http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
+ <bean id="filterChain.davex" parent="filterChain.template">
+ <sec:filter-chain-map path-type="ant">
+ <sec:filter-chain pattern="/*/*/*/**"
+ filters="session,x509,basic,exception,interceptor" />
+ <!-- For some reason the first level listing workspaces must be public -->
+ <sec:filter-chain pattern="/*/*/"
+ filters="anonymous,exception,interceptorPublic" />
+ </sec:filter-chain-map>
+ </bean>
- <!-- Filter chain -->
- <alias name="filterChainProxy" alias="springSecurityFilterChain" />
+ <bean id="filterChain.private" parent="filterChain.template">
+ <sec:filter-chain-map path-type="ant">
+ <sec:filter-chain pattern="/**"
+ filters="session,x509,basic,exception,interceptor" />
+ </sec:filter-chain-map>
+ </bean>
- <bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
+ <bean id="filterChain.public" parent="filterChain.template">
<sec:filter-chain-map path-type="ant">
- <sec:filter-chain pattern="/images/*" filters="none" />
<sec:filter-chain pattern="/**"
- filters="securityContextFilter, logoutFilter, requestCacheFilter,
- servletApiFilter, anonFilter, sessionMgmtFilter, exceptionTranslator, filterSecurityInterceptor" />
+ filters="anonymous,exception,interceptorPublic" />
</sec:filter-chain-map>
</bean>
- <!-- Filters -->
- <bean id="securityContextFilter"
- class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
- <property name="securityContextRepository" ref="securityContextRepository" />
+ <bean id="filterChain.template" abstract="true"
+ class="org.springframework.security.util.FilterChainProxy">
+ <property name="matcher">
+ <bean class="org.springframework.security.util.AntUrlPathMatcher">
+ <!-- Do not convert to lower case -->
+ <constructor-arg value="false" />
+ </bean>
+ </property>
</bean>
- <bean id="securityContextRepository"
- class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />
+ <!-- The actual authorization checks (called last, but first here for ease
+ of configuration) -->
+ <bean id="interceptor" parent="filterInvocationInterceptorTemplate">
+ <property name="objectDefinitionSource">
+ <value>
+ PATTERN_TYPE_APACHE_ANT
+ /**=ROLE_USER,ROLE_ADMIN
+ </value>
+ </property>
+ </bean>
+ <bean id="interceptorPublic" parent="filterInvocationInterceptorTemplate">
+ <property name="objectDefinitionSource">
+ <value>
+ PATTERN_TYPE_APACHE_ANT
+ /**=IS_AUTHENTICATED_ANONYMOUSLY
+ </value>
+ </property>
+ </bean>
+
+ <bean id="x509"
+ class="org.springframework.security.ui.preauth.x509.X509PreAuthenticatedProcessingFilter">
+ <property name="authenticationManager" ref="authenticationManager" />
+ <property name="principalExtractor">
+ <bean
+ class="org.springframework.security.ui.preauth.x509.SubjectDnX509PrincipalExtractor">
+ <property name="subjectDnRegex" value="CN=(.*?)," />
+ </bean>
+ </property>
+ </bean>
- <bean id="logoutFilter"
- class="org.springframework.security.web.authentication.logout.LogoutFilter">
- <constructor-arg value="/logged_out.htm" />
- <constructor-arg>
- <list>
- <bean
- class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
- </list>
- </constructor-arg>
+ <!-- Integrates the authentication information in the http sessions -->
+ <bean id="session"
+ class="org.springframework.security.context.HttpSessionContextIntegrationFilter">
+ <property name="allowSessionCreation" value="true" />
</bean>
- <!-- <bean id="formLoginFilter" -->
- <!-- class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"> -->
- <!-- <property name="authenticationManager" ref="authenticationManager"
- /> -->
- <!-- <property name="authenticationSuccessHandler"> -->
- <!-- <bean -->
- <!-- class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler"> -->
- <!-- <property name="defaultTargetUrl" value="/index.jsp" /> -->
- <!-- </bean> -->
- <!-- </property> -->
- <!-- <property name="sessionAuthenticationStrategy"> -->
+ <!-- Processes logouts, removing both session informations and the remember-me
+ cookie from the browser -->
+ <!-- <bean id="logout" class="org.springframework.security.ui.logout.LogoutFilter"> -->
+ <!-- <constructor-arg value="/webdav/node/main" /> -->
