From 7cf9740fd439ff0ae8880aeeadb5e5c11ab51b88 Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Fri, 17 Dec 2010 17:09:20 +0000 Subject: [PATCH] SEC-1638: Added an example configuration to the Javadoc for ChannelProcessingFilter and a pointer from the reference manual. --- docs/manual/src/docbook/namespace-config.xml | 6 ++- .../channel/ChannelProcessingFilter.java | 45 ++++++++++++++++--- 2 files changed, 45 insertions(+), 6 deletions(-) diff --git a/docs/manual/src/docbook/namespace-config.xml b/docs/manual/src/docbook/namespace-config.xml index ab4c93c775..c232a93b22 100644 --- a/docs/manual/src/docbook/namespace-config.xml +++ b/docs/manual/src/docbook/namespace-config.xml @@ -454,7 +454,11 @@ ]]> With this configuration in place, if a user attempts to access anything matching the "/secure/**" pattern using HTTP, they will first be redirected - to an HTTPS URL. The available options are "http", "https" or "any". Using the value + to an HTTPS URL + For more details on how channel-processing is implemented, see the Javadoc + for ChannelProcessingFilter and related classes. + . + The available options are "http", "https" or "any". Using the value "any" means that either HTTP or HTTPS can be used. If your application uses non-standard ports for HTTP and/or HTTPS, you can specify a list of port mappings as follows: Internally uses a {@link FilterInvocation} to represent the request, so that the - * FilterInvocation-related property editors and lookup classes can be used.

- *

Delegates the actual channel security decisions and necessary actions to the configured - * {@link ChannelDecisionManager}. If a response is committed by the ChannelDecisionManager, - * the filter chain will not proceed.

+ *

+ * Internally uses a {@link FilterInvocation} to represent the request, allowing a + * {@code FilterInvocationSecurityMetadataSource} to be used to lookup the attributes which apply. + *

+ * Delegates the actual channel security decisions and necessary actions to the configured + * {@link ChannelDecisionManager}. If a response is committed by the {@code ChannelDecisionManager}, + * the filter chain will not proceed. + *

+ * The most common usage is to ensure that a request takes place over HTTPS, where the + * {@link ChannelDecisionManagerImpl} is configured with a {@link SecureChannelProcessor} and an + * {@link InsecureChannelProcessor}. A typical configuration would be + *

+ *
+<bean id="channelProcessingFilter" class="org.springframework.security.web.access.channel.ChannelProcessingFilter">
+  <property name="channelDecisionManager" ref="channelDecisionManager"/>
+  <property name="securityMetadataSource">
+    <security:filter-security-metadata-source path-type="regex">
+      <security:intercept-url pattern="\A/secure/.*\Z" access="REQUIRES_SECURE_CHANNEL"/>
+      <security:intercept-url pattern="\A/login.jsp.*\Z" access="REQUIRES_SECURE_CHANNEL"/>
+      <security:intercept-url pattern="\A/.*\Z" access="ANY_CHANNEL"/>
+    </security:filter-security-metadata-source>
+  </property>
+</bean>
+
+<bean id="channelDecisionManager" class="org.springframework.security.web.access.channel.ChannelDecisionManagerImpl">
+  <property name="channelProcessors">
+    <list>
+    <ref bean="secureChannelProcessor"/>
+    <ref bean="insecureChannelProcessor"/>
+    </list>
+  </property>
+</bean>
+
+<bean id="secureChannelProcessor"
+  class="org.springframework.security.web.access.channel.SecureChannelProcessor"/>
+<bean id="insecureChannelProcessor"
+  class="org.springframework.security.web.access.channel.InsecureChannelProcessor"/>
+
+ * 
+ * which would force the login form and any access to the {@code /secure} path to be made over HTTPS. * * @author Ben Alex */
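Review bot: The example added to the class Javadoc ends with a catch-all `\A/.*\Z` rule mapped to `ANY_CHANNEL`, and the closing sentence says only that the login form and `/secure` are forced onto HTTPS, without mentioning that every other URL may still be served over plain HTTP. A reader who copies this gets a session established over HTTPS that can then be used on HTTP URLs, where the session identifier is exposed unless the cookie is marked secure (cookie handling is not visible in this hunk, so this is inferred). I would add a sentence after the example, such as `Requests matching the final pattern may still use HTTP, so an application that authenticates users should normally require HTTPS for every URL.` As a smaller point, the `.` in `\A/login.jsp.*\Z` is unescaped and matches any character; `\A/login\.jsp.*\Z` states the intent exactly. The Javadoc block opens above the visible part of the hunk.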