|
|
@@ -0,0 +1,1590 @@
|
|
|
+<?xml version="1.0" encoding="utf-8"?>
|
|
|
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
|
|
|
+ xmlns:security="http://www.springframework.org/schema/security" elementFormDefault="qualified"
|
|
|
+ targetNamespace="http://www.springframework.org/schema/security">
|
|
|
+ <xs:attributeGroup name="hash">
|
|
|
+ <xs:attribute name="hash" use="required">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Defines the hashing algorithm used on user passwords. We recommend
|
|
|
+ strongly against using MD4, as it is a very weak hashing algorithm.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:simpleType>
|
|
|
+ <xs:restriction base="xs:token">
|
|
|
+ <xs:enumeration value="plaintext"/>
|
|
|
+ <xs:enumeration value="sha"/>
|
|
|
+ <xs:enumeration value="sha-256"/>
|
|
|
+ <xs:enumeration value="md5"/>
|
|
|
+ <xs:enumeration value="md4"/>
|
|
|
+ <xs:enumeration value="{sha}"/>
|
|
|
+ <xs:enumeration value="{ssha}"/>
|
|
|
+ </xs:restriction>
|
|
|
+ </xs:simpleType>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="base64">
|
|
|
+ <xs:attribute name="base64" use="required">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Whether a string should be base64 encoded</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:simpleType>
|
|
|
+ <xs:restriction base="xs:token">
|
|
|
+ <xs:enumeration value="true"/>
|
|
|
+ <xs:enumeration value="false"/>
|
|
|
+ </xs:restriction>
|
|
|
+ </xs:simpleType>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="path-type">
|
|
|
+ <xs:attribute name="path-type" use="required">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Defines the type of pattern used to specify URL paths (either JDK
|
|
|
+ 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if
|
|
|
+ unspecified.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:simpleType>
|
|
|
+ <xs:restriction base="xs:token">
|
|
|
+ <xs:enumeration value="ant"/>
|
|
|
+ <xs:enumeration value="regex"/>
|
|
|
+ </xs:restriction>
|
|
|
+ </xs:simpleType>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="port">
|
|
|
+ <xs:attribute name="port" use="required" type="xs:positiveInteger">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Specifies an IP port number. Used to configure an embedded LDAP server,
|
|
|
+ for example.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="url">
|
|
|
+ <xs:attribute name="url" use="required" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Specifies a URL.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="id">
|
|
|
+ <xs:attribute name="id" use="required" type="xs:ID">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>A bean identifier, used for referring to the bean elsewhere in the
|
|
|
+ context.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="ref">
|
|
|
+ <xs:attribute name="ref" use="required" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Defines a reference to a Spring bean Id.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="cache-ref">
|
|
|
+ <xs:attribute name="cache-ref" use="required" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Defines a reference to a cache for use with a
|
|
|
+ UserDetailsService.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="user-service-ref">
|
|
|
+ <xs:attribute name="user-service-ref" use="required" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>A reference to a user-service (or UserDetailsService bean)
|
|
|
+ Id</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="data-source-ref">
|
|
|
+ <xs:attribute name="data-source-ref" use="required" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>A reference to a DataSource bean</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="password-encoder.attlist">
|
|
|
+ <xs:attribute name="ref" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Defines a reference to a Spring bean Id.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="hash">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Defines the hashing algorithm used on user passwords. We recommend
|
|
|
+ strongly against using MD4, as it is a very weak hashing algorithm.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:simpleType>
|
|
|
+ <xs:restriction base="xs:token">
|
|
|
+ <xs:enumeration value="plaintext"/>
|
|
|
+ <xs:enumeration value="sha"/>
|
|
|
+ <xs:enumeration value="sha-256"/>
|
|
|
+ <xs:enumeration value="md5"/>
|
|
|
+ <xs:enumeration value="md4"/>
|
|
|
+ <xs:enumeration value="{sha}"/>
|
|
|
+ <xs:enumeration value="{ssha}"/>
|
|
|
+ </xs:restriction>
|
|
|
+ </xs:simpleType>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="base64">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Whether a string should be base64 encoded</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:simpleType>
|
|
|
+ <xs:restriction base="xs:token">
|
|
|
+ <xs:enumeration value="true"/>
|
|
|
+ <xs:enumeration value="false"/>
|
|
|
+ </xs:restriction>
|
|
|
+ </xs:simpleType>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="user-property">
|
|
|
+ <xs:attribute name="user-property" use="required" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>A property of the UserDetails object which will be used as salt by a
|
|
|
+ password encoder. Typically something like "username" might be used. </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="system-wide">
|
|
|
+ <xs:attribute name="system-wide" use="required" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>A single value that will be used as the salt for a password encoder.
|
|
|
+ </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:simpleType name="boolean">
|
|
|
+ <xs:restriction base="xs:token">
|
|
|
+ <xs:enumeration value="true"/>
|
|
|
+ <xs:enumeration value="false"/>
|
|
|
+ </xs:restriction>
|
|
|
+ </xs:simpleType>
|
|
|
+ <xs:attributeGroup name="role-prefix">
|
|
|
+ <xs:attribute name="role-prefix" use="required" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>A non-empty string prefix that will be added to role strings loaded from
|
|
|
+ persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the
|
|
|
+ default is non-empty.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="use-expressions">
|
|
|
+ <xs:attribute name="use-expressions" use="required" type="security:boolean">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Enables the use of expressions in the 'access' attributes in
|
|
|
+ <intercept-url> elements rather than the traditional list of configuration
|
|
|
+ attributes. Defaults to 'false'. If enabled, each attribute should contain a single
|
|
|
+ boolean expression. If the expression evaluates to 'true', access will be granted.
|
|
|
+ </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:element name="ldap-server">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Defines an LDAP server location or starts an embedded server. The url
|
|
|
+ indicates the location of a remote server. If no url is given, an embedded server will be
|
|
|
+ started, listening on the supplied port number. The port is optional and defaults to 33389.