+ <!-- <constructor-arg> -->
+ <!-- <list> -->
<!-- <bean -->
- <!-- class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy"
+ <!-- class="org.springframework.security.ui.logout.SecurityContextLogoutHandler"
/> -->
- <!-- </property> -->
+ <!-- </list> -->
+ <!-- </constructor-arg> -->
<!-- </bean> -->
- <bean id="requestCacheFilter"
- class="org.springframework.security.web.savedrequest.RequestCacheAwareFilter" />
-
- <bean id="servletApiFilter"
- class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter" />
+ <!-- Basic authentication -->
+ <bean id="basic"
+ class="org.springframework.security.ui.basicauth.BasicProcessingFilter">
+ <property name="authenticationManager">
+ <ref bean="authenticationManager" />
+ </property>
+ <property name="authenticationEntryPoint">
+ <ref local="basicProcessingFilterEntryPoint" />
+ </property>
+ </bean>
- <bean id="anonFilter"
- class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
- <property name="key" value="SomeUniqueKeyForThisApplication" />
- <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS" />
+ <!-- Activate basic auth when needed -->
+ <bean id="basicProcessingFilterEntryPoint"
+ class="org.springframework.security.ui.basicauth.BasicProcessingFilterEntryPoint">
+ <property name="realmName">
+ <value>${argeo.server.realmName}</value>
+ </property>
</bean>
- <bean id="sessionMgmtFilter"
- class="org.springframework.security.web.session.SessionManagementFilter">
- <constructor-arg ref="securityContextRepository" />
+ <!-- If everything else failed, anonymous authentication -->
+ <bean id="anonymous"
+ class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter">
+ <property name="key" value="${argeo.security.systemKey}" />
+ <property name="userAttribute" value="anonymous,ROLE_ANONYMOUS" />
</bean>
- <bean id="exceptionTranslator"
- class="org.springframework.security.web.access.ExceptionTranslationFilter">
+ <!-- Reacts to security related exceptions -->
+ <bean id="exception"
+ class="org.springframework.security.ui.ExceptionTranslationFilter">
<property name="authenticationEntryPoint">
- <bean
- class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
- <property name="loginFormUrl" value="/login.htm" />
+ <ref bean="basicProcessingFilterEntryPoint" />
+ </property>
+ <property name="accessDeniedHandler">
+ <bean class="org.springframework.security.ui.AccessDeniedHandlerImpl">
+ <!-- <property name="errorPage" value="/accessDenied.jsp" /> -->
</bean>
</property>
</bean>
- <bean id="filterSecurityInterceptor"
- class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
- <!-- <property name="securityMetadataSource"> -->
- <!-- <sec:filter-security-metadata-source> -->
- <!-- <sec:intercept-url pattern="/secure/extreme/*" -->
- <!-- access="ROLE_SUPERVISOR" /> -->
- <!-- <sec:intercept-url pattern="/secure/**" -->
- <!-- access="IS_AUTHENTICATED_FULLY" /> -->
- <!-- <sec:intercept-url pattern="/login.htm" -->
- <!-- access="IS_AUTHENTICATED_ANONYMOUSLY" /> -->
- <!-- <sec:intercept-url pattern="/**" access="ROLE_USER" /> -->
- <!-- </sec:filter-security-metadata-source> -->
- <!-- </property> -->
+ <!-- Template for authorization checks -->
+ <bean id="filterInvocationInterceptorTemplate" abstract="true"
+ class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager" />
- <property name="accessDecisionManager" ref="accessDecisionManager" />
- </bean>
-
- <!-- Access decision manager -->
- <bean id="accessDecisionManager"
- class="org.springframework.security.access.vote.AffirmativeBased">
- <property name="decisionVoters">
- <list>
- <bean class="org.springframework.security.access.vote.RoleVoter" />
- <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
- </list>
+ <property name="accessDecisionManager">
+ <bean class="org.springframework.security.vote.AffirmativeBased">
+ <property name="allowIfAllAbstainDecisions" value="false" />
+ <property name="decisionVoters">
+ <list>
+ <bean class="org.springframework.security.vote.RoleVoter" />
+ <bean class="org.springframework.security.vote.AuthenticatedVoter" />
+ </list>
+ </property>
+ </bean>
</property>
</bean>
-
</beans>
\ No newline at end of file