diff --git a/src/docbkx/channel-security.xml b/src/docbkx/channel-security.xml index c1116b9143..06cc37e388 100644 --- a/src/docbkx/channel-security.xml +++ b/src/docbkx/channel-security.xml @@ -36,7 +36,7 @@
Configuration - Channel security is supported by the security namespace + Channel security is supported by the security namespace by means of the requires-channel attribute on the <intercept-url> element and this is the simplest (and recommended approach) To confiure channel security explicitly, you would define the following the filter in your application @@ -53,7 +53,7 @@ <security:intercept-url pattern="\A/.*\Z" access="REQUIRES_INSECURE_CHANNEL"/> </security:filter-invocation-definition-source> </property> - </bean> +</bean> <bean id="channelDecisionManager" class="org.springframework.security.securechannel.ChannelDecisionManagerImpl"> <property name="channelProcessors"> diff --git a/src/docbkx/namespace-config.xml b/src/docbkx/namespace-config.xml index 0a1f91b4c7..7e6f8a5e3d 100644 --- a/src/docbkx/namespace-config.xml +++ b/src/docbkx/namespace-config.xml @@ -4,9 +4,7 @@ Security Namespace Configuration
- - Introduction - + Introduction Namespace configuration has been available since version 2.0 of the Spring framework. It allows you to supplement the traditional Spring beans application context syntax with elements @@ -113,18 +111,21 @@ - We'll see how these work together in the next section. + We'll see how these work together in the following sections.
-
- Example Configurations +
+ Getting Started with Security Namespace Cofiguration - In this section, we'll look at how you can build up a namespace configuration to use different + In this section, we'll look at how you can build up a namespace configuration to use some of the main features of the framework. Let's assume you initially want to get up and running as quickly as possible and add authentication support and access control to an existing web application, with a few - test logins. -
- <literal>web.xml</literal> Configuration + test logins. The we'll look at how to change over to authenticating against a database or other + security information repository. In later sections we'll introduce more advanced namespace configuration + options. + +
+ <literal>web.xml</literal> Configuration The first thing you need to do is add the following filter declaration to your web.xml @@ -149,10 +150,8 @@
-
- - A Minimal <literal><http></literal>Configuration - +
+ A Minimal <literal><http></literal>Configuration All you need to enable web security to begin with is If you are familiar with previous versions of the framework, you can probably already guess roughly what's going on here. The <http> element is - responsible for creating a FilterChainProxy and the required - list filter beans which it uses. Common issues like filter incorrect ordering are no + responsible for creating a FilterChainProxy and the + filter beans which it uses. Common issues like incorrect filter ordering are no longer an issue as the filter positions are predefined. The <authentication-provider> element creates a DaoAuthenticationProvider @@ -201,12 +200,9 @@ the application because we have used the auto-config attribute. For example, form login processing and "remember-me" services are automatically - enabled. You might also be wondering where the login form came from when you were prompted - to log in. This was also generated automatically, since we didn't explicitly set a URL for the - login page, but the namespace offers plenty of options to allow you to customize this - kind of thing. + enabled. -
+
What does <literal>auto-config</literal> Include? The auto-config attribute, as we have used it above, is just a @@ -222,40 +218,51 @@ ]]> - These other elements are responsible for setting up form-login, + These other elements are responsible for setting up form-login, anonymous authentication, basic authentication, logout handling and remember-me services - respectively. They each have attributes which can be used to alter their behaviour. For example, if you - want to supply your own login page, you could use: - +
+
+ Form and Basic Login Options + + You might be wondering where the login form came from when you were prompted + to log in, since we made no mention of any HTML files or JSPs. In fact, since we didn't explicitly + set a URL for the login page, Spring Security generates one automatically, based on the features + that are enabled and using standard values for the URL which processes the submitted login, + the default target URL the user will be sent to ad so on. However, the namespace offers plenty of + suppport to allow you to customize these options. + For example, if you want to supply your own login page, you could use: + ]]> - - Note that you can still use auto-config. The form-login element just overrides the - default settings. Also note that we've added an extra intercept-url element to say that any requests - for the login page should be excluded from processing by the security filters. Otherwise the request would be matched by - the pattern /** and it wouldn't be possible to access the login page itself! - If you want to use basic authentication instead of form login, then change the configuration to - + Note that you can still use auto-config. The form-login element just overrides the + default settings. Also note that we've added an extra intercept-url element to say that any requests + for the login page should be excluded from processing by the security filters. Otherwise the request would be matched by + the pattern /** and it wouldn't be possible to access the login page itself! + If you want to use basic authentication instead of form login, then change the configuration to + ]]> - - Basic authentication will then take precedence and will be used to prompt for a login when a user attempts to access - a protected resource. Note that form login is still available in this configuration if you wish to use it, for example - through a login form embedded in another web page. - -
+ + Basic authentication will then take precedence and will be used to prompt for a login when a user attempts to access + a protected resource. Form login is still available in this configuration if you wish to use it, for example + through a login form embedded in another web page. + +
-
- Configuring other Authentication Providers +
+ Using other Authentication Providers - In practice you will need a more scalable source of user information than a few names added to the context file. + In practice you will need a more scalable source of user information than a few names added to the application context file. Most likely you will want to store your user information in something like a database or an LDAP server. LDAP namespace configuration is dealt with in the LDAP chapter, so we won't cover it here. If you have a custom implementation of Spring Security's UserDetailsService, called "myUserDetailsService" in your @@ -306,17 +313,21 @@
-
+
+
+ Advanced Web Features + +
Adding HTTP/HTTPS Channel Security If your application supports both HTTP and HTTPS, and you require that particular URLs can only be accessed over HTTPS, then this is directly supported using the requires-channel attribute on <intercept-url>: - - - - ... -]]> - + + + + ... + ]]> + With this configuration in place, if a user attempts to access anything matching the "/secure/**" pattern using HTTP, they will first be redirected to an HTTPS URL. The available options are "http", "https" or "any". Using the value "any" means that either HTTP or HTTPS @@ -324,17 +335,115 @@ If your application uses non-standard ports for HTTP and/or HTTPS, you can specify a list of port mappings as follows: - - - ... - - - -]]> - + + + ... + + + + ]]> + You can find a more in-depth discussion of channel security in .
+ +
+ Concurrent Session Control + + If you wish to place constraints on a single user's ability to log in to your application, + Spring Security supports this out of the box with the following simple addition: + + ... + + ]]> + + This will prevent a user from logging in multiple times - a second login will cause the first to + be invalidated. Often you would prefer to prevent a second login, in which case you can use + + ... + + ]]> + + The second login will then be rejected. + +
+ +
+ OpenID Login + The namespace supports OpenID login eiter instead of, or in addition to + normal form-based login, with a simple change: + + + + + ]]> + You should then register yourself with an OpenID provider (such as myopenid.com), and + add the user information to your in-memory <user-service>: + + ]]> + You should be able to login using the myopenid.com site to authenticate. + +
+
+ Adding in Your Own Filters + If you've used Spring Security before, you'll know that the framework maintains a chain + of filters in order to apply its services. You may want to add your own filters to the stack at + particular locations, or use a customized version of an existing filter. How can you do this with + namespace configuration, since the filter chain is not directly exposed? + + The order of the filters is always strictly enforced when using the namespace. Each Spring Security + filter implements the Spring Ordered interface and the filters are sorted + during initialization. The standard filters each have an alias in the namespace: + + Standard Filter Aliases and Ordering + + + AliasFilter Class + + + CHANNEL_FILTERChannelProcessingFilter + CONCURRENT_SESSION_FILTERConcurrentSessionFilter + SESSION_CONTEXT_INTEGRATION_FILTERHttpSessionContextIntegrationFilter + LOGOUT_FILTER LogoutFilter + X509_FILTER X509PreAuthenticatedProcessigFilter + PRE_AUTH_FILTER Subclass of AstractPreAuthenticatedProcessingFilter + CAS_PROCESSING_FILTER CasProcessingFilter + AUTHENTICATION_PROCESSING_FILTER AuthenticationProcessingFilter + BASIC_PROCESSING_FILTER BasicProcessingFilter + SERVLET_API_SUPPORT_FILTERclassname + REMEMBER_ME_FILTER RememberMeProcessingFilter + ANONYMOUS_FILTER AnonymousProcessingFilter + EXCEPTION_TRANSLATION_FILTER ExceptionTranslationFilter + NTLM_FILTER NtlmProcessingFilter + FILTER_SECURITY_INTERCEPTOR FilterSecurityInterceptor + SWITCH_USER_FILTER SwitchUserProcessingFilter + + +
+ You can add your own filter to the stack, using the custom-filter element and one of these + names to specify the position your filter should appear at: + + + + ]]> + You can also use the after or before attribtues if you want your filter + to be inserted before or after another filter in the stack. The names "FIRST" and "LAST" can be used to indicate + that you want your filter to appear before or after the entire stack, respectively. +
+
+
+ +
+ Namespace Support for Method Security + + TODO +
+ \ No newline at end of file diff --git a/src/docbkx/supporting-infrastructure.xml b/src/docbkx/supporting-infrastructure.xml index 9877e6f28b..88a1b02628 100644 --- a/src/docbkx/supporting-infrastructure.xml +++ b/src/docbkx/supporting-infrastructure.xml @@ -80,7 +80,7 @@ Filters Spring Security uses many filters, as referred to throughout the - remainder of this reference guide. If you are using namespace configuration, + remainder of this reference guide. If you are using namespace configuration, then the you don't usually have to declare the filter beans explicitly. There may be times when you want full control over the security filter chain, either because you are using features which aren't supported in the namespace, or you are using your own customized versions of classes.
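Review bot: In the channel-security.xml hunk at @@ -36,7 the added sentence closes the parenthesis in the wrong place and has no terminal punctuation: "(and recommended approach)" should read "(and recommended) approach." Also check that the <intercept-url> in that sentence is escaped or wrapped in <literal>, as the rest of this patch does with <literal><http></literal>, since a raw tag in DocBook prose will not validate. While touching this paragraph, the adjacent "To confiure channel security" should be "To configure".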
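Review bot: The only change in the channel-security.xml hunk at @@ -53,7 is dedenting the closing </bean> of the programlisting to column 0. Confirm that the opening <bean> of that listing also sits at column 0; otherwise the closing tag no longer lines up with its opening and the example becomes harder to read.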
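Review bot: In the namespace-config.xml hunk at @@ -113,18 +111,21 the new section title has a typo, "Getting Started with Security Namespace Cofiguration" should be "Configuration", and the added sentence "The we'll look at how to change over to authenticating against a database" should start "Then we'll look at".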
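Review bot: The new "Form and Basic Login Options" section in the hunk at @@ -222,40 +218,51 has two spelling errors in added text: "the default target URL the user will be sent to ad so on" should be "and so on", and "the namespace offers plenty of suppport" should be "support".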
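Review bot: In the hunk at @@ -306,17 +313,21 the body of the CDATA programlisting is re-indented along with the surrounding markup (the "..." line and the "]]>" line gain leading spaces). Whitespace inside CDATA is significant, so this adds indentation to the rendered example and a line of spaces before the listing ends; indent only the enclosing elements and keep the listing content and "]]>" at their original columns. The same applies to the port-mappings listing re-indented in the following hunk.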
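Review bot: Several problems in the added text of the hunk at @@ -324,17 +335,115. Typos: "OpenID login eiter instead of" should be "either"; "You should be able to login using" should be "to log in"; in the filter table "X509PreAuthenticatedProcessigFilter" should be "X509PreAuthenticatedProcessingFilter" and "AstractPreAuthenticatedProcessingFilter" should be "AbstractPreAuthenticatedProcessingFilter"; "after or before attribtues" should be "attributes". The SERVLET_API_SUPPORT_FILTER row still carries the placeholder "classname" where the filter class belongs. The new "Namespace Support for Method Security" section has only "TODO" as its body and will render that way in the published guide; either fill it in or leave the section out of this commit. The file is also committed without a trailing newline.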
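Review bot: The added line in the supporting-infrastructure.xml hunk at @@ -80,7 reads "then the you don't usually have to declare the filter beans explicitly"; drop the stray "the" so it reads "then you don't usually have to declare".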