|
|
|
+ A Spring LDAP ContextSource bean will be registered for the server with the id supplied.
|
|
|
+ </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:attributeGroup ref="security:ldap-server.attlist"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ <xs:attributeGroup name="ldap-server.attlist">
|
|
|
+ <xs:attribute name="id" type="xs:ID">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>A bean identifier, used for referring to the bean elsewhere in the
|
|
|
+ context.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="url" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Specifies a URL.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="port" type="xs:positiveInteger">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Specifies an IP port number. Used to configure an embedded LDAP server,
|
|
|
+ for example.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="manager-dn" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Username (DN) of the "manager" user identity which will be used to
|
|
|
+ authenticate to a (non-embedded) LDAP server. If omitted, anonymous access will be used.
|
|
|
+ </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="manager-password" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The password for the manager DN.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="ldif" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Explicitly specifies an ldif file resource to load into an embedded LDAP
|
|
|
+ server</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="root" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Optional root suffix for the embedded LDAP server. Default is
|
|
|
+ "dc=springframework,dc=org"</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="ldap-server-ref-attribute">
|
|
|
+ <xs:attribute name="server-ref" use="required" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The optional server to use. If omitted, and a default LDAP server is
|
|
|
+ registered (using <ldap-server> with no Id), that server will be used.
|
|
|
+ </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="group-search-filter-attribute">
|
|
|
+ <xs:attribute name="group-search-filter" use="required" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Group search filter. Defaults to (uniqueMember={0}). The substituted
|
|
|
+ parameter is the DN of the user.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="group-search-base-attribute">
|
|
|
+ <xs:attribute name="group-search-base" use="required" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Search base for group membership searches. Defaults to "" (searching from
|
|
|
+ the root).</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="user-search-filter-attribute">
|
|
|
+ <xs:attribute name="user-search-filter" use="required" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The LDAP filter used to search for users (optional). For example
|
|
|
+ "(uid={0})". The substituted parameter is the user's login name.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="user-search-base-attribute">
|
|
|
+ <xs:attribute name="user-search-base" use="required" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Search base for user searches. Defaults to "". Only used with a
|
|
|
+ 'user-search-filter'.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="group-role-attribute-attribute">
|
|
|
+ <xs:attribute name="group-role-attribute" use="required" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The LDAP attribute name which contains the role name which will be used
|
|
|
+ within Spring Security. Defaults to "cn".</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="user-details-class-attribute">
|
|
|
+ <xs:attribute name="user-details-class" use="required">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Allows the objectClass of the user entry to be specified. If set, the
|
|
|
+ framework will attempt to load standard attributes for the defined class into the returned
|
|
|
+ UserDetails object</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:simpleType>
|
|
|
+ <xs:restriction base="xs:token">
|
|
|
+ <xs:enumeration value="person"/>
|
|
|
+ <xs:enumeration value="inetOrgPerson"/>
|
|
|
+ </xs:restriction>
|
|
|
+ </xs:simpleType>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:element name="ldap-user-service" substitutionGroup="security:any-user-service">
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:attributeGroup ref="security:ldap-us.attlist"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ <xs:attributeGroup name="ldap-us.attlist">
|
|
|
+ <xs:attribute name="id" type="xs:ID">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>A bean identifier, used for referring to the bean elsewhere in the
|
|
|
+ context.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="server-ref" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The optional server to use. If omitted, and a default LDAP server is
|
|
|
+ registered (using <ldap-server> with no Id), that server will be used.
|
|
|
+ </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="user-search-filter" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The LDAP filter used to search for users (optional). For example
|
|
|
+ "(uid={0})". The substituted parameter is the user's login name.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="user-search-base" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Search base for user searches. Defaults to "". Only used with a
|
|
|
+ 'user-search-filter'.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="group-search-filter" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Group search filter. Defaults to (uniqueMember={0}). The substituted
|
|
|
+ parameter is the DN of the user.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="group-search-base" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Search base for group membership searches. Defaults to "" (searching from
|
|
|
+ the root).</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="group-role-attribute" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The LDAP attribute name which contains the role name which will be used
|
|
|
+ within Spring Security. Defaults to "cn".</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="cache-ref" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Defines a reference to a cache for use with a
|
|
|
+ UserDetailsService.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="role-prefix" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>A non-empty string prefix that will be added to role strings loaded from
|
|
|
+ persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the
|
|
|
+ default is non-empty.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="user-details-class">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Allows the objectClass of the user entry to be specified. If set, the
|
|
|
+ framework will attempt to load standard attributes for the defined class into the returned
|
|
|
+ UserDetails object</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:simpleType>
|
|
|
+ <xs:restriction base="xs:token">
|
|
|
+ <xs:enumeration value="person"/>
|
|
|
+ <xs:enumeration value="inetOrgPerson"/>
|
|
|
+ </xs:restriction>
|
|
|
+ </xs:simpleType>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:element name="ldap-authentication-provider">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Sets up an ldap authentication provider</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:sequence>
|
|
|
+ <xs:element minOccurs="0" name="password-compare">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Specifies that an LDAP provider should use an LDAP compare operation
|
|
|
+ of the user's password to authenticate the user</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:sequence>
|
|
|
+ <xs:element minOccurs="0" name="password-encoder">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>element which defines a password encoding strategy. Used by an
|
|
|
+ authentication provider to convert submitted passwords to hashed versions, for
|
|
|
+ example.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:sequence>
|
|
|
+ <xs:element minOccurs="0" name="salt-source">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Password salting strategy. A system-wide constant or a
|
|
|
+ property from the UserDetails object can be used.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:attribute name="user-property" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>A property of the UserDetails object which will be
|
|
|
+ used as salt by a password encoder. Typically something like
|
|
|
+ "username" might be used. </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="system-wide" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>A single value that will be used as the salt for a
|
|
|
+ password encoder. </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="ref" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Defines a reference to a Spring bean
|
|
|
+ Id.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ </xs:sequence>
|
|
|
+ <xs:attributeGroup ref="security:password-encoder.attlist"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ </xs:sequence>
|
|
|
+ <xs:attributeGroup ref="security:password-compare.attlist"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ </xs:sequence>
|
|
|
+ <xs:attributeGroup ref="security:ldap-ap.attlist"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ <xs:attributeGroup name="ldap-ap.attlist">
|
|
|
+ <xs:attribute name="server-ref" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The optional server to use. If omitted, and a default LDAP server is
|
|
|
+ registered (using <ldap-server> with no Id), that server will be used.
