A new topic, on my way to mastering it.
1. web.xml defines the security filters. One special point concerns "springSecurityFilterChain", which is a special Spring internal infrastructure bean created by the namespace to handle web security.
As the reference manual (http://static.springsource.org/spring-security/site/docs/3.1.x/reference/ns-config.html) puts it: "If you are familiar with pre-namespace versions of the framework, you can probably already guess roughly what's going on here. The <http> element is responsible for creating a FilterChainProxy and the filter beans which it uses. Common problems like incorrect filter ordering are no longer an issue as the filter positions are predefined."
2.
    <!-- This bean id should not be changed -->
    <bean id="authenticationProcessingFilter" scope="prototype"
          class="com.db.cfc.frontend.common.security.filter.AuthProcessinglFilter">
        <security:custom-filter position="PRE_AUTH_FILTER" />
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>
    <bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter">
        <property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
        <property name="accessDeniedHandler">
            <bean class="org.springframework.security.ui.AccessDeniedHandlerImpl">
                <property name="errorPage" value="/WEB-INF/jsp/error/AccessDenied.jsp" />
            </bean>
        </property>
    </bean>
    <bean id="authenticationEntryPoint"
          class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />
    <bean id="preAuthenticatedAuthenticationProvider"
          class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
        <security:custom-authentication-provider />
        <property name="preAuthenticatedUserDetailsService" ref="preAuthenticatedUserDetailsService" />
    </bean>
    <bean id="preAuthenticatedUserDetailsService"
          class="com.db.cfc.frontend.common.security.service.impl.UserDetailsService">
        <property name="profileService" ref="profileService" />
        <property name="securityService" ref="securityService" />
    </bean>
    <bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
        <property name="providers">
            <list>
                <ref bean="preAuthenticatedAuthenticationProvider" />
            </list>
        </property>
    </bean>
Inside application_context_security.xml, defining the <http> configuration with the xmlns:security="http://www.springframework.org/schema/security" namespace automatically creates the springSecurityFilterChain, which is effectively an alias for the FilterChainProxy.
The filter -> authenticationManager -> provider -> userDetailsService chain inside application_context_security.xml configures the corresponding beans.
In addition, there is something called an "entry-point", which I still need to investigate.
    <!-- ACL context configuration start -->
    <security:http entry-point-ref="authenticationEntryPoint"
                   auto-config="false" session-fixation-protection="none"
                   lowercase-comparisons="false" access-denied-page="/WEB-INF/jsp/error/AccessDenied.jsp">
        <!-- Common to all roles, but authenticated -->
        <security:intercept-url pattern="/1/*.action"
            access="ROLE_BR_B_C_E,ROLE_BR_B_C_V,ROLE_BR_B_M_E,
                    ROLE_BR_B_M_V,ROLE_BR_S_C_E,
                    ROLE_BR_S_C_V,ROLE_BR_S_M_E,ROLE_BR_S_M_V,ROLE_DD_B_C_E,
                    ROLE_DD_B_C_V,ROLE_DD_B_M_E,
                    ROLE_DD_B_M_V,ROLE_DD_S_C_E,ROLE_DD_S_C_V,ROLE_DD_S_M_E,
                    ROLE_DD_S_M_V,
                    ROLE_SA_E,ROLE_SA_V,ROLE_CFC-SALES_V,ROLE_CFC-SALES_E" />
        <security:anonymous />
    </security:http>
    <bean id="exceptionTranslationFilter"
          class="org.springframework.security.ui.ExceptionTranslationFilter">
        <property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
        <property name="accessDeniedHandler">
            <bean class="org.springframework.security.ui.AccessDeniedHandlerImpl">
                <property name="errorPage" value="/WEB-INF/jsp/error/AccessDenied.jsp" />
            </bean>
        </property>
    </bean>
    <bean id="authenticationEntryPoint"
          class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" />
In addition, http://heraclitusonsoftware.wordpress.com/software-development/spring/simple-web-application-with-spring-security-part-13/#comment-1882
explains some of my findings and saved me the effort of typing. ^_^
As an add-on, I found out that it is FilterSecurityInterceptor.java which holds and applies the security configuration from application_context_security.xml, i.e. the <security:http> block with the <security:intercept-url pattern="/1/*.action" ... /> entry shown above.
During its doFilter() processing, this same class, FilterSecurityInterceptor, calls its superclass method AbstractSecurityInterceptor.beforeInvocation(), where the XML configuration is checked against the userDetails data of the current authentication.
And, from the Javadoc of AbstractSecurityInterceptor (author Ben Alex; $Id: AbstractSecurityInterceptor.java 3046 2008-05-09 18:09:56Z luke_t $):
Abstract class that implements security interception for secure objects. The AbstractSecurityInterceptor will ensure the proper startup configuration of the security interceptor. It will also implement the proper handling of secure object invocations, namely:
- Obtain the Authentication object from the SecurityContextHolder.
- Determine if the request relates to a secured or public invocation by looking up the secure object request against the ObjectDefinitionSource.
- For an invocation that is secured (there is a ConfigAttributeDefinition for the secure object invocation):
  - If either Authentication.isAuthenticated() returns false, or alwaysReauthenticate is true, authenticate the request against the configured AuthenticationManager. When authenticated, replace the Authentication object on the SecurityContextHolder with the returned value.
  - Authorize the request against the configured AccessDecisionManager.
  - Perform any run-as replacement via the configured RunAsManager.
  - Pass control back to the concrete subclass, which will actually proceed with executing the object. An InterceptorStatusToken is returned so that after the subclass has finished proceeding with execution of the object, its finally clause can ensure the AbstractSecurityInterceptor is re-called and tidies up correctly.
  - The concrete subclass will re-call the AbstractSecurityInterceptor via the afterInvocation(InterceptorStatusToken, Object) method.
  - If the RunAsManager replaced the Authentication object, return the SecurityContextHolder to the object that existed after the call to AuthenticationManager.
  - If an AfterInvocationManager is defined, invoke the invocation manager and allow it to replace the object due to be returned to the caller.
- For an invocation that is public (there is no ConfigAttributeDefinition for the secure object invocation):
  - As described above, the concrete subclass will be returned an InterceptorStatusToken which is subsequently re-presented to the AbstractSecurityInterceptor after the secure object has been executed. The AbstractSecurityInterceptor will take no further action when its afterInvocation(InterceptorStatusToken, Object) is called.
- Control again returns to the concrete subclass, along with the Object that should be returned to the caller. The subclass will then return that result or exception to the original caller.
I love Spring Security, it's cool!
http://static.springsource.org/spring-security/site/docs/3.0.x/reference/technical-overview.html#tech-intro-authentication
There are in general two steps: authentication and authorisation.
1. Authentication is generally done by the authenticationManager, e.g. org.springframework.security.providers.ProviderManager, together with its providers and the userDetailsService.
2. Authorisation is generally done by AbstractSecurityInterceptor, which retrieves the config attributes (for example ROLE_A and ROLE_B in <intercept-url pattern='/secure/**' access='ROLE_A,ROLE_B'/>) and uses an accessDecisionManager to decide whether the previously retrieved authentication object satisfies those config attributes.
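As an added example (not code from this post or from Spring Security itself), here is a JDK-only model of the authorisation step just described: it resolves a request path against the page's "/1/*.action" intercept-url rule, the way FilterSecurityInterceptor looks up config attributes, and then votes like an affirmative RoleVoter. The class name, the method names and the sample paths are hypothetical; the two roles are a subset of the page's role list. Requires Java 16+ for record.

```java
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/** Hypothetical model of intercept-url lookup plus an affirmative role vote.
 *  Written for this note; it is not Spring's FilterSecurityInterceptor. */
public class InterceptUrlCheck {
    /** One <security:intercept-url pattern="..." access="..."/> entry. */
    record Rule(Pattern pattern, Set<String> roles) {}

    /** Ant-style pattern to regex: "**" spans path segments, "*" and "?" stay
     *  within one segment. caseSensitive mirrors lowercase-comparisons="false". */
    static Pattern antToRegex(String ant, boolean caseSensitive) {
        StringBuilder re = new StringBuilder();
        for (int i = 0; i < ant.length(); i++) {
            char c = ant.charAt(i);
            if (c == '*' && i + 1 < ant.length() && ant.charAt(i + 1) == '*') {
                re.append(".*"); i++;
            } else if (c == '*') re.append("[^/]*");
            else if (c == '?') re.append("[^/]");
            else re.append(Pattern.quote(String.valueOf(c)));
        }
        return Pattern.compile(re.toString(), caseSensitive ? 0 : Pattern.CASE_INSENSITIVE);
    }

    /** First declared pattern that matches wins; no match means there is no
     *  ConfigAttributeDefinition, i.e. the invocation is public. */
    static Set<String> attributesFor(List<Rule> rules, String path) {
        for (Rule r : rules) if (r.pattern().matcher(path).matches()) return r.roles();
        return Set.of();
    }

    /** Affirmative vote: one granted role among the required ones is enough. */
    static boolean decide(Set<String> required, Set<String> granted) {
        if (required.isEmpty()) return true;            // public: interceptor lets it through
        for (String g : granted) if (required.contains(g)) return true;
        return false;                                    // AccessDeniedException in Spring
    }

    public static void main(String[] args) {
        // Constructed sample: the page's "/1/*.action" rule with two of its roles.
        List<Rule> rules = List.of(new Rule(antToRegex("/1/*.action", true),
                Set.of("ROLE_BR_B_C_E", "ROLE_SA_V")));
        Set<String> salesUser = Set.of("ROLE_SA_V");
        Set<String> anonymous = Set.of("ROLE_ANONYMOUS"); // granted by <security:anonymous />
        for (String p : List.of("/1/view.action", "/1/sub/view.action", "/1/view.ACTION")) {
            Set<String> req = attributesFor(rules, p);
            System.out.printf("%-20s required=%s user=%b anonymous=%b%n",
                    p, req, decide(req, salesUser), decide(req, anonymous));
        }
    }
}
```

Only the first path reaches the role check; the nested path and the upper-case extension fall outside the single pattern and are therefore public under this configuration, even for the anonymous user, which is the reason a trailing catch-all intercept-url is normally declared last.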
And these two posts are equally cool:
http://asahu05.wordpress.com/2010/07/20/spring-acegi-security-in-flex-application
and http://enlightensoft.wordpress.com/2010/04/09/spring-security-3-0-part-1/
Useful blog on spring security lwpro2, unlike the others!