diff --git a/core/src/main/resources/org/springframework/security/config/spring-security-2.5.rnc b/core/src/main/resources/org/springframework/security/config/spring-security-2.5.rnc
index 6d662ca24b..800bc3f892 100644
--- a/core/src/main/resources/org/springframework/security/config/spring-security-2.5.rnc
+++ b/core/src/main/resources/org/springframework/security/config/spring-security-2.5.rnc
@@ -310,6 +310,13 @@ form-login.attlist &=
form-login.attlist &=
## The URL for the login failure page. If no login failure URL is specified, Spring Security will automatically create a failure login URL at /spring_security_login?login_error and a corresponding filter to render that login failure URL when requested.
attribute authentication-failure-url {xsd:string}?
+form-login.attlist &=
+ ## Reference to an AuthenticationSuccessHandler bean which should be used to handle a successful authentication request. Should not be used in combination with default-target-url (or always-use-default-target-url) as the implementation should always deal with navigation to the subsequent destination
+ attribute authentication-success-handler-ref {xsd:string}?
+form-login.attlist &=
+ ## Reference to an AuthenticationFailureHandler bean which should be used to handle a failed authentication request. Should not be used in combination with authentication-failure-url as the implementation should always deal with navigation to the subsequent destination
+ attribute authentication-failure-handler-ref {xsd:string}?
+
openid-login =
## Sets up form login for authentication with an Open ID identity
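Review bot: The restriction "Should not be used in combination with ..." on `authentication-success-handler-ref` and `authentication-failure-handler-ref` exists only as annotation text. Each attribute is added as an independent optional `form-login.attlist &=` entry, so the grammar still accepts a handler ref alongside `default-target-url`, `always-use-default-target-url` or `authentication-failure-url`. Unless the code that parses this element (not visible in this diff) rejects the combination, one of the two settings is presumably ignored without warning. On the failure path that means the response to a failed login may not be the one the operator configured. I would report a configuration error when both are present, and reword the annotations to state the rule, e.g. `## ... Must not be combined with authentication-failure-url; the handler is responsible for navigation to the subsequent destination.`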
diff --git a/core/src/main/resources/org/springframework/security/config/spring-security-2.5.xsd b/core/src/main/resources/org/springframework/security/config/spring-security-2.5.xsd
index e3c31f8203..5c6b0b13ef 100644
--- a/core/src/main/resources/org/springframework/security/config/spring-security-2.5.xsd
+++ b/core/src/main/resources/org/springframework/security/config/spring-security-2.5.xsd
@@ -1,1527 +1,1555 @@
-
-
+ xmlns:security="http://www.springframework.org/schema/security" elementFormDefault="qualified"
+ targetNamespace="http://www.springframework.org/schema/security">
+
+
+
+ Defines the hashing algorithm used on user passwords. We recommend
+ strongly against using MD4, as it is a very weak hashing
+ algorithm.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Whether a string should be base64 encoded
+
+
+
+
+
+
+
+
+
+
+
+
+ Defines the type of pattern used to specify URL paths (either JDK
+ 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if
+ unspecified.
+
+
+
+
+
+
+
+
+
+
+
+
+ Specifies an IP port number. Used to configure an embedded LDAP
+ server, for example.
+
+
+
+
+
+
+ Specifies a URL.
+
+
+
+
+
+
+ A bean identifier, used for referring to the bean elsewhere in the
+ context.
+
+
+
+
+
+
+ Defines a reference to a Spring bean Id.
+
+
+
+
+
+
+ Defines a reference to a cache for use with a
+ UserDetailsService.
+
+
+
+
+
+
+ A reference to a user-service (or UserDetailsService bean)
+ Id
+
+
+
+
+
+
+ A reference to a DataSource bean
+
+
+
+
+
+
+ Defines a reference to a Spring bean Id.
+
+
+
+
+ Defines the hashing algorithm used on user passwords. We recommend
+ strongly against using MD4, as it is a very weak hashing
+ algorithm.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Whether a string should be base64 encoded
+
+
+
+
+
+
+
+
+
+
+
+
+ A property of the UserDetails object which will be used as salt by a
+ password encoder. Typically something like "username" might be used.
+
+
+
+
+
+
+
+ A single value that will be used as the salt for a password encoder.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ A non-empty string prefix that will be added to role strings loaded
+ from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases
+ where the default is non-empty.
+
+
+
+
+
+
+ Enables the use of expressions in the 'access' attributes in
+ <intercept-url> elements rather than the traditional list of
+ configuration attributes. Defaults to 'false'. If enabled, each attribute should
+ contain a single boolean expression. If the expression evaluates to 'true', access
+ will be granted.
+
+
+
+
- Defines the hashing algorithm used on user passwords. We recommend
- strongly against using MD4, as it is a very weak hashing algorithm.
+ Defines an LDAP server location or starts an embedded server. The url
+ indicates the location of a remote server. If no url is given, an embedded server will
+ be started, listening on the supplied port number. The port is optional and defaults to
+ 33389. A Spring LDAP ContextSource bean will be registered for the server with the id
+ supplied.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+ A bean identifier, used for referring to the bean elsewhere in the
+ context.
+
+
+
+
+ Specifies a URL.
+
+
+
+
+ Specifies an IP port number. Used to configure an embedded LDAP
+ server, for example.
+
+
+
+
+ Username (DN) of the "manager" user identity which will be used to
+ authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be
+ used.
+
+
+
+
+ The password for the manager DN.
+
+
+
+
+ Explicitly specifies an ldif file resource to load into an embedded
+ LDAP server
+
+
+
+
+ Optional root suffix for the embedded LDAP server. Default is
+ "dc=springframework,dc=org"
+
+
+
+
+
+
+ The optional server to use. If omitted, and a default LDAP server is
+ registered (using <ldap-server> with no Id), that server will be used.
+
+
+
+
+
+
+
+ Group search filter. Defaults to (uniqueMember={0}). The substituted
+ parameter is the DN of the user.
+
+
+
+
+
+
+ Search base for group membership searches. Defaults to "" (searching
+ from the root).
+
+
+
+
+
+
+ The LDAP filter used to search for users (optional). For example
+ "(uid={0})". The substituted parameter is the user's login name.
+
+
+
+
+
+
+ Search base for user searches. Defaults to "". Only used with a
+ 'user-search-filter'.
+
+
+
+
+
+
+ The LDAP attribute name which contains the role name which will be
+ used within Spring Security. Defaults to "cn".
+
+
+
+
+
+
+ Allows the objectClass of the user entry to be specified. If set, the
+ framework will attempt to load standard attributes for the defined class into the
+ returned UserDetails object
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ A bean identifier, used for referring to the bean elsewhere in the
+ context.
+
+
+
+
+ The optional server to use. If omitted, and a default LDAP server is
+ registered (using <ldap-server> with no Id), that server will be used.
+
+
+
+
+
+ The LDAP filter used to search for users (optional). For example
+ "(uid={0})". The substituted parameter is the user's login name.
+
+
+
+
+ Search base for user searches. Defaults to "". Only used with a
+ 'user-search-filter'.
+
+
+
+
+ Group search filter. Defaults to (uniqueMember={0}). The substituted
+ parameter is the DN of the user.
+
+
+
+
+ Search base for group membership searches. Defaults to "" (searching
+ from the root).
+
+
+
+
+ The LDAP attribute name which contains the role name which will be
+ used within Spring Security. Defaults to "cn".
+
+
+
+
+ Defines a reference to a cache for use with a
+ UserDetailsService.
+
+
+
+
+ A non-empty string prefix that will be added to role strings loaded
+ from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases
+ where the default is non-empty.
+
+
+
+
+ Allows the objectClass of the user entry to be specified. If set, the
+ framework will attempt to load standard attributes for the defined class into the
+ returned UserDetails object
+
+
+
+
+
+
+
+
+
+
- Whether a string should be base64 encoded
+ Sets up an ldap authentication provider
-
-
-
-
-
-
-
-
-
-
-
- Defines the type of pattern used to specify URL paths (either JDK
- 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if
- unspecified.
-
-
-
-
-
-
-
-
-
-
-
-
- Specifies an IP port number. Used to configure an embedded LDAP server,
- for example.
-
-
-
-
-
-
- Specifies a URL.
-
-
-
-
-
-
- A bean identifier, used for referring to the bean elsewhere in the
- context.
-
-
-
-
-
-
- Defines a reference to a Spring bean Id.
-
-
-
-
-
-
- Defines a reference to a cache for use with a
- UserDetailsService.
-
-
-
-
-
-
- A reference to a user-service (or UserDetailsService bean)
- Id
-
-
-
-
-
-
- A reference to a DataSource bean
-
-
-
-
-
-
- Defines a reference to a Spring bean Id.
-
-
-
-
- Defines the hashing algorithm used on user passwords. We recommend
- strongly against using MD4, as it is a very weak hashing algorithm.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Whether a string should be base64 encoded
-
-
-
-
-
-
-
-
-
-
-
-
- A property of the UserDetails object which will be used as salt by a
- password encoder. Typically something like "username" might be used.
-
-
-
-
-
-
- A single value that will be used as the salt for a password encoder.
-
-
-
-
-
-
-
-
-
-
-
-
-
- A non-empty string prefix that will be added to role strings loaded from
- persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the
- default is non-empty.
-
-
-
-
-
-
- Enables the use of expressions in the 'access' attributes in
- <intercept-url> elements rather than the traditional list of configuration
- attributes. Defaults to 'false'. If enabled, each attribute should contain a single
- boolean expression. If the expression evaluates to 'true', access will be granted.
-
-
-
-
-
-
- Defines an LDAP server location or starts an embedded server. The url
- indicates the location of a remote server. If no url is given, an embedded server will be
- started, listening on the supplied port number. The port is optional and defaults to 33389.
- A Spring LDAP ContextSource bean will be registered for the server with the id supplied.
-
-
-
-
-
-
-
-
-
- A bean identifier, used for referring to the bean elsewhere in the
- context.
-
-
-
-
- Specifies a URL.
-
-
-
-
- Specifies an IP port number. Used to configure an embedded LDAP server,
- for example.
-
-
-
-
- Username (DN) of the "manager" user identity which will be used to
- authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be used.
-
-
-
-
-
- The password for the manager DN.
-
-
-
-
- Explicitly specifies an ldif file resource to load into an embedded LDAP
- server
-
-
-
-
- Optional root suffix for the embedded LDAP server. Default is
- "dc=springframework,dc=org"
-
-
-
-
-
-
- The optional server to use. If omitted, and a default LDAP server is
- registered (using <ldap-server> with no Id), that server will be used.
-
-
-
-
-
-
-
- Group search filter. Defaults to (uniqueMember={0}). The substituted
- parameter is the DN of the user.
-
-
-
-
-
-
- Search base for group membership searches. Defaults to "" (searching from
- the root).
-
-
-
-
-
-
- The LDAP filter used to search for users (optional). For example
- "(uid={0})". The substituted parameter is the user's login name.
-
-
-
-
-
-
- Search base for user searches. Defaults to "". Only used with a
- 'user-search-filter'.
-
-
-
-
-
-
- The LDAP attribute name which contains the role name which will be used
- within Spring Security. Defaults to "cn".
-
-
-
-
-
-
- Allows the objectClass of the user entry to be specified. If set, the
- framework will attempt to load standard attributes for the defined class into the returned
- UserDetails object
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- A bean identifier, used for referring to the bean elsewhere in the
- context.
-
-
-
-
- The optional server to use. If omitted, and a default LDAP server is
- registered (using <ldap-server> with no Id), that server will be used.
-
-
-
-
-
- The LDAP filter used to search for users (optional). For example
- "(uid={0})". The substituted parameter is the user's login name.
-
-
-
-
- Search base for user searches. Defaults to "". Only used with a
- 'user-search-filter'.
-
-
-
-
- Group search filter. Defaults to (uniqueMember={0}). The substituted
- parameter is the DN of the user.
-
-
-
-
- Search base for group membership searches. Defaults to "" (searching from
- the root).
-
-
-
-
- The LDAP attribute name which contains the role name which will be used
- within Spring Security. Defaults to "cn".
-
-
-
-
- Defines a reference to a cache for use with a
- UserDetailsService.
-
-
-
-
- A non-empty string prefix that will be added to role strings loaded from
- persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the
- default is non-empty.
-
-
-
-
- Allows the objectClass of the user entry to be specified. If set, the
- framework will attempt to load standard attributes for the defined class into the returned
- UserDetails object
-
-
-
-
-
-
-
-
-
-
-
- Sets up an ldap authentication provider
-
-
-
-
-
- Specifies that an LDAP provider should use an LDAP compare operation
- of the user's password to authenticate the user
-
-
-
-
-
- element which defines a password encoding strategy. Used by an
- authentication provider to convert submitted passwords to hashed versions, for
- example.
-
-
+
+
+
+
+ Specifies that an LDAP provider should use an LDAP compare
+ operation of the user's password to authenticate the user
+
+
-
-
- Password salting strategy. A system-wide constant or a
- property from the UserDetails object can be used.
-
-
-
-
- A property of the UserDetails object which will be
- used as salt by a password encoder. Typically something like
- "username" might be used.
-
-
-
-
- A single value that will be used as the salt for a
- password encoder.
-
-
-
-
+
+
+ element which defines a password encoding strategy.
+ Used by an authentication provider to convert submitted passwords to
+ hashed versions, for example.
+
+
+
+
+
+ Password salting strategy. A system-wide
+ constant or a property from the UserDetails object can be
+ used.
+
+
+
+
+ A property of the UserDetails object
+ which will be used as salt by a password encoder.
+ Typically something like "username" might be used.
+
+
+
+
+
+ A single value that will be used as the
+ salt for a password encoder.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The optional server to use. If omitted, and a default LDAP server is
+ registered (using <ldap-server> with no Id), that server will be used.
+
+
+
+
+
+ Search base for user searches. Defaults to "". Only used with a
+ 'user-search-filter'.
+
+
+
+
+ The LDAP filter used to search for users (optional). For example
+ "(uid={0})". The substituted parameter is the user's login name.
+
+
+
+
+ Search base for group membership searches. Defaults to "" (searching
+ from the root).
+
+
+
+
+ Group search filter. Defaults to (uniqueMember={0}). The substituted
+ parameter is the DN of the user.
+
+
+
+
+ The LDAP attribute name which contains the role name which will be
+ used within Spring Security. Defaults to "cn".
+
+
+
+
+ A specific pattern used to build the user's DN, for example
+ "uid={0},ou=people". The key "{0}" must be present and will be substituted with the
+ username.
+
+
+
+
+ A non-empty string prefix that will be added to role strings loaded
+ from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases
+ where the default is non-empty.
+
+
+
+
+ Allows the objectClass of the user entry to be specified. If set, the
+ framework will attempt to load standard attributes for the defined class into the
+ returned UserDetails object
+
+
+
+
+
+
+
+
+
+
+
+
+ The attribute in the directory which contains the user password.
+ Defaults to "userPassword".
+
+
+
+
+ Defines the hashing algorithm used on user passwords. We recommend
+ strongly against using MD4, as it is a very weak hashing
+ algorithm.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Can be used inside a bean definition to add a security interceptor to the
+ bean and set up access configuration attributes for the bean's
+ methods
+
+
+
+
+
+ Defines a protected method and the access control configuration
+ attributes that apply to it. We strongly advise you NOT to mix "protect"
+ declarations with any services provided
+ "global-method-security".
+
+
+
+
+
+
+
+
+
+
+
+
+ Optional AccessDecisionManager bean ID to be used by the created
+ method security interceptor.
+
+
+
+
+
+
+ A method name
+
+
+
+
+ Access configuration attributes list that applies to the method, e.g.
+ "ROLE_A,ROLE_B".
+
+
+
+
+
+ Provides method security for all beans registered in the Spring
+ application context. Specifically, beans will be scanned for matches with the ordered
+ list of "protect-pointcut" sub-elements, Spring Security annotations and/or. Where there
+ is a match, the beans will automatically be proxied and security authorization applied
+ to the methods accordingly. If you use and enable all four sources of method security
+ metadata (ie "protect-pointcut" declarations, expression annotations, @Secured and also
+ JSR250 security annotations), the metadata sources will be queried in that order. In
+ practical terms, this enables you to use XML to override method security metadata
+ expressed in annotations. If using annotations, the order of precedence is EL-based
+ (@PreAuthorize etc.), @Secured and finally JSR-250.
+
+
+
+
+
+
+ Defines a protected pointcut and the access control
+ configuration attributes that apply to it. Every bean registered in the Spring
+ application context that provides a method that matches the pointcut will
+ receive security authorization.
+
+
+
+
+
+
+
+
+
+
+
+
+ Specifies whether the use of Spring Security's expression-based
+ annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be
+ enabled for this application context. Defaults to "disabled".
+
+
+
+
+
+
+
+
+
+
+ Specifies whether the use of Spring Security's @Secured annotations
+ should be enabled for this application context. Defaults to
+ "disabled".
+
+
+
+
+
+
+
+
+
+
+ Specifies whether JSR-250 style attributes are to be used (for example
+ "RolesAllowed"). This will require the javax.annotation.security classes on the
+ classpath. Defaults to "disabled".
+
+
+
+
+
+
+
+
+
+
+ Optional AccessDecisionManager bean ID to override the default used
+ for method security.
+
+
+
+
+
+ Defines the SecurityExpressionHandler instance which will be used if
+ expression-based access-control is enabled. A default implementation (with no ACL
+ support) will be used if not supplied.
+
+
+
+
+
+
+
+ Used to decorate an AfterInvocationProvider to specify that it should be
+ used with method security.
+
+
+
+
+
+
+ An AspectJ expression, including the 'execution' keyword. For example,
+ 'execution(int com.foo.TargetObject.countLength(String))' (without the
+ quotes).
+
+
+
+
+ Access configuration attributes list that applies to all methods
+ matching the pointcut, e.g. "ROLE_A,ROLE_B"
+
+
+
+
+
+ Container element for HTTP security configuration
+
+
+
+
+
+ Specifies the access attributes and/or filter list for a
+ particular set of URLs.
+
+
+
+
+
+
+
+ Sets up a form login configuration for authentication with a
+ username and password
+
+
+
+
+
+
+
+
+ Adds support for X.509 client authentication.
+
+
+
+
+
+
+
+ Adds support for basic authentication (this is an element to
+ permit future expansion, such as supporting an "ignoreFailure"
+ attribute)
+
+
+
+
+
+ Incorporates a logout processing filter. Most web applications
+ require a logout filter, although you may not require one if you write a
+ controller to provider similar logic.
+
+
+
+
+
+
+
+ Adds support for concurrent session control, allowing limits to
+ be placed on the number of sessions a user can have.
+
+
+
+
+
+
+
+ Sets up remember-me authentication. If used with the "key"
+ attribute (or no attributes) the cookie-only implementation will be used.
+ Specifying "token-repository-ref" or "remember-me-data-source-ref" will use the
+ more secure, persisten token approach.
+
+
+
+
+
+
+
+ Adds support for automatically granting all anonymous web
+ requests a particular principal identity and a corresponding granted
+ authority.
+
+
+
+
+
+
+
+ Defines the list of mappings between http and https ports for
+ use in redirects
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Automatically registers a login form, BASIC authentication, anonymous
+ authentication, logout services, remember-me and servlet-api-integration. If set to
+ "true", all of these capabilities are added (although you can still customize the
+ configuration of each by providing the respective element). If unspecified, defaults
+ to "false".
+
+
+
+
+ Enables the use of expressions in the 'access' attributes in
+ <intercept-url> elements rather than the traditional list of
+ configuration attributes. Defaults to 'false'. If enabled, each attribute should
+ contain a single boolean expression. If the expression evaluates to 'true', access
+ will be granted.
+
+
+
+
+ Controls the eagerness with which an HTTP session is created. If not
+ set, defaults to "ifRequired". Note that if a custom SecurityContextRepository is set
+ using security-context-repository-ref, then the only value which can be set is
+ "always". Otherwise the session creation behaviour will be determined by the
+ repository bean implementation.
+
+
+
+
+
+
+
+
+
+
+
+ A reference to a SecurityContextRepository bean. This can be used to
+ customize the way the SecurityContext is stored between requests.
+
+
+
+
+ Defines the type of pattern used to specify URL paths (either JDK
+ 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if
+ unspecified.
+
+
+
+
+
+
+
+
+
+
+ Whether test URLs should be converted to lower case prior to comparing
+ with defined path patterns. If unspecified, defaults to "true".
+
+
+
+
+ Provides versions of HttpServletRequest security methods such as
+ isUserInRole() and getPrincipal() which are implemented by accessing the Spring
+ SecurityContext. Defaults to "true".
+
+
+
+
+ Optional attribute specifying the ID of the AccessDecisionManager
+ implementation which should be used for authorizing HTTP requests.
+
+
+
+
+ Optional attribute specifying the realm name that will be used for all
+ authentication features that require a realm name (eg BASIC and Digest
+ authentication). If unspecified, defaults to "Spring Security
+ Application".
+
+
+
+
+ Indicates whether an existing session should be invalidated when a
+ user authenticates and a new session started. If set to "none" no change will be
+ made. "newSession" will create a new empty session. "migrateSession" will create a
+ new session and copy the session attributes to the new session. Defaults to
+ "migrateSession".
+
+
+
+
+
+
+
+
+
+
+
+ Allows a customized AuthenticationEntryPoint to be
+ used.
+
+
+
+
+ Corresponds to the observeOncePerRequest property of
+ FilterSecurityInterceptor. Defaults to "true"
+
+
+
+
+ Allows the access denied page to be set (the user will be redirected
+ here if an AccessDeniedException is raised).
+
+
+
+
+
+
+ The pattern which defines the URL path. The content will depend on the
+ type set in the containing http element, so will default to ant path
+ syntax.
+
+
+
+
+ The access configuration attributes that apply for the configured
+ path.
+
+
+
+
+ The HTTP Method for which the access configuration attributes should
+ apply. If not specified, the attributes will apply to any method.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The filter list for the path. Currently can be set to "none" to remove
+ a path from having any filters applied. The full filter stack (consisting of all
+ filters created by the namespace configuration, and any added using 'custom-filter'),
+ will be applied to any other paths.
+
+
+
+
+
+
+
+
+
+ Used to specify that a URL must be accessed over http or https, or
+ that there is no preference.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Specifies the URL that will cause a logout. Spring Security will
+ initialize a filter that responds to this particular URL. Defaults to
+ /j_spring_security_logout if unspecified.
+
+
+
+
+ Specifies the URL to display once the user has logged out. If not
+ specified, defaults to /.
+
+
+
+
+ Specifies whether a logout also causes HttpSession invalidation, which
+ is generally desirable. If unspecified, defaults to true.
+
+
+
+
+
+
+ The URL that the login form is posted to. If unspecified, it defaults
+ to /j_spring_security_check.
+
+
+
+
+ The URL that will be redirected to after successful authentication, if
+ the user's previous action could not be resumed. This generally happens if the user
+ visits a login page without having first requested a secured operation that triggers
+ authentication. If unspecified, defaults to the root of the
+ application.
+
+
+
+
+ Whether the user should always be redirected to the default-target-url
+ after login.
+
+
+
+
+ The URL for the login page. If no login URL is specified, Spring
+ Security will automatically create a login URL at /spring_security_login and a
+ corresponding filter to render that login URL when requested.
+
+
+
+
+ The URL for the login failure page. If no login failure URL is
+ specified, Spring Security will automatically create a failure login URL at
+ /spring_security_login?login_error and a corresponding filter to render that login
+ failure URL when requested.
+
+
+
+
+ Reference to an AuthenticationSuccessHandler bean which should be used
+ to handle a successful authentication request. Should not be used in combination with
+ default-target-url (or always-use-default-target-url) as the implementation should
+ always deal with navigation to the subsequent destination
+
+
+
+
+ Reference to an AuthenticationFailureHandler bean which should be used
+ to handle a failed authentication request. Should not be used in combination with
+ authentication-failure-url as the implementation should always deal with navigation
+ to the subsequent destination
+
+
+
+
+
+ Sets up form login for authentication with an Open ID
+ identity
+
+
+
+
+
+ A reference to a user-service (or UserDetailsService bean)
+ Id
+
+
+
+
+
+
+ Used to explicitly configure a FilterChainProxy instance with a
+ FilterChainMap
+
+
+
+
+
+ Used within filter-chain-map to define a specific URL pattern
+ and the list of filters which apply to the URLs matching that pattern. When
+ multiple filter-chain elements are used within a filter-chain-map element, the
+ most specific patterns must be placed at the top of the list, with most general
+ ones at the bottom.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Used to explicitly configure a FilterInvocationDefinitionSource bean for
+ use with a FilterSecurityInterceptor. Usually only needed if you are configuring a
+ FilterChainProxy explicitly, rather than using the <http> element. The
+ intercept-url elements used should only contain pattern, method and access attributes.
+ Any others will result in a configuration error.
+
+
+
+
+
+ Specifies the access attributes and/or filter list for a
+ particular set of URLs.
+
+
+
+
+
+
+
+
+
+
+
+
+ Enables the use of expressions in the 'access' attributes in
+ <intercept-url> elements rather than the traditional list of
+ configuration attributes. Defaults to 'false'. If enabled, each attribute should
+ contain a single boolean expression. If the expression evaluates to 'true', access
+ will be granted.
+
+
+
+
+ A bean identifier, used for referring to the bean elsewhere in the
+ context.
+
+
+
+
+ as for http element
+
+
+
+
+ Defines the type of pattern used to specify URL paths (either JDK
+ 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if
+ unspecified.
+
+
+
+
+
+
+
+
+
+
+
+
+ The maximum number of sessions a single user can have open at the same
+ time. Defaults to "1".
+
+
+
+
+ The URL a user will be redirected to if they attempt to use a session
+ which has been "expired" by the concurrent session controller because they have
+ logged in again.
+
+
+
+
+ Specifies that an exception should be raised when a user attempts to
+ login when they already have the maximum configured sessions open. The default
+ behaviour is to expire the original session.
+
+
+
+
+ Allows you to define an alias for the SessionRegistry bean in order to
+ access it in your own configuration
+
+
+
+
+ A reference to an external SessionRegistry implementation which will
+ be used in place of the standard one.
+
+
+
+
+
+
+ The "key" used to identify cookies from a specific token-based
+ remember-me application. You should set this to a unique value for your
+ application.
+
+
+
+
+ Reference to a PersistentTokenRepository bean for use with the
+ persistent token remember-me implementation.
+
+
+
+
+ A reference to a DataSource bean
+
+
+
+
+
+ A reference to a user-service (or UserDetailsService bean)
+ Id
+
+
+
+
+ The period (in seconds) for which the remember-me cookie should be
+ valid.
+
+
+
+
+
+
+ Reference to a PersistentTokenRepository bean for use with the
+ persistent token remember-me implementation.
+
+
+
+
+
+
+ Allows a custom implementation of RememberMeServices to be used. Note
+ that this implementation should return RememberMeAuthenticationToken instances with
+ the same "key" value as specified in the remember-me element. Alternatively it should
+ register its own AuthenticationProvider.
+
+
+
+
+
+
+
+
+
+ The key shared between the provider and filter. This generally does
+ not need to be set. If unset, it will default to "doesNotMatter".
+
+
+
+
+ The username that should be assigned to the anonymous request. This
+ allows the principal to be identified, which may be important for logging and
+ auditing. if unset, defaults to "anonymousUser".
+
+
+
+
+ The granted authority that should be assigned to the anonymous
+ request. Commonly this is used to assign the anonymous request particular roles,
+ which can subsequently be used in authorization decisions. If unset, defaults to
+ "ROLE_ANONYMOUS".
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The regular expression used to obtain the username from the
+ certificate's subject. Defaults to matching on the common name using the pattern
+ "CN=(.*?),".
+
+
+
+
+ A reference to a user-service (or UserDetailsService bean)
+ Id
+
+
+
+
+
+ If you are using namespace configuration with Spring Security, an
+ AuthenticationManager will automatically be registered. This element allows you to
+ define an alias to allow you to reference the authentication-manager in your own beans.
+
+
+
+
+
+
+
+
+
+ The alias you wish to use for the AuthenticationManager
+ bean
+
+
+
+
+ Allows the session controller to be set on the internal
+ AuthenticationManager. This should not be used with the
+ <concurrent-session-control /> element
+
+
+
+
+
+ Indicates that the contained user-service should be used as an
+ authentication source.
+
+
+
+
+
+
+ element which defines a password encoding strategy. Used by an
+ authentication provider to convert submitted passwords to hashed versions, for
+ example.
+
+
+
+
+
+ Password salting strategy. A system-wide constant or a
+ property from the UserDetails object can be used.
+
+
+
+
+ A property of the UserDetails object which will
+ be used as salt by a password encoder. Typically something like
+ "username" might be used.
+
+
+
+
+ A single value that will be used as the salt for
+ a password encoder.
+
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
- The optional server to use. If omitted, and a default LDAP server is
- registered (using <ldap-server> with no Id), that server will be used.
-
-
-
-
-
- Search base for user searches. Defaults to "". Only used with a
- 'user-search-filter'.
-
-
-
-
- The LDAP filter used to search for users (optional). For example
- "(uid={0})". The substituted parameter is the user's login name.
-
-
-
-
- Search base for group membership searches. Defaults to "" (searching from
- the root).
-
-
-
-
- Group search filter. Defaults to (uniqueMember={0}). The substituted
- parameter is the DN of the user.
-
-
-
-
- The LDAP attribute name which contains the role name which will be used
- within Spring Security. Defaults to "cn".
-
-
-
-
- A specific pattern used to build the user's DN, for example
- "uid={0},ou=people". The key "{0}" must be present and will be substituted with the
- username.
-
-
-
-
- A non-empty string prefix that will be added to role strings loaded from
- persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the
- default is non-empty.
-
-
-
-
- Allows the objectClass of the user entry to be specified. If set, the
- framework will attempt to load standard attributes for the defined class into the returned
- UserDetails object
-
-
-
-
-
-
-
-
-
-
-
-
- The attribute in the directory which contains the user password. Defaults
- to "userPassword".
-
-
-
-
- Defines the hashing algorithm used on user passwords. We recommend
- strongly against using MD4, as it is a very weak hashing algorithm.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Can be used inside a bean definition to add a security interceptor to the
- bean and set up access configuration attributes for the bean's methods
-
-
-
-
-
- Defines a protected method and the access control configuration
- attributes that apply to it. We strongly advise you NOT to mix "protect" declarations
- with any services provided "global-method-security".
-
-
-
-
-
-
-
-
-
-
-
-
- Optional AccessDecisionManager bean ID to be used by the created method
- security interceptor.
-
-
-
-
-
-
- A method name
-
-
-
-
- Access configuration attributes list that applies to the method, e.g.
- "ROLE_A,ROLE_B".
-
-
-
-
-
- Provides method security for all beans registered in the Spring application
- context. Specifically, beans will be scanned for matches with the ordered list of
- "protect-pointcut" sub-elements, Spring Security annotations and/or. Where there is a match,
- the beans will automatically be proxied and security authorization applied to the methods
- accordingly. If you use and enable all four sources of method security metadata (ie
- "protect-pointcut" declarations, expression annotations, @Secured and also JSR250 security
- annotations), the metadata sources will be queried in that order. In practical terms, this
- enables you to use XML to override method security metadata expressed in annotations. If
- using annotations, the order of precedence is EL-based (@PreAuthorize etc.), @Secured and
- finally JSR-250.
-
-
-
-
-
-
- Defines a protected pointcut and the access control configuration
- attributes that apply to it. Every bean registered in the Spring application context
- that provides a method that matches the pointcut will receive security
- authorization.
-
-
-
-
-
-
-
-
-
-
-
-
- Specifies whether the use of Spring Security's expression-based
- annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be enabled for
- this application context. Defaults to "disabled".
-
-
-
-
-
-
-
-
-
-
- Specifies whether the use of Spring Security's @Secured annotations should
- be enabled for this application context. Defaults to "disabled".
-
-
-
-
-
-
-
-
-
-
- Specifies whether JSR-250 style attributes are to be used (for example
- "RolesAllowed"). This will require the javax.annotation.security classes on the classpath.
- Defaults to "disabled".
-
-
-
-
-
-
-
-
-
-
- Optional AccessDecisionManager bean ID to override the default used for
- method security.
-
-
-
-
-
- Defines the SecurityExpressionHandler instance which will be used if
- expression-based access-control is enabled. A default implementation (with no ACL support)
- will be used if not supplied.
-
-
-
-
-
-
-
- Used to decorate an AfterInvocationProvider to specify that it should be
- used with method security.
-
-
-
-
-
-
- An AspectJ expression, including the 'execution' keyword. For example,
- 'execution(int com.foo.TargetObject.countLength(String))' (without the
- quotes).
-
-
-
-
- Access configuration attributes list that applies to all methods matching
- the pointcut, e.g. "ROLE_A,ROLE_B"
-
-
-
-
-
- Container element for HTTP security configuration
-
-
-
-
-
- Specifies the access attributes and/or filter list for a particular
- set of URLs.
-
-
-
-
-
-
-
- Sets up a form login configuration for authentication with a username
- and password
-
-
-
-
-
-
-
-
- Adds support for X.509 client authentication.
-
-
-
-
-
-
-
- Adds support for basic authentication (this is an element to permit
- future expansion, such as supporting an "ignoreFailure" attribute)
-
-
-
-
-
- Incorporates a logout processing filter. Most web applications require
- a logout filter, although you may not require one if you write a controller to
- provider similar logic.
-
-
-
-
-
-
-
- Adds support for concurrent session control, allowing limits to be
- placed on the number of sessions a user can have.
-
-
-
-
-
-
-
- Sets up remember-me authentication. If used with the "key" attribute
- (or no attributes) the cookie-only implementation will be used. Specifying
- "token-repository-ref" or "remember-me-data-source-ref" will use the more secure,
- persisten token approach.
-
-
-
-
-
-
-
- Adds support for automatically granting all anonymous web requests a
- particular principal identity and a corresponding granted
- authority.
-
-
-
-
-
-
-
- Defines the list of mappings between http and https ports for use in
- redirects
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Automatically registers a login form, BASIC authentication, anonymous
- authentication, logout services, remember-me and servlet-api-integration. If set to
- "true", all of these capabilities are added (although you can still customize the
- configuration of each by providing the respective element). If unspecified, defaults to
- "false".
-
-
-
-
- Enables the use of expressions in the 'access' attributes in
- <intercept-url> elements rather than the traditional list of configuration
- attributes. Defaults to 'false'. If enabled, each attribute should contain a single
- boolean expression. If the expression evaluates to 'true', access will be granted.
-
-
-
-
-
- Controls the eagerness with which an HTTP session is created. If not set,
- defaults to "ifRequired". Note that if a custom SecurityContextRepository is set using
- security-context-repository-ref, then the only value which can be set is "always".
- Otherwise the session creation behaviour will be determined by the repository bean
- implementation.
-
-
-
-
-
-
-
-
-
-
-
- A reference to a SecurityContextRepository bean. This can be used to
- customize the way the SecurityContext is stored between requests.
-
-
-
-
- Defines the type of pattern used to specify URL paths (either JDK
- 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if
- unspecified.
-
-
-
-
-
-
-
-
-
-
- Whether test URLs should be converted to lower case prior to comparing
- with defined path patterns. If unspecified, defaults to "true".
-
-
-
-
- Provides versions of HttpServletRequest security methods such as
- isUserInRole() and getPrincipal() which are implemented by accessing the Spring
- SecurityContext. Defaults to "true".
-
-
-
-
- Optional attribute specifying the ID of the AccessDecisionManager
- implementation which should be used for authorizing HTTP requests.
-
-
-
-
- Optional attribute specifying the realm name that will be used for all
- authentication features that require a realm name (eg BASIC and Digest authentication). If
- unspecified, defaults to "Spring Security Application".
-
-
-
-
- Indicates whether an existing session should be invalidated when a user
- authenticates and a new session started. If set to "none" no change will be made.
- "newSession" will create a new empty session. "migrateSession" will create a new session
- and copy the session attributes to the new session. Defaults to
- "migrateSession".
-
-
-
-
-
-
-
-
-
-
-
- Allows a customized AuthenticationEntryPoint to be
- used.
-
-
-
-
- Corresponds to the observeOncePerRequest property of
- FilterSecurityInterceptor. Defaults to "true"
-
-
-
-
- Allows the access denied page to be set (the user will be redirected here
- if an AccessDeniedException is raised).
-
-
-
-
-
-
- The pattern which defines the URL path. The content will depend on the
- type set in the containing http element, so will default to ant path
- syntax.
-
-
-
-
- The access configuration attributes that apply for the configured
- path.
-
-
-
-
- The HTTP Method for which the access configuration attributes should
- apply. If not specified, the attributes will apply to any method.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- The filter list for the path. Currently can be set to "none" to remove a
- path from having any filters applied. The full filter stack (consisting of all filters
- created by the namespace configuration, and any added using 'custom-filter'), will be
- applied to any other paths.
-
-
-
-
-
-
-
-
-
- Used to specify that a URL must be accessed over http or https, or that
- there is no preference.
-
-
-
-
-
-
-
-
-
-
-
-
-
- Specifies the URL that will cause a logout. Spring Security will
- initialize a filter that responds to this particular URL. Defaults to
- /j_spring_security_logout if unspecified.
-
-
-
-
- Specifies the URL to display once the user has logged out. If not
- specified, defaults to /.
-
-
-
-
- Specifies whether a logout also causes HttpSession invalidation, which is
- generally desirable. If unspecified, defaults to true.
-
-
-
-
-
-
- The URL that the login form is posted to. If unspecified, it defaults to
- /j_spring_security_check.
-
-
-
-
- The URL that will be redirected to after successful authentication, if the
- user's previous action could not be resumed. This generally happens if the user visits a
- login page without having first requested a secured operation that triggers
- authentication. If unspecified, defaults to the root of the
- application.
-
-
-
-
- Whether the user should always be redirected to the default-target-url
- after login.
-
-
-
-
- The URL for the login page. If no login URL is specified, Spring Security
- will automatically create a login URL at /spring_security_login and a corresponding filter
- to render that login URL when requested.
-
-
-
-
- The URL for the login failure page. If no login failure URL is specified,
- Spring Security will automatically create a failure login URL at
- /spring_security_login?login_error and a corresponding filter to render that login failure
- URL when requested.
-
-
-
-
-
- Sets up form login for authentication with an Open ID
- identity
-
-
-
+
+
+
+
+
+
+
-
- A reference to a user-service (or UserDetailsService bean)
- Id
-
+
+ A reference to a user-service (or UserDetailsService bean)
+ Id
+
-
-
-
-
- Used to explicitly configure a FilterChainProxy instance with a
- FilterChainMap
-
-
+
+
+
+ Element used to decorate an AuthenticationProvider bean to add it to the
+ internal AuthenticationManager maintained by the namespace.
+
+
+
+
+
+ Creates an in-memory UserDetailsService from a properties file or a list
+ of "user" child elements.
+
+
+
+
+
+
+
+ A bean identifier, used for referring to the bean elsewhere in the
+ context.
+
+
+
+
+
+
+
+
+
+
+ Represents a user in the application.
+
+
+
+
+
+
+
+
+ The username assigned to the user.
+
+
+
+
+ The password assigned to the user. This may be hashed if the
+ corresponding authentication provider supports hashing (remember to set the "hash"
+ attribute of the "user-service" element).
+
+
+
+
+ One of more authorities granted to the user. Separate authorities with
+ a comma (but no space). For example,
+ "ROLE_USER,ROLE_ADMINISTRATOR"
+
+
+
+
+ Can be set to "true" to mark an account as locked and
+ unusable.
+
+
+
+
+ Can be set to "true" to mark an account as disabled and
+ unusable.
+
+
+
+
+
+ Causes creation of a JDBC-based UserDetailsService.
+
+
+
+
+ A bean identifier, used for referring to the bean elsewhere in the
+ context.
+
+
+
+
+
+
+
+
+ The bean ID of the DataSource which provides the required
+ tables.
+
+
+
+
+ Defines a reference to a cache for use with a
+ UserDetailsService.
+
+
+
+
+ An SQL statement to query a username, password, and enabled status
+ given a username
+
+
+
+
+ An SQL statement to query for a user's granted authorities given a
+ username.
+
+
+
+
+ An SQL statement to query user's group authorities given a
+ username.
+
+
+
+
+ A non-empty string prefix that will be added to role strings loaded
+ from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases
+ where the default is non-empty.
+
+
+
+
+
-
-
- Used within filter-chain-map to define a specific URL pattern and the
- list of filters which apply to the URLs matching that pattern. When multiple
- filter-chain elements are used within a filter-chain-map element, the most specific
- patterns must be placed at the top of the list, with most general ones at the
- bottom.
-
-
-
-
-
+
-
-
-
-
-
-
-
-
-
-
-
-
- Used to explicitly configure a FilterInvocationDefinitionSource bean for use
- with a FilterSecurityInterceptor. Usually only needed if you are configuring a
- FilterChainProxy explicitly, rather than using the <http> element. The
- intercept-url elements used should only contain pattern, method and access attributes. Any
- others will result in a configuration error.
-
-
-
-
-
- Specifies the access attributes and/or filter list for a particular
- set of URLs.
-
-
-
-
-
-
-
-
-
-
-
+
+
- Enables the use of expressions in the 'access' attributes in
- <intercept-url> elements rather than the traditional list of configuration
- attributes. Defaults to 'false'. If enabled, each attribute should contain a single
- boolean expression. If the expression evaluates to 'true', access will be granted.
-
+ Used to indicate that a filter bean declaration should be incorporated
+ into the security filter chain. If neither the 'after' or 'before' options are supplied,
+ then the filter must implement the Ordered interface directly.
-
-
-
- A bean identifier, used for referring to the bean elsewhere in the
- context.
-
-
-
-
- as for http element
-
-
-
-
- Defines the type of pattern used to specify URL paths (either JDK
- 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if
- unspecified.
-
-
-
-
-
-
-
-
-
-
-
-
- The maximum number of sessions a single user can have open at the same
- time. Defaults to "1".
-
-
-
-
- The URL a user will be redirected to if they attempt to use a session
- which has been "expired" by the concurrent session controller because they have logged in
- again.
-
-
-
-
- Specifies that an exception should be raised when a user attempts to login
- when they already have the maximum configured sessions open. The default behaviour is to
- expire the original session.
-
-
-
-
- Allows you to define an alias for the SessionRegistry bean in order to
- access it in your own configuration
-
-
-
-
- A reference to an external SessionRegistry implementation which will be
- used in place of the standard one.
-
-
-
-
-
-
- The "key" used to identify cookies from a specific token-based remember-me
- application. You should set this to a unique value for your
- application.
-
-
-
-
- Reference to a PersistentTokenRepository bean for use with the persistent
- token remember-me implementation.
-
-
-
-
- A reference to a DataSource bean
-
-
-
-
-
- A reference to a user-service (or UserDetailsService bean)
- Id
-
-
-
-
- The period (in seconds) for which the remember-me cookie should be valid.
-
-
-
-
-
-
-
- Reference to a PersistentTokenRepository bean for use with the persistent
- token remember-me implementation.
-
-
-
-
-
-
- Allows a custom implementation of RememberMeServices to be used. Note that
- this implementation should return RememberMeAuthenticationToken instances with the same
- "key" value as specified in the remember-me element. Alternatively it should register its
- own AuthenticationProvider.
-
-
-
-
-
-
-
-
-
- The key shared between the provider and filter. This generally does not
- need to be set. If unset, it will default to "doesNotMatter".
-
-
-
-
- The username that should be assigned to the anonymous request. This allows
- the principal to be identified, which may be important for logging and auditing. if unset,
- defaults to "anonymousUser".
-
-
-
-
- The granted authority that should be assigned to the anonymous request.
- Commonly this is used to assign the anonymous request particular roles, which can
- subsequently be used in authorization decisions. If unset, defaults to
- "ROLE_ANONYMOUS".
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- The regular expression used to obtain the username from the certificate's
- subject. Defaults to matching on the common name using the pattern
- "CN=(.*?),".
-
-
-
-
- A reference to a user-service (or UserDetailsService bean)
- Id
-
-
-
-
-
- If you are using namespace configuration with Spring Security, an
- AuthenticationManager will automatically be registered. This element allows you to define an
- alias to allow you to reference the authentication-manager in your own beans.
-
-
-
-
-
-
-
-
-
- The alias you wish to use for the AuthenticationManager
- bean
-
-
-
-
- Allows the session controller to be set on the internal
- AuthenticationManager. This should not be used with the <concurrent-session-control
- /> element
-
-
-
-
-
- Indicates that the contained user-service should be used as an
- authentication source.
-
-
-
-
-
-
- element which defines a password encoding strategy. Used by an
- authentication provider to convert submitted passwords to hashed versions, for
- example.
-
-
-
-
-
- Password salting strategy. A system-wide constant or a property
- from the UserDetails object can be used.
-
-
-
-
- A property of the UserDetails object which will be used as
- salt by a password encoder. Typically something like "username" might be
- used.
-
-
-
-
- A single value that will be used as the salt for a password
- encoder.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- A reference to a user-service (or UserDetailsService bean)
- Id
-
-
-
-
-
- Element used to decorate an AuthenticationProvider bean to add it to the
- internal AuthenticationManager maintained by the namespace.
-
-
-
-
-
- Creates an in-memory UserDetailsService from a properties file or a list of
- "user" child elements.
-
-
-
-
-
-
-
- A bean identifier, used for referring to the bean elsewhere in the
- context.
-
+
+
+
+ The filter immediately after which the custom-filter should be
+ placed in the chain. This feature will only be needed by advanced users who wish
+ to mix their own filters into the security filter chain and have some knowledge of
+ the standard Spring Security filters. The filter names map to specific Spring
+ Security implementation filters.
+
+
+
+
+ The filter immediately before which the custom-filter should be
+ placed in the chain
+
+
+
+
+ The explicit position at which the custom-filter should be placed
+ in the chain. Use if you are replacing a standard filter.
+
+
+
+
+
+
+
+ The filter immediately after which the custom-filter should be placed
+ in the chain. This feature will only be needed by advanced users who wish to mix
+ their own filters into the security filter chain and have some knowledge of the
+ standard Spring Security filters. The filter names map to specific Spring Security
+ implementation filters.
+
-
-
-
-
-
-
-
-
- Represents a user in the application.
-
-
-
-
-
-
-
-
- The username assigned to the user.
-
-
-
-
- The password assigned to the user. This may be hashed if the corresponding
- authentication provider supports hashing (remember to set the "hash" attribute of the
- "user-service" element).
-
-
-
-
- One of more authorities granted to the user. Separate authorities with a
- comma (but no space). For example, "ROLE_USER,ROLE_ADMINISTRATOR"
-
-
-
-
- Can be set to "true" to mark an account as locked and
- unusable.
-
-
-
-
- Can be set to "true" to mark an account as disabled and
- unusable.
-
-
-
-
-
- Causes creation of a JDBC-based UserDetailsService.
-
-
-
-
- A bean identifier, used for referring to the bean elsewhere in the
- context.
-
+
+
+
+
+ The filter immediately before which the custom-filter should be placed
+ in the chain
+
-
-
-
-
-
-
- The bean ID of the DataSource which provides the required
- tables.
-
-
-
-
- Defines a reference to a cache for use with a
- UserDetailsService.
-
-
-
-
- An SQL statement to query a username, password, and enabled status given a
- username
-
-
-
-
- An SQL statement to query for a user's granted authorities given a
- username.
-
-
-
-
- An SQL statement to query user's group authorities given a
- username.
-
-
-
-
- A non-empty string prefix that will be added to role strings loaded from
- persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the
- default is non-empty.
-
-
-
-
-
-
-
-
-
-
-
- Used to indicate that a filter bean declaration should be incorporated into
- the security filter chain. If neither the 'after' or 'before' options are supplied, then the
- filter must implement the Ordered interface directly.
-
-
-
-
- The filter immediately after which the custom-filter should be placed in
- the chain. This feature will only be needed by advanced users who wish to mix their own
- filters into the security filter chain and have some knowledge of the standard Spring
- Security filters. The filter names map to specific Spring Security implementation
- filters.
-
+
+
+
+
+ The explicit position at which the custom-filter should be placed in
+ the chain. Use if you are replacing a standard filter.
+
-
-
- The filter immediately before which the custom-filter should be placed
- in the chain
-
-
-
-
- The explicit position at which the custom-filter should be placed in the
- chain. Use if you are replacing a standard filter.
-
-
-
-
-
-
-
- The filter immediately after which the custom-filter should be placed in
- the chain. This feature will only be needed by advanced users who wish to mix their own
- filters into the security filter chain and have some knowledge of the standard Spring
- Security filters. The filter names map to specific Spring Security implementation filters.
-
-
-
-
-
-
-
- The filter immediately before which the custom-filter should be placed in
- the chain
-
-
-
-
-
-
- The explicit position at which the custom-filter should be placed in the
- chain. Use if you are replacing a standard filter.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java b/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
index fbfae66c18..6f8dcc4081 100644
--- a/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
+++ b/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
@@ -35,6 +35,8 @@ import org.springframework.security.providers.TestingAuthenticationToken;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.security.providers.anonymous.AnonymousProcessingFilter;
import org.springframework.security.securechannel.ChannelProcessingFilter;
+import org.springframework.security.ui.AuthenticationFailureHandler;
+import org.springframework.security.ui.AuthenticationSuccessHandler;
import org.springframework.security.ui.ExceptionTranslationFilter;
import org.springframework.security.ui.SessionFixationProtectionFilter;
import org.springframework.security.ui.WebAuthenticationDetails;
@@ -717,6 +719,22 @@ public class HttpSecurityBeanDefinitionParserTests {
}
}
+ @Test
+ public void customSuccessAndFailureHandlersCanBeSetThroughTheNamespace() throws Exception {
+ setContext(
+ "" +
+ " " +
+ "" +
+ "" +
+ "" +
+ AUTH_PROVIDER_XML);
+ AuthenticationProcessingFilter apf = (AuthenticationProcessingFilter) appContext.getBean(BeanIds.FORM_LOGIN_FILTER);
+ AuthenticationSuccessHandler sh = (AuthenticationSuccessHandler) appContext.getBean("sh");
+ AuthenticationFailureHandler fh = (AuthenticationFailureHandler) appContext.getBean("fh");
+ assertSame(sh, FieldUtils.getFieldValue(apf, "successHandler"));
+ assertSame(fh, FieldUtils.getFieldValue(apf, "failureHandler"));
+ }
+
private void setContext(String context) {
appContext = new InMemoryXmlApplicationContext(context);
}
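Review bot: `customSuccessAndFailureHandlersCanBeSetThroughTheNamespace` covers only the case where the two handler references are set on their own, so nothing pins what happens when they are combined with the URL attributes. The schema documentation added in this commit says `authentication-success-handler-ref` should not be used with `default-target-url` or `always-use-default-target-url`, and `authentication-failure-handler-ref` should not be used with `authentication-failure-url`. These handlers decide where a user is sent after a login succeeds or fails, so a silently ignored attribute would leave a configuration that looks enforced but is not. A companion test that sets both and asserts the outcome would document this; if rejection is the intent it would expect a configuration error, but the parser change is not visible in this hunk. Separately, the `assertSame` checks read private fields by name (`FieldUtils.getFieldValue(apf, "successHandler")`), so a comment such as `// field names must match AuthenticationProcessingFilter` above them would flag the coupling; the enclosing test class starts and ends outside the hunk.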