SEC-910: Updates to ns appendix
parent
f821b0f0f8
commit
1c9c8f0883
|
@ -8,16 +8,134 @@
|
||||||
</info>
|
</info>
|
||||||
|
|
||||||
<para>
|
<para>
|
||||||
This provides a reference to the elements available in the security namespace and infromation on
|
This provides a reference to the elements available in the security namespace and information on
|
||||||
the underlying beans they create. If you haven't used the namespace before, please read the
|
the underlying beans they create (a knowledge of the individual classes and how they work together is assumed -
|
||||||
<link xlink:href="#ns-config">introductory chapter</link>.
|
you can find more information in the project Javadoc and elsewhere in this document).
|
||||||
|
If you haven't used the namespace before, please read the
|
||||||
|
<link xlink:href="#ns-config">introductory chapter</link>. Using a good quality XML editor while
|
||||||
|
editing a configuration based on the schema is recommended as this will provide contextual information on
|
||||||
|
which elements and attributes are available and comments explaining their purpose.
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<section>
|
<section xml:id="nsa-http">
|
||||||
<title>The <literal><http></literal> Element</title>
|
<title>The <literal><http></literal> Element</title>
|
||||||
<para>
|
<para>
|
||||||
This element encapsulates the security configuration for the web layer of your application.
|
This element encapsulates the security configuration for the web layer of your application. It creates a
|
||||||
|
<classname>FilterChainProxy</classname> bean named "springSecurityFilterChain" which maintains the stack of
|
||||||
|
security filters which make up the web security configuration <footnote><para>See the
|
||||||
|
<link xlink:href="#ns-web-xml"> introductory chapter</link> for how to set up the mapping from
|
||||||
|
your <literal>web.xml</literal></para></footnote>. Some core filters are always created and others will
|
||||||
|
be added to the stack depending on the attributes child elements which are present. The positions of the standard
|
||||||
|
filters are fixed (see <link xlink:href="#filter-stack">the filter order table</link> in the namespace introduction),
|
||||||
|
removing a common source of errors with previous versions of the framework when users had to configure the
|
||||||
|
filter chain explicitly in the<classname>FilterChainProxy</classname> bean. You can, of course, still do this
|
||||||
|
if you need full control of the configuration.
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
The <literal><http></literal> namespace block always creates an <classname>HttpSessionContextIntegrationFilter</classname>,
|
||||||
|
an <classname>ExceptionTranslationFilter</classname> and a <classname>FilterSecurityInterceptor</classname>. These are fixed
|
||||||
|
and cannot be replaced with alternatives.
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<section xml:id="nsa-http-attributes">
|
||||||
|
<title><literal><http></literal> Attributes</title>
|
||||||
|
<para>
|
||||||
|
The attributes on the <literal><http></literal> element control some of the properties on the
|
||||||
|
core filters.
|
||||||
|
</para>
|
||||||
|
<section xml:id="nsa-servlet-api-provision">
|
||||||
|
<title><literal>servlet-api-provision</literal></title>
|
||||||
|
<para>
|
||||||
|
Provides versions of <literal>HttpServletRequest</literal> security methods such as
|
||||||
|
<literal>isUserInRole()</literal> and <literal>getPrincipal()</literal> which are implemented by
|
||||||
|
adding a <classname>SecurityContextHolderAwareRequestFilter</classname> bean to the stack. Defaults to "true".
|
||||||
</para>
|
</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
|
<section xml:id="nsa-path-type">
|
||||||
|
<title><literal>path-type</literal></title>
|
||||||
|
<para>
|
||||||
|
Controls whether URL patterns are interpreted as ant paths (the default) or regular expressions. In practice
|
||||||
|
this sets a particular <interfacename>UrlMatcher</interfacename> instance on the <classname>FilterChainProxy</classname>.
|
||||||
|
</para>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section xml:id="nsa-lowercase-comparisons">
|
||||||
|
<title><literal>lowercase-comparisons</literal></title>
|
||||||
|
<para>
|
||||||
|
Whether test URLs should be converted to lower case prior to comparing with defined path patterns. If unspecified,
|
||||||
|
defaults to "true"
|
||||||
|
</para>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section xml:id="session-fixation-protection">
|
||||||
|
<title><literal>session-fixation-protection</literal></title>
|
||||||
|
<para>
|
||||||
|
Indicates whether an existing session should be invalidated when a user authenticates and a new session started.
|
||||||
|
If set to "none" no change will be made. "newSession" will create a new empty session.
|
||||||
|
"migrateSession" will create a new session and copy the session attributes to the new session. Defaults to "migrateSession".
|
||||||
|
</para>
|
||||||
|
<para>
|
||||||
|
If enabled this will add a <classname>SessionFixationProtectionFilter</classname> to the stack. The session fixation protection
|
||||||
|
options on namespace-created instances of <classname>AbstractProcessingFilter</classname> will also be set appropriately.
|
||||||
|
</para>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section xml:id="nsa-realm">
|
||||||
|
<title><literal>realm</literal></title>
|
||||||
|
<para>
|
||||||
|
Sets the realm name used for basic authentication (if enabled). Corresponds to the <literal>realmName</literal> proerty on
|
||||||
|
<classname>BasicProcessingFilterEntryPoint</classname>.
|
||||||
|
</para>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section xml:id="nsa-entry-point-ref">
|
||||||
|
<title><literal>entry-point-ref</literal></title>
|
||||||
|
<para>
|
||||||
|
Normally the <interfacename>AuthenticationEntryPoint</interfacename> used will be set depending on which
|
||||||
|
authentication mechanisms have been configured. This attribute allows this behaviour to be overridden
|
||||||
|
by defining a customized <interfacename>AuthenticationEntryPoint</interfacename> bean which will start the authentication
|
||||||
|
process.
|
||||||
|
</para>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section xml:id="nsa-access-decision-manager-ref">
|
||||||
|
<title><literal>access-decision-manager-ref</literal></title>
|
||||||
|
<para>
|
||||||
|
Optional attribute specifying the ID of the <interfacename>AccessDecisionManager</interfacename> implementation which should be
|
||||||
|
used for authorizing HTTP requests. By default an <classname>AffirmativeBased</classname> implementation is used for with
|
||||||
|
a <classname>RoleVoter</classname> and an <classname>AuthenticatedVoter</classname>.
|
||||||
|
</para>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section xml:id="nsa-access-denied-page">
|
||||||
|
<title><literal>access-denied-page</literal></title>
|
||||||
|
<para>
|
||||||
|
Allows the access denied page to be set (the user will be redirected here if an AccessDeniedException is raised).
|
||||||
|
</para>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
<section xml:id="nsa-once-per-request">
|
||||||
|
<title><literal>once-per-request</literal></title>
|
||||||
|
<para>
|
||||||
|
Corresponds to the <literal>observeOncePerRequest</literal> property of
|
||||||
|
<classname>FilterSecurityInterceptor</classname>. Defaults to "true".
|
||||||
|
</para>
|
||||||
|
</section>
|
||||||
|
|
||||||
|
</section>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<section>
|
||||||
|
<title>The <literal><intercept-url></literal> Element</title>
|
||||||
|
<para></para>
|
||||||
|
|
||||||
|
</section>
|
||||||
|
|
||||||
|
|
||||||
|
</section>
|
||||||
|
|
||||||
</appendix>
|
</appendix>
|
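Review bot: the new session-fixation-protection section uses xml:id="session-fixation-protection", while every other attribute section added in this hunk carries the nsa- prefix (nsa-path-type, nsa-realm, nsa-once-per-request). Rename it to nsa-session-fixation-protection unless an existing link depends on the unprefixed id. The new <intercept-url> section at the end is added with no xml:id and an empty <para></para>; either give it an id and a first sentence, or leave it out until there is content. Wording slips in the added text to fix before merge: "depending on the attributes child elements which are present" is missing "and"; "in the<classname>FilterChainProxy</classname>" is missing a space; "proerty" in the realm paragraph should be "property"; "is used for with a RoleVoter" has a stray "for"; and the lowercase-comparisons paragraph ends at 'defaults to "true"' without a full stop. In the session-fixation-protection paragraph, the text for "none" says only that "no change will be made"; since this is a security setting, add a sentence saying that with "none" the pre-authentication session is kept after login.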