diff --git a/doc/docbook/acegi.xml b/doc/docbook/acegi.xml index 1fd583cbe8..33e94b4bbe 100644 --- a/doc/docbook/acegi.xml +++ b/doc/docbook/acegi.xml @@ -424,9 +424,12 @@ register a bean inside your application context to refer to the messages. An example is shown below: - <bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource"> - <property name="basename"><value>org/acegisecurity/messages</value></property> -</bean> + + org/acegisecurity/messages + +]]> + The messages.properties is named in accordance with standard resource bundles and represents the default @@ -574,19 +577,22 @@ MethodSecurityInterceptor itself is configured as follows: - <bean id="bankManagerSecurity" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"> - <property name="validateConfigAttributes"><value>true</value></property> - <property name="authenticationManager"><ref bean="authenticationManager"/></property> - <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property> - <property name="runAsManager"><ref bean="runAsManager"/></property> - <property name="afterInvocationManager"><ref bean="afterInvocationManager"/></property> - <property name="objectDefinitionSource"> - <value> + + true + + + + + + org.acegisecurity.context.BankManager.delete*=ROLE_SUPERVISOR,RUN_AS_SERVER org.acegisecurity.context.BankManager.getBalance=ROLE_TELLER,ROLE_SUPERVISOR,BANKSECURITY_CUSTOMER,RUN_AS_SERVER - </value> - </property> -</bean> + + + +]]> + As shown above, the MethodSecurityInterceptor is configured with a reference to an @@ -636,18 +642,21 @@ If you are using the Jakarta Commons Attributes approach, your bean context will be configured differently: - <bean id="attributes" class="org.springframework.metadata.commons.CommonsAttributes"/> -<bean id="objectDefinitionSource" class="org.acegisecurity.intercept.method.MethodDefinitionAttributes"> - <property name="attributes"><ref local="attributes"/></property> -</bean> + + + + -<bean id="bankManagerSecurity" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"> - <property name="validateConfigAttributes"><value>false</value></property> - <property name="authenticationManager"><ref bean="authenticationManager"/></property> - <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property> - <property name="runAsManager"><ref bean="runAsManager"/></property> - <property name="objectDefinitionSource"><ref bean="objectDefinitionSource"/></property> -</bean> + + false + + + + + +]]> + In addition, your source code will contain Jakarta Commons Attributes tags that refer to a concrete implementation of @@ -683,18 +692,21 @@ If you are using the Spring Security Java 5 Annotations approach, your bean context will be configured as follows: - <bean id="attributes" class="org.acegisecurity.annotation.SecurityAnnotationAttributes"/> -<bean id="objectDefinitionSource" class="org.acegisecurity.intercept.method.MethodDefinitionAttributes"> - <property name="attributes"><ref local="attributes"/></property> -</bean> + + + + -<bean id="bankManagerSecurity" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"> - <property name="validateConfigAttributes"><value>false</value></property> - <property name="authenticationManager"><ref bean="authenticationManager"/></property> - <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property> - <property name="runAsManager"><ref bean="runAsManager"/></property> - <property name="objectDefinitionSource"><ref bean="objectDefinitionSource"/></property> -</bean> + + false + + + + + +]]> + In addition, your source code will contain the Acegi Java 5 Security Annotations that represent the @@ -750,15 +762,18 @@ public interface BankManager { requirement on CGLIB. See an example of using BeanNameAutoProxyCreator below: - <bean id="autoProxyCreator" class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator"> - <property name="interceptorNames"> - <list><value>methodSecurityInterceptor</value></list> - </property> - <property name="beanNames"> - <list><value>targetObjectName</value></list> - </property> - <property name="proxyTargetClass" value="true"/> -</bean> + + + methodSecurityInterceptor + + + targetObjectName + + + +]]> + @@ -784,19 +799,22 @@ public interface BankManager { AspectJSecurityInterceptor is configured in the Spring application context: - <bean id="bankManagerSecurity" class="org.acegisecurity.intercept.method.aspectj.AspectJSecurityInterceptor"> - <property name="validateConfigAttributes"><value>true</value></property> - <property name="authenticationManager"><ref bean="authenticationManager"/></property> - <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property> - <property name="runAsManager"><ref bean="runAsManager"/></property> - <property name="afterInvocationManager"><ref bean="afterInvocationManager"/></property> - <property name="objectDefinitionSource"> - <value> + + true + + + + + + org.acegisecurity.context.BankManager.delete*=ROLE_SUPERVISOR,RUN_AS_SERVER org.acegisecurity.context.BankManager.getBalance=ROLE_TELLER,ROLE_SUPERVISOR,BANKSECURITY_CUSTOMER,RUN_AS_SERVER - </value> - </property> -</bean> + + + +]]> + As you can see, aside from the class name, the AspectJSecurityInterceptor is exactly the same as @@ -868,11 +886,14 