|
|
|
+ </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="user-search-base" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Search base for user searches. Defaults to "". Only used with a
|
|
|
+ 'user-search-filter'.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="user-search-filter" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The LDAP filter used to search for users (optional). For example
|
|
|
+ "(uid={0})". The substituted parameter is the user's login name.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="group-search-base" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Search base for group membership searches. Defaults to "" (searching from
|
|
|
+ the root).</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="group-search-filter" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Group search filter. Defaults to (uniqueMember={0}). The substituted
|
|
|
+ parameter is the DN of the user.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="group-role-attribute" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The LDAP attribute name which contains the role name which will be used
|
|
|
+ within Spring Security. Defaults to "cn".</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="user-dn-pattern" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>A specific pattern used to build the user's DN, for example
|
|
|
+ "uid={0},ou=people". The key "{0}" must be present and will be substituted with the
|
|
|
+ username.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="role-prefix" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>A non-empty string prefix that will be added to role strings loaded from
|
|
|
+ persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the
|
|
|
+ default is non-empty.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="user-details-class">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Allows the objectClass of the user entry to be specified. If set, the
|
|
|
+ framework will attempt to load standard attributes for the defined class into the returned
|
|
|
+ UserDetails object</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:simpleType>
|
|
|
+ <xs:restriction base="xs:token">
|
|
|
+ <xs:enumeration value="person"/>
|
|
|
+ <xs:enumeration value="inetOrgPerson"/>
|
|
|
+ </xs:restriction>
|
|
|
+ </xs:simpleType>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="password-compare.attlist">
|
|
|
+ <xs:attribute name="password-attribute" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The attribute in the directory which contains the user password. Defaults
|
|
|
+ to "userPassword".</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="hash">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Defines the hashing algorithm used on user passwords. We recommend
|
|
|
+ strongly against using MD4, as it is a very weak hashing algorithm.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:simpleType>
|
|
|
+ <xs:restriction base="xs:token">
|
|
|
+ <xs:enumeration value="plaintext"/>
|
|
|
+ <xs:enumeration value="sha"/>
|
|
|
+ <xs:enumeration value="sha-256"/>
|
|
|
+ <xs:enumeration value="md5"/>
|
|
|
+ <xs:enumeration value="md4"/>
|
|
|
+ <xs:enumeration value="{sha}"/>
|
|
|
+ <xs:enumeration value="{ssha}"/>
|
|
|
+ </xs:restriction>
|
|
|
+ </xs:simpleType>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:element name="intercept-methods">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Can be used inside a bean definition to add a security interceptor to the
|
|
|
+ bean and set up access configuration attributes for the bean's methods</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:sequence>
|
|
|
+ <xs:element maxOccurs="unbounded" name="protect">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Defines a protected method and the access control configuration
|
|
|
+ attributes that apply to it. We strongly advise you NOT to mix "protect" declarations
|
|
|
+ with any services provided "global-method-security".</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:attributeGroup ref="security:protect.attlist"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ </xs:sequence>
|
|
|
+ <xs:attributeGroup ref="security:intercept-methods.attlist"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ <xs:attributeGroup name="intercept-methods.attlist">
|
|
|
+ <xs:attribute name="access-decision-manager-ref" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Optional AccessDecisionManager bean ID to be used by the created method
|
|
|
+ security interceptor.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="protect.attlist">
|
|
|
+ <xs:attribute name="method" use="required" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>A method name</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="access" use="required" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Access configuration attributes list that applies to the method, e.g.
|
|
|
+ "ROLE_A,ROLE_B".</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:element name="global-method-security">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Provides method security for all beans registered in the Spring application
|
|
|
+ context. Specifically, beans will be scanned for matches with the ordered list of
|
|
|
+ "protect-pointcut" sub-elements, Spring Security annotations and/or. Where there is a match,
|
|
|
+ the beans will automatically be proxied and security authorization applied to the methods
|
|
|
+ accordingly. If you use and enable all four sources of method security metadata (ie
|
|
|
+ "protect-pointcut" declarations, expression annotations, @Secured and also JSR250 security
|
|
|
+ annotations), the metadata sources will be queried in that order. In practical terms, this
|
|
|
+ enables you to use XML to override method security metadata expressed in annotations. If
|
|
|
+ using annotations, the order of precedence is EL-based (@PreAuthorize etc.), @Secured and
|
|
|
+ finally JSR-250.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:sequence>
|
|
|
+ <xs:element minOccurs="0" ref="security:expression-handler"/>
|
|
|
+ <xs:element minOccurs="0" maxOccurs="unbounded" name="protect-pointcut">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Defines a protected pointcut and the access control configuration
|
|
|
+ attributes that apply to it. Every bean registered in the Spring application context
|
|
|
+ that provides a method that matches the pointcut will receive security
|
|
|
+ authorization.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:attributeGroup ref="security:protect-pointcut.attlist"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ </xs:sequence>
|
|
|
+ <xs:attributeGroup ref="security:global-method-security.attlist"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ <xs:attributeGroup name="global-method-security.attlist">
|
|
|
+ <xs:attribute name="expression-annotations">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Specifies whether the use of Spring Security's expression-based
|
|
|
+ annotations (@PreFilter, @PreAuthorize, @PostFilter, @PostAuthorize) should be enabled for
|
|
|
+ this application context. Defaults to "disabled".</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:simpleType>
|
|
|
+ <xs:restriction base="xs:token">
|
|
|
+ <xs:enumeration value="disabled"/>
|
|
|
+ <xs:enumeration value="enabled"/>
|
|
|
+ </xs:restriction>
|
|
|
+ </xs:simpleType>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="secured-annotations">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Specifies whether the use of Spring Security's @Secured annotations should
|
|
|
+ be enabled for this application context. Defaults to "disabled".</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:simpleType>
|
|
|
+ <xs:restriction base="xs:token">
|
|
|
+ <xs:enumeration value="disabled"/>
|
|
|
+ <xs:enumeration value="enabled"/>
|
|
|
+ </xs:restriction>
|
|
|
+ </xs:simpleType>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="jsr250-annotations">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Specifies whether JSR-250 style attributes are to be used (for example
|
|
|
+ "RolesAllowed"). This will require the javax.annotation.security classes on the classpath.
