocation-advice,pre-invocation-advice>> |
||||
|
||||
|
||||
|
||||
[[nsa-invocation-attribute-factory]] |
||||
== <invocation-attribute-factory> |
||||
Defines the PrePostInvocationAttributeFactory instance which is used to generate pre and post invocation metadata from the annotated methods. |
||||
|
||||
|
||||
[[nsa-invocation-attribute-factory-parents]] |
||||
=== Parent Elements of <invocation-attribute-factory> |
||||
|
||||
|
||||
* <<nsa-pre-post-annotation-handling,pre-post-annotation-handling>> |
||||
|
||||
|
||||
|
||||
[[nsa-invocation-attribute-factory-attributes]] |
||||
=== <invocation-attribute-factory> Attributes |
||||
|
||||
|
||||
[[nsa-invocation-attribute-factory-ref]] |
||||
* **ref** |
||||
Defines a reference to a Spring bean Id. |
||||
|
||||
|
||||
[[nsa-post-invocation-advice]] |
||||
== <post-invocation-advice> |
||||
Customizes the `PostInvocationAdviceProvider` with the ref as the `PostInvocationAuthorizationAdvice` for the <pre-post-annotation-handling> element. |
||||
|
||||
|
||||
[[nsa-post-invocation-advice-parents]] |
||||
=== Parent Elements of <post-invocation-advice> |
||||
|
||||
|
||||
* <<nsa-pre-post-annotation-handling,pre-post-annotation-handling>> |
||||
|
||||
|
||||
|
||||
[[nsa-post-invocation-advice-attributes]] |
||||
=== <post-invocation-advice> Attributes |
||||
|
||||
|
||||
[[nsa-post-invocation-advice-ref]] |
||||
* **ref** |
||||
Defines a reference to a Spring bean Id. |
||||
|
||||
|
||||
[[nsa-pre-invocation-advice]] |
||||
== <pre-invocation-advice> |
||||
Customizes the `PreInvocationAuthorizationAdviceVoter` with the ref as the `PreInvocationAuthorizationAdviceVoter` for the <pre-post-annotation-handling> element. |
||||
|
||||
|
||||
[[nsa-pre-invocation-advice-parents]] |
||||
=== Parent Elements of <pre-invocation-advice> |
||||
|
||||
|
||||
* <<nsa-pre-post-annotation-handling,pre-post-annotation-handling>> |
||||
|
||||
|
||||
|
||||
[[nsa-pre-invocation-advice-attributes]] |
||||
=== <pre-invocation-advice> Attributes |
||||
|
||||
|
||||
[[nsa-pre-invocation-advice-ref]] |
||||
* **ref** |
||||
Defines a reference to a Spring bean Id. |
||||
|
||||
|
||||
[[nsa-protect-pointcut]] |
||||
== Securing Methods using |
||||
`<protect-pointcut>` |
||||
Rather than defining security attributes on an individual method or class basis using the `@Secured` annotation, you can define cross-cutting security constraints across whole sets of methods and interfaces in your service layer using the `<protect-pointcut>` element. |
||||
You can find an example in the xref:servlet/authorization/method-security.adoc#ns-protect-pointcut[namespace introduction]. |
||||
|
||||
|
||||
[[nsa-protect-pointcut-parents]] |
||||
=== Parent Elements of <protect-pointcut> |
||||
|
||||
|
||||
* <<nsa-global-method-security,global-method-security>> |
||||
|
||||
|
||||
|
||||
[[nsa-protect-pointcut-attributes]] |
||||
=== <protect-pointcut> Attributes |
||||
|
||||
|
||||
[[nsa-protect-pointcut-access]] |
||||
* **access** |
||||
Access configuration attributes list that applies to all methods matching the pointcut, e.g. |
||||
"ROLE_A,ROLE_B" |
||||
|
||||
|
||||
[[nsa-protect-pointcut-expression]] |
||||
* **expression** |
||||
An AspectJ expression, including the `execution` keyword. |
||||
For example, `execution(int com.foo.TargetObject.countLength(String))`. |
||||
|
||||
|
||||
[[nsa-intercept-methods]] |
||||
== <intercept-methods> |
||||
Can be used inside a bean definition to add a security interceptor to the bean and set up access configuration attributes for the bean's methods |
||||
|
||||
|
||||
[[nsa-intercept-methods-attributes]] |
||||
=== <intercept-methods> Attributes |
||||
|
||||
|
||||
[[nsa-intercept-methods-access-decision-manager-ref]] |
||||
* **access-decision-manager-ref** |
||||
Optional AccessDecisionManager bean ID to be used by the created method security interceptor. |
||||
|
||||
|
||||
[[nsa-intercept-methods-children]] |
||||
=== Child Elements of <intercept-methods> |
||||
|
||||
|
||||
* <<nsa-protect,protect>> |
||||
|
||||
|
||||
|
||||
[[nsa-method-security-metadata-source]] |
||||
== <method-security-metadata-source> |
||||
Creates a MethodSecurityMetadataSource instance |
||||
|
||||
|
||||
[[nsa-method-security-metadata-source-attributes]] |
||||
=== <method-security-metadata-source> Attributes |
||||
|
||||
|
||||
[[nsa-method-security-metadata-source-id]] |
||||
* **id** |
||||
A bean identifier, used for referring to the bean elsewhere in the context. |
||||
|
||||
|
||||
[[nsa-method-security-metadata-source-use-expressions]] |
||||
* **use-expressions** |
||||
Enables the use of expressions in the 'access' attributes in <intercept-url> elements rather than the traditional list of configuration attributes. |
||||
Defaults to 'false'. |
||||
If enabled, each attribute should contain a single Boolean expression. |
||||
If the expression evaluates to 'true', access will be granted. |
||||
|
||||
|
||||
[[nsa-method-security-metadata-source-children]] |
||||
=== Child Elements of <method-security-metadata-source> |
||||
|
||||
|
||||
* <<nsa-protect,protect>> |
||||
|
||||
|
||||
|
||||
[[nsa-protect]] |
||||
== <protect> |
||||