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { with the AspectJSecurityInterceptor. A bean declaration which achieves this is shown below: - <bean id="domainObjectInstanceSecurityAspect" + + factory-method="aspectOf"> + + +]]> + That's it! Now you can create your beans from anywhere within your application, using whatever means you think fit (eg new @@ -1021,19 +1042,22 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { earlier configuration could be generated using Apache Ant paths as follows: - <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor"> - <property name="authenticationManager"><ref bean="authenticationManager"/></property> - <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property> - <property name="runAsManager"><ref bean="runAsManager"/></property> - <property name="objectDefinitionSource"> - <value> + + + + + + CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT /secure/super/**=ROLE_WE_DONT_HAVE /secure/**=ROLE_SUPERVISOR,ROLE_TELLER - </value> - </property> -</bean> + + + +]]> + Irrespective of the type of expression syntax used, expressions are always evaluated in the order they are defined. Thus it is @@ -1198,14 +1222,17 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { ProviderManager, is configured via the bean context with a list of AuthenticationProviders: - <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager"> - <property name="providers"> - <list> - <ref bean="daoAuthenticationProvider"/> - <ref bean="someOtherAuthenticationProvider"/> - </list> - </property> -</bean> + + + + + + + + +]]> + ProviderManager calls a series of registered AuthenticationProvider implementations, until one @@ -1309,9 +1336,12 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { To use concurrent session support, you'll need to add the following to web.xml: - <listener> - <listener-class>org.acegisecurity.ui.session.HttpSessionEventPublisher</listener-class> -</listener> + + org.acegisecurity.ui.session.HttpSessionEventPublisher + +]]> + In addition, you will need to add the org.acegisecurity.concurrent.ConcurrentSessionFilter @@ -1332,19 +1362,22 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { ConcurrentSessionControllerImpl and refer to it from your ProviderManager bean: - <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager"> - <property name="providers"> - <!-- your providers go here --> - </property> - <property name="sessionController"><ref bean="concurrentSessionController"/></property> -</bean> + + + + + + -<bean id="concurrentSessionController" class="org.acegisecurity.concurrent.ConcurrentSessionControllerImpl"> - <property name="maximumSessions"><value>1</value></property> - <property name="sessionRegistry"><ref local="sessionRegistry"/></property> -</bean> + + 1 + + -<bean id="sessionRegistry" class="org.acegisecurity.concurrent.SessionRegistryImpl"/> + +]]> + @@ -1358,11 +1391,14 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { authentication details from a data access object configured at bean creation time: - <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider"> - <property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property> - <property name="saltSource"><ref bean="saltSource"/></property> - <property name="passwordEncoder"><ref bean="passwordEncoder"/></property> -</bean> + + + + + +]]> + The PasswordEncoder and SaltSource are optional. A @@ -1393,29 +1429,32 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { EhCacheBasedUserCache, which is configured as follows: - <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider"> - <property name="userDetailsService"><ref bean="userDetailsService"/></property> - <property name="userCache"><ref bean="userCache"/></property> -</bean> + + + + -<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"> - <property name="configLocation"> - <value>classpath:/ehcache-failsafe.xml</value> - </property> -</bean> + + + classpath:/ehcache-failsafe.xml + + -<bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean"> - <property name="cacheManager"> - <ref local="cacheManager"/> - </property> - <property name="cacheName"> - <value>userCache</value> - </property> -</bean> + + + + + + userCache + + -<bean id="userCache" class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache"> - <property name="cache"><ref local="userCacheBackend"/></property> -</bean> + + + +]]> + All Acegi Security EH-CACHE implementations (including EhCacheBasedUserCache) require an EH-CACHE @@ -1489,16 +1528,19 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { authentication repository in the application context itself using the InMemoryDaoImpl: - <bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl"> - <property name="userMap"> - <value> + + + marissa=koala,ROLE_TELLER,ROLE_SUPERVISOR dianne=emu,ROLE_TELLER scott=wombat,ROLE_TELLER peter=opal,disabled,ROLE_TELLER - </value> - </property> -</bean> + + + +]]> + The userMap property contains each of the usernames, passwords, a list of granted authorities and an optional @@ -1531,16 +1573,19 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { from a JDBC data source. The typical configuration for the JdbcDaoImpl is shown below: - <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource"> - <property name="driverClassName"><value>org.hsqldb.jdbcDriver</value></property> - <property name="url"><value>jdbc:hsqldb:hsql://localhost:9001</value></property> - <property name="username"><value>sa</value></property> - <property name="password"><value></value></property> -</bean> + + org.hsqldb.jdbcDriver + jdbc:hsqldb:hsql://localhost:9001 + sa + + -<bean id="jdbcDaoImpl" class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl"> - <property name="dataSource"><ref bean="dataSource"/></property> -</bean> + + + +]]> + You can use different relational database management systems by modifying the DriverManagerDataSource shown above. @@ -1586,25 +1631,28 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { application context. The following definitions would correspond to the above JAAS login configuration file: - <bean id="jaasAuthenticationProvider" class="org.acegisecurity.providers.jaas.JaasAuthenticationProvider"> - <property name="loginConfig"> - <value>/WEB-INF/login.conf</value> - </property> - <property name="loginContextName"> - <value>JAASTest</value> - </property> - <property name="callbackHandlers"> - <list> - <bean class="org.acegisecurity.providers.jaas.JaasNameCallbackHandler"/> - <bean class="org.acegisecurity.providers.jaas.JaasPasswordCallbackHandler"/> - </list> - </property> - <property name="authorityGranters"> - <list> - <bean class="org.acegisecurity.providers.jaas.TestAuthorityGranter"/> - </list> - </property> -</bean> + + + /WEB-INF/login.conf + + + JAASTest + + + + + + + + + + + + + +]]> + The CallbackHandlers and AuthorityGranters are discussed below. @@ -1713,32 +1761,38 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { authenticated the user, so it's typical to use the same header for both. - <!-- ======================== SITEMINDER AUTHENTICATION PROCESSING FILTER ======================= --> - <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.SiteminderAuthenticationProcessingFilter"> - <property name="authenticationManager"><ref bean="authenticationManager"/></property> - <property name="authenticationFailureUrl"><value>/login.jsp?login_error=1</value></property> - <property name="defaultTargetUrl"><value>/security.do?method=getMainMenu</value></property> - <property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property> - <property name="siteminderUsernameHeaderKey"><value>SM_USER</value></property> - <property name="siteminderPasswordHeaderKey"><value>SM_USER</value></property> - </bean> - - Since this authenticationProcessingFilter - depends on an authenticationManager, we'll need - to define one: - - <!-- ======================== AUTHENTICATION ======================= --> - <!-- - - The top-level Authentication Manager is responsible for all application AUTHENTICATION - - operations. Note that it must reference one or more provider(s) defined below. - --> - <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager"> - <property name="providers"> - <list> - <ref local="daoAuthenticationProvider"/> - </list> - </property> - </bean> + + + + /login.jsp?login_error=1 + /security.do?method=getMainMenu + /j_acegi_security_check + SM_USER + SM_USER + +]]> + + + Since this authenticationProcessingFilter + depends on an authenticationManager, we'll need + to define one: + + + + + + + + + + +]]> + Note that your daoAuthenticationProvider above will expect the password property to match what it expects. In @@ -1758,20 +1812,23 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { authenticationProcessingFilter in its operations. - <!-- ======================== FILTER CHAIN ======================= --> - <!-- - - The web.xml file has a single filter reference to this top-level bean, which - - invokes the chain of sub-filters specified below. - --> - <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy"> - <property name="filterInvocationDefinitionSource"> - <value> - CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON - PATTERN_TYPE_APACHE_ANT - /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor - </value> - </property> - </bean> + + + + + + CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON + PATTERN_TYPE_APACHE_ANT + /**=httpSessionContextIntegrationFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor + + + +]]> + In summary, once the user has authenticated through Siteminder, their header-loaded request will be brokered by @@ -2026,29 +2083,32 @@ public boolean supports(Class clazz); designed to have multiple instances in the same application context, such as: - <bean id="aclContactReadVoter" class="org.acegisecurity.vote.BasicAclEntryVoter"> - <property name="processConfigAttribute"><value>ACL_CONTACT_READ</value></property> - <property name="processDomainObjectClass"><value>sample.contact.Contact</value></property> - <property name="aclManager"><ref local="aclManager"/></property> - <property name="requirePermission"> - <list> - <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION"/> - <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.READ"/> - </list> - </property> -</bean> - -<bean id="aclContactDeleteVoter" class="org.acegisecurity.vote.BasicAclEntryVoter"> - <property