git.argeo.org Git - lgpl/argeo-commons.git/blob - server/modules/org.argeo.jackrabbit.webapp/WEB-INF/security-filters.xml
Improve WebDav
1 <?xml version="1.0" encoding="UTF-8"?>
2 <beans xmlns="http://www.springframework.org/schema/beans"
3 xmlns:sec="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
4 xmlns:aop="http://www.springframework.org/schema/aop"
5 xsi:schemaLocation="
6 http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
7 http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
8
<!-- Filter chains for the "davex" endpoint. Patterns are Ant-style and are tried
     in the order listed. Paths matching "/*/*/*/**" run the authenticating chain
     (session, x509, basic, exception, interceptor); paths matching "/*/*/" run
     only the anonymous and exception filters.
     NOTE(review): there is no closing "/**" entry. Confirm how FilterChainProxy
     treats a request that matches neither pattern; if it is passed through with
     no security filter at all, such paths are reachable unauthenticated. -->
9 <bean id="filterChain.davex" parent="filterChain.template">
10 <sec:filter-chain-map path-type="ant">
11 <sec:filter-chain pattern="/*/*/*/**"
12 filters="session,x509,basic,exception,interceptor" />
<!-- NOTE(review): the chain below lists no interceptor, so no authorization rule
     is evaluated for the paths it matches. Keep the pattern as narrow as the
     workspace listing requires and check what that listing discloses. -->
13 <!-- For some reason the first level listing workspaces must be public -->
14 <sec:filter-chain pattern="/*/*/" filters="anonymous,exception" />
15 </sec:filter-chain-map>
16 </bean>
17
<!-- Chain for fully protected endpoints: every path ("/**") goes through
     session, x509, basic, exception and interceptor, in that order. The order is
     significant: the authentication filters must run before the interceptor,
     which enforces the role rule defined by the "interceptor" bean.
     The anonymous filter is not part of this chain, so a request without a
     client certificate or Basic credentials reaches the interceptor with no
     authentication and is handed to the "exception" filter. -->
18 <bean id="filterChain.private" parent="filterChain.template">
19 <sec:filter-chain-map path-type="ant">
20 <sec:filter-chain pattern="/**"
21 filters="session,x509,basic,exception,interceptor" />
22 </sec:filter-chain-map>
23 </bean>
24
<!-- Chain for public endpoints: every path ("/**") goes through anonymous,
     exception and interceptorPublic. No session, x509 or basic filter is listed,
     so credentials sent with a request are not evaluated here.
     NOTE(review): anything mapped to this chain is readable without
     authentication; confirm which servlets or URL prefixes are wired to it
     (that mapping is outside this file). -->
25 <bean id="filterChain.public" parent="filterChain.template">
26 <sec:filter-chain-map path-type="ant">
27 <sec:filter-chain pattern="/**"
28 filters="anonymous,exception,interceptorPublic" />
29 </sec:filter-chain-map>
30 </bean>
31
<!-- Abstract parent of the three filterChain.* beans: a FilterChainProxy whose
     URL matcher is an AntUrlPathMatcher built with constructor argument "false",
     i.e. request paths are compared to the patterns without lower-casing.
     The chain patterns visible in this file consist of wildcards only, so the
     case setting does not change which chain they select.
     NOTE(review): if a literal path segment is ever added to a pattern, it will
     match only in the exact case written; confirm the backend resolves paths
     case-sensitively as well, otherwise a differently cased URL could select a
     different chain than intended. -->
32 <bean id="filterChain.template" abstract="true"
33 class="org.springframework.security.util.FilterChainProxy">
34 <property name="matcher">
35 <bean class="org.springframework.security.util.AntUrlPathMatcher">
36 <!-- Do not convert to lower case -->
37 <constructor-arg value="false" />
38 </bean>
39 </property>
40 </bean>
41
42 <!-- The actual authorization checks (called last, but first here for ease
43 of configuration) -->
<!-- Authorization rule used by the authenticating chains: every URL ("/**")
     requires ROLE_USER or ROLE_ADMIN. The parent template configures an
     AffirmativeBased decision manager, so holding either role is sufficient.
     The single "/**" rule means there is no finer-grained, per-path
     authorization at this layer. -->
44 <bean id="interceptor" parent="filterInvocationInterceptorTemplate">
45 <property name="objectDefinitionSource">
46 <value>
47 PATTERN_TYPE_APACHE_ANT
48 /**=ROLE_USER,ROLE_ADMIN
49 </value>
50 </property>
51 </bean>
<!-- Authorization rule used by filterChain.public: every URL ("/**") requires
     only IS_AUTHENTICATED_ANONYMOUSLY, which the AuthenticatedVoter of the
     parent template grants to any caller that carries an authentication,
     including the anonymous one created by the "anonymous" filter. In effect
     this rule permits everyone. -->
52 <bean id="interceptorPublic" parent="filterInvocationInterceptorTemplate">
53 <property name="objectDefinitionSource">
54 <value>
55 PATTERN_TYPE_APACHE_ANT
56 /**=IS_AUTHENTICATED_ANONYMOUSLY
57 </value>
58 </property>
59 </bean>
60
<!-- Pre-authentication from a TLS client certificate. The user name is taken
     from the certificate subject DN by the regular expression below: the first
     capture group, i.e. the text between "CN=" and the next comma.
     NOTE(review): the expression is unanchored and needs a trailing comma, so a
     DN in which CN is the last component does not match, and a CN value that
     itself contains a comma is cut at that comma.
