|
|
|
@ -4,7 +4,7 @@ |
|
|
|
|
|
|
|
|
|
|
|
<!-- |
|
|
|
<!-- |
|
|
|
* ======================================================================== |
|
|
|
* ======================================================================== |
|
|
|
* |
|
|
|
* |
|
|
|
* Copyright 2004 Acegi Technology Pty Limited |
|
|
|
* Copyright 2004 Acegi Technology Pty Limited |
|
|
|
* |
|
|
|
* |
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License"); |
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License"); |
|
|
|
@ -18,7 +18,7 @@ |
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|
|
|
* See the License for the specific language governing permissions and |
|
|
|
* See the License for the specific language governing permissions and |
|
|
|
* limitations under the License. |
|
|
|
* limitations under the License. |
|
|
|
* |
|
|
|
* |
|
|
|
* ======================================================================== |
|
|
|
* ======================================================================== |
|
|
|
--> |
|
|
|
--> |
|
|
|
<book> |
|
|
|
<book> |
|
|
|
@ -27,7 +27,7 @@ |
|
|
|
|
|
|
|
|
|
|
|
<subtitle>Reference Documentation</subtitle> |
|
|
|
<subtitle>Reference Documentation</subtitle> |
|
|
|
|
|
|
|
|
|
|
|
<releaseinfo>1.0.4</releaseinfo> |
|
|
|
<releaseinfo>1.0.5</releaseinfo> |
|
|
|
|
|
|
|
|
|
|
|
<authorgroup> |
|
|
|
<authorgroup> |
|
|
|
<author> |
|
|
|
<author> |
|
|
|
@ -479,7 +479,7 @@ if (obj instanceof UserDetails) { |
|
|
|
<literal>ROLE_HR_SUPERVISOR</literal>. These roles are later on |
|
|
|
<literal>ROLE_HR_SUPERVISOR</literal>. These roles are later on |
|
|
|
configured for web authorization, method authorization and domain |
|
|
|
configured for web authorization, method authorization and domain |
|
|
|
object authorization. Other parts of Acegi Security are capable of |
|
|
|
object authorization. Other parts of Acegi Security are capable of |
|
|
|
interpreting these authorities, and expect them to be present. |
|
|
|
interpreting these authorities, and expect them to be present. |
|
|
|
<literal>GrantedAuthority</literal> objects are usually loaded by |
|
|
|
<literal>GrantedAuthority</literal> objects are usually loaded by |
|
|
|
the <literal>UserDetailsService</literal>.</para> |
|
|
|
the <literal>UserDetailsService</literal>.</para> |
|
|
|
|
|
|
|
|
|
|
|
@ -1068,6 +1068,19 @@ if (obj instanceof UserDetails) { |
|
|
|
any servlet container lifecycle invocations are not delegated through |
|
|
|
any servlet container lifecycle invocations are not delegated through |
|
|
|
to <literal>FilterChainProxy</literal>.</para> |
|
|
|
to <literal>FilterChainProxy</literal>.</para> |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<para>You can also omit a URI pattern from the filter chain by using |
|
|
|
|
|
|
|
the token <literal>#NONE#</literal> on the right-hand side of the |
|
|
|
|
|
|
|
<literal><URI Pattern> = <Filter Chain></literal> expression. For example, using |
|
|
|
|
|
|
|
the example above, if you wanted to exclude the <filename>/webservices</filename> |
|
|
|
|
|
|
|
location completely, you would modify the corresponding line in the bean declaration to be |
|
|
|
|
|
|
|
<programlisting> |
|
|
|
|
|
|
|
/webServices/**=#NONE# |
|
|
|
|
|
|
|
</programlisting> |
|
|
|
|
|
|
|
Note that anything matching this path will then have no authentication |
|
|
|
|
|
|
|
or authorization services applied and will be freely accessible. |
|
|
|
|
|
|
|
</para> |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<para>The order that filters are defined in <literal>web.xml</literal> |
|
|
|
<para>The order that filters are defined in <literal>web.xml</literal> |
|
|
|
is very important. Irrespective of which filters you are actually |
|
|
|
is very important. Irrespective of which filters you are actually |