name="processConfigAttribute"><value>ACL_CONTACT_DELETE</value></property> - <property name="processDomainObjectClass"><value>sample.contact.Contact</value></property> - <property name="aclManager"><ref local="aclManager"/></property> - <property name="requirePermission"> - <list> - <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION"/> - <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.DELETE"/> - </list> - </property> -</bean> + + ACL_CONTACT_READ + sample.contact.Contact + + + + + + + + + + + ACL_CONTACT_DELETE + sample.contact.Contact + + + + + + + + +]]> + In the above example, you'd define ACL_CONTACT_READ or @@ -2114,10 +2174,13 @@ public boolean supports(Class clazz); directory. The following fragment is added to web.xml: - <taglib> - <taglib-uri>http://acegisecurity.sf.net/authz</taglib-uri> - <taglib-location>/WEB-INF/authz.tld</taglib-location> -</taglib> + + http://acegisecurity.sf.net/authz + /WEB-INF/authz.tld + +]]> + AuthorizeTag @@ -2129,11 +2192,14 @@ public boolean supports(Class clazz); The following JSP fragment illustrates how to use the AuthorizeTag: - <authz:authorize ifAllGranted="ROLE_SUPERVISOR"> - <td> - <A HREF="del.htm?id=<c:out value="${contact.id}"/>">Del</A> - </td> -</authz:authorize> + + + ">Del + + +]]> + This tag would cause the tag's body to be output if the principal has been granted ROLE_SUPERVISOR. @@ -2215,9 +2281,12 @@ public boolean supports(Class clazz); The following JSP fragment illustrates how to use the AclTag: - <authz:acl domainObject="${contact}" hasPermission="16,1"> - <td><A HREF="<c:url value="del.htm"><c:param name="contactId" value="${contact.id}"/></c:url>">Del</A></td> -</authz:acl> + + ">Del + +]]> + This tag would cause the tag's body to be output if the principal holds either permission 16 or permission 1 for the @@ -2341,15 +2410,18 @@ public boolean supports(Class clazz); BasicAclAfterInvocationProvider delivers a solution, and is configured as follows: - <bean id="afterAclRead" class="org.acegisecurity.afterinvocation.BasicAclEntryAfterInvocationProvider"> - <property name="aclManager"><ref local="aclManager"/></property> - <property name="requirePermission"> - <list> - <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION"/> - <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.READ"/> - </list> - </property> -</bean> + + + + + + + + + +]]> + In the above example, the Contact will be retrieved and passed to the @@ -2369,15 +2441,18 @@ public boolean supports(Class clazz); an AccessDeniedException - simply silently removes the offending elements. The provider is configured as follows: - <bean id="afterAclCollectionRead" class="org.acegisecurity.afterinvocation.BasicAclEntryAfterInvocationCollectionFilteringProvider"> - <property name="aclManager"><ref local="aclManager"/></property> - <property name="requirePermission"> - <list> - <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION"/> - <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.READ"/> - </list> - </property> -</bean> + + + + + + + + + +]]> + As you can imagine, the returned Object must be a Collection or array for this provider to @@ -2479,11 +2554,16 @@ public boolean supports(Class clazz); RunAsImplAuthenticationProvider is created in the bean context with the same key: - <bean id="runAsManager" class="org.acegisecurity.runas.RunAsManagerImpl"> - <property name="key"><value>my_run_as_password</value></property> -</bean><bean id="runAsAuthenticationProvider" class="org.acegisecurity.runas.RunAsImplAuthenticationProvider"> - <property name="key"><value>my_run_as_password</value></property> -</bean> + + my_run_as_password + + + + my_run_as_password + +]]> + By using the same key, each RunAsUserToken can be validated it was created by an approved @@ -2557,30 +2637,36 @@ public boolean supports(Class clazz); web.xml behind a FilterToBeanProxy as follows: - <filter> - <filter-name>Acegi Authentication Processing Filter</filter-name> - <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class> - <init-param> - <param-name>targetClass</param-name> - <param-value>org.acegisecurity.ui.webapp.AuthenticationProcessingFilter</param-value> - </init-param> -</filter> + + Acegi Authentication Processing Filter + org.acegisecurity.util.FilterToBeanProxy + + targetClass + org.acegisecurity.ui.webapp.AuthenticationProcessingFilter + + -<filter-mapping> - <filter-name>Acegi Authentication Processing Filter</filter-name> - <url-pattern>/*</url-pattern> -</filter-mapping> + + Acegi Authentication Processing Filter + /* +]]> + + For a discussion of FilterToBeanProxy, please refer to the Filters section. The application context will need to define the AuthenticationProcessingFilter: - <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter"> - <property name="authenticationManager"><ref bean="authenticationManager"/></property> - <property name="authenticationFailureUrl"><value>/acegilogin.jsp?login_error=1</value></property> - <property name="defaultTargetUrl"><value>/</value></property> - <property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property> -</bean> + + + /acegilogin.jsp?login_error=1 + / + /j_acegi_security_check + +]]> + The configured AuthenticationManager processes each authentication request. If authentication fails, the @@ -2635,14 +2721,17 @@ public boolean supports(Class clazz); BasicProcessingFilter and its required collaborator: - <bean id="basicProcessingFilter" class="org.acegisecurity.ui.basicauth.BasicProcessingFilter"> - <property name="authenticationManager"><ref bean="authenticationManager"/></property> - <property name="authenticationEntryPoint"><ref bean="authenticationEntryPoint"/></property> -</bean> + + + + -<bean id="authenticationEntryPoint" class="org.