From bf45ff94e770e9b6826edea1b189cc55fe725eec Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Tue, 1 Jul 2008 14:20:18 +0000 Subject: [PATCH] SEC-901: Improve docs on custom-filter and avoiding conflicts with namespace filters --- src/docbkx/namespace-config.xml | 170 ++++++++++++++++++++++++-------- 1 file changed, 127 insertions(+), 43 deletions(-) diff --git a/src/docbkx/namespace-config.xml b/src/docbkx/namespace-config.xml index b1ab63b7a1..d4029febc1 100644 --- a/src/docbkx/namespace-config.xml +++ b/src/docbkx/namespace-config.xml 
@@ -427,35 +427,104 @@ Adding in Your Own Filters If you've used Spring Security before, you'll know that the framework maintains a chain of filters in order to apply its services. You may want to add your own filters to the stack at - particular locations, or use a customized version of an existing filter. How can you do this with - namespace configuration, since the filter chain is not directly exposed? + particular locations or use a Spring Security filter for which there isn't currently a namespace + configuration option (CAS, for example). Or you might want to use a customized version of a + standard namespace filter, such as the AuthenticationProcessingFilter which is created by the + <form-login> element, taking advantage of some of the extra configuration options which are + available by using defining the bean directly. How can you do this with namespace configuration, + since the filter chain is not directly exposed? The order of the filters is always strictly enforced when using the namespace. Each Spring Security - filter implements the Spring Ordered interface and the filters are sorted - during initialization. The standard filters each have an alias in the namespace: - + filter implements the Spring Ordered interface and the filters created by the namespace + are sorted during initialization. The standard Spring Security filters each have an alias in the namespace. The filters, aliases + and namespace elements/attributes which create the filters are shown in . +
Standard Filter Aliases and Ordering - + - AliasFilter Class + AliasFilter ClassNamespace Element or Attribute - CHANNEL_FILTERChannelProcessingFilter - CONCURRENT_SESSION_FILTERConcurrentSessionFilter - SESSION_CONTEXT_INTEGRATION_FILTERHttpSessionContextIntegrationFilter - LOGOUT_FILTER LogoutFilter - X509_FILTER X509PreAuthenticatedProcessigFilter - PRE_AUTH_FILTER Subclass of AstractPreAuthenticatedProcessingFilter - CAS_PROCESSING_FILTER CasProcessingFilter - AUTHENTICATION_PROCESSING_FILTER AuthenticationProcessingFilter - BASIC_PROCESSING_FILTER BasicProcessingFilter - SERVLET_API_SUPPORT_FILTERclassname - REMEMBER_ME_FILTER RememberMeProcessingFilter - ANONYMOUS_FILTER AnonymousProcessingFilter - EXCEPTION_TRANSLATION_FILTER ExceptionTranslationFilter - NTLM_FILTER NtlmProcessingFilter - FILTER_SECURITY_INTERCEPTOR FilterSecurityInterceptor - SWITCH_USER_FILTER SwitchUserProcessingFilter + + CHANNEL_FILTER + ChannelProcessingFilter + http/intercept-url + + + CONCURRENT_SESSION_FILTER + ConcurrentSessionFilter + http/concurrent-session-control + + + SESSION_CONTEXT_INTEGRATION_FILTER + HttpSessionContextIntegrationFilter + http + + + LOGOUT_FILTER + LogoutFilter + http/logout + + + X509_FILTER + X509PreAuthenticatedProcessigFilter + http/x509 + + + PRE_AUTH_FILTER + AstractPreAuthenticatedProcessingFilter Subclasses + N/A + + + CAS_PROCESSING_FILTER + CasProcessingFilter + N/A + + + AUTHENTICATION_PROCESSING_FILTER + AuthenticationProcessingFilter + http/form-login + + + BASIC_PROCESSING_FILTER + BasicProcessingFilter + http/http-basic + + + SERVLET_API_SUPPORT_FILTER + SecurityContextHolderAwareRequestFilter + http/@servlet-api-provision + + + REMEMBER_ME_FILTER + RememberMeProcessingFilter + http/remember-me + + + ANONYMOUS_FILTER + AnonymousProcessingFilter + http/anonymous + + + EXCEPTION_TRANSLATION_FILTER + ExceptionTranslationFilter + http + + + NTLM_FILTER + NtlmProcessingFilter + N/A + + + FILTER_SECURITY_INTERCEPTOR + FilterSecurityInterceptor + 
http + + + SWITCH_USER_FILTER + SwitchUserProcessingFilter + N/A +
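Review bot: the rebuilt table rows carry over two misspelled class names from the old rows, X509PreAuthenticatedProcessigFilter (should be X509PreAuthenticatedProcessingFilter) and AstractPreAuthenticatedProcessingFilter (should be AbstractPreAuthenticatedProcessingFilter); readers will copy these names into bean definitions when declaring custom filters, so fix them while the rows are being rewritten. Two smaller points in the same hunk: the new lead-in sentence "taking advantage of some of the extra configuration options which are available by using defining the bean directly" has a stray "using", and the custom entry point text added later in this patch refers to "form login, OpenID or basic authentication through the namespace", yet the table has no OpenID row, so either add that filter and its element to the table or drop OpenID from that sentence so the two stay consistent.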
@@ -470,8 +539,39 @@ to be inserted before or after another filter in the stack. The names "FIRST" and "LAST" can be used to indicate that you want your filter to appear before or after the entire stack, respectively.
+ + Avoiding filter position conflicts + + If you are inserting a custom filter which may occupy the same position as one of the standard filters created by the namespace + then it's important that you don't include the namespace versions by mistake. Avoid using the + auto-config attribute and remove any elements which create filters whose functionality you want to replace. + + + Note that you can't replace filters which are created by the use of the <http> + element itself - HttpSessionContextIntegrationFilter, ExceptionTranslationFilter or + FilterSecurityInterceptor. + + + + If you're replacing a namespace filter which requires an authentication entry point (i.e. where the authentication process is triggered by + an attempt by an unauthenticated user to access to a secured resource), you will need to add a custom entry point bean too. + +
+ Setting a Custom <literal>AuthenticationEntryPoint</literal> + + If you aren't using form login, OpenID or basic authentication through the namespace, you may + want to define an authentication filter and entry point using a traditional bean syntax and link them + into the namespace, as we've just seen. The corresponding AuthenticationEntryPoint can be set using the + entry-point-ref attribute on the <http> element. + + + The CAS sample application is a good example of the use of custom beans with the namespace, including this syntax. If you aren't + familiar with authentication entry points, they are discussed in the technical + overview chapter. + +
- +
Session Fixation Attack Protection @@ -492,22 +592,6 @@
-
- Setting a Custom <literal>AuthenticationEntryPoint</literal> - - If you aren't using form login, OpenID or basic authentication through the namespace, you may - want to define an authentication filter and entry point using a traditional bean syntax and link them - into the namespace. You can add the filter as explained in . The - corresponding AuthenticationEntryPoint can be set using the entry-point-ref - attribute on the <http> element. - - - The CAS sample is a good example of the use of custom beans with the namespace, including this syntax. If you aren't - familiar with authentication entry points, they are discussed in the technical - overview chapter. - -
-
@@ -641,9 +725,9 @@ use this name elsewhere in your application context. - - - + + + ...
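Review bot: in the second hunk (the new "Avoiding filter position conflicts" section), the text tells the reader to avoid auto-config and to remove the elements that create the filters being replaced, but it never says what happens when a custom filter and a namespace filter do end up at the same position (whether startup fails or both filters run at that position in an unspecified order); state the observable behaviour so a reader can tell a misconfiguration from a working setup. The note that HttpSessionContextIntegrationFilter, ExceptionTranslationFilter and FilterSecurityInterceptor cannot be replaced would also be clearer if it pointed at the table, where those three are exactly the rows listed against "http" with no element of their own. Grammar in the same hunk: "an attempt by an unauthenticated user to access to a secured resource" should drop the second "to".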