From fcc68e636e950fe53bd19ed5c832e6583e0ad00f Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Mon, 15 Dec 2008 00:56:17 +0000 Subject: [PATCH] SEC-1062: Added authentication-success-handler-ref and authentication-failure-handler-ref to the namespace definition. --- .../security/config/spring-security-2.5.rnc | 7 + .../security/config/spring-security-2.5.xsd | 3044 +++++++++-------- ...HttpSecurityBeanDefinitionParserTests.java | 18 + 3 files changed, 1561 insertions(+), 1508 deletions(-) diff --git a/core/src/main/resources/org/springframework/security/config/spring-security-2.5.rnc b/core/src/main/resources/org/springframework/security/config/spring-security-2.5.rnc index 6d662ca24b..800bc3f892 100644 --- a/core/src/main/resources/org/springframework/security/config/spring-security-2.5.rnc +++ b/core/src/main/resources/org/springframework/security/config/spring-security-2.5.rnc @@ -310,6 +310,13 @@ form-login.attlist &= form-login.attlist &= ## The URL for the login failure page. If no login failure URL is specified, Spring Security will automatically create a failure login URL at /spring_security_login?login_error and a corresponding filter to render that login failure URL when requested. attribute authentication-failure-url {xsd:string}? +form-login.attlist &= + ## Reference to an AuthenticationSuccessHandler bean which should be used to handle a successful authentication request. Should not be used in combination with default-target-url (or always-use-default-target-url) as the implementation should always deal with navigation to the subsequent destination + attribute authentication-success-handler-ref {xsd:string}? +form-login.attlist &= + ## Reference to an AuthenticationFailureHandler bean which should be used to handle a failed authentication request. Should not be used in combination with authentication-failure-url as the implementation should always deal with navigation to the subsequent destination + attribute authentication-failure-handler-ref {xsd:string}? + openid-login = ## Sets up form login for authentication with an Open ID identity diff --git a/core/src/main/resources/org/springframework/security/config/spring-security-2.5.xsd b/core/src/main/resources/org/springframework/security/config/spring-security-2.5.xsd index e3c31f8203..5c6b0b13ef 100644 --- a/core/src/main/resources/org/springframework/security/config/spring-security-2.5.xsd +++ b/core/src/main/resources/org/springframework/security/config/spring-security-2.5.xsd @@ -1,1527 +1,1555 @@ - - + xmlns:security="http://www.springframework.org/schema/security" elementFormDefault="qualified" + targetNamespace="http://www.springframework.org/schema/security"> + + + + Defines the hashing algorithm used on user passwords. We recommend + strongly against using MD4, as it is a very weak hashing + algorithm. + + + + + + + + + + + + + + + + + + Whether a string should be base64 encoded + + + + + + + + + + + + + Defines the type of pattern used to specify URL paths (either JDK + 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if + unspecified. + + + + + + + + + + + + + Specifies an IP port number. Used to configure an embedded LDAP + server, for example. + + + + + + + Specifies a URL. + + + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + + + Defines a reference to a Spring bean Id. + + + + + + + Defines a reference to a cache for use with a + UserDetailsService. + + + + + + + A reference to a user-service (or UserDetailsService bean) + Id + + + + + + + A reference to a DataSource bean + + + + + + + Defines a reference to a Spring bean Id. + + + + + Defines the hashing algorithm used on user passwords. We recommend + strongly against using MD4, as it is a very weak hashing + algorithm. + + + + + + + + + + + + + + + + Whether a string should be base64 encoded + + + + + + + + + + + + + A property of the UserDetails object which will be used as salt by a + password encoder. Typically something like "username" might be used. + + + + + + + + A single value that will be used as the salt for a password encoder. + + + + + + + + + + + + + + A non-empty string prefix that will be added to role strings loaded + from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases + where the default is non-empty. + + + + + + + Enables the use of expressions in the 'access' attributes in + <intercept-url> elements rather than the traditional list of + configuration attributes. Defaults to 'false'. If enabled, each attribute should + contain a single boolean expression. If the expression evaluates to 'true', access + will be granted. + + + + - Defines the hashing algorithm used on user passwords. We recommend - strongly against using MD4, as it is a very weak hashing algorithm. + Defines an LDAP server location or starts an embedded server. The url + indicates the location of a remote server. If no url is given, an embedded server will + be started, listening on the supplied port number. The port is optional and defaults to + 33389. A Spring LDAP ContextSource bean will be registered for the server with the id + supplied. - - - - - - - - - - - - - - - + + + + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + Specifies a URL. + + + + + Specifies an IP port number. Used to configure an embedded LDAP + server, for example. + + + + + Username (DN) of the "manager" user identity which will be used to + authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be + used. + + + + + The password for the manager DN. + + + + + Explicitly specifies an ldif file resource to load into an embedded + LDAP server + + + + + Optional root suffix for the embedded LDAP server. Default is + "dc=springframework,dc=org" + + + + + + + The optional server to use. If omitted, and a default LDAP server is + registered (using <ldap-server> with no Id), that server will be used. + + + + + + + + Group search filter. Defaults to (uniqueMember={0}). The substituted + parameter is the DN of the user. + + + + + + + Search base for group membership searches. Defaults to "" (searching + from the root). + + + + + + + The LDAP filter used to search for users (optional). For example + "(uid={0})". The substituted parameter is the user's login name. + + + + + + + Search base for user searches. Defaults to "". Only used with a + 'user-search-filter'. + + + + + + + The LDAP attribute name which contains the role name which will be + used within Spring Security. Defaults to "cn". + + + + + + + Allows the objectClass of the user entry to be specified. If set, the + framework will attempt to load standard attributes for the defined class into the + returned UserDetails object + + + + + + + + + + + + + + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + The optional server to use. If omitted, and a default LDAP server is + registered (using <ldap-server> with no Id), that server will be used. + + + + + + The LDAP filter used to search for users (optional). For example + "(uid={0})". The substituted