Authentication.
AccessDecisionManager.
AfterInvocationProvider which provides commonly-used ACL-related services.
AbstractAuthenticationFilterConfigurer.
Authentication object as part of the contract.
Authentication objects.
SecurityBuilder that allows SecurityConfigurer to be
applied to it.ObjectPostProcessor.
ObjectPostProcessor.
MethodSecurityMetadataSource that supports both Spring AOP and AspectJ and
performs attribute resolution from: 1.AuthenticationProvider implementation that retrieves user details from a JAAS login configuration.LdapAuthenticationProvider and the
ActiveDirectoryLdapAuthenticationProvider.ContextSource provided.
Permission implementations.RequestMatcher's.RequestMatcher's.SecurityBuilder that ensures the object being built is only
built one time.DelegatingFilterProxy to use the
springSecurityFilterChain before any other registered Filter.ContextLoaderListener with the specified classes.
AuthenticationProvider that allows subclasses to override and work with UserDetails objects.ConfigAttribute's
AccessDeniedException in the request for rendering.
Acl.AccessControlEntry.Tag that allows its body through if some authorizations are granted to the request's
principal.AccessDecisionManager.
Authentication object does not hold a
required authority.AccessDeniedException with the specified
message.
AccessDeniedException with the specified
message and root cause.
AccessDeniedHandler to be used
ExceptionTranslationFilter to handle an
AccessDeniedException.AccessDeniedHandler.AccessDeniedHandler to be used is a specific error page
AccountExpiredException with the specified
message.
AccountExpiredException with the specified
message and root cause.
AclImpl to determine whether a principal is permitted to call
administrative methods on the AclImpl.
AclAuthorizationStrategy.
JdbcAclService.
AclDataAccessException with the specified
message and root cause.
AclDataAccessException with the specified
message and no root cause.
Collection of domain object instances returned from a secure object invocation, remove
any Collection elements the principal does not have appropriate permission to access as defined by the
AclService.AclService.AclService.Acl.MutableAclService.createAcl(ObjectIdentity).
PermissionGrantingStrategy argument instead.
Acl instances.AuthenticationException when attempting to authenticate against
Active Directory using ActiveDirectoryLdapAuthenticationProvider.Filter that must be an instance of or extend one of the
Filters provided within the Security framework.
Filter after one of the known Filter
classes.
Filter before one of the known Filter
classes.
HeaderWriter instance
UserDetails
for a given authentication request.
LogoutHandler.
ObjectPostProcessor to be used for this
SecurityConfigurerAdapter.
SecurityFilterChain instances.
AccessDecisionManager that grants access if any
AccessDecisionVoter returns an affirmative response.Object returned from a secure object invocation,
being able to modify the Object or throw an AccessDeniedException.AfterInvocationManager for the default
implementation of GlobalMethodSecurityConfiguration.methodSecurityInterceptor().
AfterInvocationProviderManager decision.AfterInvocationManager.Token.
FrameOptionsHeaderWriter to determine the actual value to use for the
X-Frame-Options header when using the ALLOW-FROM directive.Acl entry already exists for the object.AlreadyExistsException with the specified message.
AlreadyExistsException with the specified message
and root cause.
LdapAuthenticationProviderConfigurer for further
customizations
LdapAuthenticationProviderConfigurer for further
customizations
UserDetailsManagerRegistry for method chaining (i.e.
SecurityBuilder when done using the
SecurityConfigurer.
HttpSecurity for further customizations
WebSecurity to be returned for chaining.
OpenIDLoginConfigurer to customize the OpenID configuration further
OpenIDLoginConfigurer.AttributeExchangeConfigurer for further
customization of the attributes
SessionManagementConfigurer
ConfigAttributes for
securing a method.Authentication object in the SecurityContextHolder, and
populates it with one if needed.AuthenticationProvider implementation that validates AnonymousAuthenticationTokens.Authentication.HttpSecurity to only be invoked when
matching the provided ant pattern.
List of AntPathRequestMatcher instances.
List of AntPathRequestMatcher instances that do
not care which HttpMethod is used.
servletPath + pathInfo) of an HttpServletRequest.Filters after existing Filters
using default generated names, AbstractSecurityWebApplicationInitializer.getSecurityDispatcherTypes(), and
AbstractSecurityWebApplicationInitializer.isAsyncSecuritySupported().
SecurityConfigurerAdapter to this
SecurityBuilder and invokes
SecurityConfigurerAdapter.setBuilder(SecurityBuilder).
SecurityConfigurer to this SecurityBuilder
overriding any SecurityConfigurer of the exact same class.
AspectJMethodSecurityInterceptor when it wishes for the
AspectJ processing to continue.JoinPoint security interceptor which wraps the JoinPoint in a MethodInvocation
adapter to make it compatible with security infrastructure classes which only support MethodInvocations.OpenIDAttribute to be obtained for the configured OpenID pattern.
OpenIDAttribute with the given name
GrantedAuthoritys.AclImpl to log audit events.Authentication object, returning a fully populated
Authentication object (including granted authorities) if successful.
AuthenticationManager.authenticate(Authentication).
Authentication object.
AuthenticationUserDetailsService that is used with
the PreAuthenticatedAuthenticationProvider.
ConfigAttribute.getAttribute() of IS_AUTHENTICATED_FULLY or
IS_AUTHENTICATED_REMEMBERED or IS_AUTHENTICATED_ANONYMOUSLY is present.AuthenticationManager.authenticate(Authentication) method.ConfigurationAuthentication could not be obtained from
the SecurityContextHolder.Authentication object in the SecurityContext.AuthenticationCredentialsNotFoundException
with the specified message.
AuthenticationCredentialsNotFoundException
with the specified message and root cause.
Authentication.getDetails() object for
a given web request.AuthenticationDetailsSource.
AuthenticationDetailsSource to use for basic
authentication.
AuthenticationDetailsSource
AuthenticationEntryPoint to be used.
AuthenticationEntryPoint to be populated on
BasicAuthenticationFilter in the event that authentication fails.
ExceptionTranslationFilter to commence an authentication scheme.AuthenticationEventPublisher
Authentication object being invalid for whatever
reason.AuthenticationException with the specified message and root cause.
AuthenticationException with the specified message and no root cause.
AuthenticationProvider that can process the request.AuthenticationManager.AnonymousAuthenticationFilter used to populate an anonymous user.
Authentication request.AuthenticationManager.
AuthenticationManager to use.
AuthenticationManager from
WebSecurityConfigurerAdapter.registerAuthentication(AuthenticationManagerBuilder) to be exposed as
a Bean.
SecurityBuilder used to create an AuthenticationManager.Authentication implementation.AuthenticationProvider
that is passed in.
AuthenticationProvider
that is passed in.
AuthenticationProvider used to validate an anonymous user.
AuthenticationProvider to be used
AuthenticationServiceException with the
specified message.
AuthenticationServiceException with the
specified message and root cause.
SimpleHttpInvokerRequestExecutor.Tag implementation that allows convenient access to the current
Authentication object.
Authentication tokens
AuthenticationTrustResolver.
AuthenticationUserDetailsService to use.
AuthenticationUserDetailsService to use.
Authentication.getAuthorities() for anonymous users
Authentication.getAuthorities() for anonymous users
AuthorizationServiceException with the
specified message.
AuthorizationServiceException with the
specified message and root cause.
HttpServletRequest using
SecurityContextHolder does not contain an
Authentication object and Spring Security wishes to provide an implementation with an
opportunity to authenticate the request using remember-me capabilities.
BadCredentialsException with the specified
message.
BadCredentialsException with the specified
message and root cause.
ExceptionTranslationFilter to commence authentication via the BasicAuthenticationFilter.
SecurityContextHolder.
AuthenticationManager
and which will ignore failed authentication attempts, allowing the request to proceed down the filter chain.
AuthenticationManager and
use the supplied AuthenticationEntryPoint to handle authentication failures.
PermissionGrantingStrategy argument instead.
SecurityConfigurer.configure(SecurityBuilder) method.
SecurityConfigurer.init(SecurityBuilder) method.
BaseLdapPathContextSource provided.
CumulativePermission or BasePermission representing the
active bits in the passed mask.
Authentication object for the current secure object invocation, or
null if replacement not required.
CacheControlHeadersWriter.
StaticHeadersWriter that inserts headers to prevent caching.ExceptionTranslationFilter to commence authentication via the JA-SIG Central
Authentication Service (CAS).AuthenticationProvider implementation that integrates with JA-SIG Central Authentication Service
(CAS).Authentication.RequestMatcher instances.
RequestMatcher's as unmapped and then calls AbstractRequestMatcherMappingConfigurer.chainRequestMatchersInternal(List).
RequestMatcher instances.
RequestMatcher creation to the UrlAuthorizationConfigurer.AuthorizedUrl class.
HttpServletRequest#changeSessionId() to protect against session
fixation attacks.ChannelDecisionManager.ChannelProcessor to launch a web channel.ChannelProcessor instances to use in ChannelDecisionManagerImpl
Acl cannot be deleted because children Acls exist.ChildrenExistException with the specified
message.
ChildrenExistException with the specified
message and root cause.
Subject (phase two) by adding the Spring Security
Authentication to the Subject's principals.
SessionAuthenticationStrategy that accepts multiple
SessionAuthenticationStrategy implementations to delegate to.
ConcurrentSessionControlAuthenticationStrategy instead
SecurityBuilder by setting the necessary properties
on the SecurityBuilder.
WebSecurity.
HttpSecurity.
AccessDecisionManager that uses a
consensus-based approach.AuditLogger.OpenIDConsumer to be used.
ConsumerManager to be used.
XContentTypeOptionsHeaderWriter
RemoteInvocation that is passed from the client to the server.org.springframework.remoting.rmi.RmiProxyFactoryBean when it
wishes to create a remote invocation.BaseLdapPathContextSource to be used.
BaseLdapPathContextSource with
defaults pointing to an embedded LDAP server that is created.
DelegatingSecurityContextCallable and with the given Callable and
SecurityContext, but if the securityContext is null will default to the current SecurityContext
on the SecurityContextHolder
DelegatingSecurityContextRunnable.
MethodInvocation for specified methodName on the passed object,
using the args to locate the method.
Acl object in the database.
StandardEvaluationContext and SecurityExpressionRoot
objects.
StandardEvaluationContext.
MethodSecurityEvaluationContext as the EvaluationContext implementation.
EvaluationContext to be customized for variable lookup etc.
MethodInvocation for the specified methodName on the passed class.
MethodInvocation for specified methodName on the passed class,
using the args to locate the method.
DefaultJaasAuthenticationProvider.setConfiguration(Configuration).
RequestMatcher given a loginProcessingUrl
acl_class, creating a new row if needed and the
allowCreate property is true.
Authentication object.
Authentication object which will be returned from the authenticate method.
eraseCredentials method.CredentialsExpiredException with the specified
message.
CredentialsExpiredException with the specified
message and root cause.
CsrfAuthenticationStrategy is in charge of removing the CsrfToken upon
authenticating.CsrfFilter.CsrfConfigurer.requireCsrfProtectionMatcher(RequestMatcher).CsrfLogoutHandler is in charge of removing the CsrfToken upon
logout.CsrfToken
into forms with hidden inputs when using Spring tag libraries.CsrfTokenRepository to use.
CsrfToken
is associated to the HttpServletRequest.Permission that is constructed at runtime from other permissions.MethodSecurityMetadataSource that is registered
with the GlobalMethodSecurityConfiguration.methodSecurityMetadataSource().
DaoAuthenticationProvider
AuthenticationProvider implementation that retrieves user details from a UserDetailsService.
DataSource to be used.
Object, make an
access control decision or optionally modify the returned Object.
AccessDecisionVoters and grants access
if any AccessDecisionVoter voted affirmatively.
AccessDecisionVoters and upon
completion determines the consensus of granted against denied responses.
AccessDecisionVoters for each ConfigAttribute and grants access if only grant (or abstain) votes were received.
FilterInvocation provides the appropriate level of channel
security based on the requested list of ConfigAttributes.
FilterInvocation provides the appropriate level of channel
security based on the requested list of ConfigAttributes.
Throwable instances.
AuthenticationEntryPoint to be used which prefers
being invoked for the provided RequestMatcher.
servletPath and
pathInfo, which do not contain path parameters (as defined in
RFC 2396).WebSecurityConfigurerAdapter.MethodSecurityExpressionHandler.PermissionFactory.HttpServletRequest.SecurityFilterChain.alwaysUse is true.
Token.AuthenticationEntryPoint which selects a concrete AuthenticationEntryPoint based on a
RequestMatcher evaluation.HeaderWriter when
RequestMatcher.matches(HttpServletRequest) returns true.AsyncTaskExecutor which wraps each Runnable in a DelegatingSecurityContextRunnable and each
Callable in a DelegatingSecurityContextCallable.DelegatingSecurityContextAsyncTaskExecutor that uses the specified SecurityContext.
DelegatingSecurityContextAsyncTaskExecutor that uses the current SecurityContext.
Callable with logic for setting up a SecurityContext before invoking the delegate
Callable and then removing the SecurityContext after the delegate has completed.DelegatingSecurityContextCallable with a specific SecurityContext.
DelegatingSecurityContextCallable with the SecurityContext from the
SecurityContextHolder.
Executor which wraps each Runnable in a DelegatingSecurityContextRunnable.DelegatingSecurityContextExecutor that uses the specified SecurityContext.
DelegatingSecurityContextExecutor that uses the current SecurityContext from the
SecurityContextHolder at the time the task is submitted.
ExecutorService which wraps each Runnable in a DelegatingSecurityContextRunnable and each
Callable in a DelegatingSecurityContextCallable.DelegatingSecurityContextExecutorService that uses the specified SecurityContext.
DelegatingSecurityContextExecutorService that uses the current SecurityContext from
the SecurityContextHolder.
Runnable with logic for setting up a SecurityContext before invoking the delegate
Runnable and then removing the SecurityContext after the delegate has completed.DelegatingSecurityContextRunnable with a specific SecurityContext.
DelegatingSecurityContextRunnable with the SecurityContext from the
SecurityContextHolder.
ScheduledExecutorService which wraps each Runnable in a DelegatingSecurityContextRunnable
and each Callable in a DelegatingSecurityContextCallable.DelegatingSecurityContextScheduledExecutorService that uses the specified
SecurityContext.
DelegatingSecurityContextScheduledExecutorService that uses the current
SecurityContext from the SecurityContextHolder.
SchedulingTaskExecutor which wraps each Runnable in a DelegatingSecurityContextRunnable and each
Callable in a DelegatingSecurityContextCallable.DelegatingSecurityContextSchedulingTaskExecutor that uses the specified SecurityContext.
DelegatingSecurityContextSchedulingTaskExecutor that uses the current SecurityContext.
TaskExecutor which wraps each Runnable in a DelegatingSecurityContextRunnable.DelegatingSecurityContextTaskExecutor that uses the specified SecurityContext.
DelegatingSecurityContextTaskExecutor that uses the current SecurityContext from
the SecurityContextHolder.
String created using
BasePasswordEncoder.mergePasswordAndSalt(String,Object,boolean).
Throwable.
SecurityEnforcementFilter to commence authentication via the DigestAuthenticationFilter.SecurityContextHolder.DisabledException with the specified message.
DisabledException with the specified message
and root cause.
SecurityContext when the HttpServletResponse is
committed.
SecurityConfigurer's that have been applied using the following steps:
Invokes AbstractConfiguredSecurityBuilder.beforeInit() for any subclass to hook into
Invokes SecurityConfigurer.init(SecurityBuilder) for any SecurityConfigurer that was applied to this builder.
Invokes AbstractConfiguredSecurityBuilder.beforeConfigure() for any subclass to hook into
Invokes AbstractConfiguredSecurityBuilder.performBuild() which actually builds the Object
DefaultSavedRequest.
requiresAuthentication
method to determine whether the request is for authentication and should be handled by this filter.
Subject using
JaasApiIntegrationFilter.obtainSubject(ServletRequest).
AbstractAuthorizeTag.authorize() method to
decide if the body of the tag should be skipped or not.
AclCache that delegates to EH-CACHE.User objects using a Spring IoC defined EHCACHE.HttpSessionEventPublisher should be added as a
listener.
HttpServletResponse.encodeRedirectURL(String) or
HttpServletResponse.encodeURL(String), otherwise disallows HTTP
sessions to be included in the URL.
@Configuration class to have the Spring Security
configuration defined in any WebSecurityConfigurer or more likely by extending the
WebSecurityConfigurerAdapter base class and overriding individual methods:
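import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class MyWebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
                // Spring Security should completely ignore URLs starting with /resources/
                .antMatchers("/resources/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // /public/** is open to everyone; every other request requires the USER role
                .antMatchers("/public/**").permitAll()
                .anyRequest().hasRole("USER")
                .and()
            // Possibly more configuration ...
            ;
    }
}

Enumeration around a Java 2 collection Iterator.
java.lang.Object documentation for the interface contract.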
true if the supplied object is a User instance with the
same username value.
credentials, principal and details objects, invoking the
eraseCredentials method on any which implement CredentialsContainer.
AccessDeniedException and AuthenticationException thrown within the
filter chain.PrePostInvocationAttributeFactory which interprets the annotation value as
an expression to be evaluated at runtime.FilterInvocationSecurityMetadataSource.MethodSecurityExpressionHandler that is
registered with the ExpressionBasedPreInvocationAdvice.
SecurityExpressionHandler to be used.
SecurityExpressionHandler to be used.
Throwable.
AuthenticationFailureHandler to use when
authentication fails.
filterTarget object (which must be either a collection or an array), by evaluating the
supplied expression.
Filter requests to a list of Spring-managed filter beans.SecurityMetadataSource implementations
that are designed to perform lookups keyed on FilterInvocations.FilterInvocationSecurityMetadataSource bean for use with a FilterSecurityInterceptor.HttpFirewall interface.flushBuffer()
getDateHeader().
XFrameOptionsHeaderWriter with all the default settings.
CsrfToken
SecurityContextHolder.createEmptyContext() to obtain a new context (there should be
no context present in the holder when this method is called).
ConfigAttributes defined by the implementing class.
SessionRegistry.
ConfigAttribute can be represented as a String and that
String is sufficient in precision to be relied upon as a configuration parameter by a RunAsManager, AccessDecisionManager or AccessDecisionManager delegate, this method should
return such a String.
ConfigAttributes that apply to a given secure object.
Authentication request that caused the event.
AuthenticationManager to indicate the authorities that the principal has been
granted.
GrantedAuthority can be represented as a String and that
String is sufficient in precision to be relied upon for an access control decision by an AccessDecisionManager (or delegate), this method should return such a String.
SecurityBuilder.
CasAuthenticationToken associated with the
specified ticket.
SecurityConfigurer by its class name or
null if not found.
SecurityConfigurer by its class name or
null if not found.
SecurityConfigurer instances by its class name or an
empty List if not found.
SecurityContext.
String
String
alwaysUseDefaultTargetUrl property is set to true.
UserDetailsService for the
AuthenticationManagerBuilder.
WebApplicationContext to find the DelegatingFilterProxy
or null to use the parent ApplicationContext.
MethodSecurityExpressionHandler or creates it using GlobalMethodSecurityConfiguration.expressionHandler.
SecurityExpressionHandler to be used.
SecurityFilterChains instead
Class that generated this event.
HttpSecurity or returns the current instance
SecurityContextHolderStrategy.
NoOpPasswordEncoder.
AbstractSecurityBuilder.build() and AbstractSecurityBuilder.getObject() but checks the state
to determine if AbstractSecurityBuilder.build() needs to be called first.
getOutputStream().close() or
getOutputStream().flush()
String representing this permission.
credentialsRequestHeader is set, this
will be read and used as the credentials value.
principalRequestHeader from the request.
Authentication object, such as a String or UserDetails instance
WebInvocationPrivilegeEvaluator to be used.
SecurityContextHolder.
User to obtain the salt.
SecurityContext instances which were associated with the destroyed session.
DispatcherType for the springSecurityFilterChain.
ServletRequest was received on.
HttpSession id the authentication request was received from.
sessionId.
UserDetailsContextMapper strategy for use by subclasses.
UserDetailsService or null if it is not available
UserDetails from the cache.
Authentication (which is a subclass of Principal), or
null if unavailable.
getWriter().close() or
getWriter().flush()
Configuration for enabling global method security.Authentication object.Authentication object.GrantedAuthoritys for a user by reading a list of attributes that were returned as
part of the CAS response.SimpleGrantedAuthority or implement your own.GrantedAuthority as a Sid.RedirectStrategy with the URL returned by the determineTargetUrl method.
LoginContext.logout() for any which contain a JaasAuthenticationToken.
java.lang.Object documentation for the interface contract.
username.
HttpServletResponseHeadersFilter.HttpServletResponseHttpFirewall.
HttpFirewall bean reference into the FilterChainProxy.SecurityContextRepository.loadContext(HttpRequestResponseHolder),
allowing the method to swap the request for a wrapped version, as well as returning the SecurityContext
value.
HttpSecurity is similar to Spring Security's XML
HttpSecurity will be used for
HttpSessionEventPublisher when an HttpSession is created by the container
CsrfTokenRepository that stores the CsrfToken in the HttpSession.
HttpSessionEventPublisher when an HttpSession is created in the container
RequestCache which stores the SavedRequest in the HttpSession.
SecurityContextRepository implementation which stores the security context in the HttpSession
between requests.HstsHeaderWriter.
IdentityUnavailableException with the specified message.
IdentityUnavailableException with the specified message
and root cause.
RequestMatcher instances that Spring
Security should ignore.
SecurityBuilder.
PreAuthenticatedAuthenticationProvider into
HttpSecurity.authenticationProvider(org.springframework.security.authentication.AuthenticationProvider)
and a Http403ForbiddenEntryPoint into
HttpSecurity#authenticationEntryPoint(org.springframework.security.web.AuthenticationEntryPoint)
Throwables and ThrowableCauseExtractors.
LoginModule.
UserDetailsService.
AuthenticationManagerBuilder
and return an InMemoryUserDetailsManagerConfigurer to
allow customization of the in memory authentication.
AppConfigurationEntrys.
AppConfigurationEntrys along with a default configuration that
will be used if no mapping is found for the given login context name.
Resource interface.UserDetailsManager which is backed by an in-memory map.AuthenticationManagerBuilder to
have in memory authentication.HttpServletRequest.isSecure() responses.Filters before existing Filters
using default generated names, AbstractSecurityWebApplicationInitializer.getSecurityDispatcherTypes(), and
AbstractSecurityWebApplicationInitializer.isAsyncSecuritySupported().
InsufficientAuthenticationException with the
specified message.
InsufficientAuthenticationException with the
specified message and root cause.
AbstractSecurityInterceptor subclasses.SecurityContextLogoutHandler to invalidate the HttpSession at the time of logout.
CsrfToken is found in the HttpServletRequest
SessionManagementFilter when an invalid session Id is submitted and
detected in the SessionManagementFilter.
SessionManagementFilter with a
SimpleRedirectInvalidSessionStrategy configured with the attribute value.
InvocationTargetException instances.
MethodInvocation.
Authentication token represents an anonymous user.
AbstractSecurityInterceptor whether it should present the
authentication token to the AuthenticationManager.
saveContext() because of this wrapper.
Acl.getParentAcl() should flow down into the current
Acl.
PermissionGrantingStrategy.
Acl grants access
based on the supplied list of permissions and sids.
Authentication token represents user that has been remembered
(i.e.
renew parameter should be sent to the CAS login URL and CAS
validation URL.
GrantedAuthority.getAuthority().
HttpServletRequest.isUserInRole(String)) into GrantedAuthoritys and stores these in the authentication
details object.MappableAttributesRetriever
J2eePreAuthenticatedProcessingFilter to
use.
Filter which attempts to obtain a JAAS Subject
and continue the FilterChain running as that
Subject.JaasAuthenticationProvider.AuthenticationProvider implementation that retrieves user details from a JAAS login configuration.JaasAuthenticationProvider
after successfully logging the user into the LoginContext, handling all callbacks, and calling all
AuthorityGranters.GrantedAuthority which, in addition to the assigned role, holds the principal that an
AuthorityGranter used as a reason to grant this authority.AclService.AuthenticationManagerBuilder and
return a JdbcUserDetailsManagerConfigurer to allow customization of the
JDBC authentication.
MutableAclService.AuthenticationManagerBuilder to
have JDBC authentication.Tag implementation of AbstractAuthorizeTag.TokenService that is compatible with clusters and across machine restarts,
without requiring database persistence.AuthenticationManagerBuilder and
return a LdapAuthenticationProviderConfigurer to allow
customization of the LDAP authentication.
AuthenticationProvider implementation that authenticates
against an LDAP server.AuthenticationProvider in the ProviderManagerBuilder.BaseLdapPathContextSource and optionally
creating an embedded LDAP instance.ShaPasswordEncoder which supports Ldap SHA and SSHA (salted-SHA) encodings.LdapUserSearch
and an LdapAuthoritiesPopulator.CsrfToken from the HttpServletRequest
memberOf attribute obtained from the user's
Active Directory entry.
UserDetails via the supplied CAS
assertion.
LockedException with the specified message.
LockedException with the specified message and
root cause.
Subject (phase one) by extracting the Spring Security
Authentication from the current SecurityContext.
ExceptionTranslationFilter to commence a form login
authentication via the UsernamePasswordAuthenticationFilter.Subject.
LogoutHandler.
CsrfToken
LogoutSuccessHandler to use.
LogoutFilter, to handle redirection or
forwarding to the appropriate destination.AclService.HttpServletRequest to the
UserDetails.
HttpServletRequest to the
UserDetails.
HttpServletRequest to the
UserDetails and automatically prefixes it with "ROLE_".
RequestMatcher types supported by the namespace.servletPath + pathInfo + queryString) against
the compiled pattern.
SessionManagementConfigurer.maximumSessions(int) has been reached.
HttpServletRequest based upon the MediaType's
resolved from a ContentNegotiationStrategy.String.
MethodSecurityMetadataSourceAdvisor to be used.
MethodSecurityExpressionHandler to be used.
MethodInvocation instances.MethodInvocations usable within Spring Security.SecurityMetadataSource implementations
that are designed to perform lookups keyed on Methods.MethodSecurityMetadataSource that will be
used.
MethodSecurityMetadataSource, used to exclude a MethodSecurityInterceptor from
public (non-secure) methods.HttpSession should be
retained.
Acl instances.HttpSession should not be
retained.
NonceExpiredException with the specified
message.
NonceExpiredException with the specified
message and root cause.
NotFoundException with the specified message.
NotFoundException with the specified message
and root cause.
NullRememberMeServices that does nothing.StatelessTicketCache that has no backing cache.ObjectIdentity from an object identifier (such as a primary key)
and type information.ObjectIdentity.ObjectIdentityImpl based on the passed
object instance.
ObjectIdentity
will be returned for a particular domain object
ObjectIdentityRetrievalStrategy and ObjectIdentityGenerator
that uses the constructors of ObjectIdentityImpl to create the ObjectIdentity.ObjectPostProcessor to use.
Configuration that exports the default
ObjectPostProcessor.HttpServletRequest.
PlaintextPasswordEncoder.encodePassword(String, Object)
String.
Subject to run as or null if no
Subject is available.
defaultFailureUrl if set, otherwise returns a 401 error code.
handle() method to forward or redirect to the target URL, and
then calls clearAuthenticationAttributes() to remove any leftover session data.
RememberMeServices
autoLogin method and the AuthenticationManager.
AuthenticationManager rejects the authentication object returned from the
RememberMeServices autoLogin method.
AxFetchListFactory version instead.
OpenIDAttribute
AccessDecisionManager interface.
@Secured annotations.
@PreAuthorize, @PreFilter,
@PostAuthorize and @PostFilter annotations.
MethodInvocations, such as via Spring AOP.
JoinPoints, delegating secure object callbacks to the calling aspect.
SecurityMetadataSource implementations for securing Java method invocations via different
AOP libraries.
@PreAuthorize, @PreFilter, @PostAuthorize
and @PostFilter annotations.
AuthenticationProvider which relies upon a data access object.
Authentication object.
AuthenticationProvider that can process CAS service tickets and proxy tickets.
GrantedAuthority interface.
GrantedAuthoritys.
org.springframework.security.core.session.SessionInformation
SessionInformation class.
UserCache.
org.springframework.security.core.userdetails.UserDetailsService UserDetailsService.
LdapUserSearch implementations.
UserDetails implementations which map from a subset of the data
contained in some of the standard LDAP types (such as InetOrgPerson).
HttpInvoker extension points to
present the principal and credentials located
in the ContextHolder via BASIC authentication.SecurityContextHolder (which
should contain an Authentication request token) from one JVM to the remote JVM.HttpServletRequest which requires authentication.HttpServletRequestWrapper.HttpSession events and publisher classes.AuthenticationManager that will be
tried if this AuthenticationManager was unable to attempt to
authenticate the provided Authentication.
LdapAuthenticator which compares the login
password with the value stored in the directory using a remote LDAP "compare" operation.PasswordEncoder
instead which better accommodates best practice of randomly
generated salt that is included with the password.PasswordEncoder to use.
PasswordEncoder to be used when authenticating with
password comparison.
PasswordPolicyControl to make use of user account data stored in the directory.Permission instances from integer masks.Acl.AbstractAuthenticationFilterConfigurer.failureUrl(String) and
#authenticationUrls(String) are granted access to any user.
LogoutConfigurer.permitAll(boolean) with true as an argument.
LogoutConfigurer.logoutSuccessUrl(String) and the LogoutConfigurer.logoutUrl(String) for every user.
RememberMeServices implementation based on Barry Jaspan's
Improved Persistent Login Cookie
Best Practice.PersistentTokenBasedRememberMeServices to store the persistent
login tokens for a user.PortMapper that is available from
AbstractConfiguredSecurityBuilder.getSharedObject(Class).
PortMapper instance.
PortMapper implementations provide callers with information
about which HTTP ports are associated with which HTTPS ports on the system,
and vice versa.PortMapper instance used to determine the
ports when redirecting between HTTP and HTTPS.PortMapper that obtains HTTP:HTTPS pairs from the application context.PortResolver determines the port a web request was received
on.PortResolver that obtains the port from ServletRequest.getServerPort().PostInvocationAuthorizationAdvice instance
passing it the PostInvocationAttribute created from @PostAuthorize and @PostFilter annotations.Authentication implementation for pre-authenticated
authentication.PreInvocationAuthorizationAdvice to be used.
Authentication objects of anonymous users
Authentication.getPrincipal() as a Sid.WebInvocationPrivilegeEvaluator to be used.
WebInvocationPrivilegeEvaluator that is necessary for the JSP tag support.
Authentication request through a list of AuthenticationProviders.ProviderManagerProviderManager if no AuthenticationProvider could be found that supports the
presented Authentication object.ProviderNotFoundException with the specified
message.
JaasAuthenticationFailedEvent.
JaasAuthenticationFailedEvent.
JaasAuthenticationSuccessEvent.
CasAuthenticationToken to the cache.
UserDetails in the cache.
ObjectPostProcessor
AclService.readAclsById(List) except it returns only a single Acl.
AclService.readAclsById(List, List) except it returns only a single Acl.
HttpBasicConfigurer.authenticationEntryPoint(AuthenticationEntryPoint)
specifying a BasicAuthenticationEntryPoint with the specified
realm name.
User object.sessionId so its last request time is equal to the present date and time.
HttpSecurity to only be invoked when
matching the provided regex pattern.
List of RegexRequestMatcher instances.
List of RegexRequestMatcher instances that do not
specify an HttpMethod.
HttpServletRequest.Pattern instance to match against the request.
WebSecurityConfigurerAdapter.authenticationManager() to attempt to obtain an
AuthenticationManager.
ThrowableCauseExtractor for the specified type.
Permission for a given class.
SessionRegistry after
successful Authentication.Authentication object in the SecurityContext, and populates the context with
a remember-me authentication token if a RememberMeServices implementation so requests.AuthenticationProvider implementation that validates RememberMeAuthenticationTokens.Authentication.RememberMeServices to use.
RemoteAuthenticationManager cannot validate the presented authentication request.RemoteAuthenticationException with the
specified message and no root cause.
RemoteAuthenticationManager to validate an authentication request.SecurityConfigurer by its class name or
null if not found.
SecurityConfigurer by its class name or
null if not found.
SecurityConfigurer instances by its class name or an
empty List if not found.
sessionId.
StatelessTicketCache.removeTicketFromCache(String).
RequestCache to be used.
HttpSecurity to only be invoked when
matching the provided RequestMatcher.
RequestMatcher instances with the AbstractRequestMatcherMappingConfigurer
HttpServletRequest instances this
HttpSecurity will be invoked on.
RequestMatcher to use for determining when CSRF
should be applied.
AbstractAuthenticationProcessingFilter.setRequiresAuthenticationRequestMatcher(RequestMatcher) instead
UserDetails from an implementation-specific
location, with the option of throwing an AuthenticationException immediately if the presented
credentials are incorrect (this is especially useful if it is necessary to bind to a resource as the user in
order to obtain or generate a UserDetails).
RoleHierarchy definition to determine the
roles allocated to the current user before voting.ConfigAttribute.getAttribute() starts with a prefix
indicating that it is a role.AuthenticationProvider implementation that can authenticate a RunAsUserToken.Authentication object for the current secure
object invocation only.RunAsManager for the default implementation of
GlobalMethodSecurityConfiguration.methodSecurityInterceptor().
RunAsManager.Authentication implementation that supports RunAsManagerImpl.SecurityContext when a sendError(), sendRedirect,
getOutputStream().close(), getOutputStream().flush(), getWriter().close(), or
getWriter().flush() happens on the same thread that this
SaveContextOnUpdateOrErrorResponseWrapper was created.DefaultSavedRequest which may have been stored in
the session by the ExceptionTranslationFilter.AuthenticationException for use in view rendering.
CsrfToken using the HttpServletRequest and
HttpServletResponse.
HttpServletRequest.isSecure() responses.Secured annotation.BytesKeyGenerator that uses a SecureRandom to generate keys of 8 bytes in length.
BytesKeyGenerator that uses a SecureRandom to generate keys of a custom length.
SecureRandom instance.ConfigAttribute as a String.SecurityBuilder.SecurityConfigurer that allows subclasses to only
implement the methods they are interested in.SecurityContext on the
SecurityContextHolder between HttpServletRequest's.
Callable support.SecurityContextCallableProcessingInterceptor that uses the SecurityContext from the
SecurityContextHolder at the time SecurityContextCallableProcessingInterceptor.beforeConcurrentHandling(NativeWebRequest, Callable) is invoked.
SecurityContextCallableProcessingInterceptor with the specified SecurityContext.
SecurityContext found on the
SecurityContextHolder for each request by configuring the
SecurityContextPersistenceFilter.SecurityContext with the current execution thread.Filter which populates the ServletRequest with a request wrapper
which implements the servlet API security methods.HttpServletRequestWrapper, which uses the
SecurityContext-defined Authentication object to implement the servlet API security
methods:
SecurityContextHolderAwareRequestWrapper.getUserPrincipal()
SecurityContextHolderAwareRequestWrapper.isUserInRole(String)
HttpServletRequestWrapper.getRemoteUser().
SecurityContext.LoginModule that uses a Spring Security SecurityContext to provide authentication.SecurityContextHolder.SecurityContextHolder with information obtained from
the configured SecurityContextRepository prior to the request and stores it back in the repository
once the request has completed and clearing the context holder.SecurityContextRepository that is to be used
SecurityContext between requests.HttpServletRequest.FilterSecurityInterceptor.
ConfigAttributes that applies to a given secure object
invocation.sendError()
sendError()
sendRedirect()
CasAuthenticationProvider to provide the correct
service url to authenticate the ticket, the returned value of
Authentication.getDetails() should implement this interface when
tickets can be sent to any URL rather than only
ServiceProperties.getService().AuthenticationDetailsSource that is set on the
CasAuthenticationFilter should return a value that implements
ServiceAuthenticationDetails if the application needs to authenticate
dynamic service urls.HttpServletRequest methods with the values found
on the SecurityContext.
HttpServletRequest using the SecurityContext from the SecurityContextHolder.SessionAuthenticationStrategy.
HttpSessionCreatedEvent to the application
appContext.
SessionCreationPolicy
HttpSessionDestroyedEvent to the application
appContext.
SessionAuthenticationStrategy when using < Servlet 3.1.SessionAuthenticationStrategy to perform any session-related activity such as
activating session-fixation protection mechanisms or checking for multiple concurrent logins.SessionRegistry implementation used.
SessionInformation instances.SessionRegistry
which listens for SessionDestroyedEvents
published in the Spring application context.AccessDeniedHandler that should be used when CSRF protection fails.
AbstractSecurityInterceptor should
ignore the Authentication.isAuthenticated() property.
true, will always redirect to the value of defaultTargetUrl
(defaults to false).
Authentication.isAuthenticated() for a full description.
AuthenticationEntryPoint used when integrating HttpServletRequest with Servlet 3 APIs.
AuthenticationFailureHandler to distinguish between
handling proxy ticket authentication failures and service ticket
failures.
AuthenticationManager used when integrating HttpServletRequest with Servlet 3 APIs.
UserDetails for the authenticated OpenID user.
SecurityBuilder to be used.
Authentication from the SecurityContext to prevent issues with concurrent
requests.
extraInformation property is deprecated
SecurityContext with the current thread of execution.
AbstractAuthenticationProcessingFilter.successfulAuthentication(HttpServletRequest, HttpServletResponse,
Authentication), which may be useful in certain environments (such as
Tapestry applications).
true, any AuthenticationException raised by the AuthenticationManager will be
swallowed, and the request will be allowed to proceed, potentially using alternative authentication mechanisms.
BadCredentialsException.
AuthenticationProvider using a GrantedAuthoritiesMapper.
createEmptySubject.
true, indicates that it is permitted to store the target
URL and exception information in a new HttpSession (the default).
AuthenticationProvider using a GrantedAuthoritiesMapper.
alwaysUseDefaultTargetUrl property is set to true.
SearchControls instance used in the search.
Acl.isEntriesInheriting().
Authentication which implements the CredentialsContainer interface
will have its eraseCredentials method called before it is returned
from the authenticate() method.
List<SecurityFilterChain> instead.
SecurityConfigurer<FilterChainProxy, WebSecurityBuilder> instances used to create the web configuration.
AbstractAuthenticationProcessingFilter.setRequiresAuthenticationRequestMatcher(RequestMatcher) instead
CsrfToken is expected to appear on
and the header that the response will contain the CsrfToken.
AbstractUserDetailsAuthenticationProvider throws a
BadCredentialsException if a username is not found or the password is incorrect.
MediaType to ignore from the
ContentNegotiationStrategy.
EnableGlobalMethodSecurity if this class was imported using the EnableGlobalMethodSecurity annotation.
HttpSession to be invalidated when this LogoutHandler is invoked.
LogoutHandlers used when integrating with HttpServletRequest with Servlet 3 APIs.
MessageSource used for reporting errors back to the user
when the user has exceeded the maximum number of authentications.
HttpServletRequest parameter name that the CsrfToken is expected to appear on
PermissionFactory instance which will be used to convert loaded permission
data values to Permissions.
UserDetails for the authenticated user.
AuthenticationFailureHandler for proxy requests.
AuthorizationFailureEvent will be published.
Configuration#refresh() will be made by #configureJaas(Resource)
method.
AbstractSecurityInterceptor has a configuration
attribute defined.
RequestMatcher used to determine if the
"Strict-Transport-Security" should be added.
RequestMatcher that is used to determine if CSRF
protection should be applied.
extractAttributes method instead
return_to URL which is assembled by OpenIDAuthenticationFilter.buildReturnToUrl(javax.servlet.http.HttpServletRequest).
ROLE_ to be overridden.
ROLE_ to be overridden.
AuthenticationProvider using a GrantedAuthoritiesMapper.
SecureRandom
instance.
HttpSession attribute name that the CsrfToken is stored in
SecurityConfigurer.
SecurityConfigurer.
MediaType, else uses
MediaType.isCompatibleWith(MediaType).
loginFormUrl using the RequestDispatcher,
instead of a 302 redirect.
UserDetails object obtained for
the user when processing a remember-me cookie to automatically log in a user.
AbstractLdapAuthenticationProvider.createSuccessfulAuthentication(org.springframework.security.authentication.UsernamePasswordAuthenticationToken, org.springframework.security.core.userdetails.UserDetails) method.
UserDetails for the authenticated OpenID user.
true the Referer header will be used (if available).
true (the default), indicates the JdbcDaoImpl.getUsersByUsernameQuery() returns a username
in response to a query.
UserMap to reflect the Properties instance passed.
UserMap.
byte[].
byte[].
ShaPasswordEncoder encoder = new ShaPasswordEncoder(256); initializes with SHA-256
BytesKeyGenerator that returns a single, shared SecureRandom key of a custom length.
Sid instances applicable
for an Authentication.SidRetrievalStrategy that creates a Sid for the principal, as well as
every granted authority the principal holds.GrantedAuthoritiesMapper which allows for case conversion of the authority name
and the addition of a string prefix (which defaults to ROLE_).GrantedAuthority.MethodInvocation.SessionManagementFilter.defaultFailureUrl property when the onAuthenticationFailure method is called.AbstractAuthenticationTargetUrlRequestHandler
base class logic.WebAttributes directly.
AuthenticationFailureHandler
AclCache that delegates to Cache implementation.Cache.UserDetails instances in a Spring defined Cache.SecurityContextHolder.MessageSource used by Spring Security.PasswordEncoder implementation that uses SHA-256 hashing with 1024 iterations and a
random 8-byte salt value.AllowFromStrategyHeaderWriter implementation which writes the same Header instance.StringKeyGenerator that hex-encodes SecureRandom keys of 8 bytes in length.
X509Certificate.getSubjectDN()).AbstractAuthenticationProcessingFilter.successfulAuthentication(HttpServletRequest, HttpServletResponse, FilterChain, Authentication) instead.
Authentication instance returned by the
authentication manager into the secure context.
AuthenticationSuccessHandler to be used.
AccessDecisionManager is able to process authorization requests
presented with the passed ConfigAttribute.
AccessDecisionManager implementation is able to provide access
control decisions for the indicated secured object type.
AccessDecisionVoter is able to vote on the passed ConfigAttribute.
AccessDecisionVoter implementation is able to provide access control
votes for the indicated secured object type.
AfterInvocationProvider is able to participate in a decision
involving the passed ConfigAttribute.
AfterInvocationProvider is able to provide "after invocation"
processing for the indicated secured object type.
Jsr250SecurityConfig.
AfterInvocationManager is able to process "after invocation"
requests presented with the passed ConfigAttribute.
AfterInvocationManager implementation is able to provide access
control decisions for the indicated secured object type.
AfterInvocationProviders and ensures each can support the presented
class.
RunAsManager is able to process the passed
ConfigAttribute.
RunAsManager implementation is able to provide run-as replacement for
the indicated secure object type.
SecurityMetadataSource implementation is able to provide
ConfigAttributes for the indicated secure object type.
AccessDecisionVoters and ensures each can support the presented class.
MethodSecurityInterceptor, because it queries the
presented MethodInvocation.
true if this AuthenticationProvider supports the indicated
Authentication object.
ChannelDecisionManager is able to process the passed
ConfigAttribute.
ChannelProcessor is able to process the passed
ConfigAttribute.
GrantedAuthority list that will be assigned to the principal
when they assume the identity of a different principal.GrantedAuthority used by
SwitchUserFilterString as the salt.AuthenticationProvider implementation for the TestingAuthenticationToken.Authentication implementation that is designed for use whilst unit testing.Throwable instances.ThrowableAnalyzer instance.
Throwable type.TokenService.PersistentTokenRepository to use.
AccessDecisionManager that requires all
voters to abstain or grant access.Acl cannot perform an operation because it only loaded a subset of Sids and
the caller has requested details for an unloaded Sid.NotFoundException with the specified message.
NotFoundException with the specified message
and root cause.
Acl in the database.
DefaultFilterInvocationSecurityMetadataSource.RequestMatcher instances to ConfigAttribute instances.UserDetailsService.true.
User with the details required by
DaoAuthenticationProvider.
InMemoryDaoImpl to temporarily store the attributes associated with a user.UserAttribute from a comma separated list of values.UserCache to use
UserDetails objects.UserDetailsService for using as a default value with AuthenticationManagerBuilder.UserDetailsService
as the service to delegate to.
UserDetailsService to check the status of the loaded
UserDetails object.DirContextOperations implementation.UserDetailsService which provides the ability
to create new users and update existing ones.AuthenticationManagerBuilder with a
UserDetailsManager.UserDetailsService that
is passed in.
UserDetailsService from
WebSecurityConfigurerAdapter.userDetailsServiceBean() without interacting with the
ApplicationContext.
UserDetailsService used to look up the
UserDetails when a remember me token is valid.
X509Configurer.authenticationUserDetailsService(AuthenticationUserDetailsService) with a UserDetailsByNameServiceWrapper.
UserDetailsService to be used
UserDetailsService created from
WebSecurityConfigurerAdapter.registerAuthentication(AuthenticationManagerBuilder) as a bean.
UserDetailsService within an AuthenticationManagerBuilder.RoleHierarchyVoter or use a RoleHierarchyAuthoritiesMapper to populate the
Authentication object with the additional authorities.RoleHierarchyVoter or RoleHierarchyAuthoritiesMapper instead.UserDetailsService implementation cannot locate a User by its username.UsernameNotFoundException with the specified
message.
UsernameNotFoundException with the specified message and root cause.
Authentication implementation that is designed for simple presentation
of a username and password.UsernamePasswordAuthenticationToken, as the AbstractAuthenticationToken.isAuthenticated() will return false.
AuthenticationManager or AuthenticationProvider
implementations that are satisfied with producing a trusted (i.e.
Token.getKey() was issued by this TokenService and
reconstructs the corresponding Token.
WebInvocationPrivilegeEvaluator
SecurityContext and Spring Web's WebAsyncManager by using the
SecurityContextCallableProcessingInterceptor.beforeConcurrentHandling(org.springframework.web.context.request.NativeWebRequest, Callable)
to populate the SecurityContext on the Callable.AuthenticationDetailsSource which builds the details object from
an HttpServletRequest object, creating a WebAuthenticationDetails.WebSecurity is created by WebSecurityConfiguration
to create the FilterChainProxy known as the Spring Security Filter
Chain (springSecurityFilterChain).RequestMatcher instances that should be
ignored by Spring Security.WebSecurity to create the FilterChainProxy that
performs the web based security for Spring Security.WebSecurity.WebSecurityConfigurer
instance.WebXmlMappableAttributesRetriever.getMappableAttributes().ObjectPostProcessor for this class.
ObjectPostProcessor for this class.
ObjectPostProcessor for this class.
ObjectPostProcessor for this class.
UserDetailsManager that is being created.
Header instance.
X509AuthenticationFilter.
StaticHeadersWriter that inserts headers to prevent content
sniffing.HeaderWriter implementation for the X-Frame-Options headers.XFrameOptionsHeaderWriter.XFrameOptionsMode.DENY
XFrameOptionsHeaderWriter.XFrameOptionsMode.ALLOW_FROM.
XXssProtectionHeaderWriter.