Defines a protected method and the access control configuration attributes that apply to it. |
||||
We strongly advise you NOT to mix "protect" declarations with any services provided "global-method-security". |
||||
|
||||
|
||||
[[nsa-protect-parents]] |
||||
=== Parent Elements of <protect> |
||||
|
||||
|
||||
* <<nsa-intercept-methods,intercept-methods>> |
||||
* <<nsa-method-security-metadata-source,method-security-metadata-source>> |
||||
|
||||
|
||||
|
||||
[[nsa-protect-attributes]] |
||||
=== <protect> Attributes |
||||
|
||||
|
||||
[[nsa-protect-access]] |
||||
* **access** |
||||
Access configuration attributes list that applies to the method, e.g. |
||||
"ROLE_A,ROLE_B". |
||||
|
||||
|
||||
[[nsa-protect-method]] |
||||
* **method** |
||||
A method name |
||||
@ -0,0 +1,74 @@
@@ -0,0 +1,74 @@
|
||||
[[nsa-websocket-security]] |
||||
= WebSocket Security |
||||
|
||||
Spring Security 4.0+ provides support for authorizing messages. |
||||
One concrete example of where this is useful is to provide authorization in WebSocket based applications. |
||||
|
||||
[[nsa-websocket-message-broker]] |
||||
== <websocket-message-broker> |
||||
|
||||
The websocket-message-broker element has two different modes. |
||||
If the <<nsa-websocket-message-broker-id,websocket-message-broker@id>> is not specified, then it will do the following things: |
||||
|
||||
* Ensure that any SimpAnnotationMethodMessageHandler has the AuthenticationPrincipalArgumentResolver registered as a custom argument resolver. |
||||
This allows the use of `@AuthenticationPrincipal` to resolve the principal of the current `Authentication` |
||||
* Ensures that the SecurityContextChannelInterceptor is automatically registered for the clientInboundChannel. |
||||
This populates the SecurityContextHolder with the user that is found in the Message |
||||
* Ensures that a ChannelSecurityInterceptor is registered with the clientInboundChannel. |
||||
This allows authorization rules to be specified for a message. |
||||
* Ensures that a CsrfChannelInterceptor is registered with the clientInboundChannel. |
||||
This ensures that only requests from the original domain are enabled. |
||||
* Ensures that a CsrfTokenHandshakeInterceptor is registered with WebSocketHttpRequestHandler, TransportHandlingSockJsService, or DefaultSockJsService. |
||||
This ensures that the expected CsrfToken from the HttpServletRequest is copied into the WebSocket Session attributes. |
||||
|
||||
If additional control is necessary, the id can be specified and a ChannelSecurityInterceptor will be assigned to the specified id. |
||||
All the wiring with Spring's messaging infrastructure can then be done manually. |
||||
This is more cumbersome, but provides greater control over the configuration. |
||||
|
||||
|
||||
[[nsa-websocket-message-broker-attributes]] |
||||
=== <websocket-message-broker> Attributes |
||||
|
||||
[[nsa-websocket-message-broker-id]] |
||||
* **id** A bean identifier, used for referring to the ChannelSecurityInterceptor bean elsewhere in the context. |
||||
If specified, Spring Security requires explicit configuration within Spring Messaging. |
||||
If not specified, Spring Security will automatically integrate with the messaging infrastructure as described in <<nsa-websocket-message-broker>> |
||||
|
||||
[[nsa-websocket-message-broker-same-origin-disabled]] |
||||
* **same-origin-disabled** Disables the requirement for CSRF token to be present in the Stomp headers (default false). |
||||
Changing the default is useful if it is necessary to allow other origins to make SockJS connections. |
||||
|
||||
[[nsa-websocket-message-broker-children]] |
||||
=== Child Elements of <websocket-message-broker> |
||||
|
||||
|
||||
* xref:servlet/appendix/namespace/http.adoc#nsa-expression-handler[expression-handler] |
||||
* <<nsa-intercept-message,intercept-message>> |
||||
|
||||
[[nsa-intercept-message]] |
||||
== <intercept-message> |
||||
|
||||
Defines an authorization rule for a message. |
||||
|
||||
|
||||
[[nsa-intercept-message-parents]] |
||||
=== Parent Elements of <intercept-message> |
||||
|
||||
|
||||
* <<nsa-websocket-message-broker,websocket-message-broker>> |
||||
|
||||
|
||||
[[nsa-intercept-message-attributes]] |
||||
=== <intercept-message> Attributes |
||||
|
||||
[[nsa-intercept-message-pattern]] |
||||
* **pattern** An ant based pattern that matches on the Message destination. |
||||
For example, "/**" matches any Message with a destination; "/admin/**" matches any Message that has a destination that starts with "/admin/**". |
||||
|
||||
[[nsa-intercept-message-type]] |
||||
* **type** The type of message to match on. |
||||
Valid values are defined in SimpMessageType (i.e. CONNECT, CONNECT_ACK, HEARTBEAT, MESSAGE, SUBSCRIBE, UNSUBSCRIBE, DISCONNECT, DISCONNECT_ACK, OTHER). |
||||
|
||||
[[nsa-intercept-message-access]] |
||||
* **access** The expression used to secure the Message. |
||||
For example, "denyAll" will deny access to all of the matching Messages; "permitAll" will grant access to all of the matching Messages; "hasRole('ADMIN') requires the current user to have the role 'ROLE_ADMIN' for the matching Messages. |
||||
Loading…
Reference in new issue