parameter is the user's login name. + + + + + Search base for user searches. Defaults to "". Only used with a + 'user-search-filter'. + + + + + Group search filter. Defaults to (uniqueMember={0}). The substituted + parameter is the DN of the user. + + + + + Search base for group membership searches. Defaults to "" (searching + from the root). + + + + + The LDAP attribute name which contains the role name which will be + used within Spring Security. Defaults to "cn". + + + + + Defines a reference to a cache for use with a + UserDetailsService. + + + + + A non-empty string prefix that will be added to role strings loaded + from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases + where the default is non-empty. + + + + + Allows the objectClass of the user entry to be specified. If set, the + framework will attempt to load standard attributes for the defined class into the + returned UserDetails object + + + + + + + + + + - Whether a string should be base64 encoded + Sets up an ldap authentication provider - - - - - - - - - - - - Defines the type of pattern used to specify URL paths (either JDK - 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if - unspecified. - - - - - - - - - - - - - Specifies an IP port number. Used to configure an embedded LDAP server, - for example. - - - - - - - Specifies a URL. - - - - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - - - - - - - Defines a reference to a Spring bean Id. - - - - - - - Defines a reference to a cache for use with a - UserDetailsService. - - - - - - - A reference to a user-service (or UserDetailsService bean) - Id - - - - - - - A reference to a DataSource bean - - - - - - - Defines a reference to a Spring bean Id. - - - - - Defines the hashing algorithm used on user passwords. We recommend - strongly against using MD4, as it is a very weak hashing algorithm. - - - - - - - - - - - - - - - - Whether a string should be base64 encoded - - - - - - - - - - - - - A property of the UserDetails object which will be used as salt by a - password encoder. Typically something like "username" might be used. - - - - - - - A single value that will be used as the salt for a password encoder. - - - - - - - - - - - - - - A non-empty string prefix that will be added to role strings loaded from - persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the - default is non-empty. - - - - - - - Enables the use of expressions in the 'access' attributes in - <intercept-url> elements rather than the traditional list of configuration - attributes. Defaults to 'false'. If enabled, each attribute should contain a single - boolean expression. If the expression evaluates to 'true', access will be granted. - - - - - - - Defines an LDAP server location or starts an embedded server. The url - indicates the location of a remote server. If no url is given, an embedded server will be - started, listening on the supplied port number. The port is optional and defaults to 33389. - A Spring LDAP ContextSource bean will be registered for the server with the id supplied. - - - - - - - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - - - - - Specifies a URL. - - - - - Specifies an IP port number. Used to configure an embedded LDAP server, - for example. - - - - - Username (DN) of the "manager" user identity which will be used to - authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be used. - - - - - - The password for the manager DN. - - - - - Explicitly specifies an ldif file resource to load into an embedded LDAP - server - - - - - Optional root suffix for the embedded LDAP server. Default is - "dc=springframework,dc=org" - - - - - - - The optional server to use. If omitted, and a default LDAP server is - registered (using <ldap-server> with no Id), that server will be used. - - - - - - - - Group search filter. Defaults to (uniqueMember={0}). The substituted - parameter is the DN of the user. - - - - - - - Search base for group membership searches. Defaults to "" (searching from - the root). - - - - - - - The LDAP filter used to search for users (optional). For example - "(uid={0})". The substituted parameter is the user's login name. - - - - - - - Search base for user searches. Defaults to "". Only used with a - 'user-search-filter'. - - - - - - - The LDAP attribute name which contains the role name which will be used - within Spring Security. Defaults to "cn". - - - - - - - Allows the objectClass of the user entry to be specified. If set, the - framework will attempt to load standard attributes for the defined class into the returned - UserDetails object - - - - - - - - - - - - - - - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - - - - - The optional server to use. If omitted, and a default LDAP server is - registered (using <ldap-server> with no Id), that server will be used. - - - - - - The LDAP filter used to search for users (optional). For example - "(uid={0})". The substituted parameter is the user's login name. - - - - - Search base for user searches. Defaults to "". Only used with a - 'user-search-filter'. - - - - - Group search filter. Defaults to (uniqueMember={0}). The substituted - parameter is the DN of the user. - - - - - Search base for group membership searches. Defaults to "" (searching from - the root). - - - - - The LDAP attribute name which contains the role name which will be used - within Spring Security. Defaults to "cn". - - - - - Defines a reference to a cache for use with a - UserDetailsService. - - - - - A non-empty string prefix that will be added to role strings loaded from - persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the - default is non-empty. - - - - - Allows the objectClass of the user entry to be specified. If set, the - framework will attempt to load standard attributes for the defined class into the returned - UserDetails object - - - - - - - - - - - - Sets up an ldap authentication provider - - - - - - Specifies that an LDAP provider should use an LDAP compare operation - of the user's password to authenticate the user - - - - - - element which defines a password encoding strategy. Used by an - authentication provider to convert submitted passwords to hashed versions, for - example. - - + + + + + Specifies that an LDAP provider should use an LDAP compare + operation of the user's password to authenticate the user + + - - - Password salting strategy. A system-wide constant or a - property from the UserDetails object can be used. - - - - - A property of the UserDetails object which will be - used as salt by a password encoder. Typically something like - "username" might be used. - - - - - A single value that will be used as the salt for a - password encoder. - - - - + + + element which defines a password encoding strategy. + Used by an authentication provider to convert submitted passwords to + hashed versions, for example. + + + + + + Password salting strategy. A system-wide + constant or a property from the UserDetails