From fe33f08b73ae64198e145334928009aa60c803c6 Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Sun, 23 Aug 2009 16:42:06 +0000 Subject: [PATCH] SEC-1201: Allow requires-channel attribute to take placeholders. --- .../config/http/ChannelAttributeFactory.java | 37 + .../HttpSecurityBeanDefinitionParser.java | 31 +- .../security/config/http/WebConfigUtils.java | 2 +- .../security/config/spring-security-3.0.rnc | 4 +- .../security/config/spring-security-3.0.xsd | 3415 ++++++++--------- ...HttpSecurityBeanDefinitionParserTests.java | 18 +- .../channel/ChannelProcessingFilter.java | 4 +- 7 files changed, 1758 insertions(+), 1753 deletions(-) create mode 100644 config/src/main/java/org/springframework/security/config/http/ChannelAttributeFactory.java diff --git a/config/src/main/java/org/springframework/security/config/http/ChannelAttributeFactory.java b/config/src/main/java/org/springframework/security/config/http/ChannelAttributeFactory.java new file mode 100644 index 0000000000..0160ea03e0 --- /dev/null +++ b/config/src/main/java/org/springframework/security/config/http/ChannelAttributeFactory.java @@ -0,0 +1,37 @@ +package org.springframework.security.config.http; + +import java.util.List; + +import org.springframework.beans.factory.BeanCreationException; +import org.springframework.security.access.ConfigAttribute; +import org.springframework.security.access.SecurityConfig; +import org.springframework.security.web.access.channel.ChannelDecisionManagerImpl; + +/** + * Used as a factory bean to create config attribute values for the requires-channel attribute. + * + * @author Luke Taylor + * @version $Id$ + * @since 3.0 + */ +public class ChannelAttributeFactory { + private static final String OPT_REQUIRES_HTTP = "http"; + private static final String OPT_REQUIRES_HTTPS = "https"; + private static final String OPT_ANY_CHANNEL = "any"; + + public static final List createChannelAttributes(String requiredChannel) { + String channelConfigAttribute = null; + + if (requiredChannel.equals(OPT_REQUIRES_HTTPS)) { + channelConfigAttribute = "REQUIRES_SECURE_CHANNEL"; + } else if (requiredChannel.equals(OPT_REQUIRES_HTTP)) { + channelConfigAttribute = "REQUIRES_INSECURE_CHANNEL"; + } else if (requiredChannel.equals(OPT_ANY_CHANNEL)) { + channelConfigAttribute = ChannelDecisionManagerImpl.ANY_CHANNEL; + } else { + throw new BeanCreationException("Unknown channel attribute " + requiredChannel); + } + + return SecurityConfig.createList(channelConfigAttribute); + } +} diff --git a/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java index 73fc956fd4..33359ca010 100644 --- a/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java +++ b/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java @@ -27,8 +27,6 @@ import org.springframework.beans.factory.xml.BeanDefinitionParser; import org.springframework.beans.factory.xml.ParserContext; import org.springframework.core.OrderComparator; import org.springframework.core.Ordered; -import org.springframework.security.access.ConfigAttribute; -import org.springframework.security.access.SecurityConfig; import org.springframework.security.access.vote.AffirmativeBased; import org.springframework.security.access.vote.AuthenticatedVoter; import org.springframework.security.access.vote.RoleVoter; @@ -102,9 +100,6 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser { private static final String OPT_SESSION_FIXATION_MIGRATE_SESSION = "migrateSession"; static final String ATT_REQUIRES_CHANNEL = "requires-channel"; - private static final String OPT_REQUIRES_HTTP = "http"; - private static final String OPT_REQUIRES_HTTPS = "https"; - private static final String OPT_ANY_CHANNEL = "any"; private static final String ATT_CREATE_SESSION = "create-session"; private static final String DEF_CREATE_SESSION_IF_REQUIRED = "ifRequired"; @@ -180,7 +175,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser { // Use ManagedMap to allow placeholder resolution final ManagedMap> filterChainMap = parseInterceptUrlsForEmptyFilterChains(interceptUrls, convertPathsToLowerCase, pc); - final ManagedMap> channelRequestMap = + final ManagedMap channelRequestMap = parseInterceptUrlsForChannelSecurity(interceptUrls, convertPathsToLowerCase, pc); BeanDefinition cpf = null; @@ -893,7 +888,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser { } private BeanDefinition createChannelProcessingFilter(ParserContext pc, UrlMatcher matcher, - ManagedMap> channelRequestMap, String portMapperBeanName) { + ManagedMap channelRequestMap, String portMapperBeanName) { RootBeanDefinition channelFilter = new RootBeanDefinition(ChannelProcessingFilter.class); BeanDefinitionBuilder metadataSourceBldr = BeanDefinitionBuilder.rootBeanDefinition(DefaultFilterInvocationSecurityMetadataSource.class); metadataSourceBldr.addConstructorArgValue(matcher); @@ -1189,10 +1184,10 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser { * Parses the intercept-url elements to obtain the map used by channel security. * This will be empty unless the requires-channel attribute has been used on a URL path. */ - private ManagedMap> parseInterceptUrlsForChannelSecurity(List urlElts, + private ManagedMap parseInterceptUrlsForChannelSecurity(List urlElts, boolean useLowerCasePaths, ParserContext parserContext) { - ManagedMap> channelRequestMap = new ManagedMap>(); + ManagedMap channelRequestMap = new ManagedMap(); for (Element urlElt : urlElts) { String path = urlElt.getAttribute(ATT_PATH_PATTERN); @@ -1208,22 +1203,14 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser { String requiredChannel = urlElt.getAttribute(ATT_REQUIRES_CHANNEL); if (StringUtils.hasText(requiredChannel)) { - String channelConfigAttribute = null; - - if (requiredChannel.equals(OPT_REQUIRES_HTTPS)) { - channelConfigAttribute = "REQUIRES_SECURE_CHANNEL"; - } else if (requiredChannel.equals(OPT_REQUIRES_HTTP)) { - channelConfigAttribute = "REQUIRES_INSECURE_CHANNEL"; - } else if (requiredChannel.equals(OPT_ANY_CHANNEL)) { - channelConfigAttribute = ChannelDecisionManagerImpl.ANY_CHANNEL; - } else { - parserContext.getReaderContext().error("Unsupported channel " + requiredChannel, urlElt); - } - BeanDefinition requestKey = new RootBeanDefinition(RequestKey.class); requestKey.getConstructorArgumentValues().addGenericArgumentValue(path); - channelRequestMap.put(requestKey, SecurityConfig.createList(channelConfigAttribute)); + RootBeanDefinition channelAttributes = new RootBeanDefinition(ChannelAttributeFactory.class); + channelAttributes.getConstructorArgumentValues().addGenericArgumentValue(requiredChannel); + channelAttributes.setFactoryMethodName("createChannelAttributes"); + + channelRequestMap.put(requestKey, channelAttributes); } } diff --git a/config/src/main/java/org/springframework/security/config/http/WebConfigUtils.java b/config/src/main/java/org/springframework/security/config/http/WebConfigUtils.java index 6f02008848..538d98ed58 100644 --- a/config/src/main/java/org/springframework/security/config/http/WebConfigUtils.java +++ b/config/src/main/java/org/springframework/security/config/http/WebConfigUtils.java @@ -9,7 +9,7 @@ import org.springframework.util.StringUtils; * * @author Luke Taylor * @author Ben Alex - * @version $Id: WebConfigUtils.java 3770 2009-07-15 23:09:47Z ltaylor $ + * @version $Id$ */ abstract class WebConfigUtils { diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc index 620ca61e1d..4a3326b5ba 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc +++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc @@ -316,8 +316,8 @@ intercept-url.attlist &= ## The filter list for the path. Currently can be set to "none" to remove a path from having any filters applied. The full filter stack (consisting of all filters created by the namespace configuration, and any added using 'custom-filter'), will be applied to any other paths. attribute filters {"none"}? intercept-url.attlist &= - ## Used to specify that a URL must be accessed over http or https, or that there is no preference. - attribute requires-channel {"http" | "https" | "any"}? + ## Used to specify that a URL must be accessed over http or https, or that there is no preference. The value should be "http", "https" or "any", respectively. + attribute requires-channel {xsd:token}? logout = ## Incorporates a logout processing filter. Most web applications require a logout filter, although you may not require one if you write a controller to provider