|
|
|
using, the order of the <literal><filter-mapping></literal>s |
|
|
|
using, the order of the <literal><filter-mapping></literal>s |
|
|
|
@ -1230,7 +1243,7 @@ if (obj instanceof UserDetails) { |
|
|
|
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON |
|
|
|
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON |
|
|
|
\A/secure/.*\Z=REQUIRES_SECURE_CHANNEL |
|
|
|
\A/secure/.*\Z=REQUIRES_SECURE_CHANNEL |
|
|
|
\A/acegilogin.jsp.*\Z=REQUIRES_SECURE_CHANNEL |
|
|
|
\A/acegilogin.jsp.*\Z=REQUIRES_SECURE_CHANNEL |
|
|
|
\A/j_acegi_security_check.*\Z=REQUIRES_SECURE_CHANNEL |
|
|
|
\A/j_acegi_security_check.*\Z=REQUIRES_SECURE_CHANNEL |
|
|
|
\A.*\Z=REQUIRES_INSECURE_CHANNEL |
|
|
|
\A.*\Z=REQUIRES_INSECURE_CHANNEL |
|
|
|
</value> |
|
|
|
</value> |
|
|
|
</property> |
|
|
|
</property> |
|
|
|
@ -1918,7 +1931,7 @@ if (obj instanceof UserDetails) { |
|
|
|
<value>classpath:/ehcache-failsafe.xml</value> |
|
|
|
<value>classpath:/ehcache-failsafe.xml</value> |
|
|
|
</property> |
|
|
|
</property> |
|
|
|
</bean> |
|
|
|
</bean> |
|
|
|
|
|
|
|
|
|
|
|
<bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean"> |
|
|
|
<bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean"> |
|
|
|
<property name="cacheManager"> |
|
|
|
<property name="cacheManager"> |
|
|
|
<ref local="cacheManager"/> |
|
|
|
<ref local="cacheManager"/> |
|
|
|
@ -1927,7 +1940,7 @@ if (obj instanceof UserDetails) { |
|
|
|
<value>userCache</value> |
|
|
|
<value>userCache</value> |
|
|
|
</property> |
|
|
|
</property> |
|
|
|
</bean> |
|
|
|
</bean> |
|
|
|
|
|
|
|
|
|
|
|
<bean id="userCache" class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache"> |
|
|
|
<bean id="userCache" class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache"> |
|
|
|
<property name="cache"><ref local="userCacheBackend"/></property> |
|
|
|
<property name="cache"><ref local="userCacheBackend"/></property> |
|
|
|
</bean> </programlisting></para> |
|
|
|
</bean> </programlisting></para> |
|
|
|
@ -2774,7 +2787,7 @@ key: A private key to prevent modification of the remember-me token |
|
|
|
<property name="userDetailsService"><ref local="jdbcDaoImpl"/></property> |
|
|
|
<property name="userDetailsService"><ref local="jdbcDaoImpl"/></property> |
|
|
|
<property name="key"><value>springRocks</value></property> |
|
|
|
<property name="key"><value>springRocks</value></property> |
|
|
|
</bean> |
|
|
|
</bean> |
|
|
|
|
|
|
|
|
|
|
|
<bean id="rememberMeAuthenticationProvider" class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider"> |
|
|
|
<bean id="rememberMeAuthenticationProvider" class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider"> |
|
|
|
<property name="key"><value>springRocks</value></property> |
|
|
|
<property name="key"><value>springRocks</value></property> |
|
|
|
</bean> |
|
|
|
</bean> |
|
|
|
@ -3126,7 +3139,7 @@ key: A private key to prevent modification of the remember-me token |
|
|
|
|
|
|
|
|
|
|
|
<para>A typical configuration, using some of the beans we've discussed |
|
|
|
<para>A typical configuration, using some of the beans we've discussed |
|
|
|
above, might look like this: <programlisting> |
|
|
|
above, might look like this: <programlisting> |
|
|
|
<bean id="initialDirContextFactory" |
|
|
|
<bean id="initialDirContextFactory" |
|
|
|
class="org.acegisecurity.ldap.DefaultInitialDirContextFactory"> |
|
|
|
class="org.acegisecurity.ldap.DefaultInitialDirContextFactory"> |
|
|
|
<constructor-arg value="ldap://monkeymachine:389/dc=acegisecurity,dc=org"/> |
|
|
|
<constructor-arg value="ldap://monkeymachine:389/dc=acegisecurity,dc=org"/> |
|
|
|
<property name="managerDn"><value>cn=manager,dc=acegisecurity,dc=org</value></property> |
|
|
|
<property name="managerDn"><value>cn=manager,dc=acegisecurity,dc=org</value></property> |