object can be + used. + + + + + A property of the UserDetails object + which will be used as salt by a password encoder. + Typically something like "username" might be used. + + + + + + A single value that will be used as the + salt for a password encoder. + + + + + + + + + + + + + + + + + + + + The optional server to use. If omitted, and a default LDAP server is + registered (using <ldap-server> with no Id), that server will be used. + + + + + + Search base for user searches. Defaults to "". Only used with a + 'user-search-filter'. + + + + + The LDAP filter used to search for users (optional). For example + "(uid={0})". The substituted parameter is the user's login name. + + + + + Search base for group membership searches. Defaults to "" (searching + from the root). + + + + + Group search filter. Defaults to (uniqueMember={0}). The substituted + parameter is the DN of the user. + + + + + The LDAP attribute name which contains the role name which will be + used within Spring Security. Defaults to "cn". + + + + + A specific pattern used to build the user's DN, for example + "uid={0},ou=people". The key "{0}" must be present and will be substituted with the + username. + + + + + A non-empty string prefix that will be added to role strings loaded + from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases + where the default is non-empty. + + + + + Allows the objectClass of the user entry to be specified. If set, the + framework will attempt to load standard attributes for the defined class into the + returned UserDetails object + + + + + + + + + + + + + The attribute in the directory which contains the user password. + Defaults to "userPassword". + + + + + Defines the hashing algorithm used on user passwords. We recommend + strongly against using MD4, as it is a very weak hashing + algorithm. + + + + + + + + + + + + + + + + + Can be used inside a bean definition to add a security interceptor to the + bean and set up access configuration attributes for the bean's + methods + + + + + + Defines a protected method and the access control configuration + attributes that apply to it. We strongly advise you NOT to mix "protect" + declarations with any services provided + "global-method-security". + + + + + + + + + + + + + Optional AccessDecisionManager bean ID to be used by the created + method security interceptor. + + + + + + + A method name + + + + + Access configuration attributes list that applies to the method, e.g. + "ROLE_A,ROLE_B". + + + + + + Provides method security for all beans registered in the Spring + application context. Specifically, beans will be scanned for matches with the ordered + list of "protect-pointcut" sub-elements, Spring Security annotations and/or. Where there + is a match, the beans will automatically be proxied and security authorization applied + to the methods accordingly. If you use and enable all four sources of method security + metadata (ie "protect-pointcut" declarations, expression annotations, @Secured and also + JSR250 security annotations), the metadata sources will be queried in that order. In + practical terms, this enables you to use XML to override method security metadata + expressed in annotations. If using annotations, the order of precedence is EL-based + (@PreAuthorize etc.), @Secured and finally JSR-250. + + + + + + + Defines a protected pointcut and the access control + configuration attributes that apply to it. Every bean registered in the Spring + application context that provides a method that matches the pointcut will + receive security authorization. + + + + + + + + + + + + + Specifies whether the use of Spring Security's expression-based + annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be + enabled for this application context. Defaults to "disabled". + + + + + + + + + + + Specifies whether the use of Spring Security's @Secured annotations + should be enabled for this application context. Defaults to + "disabled". + + + + + + + + + + + Specifies whether JSR-250 style attributes are to be used (for example + "RolesAllowed"). This will require the javax.annotation.security classes on the + classpath. Defaults to "disabled". + + + + + + + + + + + Optional AccessDecisionManager bean ID to override the default used + for method security. + + + + + + Defines the SecurityExpressionHandler instance which will be used if + expression-based access-control is enabled. A default implementation (with no ACL + support) will be used if not supplied. + + + + + + + + Used to decorate an AfterInvocationProvider to specify that it should be + used with method security. + + + + + + + An AspectJ expression, including the 'execution' keyword. For example, + 'execution(int com.foo.TargetObject.countLength(String))' (without the + quotes). + + + + + Access configuration attributes list that applies to all methods + matching the pointcut, e.g. "ROLE_A,ROLE_B" + + + + + + Container element for HTTP security configuration + + + + + + Specifies the access attributes and/or filter list for a + particular set of URLs. + + + + + + + + Sets up a form login configuration for authentication with a + username and password + + + + + + + + + Adds support for X.509 client authentication. + + + + + + + + Adds support for basic authentication (this is an element to + permit future expansion, such as supporting an "ignoreFailure" + attribute) + + + + + + Incorporates a logout processing filter. Most web applications + require a logout filter, although you may not require one if you write a + controller to provider similar logic. + + + + + + + + Adds support for concurrent session control, allowing limits to + be placed on the number of sessions a user can have. + + + + + + + + Sets up remember-me authentication. If used with the "key" + attribute (or no attributes) the cookie-only implementation will be used. + Specifying "token-repository-ref" or "remember-me-data-source-ref" will use the + more secure, persisten token approach. + + + + + + + + Adds support for automatically granting all anonymous web + requests a particular principal identity and a corresponding granted + authority. + + + + + + + + Defines the list of mappings between http and https ports for + use in redirects + + + + + + + + + + + + + + + Automatically registers a login form, BASIC authentication, anonymous + authentication, logout services, remember-me and servlet-api-integration. If set to + "true", all of these capabilities are added (although you can still customize the + configuration of each by providing the respective element). If unspecified, defaults + to "false". + + + + + Enables the use of expressions in the 'access' attributes in + <intercept-url> elements rather than the traditional list of + configuration attributes. Defaults to 'false'. If enabled, each attribute should + contain a single boolean expression. If the expression evaluates to 'true', access + will be granted. + + + + + Controls the eagerness