|
|
|
+ Defaults to "disabled".</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:simpleType>
|
|
|
+ <xs:restriction base="xs:token">
|
|
|
+ <xs:enumeration value="disabled"/>
|
|
|
+ <xs:enumeration value="enabled"/>
|
|
|
+ </xs:restriction>
|
|
|
+ </xs:simpleType>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="access-decision-manager-ref" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Optional AccessDecisionManager bean ID to override the default used for
|
|
|
+ method security.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:element name="expression-handler">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Defines the SecurityExpressionHandler instance which will be used if
|
|
|
+ expression-based access-control is enabled. A default implementation (with no ACL support)
|
|
|
+ will be used if not supplied.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:attributeGroup ref="security:ref"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ <xs:element name="custom-after-invocation-provider">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Used to decorate an AfterInvocationProvider to specify that it should be
|
|
|
+ used with method security.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType/>
|
|
|
+ </xs:element>
|
|
|
+ <xs:attributeGroup name="protect-pointcut.attlist">
|
|
|
+ <xs:attribute name="expression" use="required" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>An AspectJ expression, including the 'execution' keyword. For example,
|
|
|
+ 'execution(int com.foo.TargetObject.countLength(String))' (without the
|
|
|
+ quotes).</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="access" use="required" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Access configuration attributes list that applies to all methods matching
|
|
|
+ the pointcut, e.g. "ROLE_A,ROLE_B"</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:element name="http">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Container element for HTTP security configuration</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:choice minOccurs="0" maxOccurs="unbounded">
|
|
|
+ <xs:element name="intercept-url">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Specifies the access attributes and/or filter list for a particular
|
|
|
+ set of URLs.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:attributeGroup ref="security:intercept-url.attlist"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ <xs:element name="access-denied-handler">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Defines the access-denied strategy that should be used. An access
|
|
|
+ denied page can be defined or a reference to an AccessDeniedHandler instance.
|
|
|
+ </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:attributeGroup ref="security:access-denied-handler.attlist"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ <xs:element name="form-login">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Sets up a form login configuration for authentication with a username
|
|
|
+ and password</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:attributeGroup ref="security:form-login.attlist"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ <xs:element ref="security:openid-login"/>
|
|
|
+ <xs:element name="x509">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Adds support for X.509 client authentication.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:attributeGroup ref="security:x509.attlist"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ <xs:element name="http-basic">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Adds support for basic authentication (this is an element to permit
|
|
|
+ future expansion, such as supporting an "ignoreFailure" attribute)</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType/>
|
|
|
+ </xs:element>
|
|
|
+ <xs:element name="logout">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Incorporates a logout processing filter. Most web applications require
|
|
|
+ a logout filter, although you may not require one if you write a controller to
|
|
|
+ provider similar logic.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:attributeGroup ref="security:logout.attlist"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ <xs:element name="concurrent-session-control">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Adds support for concurrent session control, allowing limits to be
|
|
|
+ placed on the number of sessions a user can have.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:attributeGroup ref="security:concurrent-sessions.attlist"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ <xs:element name="remember-me">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Sets up remember-me authentication. If used with the "key" attribute
|
|
|
+ (or no attributes) the cookie-only implementation will be used. Specifying
|
|
|
+ "token-repository-ref" or "remember-me-data-source-ref" will use the more secure,
|
|
|
+ persisten token approach. </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:attributeGroup ref="security:remember-me.attlist"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ <xs:element name="anonymous">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Adds support for automatically granting all anonymous web requests a
|
|
|
+ particular principal identity and a corresponding granted
|
|
|
+ authority.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:attributeGroup ref="security:anonymous.attlist"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ <xs:element name="port-mappings">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Defines the list of mappings between http and https ports for use in
|
|
|
+ redirects</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:sequence>
|
|
|
+ <xs:element maxOccurs="unbounded" ref="security:port-mapping"/>
|
|
|
+ </xs:sequence>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ </xs:choice>
|
|
|
+ <xs:attributeGroup ref="security:http.attlist"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ <xs:attributeGroup name="http.attlist">
|
|
|
+ <xs:attribute name="auto-config" type="security:boolean">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Automatically registers a login form, BASIC authentication, anonymous
|
|
|
+ authentication, logout services, remember-me and servlet-api-integration. If set to
|
|
|
+ "true", all of these capabilities are added (although you can still customize the
|
|
|
+ configuration of each by providing the respective element). If unspecified, defaults to
|
|
|
+ "false".</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="use-expressions" type="security:boolean">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Enables the use of expressions in the 'access' attributes in
|
|
|
+ <intercept-url> elements rather than the traditional list of configuration
|
|
|
+ attributes. Defaults to 'false'. If enabled, each attribute should contain a single
|
|
|
+ boolean expression. If the expression evaluates to 'true', access will be granted.
|
|
|
+ </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="create-session">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Controls the eagerness with which an HTTP session is created. If not set,
|
|
|
+ defaults to "ifRequired". Note that if a custom SecurityContextRepository is set using
|
|
|
+ security-context-repository-ref, then the only value which can be set is "always".