similar logic. diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd index 35bee32393..2263245cfa 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd +++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd @@ -1,1736 +1,1711 @@ - - - - Defines the hashing algorithm used on user passwords. We recommend - strongly against using MD4, as it is a very weak hashing - algorithm. - - - - - - - - - - - - - - - - - - Whether a string should be base64 encoded - - - - - - - - - - - - - Defines the type of pattern used to specify URL paths (either JDK - 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if - unspecified. - - - - - - - - - - - - - Specifies an IP port number. Used to configure an embedded LDAP - server, for example. - - - - - - - Specifies a URL. - - - - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - - - - - - - Defines a reference to a Spring bean Id. - - - - - - - Defines a reference to a cache for use with a - UserDetailsService. - - - - - - - A reference to a user-service (or UserDetailsService bean) - Id - - - - - - - A reference to a DataSource bean - - - - - - - Defines a reference to a Spring bean Id. - - - - - Defines the hashing algorithm used on user passwords. We recommend - strongly against using MD4, as it is a very weak hashing - algorithm. - - - - - - - - - - - - - - - - Whether a string should be base64 encoded - - - - - - - - - - - - - A property of the UserDetails object which will be used as salt by a - password encoder. Typically something like "username" might be used. - - - - - - - - A single value that will be used as the salt for a password encoder. - - - - - - - - - - - - - - A non-empty string prefix that will be added to role strings loaded - from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases - where the default is non-empty. - - - - - - - Enables the use of expressions in the 'access' attributes in - <intercept-url> elements rather than the traditional list of - configuration attributes. Defaults to 'false'. If enabled, each attribute should - contain a single boolean expression. If the expression evaluates to 'true', access - will be granted. - - - - - - Defines an LDAP server location or starts an embedded server. The url - indicates the location of a remote server. If no url is given, an embedded server will - be started, listening on the supplied port number. The port is optional and defaults to - 33389. A Spring LDAP ContextSource bean will be registered for the server with the id - supplied. - - - - - - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - - - - - Specifies a URL. - - - - - Specifies an IP port number. Used to configure an embedded LDAP - server, for example. - - - - - Username (DN) of the "manager" user identity which will be used to - authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be - used. - - - - - The password for the manager DN. - - - - - Explicitly specifies an ldif file resource to load into an embedded - LDAP server - - - - - Optional root suffix for the embedded LDAP server. Default is - "dc=springframework,dc=org" - - - - - - - The optional server to use. If omitted, and a default LDAP server is - registered (using <ldap-server> with no Id), that server will be used. - - - - - - - - Group search filter. Defaults to (uniqueMember={0}). The substituted - parameter is the DN of the user. - - - - - - - Search base for group membership searches. Defaults to "" (searching - from the root). - - - - - - - The LDAP filter used to search for users (optional). For example - "(uid={0})". The substituted parameter is the user's login name. - - - - - - - Search base for user searches. Defaults to "". Only used with a - 'user-search-filter'. - - - - - - - The LDAP attribute name which contains the role name which will be - used within Spring Security. Defaults to "cn". - - - - - - - Allows the objectClass of the user entry to be specified. If set, the - framework will attempt to load standard attributes for the defined class into the - returned UserDetails object - - - - - - - - - - - - - Allows explicit customization of the loaded user object by specifying - a UserDetailsContextMapper bean which will be called with the context information - from the user's directory entry - - - - - - - - - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - - - - - The optional server to use. If omitted, and a default LDAP server is - registered (using <ldap-server> with no Id), that server will be used. - - - - - - The LDAP filter used to search for users (optional). For example - "(uid={0})". The substituted parameter is the user's login name. - - - - - Search base for user searches. Defaults to "". Only used with a - 'user-search-filter'. - - - - - Group search filter. Defaults to (uniqueMember={0}). The substituted - parameter is the DN of the user. - - - - - Search base for group membership searches. Defaults to "" (searching - from the root). - - - - - The LDAP attribute name which contains the role name which will be - used within Spring Security. Defaults to "cn". - - - - - Defines a reference to a cache for use with a - UserDetailsService. - - - - - A non-empty string prefix that will be added to role strings loaded - from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases - where the default is non-empty. - - - - - Allows the objectClass of the user entry to be specified. If set, the - framework will attempt to load standard attributes for the defined class into the - returned UserDetails object - - - - - - - - - - - Allows explicit customization of the loaded user object by specifying - a UserDetailsContextMapper bean which will be called with the context information - from the user's directory entry - - - - - - - The optional server to use. If omitted, and a default LDAP server is - registered (using <ldap-server> with no Id), that server will be used. - - - - - - Search base for user searches. Defaults to "". Only used with a - 'user-search-filter'. - - - - - The LDAP filter used to search for users (optional). For example - "(uid={0})". The substituted parameter is the user's login name. - - - - - Search base for group membership searches. Defaults to "" (searching - from the root). - - - - - Group search filter. Defaults to (uniqueMember={0}). The substituted - parameter is the DN of the user. - - - - - The LDAP attribute name which contains the role name which will be - used within Spring Security. Defaults to "cn". - - - - - A specific pattern used to build the user's DN, for example - "uid={0},ou=people". The key "{0}" must be present and will be substituted with the - username. - - - - - A non-empty string prefix that will be added to role strings loaded - from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases - where the default is non-empty. - - - - - Allows the objectClass of the user entry to be specified. If set, the - framework will attempt to load standard attributes for the defined class into the - returned UserDetails object - - - - - - - - - - - Allows explicit customization of the loaded user object by specifying - a UserDetailsContextMapper bean which will be called with the context information - from the user's directory entry - - - - - - - The attribute in the directory which contains the user password. - Defaults to "userPassword". - - - - - Defines the hashing algorithm used on user passwords. We recommend - strongly against using MD4, as it is a very weak hashing - algorithm. - - - - - - - - - - - - - - - - - Can be used inside a bean definition to add a security interceptor to the - bean and set up access configuration attributes for the bean's - methods - - - - - - Defines a protected method and the access control configuration - attributes that apply to it. We strongly advise you NOT to mix "protect" - declarations with any services provided - "global-method-security". - - - - - - - - - - - - - Optional AccessDecisionManager bean ID to be used by the created - method security interceptor. - - - - - - - A method name - - - - - Access configuration attributes list that applies to the method, e.g. - "ROLE_A,ROLE_B". - - - - - - Provides method security for all beans registered in the Spring - application context. Specifically, beans will be scanned for matches with the ordered - list of "protect-pointcut" sub-elements, Spring Security annotations and/or. Where there - is a match, the beans will automatically be proxied and security authorization