with which an HTTP session is created. If not + set, defaults to "ifRequired". Note that if a custom SecurityContextRepository is set + using security-context-repository-ref, then the only value which can be set is + "always". Otherwise the session creation behaviour will be determined by the + repository bean implementation. + + + + + + + + + + + + A reference to a SecurityContextRepository bean. This can be used to + customize the way the SecurityContext is stored between requests. + + + + + Defines the type of pattern used to specify URL paths (either JDK + 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if + unspecified. + + + + + + + + + + + Whether test URLs should be converted to lower case prior to comparing + with defined path patterns. If unspecified, defaults to "true". + + + + + Provides versions of HttpServletRequest security methods such as + isUserInRole() and getPrincipal() which are implemented by accessing the Spring + SecurityContext. Defaults to "true". + + + + + Optional attribute specifying the ID of the AccessDecisionManager + implementation which should be used for authorizing HTTP requests. + + + + + Optional attribute specifying the realm name that will be used for all + authentication features that require a realm name (eg BASIC and Digest + authentication). If unspecified, defaults to "Spring Security + Application". + + + + + Indicates whether an existing session should be invalidated when a + user authenticates and a new session started. If set to "none" no change will be + made. "newSession" will create a new empty session. "migrateSession" will create a + new session and copy the session attributes to the new session. Defaults to + "migrateSession". + + + + + + + + + + + + Allows a customized AuthenticationEntryPoint to be + used. + + + + + Corresponds to the observeOncePerRequest property of + FilterSecurityInterceptor. Defaults to "true" + + + + + Allows the access denied page to be set (the user will be redirected + here if an AccessDeniedException is raised). + + + + + + + The pattern which defines the URL path. The content will depend on the + type set in the containing http element, so will default to ant path + syntax. + + + + + The access configuration attributes that apply for the configured + path. + + + + + The HTTP Method for which the access configuration attributes should + apply. If not specified, the attributes will apply to any method. + + + + + + + + + + + + + + + + The filter list for the path. Currently can be set to "none" to remove + a path from having any filters applied. The full filter stack (consisting of all + filters created by the namespace configuration, and any added using 'custom-filter'), + will be applied to any other paths. + + + + + + + + + + Used to specify that a URL must be accessed over http or https, or + that there is no preference. + + + + + + + + + + + + + + Specifies the URL that will cause a logout. Spring Security will + initialize a filter that responds to this particular URL. Defaults to + /j_spring_security_logout if unspecified. + + + + + Specifies the URL to display once the user has logged out. If not + specified, defaults to /. + + + + + Specifies whether a logout also causes HttpSession invalidation, which + is generally desirable. If unspecified, defaults to true. + + + + + + + The URL that the login form is posted to. If unspecified, it defaults + to /j_spring_security_check. + + + + + The URL that will be redirected to after successful authentication, if + the user's previous action could not be resumed. This generally happens if the user + visits a login page without having first requested a secured operation that triggers + authentication. If unspecified, defaults to the root of the + application. + + + + + Whether the user should always be redirected to the default-target-url + after login. + + + + + The URL for the login page. If no login URL is specified, Spring + Security will automatically create a login URL at /spring_security_login and a + corresponding filter to render that login URL when requested. + + + + + The URL for the login failure page. If no login failure URL is + specified, Spring Security will automatically create a failure login URL at + /spring_security_login?login_error and a corresponding filter to render that login + failure URL when requested. + + + + + Reference to an AuthenticationSuccessHandler bean which should be used + to handle a successful authentication request. Should not be used in combination with + default-target-url (or always-use-default-target-url) as the implementation should + always deal with navigation to the subsequent destination + + + + + Reference to an AuthenticationFailureHandler bean which should be used + to handle a failed authentication request. Should not be used in combination with + authentication-failure-url as the implementation should always deal with navigation + to the subsequent destination + + + + + + Sets up form login for authentication with an Open ID + identity + + + + + + A reference to a user-service (or UserDetailsService bean) + Id + + + + + + + Used to explicitly configure a FilterChainProxy instance with a + FilterChainMap + + + + + + Used within filter-chain-map to define a specific URL pattern + and the list of filters which apply to the URLs matching that pattern. When + multiple filter-chain elements are used within a filter-chain-map element, the + most specific patterns must be placed at the top of the list, with most general + ones at the bottom. + + + + + + + + + + + + + + + + + + + Used to explicitly configure a FilterInvocationDefinitionSource bean for + use with a FilterSecurityInterceptor. Usually only needed if you are configuring a + FilterChainProxy explicitly, rather than using the <http> element. The + intercept-url elements used should only contain pattern, method and access attributes. + Any others will result in a configuration error. + + + + + + Specifies the access attributes and/or filter list for a + particular set of URLs. + + + + + + + + + + + + + Enables the use of expressions in the 'access' attributes in + <intercept-url> elements rather than the traditional list of + configuration attributes. Defaults to 'false'. If enabled, each attribute should + contain a single boolean expression. If the expression evaluates to 'true', access + will be granted. + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + as for http element + + + + + Defines the type of pattern used to specify URL paths (either JDK + 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if + unspecified. + + + + + + + + + + + + + The maximum number of sessions a single user can have open at the same + time. Defaults to "1". + + + + + The URL a user will be redirected to if they attempt to use a session + which has been "expired" by the concurrent session controller because they have + logged in again. + + + + + Specifies that an exception should be