|
|
|
+ Otherwise the session creation behaviour will be determined by the repository bean
|
|
|
+ implementation.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:simpleType>
|
|
|
+ <xs:restriction base="xs:token">
|
|
|
+ <xs:enumeration value="ifRequired"/>
|
|
|
+ <xs:enumeration value="always"/>
|
|
|
+ <xs:enumeration value="never"/>
|
|
|
+ </xs:restriction>
|
|
|
+ </xs:simpleType>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="security-context-repository-ref" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>A reference to a SecurityContextRepository bean. This can be used to
|
|
|
+ customize how the SecurityContext is stored between requests.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="path-type">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Defines the type of pattern used to specify URL paths (either JDK
|
|
|
+ 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if
|
|
|
+ unspecified.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:simpleType>
|
|
|
+ <xs:restriction base="xs:token">
|
|
|
+ <xs:enumeration value="ant"/>
|
|
|
+ <xs:enumeration value="regex"/>
|
|
|
+ </xs:restriction>
|
|
|
+ </xs:simpleType>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="lowercase-comparisons" type="security:boolean">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Whether test URLs should be converted to lower case prior to comparing
|
|
|
+ with defined path patterns. If unspecified, defaults to "true".</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="servlet-api-provision" type="security:boolean">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Provides versions of HttpServletRequest security methods such as
|
|
|
+ isUserInRole() and getPrincipal() which are implemented by accessing the Spring
|
|
|
+ SecurityContext. Defaults to "true".</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="access-decision-manager-ref" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Optional attribute specifying the ID of the AccessDecisionManager
|
|
|
+ implementation which should be used for authorizing HTTP requests.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="realm" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Optional attribute specifying the realm name that will be used for all
|
|
|
+ authentication features that require a realm name (eg BASIC and Digest authentication). If
|
|
|
+ unspecified, defaults to "Spring Security Application".</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="session-fixation-protection">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Indicates whether an existing session should be invalidated when a user
|
|
|
+ authenticates and a new session started. If set to "none" no change will be made.
|
|
|
+ "newSession" will create a new empty session. "migrateSession" will create a new session
|
|
|
+ and copy the session attributes to the new session. Defaults to
|
|
|
+ "migrateSession".</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:simpleType>
|
|
|
+ <xs:restriction base="xs:token">
|
|
|
+ <xs:enumeration value="none"/>
|
|
|
+ <xs:enumeration value="newSession"/>
|
|
|
+ <xs:enumeration value="migrateSession"/>
|
|
|
+ </xs:restriction>
|
|
|
+ </xs:simpleType>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="entry-point-ref" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Allows a customized AuthenticationEntryPoint to be
|
|
|
+ used.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="once-per-request" type="security:boolean">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Corresponds to the observeOncePerRequest property of
|
|
|
+ FilterSecurityInterceptor. Defaults to "true"</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="access-denied-page" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Deprecated in favour of the access-denied-handler
|
|
|
+ element.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="disable-url-rewriting" type="security:boolean">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation> </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="access-denied-handler.attlist">
|
|
|
+ <xs:attribute name="ref" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Defines a reference to a Spring bean Id.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="error-page" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The access denied page that an authenticated user will be redirected to if
|
|
|
+ they request a page which they don't have the authority to access. </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="access-denied-handler-page">
|
|
|
+ <xs:attribute name="error-page" use="required" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The access denied page that an authenticated user will be redirected to if
|
|
|
+ they request a page which they don't have the authority to access. </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="intercept-url.attlist">
|
|
|
+ <xs:attribute name="pattern" use="required" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The pattern which defines the URL path. The content will depend on the
|
|
|
+ type set in the containing http element, so will default to ant path
|
|
|
+ syntax.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="access" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The access configuration attributes that apply for the configured
|
|
|
+ path.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="method">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The HTTP Method for which the access configuration attributes should
|
|
|
+ apply. If not specified, the attributes will apply to any method.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:simpleType>
|
|
|
+ <xs:restriction base="xs:token">
|
|
|
+ <xs:enumeration value="GET"/>
|
|
|
+ <xs:enumeration value="DELETE"/>
|
|
|
+ <xs:enumeration value="HEAD"/>
|
|
|
+ <xs:enumeration value="OPTIONS"/>
|
|
|
+ <xs:enumeration value="POST"/>
|
|
|
+ <xs:enumeration value="PUT"/>
|
|
|
+ <xs:enumeration value="TRACE"/>
|
|
|
+ </xs:restriction>
|
|
|
+ </xs:simpleType>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="filters">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The filter list for the path. Currently can be set to "none" to remove a
|
|
|
+ path from having any filters applied. The full filter stack (consisting of all filters
|
|
|
+ created by the namespace configuration, and any added using 'custom-filter'), will be
|
|
|
+ applied to any other paths.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:simpleType>
|
|
|
+ <xs:restriction base="xs:token">
|
|
|
+ <xs:enumeration value="none"/>
|
|
|
+ </xs:restriction>
|
|
|
+ </xs:simpleType>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="requires-channel">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Used to specify that a URL must be accessed over http or https, or that
|
|
|
+ there is no preference.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:simpleType>
|
|
|
+ <xs:restriction base="xs:token">
|
|
|
+ <xs:enumeration value="http"/>
|
|
|
+ <xs:enumeration value="https"/>
|
|
|
+ <xs:enumeration value="any"/>
|
|
|
+ </xs:restriction>
|
|
|
+ </xs:simpleType>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="logout.attlist">
|
|
|
+ <xs:attribute name="logout-url" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Specifies the URL that will cause a logout. Spring Security will
|
|
|
+ initialize a filter that responds to this particular URL. Defaults to
|
|
|
+ /j_spring_security_logout if unspecified.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="logout-success-url" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Specifies the URL to display once the user has logged out. If not
|
|
|
+ specified, defaults to /.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="invalidate-session" type="security:boolean">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Specifies whether a logout also causes HttpSession invalidation, which is
|
|
|
+ generally desirable. If unspecified, defaults to true.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="form-login.attlist">
|
|
|
+ <xs:attribute name="login-processing-url" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The URL that the login form is posted to. If unspecified, it defaults to
|
|
|
+ /j_spring_security_check.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="default-target-url" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The URL that will be redirected to after successful authentication, if the
|
|
|
+ user's previous action could not be resumed. This generally happens if the user visits a
|
|
|
+ login page without having first requested a secured operation that triggers
|
|
|
+ authentication. If unspecified, defaults to the root of the
|
|
|