applied - to the methods accordingly. If you use and enable all four sources of method security - metadata (ie "protect-pointcut" declarations, expression annotations, @Secured and also - JSR250 security annotations), the metadata sources will be queried in that order. In - practical terms, this enables you to use XML to override method security metadata - expressed in annotations. If using annotations, the order of precedence is EL-based - (@PreAuthorize etc.), @Secured and finally JSR-250. - - - - - + xmlns:security="http://www.springframework.org/schema/security" elementFormDefault="qualified" + targetNamespace="http://www.springframework.org/schema/security"> + + + + Defines the hashing algorithm used on user passwords. We recommend + strongly against using MD4, as it is a very weak hashing algorithm. + + + + + + + + + + + + + + + + + + Whether a string should be base64 encoded + + + + + + + + + + + + + Defines the type of pattern used to specify URL paths (either JDK + 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if + unspecified. + + + + + + + + + + + + + Specifies an IP port number. Used to configure an embedded LDAP server, + for example. + + + + + + + Specifies a URL. + + + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + + + Defines a reference to a Spring bean Id. + + + + + + + Defines a reference to a cache for use with a + UserDetailsService. + + + + + + + A reference to a user-service (or UserDetailsService bean) + Id + + + + + + + A reference to a DataSource bean + + + + + + + Defines a reference to a Spring bean Id. + + + + + Defines the hashing algorithm used on user passwords. We recommend + strongly against using MD4, as it is a very weak hashing algorithm. + + + + + + + + + + + + + + + + Whether a string should be base64 encoded + + + + + + + + + + + + + A property of the UserDetails object which will be used as salt by a + password encoder. Typically something like "username" might be used. + + + + + + + A single value that will be used as the salt for a password encoder. + + + + + + + + + + + + + + A non-empty string prefix that will be added to role strings loaded from + persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the + default is non-empty. + + + + + + + Enables the use of expressions in the 'access' attributes in + <intercept-url> elements rather than the traditional list of configuration + attributes. Defaults to 'false'. If enabled, each attribute should contain a single + boolean expression. If the expression evaluates to 'true', access will be granted. + + + + + + + Defines an LDAP server location or starts an embedded server. The url + indicates the location of a remote server. If no url is given, an embedded server will be + started, listening on the supplied port number. The port is optional and defaults to 33389. + A Spring LDAP ContextSource bean will be registered for the server with the id supplied. + + + + + + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + Specifies a URL. + + + + + Specifies an IP port number. Used to configure an embedded LDAP server, + for example. + + + + + Username (DN) of the "manager" user identity which will be used to + authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be used. + + + + + + The password for the manager DN. + + + + + Explicitly specifies an ldif file resource to load into an embedded LDAP + server + + + + + Optional root suffix for the embedded LDAP server. Default is + "dc=springframework,dc=org" + + + + + + + The optional server to use. If omitted, and a default LDAP server is + registered (using <ldap-server> with no Id), that server will be used. + + + + + + + + Group search filter. Defaults to (uniqueMember={0}). The substituted + parameter is the DN of the user. + + + + + + + Search base for group membership searches. Defaults to "" (searching from + the root). + + + + + + + The LDAP filter used to search for users (optional). For example + "(uid={0})". The substituted parameter is the user's login name. + + + + + + + Search base for user searches. Defaults to "". Only used with a + 'user-search-filter'. + + + + + + + The LDAP attribute name which contains the role name which will be used + within Spring Security. Defaults to "cn". + + + + + + + Allows the objectClass of the user entry to be specified. If set, the + framework will attempt to load standard attributes for the defined class into the returned + UserDetails object + + + + + + + + + + + + + Allows explicit customization of the loaded user object by specifying a + UserDetailsContextMapper bean which will be called with the context information from the + user's directory entry + + + + + + + + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + The optional server to use. If omitted, and a default LDAP server is + registered (using <ldap-server> with no Id), that server will be used. + + + + + + The LDAP filter used to search for users (optional). For example + "(uid={0})". The substituted parameter is the user's login name. + + + + + Search base for user searches. Defaults to "". Only used with a + 'user-search-filter'. + + + + + Group search filter. Defaults to (uniqueMember={0}). The substituted + parameter is the DN of the user. + + + + + Search base for group membership searches. Defaults to "" (searching from + the root). + + + + + The LDAP attribute name which contains the role name which will be used + within Spring Security. Defaults to "cn". + + + + + Defines a reference to a cache for use with a + UserDetailsService. + + + + + A non-empty string prefix that will be added to role strings loaded from + persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the + default is non-empty. + + + + + Allows the objectClass of the user entry to be specified. If set, the + framework will attempt to load standard attributes for the defined class into the returned + UserDetails object + + + + + + + + + + + Allows explicit customization of the loaded user object by specifying a + UserDetailsContextMapper bean which will be called with the context information from the + user's directory entry + + + + + + + The optional server to use. If omitted, and a default LDAP server is + registered (using <ldap-server> with no Id), that server will be used. + + + + + + Search base for user searches. Defaults to "". Only used with a + 'user-search-filter'. + + + + + The LDAP filter used to search for users (optional). For example + "(uid={0})". The substituted parameter is the user's login name. + + + + + Search base for group membership searches. Defaults to "" (searching from + the root). + + + + + Group search filter. Defaults to (uniqueMember={0}). The substituted + parameter is the DN of the user. + + + + + The LDAP attribute name which contains the role name which will be used + within Spring Security. Defaults to "cn". + + + + + A specific pattern used to build the user's DN, for example + "uid={0},ou=people". The key "{0}" must be present and will be substituted with the + username. + + + + + A non-empty string prefix that will be added to role strings loaded from + persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the + default is non-empty. + + + + + Allows the objectClass of the user entry to be specified. If set, the + framework will attempt to load standard attributes for the defined class into the returned + UserDetails object + + + + + + + + + + + Allows explicit customization of the loaded user object by specifying a + UserDetailsContextMapper bean which will be called with the context information from the + user's directory entry + + + + + + + The attribute in the directory which contains the user password. Defaults + to "userPassword". + + + + + Defines the hashing algorithm used on user passwords. We recommend + strongly against using MD4, as it is a very weak hashing algorithm. + + + + + + + + + + + + + + + + + Can be used inside a bean definition to add a security interceptor to the + bean and set up access configuration attributes for the bean's methods + + + + + + Defines a protected method and the access control configuration + attributes that apply to it. We strongly advise you NOT to mix "protect" declarations + with any services provided "global-method-security". + + + + + + + + + + + + + Optional AccessDecisionManager bean ID to be used by the created method + security interceptor. + + + + + + + A method name + + + + + Access configuration attributes list that applies