|
|
|
@ -3143,13 +3156,13 @@ key: A private key to prevent modification of the remember-me token |
|
|
|
</constructor-arg> |
|
|
|
</constructor-arg> |
|
|
|
<constructor-arg index="2"> |
|
|
|
<constructor-arg index="2"> |
|
|
|
<ref local="initialDirContextFactory" /> |
|
|
|
<ref local="initialDirContextFactory" /> |
|
|
|
</constructor-arg> |
|
|
|
</constructor-arg> |
|
|
|
<property name="searchSubtree"> |
|
|
|
<property name="searchSubtree"> |
|
|
|
<value>true</value> |
|
|
|
<value>true</value> |
|
|
|
</property> |
|
|
|
</property> |
|
|
|
</bean> |
|
|
|
</bean> |
|
|
|
|
|
|
|
|
|
|
|
<bean id="ldapAuthProvider" |
|
|
|
<bean id="ldapAuthProvider" |
|
|
|
class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider"> |
|
|
|
class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider"> |
|
|
|
<constructor-arg> |
|
|
|
<constructor-arg> |
|
|
|
<bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator"> |
|
|
|
<bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator"> |
|
|
|
@ -3165,7 +3178,7 @@ key: A private key to prevent modification of the remember-me token |
|
|
|
</bean> |
|
|
|
</bean> |
|
|
|
</constructor-arg> |
|
|
|
</constructor-arg> |
|
|
|
</bean> |
|
|
|
</bean> |
|
|
|
|
|
|
|
|
|
|
|
</programlisting> This would set up the provider to access an LDAP |
|
|
|
</programlisting> This would set up the provider to access an LDAP |
|
|
|
server with URL |
|
|
|
server with URL |
|
|
|
<literal>ldap://monkeymachine:389/dc=acegisecurity,dc=org</literal>. |
|
|
|
<literal>ldap://monkeymachine:389/dc=acegisecurity,dc=org</literal>. |
|
|
|
@ -3620,7 +3633,7 @@ key: A private key to prevent modification of the remember-me token |
|
|
|
<bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" /> |
|
|
|
<bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" /> |
|
|
|
</list> |
|
|
|
</list> |
|
|
|
</property> |
|
|
|
</property> |
|
|
|
|
|
|
|
|
|
|
|
<property name="authenticationHandlers"> |
|
|
|
<property name="authenticationHandlers"> |
|
|
|
<list> |
|
|
|
<list> |
|
|
|
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" /> |
|
|
|
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" /> |
|
|
|
@ -3630,8 +3643,8 @@ key: A private key to prevent modification of the remember-me token |
|
|
|
</list> |
|
|
|
</list> |
|
|
|
</property> |
|
|
|
</property> |
|
|
|
</bean> |
|
|
|
</bean> |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl"> |
|
|
|
<bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl"> |
|
|
|
<property name="userMap"> |
|
|
|
<property name="userMap"> |
|
|
|
<value> |
|
|
|
<value> |
|
|
|
@ -3642,11 +3655,11 @@ key: A private key to prevent modification of the remember-me token |
|
|
|
</value> |
|
|
|
</value> |
|
|
|
</property> |
|
|
|
</property> |
|
|
|
</bean> |
|
|
|
</bean> |
|
|
|
|
|
|
|
|
|
|
|
<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider"> |
|
|
|
<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider"> |
|
|
|
<property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property> |
|
|
|
<property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property> |
|
|
|
</bean> |
|
|
|
</bean> |
|
|
|
|
|
|
|
|
|
|
|
<bean id="acegiAuthenticationManager" class="org.acegisecurity.providers.ProviderManager"> |
|
|
|
<bean id="acegiAuthenticationManager" class="org.acegisecurity.providers.ProviderManager"> |
|
|
|
<property name="providers"> |
|
|
|
<property name="providers"> |
|
|
|
<list> |
|
|
|
<list> |
|
|
|
@ -3655,7 +3668,7 @@ key: A private key to prevent modification of the remember-me token |
|
|
|
</property> |
|
|
|
</property> |
|
|
|
</bean> |
|
|
|
</bean> |
|
|
|
</beans> |
|
|
|
</beans> |
|
|
|
|
|
|
|
|
|
|
|
</programlisting> |
|
|
|
</programlisting> |
|
|
|
|
|
|
|
|
|
|
|