raised when a user attempts to + login when they already have the maximum configured sessions open. The default + behaviour is to expire the original session. + + + + + Allows you to define an alias for the SessionRegistry bean in order to + access it in your own configuration + + + + + A reference to an external SessionRegistry implementation which will + be used in place of the standard one. + + + + + + + The "key" used to identify cookies from a specific token-based + remember-me application. You should set this to a unique value for your + application. + + + + + Reference to a PersistentTokenRepository bean for use with the + persistent token remember-me implementation. + + + + + A reference to a DataSource bean + + + + + + A reference to a user-service (or UserDetailsService bean) + Id + + + + + The period (in seconds) for which the remember-me cookie should be + valid. + + + + + + + Reference to a PersistentTokenRepository bean for use with the + persistent token remember-me implementation. + + + + + + + Allows a custom implementation of RememberMeServices to be used. Note + that this implementation should return RememberMeAuthenticationToken instances with + the same "key" value as specified in the remember-me element. Alternatively it should + register its own AuthenticationProvider. + + + + + + + + + + The key shared between the provider and filter. This generally does + not need to be set. If unset, it will default to "doesNotMatter". + + + + + The username that should be assigned to the anonymous request. This + allows the principal to be identified, which may be important for logging and + auditing. if unset, defaults to "anonymousUser". + + + + + The granted authority that should be assigned to the anonymous + request. Commonly this is used to assign the anonymous request particular roles, + which can subsequently be used in authorization decisions. If unset, defaults to + "ROLE_ANONYMOUS". + + + + + + + + + + + + + + + + + + + The regular expression used to obtain the username from the + certificate's subject. Defaults to matching on the common name using the pattern + "CN=(.*?),". + + + + + A reference to a user-service (or UserDetailsService bean) + Id + + + + + + If you are using namespace configuration with Spring Security, an + AuthenticationManager will automatically be registered. This element allows you to + define an alias to allow you to reference the authentication-manager in your own beans. + + + + + + + + + + The alias you wish to use for the AuthenticationManager + bean + + + + + Allows the session controller to be set on the internal + AuthenticationManager. This should not be used with the + <concurrent-session-control /> element + + + + + + Indicates that the contained user-service should be used as an + authentication source. + + + + + + + element which defines a password encoding strategy. Used by an + authentication provider to convert submitted passwords to hashed versions, for + example. + + + + + + Password salting strategy. A system-wide constant or a + property from the UserDetails object can be used. + + + + + A property of the UserDetails object which will + be used as salt by a password encoder. Typically something like + "username" might be used. + + + + + A single value that will be used as the salt for + a password encoder. + + + + - - - - - - - - - - - - - - The optional server to use. If omitted, and a default LDAP server is - registered (using <ldap-server> with no Id), that server will be used. - - - - - - Search base for user searches. Defaults to "". Only used with a - 'user-search-filter'. - - - - - The LDAP filter used to search for users (optional). For example - "(uid={0})". The substituted parameter is the user's login name. - - - - - Search base for group membership searches. Defaults to "" (searching from - the root). - - - - - Group search filter. Defaults to (uniqueMember={0}). The substituted - parameter is the DN of the user. - - - - - The LDAP attribute name which contains the role name which will be used - within Spring Security. Defaults to "cn". - - - - - A specific pattern used to build the user's DN, for example - "uid={0},ou=people". The key "{0}" must be present and will be substituted with the - username. - - - - - A non-empty string prefix that will be added to role strings loaded from - persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the - default is non-empty. - - - - - Allows the objectClass of the user entry to be specified. If set, the - framework will attempt to load standard attributes for the defined class into the returned - UserDetails object - - - - - - - - - - - - - The attribute in the directory which contains the user password. Defaults - to "userPassword". - - - - - Defines the hashing algorithm used on user passwords. We recommend - strongly against using MD4, as it is a very weak hashing algorithm. - - - - - - - - - - - - - - - - - Can be used inside a bean definition to add a security interceptor to the - bean and set up access configuration attributes for the bean's methods - - - - - - Defines a protected method and the access control configuration - attributes that apply to it. We strongly advise you NOT to mix "protect" declarations - with any services provided "global-method-security". - - - - - - - - - - - - - Optional AccessDecisionManager bean ID to be used by the created method - security interceptor. - - - - - - - A method name - - - - - Access configuration attributes list that applies to the method, e.g. - "ROLE_A,ROLE_B". - - - - - - Provides method security for all beans registered in the Spring application - context. Specifically, beans will be scanned for matches with the ordered list of - "protect-pointcut" sub-elements, Spring Security annotations and/or. Where there is a match, - the beans will automatically be proxied and security authorization applied to the methods - accordingly. If you use and enable all four sources of method security metadata (ie - "protect-pointcut" declarations, expression annotations, @Secured and also JSR250 security - annotations), the metadata sources will be queried in that order. In practical terms, this - enables you to use XML to override method security metadata expressed in annotations. If - using annotations, the order of precedence is EL-based (@PreAuthorize etc.), @Secured and - finally JSR-250. - - - - - - - Defines a protected pointcut and the access control configuration - attributes that apply to it. Every bean registered in the Spring application context - that provides a method that matches the pointcut will receive security - authorization. - - - - - - - - - - - - - Specifies whether the use of Spring Security's expression-based - annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be enabled for - this application context. Defaults to "disabled". - - - - - - - - - - - Specifies whether the use of Spring Security's @Secured annotations should - be