to the method, e.g. + "ROLE_A,ROLE_B". + + + + + + Provides method security for all beans registered in the Spring application + context. Specifically, beans will be scanned for matches with the ordered list of + "protect-pointcut" sub-elements, Spring Security annotations and/or. Where there is a match, + the beans will automatically be proxied and security authorization applied to the methods + accordingly. If you use and enable all four sources of method security metadata (ie + "protect-pointcut" declarations, expression annotations, @Secured and also JSR250 security + annotations), the metadata sources will be queried in that order. In practical terms, this + enables you to use XML to override method security metadata expressed in annotations. If + using annotations, the order of precedence is EL-based (@PreAuthorize etc.), @Secured and + finally JSR-250. + + + + + + + Allows the default expression-based mechanism for handling Spring + Security's pre and post invocation annotations (@PreFilter, @PreAuthorize, + @PostFilter, @PostAuthorize) to be replace entirely. Only applies if these + annotations are enabled. + + + + - Allows the default expression-based mechanism for handling - Spring Security's pre and post invocation annotations (@PreFilter, - @PreAuthorize, @PostFilter, @PostAuthorize) to be replace entirely. Only - applies if these annotations are enabled. + Defines the PrePostInvocationAttributeFactory instance which + is used to generate pre and post invocation metadata from the annotated + methods. - - - - Defines the PrePostInvocationAttributeFactory - instance which is used to generate pre and post invocation metadata - from the annotated methods. - - - - - - - - - - - - - - - - + - - - - Defines the SecurityExpressionHandler instance which will be - used if expression-based access-control is enabled. A default implementation - (with no ACL support) will be used if not supplied. - + + - + - - - - - Defines a protected pointcut and the access control - configuration attributes that apply to it. Every bean registered in the Spring - application context that provides a method that matches the pointcut will - receive security authorization. - - - - - - - - Allows addition of extra AfterInvocationProvider beans which - should be called by the MethodSecurityInterceptor created by - global-method-security. - - - - - - - - - - - - - Specifies whether the use of Spring Security's pre and post invocation - annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be - enabled for this application context. Defaults to "disabled". - - - - - - - - - - - Specifies whether the use of Spring Security's @Secured annotations - should be enabled for this application context. Defaults to - "disabled". - - - - - - - - - - - Specifies whether JSR-250 style attributes are to be used (for example - "RolesAllowed"). This will require the javax.annotation.security classes on the - classpath. Defaults to "disabled". - - - - - - - - - - - Optional AccessDecisionManager bean ID to override the default used - for method security. - - - - - Optional RunAsmanager implementation which will be used by the - configured MethodSecurityInterceptor - - - - - - Used to decorate an AfterInvocationProvider to specify that it should be - used with method security. - - - - - - - An AspectJ expression, including the 'execution' keyword. For example, - 'execution(int com.foo.TargetObject.countLength(String))' (without the - quotes). - - - - - Access configuration attributes list that applies to all methods - matching the pointcut, e.g. "ROLE_A,ROLE_B" - - - - - - Container element for HTTP security configuration - - - - - - Specifies the access attributes and/or filter list for a - particular set of URLs. - - - - - - - - Defines the access-denied strategy that should be used. An - access denied page can be defined or a reference to an AccessDeniedHandler - instance. - - - - - - - - Sets up a form login configuration for authentication with a - username and password - - - - - - - - Sets up form login for authentication with an Open ID - identity - - + + + + + + + + + + + + Defines the SecurityExpressionHandler instance which will be used if + expression-based access-control is enabled. A default implementation (with no ACL + support) will be used if not supplied. + + + + + + + + + Defines a protected pointcut and the access control configuration + attributes that apply to it. Every bean registered in the Spring application context + that provides a method that matches the pointcut will receive security + authorization. + + + + + + + + Allows addition of extra AfterInvocationProvider beans which should be + called by the MethodSecurityInterceptor created by + global-method-security. + + + + + + + + + + + + + Specifies whether the use of Spring Security's pre and post invocation + annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be enabled for + this application context. Defaults to "disabled". + + + + + + + + + + + Specifies whether the use of Spring Security's @Secured annotations should + be enabled for this application context. Defaults to "disabled". + + + + + + + + + + + Specifies whether JSR-250 style attributes are to be used (for example + "RolesAllowed"). This will require the javax.annotation.security classes on the classpath. + Defaults to "disabled". + + + + + + + + + + + Optional AccessDecisionManager bean ID to override the default used for + method security. + + + + + Optional RunAsmanager implementation which will be used by the configured + MethodSecurityInterceptor + + + + + + No longer supported. Use after-invocation-provider + instead. + + + + + + + An AspectJ expression, including the 'execution' keyword. For example, + 'execution(int com.foo.TargetObject.countLength(String))' (without the + quotes). + + + + + Access configuration attributes list that applies to all methods matching + the pointcut, e.g. "ROLE_A,ROLE_B" + + + + + + Container element for HTTP security configuration + + + + + + Specifies the access attributes and/or filter list for a particular + set of URLs. + + + + + + + + Defines the access-denied strategy that should be used. An access + denied page can be defined or a reference to an AccessDeniedHandler instance. + + + + + + + + + Sets up a form login configuration for authentication with a username + and password + + + + + + + + Sets up form login for authentication with an Open ID + identity + + + + + + + + + A reference to a user-service (or UserDetailsService bean) + Id + + + + + + + Adds support for X.509 client authentication. + + + + + + + + Adds support for basic authentication (this is an element to permit + future expansion, such as supporting an "ignoreFailure" attribute) + + + + + + Incorporates a logout processing filter. Most web applications require + a logout filter, although you may not require one if you write a controller to + provider similar logic. + + + + + + + + Adds support for concurrent session control, allowing limits to be + placed on the number of sessions a user can have. + + + + + + + + Sets up remember-me authentication. If used with the "key" attribute + (or no attributes) the cookie-only implementation will be used. Specifying + "token-repository-ref" or "remember-me-data-source-ref" will use the more secure, + persisten token approach. + + + + + + + + Adds support for automatically granting all anonymous web requests a + particular principal identity and a corresponding granted + authority. + + + + + + + + Defines the list of mappings between http and https ports for use in + redirects + + + + + + + + + + + + + + + + + + + + + Automatically registers a login form, BASIC authentication, anonymous + authentication, logout services, remember-me and servlet-api-integration. If set to + "true", all of these capabilities are added (although you can still customize the + configuration of each by providing the respective element). If unspecified, defaults to + "false". + + + + + Enables the use of expressions in the 'access' attributes in + <intercept-url> elements rather than the traditional list of configuration + attributes. Defaults to 'false'. If enabled, each attribute should contain a single + boolean expression. If the expression evaluates to 'true', access will be granted. + + + + + + Controls the eagerness with which an HTTP session is created. If not set, + defaults to "ifRequired". Note that if a custom SecurityContextRepository