From f47ccd81a6dcba017bf9fd487e8d1ca2f7eb3887 Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Mon, 27 Aug 2007 23:05:16 +0000 Subject: [PATCH] SEC-487: Added documentation on use of #NONE# in FilterChainProxy. Also changed doc version to 1.0.5. --- doc/docbook/acegi.xml | 75 +++++++++++++++++++++++++------------------ 1 file changed, 44 insertions(+), 31 deletions(-) diff --git a/doc/docbook/acegi.xml b/doc/docbook/acegi.xml index caeb4bd187..cc076c4d4a 100644 --- a/doc/docbook/acegi.xml +++ b/doc/docbook/acegi.xml @@ -4,7 +4,7 @@ @@ -27,7 +27,7 @@ Reference Documentation - 1.0.4 + 1.0.5 @@ -479,7 +479,7 @@ if (obj instanceof UserDetails) { ROLE_HR_SUPERVISOR. These roles are later on configured for web authorization, method authorization and domain object authorization. Other parts of Acegi Security are capable of - interpreting these authorities, and expect them to be present. + interpreting these authorities, and expect them to be present. GrantedAuthority objects are usually loaded by the UserDetailsService. @@ -1068,6 +1068,19 @@ if (obj instanceof UserDetails) { any servlet container lifecycle invocations are not delegated through to FilterChainProxy. + You can also omit a URI pattern from the filter chain by using + the token #NONE# on the right-hand side of the + <URI Pattern> = <Filter Chain> expression. For example, using + the example above, if you wanted to exclude the /webservices + location completely, you would modify the corresponding line in the bean declaration to be + +/webServices/**=#NONE# + + Note that anything matching this path will then have no authentication + or authorization services applied and will be freely accessible. + + + The order that filters are defined in web.xml is very important. Irrespective of which filters you are actually using, the order of the <filter-mapping>s @@ -1230,7 +1243,7 @@ if (obj instanceof UserDetails) { CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON \A/secure/.*\Z=REQUIRES_SECURE_CHANNEL \A/acegilogin.jsp.*\Z=REQUIRES_SECURE_CHANNEL - \A/j_acegi_security_check.*\Z=REQUIRES_SECURE_CHANNEL + \A/j_acegi_security_check.*\Z=REQUIRES_SECURE_CHANNEL \A.*\Z=REQUIRES_INSECURE_CHANNEL </value> </property> @@ -1918,7 +1931,7 @@ if (obj instanceof UserDetails) { <value>classpath:/ehcache-failsafe.xml</value> </property> </bean> - + <bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean"> <property name="cacheManager"> <ref local="cacheManager"/> @@ -1927,7 +1940,7 @@ if (obj instanceof UserDetails) { <value>userCache</value> </property> </bean> - + <bean id="userCache" class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache"> <property name="cache"><ref local="userCacheBackend"/></property> </bean> @@ -2774,7 +2787,7 @@ key: A private key to prevent modification of the remember-me token <property name="userDetailsService"><ref local="jdbcDaoImpl"/></property> <property name="key"><value>springRocks</value></property> </bean> - + <bean id="rememberMeAuthenticationProvider" class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider"> <property name="key"><value>springRocks</value></property> </bean> @@ -3126,7 +3139,7 @@ key: A private key to prevent modification of the remember-me token A typical configuration, using some of the beans we've discussed above, might look like this: - <bean id="initialDirContextFactory" + <bean id="initialDirContextFactory" class="org.acegisecurity.ldap.DefaultInitialDirContextFactory"> <constructor-arg value="ldap://monkeymachine:389/dc=acegisecurity,dc=org"/> <property name="managerDn"><value>cn=manager,dc=acegisecurity,dc=org</value></property> @@ -3143,13 +3156,13 @@ key: A private key to prevent modification of the remember-me token </constructor-arg> <constructor-arg index="2"> <ref local="initialDirContextFactory" /> - </constructor-arg> + </constructor-arg> <property name="searchSubtree"> <value>true</value> - </property> - </bean> - - <bean id="ldapAuthProvider" + </property> + </bean> + + <bean id="ldapAuthProvider" class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider"> <constructor-arg> <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator"> @@ -3165,7 +3178,7 @@ key: A private key to prevent modification of the remember-me token </bean> </constructor-arg> </bean> - + This would set up the provider to access an LDAP server with URL ldap://monkeymachine:389/dc=acegisecurity,dc=org. @@ -3620,7 +3633,7 @@ key: A private key to prevent modification of the remember-me token <bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" /> </list> </property> - + <property name="authenticationHandlers"> <list> <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" /> @@ -3630,8 +3643,8 @@ key: A private key to prevent modification of the remember-me token </list> </property> </bean> - - + + <bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl"> <property name="userMap"> <value> @@ -3642,11 +3655,11 @@ key: A private key to prevent modification of the remember-me token </value> </property> </bean> - + <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider"> <property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property> </bean> - + <bean id="acegiAuthenticationManager" class="org.acegisecurity.providers.ProviderManager"> <property name="providers"> <list> @@ -3655,7 +3668,7 @@ key: A private key to prevent modification of the remember-me token </property> </bean> </beans> - + Note the granted authorities are ignored by CAS because it has @@ -3663,7 +3676,7 @@ key: A private key to prevent modification of the remember-me token applications. CAS is only concerned with username and passwords (and the enabled/disabled status). - Copy acegi-security.jar and + Copy acegi-security.jar and acegi-security-cas.jar files into /localPlugins/lib. Now use the ant war task in the build.xml in the @@ -3721,7 +3734,7 @@ key: A private key to prevent modification of the remember-me token <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter"> <property name="authenticationEntryPoint"><ref local="casProcessingFilterEntryPoint"/></property> -</bean> +</bean> <bean id="casProcessingFilterEntryPoint" class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint"> <property name="loginUrl"><value>https://localhost:8443/cas/login</value></property> @@ -3733,7 +3746,7 @@ key: A private key to prevent modification of the remember-me token You will also need to add the CasProcessingFilter to web.xml: - + <filter> <filter-name>Acegi CAS Processing Filter</filter-name> <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class> @@ -3798,7 +3811,7 @@ key: A private key to prevent modification of the remember-me token <value>classpath:/ehcache-failsafe.xml</value> </property> </bean> - + <bean id="ticketCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean"> <property name="cacheManager"> <ref local="cacheManager"/> @@ -3807,7 +3820,7 @@ key: A private key to prevent modification of the remember-me token <value>ticketCache</value> </property> </bean> - + <bean id="statelessTicketCache" class="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache"> <property name="cache"><ref local="ticketCacheBackend"/></property> </bean> @@ -4110,7 +4123,7 @@ key: A private key to prevent modification of the remember-me token file so that it contains a new entry under the <Policy> section: - + <application-policy name = "SpringPoweredRealm"> <authentication> <login-module code = "org.acegisecurity.adapters.jboss.JbossAcegiLoginModule" @@ -4120,7 +4133,7 @@ key: A private key to prevent modification of the remember-me token </login-module> </authentication> </application-policy> - + Copy acegisecurity.xml into @@ -5224,7 +5237,7 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { private AspectJSecurityInterceptor securityInterceptor; - pointcut domainObjectInstanceExecution(): target(PersistableEntity) + pointcut domainObjectInstanceExecution(): target(PersistableEntity) && execution(public * *(..)) && !within(DomainObjectInstanceSecurityAspect); Object around(): domainObjectInstanceExecution() { @@ -5270,7 +5283,7 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { declaration which achieves this is shown below: -<bean id="domainObjectInstanceSecurityAspect" +<bean id="domainObjectInstanceSecurityAspect" class="org.acegisecurity.samples.aspectj.DomainObjectInstanceSecurityAspect" factory-method="aspectOf"> <property name="securityInterceptor"><ref bean="aspectJSecurityInterceptor"/></property> @@ -5322,7 +5335,7 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { <property name="loginFormUrl"><value>/acegilogin.jsp</value></property> <property name="forceHttps"><value>false</value></property> </bean> - + <bean id="filterSecurityInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor"> <property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>