+ application.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="always-use-default-target" type="security:boolean">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Whether the user should always be redirected to the default-target-url
|
|
|
+ after login. </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="login-page" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The URL for the login page. If no login URL is specified, Spring Security
|
|
|
+ will automatically create a login URL at /spring_security_login and a corresponding filter
|
|
|
+ to render that login URL when requested.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="authentication-failure-url" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The URL for the login failure page. If no login failure URL is specified,
|
|
|
+ Spring Security will automatically create a failure login URL at
|
|
|
+ /spring_security_login?login_error and a corresponding filter to render that login failure
|
|
|
+ URL when requested.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="authentication-success-handler-ref" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Reference to an AuthenticationSuccessHandler bean which should be used to
|
|
|
+ handle a successful authentication request. Should not be used in combination with
|
|
|
+ default-target-url (or always-use-default-target-url) as the implementation should always
|
|
|
+ deal with navigation to the subsequent destination</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="authentication-failure-handler-ref" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Reference to an AuthenticationFailureHandler bean which should be used to
|
|
|
+ handle a failed authentication request. Should not be used in combination with
|
|
|
+ authentication-failure-url as the implementation should always deal with navigation to the
|
|
|
+ subsequent destination</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:element name="openid-login">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Sets up form login for authentication with an Open ID
|
|
|
+ identity</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:attributeGroup ref="security:form-login.attlist"/>
|
|
|
+ <xs:attribute name="user-service-ref" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>A reference to a user-service (or UserDetailsService bean)
|
|
|
+ Id</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ <xs:element name="filter-chain-map">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Used to explicitly configure a FilterChainProxy instance with a
|
|
|
+ FilterChainMap</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:sequence>
|
|
|
+ <xs:element maxOccurs="unbounded" name="filter-chain">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Used within filter-chain-map to define a specific URL pattern and the
|
|
|
+ list of filters which apply to the URLs matching that pattern. When multiple
|
|
|
+ filter-chain elements are used within a filter-chain-map element, the most specific
|
|
|
+ patterns must be placed at the top of the list, with most general ones at the
|
|
|
+ bottom.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:attributeGroup ref="security:filter-chain.attlist"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ </xs:sequence>
|
|
|
+ <xs:attributeGroup ref="security:filter-chain-map.attlist"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ <xs:attributeGroup name="filter-chain-map.attlist">
|
|
|
+ <xs:attributeGroup ref="security:path-type"/>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="filter-chain.attlist">
|
|
|
+ <xs:attribute name="pattern" use="required" type="xs:string"/>
|
|
|
+ <xs:attribute name="filters" use="required" type="xs:string"/>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:element name="filter-invocation-definition-source">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Used to explicitly configure a FilterInvocationDefinitionSource bean for use
|
|
|
+ with a FilterSecurityInterceptor. Usually only needed if you are configuring a
|
|
|
+ FilterChainProxy explicitly, rather than using the <http> element. The
|
|
|
+ intercept-url elements used should only contain pattern, method and access attributes. Any
|
|
|
+ others will result in a configuration error. </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:sequence>
|
|
|
+ <xs:element maxOccurs="unbounded" name="intercept-url">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Specifies the access attributes and/or filter list for a particular
|
|
|
+ set of URLs.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:attributeGroup ref="security:intercept-url.attlist"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ </xs:sequence>
|
|
|
+ <xs:attributeGroup ref="security:fids.attlist"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ <xs:attributeGroup name="fids.attlist">
|
|
|
+ <xs:attribute name="use-expressions" type="security:boolean">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Enables the use of expressions in the 'access' attributes in
|
|
|
+ <intercept-url> elements rather than the traditional list of configuration
|
|
|
+ attributes. Defaults to 'false'. If enabled, each attribute should contain a single
|
|
|
+ boolean expression. If the expression evaluates to 'true', access will be granted.
|
|
|
+ </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="id" type="xs:ID">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>A bean identifier, used for referring to the bean elsewhere in the
|
|
|
+ context.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="lowercase-comparisons" type="security:boolean">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>as for http element</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="path-type">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Defines the type of pattern used to specify URL paths (either JDK
|
|
|
+ 1.4-compatible regular expressions, or Apache Ant expressions). Defaults to "ant" if
|
|
|
+ unspecified.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:simpleType>
|
|
|
+ <xs:restriction base="xs:token">
|
|
|
+ <xs:enumeration value="ant"/>
|
|
|
+ <xs:enumeration value="regex"/>
|
|
|
+ </xs:restriction>
|
|
|
+ </xs:simpleType>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="concurrent-sessions.attlist">
|
|
|
+ <xs:attribute name="max-sessions" type="xs:positiveInteger">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The maximum number of sessions a single user can have open at the same
|
|
|
+ time. Defaults to "1".</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="expired-url" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The URL a user will be redirected to if they attempt to use a session
|
|
|
+ which has been "expired" by the concurrent session controller because they have logged in
|
|
|
+ again.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="exception-if-maximum-exceeded" type="security:boolean">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Specifies that an exception should be raised when a user attempts to login
|
|
|
+ when they already have the maximum configured sessions open. The default behaviour is to
|
|
|
+ expire the original session.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="session-registry-alias" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Allows you to define an alias for the SessionRegistry bean in order to
|
|
|
+ access it in your own configuration</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="session-registry-ref" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>A reference to an external SessionRegistry implementation which will be
|
|
|
+ used in place of the standard one. </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="remember-me.attlist">
|
|
|
+ <xs:attribute name="key" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The "key" used to identify cookies from a specific token-based remember-me
|
|
|
+ application. You should set this to a unique value for your
|
|
|
+ application.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="token-repository-ref" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Reference to a PersistentTokenRepository bean for use with the persistent
|
|
|
+ token remember-me implementation. </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="data-source-ref" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>A reference to a DataSource bean</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attributeGroup ref="security:remember-me-services-ref"/>
|
|
|
+ <xs:attribute name="user-service-ref" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>A reference to a user-service (or UserDetailsService bean)
|
|
|
+ Id</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="token-validity-seconds" type="xs:integer">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The period (in seconds) for which the remember-me cookie should be valid.