is set using + security-context-repository-ref, then the only value which can be set is "always". + Otherwise the session creation behaviour will be determined by the repository bean + implementation. + + + + + + + + + + + + A reference to a SecurityContextRepository bean. This can be used to + customize how the SecurityContext is stored between requests. + + + + + Defines the type of pattern used to specify URL paths (either JDK + 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if + unspecified. + + + + + + + + + + + Whether test URLs should be converted to lower case prior to comparing + with defined path patterns. If unspecified, defaults to "true". + + + + + Provides versions of HttpServletRequest security methods such as + isUserInRole() and getPrincipal() which are implemented by accessing the Spring + SecurityContext. Defaults to "true". + + + + + Optional attribute specifying the ID of the AccessDecisionManager + implementation which should be used for authorizing HTTP requests. + + + + + Optional attribute specifying the realm name that will be used for all + authentication features that require a realm name (eg BASIC and Digest authentication). If + unspecified, defaults to "Spring Security Application". + + + + + Indicates whether an existing session should be invalidated when a user + authenticates and a new session started. If set to "none" no change will be made. + "newSession" will create a new empty session. "migrateSession" will create a new session + and copy the session attributes to the new session. Defaults to + "migrateSession". + + + + + + + + + + + + Allows a customized AuthenticationEntryPoint to be + used. + + + + + Corresponds to the observeOncePerRequest property of + FilterSecurityInterceptor. Defaults to "true" + + + + + Deprecated in favour of the access-denied-handler + element. + + + + + + + + + + The URL to which a user will be redirected if they submit an invalid + session indentifier. Typically used to detect session timeouts. + + + + + + + Defines a reference to a Spring bean Id. + + + + + The access denied page that an authenticated user will be redirected to if + they request a page which they don't have the authority to access. + + + + + + + The access denied page that an authenticated user will be redirected to if + they request a page which they don't have the authority to access. + + + + + + + The pattern which defines the URL path. The content will depend on the + type set in the containing http element, so will default to ant path + syntax. + + + + + The access configuration attributes that apply for the configured + path. + + + + + The HTTP Method for which the access configuration attributes should + apply. If not specified, the attributes will apply to any method. + + + + + + + + + + + + + + + + The filter list for the path. Currently can be set to "none" to remove a + path from having any filters applied. The full filter stack (consisting of all filters + created by the namespace configuration, and any added using 'custom-filter'), will be + applied to any other paths. + + + + + + + + + + Used to specify that a URL must be accessed over http or https, or that + there is no preference. The value should be "http", "https" or "any", + respectively. + + + + + + + Specifies the URL that will cause a logout. Spring Security will + initialize a filter that responds to this particular URL. Defaults to + /j_spring_security_logout if unspecified. + + + + + Specifies the URL to display once the user has logged out. If not + specified, defaults to /. + + + + + Specifies whether a logout also causes HttpSession invalidation, which is + generally desirable. If unspecified, defaults to true. + + + + + + + The URL that the login form is posted to. If unspecified, it defaults to + /j_spring_security_check. + + + + + The URL that will be redirected to after successful authentication, if the + user's previous action could not be resumed. This generally happens if the user visits a + login page without having first requested a secured operation that triggers + authentication. If unspecified, defaults to the root of the + application. + + + + + Whether the user should always be redirected to the default-target-url + after login. + + + + + The URL for the login page. If no login URL is specified, Spring Security + will automatically create a login URL at /spring_security_login and a corresponding filter + to render that login URL when requested. + + + + + The URL for the login failure page. If no login failure URL is specified, + Spring Security will automatically create a failure login URL at + /spring_security_login?login_error and a corresponding filter to render that login failure + URL when requested. + + + + + Reference to an AuthenticationSuccessHandler bean which should be used to + handle a successful authentication request. Should not be used in combination with + default-target-url (or always-use-default-target-url) as the implementation should always + deal with navigation to the subsequent destination + + + + + Reference to an AuthenticationFailureHandler bean which should be used to + handle a failed authentication request. Should not be used in combination with + authentication-failure-url as the implementation should always deal with navigation to the + subsequent destination + + + + + + + + + + + + + + + + + + + + + + + + Used to explicitly configure a FilterChainProxy instance with a + FilterChainMap + + + + + + Used within filter-chain-map to define a specific URL pattern and the + list of filters which apply to the URLs matching that pattern. When multiple + filter-chain elements are used within a filter-chain-map element, the most specific + patterns must be placed at the top of the list, with most general ones at the + bottom. + + + + + + + + + + + + + + + + + + + Used to explicitly configure a FilterSecurityMetadataSource bean for use + with a FilterSecurityInterceptor. Usually only needed if you are configuring a + FilterChainProxy explicitly, rather than using the <http> element. The + intercept-url elements used should only contain pattern, method and access attributes. Any + others will result in a configuration error. + + + + + + Specifies the access attributes and/or filter list for a particular + set of URLs. + + + + + + + + + + + + + Enables the use of expressions in the 'access' attributes in + <intercept-url> elements rather than the traditional list of configuration + attributes. Defaults to 'false'. If enabled, each attribute should contain a single + boolean expression. If the expression evaluates to 'true', access will be granted. + + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + as for http element + + + + + Defines the type of pattern used to specify URL paths (either JDK + 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if + unspecified. + + + + + + + + + + + + Deprecated synonym for filter-security-metadata-source + + + + + + Specifies the access attributes and/or filter list for a particular + set of URLs. + + + + + + + + + + + + + The maximum number of sessions a single user can have open at the same + time. Defaults to "1". + + + + + The URL a user will be redirected to if they attempt to use a session + which has been "expired" by the concurrent session controller because they have logged in + again. + + + + + Specifies that an exception should be raised when a user attempts to login + when they already have the maximum configured sessions open. The default behaviour is to + expire the original session. + + + + + Allows you to define an alias for the SessionRegistry bean in order to + access it in your own configuration + + + + + A reference to an external SessionRegistry implementation which will be + used in place of the standard one. + + + + + Allows a custom session controller to be set on the internal http + AuthenticationManager. If used, the session-registry-ref attribute must also be + set. + + + + + + + The "key" used to identify cookies from a specific token-based remember-me + application. You should set this to a unique value for your + application. + + + + + Reference to a PersistentTokenRepository bean for use with the persistent + token remember-me implementation. + + + + + A reference to a DataSource bean + + + + + + A reference to a user-service (or UserDetailsService bean) + Id + + + + + Exports the internally defined RememberMeServices as a bean