diff --git a/src/docbkx/appendix-namespace.xml b/src/docbkx/appendix-namespace.xml
index ffa7f775d1..fe7a0d3bf2 100644
--- a/src/docbkx/appendix-namespace.xml
+++ b/src/docbkx/appendix-namespace.xml
@@ -131,6 +131,19 @@
FilterSecurityInterceptor. Defaults to "true".
+
+
+ create-session
+
+ Controls the eagerness with which an HTTP session is created. If not set, defaults to "ifRequired". Other options are "always" and "never".
+ The setting of this attribute affect the allowSessionCreation and forceEagerSessionCreation
+ properties of HttpSessionContextIntegrationFilter. allowSessionCreation will always be true unless
+ this attribute is set to "never". forceEagerSessionCreation is "false" unless it is set to "always".
+ So the default configuration allows session creation but does not force it. The exception is if concurrent session control is enabled,
+ when forceEagerSessionCreation will be set to true, regardless of what the setting is here. Using "never" would
+ then cause an exception during the initialization of HttpSessionContextIntegrationFilter.
+
+
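Review bot: The create-session description leaves the one conflicting configuration to its final sentence: with concurrent session control enabled, forceEagerSessionCreation is set to true regardless of this attribute, and "never" then causes an exception during the initialization of HttpSessionContextIntegrationFilter. Suggest stating that next to the list of options, so a reader who picks "never" to avoid sessions sees the incompatibility straight away, and saying explicitly that "ifRequired" is overridden in that case. Also, "The setting of this attribute affect" should read "affects".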
@@ -170,7 +183,7 @@
Can be "http" or "https" depending on whether a particular URL pattern should be accessed over HTTP or HTTPS respectively. Alternatively
the value "any" can be used when there is no preference. If this attribute is present on any <intercept-url>
element, then a ChannelProcessingFilter will be added to the filter stack and its additional dependencies added
- to the application context. See the chapter on channel security for an
+ to the application context. See the chapter on channel security for an
example configuration using traditional beans.
@@ -324,33 +337,128 @@
The <concurrent-session-control> Element
+ Adds support for concurrent session control, allowing limits to be placed on the number of active sessions a user can have.
+ A ConcurrentSessionFilter will be created, along with a ConcurrentSessionControllerImpl
+ and an instance of SessionRegistry (a SessionRegistryImpl instance unless the user
+ wishes to use a custom bean). The controller is registered with the namespace's AuthenticationManager
+ (ProviderManager). Other namespace-created beans which require a reference to the SessionRegistry
+ will automatically have it injected.
+
+ Note that the forceEagerSessionCreation of HttpSessionContextIntegrationFilter will
+ be set to true if concurrent session control is in use.
+
+
+
+ The max-sessions attribute
+ Maps to the maximumSessions property of ConcurrentSessionControllerImpl.
+
+
+
+ The expired-url attribute
+
+ The URL a user will be redirected to if they attempt to use a session which has been "expired" by
+ the concurrent session controller because the user has exceeded the number of allowed sessions and has logged
+ in again elsewhere. Should be set unless exception-if-maximum-exceeded is set.
+ If no value is supplied, an expiry message will just be written directly back to the response.
+
+
+
+
+ The exception-if-maximum-exceeded attribute
+ If set to "true" a ConcurrentLoginException should be raised when a user
+ attempts to exceed the maximum allowed number of sessions. The default behaviour is to expire the original session.
+
+
+
+
+ The session-registry-alias and session-registry-ref attributes
+
+ The user can supply their own SessionRegistry implementation using the
+ session-registry-ref attribute. The other concurrent session control beans will be wired
+ up to use it.
+
+
+ It can also be useful to have a reference to the internal session registry for use in your own
+ beans or an admin interface. You can expose the interal bean using the session-registry-alias
+ attribute, giving it a name that you can use elsewhere in your configuration.
+
+
+
The <anonymous> Element
+ Adds an AnonymousProcessingFilter to the stack and an AnonymousAuthenticationProvider.
+ Required if you are using the IS_AUTHENTICATED_ANONYMOUSLY attribute.
The <x509> Element
+ Adds support for X.509 authentication. An X509PreAuthenticatedProcessingFilter will be
+ added to the stack and a PreAuthenticatedProcessingFilterEntryPoint bean will be created. The
+ latter will only be used if no other authentication mechanisms are in use (it's only functionality is to return an HTTP
+ 403 error code). A PreAuthenticatedAuthenticationProvider will also be created which delegates the
+ loading of user authorities to a UserDetailsService.
+
+ The subject-principal-regex attribute
+
+ Defines a regular expression which will be used to extract the username from the certificate (for use with the
+ UserDetailsService).
+
+
+
+ The user-service-ref attribute
+
+ Allows a specific UserDetailsService to be used with X.509 in the case where
+ multiple instances are configured. If not set, an attempt will be made to locate a suitable instance automatically and
+ use that.
+
+ The <openid-login> Element
+ Similar to <form-login> and has the same attributes. The default value for login-processing-url
+ is "/j_spring_openid_security_check". An OpenIDAuthenticationProcessingFilter and OpenIDAuthenticationProvider
+ will be registered. The latter requires a reference to a UserDetailsService. Again, this can be
+ specified by Id, using the user-service-ref attribute, or will be located automatically in the application context.
The <logout> Element
+ Adds a LogoutFilter to the filter stack. This is configured
+ with a SecurityContextLogoutHandler.
+
+ The logout-url attribute
+
+ The URL which will cause a logout (i.e. which will be processed by the filter). Defaults to "/j_spring_security_logout".
+
+
+
+ The logout-success-url attribute
+
+ The destination URL which the user will be taken to after logging out. Defaults to "/".
+
+
+
+ The invalidate-session attribute
+
+ Maps to the invalidateHttpSession of the SecurityContextLogoutHandler.
+ Defaults to "true", so the session will be invalidated on logout.
+
+
-
+
+
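Review bot: The subject-principal-regex entry does not state the default expression or which part of the match becomes the username handed to the UserDetailsService. Because this expression decides which account a client certificate maps to, the entry should give the default and the matching rule (for example, whether the first capture group is used). In the exception-if-maximum-exceeded entry, "a ConcurrentLoginException should be raised" reads as a recommendation; use "will be raised" if that is the behaviour. Typos in this hunk: "it's only functionality" should be "its only function", and "interal bean" should be "internal bean".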
diff --git a/src/docbkx/namespace-config.xml b/src/docbkx/namespace-config.xml
index 50c40493f6..9c9aa6cb63 100644
--- a/src/docbkx/namespace-config.xml
+++ b/src/docbkx/namespace-config.xml
@@ -29,7 +29,7 @@
You can find out more about the use of the
ldap-server
element in the chapter on
- LDAP.
+ LDAP.
. Use of a good XML editor while editing the application context file should
provide information on the attributes and elements that are available. We would recommend that
you try out the
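Review bot: In the ldap-server sentence the changed line still ends with "LDAP." while the following unchanged line begins with ". Use of a good XML editor", so the text as shown here has a doubled full stop. Suggest dropping one of them while this line is being touched.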
@@ -89,7 +89,8 @@
AuthenticationManager
- - handles authentication requests from other parts of the framework.
+ - handles authentication requests from other parts of the framework. A default
+ instance will be registered internally by the namespace.
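Review bot: The sentence added to the AuthenticationManager item says a default instance is registered internally but gives neither its type nor how an application can refer to it from its own beans. The appendix change in this same patch calls it the namespace's AuthenticationManager (ProviderManager); suggest naming the type here as well, or linking to the appendix, so the two descriptions agree.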
@@ -123,7 +124,7 @@
In this section, we'll look at how you can build up a namespace configuration to use some of the main
features of the framework. Let's assume you initially want to get up and running as quickly as possible
and add authentication support and access control to an existing web application, with a few
- test logins. The we'll look at how to change over to authenticating against a database or other
+ test logins. Then we'll look at how to change over to authenticating against a database or other
security information repository. In later sections we'll introduce more advanced namespace configuration
options.
@@ -749,7 +750,7 @@
...
- ]]>
+ ]]>