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint"> - <property name="realmName"><value>Name Of Your Realm</value></property> -</bean> + + Name Of Your Realm + +]]> + The configured AuthenticationManager processes each authentication request. If authentication fails, the @@ -2745,17 +2834,20 @@ key: A private key to prevent modification of the nonce token DigestProcessingFilter and its required collaborators: - <bean id="digestProcessingFilter" class="org.acegisecurity.ui.digestauth.DigestProcessingFilter"> - <property name="userDetailsService"><ref local="jdbcDaoImpl"/></property> - <property name="authenticationEntryPoint"><ref local="digestProcessingFilterEntryPoint"/></property> - <property name="userCache"><ref local="userCache"/></property> -</bean> + + + + + -<bean id="digestProcessingFilterEntryPoint" class="org.acegisecurity.ui.digestauth.DigestProcessingFilterEntryPoint"> - <property name="realmName"><value>Contacts Realm via Digest Authentication</value></property> - <property name="key"><value>acegi</value></property> - <property name="nonceValiditySeconds"><value>10</value></property> -</bean> + + Contacts Realm via Digest Authentication + acegi + 10 + +]]> + The configured UserDetailsService is needed because DigestProcessingFilter must have direct @@ -2826,14 +2918,17 @@ key: A private key to prevent modification of the nonce token Authentication held there. The definition of the filter and authentication provider appears as follows: - <bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter"> - <property name="key"><value>foobar</value></property> - <property name="userAttribute"><value>anonymousUser,ROLE_ANONYMOUS</value></property> -</bean> + + foobar + anonymousUser,ROLE_ANONYMOUS + -<bean id="anonymousAuthenticationProvider" class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider"> - <property name="key"><value>foobar</value></property> -</bean> + + foobar + +]]> + The key is shared between the filter and authentication provider, so that tokens created by the former are @@ -2848,11 +2943,12 @@ key: A private key to prevent modification of the nonce token that all URI patterns can have security applied to them. For example: - <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor"> - <property name="authenticationManager"><ref bean="authenticationManager"/></property> - <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property> - <property name="objectDefinitionSource"> - <value> + + + + + CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT /index.jsp=ROLE_ANONYMOUS,ROLE_USER @@ -2860,9 +2956,11 @@ key: A private key to prevent modification of the nonce token /logoff.jsp=ROLE_ANONYMOUS,ROLE_USER /acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_USER /**=ROLE_USER - </value> - </property> -</bean>Rounding out the anonymous authentication + + + +]]> + Rounding out the anonymous authentication discussion is the AuthenticationTrustResolver interface, with its corresponding AuthenticationTrustResolverImpl implementation. @@ -2965,18 +3063,21 @@ key: A private key to prevent modification of the remember-me token The beans required in an application context to enable remember-me services are as follows: - <bean id="rememberMeProcessingFilter" class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter"> - <property name="rememberMeServices"><ref local="rememberMeServices"/></property> -</bean> + + + -<bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices"> - <property name="userDetailsService"><ref local="jdbcDaoImpl"/></property> - <property name="key"><value>springRocks</value></property> -</bean> + + + springRocks + -<bean id="rememberMeAuthenticationProvider" class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider"> - <property name="key"><value>springRocks</value></property> -</bean>Don't forget to add your + + springRocks + +]]> + Don't forget to add your RememberMeServices implementation to your AuthenticationProcessingFilter.setRememberMeServices() property, include the @@ -3075,9 +3176,12 @@ key: A private key to prevent modification of the remember-me token to be validated by the AuthByAdapterProvider. This authentication provider is defined as follows: - <bean id="authByAdapterProvider" class="org.acegisecurity.adapters.AuthByAdapterProvider"> - <property name="key"><value>my_password</value></property> -</bean> + + my_password + +]]> + The key must match the key that is defined in the container-specific configuration file that starts the adapter. The @@ -3194,15 +3298,18 @@ $CATALINA_HOME/bin/startup.sh the <Configure class> section has a new addRealm call: - <Call name="addRealm"> - <Arg> - <New