     NOTE(review): certificate chain validation happens in the TLS layer, not in
     this file. The user name is whatever CN an accepted CA has signed, so
     confirm that the trust store used for client certificates contains only CAs
     allowed to issue user identities for this application. -->
61 <bean id="x509"
62 class="org.springframework.security.ui.preauth.x509.X509PreAuthenticatedProcessingFilter">
63 <property name="authenticationManager" ref="authenticationManager" />
64 <property name="principalExtractor">
65 <bean
66 class="org.springframework.security.ui.preauth.x509.SubjectDnX509PrincipalExtractor">
67 <property name="subjectDnRegex" value="CN=(.*?)," />
68 </bean>
69 </property>
70 </bean>
71
72 <!-- Integrates the authentication information in the http sessions -->
<!-- allowSessionCreation=true lets this filter create an HTTP session in order
     to store the security context between requests.
     NOTE(review): clients that authenticate on every request and do not return
     the session cookie (presumably many WebDAV clients) would cause a new
     session per request; confirm the session timeout and container limits are
     sized for that. -->
73 <bean id="session"
74 class="org.springframework.security.context.HttpSessionContextIntegrationFilter">
75 <property name="allowSessionCreation" value="true" />
76 </bean>
77
78 <!-- Processes logouts, removing both session information and the remember-me
79 cookie from the browser. Currently disabled: the bean definition below is commented out. -->
80 <!-- <bean id="logout" class="org.springframework.security.ui.logout.LogoutFilter"> -->
81 <!-- <constructor-arg value="/webdav/node/main" /> -->
82 <!-- <constructor-arg> -->
83 <!-- <list> -->
84 <!-- <bean -->
85 <!-- class="org.springframework.security.ui.logout.SecurityContextLogoutHandler"
86 /> -->
87 <!-- </list> -->
88 <!-- </constructor-arg> -->
89 <!-- </bean> -->
90
91 <!-- Basic authentication -->
<!-- HTTP Basic authentication filter. Credentials from the Authorization header
     are checked by the shared authenticationManager; on failure the entry point
     below is invoked. The entry point is referenced with ref local, so it has to
     be defined in this same file.
     NOTE(review): Basic credentials are sent with every request and are only
     base64-encoded. Nothing in this file enforces an encrypted transport;
     confirm that these chains are reachable over HTTPS only. -->
92 <bean id="basic"
93 class="org.springframework.security.ui.basicauth.BasicProcessingFilter">
94 <property name="authenticationManager">
95 <ref bean="authenticationManager" />
96 </property>
97 <property name="authenticationEntryPoint">
98 <ref local="basicProcessingFilterEntryPoint" />
99 </property>
100 </bean>
101
102 <!-- Activate basic auth when needed -->
<!-- Entry point that asks the client for Basic credentials. It is used by both
     the "basic" and the "exception" filters. The realm name shown to the client
     comes from the argeo.server.realmName property, which is resolved outside
     this file. -->
103 <bean id="basicProcessingFilterEntryPoint"
104 class="org.springframework.security.ui.basicauth.BasicProcessingFilterEntryPoint">
105 <property name="realmName">
106 <value>${argeo.server.realmName}</value>
107 </property>
108 </bean>
109
110 <!-- If everything else failed, anonymous authentication -->
<!-- Gives unauthenticated requests an anonymous identity: principal "anonymous"
     with the single authority ROLE_ANONYMOUS. In this file the filter is listed
     only in chains that contain no x509 or basic filter (the "/*/*/" entry of
     filterChain.davex and filterChain.public).
     NOTE(review): the key comes from the argeo.security.systemKey property,
     defined outside this file. The property name suggests it is shared with
     other components; confirm it is set per installation and not left at a
     shipped default. -->
111 <bean id="anonymous"
112 class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter">
113 <property name="key" value="${argeo.security.systemKey}" />
114 <property name="userAttribute" value="anonymous,ROLE_ANONYMOUS" />
115 </bean>
116
117 <!-- Reacts to security related exceptions -->
<!-- Translates security exceptions raised further down the chain into HTTP
     responses. Authentication failures are passed to the Basic entry point, so
     the client is asked for credentials. Access-denied cases are passed to
     AccessDeniedHandlerImpl, which has no error page configured here (the
     errorPage property is commented out), so no custom page is rendered. -->
118 <bean id="exception"
119 class="org.springframework.security.ui.ExceptionTranslationFilter">
120 <property name="authenticationEntryPoint">
121 <ref bean="basicProcessingFilterEntryPoint" />
122 </property>
123 <property name="accessDeniedHandler">
124 <bean class="org.springframework.security.ui.AccessDeniedHandlerImpl">
125 <!-- <property name="errorPage" value="/accessDenied.jsp" /> -->
126 </bean>
127 </property>
128 </bean>
129
130 <!-- Template for authorization checks -->
<!-- Abstract parent of "interceptor" and "interceptorPublic". It supplies the
     shared authenticationManager and an AffirmativeBased decision manager with
     two voters, RoleVoter and AuthenticatedVoter: access is granted as soon as
     one voter grants it. allowIfAllAbstainDecisions=false makes the decision
     deny by default when no voter recognises any of the configured attributes.
     Child beans only add the URL rules (objectDefinitionSource). -->
131 <bean id="filterInvocationInterceptorTemplate" abstract="true"
132 class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
133 <property name="authenticationManager" ref="authenticationManager" />
134 <property name="accessDecisionManager">
135 <bean class="org.springframework.security.vote.AffirmativeBased">
136 <property name="allowIfAllAbstainDecisions" value="false" />
137 <property name="decisionVoters">
138 <list>
139 <bean class="org.springframework.security.vote.RoleVoter" />
140 <bean class="org.springframework.security.vote.AuthenticatedVoter" />
141 </list>
142 </property>
143 </bean>
144 </property>
145 </bean>
146 </beans>