diff --git a/config/src/main/java/org/springframework/security/config/Elements.java b/config/src/main/java/org/springframework/security/config/Elements.java
index 55b25d43a2..4dfc3aefb3 100644
--- a/config/src/main/java/org/springframework/security/config/Elements.java
+++ b/config/src/main/java/org/springframework/security/config/Elements.java
@@ -8,6 +8,7 @@ package org.springframework.security.config;
*/
public abstract class Elements {
+ public static final String ACCESS_DENIED_HANDLER = "access-denied-handler";
public static final String AUTHENTICATION_MANAGER = "authentication-manager";
public static final String USER_SERVICE = "user-service";
public static final String JDBC_USER_SERVICE = "jdbc-user-service";
diff --git a/config/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
index 6db7da1101..9f7518bd65 100644
--- a/config/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
@@ -8,6 +8,7 @@ import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.springframework.beans.BeanMetadataElement;
import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.beans.factory.config.RuntimeBeanReference;
import org.springframework.beans.factory.support.BeanDefinitionBuilder;
@@ -99,6 +100,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
private static final String ATT_ENTRY_POINT_REF = "entry-point-ref";
private static final String ATT_ONCE_PER_REQUEST = "once-per-request";
private static final String ATT_ACCESS_DENIED_PAGE = "access-denied-page";
+ private static final String ATT_ACCESS_DENIED_ERROR_PAGE = "error-page";
private static final String ATT_USE_EXPRESSIONS = "use-expressions";
@@ -336,22 +338,51 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
}
private void registerExceptionTranslationFilter(Element element, ParserContext pc, boolean allowSessionCreation) {
- String accessDeniedPage = element.getAttribute(ATT_ACCESS_DENIED_PAGE);
- ConfigUtils.validateHttpRedirect(accessDeniedPage, pc, pc.extractSource(element));
BeanDefinitionBuilder exceptionTranslationFilterBuilder
= BeanDefinitionBuilder.rootBeanDefinition(ExceptionTranslationFilter.class);
- exceptionTranslationFilterBuilder.addPropertyValue("createSessionAllowed", new Boolean(allowSessionCreation));
-
- if (StringUtils.hasText(accessDeniedPage)) {
- BeanDefinition accessDeniedHandler = new RootBeanDefinition(AccessDeniedHandlerImpl.class);
- accessDeniedHandler.getPropertyValues().addPropertyValue("errorPage", accessDeniedPage);
- exceptionTranslationFilterBuilder.addPropertyValue("accessDeniedHandler", accessDeniedHandler);
- }
+ exceptionTranslationFilterBuilder.addPropertyValue("createSessionAllowed", Boolean.valueOf(allowSessionCreation));
+ exceptionTranslationFilterBuilder.addPropertyValue("accessDeniedHandler", createAccessDeniedHandler(element, pc));
pc.getRegistry().registerBeanDefinition(BeanIds.EXCEPTION_TRANSLATION_FILTER, exceptionTranslationFilterBuilder.getBeanDefinition());
ConfigUtils.addHttpFilter(pc, new RuntimeBeanReference(BeanIds.EXCEPTION_TRANSLATION_FILTER));
}
+ private BeanMetadataElement createAccessDeniedHandler(Element element, ParserContext pc) {
+ String accessDeniedPage = element.getAttribute(ATT_ACCESS_DENIED_PAGE);
+ ConfigUtils.validateHttpRedirect(accessDeniedPage, pc, pc.extractSource(element));
+ Element accessDeniedElt = DomUtils.getChildElementByTagName(element, Elements.ACCESS_DENIED_HANDLER);
+ BeanDefinitionBuilder accessDeniedHandler = BeanDefinitionBuilder.rootBeanDefinition(AccessDeniedHandlerImpl.class);
+
+ if (StringUtils.hasText(accessDeniedPage)) {
+ if (accessDeniedElt != null) {
+ pc.getReaderContext().error("The attribute " + ATT_ACCESS_DENIED_PAGE +
+ " cannot be used with <" + Elements.ACCESS_DENIED_HANDLER + ">", pc.extractSource(accessDeniedElt));
+ }
+
+ accessDeniedHandler.addPropertyValue("errorPage", accessDeniedPage);
+ }
+
+ if (accessDeniedElt != null) {
+ String errorPage = accessDeniedElt.getAttribute("error-page");
+ String ref = accessDeniedElt.getAttribute("ref");
+
+ if (StringUtils.hasText(errorPage)) {
+ if (StringUtils.hasText(ref)) {
+ pc.getReaderContext().error("The attribute " + ATT_ACCESS_DENIED_ERROR_PAGE +
+ " cannot be used together with the 'ref' attribute within <" +
+ Elements.ACCESS_DENIED_HANDLER + ">", pc.extractSource(accessDeniedElt));
+
+ }
+ accessDeniedHandler.addPropertyValue("errorPage", errorPage);
+ } else if (StringUtils.hasText(ref)) {
+ return new RuntimeBeanReference(ref);
+ }
+
+ }
+
+ return accessDeniedHandler.getBeanDefinition();
+ }
+
private void registerFilterSecurityInterceptor(Element element, ParserContext pc, String accessManagerId,
BeanDefinition fids) {
BeanDefinitionBuilder builder = BeanDefinitionBuilder.rootBeanDefinition(FilterSecurityInterceptor.class);
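Review bot: The `error-page` value read from the child element via `accessDeniedElt.getAttribute("error-page")` in `createAccessDeniedHandler` is never passed through `ConfigUtils.validateHttpRedirect`, whereas the equivalent `access-denied-page` attribute is validated at the top of the same method, so the two ways of setting the handler's `errorPage` property are checked inconsistently; add `ConfigUtils.validateHttpRedirect(errorPage, pc, pc.extractSource(accessDeniedElt));` before the `accessDeniedHandler.addPropertyValue("errorPage", errorPage)` call. The same line uses a string literal for the attribute name while the error message a few lines below uses the `ATT_ACCESS_DENIED_ERROR_PAGE` constant introduced in the earlier hunk, so the name being read and the name being reported can drift apart: `String errorPage = accessDeniedElt.getAttribute(ATT_ACCESS_DENIED_ERROR_PAGE);`. The `"ref"` literal on the following line would benefit from the same treatment, since `ref` is also mentioned in an error message. A short Javadoc on `createAccessDeniedHandler` stating that it returns either a `RuntimeBeanReference` to a user-supplied handler or an `AccessDeniedHandlerImpl` definition, and that conflicting combinations (attribute plus child element, or `error-page` plus `ref`) are reported through `pc.getReaderContext().error(...)`, would make the precedence rules clear to future readers.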
diff --git a/config/src/main/resources/META-INF/spring.schemas b/config/src/main/resources/META-INF/spring.schemas
index 9b0c7c8952..ed3825e016 100644
--- a/config/src/main/resources/META-INF/spring.schemas
+++ b/config/src/main/resources/META-INF/spring.schemas
@@ -1,6 +1,6 @@
-http\://www.springframework.org/schema/security/spring-security.xsd=org/springframework/security/config/spring-security-2.5.xsd
+http\://www.springframework.org/schema/security/spring-security.xsd=org/springframework/security/config/spring-security-3.0.xsd
http\://www.springframework.org/schema/security/spring-security-2.0.xsd=org/springframework/security/config/spring-security-2.0.xsd
http\://www.springframework.org/schema/security/spring-security-2.0.1.xsd=org/springframework/security/config/spring-security-2.0.1.xsd
http\://www.springframework.org/schema/security/spring-security-2.0.2.xsd=org/springframework/security/config/spring-security-2.0.2.xsd
http\://www.springframework.org/schema/security/spring-security-2.0.4.xsd=org/springframework/security/config/spring-security-2.0.4.xsd
-http\://www.springframework.org/schema/security/spring-security-2.5.xsd=org/springframework/security/config/spring-security-2.5.xsd
+http\://www.springframework.org/schema/security/spring-security-3.0.xsd=org/springframework/security/config/spring-security-3.0.xsd
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-2.5.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-2.5.xsd
deleted file mode 100644
index 4a52d45f74..0000000000
--- a/config/src/main/resources/org/springframework/security/config/spring-security-2.5.xsd
+++ /dev/null
@@ -1,1572 +0,0 @@
-
-
-
-
-
- Defines the hashing algorithm used on user passwords. We recommend
- strongly against using MD4, as it is a very weak hashing
- algorithm.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Whether a string should be base64 encoded
-
-
-
-
-
-
-
-
-
-
-
-
- Defines the type of pattern used to specify URL paths (either JDK
- 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if
- unspecified.
-
-
-
-
-
-
-
-
-
-
-
-
- Specifies an IP port number. Used to configure an embedded LDAP
- server, for example.
-
-
-
-
-
-
- Specifies a URL.
-
-
-
-
-
-
- A bean identifier, used for referring to the bean elsewhere in the
- context.
-
-
-
-
-
-
- Defines a reference to a Spring bean Id.
-
-
-
-
-
-
- Defines a reference to a cache for use with a
- UserDetailsService.
-
-
-
-
-
-
- A reference to a user-service (or UserDetailsService bean)
- Id
-
-
-
-
-
-
- A reference to a DataSource bean
-
-
-
-
-
-
- Defines a reference to a Spring bean Id.
-
-
-
-
- Defines the hashing algorithm used on user passwords. We recommend
- strongly against using MD4, as it is a very weak hashing
- algorithm.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Whether a string should be base64 encoded
-
-
-
-
-
-
-
-
-
-
-
-
- A property of the UserDetails object which will be used as salt by a
- password encoder. Typically something like "username" might be used.
-
-
-
-
-
-
-
- A single value that will be used as the salt for a password encoder.
-
-
-
-
-
-
-
-
-
-
-
-
-
- A non-empty string prefix that will be added to role strings loaded
- from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases
- where the default is non-empty.
-
-
-
-
-
-
- Enables the use of expressions in the 'access' attributes in
- <intercept-url> elements rather than the traditional list of
- configuration attributes. Defaults to 'false'. If enabled, each attribute should
- contain a single boolean expression. If the expression evaluates to 'true', access
- will be granted.
-
-
-
-
-
- Defines an LDAP server location or starts an embedded server. The url
- indicates the location of a remote server. If no url is given, an embedded server will
- be started, listening on the supplied port number. The port is optional and defaults to
- 33389. A Spring LDAP ContextSource bean will be registered for the server with the id
- supplied.
-
-
-
-
-
-
-
-
- A bean identifier, used for referring to the bean elsewhere in the
- context.
-
-
-
-
- Specifies a URL.
-
-
-
-
- Specifies an IP port number. Used to configure an embedded LDAP
- server, for example.
-
-
-
-
- Username (DN) of the "manager" user identity which will be used to
- authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be
- used.
-
-
-
-
- The password for the manager DN.
-
-
-
-
- Explicitly specifies an ldif file resource to load into an embedded
- LDAP server
-
-
-
-
- Optional root suffix for the embedded LDAP server. Default is
- "dc=springframework,dc=org"
-
-
-
-
-
-
- The optional server to use. If omitted, and a default LDAP server is
- registered (using <ldap-server> with no Id), that server will be used.
-
-
-
-
-
-
-
- Group search filter. Defaults to (uniqueMember={0}). The substituted
- parameter is the DN of the user.
-
-
-
-
-
-
- Search base for group membership searches. Defaults to "" (searching
- from the root).
-
-
-
-
-
-
- The LDAP filter used to search for users (optional). For example
- "(uid={0})". The substituted parameter is the user's login name.
-
-
-
-
-
-
- Search base for user searches. Defaults to "". Only used with a
- 'user-search-filter'.
-
-
-
-
-
-
- The LDAP attribute name which contains the role name which will be
- used within Spring Security. Defaults to "cn".
-
-
-
-
-
-
- Allows the objectClass of the user entry to be specified. If set, the
- framework will attempt to load standard attributes for the defined class into the
- returned UserDetails object
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- A bean identifier, used for referring to the bean elsewhere in the
- context.
-
-
-
-
- The optional server to use. If omitted, and a default LDAP server is
- registered (using <ldap-server> with no Id), that server will be used.
-
-
-
-
-
- The LDAP filter used to search for users (optional). For example
- "(uid={0})". The substituted parameter is the user's login name.
-
-
-
-
- Search base for user searches. Defaults to "". Only used with a
- 'user-search-filter'.
-
-
-
-
- Group search filter. Defaults to (uniqueMember={0}). The substituted
- parameter is the DN of the user.
-
-
-
-
- Search base for group membership searches. Defaults to "" (searching
- from the root).
-
-
-
-
- The LDAP attribute name which contains the role name which will be
- used within Spring Security. Defaults to "cn".
-
-
-
-
- Defines a reference to a cache for use with a
- UserDetailsService.
-
-
-
-
- A non-empty string prefix that will be added to role strings loaded
- from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases
- where the default is non-empty.
-
-
-
-
- Allows the objectClass of the user entry to be specified. If set, the
- framework will attempt to load standard attributes for the defined class into the
- returned UserDetails object
-
-
-
-
-
-
-
-
-
-
-
- Sets up an ldap authentication provider
-
-
-
-
-
- Specifies that an LDAP provider should use an LDAP compare
- operation of the user's password to authenticate the user
-
-
-
-
-
- element which defines a password encoding strategy.
- Used by an authentication provider to convert submitted passwords to
- hashed versions, for example.
-
-
-
-
-
- Password salting strategy. A system-wide
- constant or a property from the UserDetails object can be
- used.
-
-
-
-
- A property of the UserDetails object
- which will be used as salt by a password encoder.
- Typically something like "username" might be used.
-
-
-
-
-
- A single value that will be used as the
- salt for a password encoder.
-
-
-
-
- Defines a reference to a Spring bean
- Id.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- The optional server to use. If omitted, and a default LDAP server is
- registered (using <ldap-server> with no Id), that server will be used.
-
-
-
-
-
- Search base for user searches. Defaults to "". Only used with a
- 'user-search-filter'.
-
-
-
-
- The LDAP filter used to search for users (optional). For example
- "(uid={0})". The substituted parameter is the user's login name.
-
-
-
-
- Search base for group membership searches. Defaults to "" (searching
- from the root).
-
-
-
-
- Group search filter. Defaults to (uniqueMember={0}). The substituted
- parameter is the DN of the user.
-
-
-
-
- The LDAP attribute name which contains the role name which will be
- used within Spring Security. Defaults to "cn".
-
-
-
-
- A specific pattern used to build the user's DN, for example
- "uid={0},ou=people". The key "{0}" must be present and will be substituted with the
- username.
-
-
-
-
- A non-empty string prefix that will be added to role strings loaded
- from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases
- where the default is non-empty.
-
-
-
-
- Allows the objectClass of the user entry to be specified. If set, the
- framework will attempt to load standard attributes for the defined class into the
- returned UserDetails object
-
-
-
-
-
-
-
-
-
-
-
-
- The attribute in the directory which contains the user password.
- Defaults to "userPassword".
-
-
-
-
- Defines the hashing algorithm used on user passwords. We recommend
- strongly against using MD4, as it is a very weak hashing
- algorithm.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Can be used inside a bean definition to add a security interceptor to the
- bean and set up access configuration attributes for the bean's
- methods
-
-
-
-
-
- Defines a protected method and the access control configuration
- attributes that apply to it. We strongly advise you NOT to mix "protect"
- declarations with any services provided
- "global-method-security".
-
-
-
-
-
-
-
-
-
-
-
-
- Optional AccessDecisionManager bean ID to be used by the created
- method security interceptor.
-
-
-
-
-
-
- A method name
-
-
-
-
- Access configuration attributes list that applies to the method, e.g.
- "ROLE_A,ROLE_B".
-
-
-
-
-
- Provides method security for all beans registered in the Spring
- application context. Specifically, beans will be scanned for matches with the ordered
- list of "protect-pointcut" sub-elements, Spring Security annotations and/or. Where there
- is a match, the beans will automatically be proxied and security authorization applied
- to the methods accordingly. If you use and enable all four sources of method security
- metadata (ie "protect-pointcut" declarations, expression annotations, @Secured and also
- JSR250 security annotations), the metadata sources will be queried in that order. In
- practical terms, this enables you to use XML to override method security metadata
- expressed in annotations. If using annotations, the order of precedence is EL-based
- (@PreAuthorize etc.), @Secured and finally JSR-250.
-
-
-
-
-
-
- Defines a protected pointcut and the access control
- configuration attributes that apply to it. Every bean registered in the Spring
- application context that provides a method that matches the pointcut will
- receive security authorization.
-
-
-
-
-
-
-
-
-
-
-
-
- Specifies whether the use of Spring Security's expression-based
- annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be
- enabled for this application context. Defaults to "disabled".
-
-
-
-
-
-
-
-
-
-
- Specifies whether the use of Spring Security's @Secured annotations
- should be enabled for this application context. Defaults to
- "disabled".
-
-
-
-
-
-
-
-
-
-
- Specifies whether JSR-250 style attributes are to be used (for example
- "RolesAllowed"). This will require the javax.annotation.security classes on the
- classpath. Defaults to "disabled".
-
-
-
-
-
-
-
-
-
-
- Optional AccessDecisionManager bean ID to override the default used
- for method security.
-
-
-
-
-
- Defines the SecurityExpressionHandler instance which will be used if
- expression-based access-control is enabled. A default implementation (with no ACL
- support) will be used if not supplied.
-
-
-
-
-
-
-
- Used to decorate an AfterInvocationProvider to specify that it should be
- used with method security.
-
-
-
-
-
-
- An AspectJ expression, including the 'execution' keyword. For example,
- 'execution(int com.foo.TargetObject.countLength(String))' (without the
- quotes).
-
-
-
-
- Access configuration attributes list that applies to all methods
- matching the pointcut, e.g. "ROLE_A,ROLE_B"
-
-
-
-
-
- Container element for HTTP security configuration
-
-
-
-
-
- Specifies the access attributes and/or filter list for a
- particular set of URLs.
-
-
-
-
-
-
-
- Sets up a form login configuration for authentication with a
- username and password
-
-
-
-
-
-
-
-
- Adds support for X.509 client authentication.
-
-
-
-
-
-
-
- Adds support for basic authentication (this is an element to
- permit future expansion, such as supporting an "ignoreFailure"
- attribute)
-
-
-
-
-
- Incorporates a logout processing filter. Most web applications
- require a logout filter, although you may not require one if you write a
- controller to provider similar logic.
-
-
-
-
-
-
-
- Adds support for concurrent session control, allowing limits to
- be placed on the number of sessions a user can have.
-
-
-
-
-
-
-
- Sets up remember-me authentication. If used with the "key"
- attribute (or no attributes) the cookie-only implementation will be used.
- Specifying "token-repository-ref" or "remember-me-data-source-ref" will use the
- more secure, persisten token approach.
-
-
-
-
-
-
-
- Adds support for automatically granting all anonymous web
- requests a particular principal identity and a corresponding granted
- authority.
-
-
-
-
-
-
-
- Defines the list of mappings between http and https ports for
- use in redirects
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Automatically registers a login form, BASIC authentication, anonymous
- authentication, logout services, remember-me and servlet-api-integration. If set to
- "true", all of these capabilities are added (although you can still customize the
- configuration of each by providing the respective element). If unspecified, defaults
- to "false".
-
-
-
-
- Enables the use of expressions in the 'access' attributes in
- <intercept-url> elements rather than the traditional list of
- configuration attributes. Defaults to 'false'. If enabled, each attribute should
- contain a single boolean expression. If the expression evaluates to 'true', access
- will be granted.
-
-
-
-
- Controls the eagerness with which an HTTP session is created. If not
- set, defaults to "ifRequired". Note that if a custom SecurityContextRepository is set
- using security-context-repository-ref, then the only value which can be set is
- "always". Otherwise the session creation behaviour will be determined by the
- repository bean implementation.
-
-
-
-
-
-
-
-
-
-
-
- A reference to a SecurityContextRepository bean. This can be used to
- customize the way the SecurityContext is stored between requests.
-
-
-
-
- Defines the type of pattern used to specify URL paths (either JDK
- 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if
- unspecified.
-
-
-
-
-
-
-
-
-
-
- Whether test URLs should be converted to lower case prior to comparing
- with defined path patterns. If unspecified, defaults to "true".
-
-
-
-
- Provides versions of HttpServletRequest security methods such as
- isUserInRole() and getPrincipal() which are implemented by accessing the Spring
- SecurityContext. Defaults to "true".
-
-
-
-
- Optional attribute specifying the ID of the AccessDecisionManager
- implementation which should be used for authorizing HTTP requests.
-
-
-
-
- Optional attribute specifying the realm name that will be used for all
- authentication features that require a realm name (eg BASIC and Digest
- authentication). If unspecified, defaults to "Spring Security
- Application".
-
-
-
-
- Indicates whether an existing session should be invalidated when a
- user authenticates and a new session started. If set to "none" no change will be
- made. "newSession" will create a new empty session. "migrateSession" will create a
- new session and copy the session attributes to the new session. Defaults to
- "migrateSession".
-
-
-
-
-
-
-
-
-
-
-
- Allows a customized AuthenticationEntryPoint to be
- used.
-
-
-
-
- Corresponds to the observeOncePerRequest property of
- FilterSecurityInterceptor. Defaults to "true"
-
-
-
-
- Allows the access denied page to be set (the user will be redirected
- here if an AccessDeniedException is raised).
-
-
-
-
-
-
-
-
-
-
-
- The pattern which defines the URL path. The content will depend on the
- type set in the containing http element, so will default to ant path
- syntax.
-
-
-
-
- The access configuration attributes that apply for the configured
- path.
-
-
-
-
- The HTTP Method for which the access configuration attributes should
- apply. If not specified, the attributes will apply to any method.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- The filter list for the path. Currently can be set to "none" to remove
- a path from having any filters applied. The full filter stack (consisting of all
- filters created by the namespace configuration, and any added using 'custom-filter'),
- will be applied to any other paths.
-
-
-
-
-
-
-
-
-
- Used to specify that a URL must be accessed over http or https, or
- that there is no preference.
-
-
-
-
-
-
-
-
-
-
-
-
-
- Specifies the URL that will cause a logout. Spring Security will
- initialize a filter that responds to this particular URL. Defaults to
- /j_spring_security_logout if unspecified.
-
-
-
-
- Specifies the URL to display once the user has logged out. If not
- specified, defaults to /.
-
-
-
-
- Specifies whether a logout also causes HttpSession invalidation, which
- is generally desirable. If unspecified, defaults to true.
-
-
-
-
-
-
- The URL that the login form is posted to. If unspecified, it defaults
- to /j_spring_security_check.
-
-
-
-
- The URL that will be redirected to after successful authentication, if
- the user's previous action could not be resumed. This generally happens if the user
- visits a login page without having first requested a secured operation that triggers
- authentication. If unspecified, defaults to the root of the
- application.
-
-
-
-
- Whether the user should always be redirected to the default-target-url
- after login.
-
-
-
-
- The URL for the login page. If no login URL is specified, Spring
- Security will automatically create a login URL at /spring_security_login and a
- corresponding filter to render that login URL when requested.
-
-
-
-
- The URL for the login failure page. If no login failure URL is
- specified, Spring Security will automatically create a failure login URL at
- /spring_security_login?login_error and a corresponding filter to render that login
- failure URL when requested.
-
-
-
-
- Reference to an AuthenticationSuccessHandler bean which should be used
- to handle a successful authentication request. Should not be used in combination with
- default-target-url (or always-use-default-target-url) as the implementation should
- always deal with navigation to the subsequent destination
-
-
-
-
- Reference to an AuthenticationFailureHandler bean which should be used
- to handle a failed authentication request. Should not be used in combination with
- authentication-failure-url as the implementation should always deal with navigation
- to the subsequent destination
-
-
-
-
-
- Sets up form login for authentication with an Open ID
- identity
-
-
-
-
-
- A reference to a user-service (or UserDetailsService bean)
- Id
-
-
-
-
-
-
- Used to explicitly configure a FilterChainProxy instance with a
- FilterChainMap
-
-
-
-
-
- Used within filter-chain-map to define a specific URL pattern
- and the list of filters which apply to the URLs matching that pattern. When
- multiple filter-chain elements are used within a filter-chain-map element, the
- most specific patterns must be placed at the top of the list, with most general
- ones at the bottom.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Used to explicitly configure a FilterInvocationDefinitionSource bean for
- use with a FilterSecurityInterceptor. Usually only needed if you are configuring a
- FilterChainProxy explicitly, rather than using the <http> element. The
- intercept-url elements used should only contain pattern, method and access attributes.
- Any others will result in a configuration error.
-
-
-
-
-
- Specifies the access attributes and/or filter list for a
- particular set of URLs.
-
-
-
-
-
-
-
-
-
-
-
-
- Enables the use of expressions in the 'access' attributes in
- <intercept-url> elements rather than the traditional list of
- configuration attributes. Defaults to 'false'. If enabled, each attribute should
- contain a single boolean expression. If the expression evaluates to 'true', access
- will be granted.
-
-
-
-
- A bean identifier, used for referring to the bean elsewhere in the
- context.
-
-
-
-
- as for http element
-
-
-
-
- Defines the type of pattern used to specify URL paths (either JDK
- 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if
- unspecified.
-
-
-
-
-
-
-
-
-
-
-
-
- The maximum number of sessions a single user can have open at the same
- time. Defaults to "1".
-
-
-
-
- The URL a user will be redirected to if they attempt to use a session
- which has been "expired" by the concurrent session controller because they have
- logged in again.
-
-
-
-
- Specifies that an exception should be raised when a user attempts to
- login when they already have the maximum configured sessions open. The default
- behaviour is to expire the original session.
-
-
-
-
- Allows you to define an alias for the SessionRegistry bean in order to
- access it in your own configuration
-
-
-
-
- A reference to an external SessionRegistry implementation which will
- be used in place of the standard one.
-
-
-
-
-
-
- The "key" used to identify cookies from a specific token-based
- remember-me application. You should set this to a unique value for your
- application.
-
-
-
-
- Reference to a PersistentTokenRepository bean for use with the
- persistent token remember-me implementation.
-
-
-
-
- A reference to a DataSource bean
-
-
-
-
-
- A reference to a user-service (or UserDetailsService bean)
- Id
-
-
-
-
- The period (in seconds) for which the remember-me cookie should be
- valid. If set to a negative value
-
-
-
-
-
-
- Reference to a PersistentTokenRepository bean for use with the
- persistent token remember-me implementation.
-
-
-
-
-
-
- Allows a custom implementation of RememberMeServices to be used. Note
- that this implementation should return RememberMeAuthenticationToken instances with
- the same "key" value as specified in the remember-me element. Alternatively it should
- register its own AuthenticationProvider.
-
-
-
-
-
-
-
-
-
- The key shared between the provider and filter. This generally does
- not need to be set. If unset, it will default to "doesNotMatter".
-
-
-
-
- The username that should be assigned to the anonymous request. This
- allows the principal to be identified, which may be important for logging and
- auditing. if unset, defaults to "anonymousUser".
-
-
-
-
- The granted authority that should be assigned to the anonymous
- request. Commonly this is used to assign the anonymous request particular roles,
- which can subsequently be used in authorization decisions. If unset, defaults to
- "ROLE_ANONYMOUS".
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- The regular expression used to obtain the username from the
- certificate's subject. Defaults to matching on the common name using the pattern
- "CN=(.*?),".
-
-
-
-
- A reference to a user-service (or UserDetailsService bean)
- Id
-
-
-
-
-
- If you are using namespace configuration with Spring Security, an
- AuthenticationManager will automatically be registered. This element allows you to
- define an alias to allow you to reference the authentication-manager in your own beans.
-
-
-
-
-
-
-
-
-
- The alias you wish to use for the AuthenticationManager
- bean
-
-
-
-
- Allows the session controller to be set on the internal
- AuthenticationManager. This should not be used with the
- <concurrent-session-control /> element
-
-
-
-
-
- Indicates that the contained user-service should be used as an
- authentication source.
-
-
-
-
-
-
- element which defines a password encoding strategy. Used by an
- authentication provider to convert submitted passwords to hashed versions, for
- example.
-
-
-
-
-
- Password salting strategy. A system-wide constant or a
- property from the UserDetails object can be used.
-
-
-
-
- A property of the UserDetails object which will
- be used as salt by a password encoder. Typically something like
- "username" might be used.
-
-
-
-
- A single value that will be used as the salt for
- a password encoder.
-
-
-
-
- Defines a reference to a Spring bean
- Id.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- A reference to a user-service (or UserDetailsService bean)
- Id
-
-
-
-
-
- Element used to decorate an AuthenticationProvider bean to add it to the
- internal AuthenticationManager maintained by the namespace.
-
-
-
-
-
- Creates an in-memory UserDetailsService from a properties file or a list
- of "user" child elements.
-
-
-
-
-
-
-
- A bean identifier, used for referring to the bean elsewhere in the
- context.
-
-
-
-
-
-
-
-
-
-
- Represents a user in the application.
-
-
-
-
-
-
-
-
- The username assigned to the user.
-
-
-
-
- The password assigned to the user. This may be hashed if the
- corresponding authentication provider supports hashing (remember to set the "hash"
- attribute of the "user-service" element).
-
-
-
-
- One of more authorities granted to the user. Separate authorities with
- a comma (but no space). For example,
- "ROLE_USER,ROLE_ADMINISTRATOR"
-
-
-
-
- Can be set to "true" to mark an account as locked and
- unusable.
-
-
-
-
- Can be set to "true" to mark an account as disabled and
- unusable.
-
-
-
-
-
- Causes creation of a JDBC-based UserDetailsService.
-
-
-
-
- A bean identifier, used for referring to the bean elsewhere in the
- context.
-
-
-
-
-
-
-
-
- The bean ID of the DataSource which provides the required
- tables.
-
-
-
-
- Defines a reference to a cache for use with a
- UserDetailsService.
-
-
-
-
- An SQL statement to query a username, password, and enabled status
- given a username
-
-
-
-
- An SQL statement to query for a user's granted authorities given a
- username.
-
-
-
-
- An SQL statement to query user's group authorities given a
- username.
-
-
-
-
- A non-empty string prefix that will be added to role strings loaded
- from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases
- where the default is non-empty.
-
-
-
-
-
-
-
-
-
-
-
- Used to indicate that a filter bean declaration should be incorporated
- into the security filter chain. If neither the 'after' or 'before' options are supplied,
- then the filter must implement the Ordered interface directly.
-
-
-
-
- The filter immediately after which the custom-filter should be
- placed in the chain. This feature will only be needed by advanced users who wish
- to mix their own filters into the security filter chain and have some knowledge of
- the standard Spring Security filters. The filter names map to specific Spring
- Security implementation filters.
-
-
-
-
- The filter immediately before which the custom-filter should be
- placed in the chain
-
-
-
-
- The explicit position at which the custom-filter should be placed
- in the chain. Use if you are replacing a standard filter.
-
-
-
-
-
-
-
- The filter immediately after which the custom-filter should be placed
- in the chain. This feature will only be needed by advanced users who wish to mix
- their own filters into the security filter chain and have some knowledge of the
- standard Spring Security filters. The filter names map to specific Spring Security
- implementation filters.
-
-
-
-
-
-
- The filter immediately before which the custom-filter should be placed
- in the chain
-
-
-
-
-
-
- The explicit position at which the custom-filter should be placed in
- the chain. Use if you are replacing a standard filter.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-2.5.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc
similarity index 97%
rename from config/src/main/resources/org/springframework/security/config/spring-security-2.5.rnc
rename to config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc
index f524dc7284..c2fddd9e4d 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-2.5.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc
@@ -219,7 +219,7 @@ protect-pointcut.attlist &=
http =
## Container element for HTTP security configuration
- element http {http.attlist, (intercept-url+ & form-login? & openid-login & x509? & http-basic? & logout? & concurrent-session-control? & remember-me? & anonymous? & port-mappings) }
+ element http {http.attlist, (intercept-url+ & access-denied-handler? & form-login? & openid-login? & x509? & http-basic? & logout? & concurrent-session-control? & remember-me? & anonymous? & port-mappings) }
http.attlist &=
## Automatically registers a login form, BASIC authentication, anonymous authentication, logout services, remember-me and servlet-api-integration. If set to "true", all of these capabilities are added (although you can still customize the configuration of each by providing the respective element). If unspecified, defaults to "false".
attribute auto-config {boolean}?
@@ -229,7 +229,7 @@ http.attlist &=
## Controls the eagerness with which an HTTP session is created. If not set, defaults to "ifRequired". Note that if a custom SecurityContextRepository is set using security-context-repository-ref, then the only value which can be set is "always". Otherwise the session creation behaviour will be determined by the repository bean implementation.
attribute create-session {"ifRequired" | "always" | "never" }?
http.attlist &=
- ## A reference to a SecurityContextRepository bean. This can be used to customize the way the SecurityContext is stored between requests.
+ ## A reference to a SecurityContextRepository bean. This can be used to customize how the SecurityContext is stored between requests.
attribute security-context-repository-ref {xsd:string}?
http.attlist &=
## The path format used to define the paths in child elements.
@@ -256,12 +256,20 @@ http.attlist &=
## Corresponds to the observeOncePerRequest property of FilterSecurityInterceptor. Defaults to "true"
attribute once-per-request {boolean}?
http.attlist &=
- ## Allows the access denied page to be set (the user will be redirected here if an AccessDeniedException is raised).
+ ## Deprecated in favour of the access-denied-handler element.
attribute access-denied-page {xsd:string}?
http.attlist &=
##
- attribute disable-url-rewriting {boolean}?
+ attribute disable-url-rewriting {boolean}?
+access-denied-handler =
+ ## Defines the access-denied strategy that should be used. An access denied page can be defined or a reference to an AccessDeniedHandler instance.
+ element access-denied-handler {access-denied-handler.attlist, empty}
+access-denied-handler.attlist &= (ref | access-denied-handler-page)
+
+access-denied-handler-page =
+ ## The access denied page that an authenticated user will be redirected to if they request a page which they don't have the authority to access.
+ attribute error-page {xsd:string}
intercept-url =
## Specifies the access attributes and/or filter list for a particular set of URLs.
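Review bot: The deprecation note added for `access-denied-page` does not say how it interacts with the new `access-denied-handler` element, and the parser tests in this commit appear to reject a configuration that uses both, so the grammar comment should state it: `## Deprecated in favour of the access-denied-handler element. Must not be used in combination with it.` The `##` annotation directly above `attribute disable-url-rewriting {boolean}?` is still empty even though that line is touched in this hunk, and the same documentation text is reproduced in the new spring-security-3.0.xsd, so a gap here is carried over there; a one-line description of the attribute's effect is worth adding while the line is being edited. The new `access-denied-handler.attlist &= (ref | access-denied-handler-page)` makes exactly one of `ref` or `error-page` mandatory, which is consistent with the ref/page mutual-exclusion test in the parser tests.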
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd
new file mode 100644
index 0000000000..35f2e1183c
--- /dev/null
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd
@@ -0,0 +1,1590 @@
+
+
+
+
+
+ Defines the hashing algorithm used on user passwords. We recommend
+ strongly against using MD4, as it is a very weak hashing algorithm.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Whether a string should be base64 encoded
+
+
+
+
+
+
+
+
+
+
+
+
+ Defines the type of pattern used to specify URL paths (either JDK
+ 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if
+ unspecified.
+
+
+
+
+
+
+
+
+
+
+
+
+ Specifies an IP port number. Used to configure an embedded LDAP server,
+ for example.
+
+
+
+
+
+
+ Specifies a URL.
+
+
+
+
+
+
+ A bean identifier, used for referring to the bean elsewhere in the
+ context.
+
+
+
+
+
+
+ Defines a reference to a Spring bean Id.
+
+
+
+
+
+
+ Defines a reference to a cache for use with a
+ UserDetailsService.
+
+
+
+
+
+
+ A reference to a user-service (or UserDetailsService bean)
+ Id
+
+
+
+
+
+
+ A reference to a DataSource bean
+
+
+
+
+
+
+ Defines a reference to a Spring bean Id.
+
+
+
+
+ Defines the hashing algorithm used on user passwords. We recommend
+ strongly against using MD4, as it is a very weak hashing algorithm.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Whether a string should be base64 encoded
+
+
+
+
+
+
+
+
+
+
+
+
+ A property of the UserDetails object which will be used as salt by a
+ password encoder. Typically something like "username" might be used.
+
+
+
+
+
+
+ A single value that will be used as the salt for a password encoder.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ A non-empty string prefix that will be added to role strings loaded from
+ persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the
+ default is non-empty.
+
+
+
+
+
+
+ Enables the use of expressions in the 'access' attributes in
+ <intercept-url> elements rather than the traditional list of configuration
+ attributes. Defaults to 'false'. If enabled, each attribute should contain a single
+ boolean expression. If the expression evaluates to 'true', access will be granted.
+
+
+
+
+
+
+ Defines an LDAP server location or starts an embedded server. The url
+ indicates the location of a remote server. If no url is given, an embedded server will be
+ started, listening on the supplied port number. The port is optional and defaults to 33389.
+ A Spring LDAP ContextSource bean will be registered for the server with the id supplied.
+
+
+
+
+
+
+
+
+
+ A bean identifier, used for referring to the bean elsewhere in the
+ context.
+
+
+
+
+ Specifies a URL.
+
+
+
+
+ Specifies an IP port number. Used to configure an embedded LDAP server,
+ for example.
+
+
+
+
+ Username (DN) of the "manager" user identity which will be used to
+ authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be used.
+
+
+
+
+
+ The password for the manager DN.
+
+
+
+
+ Explicitly specifies an ldif file resource to load into an embedded LDAP
+ server
+
+
+
+
+ Optional root suffix for the embedded LDAP server. Default is
+ "dc=springframework,dc=org"
+
+
+
+
+
+
+ The optional server to use. If omitted, and a default LDAP server is
+ registered (using <ldap-server> with no Id), that server will be used.
+
+
+
+
+
+
+
+ Group search filter. Defaults to (uniqueMember={0}). The substituted
+ parameter is the DN of the user.
+
+
+
+
+
+
+ Search base for group membership searches. Defaults to "" (searching from
+ the root).
+
+
+
+
+
+
+ The LDAP filter used to search for users (optional). For example
+ "(uid={0})". The substituted parameter is the user's login name.
+
+
+
+
+
+
+ Search base for user searches. Defaults to "". Only used with a
+ 'user-search-filter'.
+
+
+
+
+
+
+ The LDAP attribute name which contains the role name which will be used
+ within Spring Security. Defaults to "cn".
+
+
+
+
+
+
+ Allows the objectClass of the user entry to be specified. If set, the
+ framework will attempt to load standard attributes for the defined class into the returned
+ UserDetails object
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ A bean identifier, used for referring to the bean elsewhere in the
+ context.
+
+
+
+
+ The optional server to use. If omitted, and a default LDAP server is
+ registered (using <ldap-server> with no Id), that server will be used.
+
+
+
+
+
+ The LDAP filter used to search for users (optional). For example
+ "(uid={0})". The substituted parameter is the user's login name.
+
+
+
+
+ Search base for user searches. Defaults to "". Only used with a
+ 'user-search-filter'.
+
+
+
+
+ Group search filter. Defaults to (uniqueMember={0}). The substituted
+ parameter is the DN of the user.
+
+
+
+
+ Search base for group membership searches. Defaults to "" (searching from
+ the root).
+
+
+
+
+ The LDAP attribute name which contains the role name which will be used
+ within Spring Security. Defaults to "cn".
+
+
+
+
+ Defines a reference to a cache for use with a
+ UserDetailsService.
+
+
+
+
+ A non-empty string prefix that will be added to role strings loaded from
+ persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the
+ default is non-empty.
+
+
+
+
+ Allows the objectClass of the user entry to be specified. If set, the
+ framework will attempt to load standard attributes for the defined class into the returned
+ UserDetails object
+
+
+
+
+
+
+
+
+
+
+
+ Sets up an ldap authentication provider
+
+
+
+
+
+ Specifies that an LDAP provider should use an LDAP compare operation
+ of the user's password to authenticate the user
+
+
+
+
+
+ element which defines a password encoding strategy. Used by an
+ authentication provider to convert submitted passwords to hashed versions, for
+ example.
+
+
+
+
+
+ Password salting strategy. A system-wide constant or a
+ property from the UserDetails object can be used.
+
+
+
+
+ A property of the UserDetails object which will be
+ used as salt by a password encoder. Typically something like
+ "username" might be used.
+
+
+
+
+ A single value that will be used as the salt for a
+ password encoder.
+
+
+
+
+ Defines a reference to a Spring bean
+ Id.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The optional server to use. If omitted, and a default LDAP server is
+ registered (using <ldap-server> with no Id), that server will be used.
+
+
+
+
+
+ Search base for user searches. Defaults to "". Only used with a
+ 'user-search-filter'.
+
+
+
+
+ The LDAP filter used to search for users (optional). For example
+ "(uid={0})". The substituted parameter is the user's login name.
+
+
+
+
+ Search base for group membership searches. Defaults to "" (searching from
+ the root).
+
+
+
+
+ Group search filter. Defaults to (uniqueMember={0}). The substituted
+ parameter is the DN of the user.
+
+
+
+
+ The LDAP attribute name which contains the role name which will be used
+ within Spring Security. Defaults to "cn".
+
+
+
+
+ A specific pattern used to build the user's DN, for example
+ "uid={0},ou=people". The key "{0}" must be present and will be substituted with the
+ username.
+
+
+
+
+ A non-empty string prefix that will be added to role strings loaded from
+ persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the
+ default is non-empty.
+
+
+
+
+ Allows the objectClass of the user entry to be specified. If set, the
+ framework will attempt to load standard attributes for the defined class into the returned
+ UserDetails object
+
+
+
+
+
+
+
+
+
+
+
+
+ The attribute in the directory which contains the user password. Defaults
+ to "userPassword".
+
+
+
+
+ Defines the hashing algorithm used on user passwords. We recommend
+ strongly against using MD4, as it is a very weak hashing algorithm.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Can be used inside a bean definition to add a security interceptor to the
+ bean and set up access configuration attributes for the bean's methods
+
+
+
+
+
+ Defines a protected method and the access control configuration
+ attributes that apply to it. We strongly advise you NOT to mix "protect" declarations
+ with any services provided "global-method-security".
+
+
+
+
+
+
+
+
+
+
+
+
+ Optional AccessDecisionManager bean ID to be used by the created method
+ security interceptor.
+
+
+
+
+
+
+ A method name
+
+
+
+
+ Access configuration attributes list that applies to the method, e.g.
+ "ROLE_A,ROLE_B".
+
+
+
+
+
+ Provides method security for all beans registered in the Spring application
+ context. Specifically, beans will be scanned for matches with the ordered list of
+ "protect-pointcut" sub-elements, Spring Security annotations and/or. Where there is a match,
+ the beans will automatically be proxied and security authorization applied to the methods
+ accordingly. If you use and enable all four sources of method security metadata (ie
+ "protect-pointcut" declarations, expression annotations, @Secured and also JSR250 security
+ annotations), the metadata sources will be queried in that order. In practical terms, this
+ enables you to use XML to override method security metadata expressed in annotations. If
+ using annotations, the order of precedence is EL-based (@PreAuthorize etc.), @Secured and
+ finally JSR-250.
+
+
+
+
+
+
+ Defines a protected pointcut and the access control configuration
+ attributes that apply to it. Every bean registered in the Spring application context
+ that provides a method that matches the pointcut will receive security
+ authorization.
+
+
+
+
+
+
+
+
+
+
+
+
+ Specifies whether the use of Spring Security's expression-based
+ annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be enabled for
+ this application context. Defaults to "disabled".
+
+
+
+
+
+
+
+
+
+
+ Specifies whether the use of Spring Security's @Secured annotations should
+ be enabled for this application context. Defaults to "disabled".
+
+
+
+
+
+
+
+
+
+
+ Specifies whether JSR-250 style attributes are to be used (for example
+ "RolesAllowed"). This will require the javax.annotation.security classes on the classpath.
+ Defaults to "disabled".
+
+
+
+
+
+
+
+
+
+
+ Optional AccessDecisionManager bean ID to override the default used for
+ method security.
+
+
+
+
+
+ Defines the SecurityExpressionHandler instance which will be used if
+ expression-based access-control is enabled. A default implementation (with no ACL support)
+ will be used if not supplied.
+
+
+
+
+
+
+
+ Used to decorate an AfterInvocationProvider to specify that it should be
+ used with method security.
+
+
+
+
+
+
+ An AspectJ expression, including the 'execution' keyword. For example,
+ 'execution(int com.foo.TargetObject.countLength(String))' (without the
+ quotes).
+
+
+
+
+ Access configuration attributes list that applies to all methods matching
+ the pointcut, e.g. "ROLE_A,ROLE_B"
+
+
+
+
+
+ Container element for HTTP security configuration
+
+
+
+
+
+ Specifies the access attributes and/or filter list for a particular
+ set of URLs.
+
+
+
+
+
+
+
+ Defines the access-denied strategy that should be used. An access
+ denied page can be defined or a reference to an AccessDeniedHandler instance.
+
+
+
+
+
+
+
+
+ Sets up a form login configuration for authentication with a username
+ and password
+
+
+
+
+
+
+
+
+ Adds support for X.509 client authentication.
+
+
+
+
+
+
+
+ Adds support for basic authentication (this is an element to permit
+ future expansion, such as supporting an "ignoreFailure" attribute)
+
+
+
+
+
+ Incorporates a logout processing filter. Most web applications require
+ a logout filter, although you may not require one if you write a controller to
+ provider similar logic.
+
+
+
+
+
+
+
+ Adds support for concurrent session control, allowing limits to be
+ placed on the number of sessions a user can have.
+
+
+
+
+
+
+
+ Sets up remember-me authentication. If used with the "key" attribute
+ (or no attributes) the cookie-only implementation will be used. Specifying
+ "token-repository-ref" or "remember-me-data-source-ref" will use the more secure,
+ persisten token approach.
+
+
+
+
+
+
+
+ Adds support for automatically granting all anonymous web requests a
+ particular principal identity and a corresponding granted
+ authority.
+
+
+
+
+
+
+
+ Defines the list of mappings between http and https ports for use in
+ redirects
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Automatically registers a login form, BASIC authentication, anonymous
+ authentication, logout services, remember-me and servlet-api-integration. If set to
+ "true", all of these capabilities are added (although you can still customize the
+ configuration of each by providing the respective element). If unspecified, defaults to
+ "false".
+
+
+
+
+ Enables the use of expressions in the 'access' attributes in
+ <intercept-url> elements rather than the traditional list of configuration
+ attributes. Defaults to 'false'. If enabled, each attribute should contain a single
+ boolean expression. If the expression evaluates to 'true', access will be granted.
+
+
+
+
+
+ Controls the eagerness with which an HTTP session is created. If not set,
+ defaults to "ifRequired". Note that if a custom SecurityContextRepository is set using
+ security-context-repository-ref, then the only value which can be set is "always".
+ Otherwise the session creation behaviour will be determined by the repository bean
+ implementation.
+
+
+
+
+
+
+
+
+
+
+
+ A reference to a SecurityContextRepository bean. This can be used to
+ customize how the SecurityContext is stored between requests.
+
+
+
+
+ Defines the type of pattern used to specify URL paths (either JDK
+ 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if
+ unspecified.
+
+
+
+
+
+
+
+
+
+
+ Whether test URLs should be converted to lower case prior to comparing
+ with defined path patterns. If unspecified, defaults to "true".
+
+
+
+
+ Provides versions of HttpServletRequest security methods such as
+ isUserInRole() and getPrincipal() which are implemented by accessing the Spring
+ SecurityContext. Defaults to "true".
+
+
+
+
+ Optional attribute specifying the ID of the AccessDecisionManager
+ implementation which should be used for authorizing HTTP requests.
+
+
+
+
+ Optional attribute specifying the realm name that will be used for all
+ authentication features that require a realm name (eg BASIC and Digest authentication). If
+ unspecified, defaults to "Spring Security Application".
+
+
+
+
+ Indicates whether an existing session should be invalidated when a user
+ authenticates and a new session started. If set to "none" no change will be made.
+ "newSession" will create a new empty session. "migrateSession" will create a new session
+ and copy the session attributes to the new session. Defaults to
+ "migrateSession".
+
+
+
+
+
+
+
+
+
+
+
+ Allows a customized AuthenticationEntryPoint to be
+ used.
+
+
+
+
+ Corresponds to the observeOncePerRequest property of
+ FilterSecurityInterceptor. Defaults to "true"
+
+
+
+
+ Deprecated in favour of the access-denied-handler
+ element.
+
+
+
+
+
+
+
+
+
+
+
+ Defines a reference to a Spring bean Id.
+
+
+
+
+ The access denied page that an authenticated user will be redirected to if
+ they request a page which they don't have the authority to access.
+
+
+
+
+
+
+ The access denied page that an authenticated user will be redirected to if
+ they request a page which they don't have the authority to access.
+
+
+
+
+
+
+ The pattern which defines the URL path. The content will depend on the
+ type set in the containing http element, so will default to ant path
+ syntax.
+
+
+
+
+ The access configuration attributes that apply for the configured
+ path.
+
+
+
+
+ The HTTP Method for which the access configuration attributes should
+ apply. If not specified, the attributes will apply to any method.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The filter list for the path. Currently can be set to "none" to remove a
+ path from having any filters applied. The full filter stack (consisting of all filters
+ created by the namespace configuration, and any added using 'custom-filter'), will be
+ applied to any other paths.
+
+
+
+
+
+
+
+
+
+ Used to specify that a URL must be accessed over http or https, or that
+ there is no preference.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Specifies the URL that will cause a logout. Spring Security will
+ initialize a filter that responds to this particular URL. Defaults to
+ /j_spring_security_logout if unspecified.
+
+
+
+
+ Specifies the URL to display once the user has logged out. If not
+ specified, defaults to /.
+
+
+
+
+ Specifies whether a logout also causes HttpSession invalidation, which is
+ generally desirable. If unspecified, defaults to true.
+
+
+
+
+
+
+ The URL that the login form is posted to. If unspecified, it defaults to
+ /j_spring_security_check.
+
+
+
+
+ The URL that will be redirected to after successful authentication, if the
+ user's previous action could not be resumed. This generally happens if the user visits a
+ login page without having first requested a secured operation that triggers
+ authentication. If unspecified, defaults to the root of the
+ application.
+
+
+
+
+ Whether the user should always be redirected to the default-target-url
+ after login.
+
+
+
+
+ The URL for the login page. If no login URL is specified, Spring Security
+ will automatically create a login URL at /spring_security_login and a corresponding filter
+ to render that login URL when requested.
+
+
+
+
+ The URL for the login failure page. If no login failure URL is specified,
+ Spring Security will automatically create a failure login URL at
+ /spring_security_login?login_error and a corresponding filter to render that login failure
+ URL when requested.
+
+
+
+
+ Reference to an AuthenticationSuccessHandler bean which should be used to
+ handle a successful authentication request. Should not be used in combination with
+ default-target-url (or always-use-default-target-url) as the implementation should always
+ deal with navigation to the subsequent destination
+
+
+
+
+ Reference to an AuthenticationFailureHandler bean which should be used to
+ handle a failed authentication request. Should not be used in combination with
+ authentication-failure-url as the implementation should always deal with navigation to the
+ subsequent destination
+
+
+
+
+
+ Sets up form login for authentication with an Open ID
+ identity
+
+
+
+
+
+ A reference to a user-service (or UserDetailsService bean)
+ Id
+
+
+
+
+
+
+ Used to explicitly configure a FilterChainProxy instance with a
+ FilterChainMap
+
+
+
+
+
+ Used within filter-chain-map to define a specific URL pattern and the
+ list of filters which apply to the URLs matching that pattern. When multiple
+ filter-chain elements are used within a filter-chain-map element, the most specific
+ patterns must be placed at the top of the list, with most general ones at the
+ bottom.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Used to explicitly configure a FilterInvocationDefinitionSource bean for use
+ with a FilterSecurityInterceptor. Usually only needed if you are configuring a
+ FilterChainProxy explicitly, rather than using the <http> element. The
+ intercept-url elements used should only contain pattern, method and access attributes. Any
+ others will result in a configuration error.
+
+
+
+
+
+ Specifies the access attributes and/or filter list for a particular
+ set of URLs.
+
+
+
+
+
+
+
+
+
+
+
+
+ Enables the use of expressions in the 'access' attributes in
+ <intercept-url> elements rather than the traditional list of configuration
+ attributes. Defaults to 'false'. If enabled, each attribute should contain a single
+ boolean expression. If the expression evaluates to 'true', access will be granted.
+
+
+
+
+
+ A bean identifier, used for referring to the bean elsewhere in the
+ context.
+
+
+
+
+ as for http element
+
+
+
+
+ Defines the type of pattern used to specify URL paths (either JDK
+ 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if
+ unspecified.
+
+
+
+
+
+
+
+
+
+
+
+
+ The maximum number of sessions a single user can have open at the same
+ time. Defaults to "1".
+
+
+
+
+ The URL a user will be redirected to if they attempt to use a session
+ which has been "expired" by the concurrent session controller because they have logged in
+ again.
+
+
+
+
+ Specifies that an exception should be raised when a user attempts to login
+ when they already have the maximum configured sessions open. The default behaviour is to
+ expire the original session.
+
+
+
+
+ Allows you to define an alias for the SessionRegistry bean in order to
+ access it in your own configuration
+
+
+
+
+ A reference to an external SessionRegistry implementation which will be
+ used in place of the standard one.
+
+
+
+
+
+
+ The "key" used to identify cookies from a specific token-based remember-me
+ application. You should set this to a unique value for your
+ application.
+
+
+
+
+ Reference to a PersistentTokenRepository bean for use with the persistent
+ token remember-me implementation.
+
+
+
+
+ A reference to a DataSource bean
+
+
+
+
+
+ A reference to a user-service (or UserDetailsService bean)
+ Id
+
+
+
+
+ The period (in seconds) for which the remember-me cookie should be valid.
+ If set to a negative value
+
+
+
+
+
+
+ Reference to a PersistentTokenRepository bean for use with the persistent
+ token remember-me implementation.
+
+
+
+
+
+
+ Allows a custom implementation of RememberMeServices to be used. Note that
+ this implementation should return RememberMeAuthenticationToken instances with the same
+ "key" value as specified in the remember-me element. Alternatively it should register its
+ own AuthenticationProvider.
+
+
+
+
+
+
+
+
+
+ The key shared between the provider and filter. This generally does not
+ need to be set. If unset, it will default to "doesNotMatter".
+
+
+
+
+ The username that should be assigned to the anonymous request. This allows
+ the principal to be identified, which may be important for logging and auditing. if unset,
+ defaults to "anonymousUser".
+
+
+
+
+ The granted authority that should be assigned to the anonymous request.
+ Commonly this is used to assign the anonymous request particular roles, which can
+ subsequently be used in authorization decisions. If unset, defaults to
+ "ROLE_ANONYMOUS".
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The regular expression used to obtain the username from the certificate's
+ subject. Defaults to matching on the common name using the pattern
+ "CN=(.*?),".
+
+
+
+
+ A reference to a user-service (or UserDetailsService bean)
+ Id
+
+
+
+
+
+ If you are using namespace configuration with Spring Security, an
+ AuthenticationManager will automatically be registered. This element allows you to define an
+ alias to allow you to reference the authentication-manager in your own beans.
+
+
+
+
+
+
+
+
+
+ The alias you wish to use for the AuthenticationManager
+ bean
+
+
+
+
+ Allows the session controller to be set on the internal
+ AuthenticationManager. This should not be used with the <concurrent-session-control
+ /> element
+
+
+
+
+
+ Indicates that the contained user-service should be used as an
+ authentication source.
+
+
+
+
+
+
+ element which defines a password encoding strategy. Used by an
+ authentication provider to convert submitted passwords to hashed versions, for
+ example.
+
+
+
+
+
+ Password salting strategy. A system-wide constant or a property
+ from the UserDetails object can be used.
+
+
+
+
+ A property of the UserDetails object which will be used as
+ salt by a password encoder. Typically something like "username" might be
+ used.
+
+
+
+
+ A single value that will be used as the salt for a password
+ encoder.
+
+
+
+
+ Defines a reference to a Spring bean Id.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ A reference to a user-service (or UserDetailsService bean)
+ Id
+
+
+
+
+
+ Element used to decorate an AuthenticationProvider bean to add it to the
+ internal AuthenticationManager maintained by the namespace.
+
+
+
+
+
+ Creates an in-memory UserDetailsService from a properties file or a list of
+ "user" child elements.
+
+
+
+
+
+
+
+ A bean identifier, used for referring to the bean elsewhere in the
+ context.
+
+
+
+
+
+
+
+
+
+
+ Represents a user in the application.
+
+
+
+
+
+
+
+
+ The username assigned to the user.
+
+
+
+
+ The password assigned to the user. This may be hashed if the corresponding
+ authentication provider supports hashing (remember to set the "hash" attribute of the
+ "user-service" element).
+
+
+
+
+ One of more authorities granted to the user. Separate authorities with a
+ comma (but no space). For example, "ROLE_USER,ROLE_ADMINISTRATOR"
+
+
+
+
+ Can be set to "true" to mark an account as locked and
+ unusable.
+
+
+
+
+ Can be set to "true" to mark an account as disabled and
+ unusable.
+
+
+
+
+
+ Causes creation of a JDBC-based UserDetailsService.
+
+
+
+
+ A bean identifier, used for referring to the bean elsewhere in the
+ context.
+
+
+
+
+
+
+
+
+ The bean ID of the DataSource which provides the required
+ tables.
+
+
+
+
+ Defines a reference to a cache for use with a
+ UserDetailsService.
+
+
+
+
+ An SQL statement to query a username, password, and enabled status given a
+ username
+
+
+
+
+ An SQL statement to query for a user's granted authorities given a
+ username.
+
+
+
+
+ An SQL statement to query user's group authorities given a
+ username.
+
+
+
+
+ A non-empty string prefix that will be added to role strings loaded from
+ persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the
+ default is non-empty.
+
+
+
+
+
+
+
+
+
+
+
+ Used to indicate that a filter bean declaration should be incorporated into
+ the security filter chain. If neither the 'after' or 'before' options are supplied, then the
+ filter must implement the Ordered interface directly.
+
+
+
+
+ The filter immediately after which the custom-filter should be placed in
+ the chain. This feature will only be needed by advanced users who wish to mix their own
+ filters into the security filter chain and have some knowledge of the standard Spring
+ Security filters. The filter names map to specific Spring Security implementation
+ filters.
+
+
+
+
+ The filter immediately before which the custom-filter should be placed
+ in the chain
+
+
+
+
+ The explicit position at which the custom-filter should be placed in the
+ chain. Use if you are replacing a standard filter.
+
+
+
+
+
+
+
+ The filter immediately after which the custom-filter should be placed in
+ the chain. This feature will only be needed by advanced users who wish to mix their own
+ filters into the security filter chain and have some knowledge of the standard Spring
+ Security filters. The filter names map to specific Spring Security implementation filters.
+
+
+
+
+
+
+
+ The filter immediately before which the custom-filter should be placed in
+ the chain
+
+
+
+
+
+
+ The explicit position at which the custom-filter should be placed in the
+ chain. Use if you are replacing a standard filter.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security.xsl b/config/src/main/resources/org/springframework/security/config/spring-security.xsl
index 90759153a8..fa87e2e563 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security.xsl
+++ b/config/src/main/resources/org/springframework/security/config/spring-security.xsl
@@ -10,7 +10,7 @@
- ,anonymous,concurrent-session-control,filter-chain,form-login,http-basic,intercept-url,logout,password-encoder,port-mappings,port-mapper,password-compare,protect,protect-pointcut,remember-me,salt-source,x509,
+ ,access-denied-handler,anonymous,concurrent-session-control,filter-chain,form-login,http-basic,intercept-url,logout,password-encoder,port-mappings,port-mapper,password-compare,protect,protect-pointcut,remember-me,salt-source,x509,
diff --git a/config/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
index 556187abf2..443e85c322 100644
--- a/config/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
@@ -33,6 +33,7 @@ import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.openid.OpenIDAuthenticationProcessingFilter;
import org.springframework.security.openid.OpenIDAuthenticationProvider;
import org.springframework.security.util.FieldUtils;
+import org.springframework.security.web.AccessDeniedHandlerImpl;
import org.springframework.security.web.ExceptionTranslationFilter;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.FilterInvocation;
@@ -351,6 +352,49 @@ public class HttpSecurityBeanDefinitionParserTests {
assertEquals("/go-away", FieldUtils.getFieldValue(filter, "accessDeniedHandler.errorPage"));
}
+ @Test
+ public void accessDeniedHandlerPageIsSetCorectly() throws Exception {
+ setContext(
+ " " +
+ " " +
+ " " + AUTH_PROVIDER_XML);
+ ExceptionTranslationFilter filter = (ExceptionTranslationFilter) appContext.getBean(BeanIds.EXCEPTION_TRANSLATION_FILTER);
+ assertEquals("/go-away", FieldUtils.getFieldValue(filter, "accessDeniedHandler.errorPage"));
+ }
+
+ @Test
+ public void accessDeniedHandlerIsSetCorectly() throws Exception {
+ setContext(
+ " " +
+ " " +
+ " " +
+ " " + AUTH_PROVIDER_XML);
+ ExceptionTranslationFilter filter = (ExceptionTranslationFilter) appContext.getBean(BeanIds.EXCEPTION_TRANSLATION_FILTER);
+ AccessDeniedHandlerImpl adh = (AccessDeniedHandlerImpl) appContext.getBean("adh");
+ assertSame(adh, FieldUtils.getFieldValue(filter, "accessDeniedHandler"));
+ }
+
+ @Test(expected=BeanDefinitionParsingException.class)
+ public void accessDeniedHandlerAndAccessDeniedHandlerAreMutuallyExclusive() throws Exception {
+ setContext(
+ " " +
+ " " +
+ " " + AUTH_PROVIDER_XML);
+ ExceptionTranslationFilter filter = (ExceptionTranslationFilter) appContext.getBean(BeanIds.EXCEPTION_TRANSLATION_FILTER);
+ assertEquals("/go-away", FieldUtils.getFieldValue(filter, "accessDeniedHandler.errorPage"));
+ }
+
+ @Test(expected=BeanDefinitionParsingException.class)
+ public void accessDeniedHandlerPageAndRefAreMutuallyExclusive() throws Exception {
+ setContext(
+ " " +
+ " " +
+ " " +
+ " " + AUTH_PROVIDER_XML);
+ ExceptionTranslationFilter filter = (ExceptionTranslationFilter) appContext.getBean(BeanIds.EXCEPTION_TRANSLATION_FILTER);
+ assertEquals("/go-away", FieldUtils.getFieldValue(filter, "accessDeniedHandler.errorPage"));
+ }
+
@Test
public void externalFiltersAreTreatedCorrectly() throws Exception {
// Decorated user-filters should be added to stack. The others should be ignored.
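Review bot: The statements after setContext(...) in accessDeniedHandlerAndAccessDeniedHandlerAreMutuallyExclusive and accessDeniedHandlerPageAndRefAreMutuallyExclusive are unreachable whenever the test passes, because each method is declared `@Test(expected=BeanDefinitionParsingException.class)` and setContext is the call expected to throw; if parsing ever stops rejecting the combination, the test fails on the expectation, and the trailing `assertEquals("/go-away", ...)` never acts as a check, so it only suggests a verification that does not happen. I would drop the `ExceptionTranslationFilter filter = ...` and `assertEquals(...)` lines from both methods and leave the setContext call as the sole statement, so the intent (the context must fail to build) is unambiguous. The first of those names repeats "accessDeniedHandler" twice and presumably meant to contrast access-denied-page with access-denied-handler; "Corectly" in the two positive test names is misspelled. The XML markup inside the setContext strings is not visible in this rendering, so I cannot confirm which attribute combinations each case exercises.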
diff --git a/config/src/test/java/org/springframework/security/config/util/InMemoryXmlApplicationContext.java b/config/src/test/java/org/springframework/security/config/util/InMemoryXmlApplicationContext.java
index 67e20db828..5d2665d7e3 100644
--- a/config/src/test/java/org/springframework/security/config/util/InMemoryXmlApplicationContext.java
+++ b/config/src/test/java/org/springframework/security/config/util/InMemoryXmlApplicationContext.java
@@ -16,7 +16,7 @@ public class InMemoryXmlApplicationContext extends AbstractXmlApplicationContext
" xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'\n" +
" xsi:schemaLocation='http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd\n" +
"http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.5.xsd\n" +
- "http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.5.xsd'>\n";
+ "http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd'>\n";
private static final String BEANS_CLOSE = "\n";
Resource inMemoryXml;