class="org.acegisecurity.adapters.jetty.JettyAcegiUserRealm"> - <Arg>Spring Powered Realm</Arg> - <Arg>my_password</Arg> - <Arg>etc/acegisecurity.xml</Arg> - </New> - </Arg> - </Call> + + + + Spring Powered Realm + my_password + etc/acegisecurity.xml + + + +]]> + Copy acegisecurity.xml into $JETTY_HOME/etc. @@ -3264,15 +3371,18 @@ $CATALINA_HOME/bin/startup.sh file so that it contains a new entry under the <Policy> section: - <application-policy name = "SpringPoweredRealm"> - <authentication> - <login-module code = "org.acegisecurity.adapters.jboss.JbossSpringLoginModule" - flag = "required"> - <module-option name = "appContextLocation">acegisecurity.xml</module-option> - <module-option name = "key">my_password</module-option> - </login-module> - </authentication> - </application-policy> + + + + acegisecurity.xml + my_password + + + +]]> + Copy acegisecurity.xml into $JBOSS_HOME/server/your_config/conf. @@ -3287,16 +3397,19 @@ $CATALINA_HOME/bin/startup.sh org.springframework.beans.factory.access.SingletonBeanFactoryLocator. The required configuration for this approach is: - <application-policy name = "SpringPoweredRealm"> - <authentication> - <login-module code = "org.acegisecurity.adapters.jboss.JbossSpringLoginModule" - flag = "required"> - <module-option name = "singletonId">springRealm</module-option> - <module-option name = "key">my_password</module-option> - <module-option name = "authenticationManager">authenticationManager</module-option> - </login-module> - </authentication> - </application-policy> + + + + springRealm + my_password + authenticationManager + + + +]]> + In the above code fragment, authenticationManager is a helper property that @@ -3310,15 +3423,18 @@ $CATALINA_HOME/bin/startup.sh beanRefFactory.xml contains the following declaration: - <beans> - <bean id="springRealm" singleton="true" lazy-init="true" class="org.springframework.context.support.ClassPathXmlApplicationContext"> - <constructor-arg> - <list> - <value>acegisecurity.xml</value> - </list> - </constructor-arg> - </bean> -</beans> + + + + + acegisecurity.xml + + + + +]]> + Finally, irrespective of the configuration approach you need to copy the following files into @@ -3359,9 +3475,12 @@ $CATALINA_HOME/bin/startup.sh example, your jboss-web.xml would look like this: - <jboss-web> - <security-domain>java:/jaas/SpringPoweredRealm</security-domain> -</jboss-web> + + java:/jaas/SpringPoweredRealm + +]]> + @@ -3418,15 +3537,18 @@ $CATALINA_HOME/bin/startup.sh application will also contain a resin-web.xml file which Resin uses to start the container adapter: - <web-app> - <authenticator> - <type>org.acegisecurity.adapters.resin.ResinAcegiAuthenticator</type> - <init> - <app-context-location>WEB-INF/resin-acegisecurity.xml</app-context-location> - <key>my_password</key> - </init> - </authenticator> -</web-app> + + + org.acegisecurity.adapters.resin.ResinAcegiAuthenticator + + WEB-INF/resin-acegisecurity.xml + my_password + + + +]]> + With the basic configuration provided above, none of the JAR files listed (or acegi-security-XX.jar) should be @@ -3730,32 +3852,35 @@ $CATALINA_HOME/bin/startup.sh /web/WEB-INF directory. A sample applicationContext.xml is included below: - <bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl"> - <property name="userMap"> - <value> + + + marissa=koala,ROLES_IGNORED_BY_CAS dianne=emu,ROLES_IGNORED_BY_CAS scott=wombat,ROLES_IGNORED_BY_CAS peter=opal,disabled,ROLES_IGNORED_BY_CAS - </value> - </property> -</bean> - -<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider"> - <property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property> -</bean> - -<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager"> - <property name="providers"> - <list> - <ref bean="daoAuthenticationProvider"/> - </list> - </property> -</bean> - -<bean id="casPasswordHandler" class="org.acegisecurity.adapters.cas.CasPasswordHandler"> - <property name="authenticationManager"><ref bean="authenticationManager"/></property> -</bean> + + + + + + + + + + + + + + + + + + + +]]> + Note the granted authorities are ignored by CAS because it has no way of communicating the granted authorities to calling @@ -3767,19 +3892,23 @@ $CATALINA_HOME/bin/startup.sh of the authHandler property) the following lines: - <context-param> - <param-name>edu.yale.its.tp.cas.authHandler</param-name> - <param-value>org.acegisecurity.adapters.cas.CasPasswordHandlerProxy</param-value> -</context-param> - -<context-param> - <param-name>contextConfigLocation</param-name> - <param-value>/WEB-INF/applicationContext.xml</param-value> -</context-param> - -<listener> - <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> -</listener> + + + edu.yale.its.tp.cas.authHandler + org.acegisecurity.adapters.cas.CasPasswordHandlerProxy + + + + contextConfigLocation + /WEB-INF/applicationContext.xml + + + + org.springframework.web.context.ContextLoaderListener + +]]> + Copy the spring.jar and acegi-security.jar files into @@ -3807,10 +3936,14 @@ $CATALINA_HOME/bin/startup.sh You will need to add a ServiceProperties bean to your application context. This represents your service: - <bean id="serviceProperties" class="org.acegisecurity.ui.cas.ServiceProperties"> - <property