From 90b849c271018252705e53c7cc62c8dd165d53eb Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Thu, 30 Apr 2009 05:46:55 +0000
Subject: [PATCH] SEC-1100: Added support for element which can take a ref or an error-page attribute.
---
 .../security/config/Elements.java | 1 +
 .../HttpSecurityBeanDefinitionParser.java | 49 +-
 .../main/resources/META-INF/spring.schemas | 4 +-
 .../security/config/spring-security-2.5.xsd | 1572 ----------------
 ...curity-2.5.rnc => spring-security-3.0.rnc} | 16 +-
 .../security/config/spring-security-3.0.xsd | 1590 +++++++++++++++++
 .../security/config/spring-security.xsl | 2 +-
 ...HttpSecurityBeanDefinitionParserTests.java | 44 +
 .../util/InMemoryXmlApplicationContext.java | 2 +-
 9 files changed, 1691 insertions(+), 1589 deletions(-)
 delete mode 100644 config/src/main/resources/org/springframework/security/config/spring-security-2.5.xsd
 rename config/src/main/resources/org/springframework/security/config/{spring-security-2.5.rnc => spring-security-3.0.rnc} (97%)
 create mode 100644 config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd
diff --git a/config/src/main/java/org/springframework/security/config/Elements.java b/config/src/main/java/org/springframework/security/config/Elements.java
index 55b25d43a2..4dfc3aefb3 100644
--- a/config/src/main/java/org/springframework/security/config/Elements.java
+++ b/config/src/main/java/org/springframework/security/config/Elements.java
@@ -8,6 +8,7 @@ package org.springframework.security.config;
 */
 public abstract class Elements {
+ public static final String ACCESS_DENIED_HANDLER = "access-denied-handler";
 public static final String AUTHENTICATION_MANAGER = "authentication-manager";
 public static final String USER_SERVICE = "user-service";
 public static final String JDBC_USER_SERVICE = "jdbc-user-service";
diff --git a/config/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
index 6db7da1101..9f7518bd65 100644
--- a/config/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
@@ -8,6 +8,7 @@ import java.util.Map;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.springframework.beans.BeanMetadataElement;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.beans.factory.config.RuntimeBeanReference;
 import org.springframework.beans.factory.support.BeanDefinitionBuilder;
@@ -99,6 +100,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
 private static final String ATT_ENTRY_POINT_REF = "entry-point-ref";
 private static final String ATT_ONCE_PER_REQUEST = "once-per-request";
 private static final String ATT_ACCESS_DENIED_PAGE = "access-denied-page";
+ private static final String ATT_ACCESS_DENIED_ERROR_PAGE = "error-page";
 private static final String ATT_USE_EXPRESSIONS = "use-expressions";
@@ -336,22 +338,51 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
 }
 private void registerExceptionTranslationFilter(Element element, ParserContext pc, boolean allowSessionCreation) {
- String accessDeniedPage = element.getAttribute(ATT_ACCESS_DENIED_PAGE);
- ConfigUtils.validateHttpRedirect(accessDeniedPage, pc, pc.extractSource(element));
 BeanDefinitionBuilder exceptionTranslationFilterBuilder = BeanDefinitionBuilder.rootBeanDefinition(ExceptionTranslationFilter.class);
- exceptionTranslationFilterBuilder.addPropertyValue("createSessionAllowed", new Boolean(allowSessionCreation));
-
- if (StringUtils.hasText(accessDeniedPage)) {
- BeanDefinition accessDeniedHandler = new RootBeanDefinition(AccessDeniedHandlerImpl.class);
- accessDeniedHandler.getPropertyValues().addPropertyValue("errorPage", accessDeniedPage);
- exceptionTranslationFilterBuilder.addPropertyValue("accessDeniedHandler", accessDeniedHandler);
- }
+ exceptionTranslationFilterBuilder.addPropertyValue("createSessionAllowed", Boolean.valueOf(allowSessionCreation));
+ exceptionTranslationFilterBuilder.addPropertyValue("accessDeniedHandler", createAccessDeniedHandler(element, pc));
 pc.getRegistry().registerBeanDefinition(BeanIds.EXCEPTION_TRANSLATION_FILTER, exceptionTranslationFilterBuilder.getBeanDefinition());
 ConfigUtils.addHttpFilter(pc, new RuntimeBeanReference(BeanIds.EXCEPTION_TRANSLATION_FILTER));
 }
+ private BeanMetadataElement createAccessDeniedHandler(Element element, ParserContext pc) {
+ String accessDeniedPage = element.getAttribute(ATT_ACCESS_DENIED_PAGE);
+ ConfigUtils.validateHttpRedirect(accessDeniedPage, pc, pc.extractSource(element));
+ Element accessDeniedElt = DomUtils.getChildElementByTagName(element, Elements.ACCESS_DENIED_HANDLER);
+ BeanDefinitionBuilder accessDeniedHandler = BeanDefinitionBuilder.rootBeanDefinition(AccessDeniedHandlerImpl.class);
+
+ if (StringUtils.hasText(accessDeniedPage)) {
+ if (accessDeniedElt != null) {
+ pc.getReaderContext().error("The attribute " + ATT_ACCESS_DENIED_PAGE +
+ " cannot be used with <" + Elements.ACCESS_DENIED_HANDLER + ">", pc.extractSource(accessDeniedElt));
+ }
+
+ accessDeniedHandler.addPropertyValue("errorPage", accessDeniedPage);
+ }
+
+ if (accessDeniedElt != null) {
+ String errorPage = accessDeniedElt.getAttribute("error-page");
+ String ref = accessDeniedElt.getAttribute("ref");
+
+ if (StringUtils.hasText(errorPage)) {
+ if (StringUtils.hasText(ref)) {
+ pc.getReaderContext().error("The attribute " + ATT_ACCESS_DENIED_ERROR_PAGE +
+ " cannot be used together with the 'ref' attribute within <" +
+ Elements.ACCESS_DENIED_HANDLER + ">", pc.extractSource(accessDeniedElt));
+
+ }
+ accessDeniedHandler.addPropertyValue("errorPage", errorPage);
+ } else if (StringUtils.hasText(ref)) {
+ return new RuntimeBeanReference(ref);
+ }
+
+ }
+
+ return accessDeniedHandler.getBeanDefinition();
+ }
+
 private void registerFilterSecurityInterceptor(Element element, ParserContext pc, String accessManagerId, BeanDefinition fids) {
 BeanDefinitionBuilder builder = BeanDefinitionBuilder.rootBeanDefinition(FilterSecurityInterceptor.class);
diff --git a/config/src/main/resources/META-INF/spring.schemas b/config/src/main/resources/META-INF/spring.schemas
index 9b0c7c8952..ed3825e016 100644
--- a/config/src/main/resources/META-INF/spring.schemas
+++ b/config/src/main/resources/META-INF/spring.schemas
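Review bot: The `error-page` value read from `<access-denied-handler>` inside createAccessDeniedHandler is never validated, whereas the equivalent `access-denied-page` attribute on `<http>` is passed through `ConfigUtils.validateHttpRedirect` a few lines earlier in the same method, so the same kind of target string is checked on one path and accepted unchecked on the other; I'd add `ConfigUtils.validateHttpRedirect(errorPage, pc, pc.extractSource(accessDeniedElt));` directly after the attribute is read. The lookup also uses the literal `"error-page"` while the error message in the same branch uses the `ATT_ACCESS_DENIED_ERROR_PAGE` constant this commit introduces; `String errorPage = accessDeniedElt.getAttribute(ATT_ACCESS_DENIED_ERROR_PAGE);` keeps the attribute name and the message in step. The new method has no Javadoc, and its `BeanMetadataElement` return type hides that it yields either a `RuntimeBeanReference` to the user's `ref` bean or an `AccessDeniedHandlerImpl` definition (one with no `errorPage` set when neither the attribute nor the element provides a page), which is worth a short comment above the signature. The closing context lines open registerFilterSecurityInterceptor, whose body continues outside the hunk.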
@@ -1,6 +1,6 @@
-http\://www.springframework.org/schema/security/spring-security.xsd=org/springframework/security/config/spring-security-2.5.xsd
+http\://www.springframework.org/schema/security/spring-security.xsd=org/springframework/security/config/spring-security-3.0.xsd
 http\://www.springframework.org/schema/security/spring-security-2.0.xsd=org/springframework/security/config/spring-security-2.0.xsd
 http\://www.springframework.org/schema/security/spring-security-2.0.1.xsd=org/springframework/security/config/spring-security-2.0.1.xsd
 http\://www.springframework.org/schema/security/spring-security-2.0.2.xsd=org/springframework/security/config/spring-security-2.0.2.xsd
 http\://www.springframework.org/schema/security/spring-security-2.0.4.xsd=org/springframework/security/config/spring-security-2.0.4.xsd
-http\://www.springframework.org/schema/security/spring-security-2.5.xsd=org/springframework/security/config/spring-security-2.5.xsd
+http\://www.springframework.org/schema/security/spring-security-3.0.xsd=org/springframework/security/config/spring-security-3.0.xsd
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-2.5.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-2.5.xsd
deleted file mode 100644
index 4a52d45f74..0000000000
--- a/config/src/main/resources/org/springframework/security/config/spring-security-2.5.xsd
+++ /dev/null
@@ -1,1572 +0,0 @@ - - - - - - Defines the hashing algorithm used on user passwords. We recommend - strongly against using MD4, as it is a very weak hashing - algorithm. - - - - - - - - - - - - - - - - - - Whether a string should be base64 encoded - - - - - - - - - - - - - Defines the type of pattern used to specify URL paths (either JDK - 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if - unspecified. - - - - - - - - - - - - - Specifies an IP port number. Used to configure an embedded LDAP - server, for example. - - - - - - - Specifies a URL. - - - - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - - - - - - - Defines a reference to a Spring bean Id. - - - - - - - Defines a reference to a cache for use with a - UserDetailsService. - - - - - - - A reference to a user-service (or UserDetailsService bean) - Id - - - - - - - A reference to a DataSource bean - - - - - - - Defines a reference to a Spring bean Id. - - - - - Defines the hashing algorithm used on user passwords. We recommend - strongly against using MD4, as it is a very weak hashing - algorithm. - - - - - - - - - - - - - - - - Whether a string should be base64 encoded - - - - - - - - - - - - - A property of the UserDetails object which will be used as salt by a - password encoder. Typically something like "username" might be used. - - - - - - - - A single value that will be used as the salt for a password encoder. - - - - - - - - - - - - - - A non-empty string prefix that will be added to role strings loaded - from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases - where the default is non-empty. - - - - - - - Enables the use of expressions in the 'access' attributes in - <intercept-url> elements rather than the traditional list of - configuration attributes. Defaults to 'false'. If enabled, each attribute should - contain a single boolean expression. 
If the expression evaluates to 'true', access - will be granted. - - - - - - Defines an LDAP server location or starts an embedded server. The url - indicates the location of a remote server. If no url is given, an embedded server will - be started, listening on the supplied port number. The port is optional and defaults to - 33389. A Spring LDAP ContextSource bean will be registered for the server with the id - supplied. - - - - - - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - - - - - Specifies a URL. - - - - - Specifies an IP port number. Used to configure an embedded LDAP - server, for example. - - - - - Username (DN) of the "manager" user identity which will be used to - authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be - used. - - - - - The password for the manager DN. - - - - - Explicitly specifies an ldif file resource to load into an embedded - LDAP server - - - - - Optional root suffix for the embedded LDAP server. Default is - "dc=springframework,dc=org" - - - - - - - The optional server to use. If omitted, and a default LDAP server is - registered (using <ldap-server> with no Id), that server will be used. - - - - - - - - Group search filter. Defaults to (uniqueMember={0}). The substituted - parameter is the DN of the user. - - - - - - - Search base for group membership searches. Defaults to "" (searching - from the root). - - - - - - - The LDAP filter used to search for users (optional). For example - "(uid={0})". The substituted parameter is the user's login name. - - - - - - - Search base for user searches. Defaults to "". Only used with a - 'user-search-filter'. - - - - - - - The LDAP attribute name which contains the role name which will be - used within Spring Security. Defaults to "cn". - - - - - - - Allows the objectClass of the user entry to be specified. 
If set, the - framework will attempt to load standard attributes for the defined class into the - returned UserDetails object - - - - - - - - - - - - - - - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - - - - - The optional server to use. If omitted, and a default LDAP server is - registered (using <ldap-server> with no Id), that server will be used. - - - - - - The LDAP filter used to search for users (optional). For example - "(uid={0})". The substituted parameter is the user's login name. - - - - - Search base for user searches. Defaults to "". Only used with a - 'user-search-filter'. - - - - - Group search filter. Defaults to (uniqueMember={0}). The substituted - parameter is the DN of the user. - - - - - Search base for group membership searches. Defaults to "" (searching - from the root). - - - - - The LDAP attribute name which contains the role name which will be - used within Spring Security. Defaults to "cn". - - - - - Defines a reference to a cache for use with a - UserDetailsService. - - - - - A non-empty string prefix that will be added to role strings loaded - from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases - where the default is non-empty. - - - - - Allows the objectClass of the user entry to be specified. If set, the - framework will attempt to load standard attributes for the defined class into the - returned UserDetails object - - - - - - - - - - - - Sets up an ldap authentication provider - - - - - - Specifies that an LDAP provider should use an LDAP compare - operation of the user's password to authenticate the user - - - - - - element which defines a password encoding strategy. - Used by an authentication provider to convert submitted passwords to - hashed versions, for example. - - - - - - Password salting strategy. A system-wide - constant or a property from the UserDetails object can be - used. 
- - - - - A property of the UserDetails object - which will be used as salt by a password encoder. - Typically something like "username" might be used. - - - - - - A single value that will be used as the - salt for a password encoder. - - - - - Defines a reference to a Spring bean - Id. - - - - - - - - - - - - - - - - - - - - The optional server to use. If omitted, and a default LDAP server is - registered (using <ldap-server> with no Id), that server will be used. - - - - - - Search base for user searches. Defaults to "". Only used with a - 'user-search-filter'. - - - - - The LDAP filter used to search for users (optional). For example - "(uid={0})". The substituted parameter is the user's login name. - - - - - Search base for group membership searches. Defaults to "" (searching - from the root). - - - - - Group search filter. Defaults to (uniqueMember={0}). The substituted - parameter is the DN of the user. - - - - - The LDAP attribute name which contains the role name which will be - used within Spring Security. Defaults to "cn". - - - - - A specific pattern used to build the user's DN, for example - "uid={0},ou=people". The key "{0}" must be present and will be substituted with the - username. - - - - - A non-empty string prefix that will be added to role strings loaded - from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases - where the default is non-empty. - - - - - Allows the objectClass of the user entry to be specified. If set, the - framework will attempt to load standard attributes for the defined class into the - returned UserDetails object - - - - - - - - - - - - - The attribute in the directory which contains the user password. - Defaults to "userPassword". - - - - - Defines the hashing algorithm used on user passwords. We recommend - strongly against using MD4, as it is a very weak hashing - algorithm. 
- - - - - - - - - - - - - - - - - Can be used inside a bean definition to add a security interceptor to the - bean and set up access configuration attributes for the bean's - methods - - - - - - Defines a protected method and the access control configuration - attributes that apply to it. We strongly advise you NOT to mix "protect" - declarations with any services provided - "global-method-security". - - - - - - - - - - - - - Optional AccessDecisionManager bean ID to be used by the created - method security interceptor. - - - - - - - A method name - - - - - Access configuration attributes list that applies to the method, e.g. - "ROLE_A,ROLE_B". - - - - - - Provides method security for all beans registered in the Spring - application context. Specifically, beans will be scanned for matches with the ordered - list of "protect-pointcut" sub-elements, Spring Security annotations and/or. Where there - is a match, the beans will automatically be proxied and security authorization applied - to the methods accordingly. If you use and enable all four sources of method security - metadata (ie "protect-pointcut" declarations, expression annotations, @Secured and also - JSR250 security annotations), the metadata sources will be queried in that order. In - practical terms, this enables you to use XML to override method security metadata - expressed in annotations. If using annotations, the order of precedence is EL-based - (@PreAuthorize etc.), @Secured and finally JSR-250. - - - - - - - Defines a protected pointcut and the access control - configuration attributes that apply to it. Every bean registered in the Spring - application context that provides a method that matches the pointcut will - receive security authorization. - - - - - - - - - - - - - Specifies whether the use of Spring Security's expression-based - annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be - enabled for this application context. Defaults to "disabled". 
- - - - - - - - - - - Specifies whether the use of Spring Security's @Secured annotations - should be enabled for this application context. Defaults to - "disabled". - - - - - - - - - - - Specifies whether JSR-250 style attributes are to be used (for example - "RolesAllowed"). This will require the javax.annotation.security classes on the - classpath. Defaults to "disabled". - - - - - - - - - - - Optional AccessDecisionManager bean ID to override the default used - for method security. - - - - - - Defines the SecurityExpressionHandler instance which will be used if - expression-based access-control is enabled. A default implementation (with no ACL - support) will be used if not supplied. - - - - - - - - Used to decorate an AfterInvocationProvider to specify that it should be - used with method security. - - - - - - - An AspectJ expression, including the 'execution' keyword. For example, - 'execution(int com.foo.TargetObject.countLength(String))' (without the - quotes). - - - - - Access configuration attributes list that applies to all methods - matching the pointcut, e.g. "ROLE_A,ROLE_B" - - - - - - Container element for HTTP security configuration - - - - - - Specifies the access attributes and/or filter list for a - particular set of URLs. - - - - - - - - Sets up a form login configuration for authentication with a - username and password - - - - - - - - - Adds support for X.509 client authentication. - - - - - - - - Adds support for basic authentication (this is an element to - permit future expansion, such as supporting an "ignoreFailure" - attribute) - - - - - - Incorporates a logout processing filter. Most web applications - require a logout filter, although you may not require one if you write a - controller to provider similar logic. - - - - - - - - Adds support for concurrent session control, allowing limits to - be placed on the number of sessions a user can have. - - - - - - - - Sets up remember-me authentication. 
If used with the "key" - attribute (or no attributes) the cookie-only implementation will be used. - Specifying "token-repository-ref" or "remember-me-data-source-ref" will use the - more secure, persisten token approach. - - - - - - - - Adds support for automatically granting all anonymous web - requests a particular principal identity and a corresponding granted - authority. - - - - - - - - Defines the list of mappings between http and https ports for - use in redirects - - - - - - - - - - - - - - - Automatically registers a login form, BASIC authentication, anonymous - authentication, logout services, remember-me and servlet-api-integration. If set to - "true", all of these capabilities are added (although you can still customize the - configuration of each by providing the respective element). If unspecified, defaults - to "false". - - - - - Enables the use of expressions in the 'access' attributes in - <intercept-url> elements rather than the traditional list of - configuration attributes. Defaults to 'false'. If enabled, each attribute should - contain a single boolean expression. If the expression evaluates to 'true', access - will be granted. - - - - - Controls the eagerness with which an HTTP session is created. If not - set, defaults to "ifRequired". Note that if a custom SecurityContextRepository is set - using security-context-repository-ref, then the only value which can be set is - "always". Otherwise the session creation behaviour will be determined by the - repository bean implementation. - - - - - - - - - - - - A reference to a SecurityContextRepository bean. This can be used to - customize the way the SecurityContext is stored between requests. - - - - - Defines the type of pattern used to specify URL paths (either JDK - 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if - unspecified. - - - - - - - - - - - Whether test URLs should be converted to lower case prior to comparing - with defined path patterns. 
If unspecified, defaults to "true". - - - - - Provides versions of HttpServletRequest security methods such as - isUserInRole() and getPrincipal() which are implemented by accessing the Spring - SecurityContext. Defaults to "true". - - - - - Optional attribute specifying the ID of the AccessDecisionManager - implementation which should be used for authorizing HTTP requests. - - - - - Optional attribute specifying the realm name that will be used for all - authentication features that require a realm name (eg BASIC and Digest - authentication). If unspecified, defaults to "Spring Security - Application". - - - - - Indicates whether an existing session should be invalidated when a - user authenticates and a new session started. If set to "none" no change will be - made. "newSession" will create a new empty session. "migrateSession" will create a - new session and copy the session attributes to the new session. Defaults to - "migrateSession". - - - - - - - - - - - - Allows a customized AuthenticationEntryPoint to be - used. - - - - - Corresponds to the observeOncePerRequest property of - FilterSecurityInterceptor. Defaults to "true" - - - - - Allows the access denied page to be set (the user will be redirected - here if an AccessDeniedException is raised). - - - - - - - - - - - - The pattern which defines the URL path. The content will depend on the - type set in the containing http element, so will default to ant path - syntax. - - - - - The access configuration attributes that apply for the configured - path. - - - - - The HTTP Method for which the access configuration attributes should - apply. If not specified, the attributes will apply to any method. - - - - - - - - - - - - - - - - The filter list for the path. Currently can be set to "none" to remove - a path from having any filters applied. The full filter stack (consisting of all - filters created by the namespace configuration, and any added using 'custom-filter'), - will be applied to any other paths. 
- - - - - - - - - - Used to specify that a URL must be accessed over http or https, or - that there is no preference. - - - - - - - - - - - - - - Specifies the URL that will cause a logout. Spring Security will - initialize a filter that responds to this particular URL. Defaults to - /j_spring_security_logout if unspecified. - - - - - Specifies the URL to display once the user has logged out. If not - specified, defaults to /. - - - - - Specifies whether a logout also causes HttpSession invalidation, which - is generally desirable. If unspecified, defaults to true. - - - - - - - The URL that the login form is posted to. If unspecified, it defaults - to /j_spring_security_check. - - - - - The URL that will be redirected to after successful authentication, if - the user's previous action could not be resumed. This generally happens if the user - visits a login page without having first requested a secured operation that triggers - authentication. If unspecified, defaults to the root of the - application. - - - - - Whether the user should always be redirected to the default-target-url - after login. - - - - - The URL for the login page. If no login URL is specified, Spring - Security will automatically create a login URL at /spring_security_login and a - corresponding filter to render that login URL when requested. - - - - - The URL for the login failure page. If no login failure URL is - specified, Spring Security will automatically create a failure login URL at - /spring_security_login?login_error and a corresponding filter to render that login - failure URL when requested. - - - - - Reference to an AuthenticationSuccessHandler bean which should be used - to handle a successful authentication request. 
Should not be used in combination with - default-target-url (or always-use-default-target-url) as the implementation should - always deal with navigation to the subsequent destination - - - - - Reference to an AuthenticationFailureHandler bean which should be used - to handle a failed authentication request. Should not be used in combination with - authentication-failure-url as the implementation should always deal with navigation - to the subsequent destination - - - - - - Sets up form login for authentication with an Open ID - identity - - - - - - A reference to a user-service (or UserDetailsService bean) - Id - - - - - - - Used to explicitly configure a FilterChainProxy instance with a - FilterChainMap - - - - - - Used within filter-chain-map to define a specific URL pattern - and the list of filters which apply to the URLs matching that pattern. When - multiple filter-chain elements are used within a filter-chain-map element, the - most specific patterns must be placed at the top of the list, with most general - ones at the bottom. - - - - - - - - - - - - - - - - - - - Used to explicitly configure a FilterInvocationDefinitionSource bean for - use with a FilterSecurityInterceptor. Usually only needed if you are configuring a - FilterChainProxy explicitly, rather than using the <http> element. The - intercept-url elements used should only contain pattern, method and access attributes. - Any others will result in a configuration error. - - - - - - Specifies the access attributes and/or filter list for a - particular set of URLs. - - - - - - - - - - - - - Enables the use of expressions in the 'access' attributes in - <intercept-url> elements rather than the traditional list of - configuration attributes. Defaults to 'false'. If enabled, each attribute should - contain a single boolean expression. If the expression evaluates to 'true', access - will be granted. - - - - - A bean identifier, used for referring to the bean elsewhere in the - context. 
- - - - - as for http element - - - - - Defines the type of pattern used to specify URL paths (either JDK - 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if - unspecified. - - - - - - - - - - - - - The maximum number of sessions a single user can have open at the same - time. Defaults to "1". - - - - - The URL a user will be redirected to if they attempt to use a session - which has been "expired" by the concurrent session controller because they have - logged in again. - - - - - Specifies that an exception should be raised when a user attempts to - login when they already have the maximum configured sessions open. The default - behaviour is to expire the original session. - - - - - Allows you to define an alias for the SessionRegistry bean in order to - access it in your own configuration - - - - - A reference to an external SessionRegistry implementation which will - be used in place of the standard one. - - - - - - - The "key" used to identify cookies from a specific token-based - remember-me application. You should set this to a unique value for your - application. - - - - - Reference to a PersistentTokenRepository bean for use with the - persistent token remember-me implementation. - - - - - A reference to a DataSource bean - - - - - - A reference to a user-service (or UserDetailsService bean) - Id - - - - - The period (in seconds) for which the remember-me cookie should be - valid. If set to a negative value - - - - - - - Reference to a PersistentTokenRepository bean for use with the - persistent token remember-me implementation. - - - - - - - Allows a custom implementation of RememberMeServices to be used. Note - that this implementation should return RememberMeAuthenticationToken instances with - the same "key" value as specified in the remember-me element. Alternatively it should - register its own AuthenticationProvider. - - - - - - - - - - The key shared between the provider and filter. 
This generally does - not need to be set. If unset, it will default to "doesNotMatter". - - - - - The username that should be assigned to the anonymous request. This - allows the principal to be identified, which may be important for logging and - auditing. if unset, defaults to "anonymousUser". - - - - - The granted authority that should be assigned to the anonymous - request. Commonly this is used to assign the anonymous request particular roles, - which can subsequently be used in authorization decisions. If unset, defaults to - "ROLE_ANONYMOUS". - - - - - - - - - - - - - - - - - - - The regular expression used to obtain the username from the - certificate's subject. Defaults to matching on the common name using the pattern - "CN=(.*?),". - - - - - A reference to a user-service (or UserDetailsService bean) - Id - - - - - - If you are using namespace configuration with Spring Security, an - AuthenticationManager will automatically be registered. This element allows you to - define an alias to allow you to reference the authentication-manager in your own beans. - - - - - - - - - - The alias you wish to use for the AuthenticationManager - bean - - - - - Allows the session controller to be set on the internal - AuthenticationManager. This should not be used with the - <concurrent-session-control /> element - - - - - - Indicates that the contained user-service should be used as an - authentication source. - - - - - - - element which defines a password encoding strategy. Used by an - authentication provider to convert submitted passwords to hashed versions, for - example. - - - - - - Password salting strategy. A system-wide constant or a - property from the UserDetails object can be used. - - - - - A property of the UserDetails object which will - be used as salt by a password encoder. Typically something like - "username" might be used. - - - - - A single value that will be used as the salt for - a password encoder. 
- - - - - Defines a reference to a Spring bean - Id. - - - - - - - - - - - - - - - - A reference to a user-service (or UserDetailsService bean) - Id - - - - - - Element used to decorate an AuthenticationProvider bean to add it to the - internal AuthenticationManager maintained by the namespace. - - - - - - Creates an in-memory UserDetailsService from a properties file or a list - of "user" child elements. - - - - - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - - - - - - - - - - - Represents a user in the application. - - - - - - - - - The username assigned to the user. - - - - - The password assigned to the user. This may be hashed if the - corresponding authentication provider supports hashing (remember to set the "hash" - attribute of the "user-service" element). - - - - - One of more authorities granted to the user. Separate authorities with - a comma (but no space). For example, - "ROLE_USER,ROLE_ADMINISTRATOR" - - - - - Can be set to "true" to mark an account as locked and - unusable. - - - - - Can be set to "true" to mark an account as disabled and - unusable. - - - - - - Causes creation of a JDBC-based UserDetailsService. - - - - - A bean identifier, used for referring to the bean elsewhere in the - context. - - - - - - - - - The bean ID of the DataSource which provides the required - tables. - - - - - Defines a reference to a cache for use with a - UserDetailsService. - - - - - An SQL statement to query a username, password, and enabled status - given a username - - - - - An SQL statement to query for a user's granted authorities given a - username. - - - - - An SQL statement to query user's group authorities given a - username. - - - - - A non-empty string prefix that will be added to role strings loaded - from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases - where the default is non-empty. 
- - - - - - - - - - - - Used to indicate that a filter bean declaration should be incorporated - into the security filter chain. If neither the 'after' or 'before' options are supplied, - then the filter must implement the Ordered interface directly. - - - - - The filter immediately after which the custom-filter should be - placed in the chain. This feature will only be needed by advanced users who wish - to mix their own filters into the security filter chain and have some knowledge of - the standard Spring Security filters. The filter names map to specific Spring - Security implementation filters. - - - - - The filter immediately before which the custom-filter should be - placed in the chain - - - - - The explicit position at which the custom-filter should be placed - in the chain. Use if you are replacing a standard filter. - - - - - - - - The filter immediately after which the custom-filter should be placed - in the chain. This feature will only be needed by advanced users who wish to mix - their own filters into the security filter chain and have some knowledge of the - standard Spring Security filters. The filter names map to specific Spring Security - implementation filters. - - - - - - - The filter immediately before which the custom-filter should be placed - in the chain - - - - - - - The explicit position at which the custom-filter should be placed in - the chain. Use if you are replacing a standard filter. - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-2.5.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc similarity index 97% rename from config/src/main/resources/org/springframework/security/config/spring-security-2.5.rnc rename to config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc index f524dc7284..c2fddd9e4d 100644 
--- a/config/src/main/resources/org/springframework/security/config/spring-security-2.5.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc
@@ -219,7 +219,7 @@ protect-pointcut.attlist &=
 
 http =
 ## Container element for HTTP security configuration
- element http {http.attlist, (intercept-url+ & form-login? & openid-login & x509? & http-basic? & logout? & concurrent-session-control? & remember-me? & anonymous? & port-mappings) }
+ element http {http.attlist, (intercept-url+ & access-denied-handler? & form-login? & openid-login? & x509? & http-basic? & logout? & concurrent-session-control? & remember-me? & anonymous? & port-mappings) }
 http.attlist &=
 ## Automatically registers a login form, BASIC authentication, anonymous authentication, logout services, remember-me and servlet-api-integration. If set to "true", all of these capabilities are added (although you can still customize the configuration of each by providing the respective element). If unspecified, defaults to "false".
 attribute auto-config {boolean}?
@@ -229,7 +229,7 @@ http.attlist &=
 ## Controls the eagerness with which an HTTP session is created. If not set, defaults to "ifRequired". Note that if a custom SecurityContextRepository is set using security-context-repository-ref, then the only value which can be set is "always". Otherwise the session creation behaviour will be determined by the repository bean implementation.
 attribute create-session {"ifRequired" | "always" | "never" }?
 http.attlist &=
- ## A reference to a SecurityContextRepository bean. This can be used to customize the way the SecurityContext is stored between requests.
+ ## A reference to a SecurityContextRepository bean. This can be used to customize how the SecurityContext is stored between requests.
 attribute security-context-repository-ref {xsd:string}?
 http.attlist &=
 ## The path format used to define the paths in child elements.
@@ -256,12 +256,20 @@ http.attlist &=
 ## Corresponds to the observeOncePerRequest property of FilterSecurityInterceptor. Defaults to "true"
 attribute once-per-request {boolean}?
 http.attlist &=
- ## Allows the access denied page to be set (the user will be redirected here if an AccessDeniedException is raised).
+ ## Deprecated in favour of the access-denied-handler element.
 attribute access-denied-page {xsd:string}?
 http.attlist &=
 ##
- attribute disable-url-rewriting {boolean}?
+ attribute disable-url-rewriting {boolean}?
+access-denied-handler =
+ ## Defines the access-denied strategy that should be used. An access denied page can be defined or a reference to an AccessDeniedHandler instance.
+ element access-denied-handler {access-denied-handler.attlist, empty}
+access-denied-handler.attlist &= (ref | access-denied-handler-page)
+
+access-denied-handler-page =
+ ## The access denied page that an authenticated user will be redirected to if they request a page which they don't have the authority to access.
+ attribute error-page {xsd:string}
 
 intercept-url =
 ## Specifies the access attributes and/or filter list for a particular set of URLs.
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd
new file mode 100644
index 0000000000..35f2e1183c
--- /dev/null
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd
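Review bot: The replacement doc comment on `access-denied-page` drops the description of what the attribute does, so a reader of the generated schema documentation learns only that it is deprecated while the attribute remains accepted. Keeping the original sentence alongside the deprecation is more useful for existing configurations: `## Allows the access denied page to be set (the user will be redirected here if an AccessDeniedException is raised). Deprecated in favour of the access-denied-handler element; the two must not be combined.` The `ref` pattern used in `access-denied-handler.attlist` is presumably a shared definition elsewhere in the file, which this hunk does not show. Since the alternation admits exactly one of `ref` or `error-page`, the schema already expresses the mutual exclusion that the tests in this commit expect the parser to enforce, which is a good belt-and-braces arrangement.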
@@ -0,0 +1,1590 @@ + + + + + + Defines the hashing algorithm used on user passwords. We recommend + strongly against using MD4, as it is a very weak hashing algorithm. + + + + + + + + + + + + + + + + + + Whether a string should be base64 encoded + + + + + + + + + + + + + Defines the type of pattern used to specify URL paths (either JDK + 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if + unspecified. + + + + + + + + + + + + + Specifies an IP port number. Used to configure an embedded LDAP server, + for example. + + + + + + + Specifies a URL. + + + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + + + Defines a reference to a Spring bean Id. + + + + + + + Defines a reference to a cache for use with a + UserDetailsService. + + + + + + + A reference to a user-service (or UserDetailsService bean) + Id + + + + + + + A reference to a DataSource bean + + + + + + + Defines a reference to a Spring bean Id. + + + + + Defines the hashing algorithm used on user passwords. We recommend + strongly against using MD4, as it is a very weak hashing algorithm. + + + + + + + + + + + + + + + + Whether a string should be base64 encoded + + + + + + + + + + + + + A property of the UserDetails object which will be used as salt by a + password encoder. Typically something like "username" might be used. + + + + + + + A single value that will be used as the salt for a password encoder. + + + + + + + + + + + + + + A non-empty string prefix that will be added to role strings loaded from + persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the + default is non-empty. + + + + + + + Enables the use of expressions in the 'access' attributes in + <intercept-url> elements rather than the traditional list of configuration + attributes. Defaults to 'false'. If enabled, each attribute should contain a single + boolean expression. 
If the expression evaluates to 'true', access will be granted. + + + + + + + Defines an LDAP server location or starts an embedded server. The url + indicates the location of a remote server. If no url is given, an embedded server will be + started, listening on the supplied port number. The port is optional and defaults to 33389. + A Spring LDAP ContextSource bean will be registered for the server with the id supplied. + + + + + + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + Specifies a URL. + + + + + Specifies an IP port number. Used to configure an embedded LDAP server, + for example. + + + + + Username (DN) of the "manager" user identity which will be used to + authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be used. + + + + + + The password for the manager DN. + + + + + Explicitly specifies an ldif file resource to load into an embedded LDAP + server + + + + + Optional root suffix for the embedded LDAP server. Default is + "dc=springframework,dc=org" + + + + + + + The optional server to use. If omitted, and a default LDAP server is + registered (using <ldap-server> with no Id), that server will be used. + + + + + + + + Group search filter. Defaults to (uniqueMember={0}). The substituted + parameter is the DN of the user. + + + + + + + Search base for group membership searches. Defaults to "" (searching from + the root). + + + + + + + The LDAP filter used to search for users (optional). For example + "(uid={0})". The substituted parameter is the user's login name. + + + + + + + Search base for user searches. Defaults to "". Only used with a + 'user-search-filter'. + + + + + + + The LDAP attribute name which contains the role name which will be used + within Spring Security. Defaults to "cn". + + + + + + + Allows the objectClass of the user entry to be specified. 
If set, the + framework will attempt to load standard attributes for the defined class into the returned + UserDetails object + + + + + + + + + + + + + + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + The optional server to use. If omitted, and a default LDAP server is + registered (using <ldap-server> with no Id), that server will be used. + + + + + + The LDAP filter used to search for users (optional). For example + "(uid={0})". The substituted parameter is the user's login name. + + + + + Search base for user searches. Defaults to "". Only used with a + 'user-search-filter'. + + + + + Group search filter. Defaults to (uniqueMember={0}). The substituted + parameter is the DN of the user. + + + + + Search base for group membership searches. Defaults to "" (searching from + the root). + + + + + The LDAP attribute name which contains the role name which will be used + within Spring Security. Defaults to "cn". + + + + + Defines a reference to a cache for use with a + UserDetailsService. + + + + + A non-empty string prefix that will be added to role strings loaded from + persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the + default is non-empty. + + + + + Allows the objectClass of the user entry to be specified. If set, the + framework will attempt to load standard attributes for the defined class into the returned + UserDetails object + + + + + + + + + + + + Sets up an ldap authentication provider + + + + + + Specifies that an LDAP provider should use an LDAP compare operation + of the user's password to authenticate the user + + + + + + element which defines a password encoding strategy. Used by an + authentication provider to convert submitted passwords to hashed versions, for + example. + + + + + + Password salting strategy. A system-wide constant or a + property from the UserDetails object can be used. 
+ + + + + A property of the UserDetails object which will be + used as salt by a password encoder. Typically something like + "username" might be used. + + + + + A single value that will be used as the salt for a + password encoder. + + + + + Defines a reference to a Spring bean + Id. + + + + + + + + + + + + + + + + + + + + The optional server to use. If omitted, and a default LDAP server is + registered (using <ldap-server> with no Id), that server will be used. + + + + + + Search base for user searches. Defaults to "". Only used with a + 'user-search-filter'. + + + + + The LDAP filter used to search for users (optional). For example + "(uid={0})". The substituted parameter is the user's login name. + + + + + Search base for group membership searches. Defaults to "" (searching from + the root). + + + + + Group search filter. Defaults to (uniqueMember={0}). The substituted + parameter is the DN of the user. + + + + + The LDAP attribute name which contains the role name which will be used + within Spring Security. Defaults to "cn". + + + + + A specific pattern used to build the user's DN, for example + "uid={0},ou=people". The key "{0}" must be present and will be substituted with the + username. + + + + + A non-empty string prefix that will be added to role strings loaded from + persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the + default is non-empty. + + + + + Allows the objectClass of the user entry to be specified. If set, the + framework will attempt to load standard attributes for the defined class into the returned + UserDetails object + + + + + + + + + + + + + The attribute in the directory which contains the user password. Defaults + to "userPassword". + + + + + Defines the hashing algorithm used on user passwords. We recommend + strongly against using MD4, as it is a very weak hashing algorithm. 
+ + + + + + + + + + + + + + + + + Can be used inside a bean definition to add a security interceptor to the + bean and set up access configuration attributes for the bean's methods + + + + + + Defines a protected method and the access control configuration + attributes that apply to it. We strongly advise you NOT to mix "protect" declarations + with any services provided "global-method-security". + + + + + + + + + + + + + Optional AccessDecisionManager bean ID to be used by the created method + security interceptor. + + + + + + + A method name + + + + + Access configuration attributes list that applies to the method, e.g. + "ROLE_A,ROLE_B". + + + + + + Provides method security for all beans registered in the Spring application + context. Specifically, beans will be scanned for matches with the ordered list of + "protect-pointcut" sub-elements, Spring Security annotations and/or. Where there is a match, + the beans will automatically be proxied and security authorization applied to the methods + accordingly. If you use and enable all four sources of method security metadata (ie + "protect-pointcut" declarations, expression annotations, @Secured and also JSR250 security + annotations), the metadata sources will be queried in that order. In practical terms, this + enables you to use XML to override method security metadata expressed in annotations. If + using annotations, the order of precedence is EL-based (@PreAuthorize etc.), @Secured and + finally JSR-250. + + + + + + + Defines a protected pointcut and the access control configuration + attributes that apply to it. Every bean registered in the Spring application context + that provides a method that matches the pointcut will receive security + authorization. + + + + + + + + + + + + + Specifies whether the use of Spring Security's expression-based + annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be enabled for + this application context. Defaults to "disabled". 
+ + + + + + + + + + + Specifies whether the use of Spring Security's @Secured annotations should + be enabled for this application context. Defaults to "disabled". + + + + + + + + + + + Specifies whether JSR-250 style attributes are to be used (for example + "RolesAllowed"). This will require the javax.annotation.security classes on the classpath. + Defaults to "disabled". + + + + + + + + + + + Optional AccessDecisionManager bean ID to override the default used for + method security. + + + + + + Defines the SecurityExpressionHandler instance which will be used if + expression-based access-control is enabled. A default implementation (with no ACL support) + will be used if not supplied. + + + + + + + + Used to decorate an AfterInvocationProvider to specify that it should be + used with method security. + + + + + + + An AspectJ expression, including the 'execution' keyword. For example, + 'execution(int com.foo.TargetObject.countLength(String))' (without the + quotes). + + + + + Access configuration attributes list that applies to all methods matching + the pointcut, e.g. "ROLE_A,ROLE_B" + + + + + + Container element for HTTP security configuration + + + + + + Specifies the access attributes and/or filter list for a particular + set of URLs. + + + + + + + + Defines the access-denied strategy that should be used. An access + denied page can be defined or a reference to an AccessDeniedHandler instance. + + + + + + + + + Sets up a form login configuration for authentication with a username + and password + + + + + + + + + Adds support for X.509 client authentication. + + + + + + + + Adds support for basic authentication (this is an element to permit + future expansion, such as supporting an "ignoreFailure" attribute) + + + + + + Incorporates a logout processing filter. Most web applications require + a logout filter, although you may not require one if you write a controller to + provider similar logic. 
+ + + + + + + + Adds support for concurrent session control, allowing limits to be + placed on the number of sessions a user can have. + + + + + + + + Sets up remember-me authentication. If used with the "key" attribute + (or no attributes) the cookie-only implementation will be used. Specifying + "token-repository-ref" or "remember-me-data-source-ref" will use the more secure, + persisten token approach. + + + + + + + + Adds support for automatically granting all anonymous web requests a + particular principal identity and a corresponding granted + authority. + + + + + + + + Defines the list of mappings between http and https ports for use in + redirects + + + + + + + + + + + + + + + Automatically registers a login form, BASIC authentication, anonymous + authentication, logout services, remember-me and servlet-api-integration. If set to + "true", all of these capabilities are added (although you can still customize the + configuration of each by providing the respective element). If unspecified, defaults to + "false". + + + + + Enables the use of expressions in the 'access' attributes in + <intercept-url> elements rather than the traditional list of configuration + attributes. Defaults to 'false'. If enabled, each attribute should contain a single + boolean expression. If the expression evaluates to 'true', access will be granted. + + + + + + Controls the eagerness with which an HTTP session is created. If not set, + defaults to "ifRequired". Note that if a custom SecurityContextRepository is set using + security-context-repository-ref, then the only value which can be set is "always". + Otherwise the session creation behaviour will be determined by the repository bean + implementation. + + + + + + + + + + + + A reference to a SecurityContextRepository bean. This can be used to + customize how the SecurityContext is stored between requests. 
+ + + + + Defines the type of pattern used to specify URL paths (either JDK + 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if + unspecified. + + + + + + + + + + + Whether test URLs should be converted to lower case prior to comparing + with defined path patterns. If unspecified, defaults to "true". + + + + + Provides versions of HttpServletRequest security methods such as + isUserInRole() and getPrincipal() which are implemented by accessing the Spring + SecurityContext. Defaults to "true". + + + + + Optional attribute specifying the ID of the AccessDecisionManager + implementation which should be used for authorizing HTTP requests. + + + + + Optional attribute specifying the realm name that will be used for all + authentication features that require a realm name (eg BASIC and Digest authentication). If + unspecified, defaults to "Spring Security Application". + + + + + Indicates whether an existing session should be invalidated when a user + authenticates and a new session started. If set to "none" no change will be made. + "newSession" will create a new empty session. "migrateSession" will create a new session + and copy the session attributes to the new session. Defaults to + "migrateSession". + + + + + + + + + + + + Allows a customized AuthenticationEntryPoint to be + used. + + + + + Corresponds to the observeOncePerRequest property of + FilterSecurityInterceptor. Defaults to "true" + + + + + Deprecated in favour of the access-denied-handler + element. + + + + + + + + + + + + Defines a reference to a Spring bean Id. + + + + + The access denied page that an authenticated user will be redirected to if + they request a page which they don't have the authority to access. + + + + + + + The access denied page that an authenticated user will be redirected to if + they request a page which they don't have the authority to access. + + + + + + + The pattern which defines the URL path. 
The content will depend on the + type set in the containing http element, so will default to ant path + syntax. + + + + + The access configuration attributes that apply for the configured + path. + + + + + The HTTP Method for which the access configuration attributes should + apply. If not specified, the attributes will apply to any method. + + + + + + + + + + + + + + + + The filter list for the path. Currently can be set to "none" to remove a + path from having any filters applied. The full filter stack (consisting of all filters + created by the namespace configuration, and any added using 'custom-filter'), will be + applied to any other paths. + + + + + + + + + + Used to specify that a URL must be accessed over http or https, or that + there is no preference. + + + + + + + + + + + + + + Specifies the URL that will cause a logout. Spring Security will + initialize a filter that responds to this particular URL. Defaults to + /j_spring_security_logout if unspecified. + + + + + Specifies the URL to display once the user has logged out. If not + specified, defaults to /. + + + + + Specifies whether a logout also causes HttpSession invalidation, which is + generally desirable. If unspecified, defaults to true. + + + + + + + The URL that the login form is posted to. If unspecified, it defaults to + /j_spring_security_check. + + + + + The URL that will be redirected to after successful authentication, if the + user's previous action could not be resumed. This generally happens if the user visits a + login page without having first requested a secured operation that triggers + authentication. If unspecified, defaults to the root of the + application. + + + + + Whether the user should always be redirected to the default-target-url + after login. + + + + + The URL for the login page. If no login URL is specified, Spring Security + will automatically create a login URL at /spring_security_login and a corresponding filter + to render that login URL when requested. 
+ + + + + The URL for the login failure page. If no login failure URL is specified, + Spring Security will automatically create a failure login URL at + /spring_security_login?login_error and a corresponding filter to render that login failure + URL when requested. + + + + + Reference to an AuthenticationSuccessHandler bean which should be used to + handle a successful authentication request. Should not be used in combination with + default-target-url (or always-use-default-target-url) as the implementation should always + deal with navigation to the subsequent destination + + + + + Reference to an AuthenticationFailureHandler bean which should be used to + handle a failed authentication request. Should not be used in combination with + authentication-failure-url as the implementation should always deal with navigation to the + subsequent destination + + + + + + Sets up form login for authentication with an Open ID + identity + + + + + + A reference to a user-service (or UserDetailsService bean) + Id + + + + + + + Used to explicitly configure a FilterChainProxy instance with a + FilterChainMap + + + + + + Used within filter-chain-map to define a specific URL pattern and the + list of filters which apply to the URLs matching that pattern. When multiple + filter-chain elements are used within a filter-chain-map element, the most specific + patterns must be placed at the top of the list, with most general ones at the + bottom. + + + + + + + + + + + + + + + + + + + Used to explicitly configure a FilterInvocationDefinitionSource bean for use + with a FilterSecurityInterceptor. Usually only needed if you are configuring a + FilterChainProxy explicitly, rather than using the <http> element. The + intercept-url elements used should only contain pattern, method and access attributes. Any + others will result in a configuration error. + + + + + + Specifies the access attributes and/or filter list for a particular + set of URLs. 
+ + + + + + + + + + + + + Enables the use of expressions in the 'access' attributes in + <intercept-url> elements rather than the traditional list of configuration + attributes. Defaults to 'false'. If enabled, each attribute should contain a single + boolean expression. If the expression evaluates to 'true', access will be granted. + + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + as for http element + + + + + Defines the type of pattern used to specify URL paths (either JDK + 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if + unspecified. + + + + + + + + + + + + + The maximum number of sessions a single user can have open at the same + time. Defaults to "1". + + + + + The URL a user will be redirected to if they attempt to use a session + which has been "expired" by the concurrent session controller because they have logged in + again. + + + + + Specifies that an exception should be raised when a user attempts to login + when they already have the maximum configured sessions open. The default behaviour is to + expire the original session. + + + + + Allows you to define an alias for the SessionRegistry bean in order to + access it in your own configuration + + + + + A reference to an external SessionRegistry implementation which will be + used in place of the standard one. + + + + + + + The "key" used to identify cookies from a specific token-based remember-me + application. You should set this to a unique value for your + application. + + + + + Reference to a PersistentTokenRepository bean for use with the persistent + token remember-me implementation. + + + + + A reference to a DataSource bean + + + + + + A reference to a user-service (or UserDetailsService bean) + Id + + + + + The period (in seconds) for which the remember-me cookie should be valid. 
+ If set to a negative value + + + + + + + Reference to a PersistentTokenRepository bean for use with the persistent + token remember-me implementation. + + + + + + + Allows a custom implementation of RememberMeServices to be used. Note that + this implementation should return RememberMeAuthenticationToken instances with the same + "key" value as specified in the remember-me element. Alternatively it should register its + own AuthenticationProvider. + + + + + + + + + + The key shared between the provider and filter. This generally does not + need to be set. If unset, it will default to "doesNotMatter". + + + + + The username that should be assigned to the anonymous request. This allows + the principal to be identified, which may be important for logging and auditing. if unset, + defaults to "anonymousUser". + + + + + The granted authority that should be assigned to the anonymous request. + Commonly this is used to assign the anonymous request particular roles, which can + subsequently be used in authorization decisions. If unset, defaults to + "ROLE_ANONYMOUS". + + + + + + + + + + + + + + + + + + + The regular expression used to obtain the username from the certificate's + subject. Defaults to matching on the common name using the pattern + "CN=(.*?),". + + + + + A reference to a user-service (or UserDetailsService bean) + Id + + + + + + If you are using namespace configuration with Spring Security, an + AuthenticationManager will automatically be registered. This element allows you to define an + alias to allow you to reference the authentication-manager in your own beans. + + + + + + + + + + The alias you wish to use for the AuthenticationManager + bean + + + + + Allows the session controller to be set on the internal + AuthenticationManager. This should not be used with the <concurrent-session-control + /> element + + + + + + Indicates that the contained user-service should be used as an + authentication source. 
+ + + + + + + element which defines a password encoding strategy. Used by an + authentication provider to convert submitted passwords to hashed versions, for + example. + + + + + + Password salting strategy. A system-wide constant or a property + from the UserDetails object can be used. + + + + + A property of the UserDetails object which will be used as + salt by a password encoder. Typically something like "username" might be + used. + + + + + A single value that will be used as the salt for a password + encoder. + + + + + Defines a reference to a Spring bean Id. + + + + + + + + + + + + + + + + A reference to a user-service (or UserDetailsService bean) + Id + + + + + + Element used to decorate an AuthenticationProvider bean to add it to the + internal AuthenticationManager maintained by the namespace. + + + + + + Creates an in-memory UserDetailsService from a properties file or a list of + "user" child elements. + + + + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + + + + + + + Represents a user in the application. + + + + + + + + + The username assigned to the user. + + + + + The password assigned to the user. This may be hashed if the corresponding + authentication provider supports hashing (remember to set the "hash" attribute of the + "user-service" element). + + + + + One of more authorities granted to the user. Separate authorities with a + comma (but no space). For example, "ROLE_USER,ROLE_ADMINISTRATOR" + + + + + Can be set to "true" to mark an account as locked and + unusable. + + + + + Can be set to "true" to mark an account as disabled and + unusable. + + + + + + Causes creation of a JDBC-based UserDetailsService. + + + + + A bean identifier, used for referring to the bean elsewhere in the + context. + + + + + + + + + The bean ID of the DataSource which provides the required + tables. + + + + + Defines a reference to a cache for use with a + UserDetailsService. 
+ + + + + An SQL statement to query a username, password, and enabled status given a + username + + + + + An SQL statement to query for a user's granted authorities given a + username. + + + + + An SQL statement to query user's group authorities given a + username. + + + + + A non-empty string prefix that will be added to role strings loaded from + persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the + default is non-empty. + + + + + + + + + + + + Used to indicate that a filter bean declaration should be incorporated into + the security filter chain. If neither the 'after' or 'before' options are supplied, then the + filter must implement the Ordered interface directly. + + + + + The filter immediately after which the custom-filter should be placed in + the chain. This feature will only be needed by advanced users who wish to mix their own + filters into the security filter chain and have some knowledge of the standard Spring + Security filters. The filter names map to specific Spring Security implementation + filters. + + + + + The filter immediately before which the custom-filter should be placed + in the chain + + + + + The explicit position at which the custom-filter should be placed in the + chain. Use if you are replacing a standard filter. + + + + + + + + The filter immediately after which the custom-filter should be placed in + the chain. This feature will only be needed by advanced users who wish to mix their own + filters into the security filter chain and have some knowledge of the standard Spring + Security filters. The filter names map to specific Spring Security implementation filters. + + + + + + + + The filter immediately before which the custom-filter should be placed in + the chain + + + + + + + The explicit position at which the custom-filter should be placed in the + chain. Use if you are replacing a standard filter. + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security.xsl b/config/src/main/resources/org/springframework/security/config/spring-security.xsl index 90759153a8..fa87e2e563 100644 --- a/config/src/main/resources/org/springframework/security/config/spring-security.xsl +++ b/config/src/main/resources/org/springframework/security/config/spring-security.xsl @@ -10,7 +10,7 @@ - ,anonymous,concurrent-session-control,filter-chain,form-login,http-basic,intercept-url,logout,password-encoder,port-mappings,port-mapper,password-compare,protect,protect-pointcut,remember-me,salt-source,x509, + ,access-denied-handler,anonymous,concurrent-session-control,filter-chain,form-login,http-basic,intercept-url,logout,password-encoder,port-mappings,port-mapper,password-compare,protect,protect-pointcut,remember-me,salt-source,x509, diff --git a/config/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java index 556187abf2..443e85c322 100644 --- a/config/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java +++ b/config/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java @@ -33,6 +33,7 @@ import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.openid.OpenIDAuthenticationProcessingFilter; import org.springframework.security.openid.OpenIDAuthenticationProvider; import org.springframework.security.util.FieldUtils; +import org.springframework.security.web.AccessDeniedHandlerImpl; import org.springframework.security.web.ExceptionTranslationFilter; import org.springframework.security.web.FilterChainProxy; import org.springframework.security.web.FilterInvocation; 
@@ -351,6 +352,49 @@ public class HttpSecurityBeanDefinitionParserTests { assertEquals("/go-away", FieldUtils.getFieldValue(filter, "accessDeniedHandler.errorPage")); } + @Test + public void accessDeniedHandlerPageIsSetCorectly() throws Exception { + setContext( + " " + + " " + + " " + AUTH_PROVIDER_XML); + ExceptionTranslationFilter filter = (ExceptionTranslationFilter) appContext.getBean(BeanIds.EXCEPTION_TRANSLATION_FILTER); + assertEquals("/go-away", FieldUtils.getFieldValue(filter, "accessDeniedHandler.errorPage")); + } + + @Test + public void accessDeniedHandlerIsSetCorectly() throws Exception { + setContext( + " " + + " " + + " " + + " " + AUTH_PROVIDER_XML); + ExceptionTranslationFilter filter = (ExceptionTranslationFilter) appContext.getBean(BeanIds.EXCEPTION_TRANSLATION_FILTER); + AccessDeniedHandlerImpl adh = (AccessDeniedHandlerImpl) appContext.getBean("adh"); + assertSame(adh, FieldUtils.getFieldValue(filter, "accessDeniedHandler")); + } + + @Test(expected=BeanDefinitionParsingException.class) + public void accessDeniedHandlerAndAccessDeniedHandlerAreMutuallyExclusive() throws Exception { + setContext( + " " + + " " + + " " + AUTH_PROVIDER_XML); + ExceptionTranslationFilter filter = (ExceptionTranslationFilter) appContext.getBean(BeanIds.EXCEPTION_TRANSLATION_FILTER); + assertEquals("/go-away", FieldUtils.getFieldValue(filter, "accessDeniedHandler.errorPage")); + } + + @Test(expected=BeanDefinitionParsingException.class) + public void accessDeniedHandlerPageAndRefAreMutuallyExclusive() throws Exception { + setContext( + " " + + " " + + " " + + " " + AUTH_PROVIDER_XML); + ExceptionTranslationFilter filter = (ExceptionTranslationFilter) appContext.getBean(BeanIds.EXCEPTION_TRANSLATION_FILTER); + assertEquals("/go-away", FieldUtils.getFieldValue(filter, "accessDeniedHandler.errorPage")); + } + @Test public void externalFiltersAreTreatedCorrectly() throws Exception { // Decorated user-filters should be added to stack. The others should be ignored. 
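Review bot: The two `@Test(expected=BeanDefinitionParsingException.class)` methods keep an `ExceptionTranslationFilter` lookup and an `assertEquals` after `setContext(...)`, but those statements are unreachable once the expected exception is thrown and only suggest the test verifies the error page; each of those bodies should end right after the `setContext(...)` call so the negative case reads as a pure rejection test. The method names also need attention: `accessDeniedHandlerAndAccessDeniedHandlerAreMutuallyExclusive` does not say which two settings conflict (the commit describes a page attribute versus a handler element, so `accessDeniedPageAndAccessDeniedHandlerAreMutuallyExclusive` would match), and `Corectly` is misspelled in the two positive tests. The XML literals inside `setContext` are blank in this rendering, so I cannot confirm from the hunk which attributes each case actually sets. The enclosing test class starts outside the hunk.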
diff --git a/config/src/test/java/org/springframework/security/config/util/InMemoryXmlApplicationContext.java b/config/src/test/java/org/springframework/security/config/util/InMemoryXmlApplicationContext.java
index 67e20db828..5d2665d7e3 100644
--- a/config/src/test/java/org/springframework/security/config/util/InMemoryXmlApplicationContext.java
+++ b/config/src/test/java/org/springframework/security/config/util/InMemoryXmlApplicationContext.java
@@ -16,7 +16,7 @@ public class InMemoryXmlApplicationContext extends AbstractXmlApplicationContext
 " xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'\n" +
 " xsi:schemaLocation='http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd\n" +
 "http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.5.xsd\n" +
- "http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.5.xsd'>\n";
+ "http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd'>\n";
 private static final String BEANS_CLOSE = "\n";
 Resource inMemoryXml;