enabled for this application context. Defaults to "disabled". - - - - - - - - - - - Specifies whether JSR-250 style attributes are to be used (for example - "RolesAllowed"). This will require the javax.annotation.security classes on the classpath. - Defaults to "disabled". - - - - - - - - - - - Optional AccessDecisionManager bean ID to override the default used for - method security. - - - - - - Defines the SecurityExpressionHandler instance which will be used if - expression-based access-control is enabled. A default implementation (with no ACL support) - will be used if not supplied. - - - - - - - - Used to decorate an AfterInvocationProvider to specify that it should be - used with method security. - - - - - - - An AspectJ expression, including the 'execution' keyword. For example, - 'execution(int com.foo.TargetObject.countLength(String))' (without the - quotes). - - - - - Access configuration attributes list that applies to all methods matching - the pointcut, e.g. "ROLE_A,ROLE_B" - - - - - - Container element for HTTP security configuration - - - - - - Specifies the access attributes and/or filter list for a particular - set of URLs. - - - - - - - - Sets up a form login configuration for authentication with a username - and password - - - - - - - - - Adds support for X.509 client authentication. - - - - - - - - Adds support for basic authentication (this is an element to permit - future expansion, such as supporting an "ignoreFailure" attribute) - - - - - - Incorporates a logout processing filter. Most web applications require - a logout filter, although you may not require one if you write a controller to - provider similar logic. - - - - - - - - Adds support for concurrent session control, allowing limits to be - placed on the number of sessions a user can have. - - - - - - - - Sets up remember-me authentication. If used with the "key" attribute - (or no attributes) the cookie-only implementation will be used. Specifying - "token-repository-ref" or "remember-me-data-source-ref" will use the more secure, - persisten token approach. - - - - - - - - Adds support for automatically granting all anonymous web requests a - particular principal identity and a corresponding granted - authority. - - - - - - - - Defines the list of mappings between http and https ports for use in - redirects - - - - - - - - - - - - - - - Automatically registers a login form, BASIC authentication, anonymous - authentication, logout services, remember-me and servlet-api-integration. If set to - "true", all of these capabilities are added (although you can still customize the - configuration of each by providing the respective element). If unspecified, defaults to - "false". - - - - - Enables the use of expressions in the 'access' attributes in - <intercept-url> elements rather than the traditional list of configuration - attributes. Defaults to 'false'. If enabled, each attribute should contain a single - boolean expression. If the expression evaluates to 'true', access will be granted. - - - - - - Controls the eagerness with which an HTTP session is created. If not set, - defaults to "ifRequired". Note that if a custom SecurityContextRepository is set using - security-context-repository-ref, then the only value which can be set is "always". - Otherwise the session creation behaviour will be determined by the repository bean - implementation. - - - - - - - - - - - - A reference to a SecurityContextRepository bean. This can be used to - customize the way the SecurityContext is stored between requests. - - - - - Defines the type of pattern used to specify URL paths (either JDK - 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if - unspecified. - - - - - - - - - - - Whether test URLs should be converted to lower case prior to comparing - with defined path patterns. If unspecified, defaults to "true". - - - - - Provides versions of HttpServletRequest security methods such as - isUserInRole() and getPrincipal() which are implemented by accessing the Spring - SecurityContext. Defaults to "true". - - - - - Optional attribute specifying the ID of the AccessDecisionManager - implementation which should be used for authorizing HTTP requests. - - - - - Optional attribute specifying the realm name that will be used for all - authentication features that require a realm name (eg BASIC and Digest authentication). If - unspecified, defaults to "Spring Security Application". - - - - - Indicates whether an existing session should be invalidated when a user - authenticates and a new session started. If set to "none" no change will be made. - "newSession" will create a new empty session. "migrateSession" will create a new session - and copy the session attributes to the new session. Defaults to - "migrateSession". - - - - - - - - - - - - Allows a customized AuthenticationEntryPoint to be - used. - - - - - Corresponds to the observeOncePerRequest property of - FilterSecurityInterceptor. Defaults to "true" - - - - - Allows the access denied page to be set (the user will be redirected here - if an AccessDeniedException is raised). - - - - - - - The pattern which defines the URL path. The content will depend on the - type set in the containing http element, so will default to ant path - syntax. - - - - - The access configuration attributes that apply for the configured - path. - - - - - The HTTP Method for which the access configuration attributes should - apply. If not specified, the attributes will apply to any method. - - - - - - - - - - - - - - - - The filter list for the path. Currently can be set to "none" to remove a - path from having any filters applied. The full filter stack (consisting of all filters - created by the namespace configuration, and any added using 'custom-filter'), will be - applied to any other paths. - - - - - - - - - - Used to specify that a URL must be accessed over http or https, or that - there is no preference. - - - - - - - - - - - - - - Specifies the URL that will cause a logout. Spring Security will - initialize a filter that responds to this particular URL. Defaults to - /j_spring_security_logout if unspecified. - - - - - Specifies the URL to display once the user has logged out. If not - specified, defaults to /. - - - - - Specifies whether a logout also causes HttpSession invalidation, which is - generally desirable. If unspecified, defaults to true. - - - - - - - The URL that the login form is posted to. If unspecified, it defaults to - /j_spring_security_check. - - - - - The URL that will be redirected to after successful authentication, if the - user's previous action could not be resumed. This generally happens if the user visits a - login page without having first requested a secured operation that triggers - authentication. If unspecified, defaults to the root of the - application. - - - - - Whether the user should always be redirected to the default-target-url - after login. - - - - - The URL for the login