|
|
|
+ If set to a negative value</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="token-repository-ref">
|
|
|
+ <xs:attribute name="token-repository-ref" use="required" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Reference to a PersistentTokenRepository bean for use with the persistent
|
|
|
+ token remember-me implementation. </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="remember-me-services-ref">
|
|
|
+ <xs:attribute name="services-ref" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Allows a custom implementation of RememberMeServices to be used. Note that
|
|
|
+ this implementation should return RememberMeAuthenticationToken instances with the same
|
|
|
+ "key" value as specified in the remember-me element. Alternatively it should register its
|
|
|
+ own AuthenticationProvider. </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="remember-me-data-source-ref">
|
|
|
+ <xs:attributeGroup ref="security:data-source-ref"/>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="anonymous.attlist">
|
|
|
+ <xs:attribute name="key" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The key shared between the provider and filter. This generally does not
|
|
|
+ need to be set. If unset, it will default to "doesNotMatter".</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="username" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The username that should be assigned to the anonymous request. This allows
|
|
|
+ the principal to be identified, which may be important for logging and auditing. if unset,
|
|
|
+ defaults to "anonymousUser".</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="granted-authority" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The granted authority that should be assigned to the anonymous request.
|
|
|
+ Commonly this is used to assign the anonymous request particular roles, which can
|
|
|
+ subsequently be used in authorization decisions. If unset, defaults to
|
|
|
+ "ROLE_ANONYMOUS".</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:element name="port-mapping">
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:attributeGroup ref="security:http-port"/>
|
|
|
+ <xs:attributeGroup ref="security:https-port"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ <xs:attributeGroup name="http-port">
|
|
|
+ <xs:attribute name="http" use="required" type="xs:string"/>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="https-port">
|
|
|
+ <xs:attribute name="https" use="required" type="xs:string"/>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="x509.attlist">
|
|
|
+ <xs:attribute name="subject-principal-regex" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The regular expression used to obtain the username from the certificate's
|
|
|
+ subject. Defaults to matching on the common name using the pattern
|
|
|
+ "CN=(.*?),".</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="user-service-ref" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>A reference to a user-service (or UserDetailsService bean)
|
|
|
+ Id</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:element name="authentication-manager">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>If you are using namespace configuration with Spring Security, an
|
|
|
+ AuthenticationManager will automatically be registered. This element allows you to define an
|
|
|
+ alias to allow you to reference the authentication-manager in your own beans.
|
|
|
+ </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:attributeGroup ref="security:authman.attlist"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ <xs:attributeGroup name="authman.attlist">
|
|
|
+ <xs:attribute name="alias" use="required" type="xs:ID">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The alias you wish to use for the AuthenticationManager
|
|
|
+ bean</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="session-controller-ref" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Allows the session controller to be set on the internal
|
|
|
+ AuthenticationManager. This should not be used with the <concurrent-session-control
|
|
|
+ /> element</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:element name="authentication-provider">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Indicates that the contained user-service should be used as an
|
|
|
+ authentication source. </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:choice minOccurs="0" maxOccurs="unbounded">
|
|
|
+ <xs:element ref="security:any-user-service"/>
|
|
|
+ <xs:element name="password-encoder">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>element which defines a password encoding strategy. Used by an
|
|
|
+ authentication provider to convert submitted passwords to hashed versions, for
|
|
|
+ example.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:sequence>
|
|
|
+ <xs:element minOccurs="0" name="salt-source">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Password salting strategy. A system-wide constant or a property
|
|
|
+ from the UserDetails object can be used.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:attribute name="user-property" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>A property of the UserDetails object which will be used as
|
|
|
+ salt by a password encoder. Typically something like "username" might be
|
|
|
+ used. </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="system-wide" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>A single value that will be used as the salt for a password
|
|
|
+ encoder. </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="ref" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Defines a reference to a Spring bean Id.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ </xs:sequence>
|
|
|
+ <xs:attributeGroup ref="security:password-encoder.attlist"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ </xs:choice>
|
|
|
+ <xs:attributeGroup ref="security:ap.attlist"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ <xs:attributeGroup name="ap.attlist">
|
|
|
+ <xs:attribute name="user-service-ref" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>A reference to a user-service (or UserDetailsService bean)
|
|
|
+ Id</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:element name="custom-authentication-provider">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Element used to decorate an AuthenticationProvider bean to add it to the
|
|
|
+ internal AuthenticationManager maintained by the namespace.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType/>
|
|
|
+ </xs:element>
|
|
|
+ <xs:element name="user-service" substitutionGroup="security:any-user-service">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Creates an in-memory UserDetailsService from a properties file or a list of
|
|
|
+ "user" child elements.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:sequence>
|
|
|
+ <xs:element minOccurs="0" maxOccurs="unbounded" ref="security:user"/>
|
|
|
+ </xs:sequence>
|
|
|
+ <xs:attribute name="id" type="xs:ID">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>A bean identifier, used for referring to the bean elsewhere in the
|
|
|
+ context.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attributeGroup ref="security:properties-file"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ <xs:attributeGroup name="properties-file">
|
|
|
+ <xs:attribute name="properties" type="xs:string"/>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:element name="user">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Represents a user in the application.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:attributeGroup ref="security:user.attlist"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ <xs:attributeGroup name="user.attlist">