name="service"><value>https://localhost:8443/contacts-cas/j_acegi_cas_security_check</value></property> - <property name="sendRenew"><value>false</value></property> -</bean> + + + https://localhost:8443/contacts-cas/j_acegi_cas_security_check + false + +]]> + The service must equal a URL that will be monitored by the CasProcessingFilter. The @@ -3845,19 +3978,22 @@ $CATALINA_HOME/bin/startup.sh You will also need to add the CasProcessingFilter to web.xml: - <filter> - <filter-name>Acegi CAS Processing Filter</filter-name> - <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class> - <init-param> - <param-name>targetClass</param-name> - <param-value>org.acegisecurity.ui.cas.CasProcessingFilter</param-value> - </init-param> -</filter> + + Acegi CAS Processing Filter + org.acegisecurity.util.FilterToBeanProxy + + targetClass + org.acegisecurity.ui.cas.CasProcessingFilter + + -<filter-mapping> - <filter-name>Acegi CAS Processing Filter</filter-name> - <url-pattern>/*</url-pattern> -</filter-mapping> + + Acegi CAS Processing Filter + /* + +]]> + The CasProcessingFilter has very similar properties to the AuthenticationProcessingFilter @@ -3878,53 +4014,56 @@ $CATALINA_HOME/bin/startup.sh that uses CasAuthenticationProvider and its collaborators: - <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager"> - <property name="providers"> - <list> - <ref bean="casAuthenticationProvider"/> - </list> - </property> -</bean> - -<bean id="casAuthenticationProvider" class="org.acegisecurity.providers.cas.CasAuthenticationProvider"> - <property name="casAuthoritiesPopulator"><ref bean="casAuthoritiesPopulator"/></property> - <property name="casProxyDecider"><ref bean="casProxyDecider"/></property> - <property name="ticketValidator"><ref bean="casProxyTicketValidator"/></property> - <property name="statelessTicketCache"><ref bean="statelessTicketCache"/></property> - <property name="key"><value>my_password_for_this_auth_provider_only</value></property> -</bean> - -<bean id="casProxyTicketValidator" class="org.acegisecurity.providers.cas.ticketvalidator.CasProxyTicketValidator"> - <property name="casValidate"><value>https://localhost:8443/cas/proxyValidate</value></property> - <property name="proxyCallbackUrl"><value>https://localhost:8443/contacts-cas/casProxy/receptor</value></property> - <property name="serviceProperties"><ref bean="serviceProperties"/></property> - <!-- <property name="trustStore"><value>/some/path/to/your/lib/security/cacerts</value></property> --> -</bean> - -<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"> - <property name="configLocation"> - <value>classpath:/ehcache-failsafe.xml</value> - </property> -</bean> + + + + + + + + + + + + + + my_password_for_this_auth_provider_only + + + + https://localhost:8443/cas/proxyValidate + https://localhost:8443/contacts-cas/casProxy/receptor + + + + + + + classpath:/ehcache-failsafe.xml + + -<bean id="ticketCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean"> - <property name="cacheManager"> - <ref local="cacheManager"/> - </property> - <property name="cacheName"> - <value>ticketCache</value> - </property> -</bean> + + + + + + ticketCache + + -<bean id="statelessTicketCache" class="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache"> - <property name="cache"><ref local="ticketCacheBackend"/></property> -</bean> + + + -<bean id="casAuthoritiesPopulator" class="org.acegisecurity.providers.cas.populator.DaoCasAuthoritiesPopulator"> - <property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property> -</bean> + + + -<bean id="casProxyDecider" class="org.acegisecurity.providers.cas.proxy.RejectProxyTickets"/> + +]]> + The beans are all reasonable self-explanatory if you refer back to the "How CAS Works" section. Careful readers might notice one @@ -3943,15 +4082,18 @@ $CATALINA_HOME/bin/startup.sh ProxyTicketReceptor by adding the following to your web application's web.xml: - <servlet> - <servlet-name>casproxy</servlet-name> - <servlet-class>edu.yale.its.tp.cas.proxy.ProxyTicketReceptor</servlet-class> -</servlet> - -<servlet-mapping> - <servlet-name>casproxy</servlet-name> - <url-pattern>/casProxy/*</url-pattern> -</servlet-mapping> + + casproxy + edu.yale.its.tp.cas.proxy.ProxyTicketReceptor + + + + casproxy + /casProxy/* + +]]> + This completes the configuration of CAS. If you haven't made any mistakes, your web application should happily work within the @@ -4152,8 +4294,9 @@ $CATALINA_HOME/bin/startup.sh For JBoss 3.2.7 (with Tomcat 5.0), the SSL configuration in the server.xml file looks like - this <!