diff --git a/config/src/main/java/org/springframework/security/config/http/ChannelAttributeFactory.java b/config/src/main/java/org/springframework/security/config/http/ChannelAttributeFactory.java
new file mode 100644
index 0000000000..0160ea03e0
--- /dev/null
+++ b/config/src/main/java/org/springframework/security/config/http/ChannelAttributeFactory.java
@@ -0,0 +1,37 @@
+package org.springframework.security.config.http;
+
+import java.util.List;
+
+import org.springframework.beans.factory.BeanCreationException;
+import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.access.SecurityConfig;
+import org.springframework.security.web.access.channel.ChannelDecisionManagerImpl;
+
+/**
+ * Used as a factory bean to create config attribute values for the requires-channel attribute.
+ *
+ * @author Luke Taylor
+ * @version $Id$
+ * @since 3.0
+ */
+public class ChannelAttributeFactory {
+ private static final String OPT_REQUIRES_HTTP = "http";
+ private static final String OPT_REQUIRES_HTTPS = "https";
+ private static final String OPT_ANY_CHANNEL = "any";
+
+ public static final List createChannelAttributes(String requiredChannel) {
+ String channelConfigAttribute = null;
+
+ if (requiredChannel.equals(OPT_REQUIRES_HTTPS)) {
+ channelConfigAttribute = "REQUIRES_SECURE_CHANNEL";
+ } else if (requiredChannel.equals(OPT_REQUIRES_HTTP)) {
+ channelConfigAttribute = "REQUIRES_INSECURE_CHANNEL";
+ } else if (requiredChannel.equals(OPT_ANY_CHANNEL)) {
+ channelConfigAttribute = ChannelDecisionManagerImpl.ANY_CHANNEL;
+ } else {
+ throw new BeanCreationException("Unknown channel attribute " + requiredChannel);
+ }
+
+ return SecurityConfig.createList(channelConfigAttribute);
+ }
+}
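Review bot: `createChannelAttributes` dereferences its argument first (`requiredChannel.equals(OPT_REQUIRES_HTTPS)` on L31), so a null value — which the parser no longer screens out before this factory runs at bean-creation time — surfaces as a NullPointerException instead of the intended `BeanCreationException`; flipping the comparisons to `OPT_REQUIRES_HTTPS.equals(requiredChannel)` (and likewise for the other two) keeps every bad input on the fail-closed branch. Because that exception is now the only diagnostic a misconfigured or mis-resolved value produces, the message should name the accepted values: `throw new BeanCreationException("Unknown channel attribute '" + requiredChannel + "' (expected http, https or any)");`. `final` on a static method (L28) is redundant and can go; if the `List` return type is genuinely raw rather than a rendering artifact, it should be `List<ConfigAttribute>`, which is also what the L12 import exists for. The class Javadoc could add that matching is exact (case-sensitive, no trimming) and that anything else fails bean creation.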
diff --git a/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java
index 73fc956fd4..33359ca010 100644
--- a/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java
@@ -27,8 +27,6 @@ import org.springframework.beans.factory.xml.BeanDefinitionParser;
import org.springframework.beans.factory.xml.ParserContext;
import org.springframework.core.OrderComparator;
import org.springframework.core.Ordered;
-import org.springframework.security.access.ConfigAttribute;
-import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
@@ -102,9 +100,6 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
private static final String OPT_SESSION_FIXATION_MIGRATE_SESSION = "migrateSession";
static final String ATT_REQUIRES_CHANNEL = "requires-channel";
- private static final String OPT_REQUIRES_HTTP = "http";
- private static final String OPT_REQUIRES_HTTPS = "https";
- private static final String OPT_ANY_CHANNEL = "any";
private static final String ATT_CREATE_SESSION = "create-session";
private static final String DEF_CREATE_SESSION_IF_REQUIRED = "ifRequired";
@@ -180,7 +175,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
// Use ManagedMap to allow placeholder resolution
final ManagedMap> filterChainMap =
parseInterceptUrlsForEmptyFilterChains(interceptUrls, convertPathsToLowerCase, pc);
- final ManagedMap> channelRequestMap =
+ final ManagedMap channelRequestMap =
parseInterceptUrlsForChannelSecurity(interceptUrls, convertPathsToLowerCase, pc);
BeanDefinition cpf = null;
@@ -893,7 +888,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
}
private BeanDefinition createChannelProcessingFilter(ParserContext pc, UrlMatcher matcher,
- ManagedMap> channelRequestMap, String portMapperBeanName) {
+ ManagedMap channelRequestMap, String portMapperBeanName) {
RootBeanDefinition channelFilter = new RootBeanDefinition(ChannelProcessingFilter.class);
BeanDefinitionBuilder metadataSourceBldr = BeanDefinitionBuilder.rootBeanDefinition(DefaultFilterInvocationSecurityMetadataSource.class);
metadataSourceBldr.addConstructorArgValue(matcher);
@@ -1189,10 +1184,10 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
* Parses the intercept-url elements to obtain the map used by channel security.
* This will be empty unless the requires-channel attribute has been used on a URL path.
*/
- private ManagedMap> parseInterceptUrlsForChannelSecurity(List urlElts,
+ private ManagedMap parseInterceptUrlsForChannelSecurity(List urlElts,
boolean useLowerCasePaths, ParserContext parserContext) {
- ManagedMap> channelRequestMap = new ManagedMap>();
+ ManagedMap channelRequestMap = new ManagedMap();
for (Element urlElt : urlElts) {
String path = urlElt.getAttribute(ATT_PATH_PATTERN);
@@ -1208,22 +1203,14 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
String requiredChannel = urlElt.getAttribute(ATT_REQUIRES_CHANNEL);
if (StringUtils.hasText(requiredChannel)) {
- String channelConfigAttribute = null;
-
- if (requiredChannel.equals(OPT_REQUIRES_HTTPS)) {
- channelConfigAttribute = "REQUIRES_SECURE_CHANNEL";
- } else if (requiredChannel.equals(OPT_REQUIRES_HTTP)) {
- channelConfigAttribute = "REQUIRES_INSECURE_CHANNEL";
- } else if (requiredChannel.equals(OPT_ANY_CHANNEL)) {
- channelConfigAttribute = ChannelDecisionManagerImpl.ANY_CHANNEL;
- } else {
- parserContext.getReaderContext().error("Unsupported channel " + requiredChannel, urlElt);
- }
-
BeanDefinition requestKey = new RootBeanDefinition(RequestKey.class);
requestKey.getConstructorArgumentValues().addGenericArgumentValue(path);
- channelRequestMap.put(requestKey, SecurityConfig.createList(channelConfigAttribute));
+ RootBeanDefinition channelAttributes = new RootBeanDefinition(ChannelAttributeFactory.class);
+ channelAttributes.getConstructorArgumentValues().addGenericArgumentValue(requiredChannel);
+ channelAttributes.setFactoryMethodName("createChannelAttributes");
+
+ channelRequestMap.put(requestKey, channelAttributes);
}
}
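Review bot: Dropping `parserContext.getReaderContext().error("Unsupported channel " + requiredChannel, urlElt)` means a misspelled `requires-channel` value is no longer reported against the offending `intercept-url` element at parse time; it now fails later during bean creation without the XML location. Presumably the deferral exists so placeholder values can be resolved (the "Use ManagedMap to allow placeholder resolution" comment earlier in this parser suggests so); if that is the reason, a literal value could still be checked here when it contains no placeholder, keeping the element-located error for the common case while leaving placeholders to the factory. The outcome is still fail-closed — the context refuses to start rather than silently defaulting the channel — which is the right behaviour for a transport-security setting. `parseInterceptUrlsForChannelSecurity` continues outside the hunk, so whether `ChannelDecisionManagerImpl` is still referenced elsewhere in this file cannot be confirmed from here.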
diff --git a/config/src/main/java/org/springframework/security/config/http/WebConfigUtils.java b/config/src/main/java/org/springframework/security/config/http/WebConfigUtils.java
index 6f02008848..538d98ed58 100644
--- a/config/src/main/java/org/springframework/security/config/http/WebConfigUtils.java
+++ b/config/src/main/java/org/springframework/security/config/http/WebConfigUtils.java
@@ -9,7 +9,7 @@ import org.springframework.util.StringUtils;
*
* @author Luke Taylor
* @author Ben Alex
- * @version $Id: WebConfigUtils.java 3770 2009-07-15 23:09:47Z ltaylor $
+ * @version $Id$
*/
abstract class WebConfigUtils {
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc
index 620ca61e1d..4a3326b5ba 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc
@@ -316,8 +316,8 @@ intercept-url.attlist &=
## The filter list for the path. Currently can be set to "none" to remove a path from having any filters applied. The full filter stack (consisting of all filters created by the namespace configuration, and any added using 'custom-filter'), will be applied to any other paths.
attribute filters {"none"}?
intercept-url.attlist &=
- ## Used to specify that a URL must be accessed over http or https, or that there is no preference.
- attribute requires-channel {"http" | "https" | "any"}?
+ ## Used to specify that a URL must be accessed over http or https, or that there is no preference. The value should be "http", "https" or "any", respectively.
+ attribute requires-channel {xsd:token}?
logout =
## Incorporates a logout processing filter. Most web applications require a logout filter, although you may not require one if you write a controller to provider similar logic.
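Review bot: Relaxing `requires-channel` from the `{"http" | "https" | "any"}` enumeration to `xsd:token` removes the only schema-level check on this attribute, so a typo passes XML validation and is caught only when the channel filter bean is created; the documentation line should say why the value is free-form, presumably to permit a property placeholder, e.g. append `A property placeholder may also be used; it is resolved when the filter chain is built, and an unrecognised value causes a bean creation failure.` The word "respectively" in the new text has nothing to pair with and reads oddly — `The value should be "http", "https" or "any".` is clearer.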
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd
index 35bee32393..2263245cfa 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd
@@ -1,1736 +1,1711 @@
-
-
-
- Defines the hashing algorithm used on user passwords. We recommend
- strongly against using MD4, as it is a very weak hashing
- algorithm.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Whether a string should be base64 encoded
-
-
-
-
-
-
-
-
-
-
-
-
- Defines the type of pattern used to specify URL paths (either JDK
- 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if
- unspecified.
-
-
-
-
-
-
-
-
-
-
-
-
- Specifies an IP port number. Used to configure an embedded LDAP
- server, for example.
-
-
-
-
-
-
- Specifies a URL.
-
-
-
-
-
-
- A bean identifier, used for referring to the bean elsewhere in the
- context.
-
-
-
-
-
-
- Defines a reference to a Spring bean Id.
-
-
-
-
-
-
- Defines a reference to a cache for use with a
- UserDetailsService.
-
-
-
-
-
-
- A reference to a user-service (or UserDetailsService bean)
- Id
-
-
-
-
-
-
- A reference to a DataSource bean
-
-
-
-
-
-
- Defines a reference to a Spring bean Id.
-
-
-
-
- Defines the hashing algorithm used on user passwords. We recommend
- strongly against using MD4, as it is a very weak hashing
- algorithm.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Whether a string should be base64 encoded
-
-
-
-
-
-
-
-
-
-
-
-
- A property of the UserDetails object which will be used as salt by a
- password encoder. Typically something like "username" might be used.
-
-
-
-
-
-
-
- A single value that will be used as the salt for a password encoder.
-
-
-
-
-
-
-
-
-
-
-
-
-
- A non-empty string prefix that will be added to role strings loaded
- from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases
- where the default is non-empty.
-
-
-
-
-
-
- Enables the use of expressions in the 'access' attributes in
- <intercept-url> elements rather than the traditional list of
- configuration attributes. Defaults to 'false'. If enabled, each attribute should
- contain a single boolean expression. If the expression evaluates to 'true', access
- will be granted.
-
-
-
-
+ xmlns:security="http://www.springframework.org/schema/security" elementFormDefault="qualified"
+ targetNamespace="http://www.springframework.org/schema/security">
+
+
- Defines an LDAP server location or starts an embedded server. The url
- indicates the location of a remote server. If no url is given, an embedded server will
- be started, listening on the supplied port number. The port is optional and defaults to
- 33389. A Spring LDAP ContextSource bean will be registered for the server with the id
- supplied.
+ Defines the hashing algorithm used on user passwords. We recommend
+ strongly against using MD4, as it is a very weak hashing algorithm.
-
-
-
-
-
-
-
- A bean identifier, used for referring to the bean elsewhere in the
- context.
-
-
-
-
- Specifies a URL.
-
-
-
-
- Specifies an IP port number. Used to configure an embedded LDAP
- server, for example.
-
-
-
-
- Username (DN) of the "manager" user identity which will be used to
- authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be
- used.
-
-
-
-
- The password for the manager DN.
-
-
-
-
- Explicitly specifies an ldif file resource to load into an embedded
- LDAP server
-
-
-
-
- Optional root suffix for the embedded LDAP server. Default is
- "dc=springframework,dc=org"
-
-
-
-
-
-
- The optional server to use. If omitted, and a default LDAP server is
- registered (using <ldap-server> with no Id), that server will be used.
-
-
-
-
-
-
-
- Group search filter. Defaults to (uniqueMember={0}). The substituted
- parameter is the DN of the user.
-
-
-
-
-
-
- Search base for group membership searches. Defaults to "" (searching
- from the root).
-
-
-
-
-
-
- The LDAP filter used to search for users (optional). For example
- "(uid={0})". The substituted parameter is the user's login name.
-
-
-
-
-
-
- Search base for user searches. Defaults to "". Only used with a
- 'user-search-filter'.
-
-
-
-
-
-
- The LDAP attribute name which contains the role name which will be
- used within Spring Security. Defaults to "cn".
-
-
-
-
-
-
- Allows the objectClass of the user entry to be specified. If set, the
- framework will attempt to load standard attributes for the defined class into the
- returned UserDetails object
-
-
-
-
-
-
-
-
-
-
-
-
- Allows explicit customization of the loaded user object by specifying
- a UserDetailsContextMapper bean which will be called with the context information
- from the user's directory entry
-
-
-
-
-
-
-
-
-
-
-
- A bean identifier, used for referring to the bean elsewhere in the
- context.
-
-
-
-
- The optional server to use. If omitted, and a default LDAP server is
- registered (using <ldap-server> with no Id), that server will be used.
-
-
-
-
-
- The LDAP filter used to search for users (optional). For example
- "(uid={0})". The substituted parameter is the user's login name.
-
-
-
-
- Search base for user searches. Defaults to "". Only used with a
- 'user-search-filter'.
-
-
-
-
- Group search filter. Defaults to (uniqueMember={0}). The substituted
- parameter is the DN of the user.
-
-
-
-
- Search base for group membership searches. Defaults to "" (searching
- from the root).
-
-
-
-
- The LDAP attribute name which contains the role name which will be
- used within Spring Security. Defaults to "cn".
-
-
-
-
- Defines a reference to a cache for use with a
- UserDetailsService.
-
-
-
-
- A non-empty string prefix that will be added to role strings loaded
- from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases
- where the default is non-empty.
-
-
-
-
- Allows the objectClass of the user entry to be specified. If set, the
- framework will attempt to load standard attributes for the defined class into the
- returned UserDetails object
-
-
-
-
-
-
-
-
-
-
- Allows explicit customization of the loaded user object by specifying
- a UserDetailsContextMapper bean which will be called with the context information
- from the user's directory entry
-
-
-
-
-
-
- The optional server to use. If omitted, and a default LDAP server is
- registered (using <ldap-server> with no Id), that server will be used.
-
-
-
-
-
- Search base for user searches. Defaults to "". Only used with a
- 'user-search-filter'.
-
-
-
-
- The LDAP filter used to search for users (optional). For example
- "(uid={0})". The substituted parameter is the user's login name.
-
-
-
-
- Search base for group membership searches. Defaults to "" (searching
- from the root).
-
-
-
-
- Group search filter. Defaults to (uniqueMember={0}). The substituted
- parameter is the DN of the user.
-
-
-
-
- The LDAP attribute name which contains the role name which will be
- used within Spring Security. Defaults to "cn".
-
-
-
-
- A specific pattern used to build the user's DN, for example
- "uid={0},ou=people". The key "{0}" must be present and will be substituted with the
- username.
-
-
-
-
- A non-empty string prefix that will be added to role strings loaded
- from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases
- where the default is non-empty.
-
-
-
-
- Allows the objectClass of the user entry to be specified. If set, the
- framework will attempt to load standard attributes for the defined class into the
- returned UserDetails object
-
-
-
-
-
-
-
-
-
-
- Allows explicit customization of the loaded user object by specifying
- a UserDetailsContextMapper bean which will be called with the context information
- from the user's directory entry
-
-
-
-
-
-
- The attribute in the directory which contains the user password.
- Defaults to "userPassword".
-
-
-
-
- Defines the hashing algorithm used on user passwords. We recommend
- strongly against using MD4, as it is a very weak hashing
- algorithm.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
- Can be used inside a bean definition to add a security interceptor to the
- bean and set up access configuration attributes for the bean's
- methods
+ Whether a string should be base64 encoded
-
-
-
-
- Defines a protected method and the access control configuration
- attributes that apply to it. We strongly advise you NOT to mix "protect"
- declarations with any services provided
- "global-method-security".
-
-
-
-
-
-
-
-
-
-
-
-
- Optional AccessDecisionManager bean ID to be used by the created
- method security interceptor.
-
-
-
-
-
-
- A method name
-
-
-
-
- Access configuration attributes list that applies to the method, e.g.
- "ROLE_A,ROLE_B".
-
-
-
-
+
+
+
+
+
+
+
+
+
+
- Provides method security for all beans registered in the Spring
- application context. Specifically, beans will be scanned for matches with the ordered
- list of "protect-pointcut" sub-elements, Spring Security annotations and/or. Where there
- is a match, the beans will automatically be proxied and security authorization applied
- to the methods accordingly. If you use and enable all four sources of method security
- metadata (ie "protect-pointcut" declarations, expression annotations, @Secured and also
- JSR250 security annotations), the metadata sources will be queried in that order. In
- practical terms, this enables you to use XML to override method security metadata
- expressed in annotations. If using annotations, the order of precedence is EL-based
- (@PreAuthorize etc.), @Secured and finally JSR-250.
+ Defines the type of pattern used to specify URL paths (either JDK
+ 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if
+ unspecified.
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+ Specifies an IP port number. Used to configure an embedded LDAP server,
+ for example.
+
+
+
+
+
+
+ Specifies a URL.
+
+
+
+
+
+
+ A bean identifier, used for referring to the bean elsewhere in the
+ context.
+
+
+
+
+
+
+ Defines a reference to a Spring bean Id.
+
+
+
+
+
+
+ Defines a reference to a cache for use with a
+ UserDetailsService.
+
+
+
+
+
+
+ A reference to a user-service (or UserDetailsService bean)
+ Id
+
+
+
+
+
+
+ A reference to a DataSource bean
+
+
+
+
+
+
+ Defines a reference to a Spring bean Id.
+
+
+
+
+ Defines the hashing algorithm used on user passwords. We recommend
+ strongly against using MD4, as it is a very weak hashing algorithm.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Whether a string should be base64 encoded
+
+
+
+
+
+
+
+
+
+
+
+
+ A property of the UserDetails object which will be used as salt by a
+ password encoder. Typically something like "username" might be used.
+
+
+
+
+
+
+ A single value that will be used as the salt for a password encoder.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ A non-empty string prefix that will be added to role strings loaded from
+ persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the
+ default is non-empty.
+
+
+
+
+
+
+ Enables the use of expressions in the 'access' attributes in
+ <intercept-url> elements rather than the traditional list of configuration
+ attributes. Defaults to 'false'. If enabled, each attribute should contain a single
+ boolean expression. If the expression evaluates to 'true', access will be granted.
+
+
+
+
+
+
+ Defines an LDAP server location or starts an embedded server. The url
+ indicates the location of a remote server. If no url is given, an embedded server will be
+ started, listening on the supplied port number. The port is optional and defaults to 33389.
+ A Spring LDAP ContextSource bean will be registered for the server with the id supplied.
+
+
+
+
+
+
+
+
+
+ A bean identifier, used for referring to the bean elsewhere in the
+ context.
+
+
+
+
+ Specifies a URL.
+
+
+
+
+ Specifies an IP port number. Used to configure an embedded LDAP server,
+ for example.
+
+
+
+
+ Username (DN) of the "manager" user identity which will be used to
+ authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be used.
+
+
+
+
+
+ The password for the manager DN.
+
+
+
+
+ Explicitly specifies an ldif file resource to load into an embedded LDAP
+ server
+
+
+
+
+ Optional root suffix for the embedded LDAP server. Default is
+ "dc=springframework,dc=org"
+
+
+
+
+
+
+ The optional server to use. If omitted, and a default LDAP server is
+ registered (using <ldap-server> with no Id), that server will be used.
+
+
+
+
+
+
+
+ Group search filter. Defaults to (uniqueMember={0}). The substituted
+ parameter is the DN of the user.
+
+
+
+
+
+
+ Search base for group membership searches. Defaults to "" (searching from
+ the root).
+
+
+
+
+
+
+ The LDAP filter used to search for users (optional). For example
+ "(uid={0})". The substituted parameter is the user's login name.
+
+
+
+
+
+
+ Search base for user searches. Defaults to "". Only used with a
+ 'user-search-filter'.
+
+
+
+
+
+
+ The LDAP attribute name which contains the role name which will be used
+ within Spring Security. Defaults to "cn".
+
+
+
+
+
+
+ Allows the objectClass of the user entry to be specified. If set, the
+ framework will attempt to load standard attributes for the defined class into the returned
+ UserDetails object
+
+
+
+
+
+
+
+
+
+
+
+
+ Allows explicit customization of the loaded user object by specifying a
+ UserDetailsContextMapper bean which will be called with the context information from the
+ user's directory entry
+
+
+
+
+
+
+
+
+
+
+
+ A bean identifier, used for referring to the bean elsewhere in the
+ context.
+
+
+
+
+ The optional server to use. If omitted, and a default LDAP server is
+ registered (using <ldap-server> with no Id), that server will be used.
+
+
+
+
+
+ The LDAP filter used to search for users (optional). For example
+ "(uid={0})". The substituted parameter is the user's login name.
+
+
+
+
+ Search base for user searches. Defaults to "". Only used with a
+ 'user-search-filter'.
+
+
+
+
+ Group search filter. Defaults to (uniqueMember={0}). The substituted
+ parameter is the DN of the user.
+
+
+
+
+ Search base for group membership searches. Defaults to "" (searching from
+ the root).
+
+
+
+
+ The LDAP attribute name which contains the role name which will be used
+ within Spring Security. Defaults to "cn".
+
+
+
+
+ Defines a reference to a cache for use with a
+ UserDetailsService.
+
+
+
+
+ A non-empty string prefix that will be added to role strings loaded from
+ persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the
+ default is non-empty.
+
+
+
+
+ Allows the objectClass of the user entry to be specified. If set, the
+ framework will attempt to load standard attributes for the defined class into the returned
+ UserDetails object
+
+
+
+
+
+
+
+
+
+
+ Allows explicit customization of the loaded user object by specifying a
+ UserDetailsContextMapper bean which will be called with the context information from the
+ user's directory entry
+
+
+
+
+
+
+ The optional server to use. If omitted, and a default LDAP server is
+ registered (using <ldap-server> with no Id), that server will be used.
+
+
+
+
+
+ Search base for user searches. Defaults to "". Only used with a
+ 'user-search-filter'.
+
+
+
+
+ The LDAP filter used to search for users (optional). For example
+ "(uid={0})". The substituted parameter is the user's login name.
+
+
+
+
+ Search base for group membership searches. Defaults to "" (searching from
+ the root).
+
+
+
+
+ Group search filter. Defaults to (uniqueMember={0}). The substituted
+ parameter is the DN of the user.
+
+
+
+
+ The LDAP attribute name which contains the role name which will be used
+ within Spring Security. Defaults to "cn".
+
+
+
+
+ A specific pattern used to build the user's DN, for example
+ "uid={0},ou=people". The key "{0}" must be present and will be substituted with the
+ username.
+
+
+
+
+ A non-empty string prefix that will be added to role strings loaded from
+ persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the
+ default is non-empty.
+
+
+
+
+ Allows the objectClass of the user entry to be specified. If set, the
+ framework will attempt to load standard attributes for the defined class into the returned
+ UserDetails object
+
+
+
+
+
+
+
+
+
+
+ Allows explicit customization of the loaded user object by specifying a
+ UserDetailsContextMapper bean which will be called with the context information from the
+ user's directory entry
+
+
+
+
+
+
+ The attribute in the directory which contains the user password. Defaults
+ to "userPassword".
+
+
+
+
+ Defines the hashing algorithm used on user passwords. We recommend
+ strongly against using MD4, as it is a very weak hashing algorithm.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Can be used inside a bean definition to add a security interceptor to the
+ bean and set up access configuration attributes for the bean's methods
+
+
+
+
+
+ Defines a protected method and the access control configuration
+ attributes that apply to it. We strongly advise you NOT to mix "protect" declarations
+ with any services provided "global-method-security".
+
+
+
+
+
+
+
+
+
+
+
+
+ Optional AccessDecisionManager bean ID to be used by the created method
+ security interceptor.
+
+
+
+
+
+
+ A method name
+
+
+
+
+ Access configuration attributes list that applies to the method, e.g.
+ "ROLE_A,ROLE_B".
+
+
+
+
+
+ Provides method security for all beans registered in the Spring application
+ context. Specifically, beans will be scanned for matches with the ordered list of
+ "protect-pointcut" sub-elements, Spring Security annotations and/or. Where there is a match,
+ the beans will automatically be proxied and security authorization applied to the methods
+ accordingly. If you use and enable all four sources of method security metadata (ie
+ "protect-pointcut" declarations, expression annotations, @Secured and also JSR250 security
+ annotations), the metadata sources will be queried in that order. In practical terms, this
+ enables you to use XML to override method security metadata expressed in annotations. If
+ using annotations, the order of precedence is EL-based (@PreAuthorize etc.), @Secured and
+ finally JSR-250.
+
+
+
+
+
+
+ Allows the default expression-based mechanism for handling Spring
+ Security's pre and post invocation annotations (@PreFilter, @PreAuthorize,
+ @PostFilter, @PostAuthorize) to be replace entirely. Only applies if these
+ annotations are enabled.
+
+
+
+
- Allows the default expression-based mechanism for handling
- Spring Security's pre and post invocation annotations (@PreFilter,
- @PreAuthorize, @PostFilter, @PostAuthorize) to be replace entirely. Only
- applies if these annotations are enabled.
+ Defines the PrePostInvocationAttributeFactory instance which
+ is used to generate pre and post invocation metadata from the annotated
+ methods.
-
-
-
- Defines the PrePostInvocationAttributeFactory
- instance which is used to generate pre and post invocation metadata
- from the annotated methods.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
-
-
-
- Defines the SecurityExpressionHandler instance which will be
- used if expression-based access-control is enabled. A default implementation
- (with no ACL support) will be used if not supplied.
-
+
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+ Defines the SecurityExpressionHandler instance which will be used if
+ expression-based access-control is enabled. A default implementation (with no ACL
+ support) will be used if not supplied.
+
+
+
+
+
+
+
+
+ Defines a protected pointcut and the access control configuration
+ attributes that apply to it. Every bean registered in the Spring application context
+ that provides a method that matches the pointcut will receive security
+ authorization.
+
+
+
+
+
+
+
+ Allows addition of extra AfterInvocationProvider beans which should be
+ called by the MethodSecurityInterceptor created by
+ global-method-security.
+
+
+
+
+
+
+
+
+
+
+
+
+ Specifies whether the use of Spring Security's pre and post invocation
+ annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be enabled for
+ this application context. Defaults to "disabled".
+
+
+
+
+
+
+
+
+
+
+ Specifies whether the use of Spring Security's @Secured annotations should
+ be enabled for this application context. Defaults to "disabled".
+
+
+
+
+
+
+
+
+
+
+ Specifies whether JSR-250 style attributes are to be used (for example
+ "RolesAllowed"). This will require the javax.annotation.security classes on the classpath.
+ Defaults to "disabled".
+
+
+
+
+
+
+
+
+
+
+ Optional AccessDecisionManager bean ID to override the default used for
+ method security.
+
+
+
+
+ Optional RunAsmanager implementation which will be used by the configured
+ MethodSecurityInterceptor
+
+
+
+
+
+ No longer supported. Use after-invocation-provider
+ instead.
+
+
+
+
+
+
+ An AspectJ expression, including the 'execution' keyword. For example,
+ 'execution(int com.foo.TargetObject.countLength(String))' (without the
+ quotes).
+
+
+
+
+ Access configuration attributes list that applies to all methods matching
+ the pointcut, e.g. "ROLE_A,ROLE_B"
+
+
+
+
+
+ Container element for HTTP security configuration
+
+
+
+
+
+ Specifies the access attributes and/or filter list for a particular
+ set of URLs.
+
+
+
+
+
+
+
+ Defines the access-denied strategy that should be used. An access
+ denied page can be defined or a reference to an AccessDeniedHandler instance.
+
+
+
+
+
+
+
+
+ Sets up a form login configuration for authentication with a username
+ and password
+
+
+
+
+
+
+
+ Sets up form login for authentication with an Open ID
+ identity
+
+
+
+
+
+
+
+
+ A reference to a user-service (or UserDetailsService bean)
+ Id
+
+
+
+
+
+
+ Adds support for X.509 client authentication.
+
+
+
+
+
+
+
+ Adds support for basic authentication (this is an element to permit
+ future expansion, such as supporting an "ignoreFailure" attribute)
+
+
+
+
+
+ Incorporates a logout processing filter. Most web applications require
+ a logout filter, although you may not require one if you write a controller to
+ provider similar logic.
+
+
+
+
+
+
+
+ Adds support for concurrent session control, allowing limits to be
+ placed on the number of sessions a user can have.
+
+
+
+
+
+
+
+ Sets up remember-me authentication. If used with the "key" attribute
+ (or no attributes) the cookie-only implementation will be used. Specifying
+ "token-repository-ref" or "remember-me-data-source-ref" will use the more secure,
+ persisten token approach.
+
+
+
+
+
+
+
+ Adds support for automatically granting all anonymous web requests a
+ particular principal identity and a corresponding granted
+ authority.
+
+
+
+
+
+
+
+ Defines the list of mappings between http and https ports for use in
+ redirects
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Automatically registers a login form, BASIC authentication, anonymous
+ authentication, logout services, remember-me and servlet-api-integration. If set to
+ "true", all of these capabilities are added (although you can still customize the
+ configuration of each by providing the respective element). If unspecified, defaults to
+ "false".
+
+
+
+
+ Enables the use of expressions in the 'access' attributes in
+ <intercept-url> elements rather than the traditional list of configuration
+ attributes. Defaults to 'false'. If enabled, each attribute should contain a single
+ boolean expression. If the expression evaluates to 'true', access will be granted.
+
+
+
+
+
+ Controls the eagerness with which an HTTP session is created. If not set,
+ defaults to "ifRequired". Note that if a custom SecurityContextRepository is set using
+ security-context-repository-ref, then the only value which can be set is "always".
+ Otherwise the session creation behaviour will be determined by the repository bean
+ implementation.
+
+
+
+
+
+
+
+
+
+
+
+ A reference to a SecurityContextRepository bean. This can be used to
+ customize how the SecurityContext is stored between requests.
+
+
+
+
+ Defines the type of pattern used to specify URL paths (either JDK
+ 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if
+ unspecified.
+
+
+
+
+
+
+
+
+
+
+ Whether test URLs should be converted to lower case prior to comparing
+ with defined path patterns. If unspecified, defaults to "true".
+
+
+
+
+ Provides versions of HttpServletRequest security methods such as
+ isUserInRole() and getPrincipal() which are implemented by accessing the Spring
+ SecurityContext. Defaults to "true".
+
+
+
+
+ Optional attribute specifying the ID of the AccessDecisionManager
+ implementation which should be used for authorizing HTTP requests.
+
+
+
+
+ Optional attribute specifying the realm name that will be used for all
+ authentication features that require a realm name (eg BASIC and Digest authentication). If
+ unspecified, defaults to "Spring Security Application".
+
+
+
+
+ Indicates whether an existing session should be invalidated when a user
+ authenticates and a new session started. If set to "none" no change will be made.
+ "newSession" will create a new empty session. "migrateSession" will create a new session
+ and copy the session attributes to the new session. Defaults to
+ "migrateSession".
+
+
+
+
+
+
+
+
+
+
+
+ Allows a customized AuthenticationEntryPoint to be
+ used.
+
+
+
+
+ Corresponds to the observeOncePerRequest property of
+ FilterSecurityInterceptor. Defaults to "true"
+
+
+
+
+ Deprecated in favour of the access-denied-handler
+ element.
+
+
+
+
+
+
+
+
+
+ The URL to which a user will be redirected if they submit an invalid
+ session indentifier. Typically used to detect session timeouts.
+
+
+
+
+
+
+ Defines a reference to a Spring bean Id.
+
+
+
+
+ The access denied page that an authenticated user will be redirected to if
+ they request a page which they don't have the authority to access.
+
+
+
+
+
+
+ The access denied page that an authenticated user will be redirected to if
+ they request a page which they don't have the authority to access.
+
+
+
+
+
+
+ The pattern which defines the URL path. The content will depend on the
+ type set in the containing http element, so will default to ant path
+ syntax.
+
+
+
+
+ The access configuration attributes that apply for the configured
+ path.
+
+
+
+
+ The HTTP Method for which the access configuration attributes should
+ apply. If not specified, the attributes will apply to any method.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The filter list for the path. Currently can be set to "none" to remove a
+ path from having any filters applied. The full filter stack (consisting of all filters
+ created by the namespace configuration, and any added using 'custom-filter'), will be
+ applied to any other paths.
+
+
+
+
+
+
+
+
+
+ Used to specify that a URL must be accessed over http or https, or that
+ there is no preference. The value should be "http", "https" or "any",
+ respectively.
+
+
+
+
+
+
+ Specifies the URL that will cause a logout. Spring Security will
+ initialize a filter that responds to this particular URL. Defaults to
+ /j_spring_security_logout if unspecified.
+
+
+
+
+ Specifies the URL to display once the user has logged out. If not
+ specified, defaults to /.
+
+
+
+
+ Specifies whether a logout also causes HttpSession invalidation, which is
+ generally desirable. If unspecified, defaults to true.
+
+
+
+
+
+
+ The URL that the login form is posted to. If unspecified, it defaults to
+ /j_spring_security_check.
+
+
+
+
+ The URL that will be redirected to after successful authentication, if the
+ user's previous action could not be resumed. This generally happens if the user visits a
+ login page without having first requested a secured operation that triggers
+ authentication. If unspecified, defaults to the root of the
+ application.
+
+
+
+
+ Whether the user should always be redirected to the default-target-url
+ after login.
+
+
+
+
+ The URL for the login page. If no login URL is specified, Spring Security
+ will automatically create a login URL at /spring_security_login and a corresponding filter
+ to render that login URL when requested.
+
+
+
+
+ The URL for the login failure page. If no login failure URL is specified,
+ Spring Security will automatically create a failure login URL at
+ /spring_security_login?login_error and a corresponding filter to render that login failure
+ URL when requested.
+
+
+
+
+ Reference to an AuthenticationSuccessHandler bean which should be used to
+ handle a successful authentication request. Should not be used in combination with
+ default-target-url (or always-use-default-target-url) as the implementation should always
+ deal with navigation to the subsequent destination
+
+
+
+
+ Reference to an AuthenticationFailureHandler bean which should be used to
+ handle a failed authentication request. Should not be used in combination with
+ authentication-failure-url as the implementation should always deal with navigation to the
+ subsequent destination
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Used to explicitly configure a FilterChainProxy instance with a
+ FilterChainMap
+
+
+
+
+
+ Used within filter-chain-map to define a specific URL pattern and the
+ list of filters which apply to the URLs matching that pattern. When multiple
+ filter-chain elements are used within a filter-chain-map element, the most specific
+ patterns must be placed at the top of the list, with most general ones at the
+ bottom.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Used to explicitly configure a FilterSecurityMetadataSource bean for use
+ with a FilterSecurityInterceptor. Usually only needed if you are configuring a
+ FilterChainProxy explicitly, rather than using the <http> element. The
+ intercept-url elements used should only contain pattern, method and access attributes. Any
+ others will result in a configuration error.
+
+
+
+
+
+ Specifies the access attributes and/or filter list for a particular
+ set of URLs.
+
+
+
+
+
+
+
+
+
+
+
+
+ Enables the use of expressions in the 'access' attributes in
+ <intercept-url> elements rather than the traditional list of configuration
+ attributes. Defaults to 'false'. If enabled, each attribute should contain a single
+ boolean expression. If the expression evaluates to 'true', access will be granted.
+
+
+
+
+
+ A bean identifier, used for referring to the bean elsewhere in the
+ context.
+
+
+
+
+ as for http element
+
+
+
+
+ Defines the type of pattern used to specify URL paths (either JDK
+ 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if
+ unspecified.
+
+
+
+
+
+
+
+
+
+
+
+ Deprecated synonym for filter-security-metadata-source
+
+
+
+
+
+ Specifies the access attributes and/or filter list for a particular
+ set of URLs.
+
+
+
+
+
+
+
+
+
+
+
+
+ The maximum number of sessions a single user can have open at the same
+ time. Defaults to "1".
+
+
+
+
+ The URL a user will be redirected to if they attempt to use a session
+ which has been "expired" by the concurrent session controller because they have logged in
+ again.
+
+
+
+
+ Specifies that an exception should be raised when a user attempts to login
+ when they already have the maximum configured sessions open. The default behaviour is to
+ expire the original session.
+
+
+
+
+ Allows you to define an alias for the SessionRegistry bean in order to
+ access it in your own configuration
+
+
+
+
+ A reference to an external SessionRegistry implementation which will be
+ used in place of the standard one.
+
+
+
+
+ Allows a custom session controller to be set on the internal http
+ AuthenticationManager. If used, the session-registry-ref attribute must also be
+ set.
+
+
+
+
+
+
+ The "key" used to identify cookies from a specific token-based remember-me
+ application. You should set this to a unique value for your
+ application.
+
+
+
+
+ Reference to a PersistentTokenRepository bean for use with the persistent
+ token remember-me implementation.
+
+
+
+
+ A reference to a DataSource bean
+
+
+
+
+
+ A reference to a user-service (or UserDetailsService bean)
+ Id
+
+
+
+
+ Exports the internally defined RememberMeServices as a bean alias,
+ allowing it to be used by other beans in the application context.
+
+
+
+
+ The period (in seconds) for which the remember-me cookie should be
+ valid.
+
+
+
+
+
+
+ Reference to a PersistentTokenRepository bean for use with the persistent
+ token remember-me implementation.
+
+
+
+
+
+
+ Allows a custom implementation of RememberMeServices to be used. Note that
+ this implementation should return RememberMeAuthenticationToken instances with the same
+ "key" value as specified in the remember-me element. Alternatively it should register its
+ own AuthenticationProvider.
+
+
+
+
+
+
+
+
+
+ The key shared between the provider and filter. This generally does not
+ need to be set. If unset, it will default to "doesNotMatter".
+
+
+
+
+ The username that should be assigned to the anonymous request. This allows
+ the principal to be identified, which may be important for logging and auditing. if unset,
+ defaults to "anonymousUser".
+
+
+
+
+ The granted authority that should be assigned to the anonymous request.
+ Commonly this is used to assign the anonymous request particular roles, which can
+ subsequently be used in authorization decisions. If unset, defaults to
+ "ROLE_ANONYMOUS".
+
+
+
+
+ With the default namespace setup, the anonymous "authentication" facility
+ is automatically enabled. You can disable it using this property.
+
+
+
+
+
+
+
+
+
+
+
+
+ The regular expression used to obtain the username from the certificate's
+ subject. Defaults to matching on the common name using the pattern
+ "CN=(.*?),".
+
+
+
+
+ A reference to a user-service (or UserDetailsService bean)
+ Id
+
+
+
+
+
+ Registers the AuthenticationManager instance and allows its list of
+ AuthenticationProviders to be defined. should use. Also allows you to define an alias to
+ allow you to reference the AuthenticationManager in your own beans.
+
+
+
+
+
+ Indicates that the contained user-service should be used as an
+ authentication source.
+
+
+
+
+
+
+ element which defines a password encoding strategy. Used by an
+ authentication provider to convert submitted passwords to hashed versions, for
+ example.
+
+
+
+
+
+ Password salting strategy. A system-wide constant or a
+ property from the UserDetails object can be used.
+
+
+
+
+ A property of the UserDetails object which will be
+ used as salt by a password encoder. Typically something like
+ "username" might be used.
+
+
+
+
+ A single value that will be used as the salt for a
+ password encoder.
+
+
+
+
+ Defines a reference to a Spring bean
+ Id.
+
+
+
+
+
+
+
+
-
-
- Defines a protected pointcut and the access control
- configuration attributes that apply to it. Every bean registered in the Spring
- application context that provides a method that matches the pointcut will
- receive security authorization.
-
-
-
-
-
-
-
- Allows addition of extra AfterInvocationProvider beans which
- should be called by the MethodSecurityInterceptor created by
- global-method-security.
-
-
-
-
-
-
-
-
-
-
-
-
- Specifies whether the use of Spring Security's pre and post invocation
- annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be
- enabled for this application context. Defaults to "disabled".
-
-
-
-
-
-
-
-
-
-
- Specifies whether the use of Spring Security's @Secured annotations
- should be enabled for this application context. Defaults to
- "disabled".
-
-
-
-
-
-
-
-
-
-
- Specifies whether JSR-250 style attributes are to be used (for example
- "RolesAllowed"). This will require the javax.annotation.security classes on the
- classpath. Defaults to "disabled".
-
-
-
-
-
-
-
-
-
-
- Optional AccessDecisionManager bean ID to override the default used
- for method security.
-
-
-
-
- Optional RunAsmanager implementation which will be used by the
- configured MethodSecurityInterceptor
-
-
-
-
-
- Used to decorate an AfterInvocationProvider to specify that it should be
- used with method security.
-
-
-
-
-
-
- An AspectJ expression, including the 'execution' keyword. For example,
- 'execution(int com.foo.TargetObject.countLength(String))' (without the
- quotes).
-
-
-
-
- Access configuration attributes list that applies to all methods
- matching the pointcut, e.g. "ROLE_A,ROLE_B"
-
-
-
-
-
- Container element for HTTP security configuration
-
-
-
-
-
- Specifies the access attributes and/or filter list for a
- particular set of URLs.
-
-
-
-
-
-
-
- Defines the access-denied strategy that should be used. An
- access denied page can be defined or a reference to an AccessDeniedHandler
- instance.
-
-
-
-
-
-
-
- Sets up a form login configuration for authentication with a
- username and password
-
-
-
-
-
-
-
- Sets up form login for authentication with an Open ID
- identity
-
-
+
+
+
+
+
+ Sets up an ldap authentication provider
+
+
+
+
+
+ Specifies that an LDAP provider should use an LDAP compare
+ operation of the user's password to authenticate the user
+
+
-
+
+
+ element which defines a password encoding strategy. Used
+ by an authentication provider to convert submitted passwords to hashed
+ versions, for example.
+
+
+
+
+
+ Password salting strategy. A system-wide constant or
+ a property from the UserDetails object can be
+ used.
+
+
+
+
+ A property of the UserDetails object which will
+ be used as salt by a password encoder. Typically something like
+ "username" might be used.
+
+
+
+
+ A single value that will be used as the salt for
+ a password encoder.
+
+
+
+
+ Defines a reference to a Spring bean
+ Id.
+
+
+
+
+
+
+
+
-
-
-
- A reference to a user-service (or UserDetailsService bean)
- Id
-
-
-
-
-
-
- Adds support for X.509 client authentication.
-
-
-
-
-
-
-
- Adds support for basic authentication (this is an element to
- permit future expansion, such as supporting an "ignoreFailure"
- attribute)
-
-
-
-
-
- Incorporates a logout processing filter. Most web applications
- require a logout filter, although you may not require one if you write a
- controller to provider similar logic.
-
-
-
-
-
-
-
- Adds support for concurrent session control, allowing limits to
- be placed on the number of sessions a user can have.
-
-
-
-
-
-
-
- Sets up remember-me authentication. If used with the "key"
- attribute (or no attributes) the cookie-only implementation will be used.
- Specifying "token-repository-ref" or "remember-me-data-source-ref" will use the
- more secure, persisten token approach.
-
-
-
-
-
-
-
- Adds support for automatically granting all anonymous web
- requests a particular principal identity and a corresponding granted
- authority.
-
-
-
-
-
-
-
- Defines the list of mappings between http and https ports for
- use in redirects
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Automatically registers a login form, BASIC authentication, anonymous
- authentication, logout services, remember-me and servlet-api-integration. If set to
- "true", all of these capabilities are added (although you can still customize the
- configuration of each by providing the respective element). If unspecified, defaults
- to "false".
-
-
-
-
- Enables the use of expressions in the 'access' attributes in
- <intercept-url> elements rather than the traditional list of
- configuration attributes. Defaults to 'false'. If enabled, each attribute should
- contain a single boolean expression. If the expression evaluates to 'true', access
- will be granted.
-
-
-
-
- Controls the eagerness with which an HTTP session is created. If not
- set, defaults to "ifRequired". Note that if a custom SecurityContextRepository is set
- using security-context-repository-ref, then the only value which can be set is
- "always". Otherwise the session creation behaviour will be determined by the
- repository bean implementation.
-
-
-
-
-
-
-
-
-
-
-
- A reference to a SecurityContextRepository bean. This can be used to
- customize how the SecurityContext is stored between requests.
-
-
-
-
- Defines the type of pattern used to specify URL paths (either JDK
- 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if
- unspecified.
-
-
-
-
-
-
-
-
-
-
- Whether test URLs should be converted to lower case prior to comparing
- with defined path patterns. If unspecified, defaults to "true".
-
-
-
-
- Provides versions of HttpServletRequest security methods such as
- isUserInRole() and getPrincipal() which are implemented by accessing the Spring
- SecurityContext. Defaults to "true".
-
-
-
-
- Optional attribute specifying the ID of the AccessDecisionManager
- implementation which should be used for authorizing HTTP requests.
-
-
-
-
- Optional attribute specifying the realm name that will be used for all
- authentication features that require a realm name (eg BASIC and Digest
- authentication). If unspecified, defaults to "Spring Security
- Application".
-
-
-
-
- Indicates whether an existing session should be invalidated when a
- user authenticates and a new session started. If set to "none" no change will be
- made. "newSession" will create a new empty session. "migrateSession" will create a
- new session and copy the session attributes to the new session. Defaults to
- "migrateSession".
-
-
-
-
-
-
-
-
-
-
-
- Allows a customized AuthenticationEntryPoint to be
- used.
-
-
-
-
- Corresponds to the observeOncePerRequest property of
- FilterSecurityInterceptor. Defaults to "true"
-
-
-
-
- Deprecated in favour of the access-denied-handler
- element.
-
-
-
-
-
-
-
-
-
- The URL to which a user will be redirected if they submit an invalid
- session indentifier. Typically used to detect session timeouts.
-
-
-
-
-
-
- Defines a reference to a Spring bean Id.
-
-
-
-
- The access denied page that an authenticated user will be redirected
- to if they request a page which they don't have the authority to access.
-
-
-
-
-
-
-
- The access denied page that an authenticated user will be redirected
- to if they request a page which they don't have the authority to access.
-
-
-
-
-
-
-
- The pattern which defines the URL path. The content will depend on the
- type set in the containing http element, so will default to ant path
- syntax.
-
-
-
-
- The access configuration attributes that apply for the configured
- path.
-
-
-
-
- The HTTP Method for which the access configuration attributes should
- apply. If not specified, the attributes will apply to any method.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- The filter list for the path. Currently can be set to "none" to remove
- a path from having any filters applied. The full filter stack (consisting of all
- filters created by the namespace configuration, and any added using 'custom-filter'),
- will be applied to any other paths.
-
-
-
-
-
-
-
-
-
- Used to specify that a URL must be accessed over http or https, or
- that there is no preference.
-
-
-
-
-
-
-
-
-
-
-
-
-
- Specifies the URL that will cause a logout. Spring Security will
- initialize a filter that responds to this particular URL. Defaults to
- /j_spring_security_logout if unspecified.
-
-
-
-
- Specifies the URL to display once the user has logged out. If not
- specified, defaults to /.
-
-
-
-
- Specifies whether a logout also causes HttpSession invalidation, which
- is generally desirable. If unspecified, defaults to true.
-
-
-
-
-
-
- The URL that the login form is posted to. If unspecified, it defaults
- to /j_spring_security_check.
-
-
-
-
- The URL that will be redirected to after successful authentication, if
- the user's previous action could not be resumed. This generally happens if the user
- visits a login page without having first requested a secured operation that triggers
- authentication. If unspecified, defaults to the root of the
- application.
-
-
-
-
- Whether the user should always be redirected to the default-target-url
- after login.
-
-
-
-
- The URL for the login page. If no login URL is specified, Spring
- Security will automatically create a login URL at /spring_security_login and a
- corresponding filter to render that login URL when requested.
-
-
-
-
- The URL for the login failure page. If no login failure URL is
- specified, Spring Security will automatically create a failure login URL at
- /spring_security_login?login_error and a corresponding filter to render that login
- failure URL when requested.
-
-
-
-
- Reference to an AuthenticationSuccessHandler bean which should be used
- to handle a successful authentication request. Should not be used in combination with
- default-target-url (or always-use-default-target-url) as the implementation should
- always deal with navigation to the subsequent destination
-
-
-
-
- Reference to an AuthenticationFailureHandler bean which should be used
- to handle a failed authentication request. Should not be used in combination with
- authentication-failure-url as the implementation should always deal with navigation
- to the subsequent destination
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
- Used to explicitly configure a FilterChainProxy instance with a
- FilterChainMap
+ The alias you wish to use for the AuthenticationManager
+ bean
-
-
-
-
- Used within filter-chain-map to define a specific URL pattern
- and the list of filters which apply to the URLs matching that pattern. When
- multiple filter-chain elements are used within a filter-chain-map element, the
- most specific patterns must be placed at the top of the list, with most general
- ones at the bottom.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
- Used to explicitly configure a FilterSecurityMetadataSource bean for use
- with a FilterSecurityInterceptor. Usually only needed if you are configuring a
- FilterChainProxy explicitly, rather than using the <http> element. The
- intercept-url elements used should only contain pattern, method and access attributes.
- Any others will result in a configuration error.
+ Defines a reference to a Spring bean Id.
-
-
-
-
- Specifies the access attributes and/or filter list for a
- particular set of URLs.
-
-
-
-
-
-
-
-
-
-
-
-
- Enables the use of expressions in the 'access' attributes in
- <intercept-url> elements rather than the traditional list of
- configuration attributes. Defaults to 'false'. If enabled, each attribute should
- contain a single boolean expression. If the expression evaluates to 'true', access
- will be granted.
-
-
+
+
+
+ A reference to a user-service (or UserDetailsService bean)
+ Id
+
+
+
+
+
+ Creates an in-memory UserDetailsService from a properties file or a list of
+ "user" child elements.
+
+
+
+
+
+ Represents a user in the application.
+
+
+
+
+
+
-
- A bean identifier, used for referring to the bean elsewhere in the
- context.
-
+
+ A bean identifier, used for referring to the bean elsewhere in the
+ context.
+
-
-
- as for http element
-
-
-
-
- Defines the type of pattern used to specify URL paths (either JDK
- 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if
- unspecified.
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
- Deprecated synonym for filter-security-metadata-source
+ The username assigned to the user.
-
-
-
-
- Specifies the access attributes and/or filter list for a
- particular set of URLs.
-
-
-
-
-
-
-
-
-
-
-
-
- The maximum number of sessions a single user can have open at the same
- time. Defaults to "1".
-
-
-
-
- The URL a user will be redirected to if they attempt to use a session
- which has been "expired" by the concurrent session controller because they have
- logged in again.
-
-
-
-
- Specifies that an exception should be raised when a user attempts to
- login when they already have the maximum configured sessions open. The default
- behaviour is to expire the original session.
-
-
-
-
- Allows you to define an alias for the SessionRegistry bean in order to
- access it in your own configuration
-
-
-
-
- A reference to an external SessionRegistry implementation which will
- be used in place of the standard one.
-
-
-
-
- Allows a custom session controller to be set on the internal http
- AuthenticationManager. If used, the session-registry-ref attribute must also be
- set.
-
-
-
-
-
-
- The "key" used to identify cookies from a specific token-based
- remember-me application. You should set this to a unique value for your
- application.
-
-
-
-
- Reference to a PersistentTokenRepository bean for use with the
- persistent token remember-me implementation.
-
-
-
-
- A reference to a DataSource bean
-
-
-
-
-
- A reference to a user-service (or UserDetailsService bean)
- Id
-
-
-
-
- Exports the internally defined RememberMeServices as a bean alias,
- allowing it to be used by other beans in the application context.
-
-
-
-
- The period (in seconds) for which the remember-me cookie should be
- valid.
-
-
-
-
-
-
- Reference to a PersistentTokenRepository bean for use with the
- persistent token remember-me implementation.
-
-
-
-
-
-
- Allows a custom implementation of RememberMeServices to be used. Note
- that this implementation should return RememberMeAuthenticationToken instances with
- the same "key" value as specified in the remember-me element. Alternatively it should
- register its own AuthenticationProvider.
-
-
-
-
-
-
-
-
-
- The key shared between the provider and filter. This generally does
- not need to be set. If unset, it will default to "doesNotMatter".
-
-
-
-
- The username that should be assigned to the anonymous request. This
- allows the principal to be identified, which may be important for logging and
- auditing. if unset, defaults to "anonymousUser".
-
-
-
-
- The granted authority that should be assigned to the anonymous
- request. Commonly this is used to assign the anonymous request particular roles,
- which can subsequently be used in authorization decisions. If unset, defaults to
- "ROLE_ANONYMOUS".
-
-
-
-
- With the default namespace setup, the anonymous "authentication"
- facility is automatically enabled. You can disable it using this property.
-
-
-
-
-
-
-
-
-
-
-
-
-
- The regular expression used to obtain the username from the
- certificate's subject. Defaults to matching on the common name using the pattern
- "CN=(.*?),".
-
-
-
-
- A reference to a user-service (or UserDetailsService bean)
- Id
-
-
-
-
+
+
- Registers the AuthenticationManager instance and allows its list of
- AuthenticationProviders to be defined. should use. Also allows you to define an alias to
- allow you to reference the AuthenticationManager in your own beans.
+ The password assigned to the user. This may be hashed if the corresponding
+ authentication provider supports hashing (remember to set the "hash" attribute of the
+ "user-service" element).
-
-
-
-
- Indicates that the contained user-service should be used as an
- authentication source.
-
-
-
-
-
-
- element which defines a password encoding strategy.
- Used by an authentication provider to convert submitted passwords to
- hashed versions, for example.
-
-
-
-
-
- Password salting strategy. A system-wide
- constant or a property from the UserDetails object can be
- used.
-
-
-
-
- A property of the UserDetails object
- which will be used as salt by a password encoder.
- Typically something like "username" might be used.
-
-
-
-
-
- A single value that will be used as the
- salt for a password encoder.
-
-
-
-
- Defines a reference to a Spring bean
- Id.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- Sets up an ldap authentication provider
-
-
-
-
-
- Specifies that an LDAP provider should use an LDAP
- compare operation of the user's password to authenticate the
- user
-
-
-
-
-
- element which defines a password encoding
- strategy. Used by an authentication provider to convert
- submitted passwords to hashed versions, for
- example.
-
-
-
-
-
- Password salting strategy. A
- system-wide constant or a property from the
- UserDetails object can be used.
-
-
-
-
- A property of the UserDetails
- object which will be used as salt by a password
- encoder. Typically something like "username" might
- be used.
-
-
-
-
- A single value that will be used
- as the salt for a password encoder.
-
-
-
-
-
- Defines a reference to a Spring
- bean Id.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- The alias you wish to use for the AuthenticationManager
- bean
-
-
-
-
-
-
- Defines a reference to a Spring bean Id.
-
-
-
-
- A reference to a user-service (or UserDetailsService bean)
- Id
-
-
-
-
+
+
- Creates an in-memory UserDetailsService from a properties file or a list
- of "user" child elements.
+ One of more authorities granted to the user. Separate authorities with a
+ comma (but no space). For example, "ROLE_USER,ROLE_ADMINISTRATOR"
-
-
-
-
- Represents a user in the application.
-
-
-
-
-
-
-
-
- A bean identifier, used for referring to the bean elsewhere in the
- context.
-
-
-
-
-
-
-
-
-
-
-
- The username assigned to the user.
-
-
-
-
- The password assigned to the user. This may be hashed if the
- corresponding authentication provider supports hashing (remember to set the "hash"
- attribute of the "user-service" element).
-
-
-
-
- One of more authorities granted to the user. Separate authorities with
- a comma (but no space). For example,
- "ROLE_USER,ROLE_ADMINISTRATOR"
-
-
-
-
- Can be set to "true" to mark an account as locked and
- unusable.
-
-
-
-
- Can be set to "true" to mark an account as disabled and
- unusable.
-
-
-
-
+
+
- Causes creation of a JDBC-based UserDetailsService.
+ Can be set to "true" to mark an account as locked and
+ unusable.
-
-
-
- A bean identifier, used for referring to the bean elsewhere in the
- context.
-
-
-
-
-
-
-
-
- The bean ID of the DataSource which provides the required
- tables.
-
-
-
-
- Defines a reference to a cache for use with a
- UserDetailsService.
-
-
-
-
- An SQL statement to query a username, password, and enabled status
- given a username
-
-
-
-
- An SQL statement to query for a user's granted authorities given a
- username.
-
-
-
-
- An SQL statement to query user's group authorities given a
- username.
-
-
-
-
- A non-empty string prefix that will be added to role strings loaded
- from persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases
- where the default is non-empty.
-
-
-
-
-
+
+
- Used to indicate that a filter bean declaration should be incorporated
- into the security filter chain.
+ Can be set to "true" to mark an account as disabled and
+ unusable.
-
-
-
-
-
-
-
-
- The filter immediately after which the custom-filter should be placed
- in the chain. This feature will only be needed by advanced users who wish to mix
- their own filters into the security filter chain and have some knowledge of the
- standard Spring Security filters. The filter names map to specific Spring Security
- implementation filters.
-
+
+
+
+
+ Causes creation of a JDBC-based UserDetailsService.
+
+
+
+
+ A bean identifier, used for referring to the bean elsewhere in the
+ context.
+
-
-
- The filter immediately before which the custom-filter should be placed
- in the chain
-
-
-
-
- The explicit position at which the custom-filter should be placed in
- the chain. Use if you are replacing a standard filter.
-
-
-
-
-
-
- The filter immediately after which the custom-filter should be placed
- in the chain. This feature will only be needed by advanced users who wish to mix
- their own filters into the security filter chain and have some knowledge of the
- standard Spring Security filters. The filter names map to specific Spring Security
- implementation filters.
-
-
-
-
-
-
- The filter immediately before which the custom-filter should be placed
- in the chain
-
-
-
-
-
-
- The explicit position at which the custom-filter should be placed in
- the chain. Use if you are replacing a standard filter.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+ The bean ID of the DataSource which provides the required
+ tables.
+
+
+
+
+ Defines a reference to a cache for use with a
+ UserDetailsService.
+
+
+
+
+ An SQL statement to query a username, password, and enabled status given a
+ username
+
+
+
+
+ An SQL statement to query for a user's granted authorities given a
+ username.
+
+
+
+
+ An SQL statement to query user's group authorities given a
+ username.
+
+
+
+
+ A non-empty string prefix that will be added to role strings loaded from
+ persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the
+ default is non-empty.
+
+
+
+
+
+
+ Used to indicate that a filter bean declaration should be incorporated into
+ the security filter chain.
+
+
+
+
+
+
+
+
+
+ The filter immediately after which the custom-filter should be placed in
+ the chain. This feature will only be needed by advanced users who wish to mix their own
+ filters into the security filter chain and have some knowledge of the standard Spring
+ Security filters. The filter names map to specific Spring Security implementation filters.
+
+
+
+
+
+ The filter immediately before which the custom-filter should be placed in
+ the chain
+
+
+
+
+ The explicit position at which the custom-filter should be placed in the
+ chain. Use if you are replacing a standard filter.
+
+
+
+
+
+
+ The filter immediately after which the custom-filter should be placed in
+ the chain. This feature will only be needed by advanced users who wish to mix their own
+ filters into the security filter chain and have some knowledge of the standard Spring
+ Security filters. The filter names map to specific Spring Security implementation filters.
+
+
+
+
+
+
+
+ The filter immediately before which the custom-filter should be placed in
+ the chain
+
+
+
+
+
+
+ The explicit position at which the custom-filter should be placed in the
+ chain. Use if you are replacing a standard filter.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
index ce7c5f4dc3..cd6bf61d9d 100644
--- a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
@@ -391,18 +391,24 @@ public class HttpSecurityBeanDefinitionParserTests {
@Test
public void requiresChannelSupportsPlaceholder() throws Exception {
System.setProperty("secure.url", "/secure");
+ System.setProperty("required.channel", "https");
setContext(
- " " +
+ " " +
" " +
- " " +
+ " " +
" " + AUTH_PROVIDER_XML);
List filters = getFilters("/secure");
- assertEquals("Expected " + (AUTO_CONFIG_FILTERS + 1) +" filters in chain", AUTO_CONFIG_FILTERS + 1, filters.size());
-
assertTrue(filters.get(0) instanceof ChannelProcessingFilter);
- }
-
+ ChannelProcessingFilter filter = (ChannelProcessingFilter) filters.get(0);
+ MockHttpServletRequest request = new MockHttpServletRequest();
+ request.setServletPath("/secure");
+ MockHttpServletResponse response = new MockHttpServletResponse();
+ filter.doFilter(request, response, new MockFilterChain());
+ assertNotNull(response.getRedirectedUrl());
+ assertTrue(response.getRedirectedUrl().startsWith("https"));
+ }
+
@Test
public void portMappingsAreParsedCorrectly() throws Exception {
setContext(
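Review bot: The two `System.setProperty` calls at the top of `requiresChannelSupportsPlaceholder` (the existing `secure.url` and the added `required.channel`) are never cleared, so the resolved placeholders outlive this test and can silently satisfy a later test that should fail when the property is absent. Wrap the body in try/finally or add an `@After` that runs `System.clearProperty("secure.url"); System.clearProperty("required.channel");`. Separately, `assertTrue(response.getRedirectedUrl().startsWith("https"))` only checks the first five characters; `startsWith("https://")` pins the scheme the redirect is supposed to enforce, which is the property this test exists to prove. The enclosing test class starts and ends outside the hunk.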
diff --git a/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessingFilter.java b/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessingFilter.java
index c1c585b4ef..4c18bc169c 100644
--- a/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessingFilter.java
+++ b/web/src/main/java/org/springframework/security/web/access/channel/ChannelProcessingFilter.java
@@ -111,11 +111,11 @@ public class ChannelProcessingFilter extends GenericFilterBean {
chain.doFilter(request, response);
}
- public ChannelDecisionManager getChannelDecisionManager() {
+ protected ChannelDecisionManager getChannelDecisionManager() {
return channelDecisionManager;
}
- public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
+ protected FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
return securityMetadataSource;
}