alias, + allowing it to be used by other beans in the application context. + + + + + The period (in seconds) for which the remember-me cookie should be + valid. + + + + + + + Reference to a PersistentTokenRepository bean for use with the persistent + token remember-me implementation. + + + + + + + Allows a custom implementation of RememberMeServices to be used. Note that + this implementation should return RememberMeAuthenticationToken instances with the same + "key" value as specified in the remember-me element. Alternatively it should register its + own AuthenticationProvider. + + + + + + + + + + The key shared between the provider and filter. This generally does not + need to be set. If unset, it will default to "doesNotMatter". + + + + + The username that should be assigned to the anonymous request. This allows + the principal to be identified, which may be important for logging and auditing. if unset, + defaults to "anonymousUser". + + + + + The granted authority that should be assigned to the anonymous request. + Commonly this is used to assign the anonymous request particular roles, which can + subsequently be used in authorization decisions. If unset, defaults to + "ROLE_ANONYMOUS". + + + + + With the default namespace setup, the anonymous "authentication" facility + is automatically enabled. You can disable it using this property. + + + + + + + + + + + + + The regular expression used to obtain the username from the certificate's + subject. Defaults to matching on the common name using the pattern + "CN=(.*?),". + + + + + A reference to a user-service (or UserDetailsService bean) + Id + + + + + + Registers the AuthenticationManager instance and allows its list of + AuthenticationProviders to be defined. should use. Also allows you to define an alias to + allow you to reference the AuthenticationManager in your own beans. + + + + + + Indicates that the contained user-service should be used as an + authentication source. + + + + + + + element which defines a password encoding strategy. Used by an + authentication provider to convert submitted passwords to hashed versions, for + example. + + - + + + Password salting strategy. A system-wide constant or a + property from the UserDetails object can be used. + + + + + A property of the UserDetails object which will be + used as salt by a password encoder. Typically something like + "username" might be used. + + + + + A single value that will be used as the salt for a + password encoder. + + + + + Defines a reference to a Spring bean + Id. + + + + - - - - A reference to a user-service (or UserDetailsService bean) - Id - - - - - - - Adds support for X.509 client authentication. - - - - - - - - Adds support for basic authentication (this is an element to - permit future expansion, such as supporting an "ignoreFailure" - attribute) - - - - - - Incorporates a logout processing filter. Most web applications - require a logout filter, although you may not require one if you write a - controller to provider similar logic. - - - - - - - - Adds support for concurrent session control, allowing limits to - be placed on the number of sessions a user can have. - - - - - - - - Sets up remember-me authentication. If used with the "key" - attribute (or no attributes) the cookie-only implementation will be used. - Specifying "token-repository-ref" or "remember-me-data-source-ref" will use the - more secure, persisten token approach. - - - - - - - - Adds support for automatically granting all anonymous web - requests a particular principal identity and a corresponding granted - authority. - - - - - - - - Defines the list of mappings between http and https ports for - use in redirects - - + + + + + + + + + + Sets up an ldap authentication provider + + + + + + Specifies that an LDAP provider should use an LDAP compare + operation of the user's password to authenticate the user + + - - - - - - + + + element which defines a password encoding strategy. Used + by an authentication provider to convert submitted passwords to hashed + versions, for example. + + + + + + Password salting strategy. A system-wide constant or + a property from the UserDetails object can be + used. + + + + + A property of the UserDetails object which will + be used as salt by a password encoder. Typically something like + "username" might be used. + + + + + A single value that will be used as the salt for + a password encoder. + + + + + Defines a reference to a Spring bean + Id. + + + + + + + + - - - - - - - - - - - Automatically registers a login form, BASIC authentication, anonymous - authentication, logout services, remember-me and servlet-api-integration. If set to - "true", all of these capabilities are added (although you can still customize the - configuration of each by providing the respective element). If unspecified, defaults - to "false". - - - - - Enables the use of expressions in the 'access' attributes in - <intercept-url> elements rather than the traditional list of - configuration attributes. Defaults to 'false'. If enabled, each attribute should - contain a single boolean expression. If the expression evaluates to 'true', access - will be granted. - - - - - Controls the eagerness with which an HTTP session is created. If not - set, defaults to "ifRequired". Note that if a custom SecurityContextRepository is set - using security-context-repository-ref, then the only value which can be set is - "always". Otherwise the session creation behaviour will be determined by the - repository bean implementation. - - - - - - - - - - - - A reference to a SecurityContextRepository bean. This can be used to - customize how the SecurityContext is stored between requests. - - - - - Defines the type of pattern used to specify URL paths (either JDK - 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if - unspecified. - - - - - - - - - - - Whether test URLs should be converted to lower case prior to comparing - with defined path patterns. If unspecified, defaults to "true". - - - - - Provides versions of HttpServletRequest security methods such as - isUserInRole() and getPrincipal() which are implemented by accessing the Spring - SecurityContext. Defaults to "true". - - - - - Optional attribute specifying the ID of the AccessDecisionManager - implementation which should be used for authorizing HTTP requests. - - - - - Optional attribute specifying the realm name that will be used for all - authentication features that require a realm name (eg BASIC and Digest - authentication). If unspecified, defaults to "Spring Security - Application". - - - - - Indicates whether an existing session should be invalidated when a - user authenticates and a new session started. If set to "none" no change will be - made. "newSession" will create a new empty session. "migrateSession" will create a - new session and copy the session attributes to the new session. Defaults to - "migrateSession". - - - - - - - - - - - - Allows a customized AuthenticationEntryPoint to be - used. - - - - - Corresponds to the observeOncePerRequest property of - FilterSecurityInterceptor. Defaults to "true" - - - - - Deprecated in favour of the access-denied-handler - element. - - - - - - - - - - The URL to which a user will be redirected if they submit an invalid - session indentifier. Typically used to detect session timeouts. - - - - - - - Defines a reference to a Spring bean Id. - - - - - The access denied page that an authenticated user will be redirected - to if they request a page which they don't have the authority to access. - - - - - - - - The access denied page that an authenticated user will be redirected - to if they request a page which they don't have the authority to access. - - - - - - - - The pattern which defines the URL path. The content will depend on the - type set in the containing http element, so will default to ant path - syntax. - - - - - The access configuration attributes that apply for the configured - path. - - - - - The HTTP Method for which the access configuration attributes should - apply. If not specified, the attributes will apply to any method. - - - - - - - - - - - - - - - - The filter list for the path. Currently can be set to "none" to remove - a path from having any filters applied. The full filter stack (consisting of all - filters created by the namespace configuration, and any added using 'custom-filter'), - will be applied to any other paths. - - - - - - - - - - Used to