|
|
|
+ <xs:attribute name="name" use="required" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The username assigned to the user.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="password" use="required" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The password assigned to the user. This may be hashed if the corresponding
|
|
|
+ authentication provider supports hashing (remember to set the "hash" attribute of the
|
|
|
+ "user-service" element).</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="authorities" use="required" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>One of more authorities granted to the user. Separate authorities with a
|
|
|
+ comma (but no space). For example, "ROLE_USER,ROLE_ADMINISTRATOR"</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="locked" type="security:boolean">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Can be set to "true" to mark an account as locked and
|
|
|
+ unusable.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="disabled" type="security:boolean">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Can be set to "true" to mark an account as disabled and
|
|
|
+ unusable.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:element name="jdbc-user-service" substitutionGroup="security:any-user-service">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Causes creation of a JDBC-based UserDetailsService.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:attribute name="id" type="xs:ID">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>A bean identifier, used for referring to the bean elsewhere in the
|
|
|
+ context.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attributeGroup ref="security:jdbc-user-service.attlist"/>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ <xs:attributeGroup name="jdbc-user-service.attlist">
|
|
|
+ <xs:attribute name="data-source-ref" use="required" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The bean ID of the DataSource which provides the required
|
|
|
+ tables.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="cache-ref" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Defines a reference to a cache for use with a
|
|
|
+ UserDetailsService.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="users-by-username-query" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>An SQL statement to query a username, password, and enabled status given a
|
|
|
+ username</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="authorities-by-username-query" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>An SQL statement to query for a user's granted authorities given a
|
|
|
+ username.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="group-authorities-by-username-query" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>An SQL statement to query user's group authorities given a
|
|
|
+ username.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="role-prefix" type="xs:string">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>A non-empty string prefix that will be added to role strings loaded from
|
|
|
+ persistent storage (e.g. "ROLE_"). Use the value "none" for no prefix in cases where the
|
|
|
+ default is non-empty.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:element name="any-user-service" abstract="true"/>
|
|
|
+ <xs:group name="custom-filter">
|
|
|
+ <xs:sequence>
|
|
|
+ <xs:element minOccurs="0" ref="security:custom-filter"/>
|
|
|
+ </xs:sequence>
|
|
|
+ </xs:group>
|
|
|
+ <xs:element name="custom-filter">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>Used to indicate that a filter bean declaration should be incorporated into
|
|
|
+ the security filter chain. If neither the 'after' or 'before' options are supplied, then the
|
|
|
+ filter must implement the Ordered interface directly. </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ <xs:complexType>
|
|
|
+ <xs:attribute name="after" type="security:named-security-filter">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The filter immediately after which the custom-filter should be placed in
|
|
|
+ the chain. This feature will only be needed by advanced users who wish to mix their own
|
|
|
+ filters into the security filter chain and have some knowledge of the standard Spring
|
|
|
+ Security filters. The filter names map to specific Spring Security implementation
|
|
|
+ filters. </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="before" type="security:named-security-filter">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The filter immediately before which the custom-filter should be placed
|
|
|
+ in the chain</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ <xs:attribute name="position" type="security:named-security-filter">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The explicit position at which the custom-filter should be placed in the
|
|
|
+ chain. Use if you are replacing a standard filter.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:complexType>
|
|
|
+ </xs:element>
|
|
|
+ <xs:attributeGroup name="after">
|
|
|
+ <xs:attribute name="after" use="required" type="security:named-security-filter">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The filter immediately after which the custom-filter should be placed in
|
|
|
+ the chain. This feature will only be needed by advanced users who wish to mix their own
|
|
|
+ filters into the security filter chain and have some knowledge of the standard Spring
|
|
|
+ Security filters. The filter names map to specific Spring Security implementation filters.
|
|
|
+ </xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="before">
|
|
|
+ <xs:attribute name="before" use="required" type="security:named-security-filter">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The filter immediately before which the custom-filter should be placed in
|
|
|
+ the chain</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:attributeGroup name="position">
|
|
|
+ <xs:attribute name="position" use="required" type="security:named-security-filter">
|
|
|
+ <xs:annotation>
|
|
|
+ <xs:documentation>The explicit position at which the custom-filter should be placed in the
|
|
|
+ chain. Use if you are replacing a standard filter.</xs:documentation>
|
|
|
+ </xs:annotation>
|
|
|
+ </xs:attribute>
|
|
|
+ </xs:attributeGroup>
|
|
|
+ <xs:simpleType name="named-security-filter">
|
|
|
+ <xs:restriction base="xs:token">
|
|
|
+ <xs:enumeration value="FIRST"/>
|
|
|
+ <xs:enumeration value="CHANNEL_FILTER"/>
|
|
|
+ <xs:enumeration value="CONCURRENT_SESSION_FILTER"/>
|
|
|
+ <xs:enumeration value="SESSION_CONTEXT_INTEGRATION_FILTER"/>
|
|
|
+ <xs:enumeration value="LOGOUT_FILTER"/>
|
|
|
+ <xs:enumeration value="X509_FILTER"/>
|
|
|
+ <xs:enumeration value="PRE_AUTH_FILTER"/>
|
|
|
+ <xs:enumeration value="CAS_PROCESSING_FILTER"/>
|
|
|
+ <xs:enumeration value="AUTHENTICATION_PROCESSING_FILTER"/>
|
|
|
+ <xs:enumeration value="OPENID_PROCESSING_FILTER"/>
|
|
|
+ <xs:enumeration value="BASIC_PROCESSING_FILTER"/>
|
|
|
+ <xs:enumeration value="SERVLET_API_SUPPORT_FILTER"/>
|
|
|
+ <xs:enumeration value="REMEMBER_ME_FILTER"/>
|
|
|
+ <xs:enumeration value="ANONYMOUS_FILTER"/>
|
|
|
+ <xs:enumeration value="EXCEPTION_TRANSLATION_FILTER"/>
|
|
|
+ <xs:enumeration value="NTLM_FILTER"/>
|
|
|
+ <xs:enumeration value="FILTER_SECURITY_INTERCEPTOR"/>
|
|
|
+ <xs:enumeration value="SWITCH_USER_FILTER"/>
|
|
|
+ <xs:enumeration value="LAST"/>
|
|
|
+ </xs:restriction>
|
|
|
+ </xs:simpleType>
|
|
|
+</xs:schema>
|
Luke Taylor