<para>Note the granted authorities are ignored by CAS because it has |
|
|
|
<para>Note the granted authorities are ignored by CAS because it has |
|
|
|
@ -3663,7 +3676,7 @@ key: A private key to prevent modification of the remember-me token |
|
|
|
applications. CAS is only concerned with username and passwords (and |
|
|
|
applications. CAS is only concerned with username and passwords (and |
|
|
|
the enabled/disabled status).</para> |
|
|
|
the enabled/disabled status).</para> |
|
|
|
|
|
|
|
|
|
|
|
<para>Copy <literal>acegi-security.jar</literal> and |
|
|
|
<para>Copy <literal>acegi-security.jar</literal> and |
|
|
|
<literal>acegi-security-cas.jar</literal> files into |
|
|
|
<literal>acegi-security-cas.jar</literal> files into |
|
|
|
<literal>/localPlugins/lib</literal>. Now use the <literal>ant |
|
|
|
<literal>/localPlugins/lib</literal>. Now use the <literal>ant |
|
|
|
war</literal> task in the <literal>build.xml</literal> in the |
|
|
|
war</literal> task in the <literal>build.xml</literal> in the |
|
|
|
@ -3721,7 +3734,7 @@ key: A private key to prevent modification of the remember-me token |
|
|
|
|
|
|
|
|
|
|
|
<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter"> |
|
|
|
<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter"> |
|
|
|
<property name="authenticationEntryPoint"><ref local="casProcessingFilterEntryPoint"/></property> |
|
|
|
<property name="authenticationEntryPoint"><ref local="casProcessingFilterEntryPoint"/></property> |
|
|
|
</bean> |
|
|
|
</bean> |
|
|
|
|
|
|
|
|
|
|
|
<bean id="casProcessingFilterEntryPoint" class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint"> |
|
|
|
<bean id="casProcessingFilterEntryPoint" class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint"> |
|
|
|
<property name="loginUrl"><value>https://localhost:8443/cas/login</value></property> |
|
|
|
<property name="loginUrl"><value>https://localhost:8443/cas/login</value></property> |
|
|
|
@ -3733,7 +3746,7 @@ key: A private key to prevent modification of the remember-me token |
|
|
|
<para>You will also need to add the |
|
|
|
<para>You will also need to add the |
|
|
|
<literal>CasProcessingFilter</literal> to web.xml:</para> |
|
|
|
<literal>CasProcessingFilter</literal> to web.xml:</para> |
|
|
|
|
|
|
|
|
|
|
|
<para><programlisting> |
|
|
|
<para><programlisting> |
|
|
|
<filter> |
|
|
|
<filter> |
|
|
|
<filter-name>Acegi CAS Processing Filter</filter-name> |
|
|
|
<filter-name>Acegi CAS Processing Filter</filter-name> |
|
|
|
<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class> |
|
|
|
<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class> |
|
|
|
@ -3798,7 +3811,7 @@ key: A private key to prevent modification of the remember-me token |
|
|
|
<value>classpath:/ehcache-failsafe.xml</value> |
|
|
|
<value>classpath:/ehcache-failsafe.xml</value> |
|
|
|
</property> |
|
|
|
</property> |
|
|
|
</bean> |
|
|
|
</bean> |
|
|
|
|
|
|
|
|
|
|
|
<bean id="ticketCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean"> |
|
|
|
<bean id="ticketCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean"> |
|
|
|
<property name="cacheManager"> |
|
|
|
<property name="cacheManager"> |
|
|
|
<ref local="cacheManager"/> |
|
|
|
<ref local="cacheManager"/> |
|
|
|
@ -3807,7 +3820,7 @@ key: A private key to prevent modification of the remember-me token |
|
|
|
<value>ticketCache</value> |
|
|
|
<value>ticketCache</value> |
|
|
|
</property> |
|
|
|
</property> |
|
|
|
</bean> |
|
|
|
</bean> |
|
|
|
|
|
|
|
|
|
|
|
<bean id="statelessTicketCache" class="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache"> |
|
|
|
<bean id="statelessTicketCache" class="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache"> |
|
|
|
<property name="cache"><ref local="ticketCacheBackend"/></property> |
|
|
|