specify that a URL must be accessed over http or https, or - that there is no preference. - - - - - - - - - - - - - - Specifies the URL that will cause a logout. Spring Security will - initialize a filter that responds to this particular URL. Defaults to - /j_spring_security_logout if unspecified. - - - - - Specifies the URL to display once the user has logged out. If not - specified, defaults to /. - - - - - Specifies whether a logout also causes HttpSession invalidation, which - is generally desirable. If unspecified, defaults to true. - - - - - - - The URL that the login form is posted to. If unspecified, it defaults - to /j_spring_security_check. - - - - - The URL that will be redirected to after successful authentication, if - the user's previous action could not be resumed. This generally happens if the user - visits a login page without having first requested a secured operation that triggers - authentication. If unspecified, defaults to the root of the - application. - - - - - Whether the user should always be redirected to the default-target-url - after login. - - - - - The URL for the login page. If no login URL is specified, Spring - Security will automatically create a login URL at /spring_security_login and a - corresponding filter to render that login URL when requested. - - - - - The URL for the login failure page. If no login failure URL is - specified, Spring Security will automatically create a failure login URL at - /spring_security_login?login_error and a corresponding filter to render that login - failure URL when requested. - - - - - Reference to an AuthenticationSuccessHandler bean which should be used - to handle a successful authentication request. Should not be used in combination with - default-target-url (or always-use-default-target-url) as the implementation should - always deal with navigation to the subsequent destination - - - - - Reference to an AuthenticationFailureHandler bean which should be used - to handle a failed authentication request. Should not be used in combination with - authentication-failure-url as the implementation should always deal with navigation - to the subsequent destination - - - - - - - - - - - - - - - - - - - - - - - - Used to explicitly configure a FilterChainProxy instance with a - FilterChainMap - - - - - - Used within filter-chain-map to define a specific URL pattern - and the list of filters which apply to the URLs matching that pattern. When - multiple filter-chain elements are used within a filter-chain-map element, the - most specific patterns must be placed at the top of the list, with most general - ones at the bottom. - - - - - - - - - - - - - - - - - - - Used to explicitly configure a FilterSecurityMetadataSource bean for use - with a FilterSecurityInterceptor. Usually only needed if you are configuring a - FilterChainProxy explicitly, rather than using the <http> element. The - intercept-url elements used should only contain pattern, method and access attributes. - Any others will result in a configuration error. - - - - - - Specifies the access attributes and/or filter list for a - particular set of URLs. - - - - - - - - - - - - - Enables the use of expressions in the 'access' attributes in - <intercept-url> elements rather than the traditional list of - configuration attributes. Defaults to 'false'. If enabled, each attribute should - contain a single boolean expression. If the expression evaluates to 'true', access - will be granted. - - + + + + + + + + + + + + + + + The alias you wish to use for the AuthenticationManager + bean + + + + + + + Defines a reference to a Spring bean Id. + + + + + A reference to a user-service (or UserDetailsService bean) + Id + + + + + + Creates an in-memory UserDetailsService from a properties file or a list of + "user" child elements. + + + + + + Represents a user in the application. + + + + + + - - A bean identifier, used for referring to the bean elsewhere in the - context. - - - - - as for http element - - - - - Defines the type of pattern used to specify URL paths (either JDK - 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if - unspecified. - - - - - - - - - - - - Deprecated synonym for filter-security-metadata-source - - - - - - Specifies the access attributes and/or filter list for a - particular set of URLs. - - - - - - - - - - - - - The maximum number of sessions a single user can have open at the same - time. Defaults to "1". - - - - - The URL a user will be redirected to if they attempt to use a session - which has been "expired" by the concurrent session controller because they have - logged in again. - - - - - Specifies that an exception should be raised when a user attempts to - login when they already have the maximum configured sessions open. The default - behaviour is to expire the original session. - - - - - Allows you to define an alias for the SessionRegistry bean in order to - access it in your own configuration - - - - - A reference to an external SessionRegistry implementation which will - be used in place of the standard one. - - - - - Allows a custom session controller to be set on the internal http - AuthenticationManager. If used, the session-registry-ref attribute must also be - set. - - - - - - - The "key" used to identify cookies from a specific token-based - remember-me application. You should set this to a unique value for your - application. - - - - - Reference to a PersistentTokenRepository bean for use with the - persistent token remember-me implementation. - - - - - A reference to a DataSource bean - - - - - - A reference to a user-service (or UserDetailsService bean) - Id - - - - - Exports the internally defined RememberMeServices as a bean alias, - allowing it to be used by other beans in the application context. - - - - - The period (in seconds) for which the remember-me cookie should be - valid. - - - - - - - Reference to a PersistentTokenRepository bean for use with the - persistent token remember-me implementation. - - - - - - - Allows a custom implementation of RememberMeServices to be used. Note - that this implementation should return RememberMeAuthenticationToken instances with - the same "key" value as specified in the remember-me element. Alternatively it should - register its own AuthenticationProvider. - - - - - - - - - - The key shared between the provider and filter. This generally does - not need to be set. If unset, it will default to "doesNotMatter". - - - - - The username that should be assigned to the anonymous request. This - allows the principal to be identified, which may be important for logging and - auditing. if unset, defaults to "anonymousUser". - - - - - The granted authority that should be assigned to the anonymous - request. Commonly this is used to assign the anonymous request particular roles, - which can subsequently be used in authorization decisions. If unset, defaults to - "ROLE_ANONYMOUS". - - - - - With the default namespace setup, the anonymous "authentication" - facility is automatically enabled. You can disable it using this property. - - - - - - - - - - - - - - The regular expression used to obtain the username from the - certificate's subject. Defaults to matching on the common name using the pattern - "CN=(.