From ecd63cabdaaeef39094aca1a81ab51738fb5762e Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Wed, 6 Aug 2008 00:20:58 +0000 Subject: [PATCH] Added use of ANY_CHANNEL attribute to channel-security docbook --- src/docbkx/channel-security.xml | 67 ++++++++++++++++----------------- 1 file changed, 33 insertions(+), 34 deletions(-) diff --git a/src/docbkx/channel-security.xml b/src/docbkx/channel-security.xml index 06cc37e388..0b77c25dce 100644 --- a/src/docbkx/channel-security.xml +++ b/src/docbkx/channel-security.xml @@ -40,35 +40,33 @@ by means of the requires-channel attribute on the <intercept-url> element and this is the simplest (and recommended approach) To confiure channel security explicitly, you would define the following the filter in your application - context: + context: + + + + + + + + + + + - -<bean id="channelProcessingFilter" class="org.springframework.security.securechannel.ChannelProcessingFilter"> - <property name="channelDecisionManager" ref="channelDecisionManager"/> - <property name="filterInvocationDefinitionSource"> - <security:filter-invocation-definition-source path-type="regex"> - <security:intercept-url pattern="\A/secure/.*\Z" access="REQUIRES_SECURE_CHANNEL"/> - <security:intercept-url pattern="\A/acegilogin.jsp.*\" access="REQUIRES_SECURE_CHANNEL"/> - <security:intercept-url pattern="\A/j_spring_security_check.*\Z" access="REQUIRES_SECURE_CHANNEL"/> - <security:intercept-url pattern="\A/.*\Z" access="REQUIRES_INSECURE_CHANNEL"/> - </security:filter-invocation-definition-source> - </property> -</bean> + + + + + + + + -<bean id="channelDecisionManager" class="org.springframework.security.securechannel.ChannelDecisionManagerImpl"> - <property name="channelProcessors"> - <list> - <ref bean="secureChannelProcessor"/> - <ref bean="insecureChannelProcessor"/> - </list> - </property> -</bean> - -<bean id="secureChannelProcessor" class="org.springframework.security.securechannel.SecureChannelProcessor"/> -<bean id="insecureChannelProcessor" class="org.springframework.security.securechannel.InsecureChannelProcessor"/> - - - Like FilterSecurityInterceptor, Apache Ant + +]]> + + Like FilterSecurityInterceptor, Apache Ant style paths are also supported by the ChannelProcessingFilter. @@ -77,10 +75,11 @@ attributes that apply. It then delegates to the ChannelDecisionManager. The default implementation, ChannelDecisionManagerImpl, should suffice in most - cases. It simply delegates through the list of configured - ChannelProcessor instances. A + cases. It simply delegates to the list of configured + ChannelProcessor instances. The attribute ANY_CHANNEL + can be used to override this behaviour and skip a particular URL. Otherwise, a ChannelProcessor will review the request, and if it - is unhappy with the request (eg it was received across the incorrect + is unhappy with the request (e.g. if it was received across the incorrect transport protocol), it will perform a redirect, throw an exception or take whatever other action is appropriate. @@ -99,7 +98,7 @@ request to HTTP and HTTPS as appropriate. Appropriate defaults are assigned to the ChannelProcessor implementations for the configuration attribute keywords they respond to and the - ChannelEntryPoint they delegate to, although you + ChannelEntryPoint they delegate to, although you have the ability to override these using the application context. @@ -109,15 +108,15 @@ that Internet Explorer 6 Service Pack 1 has a bug whereby it does not respond correctly to a redirection instruction which also changes the port to use. Accordingly, absolute URLs are used in conjunction with - bug detection logic in the PortResolverImpl that is + bug detection logic in the PortResolverImpl that is wired up by default to many Spring Security beans. Please refer to the - JavaDocs for PortResolverImpl for further + JavaDocs for PortResolverImpl for further details. You should note that using a secure channel is recommended if usernames and passwords are to be kept secure during the login process. If you do decide to use - ChannelProcessingFilter with form-based login, + ChannelProcessingFilter with form-based login, please ensure that your login page is set to REQUIRES_SECURE_CHANNEL, and that the AuthenticationProcessingFilterEntryPoint.forceHttps