<property name="cache"><ref local="ticketCacheBackend"/></property> |
|
|
|
</bean> |
|
|
|
</bean> |
|
|
|
@ -4110,7 +4123,7 @@ key: A private key to prevent modification of the remember-me token |
|
|
|
file so that it contains a new entry under the |
|
|
|
file so that it contains a new entry under the |
|
|
|
<literal><Policy></literal> section:</para> |
|
|
|
<literal><Policy></literal> section:</para> |
|
|
|
|
|
|
|
|
|
|
|
<para><programlisting> |
|
|
|
<para><programlisting> |
|
|
|
<application-policy name = "SpringPoweredRealm"> |
|
|
|
<application-policy name = "SpringPoweredRealm"> |
|
|
|
<authentication> |
|
|
|
<authentication> |
|
|
|
<login-module code = "org.acegisecurity.adapters.jboss.JbossAcegiLoginModule" |
|
|
|
<login-module code = "org.acegisecurity.adapters.jboss.JbossAcegiLoginModule" |
|
|
|
@ -4120,7 +4133,7 @@ key: A private key to prevent modification of the remember-me token |
|
|
|
</login-module> |
|
|
|
</login-module> |
|
|
|
</authentication> |
|
|
|
</authentication> |
|
|
|
</application-policy> |
|
|
|
</application-policy> |
|
|
|
|
|
|
|
|
|
|
|
</programlisting></para> |
|
|
|
</programlisting></para> |
|
|
|
|
|
|
|
|
|
|
|
<para>Copy <literal>acegisecurity.xml</literal> into |
|
|
|
<para>Copy <literal>acegisecurity.xml</literal> into |
|
|
|
@ -5224,7 +5237,7 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { |
|
|
|
|
|
|
|
|
|
|
|
private AspectJSecurityInterceptor securityInterceptor; |
|
|
|
private AspectJSecurityInterceptor securityInterceptor; |
|
|
|
|
|
|
|
|
|
|
|
pointcut domainObjectInstanceExecution(): target(PersistableEntity) |
|
|
|
pointcut domainObjectInstanceExecution(): target(PersistableEntity) |
|
|
|
&& execution(public * *(..)) && !within(DomainObjectInstanceSecurityAspect); |
|
|
|
&& execution(public * *(..)) && !within(DomainObjectInstanceSecurityAspect); |
|
|
|
|
|
|
|
|
|
|
|
Object around(): domainObjectInstanceExecution() { |
|
|
|
Object around(): domainObjectInstanceExecution() { |
|
|
|
@ -5270,7 +5283,7 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { |
|
|
|
declaration which achieves this is shown below:</para> |
|
|
|
declaration which achieves this is shown below:</para> |
|
|
|
|
|
|
|
|
|
|
|
<programlisting> |
|
|
|
<programlisting> |
|
|
|
<bean id="domainObjectInstanceSecurityAspect" |
|
|
|
<bean id="domainObjectInstanceSecurityAspect" |
|
|
|
class="org.acegisecurity.samples.aspectj.DomainObjectInstanceSecurityAspect" |
|
|
|
class="org.acegisecurity.samples.aspectj.DomainObjectInstanceSecurityAspect" |
|
|
|
factory-method="aspectOf"> |
|
|
|
factory-method="aspectOf"> |
|
|
|
<property name="securityInterceptor"><ref bean="aspectJSecurityInterceptor"/></property> |
|
|
|
<property name="securityInterceptor"><ref bean="aspectJSecurityInterceptor"/></property> |
|
|
|
@ -5322,7 +5335,7 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean { |
|
|
|
<property name="loginFormUrl"><value>/acegilogin.jsp</value></property> |
|
|
|
<property name="loginFormUrl"><value>/acegilogin.jsp</value></property> |
|
|
|
<property name="forceHttps"><value>false</value></property> |
|
|
|
<property name="forceHttps"><value>false</value></property> |
|
|
|
</bean> |
|
|
|
</bean> |
|
|
|
|
|
|
|
|
|
|
|
<bean id="filterSecurityInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor"> |
|
|
|
<bean id="filterSecurityInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor"> |
|
|
|
<property name="authenticationManager"><ref bean="authenticationManager"/></property> |
|
|
|
<property name="authenticationManager"><ref bean="authenticationManager"/></property> |
|
|
|
<property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property> |
|
|
|
<property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property> |
|
|
|
|
Luke Taylor
19 years ago