page. If no login URL is specified, Spring Security - will automatically create a login URL at /spring_security_login and a corresponding filter - to render that login URL when requested. - - - - - The URL for the login failure page. If no login failure URL is specified, - Spring Security will automatically create a failure login URL at - /spring_security_login?login_error and a corresponding filter to render that login failure - URL when requested. - - - - - - Sets up form login for authentication with an Open ID - identity - - - + + + + + + + - - A reference to a user-service (or UserDetailsService bean) - Id - + + A reference to a user-service (or UserDetailsService bean) + Id + - - - - - Used to explicitly configure a FilterChainProxy instance with a - FilterChainMap - - + + + + Element used to decorate an AuthenticationProvider bean to add it to the + internal AuthenticationManager maintained by the namespace. + + + + + + Creates an in-memory UserDetailsService from a properties file or a list + of "user" child elements. + + + + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + + + + + + + Represents a user in the application. + + + + + + + + + The username assigned to the user. + + + + + The password assigned to the user. This may be hashed if the + corresponding authentication provider supports hashing (remember to set the "hash" + attribute of the "user-service" element). + + + + + One of more authorities granted to the user. Separate authorities with + a comma (but no space). For example, + "ROLE_USER,ROLE_ADMINISTRATOR" + + + + + Can be set to "true" to mark an account as locked and + unusable. + + + + + Can be set to "true" to mark an account as disabled and + unusable. + + + + + + Causes creation of a JDBC-based UserDetailsService. + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + + + + + The bean ID of the DataSource which provides the required + tables. + + + + + Defines a reference to a cache for use with a + UserDetailsService. + + + + + An SQL statement to query a username, password, and enabled status + given a username + + + + + An SQL statement to query for a user's granted authorities given a + username. + + + + + An SQL statement to query user's group authorities given a + username. + + + + + A non-empty string prefix that will be added to role strings loaded + from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases + where the default is non-empty. + + + + + - - - Used within filter-chain-map to define a specific URL pattern and the - list of filters which apply to the URLs matching that pattern. When multiple - filter-chain elements are used within a filter-chain-map element, the most specific - patterns must be placed at the top of the list, with most general ones at the - bottom. - - - - - + - - - - - - - - - - - - - Used to explicitly configure a FilterInvocationDefinitionSource bean for use - with a FilterSecurityInterceptor. Usually only needed if you are configuring a - FilterChainProxy explicitly, rather than using the <http> element. The - intercept-url elements used should only contain pattern, method and access attributes. Any - others will result in a configuration error. - - - - - - Specifies the access attributes and/or filter list for a particular - set of URLs. - - - - - - - - - - - + + - Enables the use of expressions in the 'access' attributes in - <intercept-url> elements rather than the traditional list of configuration - attributes. Defaults to 'false'. If enabled, each attribute should contain a single - boolean expression. If the expression evaluates to 'true', access will be granted. - + Used to indicate that a filter bean declaration should be incorporated + into the security filter chain. If neither the 'after' or 'before' options are supplied, + then the filter must implement the Ordered interface directly. - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - - - - - as for http element - - - - - Defines the type of pattern used to specify URL paths (either JDK - 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if - unspecified. - - - - - - - - - - - - - The maximum number of sessions a single user can have open at the same - time. Defaults to "1". - - - - - The URL a user will be redirected to if they attempt to use a session - which has been "expired" by the concurrent session controller because they have logged in - again. - - - - - Specifies that an exception should be raised when a user attempts to login - when they already have the maximum configured sessions open. The default behaviour is to - expire the original session. - - - - - Allows you to define an alias for the SessionRegistry bean in order to - access it in your own configuration - - - - - A reference to an external SessionRegistry implementation which will be - used in place of the standard one. - - - - - - - The "key" used to identify cookies from a specific token-based remember-me - application. You should set this to a unique value for your - application. - - - - - Reference to a PersistentTokenRepository bean for use with the persistent - token remember-me implementation. - - - - - A reference to a DataSource bean - - - - - - A reference to a user-service (or UserDetailsService bean) - Id - - - - - The period (in seconds) for which the remember-me cookie should be valid. - - - - - - - - Reference to a PersistentTokenRepository bean for use with the persistent - token remember-me implementation. - - - - - - - Allows a custom implementation of RememberMeServices to be used. Note that - this implementation should return RememberMeAuthenticationToken instances with the same - "key" value as specified in the remember-me element. Alternatively it should register its - own AuthenticationProvider. - - - - - - - - - - The key shared between the provider and filter. This generally does not - need to be set. If unset, it will default to "doesNotMatter". - - - - - The username that should be assigned to the anonymous request. This allows - the principal to be identified, which may be important for logging and auditing. if unset, - defaults to "anonymousUser". - - - - - The granted authority that should be assigned to the anonymous request. - Commonly this is used to assign the anonymous request particular roles, which can - subsequently be used in authorization decisions. If unset, defaults to - "ROLE_ANONYMOUS". - - - - - - - - - - - - - - - - - - - The regular expression used to obtain the username from the certificate's - subject. Defaults to matching on the common name using the pattern - "CN=(.