-- SSL/TLS Connector configuration --> -<Connector port="8443" address="${jboss.bind.address}" + this + keystoreType="PKCS12" keystorePass="password" truststoreFile="${jboss.server.home.dir}/conf/ca.jks" truststoreType="JKS" truststorePass="password" -/>clientAuth can also be set to +/> +]]> + clientAuth can also be set to want if you still want SSL connections to succeed even if the client doesn't provide a certificate. Obviously these clients won't be able to access any objects secured by Acegi @@ -4358,47 +4503,47 @@ $CATALINA_HOME/bin/startup.sh starting point for configuring your own application. A typical configuration, using some of the beans we've discussed - above, might look like this: - <bean id="initialDirContextFactory" - class="org.acegisecurity.providers.ldap.DefaultInitialDirContextFactory"> - <constructor-arg value="ldap://monkeymachine:389/dc=acegisecurity,dc=org"/> - <property name="managerDn"><value>cn=manager,dc=acegisecurity,dc=org</value></property> - <property name="managerPassword"><value>password</value></property> - </bean> - - <bean id="userSearch" - class="org.acegisecurity.providers.ldap.search.FilterBasedLdapUserSearch"> - <constructor-arg index="0"> - <value></value> - </constructor-arg> - <constructor-arg index="1"> - <value>(uid={0})</value> - </constructor-arg> - <constructor-arg index="2"> - <ref local="initialDirContextFactory" /> - </constructor-arg> - <property name="searchSubtree"> - <value>true</value> - </property> - </bean> + above, might look like this: + + cn=manager,dc=acegisecurity,dc=org + password + + + + + + + + (uid={0}) + + + + + + true + + - <bean id="ldapAuthProvider" - class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider"> - <constructor-arg> - <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator"> - <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg> - <property name="userDnPatterns"><list><value>uid={0},ou=people</value></list></property> - </bean> - </constructor-arg> - <constructor-arg> - <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator"> - <constructor-arg><ref local="initialDirContextFactory"/></constructor-arg> - <constructor-arg><value>ou=groups</value></constructor-arg> - <property name="groupRoleAttribute"><value>ou</value></property> - </bean> - </constructor-arg> - </bean> - + + + + + uid={0},ou=people + + + + + + ou=groups + ou + + + +]]> This would set up the provider to access an LDAP server with URL ldap://monkeymachine:389/dc=acegisecurity,dc=org. @@ -4464,48 +4609,54 @@ $CATALINA_HOME/bin/startup.sh To utilise Acegi Security's channel security services, add the following lines to web.xml: - <filter> - <filter-name>Acegi Channel Processing Filter</filter-name> - <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class> - <init-param> - <param-name>targetClass</param-name> - <param-value>org.acegisecurity.securechannel.ChannelProcessingFilter</param-value> - </init-param> -</filter> + + Acegi Channel Processing Filter + org.acegisecurity.util.FilterToBeanProxy + + targetClass + org.acegisecurity.securechannel.ChannelProcessingFilter + + -<filter-mapping> - <filter-name>Acegi Channel Processing Filter</filter-name> - <url-pattern>/*</url-pattern> -</filter-mapping> + + Acegi Channel Processing Filter + /* + +]]> + As usual when running FilterToBeanProxy, you will also need to configure the filter in your application context: - <bean id="channelProcessingFilter" class="org.acegisecurity.securechannel.ChannelProcessingFilter"> - <property name="channelDecisionManager"><ref bean="channelDecisionManager"/></property> - <property name="filterInvocationDefinitionSource"> - <value> + + + + CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON \A/secure/.*\Z=REQUIRES_SECURE_CHANNEL \A/acegilogin.jsp.*\Z=REQUIRES_SECURE_CHANNEL \A/j_acegi_security_check.*\Z=REQUIRES_SECURE_CHANNEL \A.*\Z=REQUIRES_INSECURE_CHANNEL - </value> - </property> -</bean> - -<bean id="channelDecisionManager" class="org.acegisecurity.securechannel.ChannelDecisionManagerImpl"> - <property name="channelProcessors"> - <list> - <ref bean="secureChannelProcessor"/> - <ref bean="insecureChannelProcessor"/> - </list> - </property> -</bean> - -<bean id="secureChannelProcessor" class="org.acegisecurity.securechannel.SecureChannelProcessor"/> -<bean id="insecureChannelProcessor" class="org.acegisecurity.securechannel.InsecureChannelProcessor"/> + + + + + + + + + + + + + + + +]]> + Like FilterSecurityInterceptor, Apache Ant style paths are also supported by the @@ -5027,14 +5178,17 @@ INSERT INTO acl_permission VALUES (null, 6, 'scott', 1); FilterToBeanProxy. An example configuration from web.xml follows: - <filter> - <filter-name>Acegi HTTP Request Security Filter</filter-name> - <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class> - <init-param> - <param-name>targetClass</param-name> - <param-value>org.acegisecurity.ClassThatImplementsFilter</param-value> - </init-param> -</filter> + + Acegi HTTP Request Security Filter + org.acegisecurity.util.FilterToBeanProxy + + targetClass + org.acegisecurity.ClassThatImplementsFilter + + +]]> + Notice that the filter in web.xml is actually a FilterToBeanProxy, and not the filter that will @@ -5104,16 +5258,19 @@ INSERT INTO acl_permission VALUES (null, 6, 'scott', 1); chain is then declared in the application context, using code such as this: - <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy"> - <property name="filterInvocationDefinitionSource"> - <value> + + + CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT /webServices/**=httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor /**=httpSessionContextIntegrationFilterWithASCTrue,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor - </value> - </property> -</bean> + + + +]]> + You may notice similarities with the way FilterSecurityInterceptor is declared. Both regular