The <global-method-security> element is the primary means of adding support for securing methods on Spring beans. Methods can be secured by the use of annotations (defined at the interface or class level) or by defining a set of pointcuts as child elements, using AspectJ syntax.
Method security uses the same AccessDecisionManager configuration as web security, but this can be overridden with the access-decision-manager-ref attribute, as explained for that attribute above.
The secured-annotations and jsr250-annotations attributes enable support for Spring Security's own @Secured annotations and for JSR-250 annotations, respectively, when set to "enabled". Both are disabled by default. Enabling JSR-250 annotations also adds a Jsr250Voter to the AccessDecisionManager which the namespace creates; if you supply your own AccessDecisionManager via access-decision-manager-ref and want to use these annotations, you must register a Jsr250Voter on it yourself, otherwise the JSR-250 attributes will never be voted on.
Rather than defining security attributes on an individual method or class basis using the @Secured annotation, you can define cross-cutting security constraints across whole sets of methods and interfaces in your service layer using the <protect-pointcut> element. This has two attributes:
expression - the AspectJ pointcut expression selecting the methods to protect
access - the security attributes (for example a comma-separated list of role names) which apply to the matched methods
You can find an example in the namespace introduction.
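The following configuration is an added example, not taken from the original reference manual: it enables both annotation types, adds two non-overlapping pointcut constraints, and overrides the default AccessDecisionManager with one that explicitly includes the Jsr250Voter which the namespace would otherwise have added for you. The package names, bean id and role names are assumed for illustration; the class names are those of Spring Security 3.0.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- Enable @Secured and JSR-250 (@RolesAllowed, @PermitAll, @DenyAll) annotations;
       both are "disabled" by default. Because access-decision-manager-ref replaces the
       default AccessDecisionManager, the Jsr250Voter has to be registered by hand below. -->
  <global-method-security secured-annotations="enabled"
                          jsr250-annotations="enabled"
                          access-decision-manager-ref="methodAccessDecisionManager">
    <!-- Cross-cutting constraints in AspectJ syntax instead of per-method annotations.
         The packages com.example.service and com.example.admin are assumed. -->
    <protect-pointcut expression="execution(* com.example.service.*Service.*(..))"
                      access="ROLE_USER"/>
    <protect-pointcut expression="execution(* com.example.admin.*Service.*(..))"
                      access="ROLE_ADMIN"/>
  </global-method-security>

  <!-- Custom AccessDecisionManager. The bean id is assumed. -->
  <beans:bean id="methodAccessDecisionManager"
      class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:property name="decisionVoters">
      <beans:list>
        <!-- RoleVoter votes on ROLE_* attributes from @Secured and
             from <protect-pointcut access="..."/>. -->
        <beans:bean class="org.springframework.security.access.vote.RoleVoter"/>
        <!-- Jsr250Voter votes on the attributes produced by JSR-250 annotations;
             the namespace only adds it to the default manager it creates itself. -->
        <beans:bean class="org.springframework.security.access.annotation.Jsr250Voter"/>
      </beans:list>
    </beans:property>
  </beans:bean>
</beans:beans>
```

A quick check that the override is complete: call a method annotated with @RolesAllowed("ROLE_USER") as an authenticated user holding that role. If the Jsr250Voter is missing from the custom manager, AffirmativeBased receives only abstentions and denies access, which is the failure mode the paragraph above warns about.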
LDAP is covered in some detail in its own chapter. We will expand on that here with some explanation of how the namespace options map to Spring beans. The LDAP implementation uses Spring LDAP extensively, so some familiarity with that project's API may be useful.
The <ldap-server> element sets up a Spring LDAP ContextSource for use by the other LDAP beans, defining the location of the LDAP server and other information (such as a username and password, if it doesn't allow anonymous access) for connecting to it. It can also be used to create an embedded server for testing. Details of the syntax for both options are covered in the LDAP chapter.
The actual ContextSource implementation is DefaultSpringSecurityContextSource, which extends Spring LDAP's LdapContextSource class. The manager-dn and manager-password attributes map to the latter's userDn and password properties respectively.
If you only have one server defined in your application context, the other LDAP namespace-defined beans will use it automatically. Otherwise, you can give the element an "id" attribute and refer to it from other namespace beans using the server-ref attribute. This id is also the bean id of the ContextSource instance, so you can inject it into other traditional Spring beans in the usual way.
The <ldap-authentication-provider> element is shorthand for the creation of an LdapAuthenticationProvider instance. By default this will be configured with a BindAuthenticator instance and a DefaultLdapAuthoritiesPopulator.
If your users are at a fixed location in the directory (i.e. you can work out the DN directly from the username without doing a directory search), you can use the user-dn-pattern attribute to map directly to the DN. It maps directly to the userDnPatterns property of AbstractLdapAuthenticator.
If you need to perform a search to locate the user in the directory, then you can set the user-search-base and user-search-filter attributes to control the search. The BindAuthenticator will be configured with a FilterBasedLdapUserSearch and the attribute values map directly to the first two arguments of that bean's constructor. If these attributes aren't set and no user-dn-pattern has been supplied as an alternative, then the default search values of user-search-filter="(uid={0})" and user-search-base="" will be used.
The value of group-search-base is mapped to the groupSearchBase constructor argument of DefaultLdapAuthoritiesPopulator and defaults to "ou=groups". The group-search-filter attribute maps to the groupSearchFilter property and defaults to "(uniqueMember={0})", which assumes that the group entries are of type "groupOfUniqueNames"; the {0} placeholder is replaced with the full DN of the authenticated user, so a directory whose groups store member uids rather than DNs needs a different filter. group-role-attribute maps to the groupRoleAttribute property and defaults to "cn". Similarly role-prefix maps to rolePrefix and defaults to "ROLE_".
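The two elements described above, as an added example that is not part of the original manual: an <ldap-server> with an explicit id, an <ldap-authentication-provider> that locates users by search, and then the same provider written out as ordinary beans so that the attribute-to-property mapping is visible. The host name, base DN, manager credentials and search bases are assumed; the class names and packages are those of Spring Security 3.0, in which the provider sits inside <authentication-manager>.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- Creates a DefaultSpringSecurityContextSource. Since it carries an id, other
       namespace beans must name it with server-ref; with a single unnamed server they
       would pick it up automatically. Host, base DN and credentials are assumed. -->
  <ldap-server id="contextSource"
      url="ldap://ldap.example.com:389/dc=example,dc=com"
      manager-dn="cn=manager,dc=example,dc=com"
      manager-password="managerpassword"/>

  <authentication-manager>
    <!-- Users are found by search, so BindAuthenticator gets a
         FilterBasedLdapUserSearch("ou=people", "(uid={0})", contextSource).
         The group-* attributes configure the DefaultLdapAuthoritiesPopulator. -->
    <ldap-authentication-provider server-ref="contextSource"
        user-search-base="ou=people"
        user-search-filter="(uid={0})"
        group-search-base="ou=groups"
        group-search-filter="(uniqueMember={0})"
        group-role-attribute="cn"
        role-prefix="ROLE_"/>
  </authentication-manager>

  <!-- What the two namespace elements above expand to. These beans are defined here
       only to show the mapping; to use them instead of the namespace provider you
       would reference explicitLdapProvider from <authentication-provider ref="..."/>. -->
  <beans:bean id="explicitContextSource"
      class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg value="ldap://ldap.example.com:389/dc=example,dc=com"/>
    <!-- manager-dn / manager-password -->
    <beans:property name="userDn" value="cn=manager,dc=example,dc=com"/>
    <beans:property name="password" value="managerpassword"/>
  </beans:bean>

  <beans:bean id="explicitLdapProvider"
      class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
        <beans:constructor-arg ref="explicitContextSource"/>
        <!-- user-search-base / user-search-filter: first two constructor arguments -->
        <beans:property name="userSearch">
          <beans:bean class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
            <beans:constructor-arg index="0" value="ou=people"/>
            <beans:constructor-arg index="1" value="(uid={0})"/>
            <beans:constructor-arg index="2" ref="explicitContextSource"/>
          </beans:bean>
        </beans:property>
      </beans:bean>
    </beans:constructor-arg>
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
        <beans:constructor-arg ref="explicitContextSource"/>
        <!-- group-search-base -->
        <beans:constructor-arg value="ou=groups"/>
        <beans:property name="groupSearchFilter" value="(uniqueMember={0})"/>
        <beans:property name="groupRoleAttribute" value="cn"/>
        <beans:property name="rolePrefix" value="ROLE_"/>
      </beans:bean>
    </beans:constructor-arg>
  </beans:bean>
</beans:beans>
```

The manager credentials are only needed for the user search and the group lookup; the user's own password is never sent to the directory except in the bind that BindAuthenticator performs as the located DN, which is why the bind strategy is the default.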
The <password-compare> element is used as a child element of <ldap-authentication-provider> and switches the authentication strategy from BindAuthenticator to PasswordComparisonAuthenticator. It can optionally be supplied with a hash attribute or with a child <password-encoder> element to hash the password before submitting it to the directory for comparison. The chosen hash must match the format in which the directory stores the password attribute, otherwise every comparison will fail.
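The password-comparison variant, as an added example that is not part of the original manual. This fragment is meant to replace the <authentication-manager> block in the previous example and reuses its contextSource server; the DN pattern and the assumption that the directory stores SHA-hashed passwords are made up for illustration. Class names are those of Spring Security 3.0.

```xml
  <authentication-manager>
    <!-- A fixed user DN pattern, so no user search is configured. -->
    <ldap-authentication-provider server-ref="contextSource"
        user-dn-pattern="uid={0},ou=people"
        group-search-base="ou=groups">
      <!-- Switches from BindAuthenticator to PasswordComparisonAuthenticator. The
           submitted password is SHA-hashed first, which only works if that is how the
           directory stores the password attribute (assumed here). -->
      <password-compare hash="sha"/>
    </ldap-authentication-provider>
  </authentication-manager>

  <!-- The authenticator that <password-compare hash="sha"/> stands for, written out
       as a bean to show the mapping (not wired into the manager above). -->
  <beans:bean id="explicitPasswordComparisonAuthenticator"
      class="org.springframework.security.ldap.authentication.PasswordComparisonAuthenticator">
    <beans:constructor-arg ref="contextSource"/>
    <!-- user-dn-pattern maps to userDnPatterns on AbstractLdapAuthenticator -->
    <beans:property name="userDnPatterns">
      <beans:list>
        <beans:value>uid={0},ou=people</beans:value>
      </beans:list>
    </beans:property>
    <!-- hash="sha" selects a SHA password encoder -->
    <beans:property name="passwordEncoder">
      <beans:bean class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/>
    </beans:property>
  </beans:bean>
```

If the directory uses a different storage format, replace the hash attribute with a child <password-encoder ref="..."/> pointing at a matching encoder bean rather than leaving it unset; an unmatched format simply produces authentication failures for every user.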