*?),". - - - - - A reference to a user-service (or UserDetailsService bean) - Id - - - - - - If you are using namespace configuration with Spring Security, an - AuthenticationManager will automatically be registered. This element allows you to define an - alias to allow you to reference the authentication-manager in your own beans. - - - - - - - - - - The alias you wish to use for the AuthenticationManager - bean - - - - - Allows the session controller to be set on the internal - AuthenticationManager. This should not be used with the <concurrent-session-control - /> element - - - - - - Indicates that the contained user-service should be used as an - authentication source. - - - - - - - element which defines a password encoding strategy. Used by an - authentication provider to convert submitted passwords to hashed versions, for - example. - - - - - - Password salting strategy. A system-wide constant or a property - from the UserDetails object can be used. - - - - - A property of the UserDetails object which will be used as - salt by a password encoder. Typically something like "username" might be - used. - - - - - A single value that will be used as the salt for a password - encoder. - - - - - - - - - - - - - - - - A reference to a user-service (or UserDetailsService bean) - Id - - - - - - Element used to decorate an AuthenticationProvider bean to add it to the - internal AuthenticationManager maintained by the namespace. - - - - - - Creates an in-memory UserDetailsService from a properties file or a list of - "user" child elements. - - - - - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - + + + + The filter immediately after which the custom-filter should be + placed in the chain. This feature will only be needed by advanced users who wish + to mix their own filters into the security filter chain and have some knowledge of + the standard Spring Security filters. The filter names map to specific Spring + Security implementation filters. + + + + + The filter immediately before which the custom-filter should be + placed in the chain + + + + + The explicit position at which the custom-filter should be placed + in the chain. Use if you are replacing a standard filter. + + + + + + + + The filter immediately after which the custom-filter should be placed + in the chain. This feature will only be needed by advanced users who wish to mix + their own filters into the security filter chain and have some knowledge of the + standard Spring Security filters. The filter names map to specific Spring Security + implementation filters. + - - - - - - - - - Represents a user in the application. - - - - - - - - - The username assigned to the user. - - - - - The password assigned to the user. This may be hashed if the corresponding - authentication provider supports hashing (remember to set the "hash" attribute of the - "user-service" element). - - - - - One of more authorities granted to the user. Separate authorities with a - comma (but no space). For example, "ROLE_USER,ROLE_ADMINISTRATOR" - - - - - Can be set to "true" to mark an account as locked and - unusable. - - - - - Can be set to "true" to mark an account as disabled and - unusable. - - - - - - Causes creation of a JDBC-based UserDetailsService. - - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - + + + + + The filter immediately before which the custom-filter should be placed + in the chain + - - - - - - - The bean ID of the DataSource which provides the required - tables. - - - - - Defines a reference to a cache for use with a - UserDetailsService. - - - - - An SQL statement to query a username, password, and enabled status given a - username - - - - - An SQL statement to query for a user's granted authorities given a - username. - - - - - An SQL statement to query user's group authorities given a - username. - - - - - A non-empty string prefix that will be added to role strings loaded from - persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the - default is non-empty. - - - - - - - - - - - - Used to indicate that a filter bean declaration should be incorporated into - the security filter chain. If neither the 'after' or 'before' options are supplied, then the - filter must implement the Ordered interface directly. - - - - - The filter immediately after which the custom-filter should be placed in - the chain. This feature will only be needed by advanced users who wish to mix their own - filters into the security filter chain and have some knowledge of the standard Spring - Security filters. The filter names map to specific Spring Security implementation - filters. - + + + + + The explicit position at which the custom-filter should be placed in + the chain. Use if you are replacing a standard filter. + - - - The filter immediately before which the custom-filter should be placed - in the chain - - - - - The explicit position at which the custom-filter should be placed in the - chain. Use if you are replacing a standard filter. - - - - - - - - The filter immediately after which the custom-filter should be placed in - the chain. This feature will only be needed by advanced users who wish to mix their own - filters into the security filter chain and have some knowledge of the standard Spring - Security filters. The filter names map to specific Spring Security implementation filters. - - - - - - - - The filter immediately before which the custom-filter should be placed in - the chain - - - - - - - The explicit position at which the custom-filter should be placed in the - chain. Use if you are replacing a standard filter. - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java b/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java index fbfae66c18..6f8dcc4081 100644 --- a/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java +++ b/core/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java @@ -35,6 +35,8 @@ import org.springframework.security.providers.TestingAuthenticationToken; import org.springframework.security.providers.UsernamePasswordAuthenticationToken; import org.springframework.security.providers.anonymous.AnonymousProcessingFilter; import org.springframework.security.securechannel.ChannelProcessingFilter; +import org.springframework.security.ui.AuthenticationFailureHandler; +import org.springframework.security.ui.AuthenticationSuccessHandler; import org.springframework.security.ui.ExceptionTranslationFilter; import org.springframework.security.ui.SessionFixationProtectionFilter; import org.springframework.security.ui.WebAuthenticationDetails; @@ -717,6 +719,22 @@ public class HttpSecurityBeanDefinitionParserTests { } } + @Test + public void customSuccessAndFailureHandlersCanBeSetThroughTheNamespace() throws Exception { + setContext( + "" + + " " + + "" + + "" + + "" + + AUTH_PROVIDER_XML); + AuthenticationProcessingFilter apf = (AuthenticationProcessingFilter) appContext.getBean(BeanIds.FORM_LOGIN_FILTER); + AuthenticationSuccessHandler sh = (AuthenticationSuccessHandler) appContext.getBean("sh"); + AuthenticationFailureHandler fh = (AuthenticationFailureHandler) appContext.getBean("fh"); + assertSame(sh, FieldUtils.getFieldValue(apf, "successHandler")); + assertSame(fh, FieldUtils.getFieldValue(apf, "failureHandler")); + } + private void setContext(String context) { appContext = new InMemoryXmlApplicationContext(context); }