|  | @@ -4,7 +4,7 @@
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |  <!--
 | 
	
		
			
				|  |  |   * ========================================================================
 | 
	
		
			
				|  |  | - * 
 | 
	
		
			
				|  |  | + *
 | 
	
		
			
				|  |  |   * Copyright 2004 Acegi Technology Pty Limited
 | 
	
		
			
				|  |  |   *
 | 
	
		
			
				|  |  |   * Licensed under the Apache License, Version 2.0 (the "License");
 | 
	
	
		
			
				|  | @@ -18,7 +18,7 @@
 | 
	
		
			
				|  |  |   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 | 
	
		
			
				|  |  |   * See the License for the specific language governing permissions and
 | 
	
		
			
				|  |  |   * limitations under the License.
 | 
	
		
			
				|  |  | - * 
 | 
	
		
			
				|  |  | + *
 | 
	
		
			
				|  |  |   * ========================================================================
 | 
	
		
			
				|  |  |  -->
 | 
	
		
			
				|  |  |  <book>
 | 
	
	
		
			
				|  | @@ -27,7 +27,7 @@
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |      <subtitle>Reference Documentation</subtitle>
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  | -    <releaseinfo>1.0.4</releaseinfo>
 | 
	
		
			
				|  |  | +    <releaseinfo>1.0.5</releaseinfo>
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |      <authorgroup>
 | 
	
		
			
				|  |  |        <author>
 | 
	
	
		
			
				|  | @@ -479,7 +479,7 @@ if (obj instanceof UserDetails) {
 | 
	
		
			
				|  |  |          <literal>ROLE_HR_SUPERVISOR</literal>. These roles are later on
 | 
	
		
			
				|  |  |          configured for web authorization, method authorization and domain
 | 
	
		
			
				|  |  |          object authorization. Other parts of Acegi Security are capable of
 | 
	
		
			
				|  |  | -        interpreting these authorities, and expect them to be present. 
 | 
	
		
			
				|  |  | +        interpreting these authorities, and expect them to be present.
 | 
	
		
			
				|  |  |          <literal>GrantedAuthority</literal> objects are usually loaded by
 | 
	
		
			
				|  |  |          the <literal>UserDetailsService</literal>.</para>
 | 
	
		
			
				|  |  |  
 | 
	
	
		
			
				|  | @@ -1068,6 +1068,19 @@ if (obj instanceof UserDetails) {
 | 
	
		
			
				|  |  |          any servlet container lifecycle invocations are not delegated through
 | 
	
		
			
				|  |  |          to <literal>FilterChainProxy</literal>.</para>
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  | +        <para>You can also omit a URI pattern from the filter chain by using
 | 
	
		
			
				|  |  | +        the token <literal>#NONE#</literal> on the right-hand side of the
 | 
	
		
			
				|  |  | +        <literal><URI Pattern> = <Filter Chain></literal> expression. For example, using
 | 
	
		
			
				|  |  | +         the example above, if you wanted to exclude the <filename>/webservices</filename>
 | 
	
		
			
				|  |  | +         location completely, you would modify the corresponding line in the bean declaration to be
 | 
	
		
			
				|  |  | +        <programlisting>
 | 
	
		
			
				|  |  | +/webServices/**=#NONE#
 | 
	
		
			
				|  |  | +        </programlisting>
 | 
	
		
			
				|  |  | +          Note that anything matching this path will then have no authentication
 | 
	
		
			
				|  |  | +          or authorization services applied and will be freely accessible.
 | 
	
		
			
				|  |  | +        </para>
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  |          <para>The order that filters are defined in <literal>web.xml</literal>
 | 
	
		
			
				|  |  |          is very important. Irrespective of which filters you are actually
 | 
	
		
			
				|  |  |          using, the order of the <literal><filter-mapping></literal>s
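Review bot: The added paragraph names the location as `/webservices` in the prose, but the listing excludes `/webServices/**`, so the sentence and the example disagree on case. This line decides which requests skip every security filter, so the pattern should be spelled exactly as in the bean declaration the text calls "the example above", which is outside this hunk. If that declaration lower-cases URLs before comparison, a mixed-case pattern would presumably never match, and the line should read `/webservices/**=#NONE#`. The closing caveat is easy to miss as trailing text after the listing inside the same `<para>`. Consider moving it into a DocBook warning that also tells readers to keep the pattern narrow, for example `<warning><para>Anything matching this pattern has no authentication or authorization services applied and is freely accessible; keep the pattern as narrow as possible.</para></warning>`.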
 | 
	
	
		
			
				|  | @@ -1230,7 +1243,7 @@ if (obj instanceof UserDetails) {
 | 
	
		
			
				|  |  |        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
 | 
	
		
			
				|  |  |        \A/secure/.*\Z=REQUIRES_SECURE_CHANNEL
 | 
	
		
			
				|  |  |        \A/acegilogin.jsp.*\Z=REQUIRES_SECURE_CHANNEL
 | 
	
		
			
				|  |  | -      \A/j_acegi_security_check.*\Z=REQUIRES_SECURE_CHANNEL	
 | 
	
		
			
				|  |  | +      \A/j_acegi_security_check.*\Z=REQUIRES_SECURE_CHANNEL
 | 
	
		
			
				|  |  |        \A.*\Z=REQUIRES_INSECURE_CHANNEL
 | 
	
		
			
				|  |  |      </value>
 | 
	
		
			
				|  |  |    </property>
 | 
	
	
		
			
				|  | @@ -1918,7 +1931,7 @@ if (obj instanceof UserDetails) {
 | 
	
		
			
				|  |  |      <value>classpath:/ehcache-failsafe.xml</value>
 | 
	
		
			
				|  |  |    </property>
 | 
	
		
			
				|  |  |  </bean>
 | 
	
		
			
				|  |  | -    
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  |  <bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
 | 
	
		
			
				|  |  |    <property name="cacheManager">
 | 
	
		
			
				|  |  |      <ref local="cacheManager"/>
 | 
	
	
		
			
				|  | @@ -1927,7 +1940,7 @@ if (obj instanceof UserDetails) {
 | 
	
		
			
				|  |  |      <value>userCache</value>
 | 
	
		
			
				|  |  |    </property>
 | 
	
		
			
				|  |  |  </bean>
 | 
	
		
			
				|  |  | -   
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  |  <bean id="userCache" class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
 | 
	
		
			
				|  |  |    <property name="cache"><ref local="userCacheBackend"/></property>
 | 
	
		
			
				|  |  |  </bean>        </programlisting></para>
 | 
	
	
		
			
				|  | @@ -2774,7 +2787,7 @@ key:              A private key to prevent modification of the remember-me token
 | 
	
		
			
				|  |  |    <property name="userDetailsService"><ref local="jdbcDaoImpl"/></property>
 | 
	
		
			
				|  |  |    <property name="key"><value>springRocks</value></property>
 | 
	
		
			
				|  |  |  </bean>
 | 
	
		
			
				|  |  | -   
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  |  <bean id="rememberMeAuthenticationProvider" class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
 | 
	
		
			
				|  |  |    <property name="key"><value>springRocks</value></property>
 | 
	
		
			
				|  |  |  </bean>
 | 
	
	
		
			
				|  | @@ -3126,7 +3139,7 @@ key:              A private key to prevent modification of the remember-me token
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |          <para>A typical configuration, using some of the beans we've discussed
 | 
	
		
			
				|  |  |          above, might look like this: <programlisting>
 | 
	
		
			
				|  |  | -    <bean id="initialDirContextFactory" 
 | 
	
		
			
				|  |  | +    <bean id="initialDirContextFactory"
 | 
	
		
			
				|  |  |              class="org.acegisecurity.ldap.DefaultInitialDirContextFactory">
 | 
	
		
			
				|  |  |        <constructor-arg value="ldap://monkeymachine:389/dc=acegisecurity,dc=org"/>
 | 
	
		
			
				|  |  |        <property name="managerDn"><value>cn=manager,dc=acegisecurity,dc=org</value></property>
 | 
	
	
		
			
				|  | @@ -3143,13 +3156,13 @@ key:              A private key to prevent modification of the remember-me token
 | 
	
		
			
				|  |  |        </constructor-arg>
 | 
	
		
			
				|  |  |        <constructor-arg index="2">
 | 
	
		
			
				|  |  |          <ref local="initialDirContextFactory" />
 | 
	
		
			
				|  |  | -      </constructor-arg>            
 | 
	
		
			
				|  |  | +      </constructor-arg>
 | 
	
		
			
				|  |  |        <property name="searchSubtree">
 | 
	
		
			
				|  |  |          <value>true</value>
 | 
	
		
			
				|  |  | -      </property>            
 | 
	
		
			
				|  |  | -    </bean>            
 | 
	
		
			
				|  |  | -            
 | 
	
		
			
				|  |  | -    <bean id="ldapAuthProvider" 
 | 
	
		
			
				|  |  | +      </property>
 | 
	
		
			
				|  |  | +    </bean>
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +    <bean id="ldapAuthProvider"
 | 
	
		
			
				|  |  |              class="org.acegisecurity.providers.ldap.LdapAuthenticationProvider">
 | 
	
		
			
				|  |  |        <constructor-arg>
 | 
	
		
			
				|  |  |          <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
 | 
	
	
		
			
				|  | @@ -3165,7 +3178,7 @@ key:              A private key to prevent modification of the remember-me token
 | 
	
		
			
				|  |  |          </bean>
 | 
	
		
			
				|  |  |        </constructor-arg>
 | 
	
		
			
				|  |  |      </bean>
 | 
	
		
			
				|  |  | -  
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  |            </programlisting> This would set up the provider to access an LDAP
 | 
	
		
			
				|  |  |          server with URL
 | 
	
		
			
				|  |  |          <literal>ldap://monkeymachine:389/dc=acegisecurity,dc=org</literal>.
 | 
	
	
		
			
				|  | @@ -3620,7 +3633,7 @@ key:              A private key to prevent modification of the remember-me token
 | 
	
		
			
				|  |  |  					<bean class="org.jasig.cas.authentication.principal.HttpBasedServiceCredentialsToPrincipalResolver" />
 | 
	
		
			
				|  |  |  				</list>
 | 
	
		
			
				|  |  |  			</property>
 | 
	
		
			
				|  |  | -	
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  |  			<property name="authenticationHandlers">
 | 
	
		
			
				|  |  |  				<list>
 | 
	
		
			
				|  |  |  					<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler" />
 | 
	
	
		
			
				|  | @@ -3630,8 +3643,8 @@ key:              A private key to prevent modification of the remember-me token
 | 
	
		
			
				|  |  |  				</list>
 | 
	
		
			
				|  |  |  			</property>
 | 
	
		
			
				|  |  |  		</bean>
 | 
	
		
			
				|  |  | -		
 | 
	
		
			
				|  |  | -		
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  |  		<bean id="inMemoryDaoImpl" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
 | 
	
		
			
				|  |  |  	  		<property name="userMap">
 | 
	
		
			
				|  |  |  				<value>
 | 
	
	
		
			
				|  | @@ -3642,11 +3655,11 @@ key:              A private key to prevent modification of the remember-me token
 | 
	
		
			
				|  |  |  				</value>
 | 
	
		
			
				|  |  |  			</property>
 | 
	
		
			
				|  |  |  		</bean>
 | 
	
		
			
				|  |  | -		
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  |  		<bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
 | 
	
		
			
				|  |  |  	     	<property name="userDetailsService"><ref bean="inMemoryDaoImpl"/></property>
 | 
	
		
			
				|  |  |  		</bean>
 | 
	
		
			
				|  |  | -	
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  |  		<bean id="acegiAuthenticationManager" class="org.acegisecurity.providers.ProviderManager">
 | 
	
		
			
				|  |  |  			<property name="providers">
 | 
	
		
			
				|  |  |  			  <list>
 | 
	
	
		
			
				|  | @@ -3655,7 +3668,7 @@ key:              A private key to prevent modification of the remember-me token
 | 
	
		
			
				|  |  |  			</property>
 | 
	
		
			
				|  |  |  		</bean>
 | 
	
		
			
				|  |  |  	</beans>
 | 
	
		
			
				|  |  | -	
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  |          </programlisting>
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |            <para>Note the granted authorities are ignored by CAS because it has
 | 
	
	
		
			
				|  | @@ -3663,7 +3676,7 @@ key:              A private key to prevent modification of the remember-me token
 | 
	
		
			
				|  |  |            applications. CAS is only concerned with username and passwords (and
 | 
	
		
			
				|  |  |            the enabled/disabled status).</para>
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  | -          <para>Copy <literal>acegi-security.jar</literal> and 
 | 
	
		
			
				|  |  | +          <para>Copy <literal>acegi-security.jar</literal> and
 | 
	
		
			
				|  |  |            <literal>acegi-security-cas.jar</literal> files into
 | 
	
		
			
				|  |  |            <literal>/localPlugins/lib</literal>. Now use the <literal>ant
 | 
	
		
			
				|  |  |            war</literal> task in the <literal>build.xml</literal> in the
 | 
	
	
		
			
				|  | @@ -3721,7 +3734,7 @@ key:              A private key to prevent modification of the remember-me token
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |  <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
 | 
	
		
			
				|  |  |    <property name="authenticationEntryPoint"><ref local="casProcessingFilterEntryPoint"/></property>
 | 
	
		
			
				|  |  | -</bean>          
 | 
	
		
			
				|  |  | +</bean>
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |  <bean id="casProcessingFilterEntryPoint" class="org.acegisecurity.ui.cas.CasProcessingFilterEntryPoint">
 | 
	
		
			
				|  |  |    <property name="loginUrl"><value>https://localhost:8443/cas/login</value></property>
 | 
	
	
		
			
				|  | @@ -3733,7 +3746,7 @@ key:              A private key to prevent modification of the remember-me token
 | 
	
		
			
				|  |  |          <para>You will also need to add the
 | 
	
		
			
				|  |  |          <literal>CasProcessingFilter</literal> to web.xml:</para>
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  | -        <para><programlisting>          
 | 
	
		
			
				|  |  | +        <para><programlisting>
 | 
	
		
			
				|  |  |  <filter>
 | 
	
		
			
				|  |  |    <filter-name>Acegi CAS Processing Filter</filter-name>
 | 
	
		
			
				|  |  |    <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
 | 
	
	
		
			
				|  | @@ -3798,7 +3811,7 @@ key:              A private key to prevent modification of the remember-me token
 | 
	
		
			
				|  |  |      <value>classpath:/ehcache-failsafe.xml</value>
 | 
	
		
			
				|  |  |    </property>
 | 
	
		
			
				|  |  |  </bean>
 | 
	
		
			
				|  |  | -    
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  |  <bean id="ticketCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
 | 
	
		
			
				|  |  |    <property name="cacheManager">
 | 
	
		
			
				|  |  |      <ref local="cacheManager"/>
 | 
	
	
		
			
				|  | @@ -3807,7 +3820,7 @@ key:              A private key to prevent modification of the remember-me token
 | 
	
		
			
				|  |  |      <value>ticketCache</value>
 | 
	
		
			
				|  |  |    </property>
 | 
	
		
			
				|  |  |  </bean>
 | 
	
		
			
				|  |  | -   
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  |  <bean id="statelessTicketCache" class="org.acegisecurity.providers.cas.cache.EhCacheBasedTicketCache">
 | 
	
		
			
				|  |  |    <property name="cache"><ref local="ticketCacheBackend"/></property>
 | 
	
		
			
				|  |  |  </bean>
 | 
	
	
		
			
				|  | @@ -4110,7 +4123,7 @@ key:              A private key to prevent modification of the remember-me token
 | 
	
		
			
				|  |  |          file so that it contains a new entry under the
 | 
	
		
			
				|  |  |          <literal><Policy></literal> section:</para>
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  | -        <para><programlisting> 
 | 
	
		
			
				|  |  | +        <para><programlisting>
 | 
	
		
			
				|  |  |  <application-policy name = "SpringPoweredRealm">
 | 
	
		
			
				|  |  |     <authentication>
 | 
	
		
			
				|  |  |        <login-module code = "org.acegisecurity.adapters.jboss.JbossAcegiLoginModule"
 | 
	
	
		
			
				|  | @@ -4120,7 +4133,7 @@ key:              A private key to prevent modification of the remember-me token
 | 
	
		
			
				|  |  |       </login-module>
 | 
	
		
			
				|  |  |     </authentication>
 | 
	
		
			
				|  |  |  </application-policy>
 | 
	
		
			
				|  |  | -        
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  |          </programlisting></para>
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |          <para>Copy <literal>acegisecurity.xml</literal> into
 | 
	
	
		
			
				|  | @@ -5224,7 +5237,7 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean {
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |    private AspectJSecurityInterceptor securityInterceptor;
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  | -  pointcut domainObjectInstanceExecution(): target(PersistableEntity) 
 | 
	
		
			
				|  |  | +  pointcut domainObjectInstanceExecution(): target(PersistableEntity)
 | 
	
		
			
				|  |  |               && execution(public * *(..)) && !within(DomainObjectInstanceSecurityAspect);
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |    Object around(): domainObjectInstanceExecution() {
 | 
	
	
		
			
				|  | @@ -5270,7 +5283,7 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean {
 | 
	
		
			
				|  |  |          declaration which achieves this is shown below:</para>
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |          <programlisting>
 | 
	
		
			
				|  |  | -<bean id="domainObjectInstanceSecurityAspect" 
 | 
	
		
			
				|  |  | +<bean id="domainObjectInstanceSecurityAspect"
 | 
	
		
			
				|  |  |      class="org.acegisecurity.samples.aspectj.DomainObjectInstanceSecurityAspect"
 | 
	
		
			
				|  |  |      factory-method="aspectOf">
 | 
	
		
			
				|  |  |    <property name="securityInterceptor"><ref bean="aspectJSecurityInterceptor"/></property>
 | 
	
	
		
			
				|  | @@ -5322,7 +5335,7 @@ public aspect DomainObjectInstanceSecurityAspect implements InitializingBean {
 | 
	
		
			
				|  |  |    <property name="loginFormUrl"><value>/acegilogin.jsp</value></property>
 | 
	
		
			
				|  |  |    <property name="forceHttps"><value>false</value></property>
 | 
	
		
			
				|  |  |  </bean>
 | 
	
		
			
				|  |  | -      
 | 
	
		
			
				|  |  | +
 | 
	
		
			
				|  |  |  <bean id="filterSecurityInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
 | 
	
		
			
				|  |  |    <property name="authenticationManager"><ref bean="authenticationManager"/></property>
 | 
	
		
			
				|  |  |    <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
 |