*?),". - - - - - A reference to a user-service (or UserDetailsService bean) - Id - - - - - - Registers the AuthenticationManager instance and allows its list of - AuthenticationProviders to be defined. should use. Also allows you to define an alias to - allow you to reference the AuthenticationManager in your own beans. - - - - - - Indicates that the contained user-service should be used as an - authentication source. - - - - - - - element which defines a password encoding strategy. - Used by an authentication provider to convert submitted passwords to - hashed versions, for example. - - - - - - Password salting strategy. A system-wide - constant or a property from the UserDetails object can be - used. - - - - - A property of the UserDetails object - which will be used as salt by a password encoder. - Typically something like "username" might be used. - - - - - - A single value that will be used as the - salt for a password encoder. - - - - - Defines a reference to a Spring bean - Id. - - - - - - - - - - - - - - - Sets up an ldap authentication provider - - - - - - Specifies that an LDAP provider should use an LDAP - compare operation of the user's password to authenticate the - user - - - - - - element which defines a password encoding - strategy. Used by an authentication provider to convert - submitted passwords to hashed versions, for - example. - - - - - - Password salting strategy. A - system-wide constant or a property from the - UserDetails object can be used. - - - - - A property of the UserDetails - object which will be used as salt by a password - encoder. Typically something like "username" might - be used. - - - - - A single value that will be used - as the salt for a password encoder. - - - - - - Defines a reference to a Spring - bean Id. - - - - - - - - - - - - - - - - - - - - - - - - The alias you wish to use for the AuthenticationManager - bean - - - - - - - Defines a reference to a Spring bean Id. - - - - - A reference to a user-service (or UserDetailsService bean) - Id - - - - - - Creates an in-memory UserDetailsService from a properties file or a list - of "user" child elements. - - - - - - Represents a user in the application. - - - - - - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - - - - - - - - - - - - The username assigned to the user. - - - - - The password assigned to the user. This may be hashed if the - corresponding authentication provider supports hashing (remember to set the "hash" - attribute of the "user-service" element). - - - - - One of more authorities granted to the user. Separate authorities with - a comma (but no space). For example, - "ROLE_USER,ROLE_ADMINISTRATOR" - - - - - Can be set to "true" to mark an account as locked and - unusable. - - - - - Can be set to "true" to mark an account as disabled and - unusable. - - - - + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + + + + + + - Causes creation of a JDBC-based UserDetailsService. + The username assigned to the user. - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - - - - - - - - - The bean ID of the DataSource which provides the required - tables. - - - - - Defines a reference to a cache for use with a - UserDetailsService. - - - - - An SQL statement to query a username, password, and enabled status - given a username - - - - - An SQL statement to query for a user's granted authorities given a - username. - - - - - An SQL statement to query user's group authorities given a - username. - - - - - A non-empty string prefix that will be added to role strings loaded - from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases - where the default is non-empty. - - - - - - - Used to indicate that a filter bean declaration should be incorporated - into the security filter chain. - - - - - - - - - - The filter immediately after which the custom-filter should be placed - in the chain. This feature will only be needed by advanced users who wish to mix - their own filters into the security filter chain and have some knowledge of the - standard Spring Security filters. The filter names map to specific Spring Security - implementation filters. - - - - - The filter immediately before which the custom-filter should be placed - in the chain - - - - - The explicit position at which the custom-filter should be placed in - the chain. Use if you are replacing a standard filter. - - - - - - - The filter immediately after which the custom-filter should be placed - in the chain. This feature will only be needed by advanced users who wish to mix - their own filters into the security filter chain and have some knowledge of the - standard Spring Security filters. The filter names map to specific Spring Security - implementation filters. - - - - - - - The filter immediately before which the custom-filter should be placed - in the chain - - - - - - - The explicit position at which the custom-filter should be placed in - the chain. Use if you are replacing a standard filter. - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + The password assigned to the user. This may be hashed if the corresponding + authentication provider supports hashing (remember to set the "hash" attribute of the + "user-service" element). + + + + + One of more authorities granted to the user. Separate authorities with a + comma (but no space). For example, "ROLE_USER,ROLE_ADMINISTRATOR" + + + + + Can be set to "true" to mark an account as locked and + unusable. + + + + + Can be set to "true" to mark an account as disabled and + unusable. + + + + + + Causes creation of a JDBC-based UserDetailsService. + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + + + + + The bean ID of the DataSource which provides the required + tables. + + + + + Defines a reference to a cache for use with a + UserDetailsService. + + + + + An SQL statement to query a username, password, and enabled status given a + username + + + + + An SQL statement to query for a user's granted authorities given a + username. + + + + + An SQL statement to query user's group authorities given a + username. + + + + + A non-empty string prefix that will be added to role strings loaded from + persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the + default is non-empty. + + + + + + + Used to indicate that a filter bean declaration should be incorporated into + the security filter chain. + + + + + + + + + + The filter immediately after which the custom-filter should be placed in + the chain. This feature will only be needed by advanced users who wish to mix their own + filters into the security filter chain and have some knowledge of the standard Spring + Security filters. The filter names map to specific Spring Security implementation filters. + + + + + + The filter immediately before which the custom-filter should be placed in + the chain + + + + + The explicit position at which the custom-filter should be placed in the + chain. Use if you are replacing a standard filter. + + + + + + + The filter immediately after which the custom-filter should be placed in + the chain. This feature will only be needed by advanced users who wish to mix their own + filters into the security filter chain and have some knowledge of the standard Spring + Security filters. The filter names map to specific Spring Security implementation filters. + + + + + + + + The filter immediately before which the custom-filter should be placed in + the chain + + + + + + + The explicit position at which the custom-filter should be placed in the + chain. Use if you are replacing a standard filter. + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java index ce7c5f4dc3..cd6bf61d9d 100644 --- a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java +++ b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java @@ -391,18 +391,24 @@ public class HttpSecurityBeanDefinitionParserTests { @Test public void requiresChannelSupportsPlaceholder() throws Exception { System.setProperty("secure.url", "/secure"); + System.setProperty("required.channel", "https"); setContext( - " " + + " " + " " + - " " + + " " + " " + AUTH_PROVIDER_XML); List filters = getFilters("/secure"); - assertEquals("Expected " + (AUTO_CONFIG_FILTERS + 1) +" filters in chain", AUTO_CONFIG_FILTERS + 1, filters.size()); - assertTrue(filters.get(0) instanceof ChannelProcessingFilter); - } - + ChannelProcessingFilter filter = (ChannelProcessingFilter) filters.get(0); + MockHttpServletRequest request = new MockHttpServletRequest(); + request.setServletPath("/secure"); + MockHttpServletResponse response = new MockHttpServletResponse(); + filter.doFilter(request, response, new MockFilterChain()); + assertNotNull(response.getRedirectedUrl()); + assertTrue(response.getRedirectedUrl().startsWith("https")); + } + @Test public void portMappingsAreParsedCorrectly() throws Exception { setContext( diff --git a/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessingFilter.java b/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessingFilter.java index c1c585b4ef..4c18bc169c 100644 --- a/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessingFilter.java +++ b/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessingFilter.java @@ -111,11 +111,11 @@ public class ChannelProcessingFilter extends GenericFilterBean { chain.doFilter(request, response); } - public ChannelDecisionManager getChannelDecisionManager() { + protected ChannelDecisionManager getChannelDecisionManager() { return channelDecisionManager; } - public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() { + protected FilterInvocationSecurityMetadataSource getSecurityMetadataSource() { return securityMetadataSource; }