Provide a proxy so filters can be loaded directly from the application context.
@@ -503,14 +503,14 @@
<title>FilterInvocation Security Interceptor</title>
<para>To secure <literal>FilterInvocation</literal>s, developers need
to add a <literal>SecurityEnforcementFilter</literal> to their
<literal>web.xml</literal>. A typical configuration example is
provided below: <programlisting><filter>
to add a filter to their <literal>web.xml</literal> that delegates to
the <literal>SecurityEnforcementFilter</literal>. A typical
configuration example is provided below: <programlisting><filter>
<filter-name>Acegi HTTP Request Security Filter</filter-name>
<filter-class>net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter</filter-class>
<filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
<init-param>
<param-name>loginFormUrl</param-name>
<param-value>/acegilogin.jsp</param-value>
<param-name>targetClass</param-name>
<param-value>net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter</param-value>
</init-param>
</filter>
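Review bot: the loginFormUrl init-param vanishes from this web.xml listing and nothing in the hunk says where it went; the reworded sentence only says the filter "delegates to the SecurityEnforcementFilter". Add a clause such as "filter properties such as loginFormUrl are now set on the SecurityEnforcementFilter bean in the application context" so a reader upgrading an existing web.xml knows the parameter moved rather than disappeared.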
@@ -519,34 +519,36 @@
<url-pattern>/*</url-pattern>
</filter-mapping></programlisting></para>
<para>The <literal>loginFormUrl</literal> is where the filter will
redirect the user's browser if they request a secure HTTP resource but
they are not authenticated. If the user is authenticated, a "403
Forbidden" response will be returned to the browser. All paths are
relative to the web application root.</para>
<para>Notice that the filter is actually a
<literal>FilterToBeanProxy</literal>. Most of the filters used by the
Acegi Security System for Spring use this class . What it does is
delegate the <literal>Filter</literal>'s methods through to a bean
which is obtained from the Spring application context. This enables
the bean to benefit from the Spring application context lifecycle
support and configuration flexibility. The
<literal>FilterToBeanProxy</literal> only requires a single
initialization parameter, <literal>targetClass</literal>, which will
be used to identify the bean in the application context. In the
unlikely event there is more than one bean in the application context
that matches this class, the <literal>targetBean</literal>
initialization parameter should be used. This parameter simply
represents the name of the bean in the application context. Like
standard Spring web applications, the
<literal>FilterToBeanProxy</literal> accesses the application context
via<literal>
WebApplicationContextUtils.getWebApplicationContext(ServletContext)</literal>,
so you should configure a <literal>ContextLoaderListener</literal> in
<literal>web.xml</literal>.</para>
<para>To perform its function, the
<literal>SecurityEnforcementFilter</literal> will need to delegate to
a properly configured <literal>FilterSecurityInterceptor</literal>. To
do this it requires access to a Spring application context, which is
usually obtained from
<literal>WebApplicationContextUtils.getWebApplicationContext(ServletContext)</literal>.
This is usually made available by using Spring's
<literal>ContextLoaderListener</literal> in
<literal>web.xml</literal>. Alternatively, the
<literal>web.xml</literal> can be used to define a filter
<literal><init-param></literal> named
<literal>contextConfigLocation</literal>. This initialization
parameter will represent a path to a Spring XML application context
that the <literal>SecurityEnforcementFilter</literal> will load during
startup.</para>
<para>In the application context you will need to configure two
beans:</para>
<para>The configuration of the
<literal>FilterSecurityInterceptor</literal> in the Spring application
context is very similar to the
<literal>MethodSecurityInterceptor</literal>:</para>
<programlisting><bean id="securityEnforcementFilter" class="net.sf.acegisecurity.intercept.web.SecurityEnforcementFilter">
<property name="filterSecurityInterceptor"><ref bean="filterInvocationInterceptor"/></property>
<property name="loginFormUrl"><value>/acegilogin.jsp</value></property>
</bean>
<para><programlisting><bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
<bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
<property name="runAsManager"><ref bean="runAsManager"/></property>
@@ -557,7 +559,18 @@
\A/secure/.*\Z=ROLE_SUPERVISOR,ROLE_TELLER
</value>
</property>
</bean></programlisting></para>
</bean></programlisting>
<para>The <literal>loginFormUrl</literal> is where the filter will
redirect the user's browser if they request a secure HTTP resource but
they are not authenticated. If the user is authenticated, a "403
Forbidden" response will be returned to the browser. All paths are
relative to the web application root.</para>
<para>The <literal>SecurityEnforcementFilter</literal> primarily
provides redirection and session management support. It delegates
actual <literal>FilterInvocation</literal> security decisions to the
configured <literal>FilterSecurityInterceptor</literal>.</para>
<para>Like any other security interceptor, the
<literal>FilterSecurityInterceptor</literal> requires a reference to
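Review bot: the deleted paragraph documented a contextConfigLocation filter init-param as an alternative to ContextLoaderListener, but the replacement text only says a ContextLoaderListener "should" be configured and never says whether FilterToBeanProxy still honours contextConfigLocation; state that explicitly (supported or dropped), since users who relied on it need to know before upgrading. Two typos in the new FilterToBeanProxy paragraph: "use this class ." has a space before the full stop, and "via<literal>" is missing a space before the tag. Also, "In the application context you will need to configure two beans:" is followed by the sentence comparing the FilterSecurityInterceptor to the MethodSecurityInterceptor, yet the first listing that appears is the securityEnforcementFilter bean; introduce that listing first, then lead into the interceptor listing with the comparison.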
@@ -1483,22 +1496,15 @@ public boolean supports(Class clazz);</programlisting></para>
<literal>j_password</literal> input fields, and posts to a URL that is
monitored by the filter (by default
<literal>j_acegi_security_check</literal>). The filter is defined in
<literal>web.xml</literal> as follows:</para>
<literal>web.xml</literal> behind a
<literal>FilterToBeanProxy</literal> as follows:</para>
<para><programlisting><filter>
<filter-name>Acegi Authentication Processing Filter</filter-name>
<filter-class>net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter</filter-class>
<filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
<init-param>
<param-name>authenticationFailureUrl</param-name>
<param-value>/acegilogin.jsp?login_error=1</param-value>
</init-param>
<init-param>
<param-name>defaultTargetUrl</param-name>
<param-value>/</param-value>
</init-param>
<init-param>
<param-name>filterProcessUrl</param-name>
<param-value>/j_acegi_security_check</param-value>
<param-name>targetClass</param-name>
<param-value>net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter</param-value>
</init-param>
</filter>
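Review bot: the init-param being removed here is named filterProcessUrl, while the bean property that replaces it later in this patch is filterProcessesUrl; if the old web.xml name was a documentation error, say so in the commit message or in a short migration sentence, otherwise users who copied the old listing will carry the wrong property name into their bean definition and get a silent failure to bind.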
@@ -1507,25 +1513,22 @@ public boolean supports(Class clazz);</programlisting></para>
<url-pattern>/*</url-pattern>
</filter-mapping></programlisting></para>
<para>To perform its function, the
<literal>AuthenticationProcessingFilter</literal> will need to
delegate to a properly configured
<literal>AuthenticationManager</literal>. To do this it requires
access to a Spring application context, which is usually obtained from
<literal>WebApplicationContextUtils.getWebApplicationContext(ServletContext)</literal>.
This is usually made available by using Spring's
<literal>ContextLoaderListener</literal> in
<literal>web.xml</literal>. Alternatively, the
<literal>web.xml</literal> can be used to define a filter
<literal><init-param></literal> named
<literal>contextConfigLocation</literal>. This initialization
parameter will represent a path to a Spring XML application context
that the <literal>AuthenticationProcessingFilter</literal> will load
during startup.</para>
<para>For a discussion of <literal>FilterToBeanProxy</literal>, please
refer to the FilterInvocation Security Interceptor section. The
application context will need to define the
<literal>AuthenticationProcessingFilter</literal>:</para>
<para>The <literal>AuthenticationManager</literal> processes each
authentication request. If authentication fails, the browser will be
redirected to the <literal>authenticationFailureUrl</literal>. The
<para><programlisting><bean id="authenticationProcessingFilter" class="net.sf.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="authenticationFailureUrl"><value>/acegilogin.jsp?login_error=1</value></property>
<property name="defaultTargetUrl"><value>/</value></property>
<property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property>
</bean></programlisting></para>
<para>The configured <literal>AuthenticationManager</literal>
processes each authentication request. If authentication fails, the
browser will be redirected to the
<literal>authenticationFailureUrl</literal>. The
<literal>AuthenticationException</literal> will be placed into the
<literal>HttpSession</literal> attribute indicated by
<literal>AuthenticationProcessingFilter.ACEGI_SECURITY_LAST_EXCEPTION_KEY</literal>,
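Review bot: "please refer to the FilterInvocation Security Interceptor section" is a bare prose pointer; this is DocBook, so give that section an id and use <xref linkend="..."/> (or <link>) so the reference survives a retitle and renders as a live link. The same wording is repeated in the HTTP Basic section below, so one id fixes both.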
@@ -1549,8 +1552,7 @@ public boolean supports(Class clazz);</programlisting></para>
is completed the user can return to what they were trying to access.
If for some reason the <literal>HttpSession</literal> does not
indicate the target URL, the browser will be redirected to the
<literal>defaultTargetUrl</literal> filter initialization
property.</para>
<literal>defaultTargetUrl</literal> property.</para>
<para>Because this authentication approach is fully contained within a
single web application, HTTP Session Authentication is recommended to
@@ -1567,13 +1569,20 @@ public boolean supports(Class clazz);</programlisting></para>
standard authentication of web browser users, we recommend HTTP
Session Authentication). The standard governing HTTP Basic
Authentication is defined by RFC 1945, Section 11, and the
<literal>BasicProcessingFilter</literal> conforms with this RFC. To
implement HTTP Basic Authentication, it is necessary to add the
following filter to <literal>web.xml</literal>:</para>
<literal>BasicProcessingFilter</literal> conforms with this RFC.
</para>
<para>To implement HTTP Basic Authentication, it is necessary to add
the following filter to <literal>web.xml</literal>, behind a
<literal>FilterToBeanProxy</literal>:</para>
<para><programlisting><filter>
<filter-name>Acegi HTTP BASIC Authorization Filter</filter-name>
<filter-class>net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter</filter-class>
<filter-class>net.sf.acegisecurity.util.FilterToBeanProxy</filter-class>
<init-param>
<param-name>targetClass</param-name>
<param-value>net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter</param-value>
</init-param>
</filter>
<filter-mapping>
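Review bot: splitting the RFC sentence leaves "conforms with this RFC." on one line and a lone "</para>" on the next, unlike every other paragraph in the file where the closing tag sits on the final text line; fold it into "...conforms with this RFC.</para>". While these lines are being touched, the retained filter-name "Acegi HTTP BASIC Authorization Filter" mislabels an authentication filter; renaming it to "Acegi HTTP BASIC Authentication Filter" is harmless as long as the matching <filter-name> inside the <filter-mapping> is changed with it.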
@@ -1581,26 +1590,19 @@ public boolean supports(Class clazz);</programlisting></para>
<url-pattern>/*</url-pattern>
</filter-mapping></programlisting></para>
<para>Like the <literal>AuthenticationProcessingFilter</literal>
discussed above, the <literal>BasicProcessingFilter</literal> will
need to delegate to a properly configured
<literal>AuthenticationManager</literal>. To do this it requires
access to a Spring application context, which is usually obtained from
<literal>WebApplicationContextUtils.getWebApplicationContext(ServletContext)</literal>.
This is usually made available by using Spring's
<literal>ContextLoaderListener</literal> in
<literal>web.xml</literal>. Alternatively, the
<literal>web.xml</literal> can be used to define a filter
<literal><init-param></literal> named
<literal>contextConfigLocation</literal>. This initialization
parameter will represent a path to a Spring XML application context
that the <literal>AuthenticationProcessingFilter</literal> will load
during startup.</para>
<para>For a discussion of <literal>FilterToBeanProxy</literal>, please
refer to the FilterInvocation Security Interceptor section. The
application context will need to define the
<literal>BasicProcessingFilter</literal>:</para>
<para>The <literal>AuthenticationManager</literal> processes each
authentication request. If authentication fails, a 403 (forbidden)
response will be returned in response to the HTTP request. If
authentication is successful, the resulting
<para><programlisting><bean id="basicProcessingFilter" class="net.sf.acegisecurity.ui.basicauth.BasicProcessingFilter">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
</bean></programlisting></para>
<para>The configured <literal>AuthenticationManager</literal>
processes each authentication request. If authentication fails, a 403
(forbidden) response will be returned in response to the HTTP request.
If authentication is successful, the resulting
<literal>Authentication</literal> object will be placed into the
<literal>HttpSession</literal> attribute indicated by
<literal>HttpSessionIntegrationFilter.ACEGI_SECURITY_AUTHENTICATION_KEY</literal>.
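Review bot: the rewritten paragraph re-asserts that a failed HTTP Basic login yields "a 403 (forbidden) response". RFC 1945 Section 11, which this section cites as the governing spec, has the server answer missing or rejected credentials with 401 Unauthorized carrying a WWW-Authenticate challenge, and that 401 is what makes browsers and HTTP clients prompt for or retry credentials; check what BasicProcessingFilter actually sends and either correct the sentence or state that the 403 is a deliberate deviation and what a client should do about it. On the plus side, the deleted paragraph's stray reference to AuthenticationProcessingFilter inside the Basic section goes away with this hunk.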