Use Spring Security beans
authorMathieu Baudier <mbaudier@argeo.org>
Wed, 21 Sep 2011 18:35:32 +0000 (18:35 +0000)
committerMathieu Baudier <mbaudier@argeo.org>
Wed, 21 Sep 2011 18:35:32 +0000 (18:35 +0000)
Use centralized authentication manager

git-svn-id: https://svn.argeo.org/commons/trunk@4745 4cfe0d0a-d680-48aa-b62c-e0a02a3f76cc

server/modules/org.argeo.jackrabbit.webapp/META-INF/MANIFEST.MF
server/modules/org.argeo.jackrabbit.webapp/WEB-INF/applicationContext.xml
server/modules/org.argeo.jackrabbit.webapp/WEB-INF/osgi.xml
server/modules/org.argeo.jackrabbit.webapp/WEB-INF/security-filters.xml
server/modules/org.argeo.jackrabbit.webapp/WEB-INF/web.xml
server/modules/org.argeo.jackrabbit.webapp/jackrabbit-webapp.properties [new file with mode: 0644]

index 2cf8f59ddc9fbd2021d18d9cbc31783545115dd1..0a2e781292b71cb259316e4cb577504f3c66f07c 100644 (file)
@@ -18,6 +18,7 @@ Import-Package: javax.jcr,
  org.springframework.aop;version="2.5.6.SEC01",
  org.springframework.aop.framework;version="2.5.6.SEC01",
  org.springframework.aop.scope;version="2.5.6.SEC01",
+ org.springframework.beans.factory.config;version="2.5.6.SEC01",
  org.springframework.osgi.web.context.support;version="1.2.1",
  org.springframework.security;version="2.0.6.RELEASE",
  org.springframework.security.providers.anonymous;version="2.0.6.RELEASE",
index faf8e94b8899512e60cd99c669bee288f739a7a8..5e941f99e688435db33d0ec9095fafc5b054a2d4 100644 (file)
@@ -6,19 +6,27 @@
        http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.5.xsd">
 
        <import resource="osgi.xml" />
-       <import resource="security.xml" />
+       <import resource="security-filters.xml" />
+
+       <bean
+               class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
+               <property name="systemPropertiesModeName" value="SYSTEM_PROPERTIES_MODE_OVERRIDE" />
+               <property name="locations">
+                       <value>osgibundle:jackrabbit-webapp.properties</value>
+               </property>
+       </bean>
 
        <bean id="repositoryRegister" class="org.argeo.jcr.DefaultRepositoryRegister" />
 
        <bean id="sessionProvider" scope="session" init-method="init"
                destroy-method="dispose" class="org.argeo.jackrabbit.remote.SimpleSessionProvider">
                <aop:scoped-proxy proxy-target-class="false" />
-<!--           <property name="credentials"> -->
-<!--                   <bean class="javax.jcr.SimpleCredentials"> -->
-<!--                           <constructor-arg value="root" /> -->
-<!--                           <constructor-arg value="demo" /> -->
-<!--                   </bean> -->
-<!--           </property> -->
+               <!-- <property name="credentials"> -->
+               <!-- <bean class="javax.jcr.SimpleCredentials"> -->
+               <!-- <constructor-arg value="root" /> -->
+               <!-- <constructor-arg value="demo" /> -->
+               <!-- </bean> -->
+               <!-- </property> -->
        </bean>
 
        <bean id="osivInterceptor" class="org.argeo.jcr.mvc.OpenSessionInViewJcrInterceptor">
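Review bot: The PropertyPlaceholderConfigurer bean added at the top of the hunk carries no comment stating which placeholders it serves or that, with SYSTEM_PROPERTIES_MODE_OVERRIDE, a system property of the same name takes precedence over the bundled jackrabbit-webapp.properties; a reader of security-filters.xml, which relies on `${argeo.security.systemKey}`, has to look up the Spring constant to learn the precedence. A one-line comment above the bean would make the deployment override path explicit: `<!-- Resolves ${...} placeholders such as argeo.security.systemKey; a system property of the same name overrides the value bundled in jackrabbit-webapp.properties -->`.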
index 34fe6ad8124244fa189dd0ca9a4eb9f343a21d07..08063ab396e1f8f9a65e888f887e8552ed8eb448 100644 (file)
@@ -8,11 +8,14 @@
        http://www.springframework.org/schema/beans/spring-beans-2.5.xsd\r
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">\r
 \r
-       <set id="repositories" interface="javax.jcr.Repository" cardinality="0..N">\r
+       <set id="repositories" interface="javax.jcr.Repository"\r
+               cardinality="0..N">\r
                <listener ref="repositoryRegister" bind-method="register"\r
                        unbind-method="unregister" />\r
        </set>\r
 \r
-<!--   <reference id="authenticationManager"-->\r
-<!--           interface="org.springframework.security.AuthenticationManager" />-->\r
+       <reference id="authenticationManager"\r
+               interface="org.springframework.security.AuthenticationManager" />\r
+       <reference id="userDetailsService"\r
+               interface="org.springframework.security.userdetails.UserDetailsService" />\r
 </beans:beans>
\ No newline at end of file
index c969b4d828de61af7875b5fc919ac156df8d78b2..340c8e76d3b231f8bd510d4a4f372d8f10eed364 100644 (file)
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
 
-
-       <!-- Filter chain -->
-       <alias name="filterChainProxy" alias="springSecurityFilterChain" />
-
-       <bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
+       <bean id="springSecurityFilterChain" class="org.springframework.security.util.FilterChainProxy">
                <sec:filter-chain-map path-type="ant">
-                       <sec:filter-chain pattern="/images/*" filters="none" />
                        <sec:filter-chain pattern="/**"
-                               filters="securityContextFilter, logoutFilter, requestCacheFilter,
-                 servletApiFilter, anonFilter, sessionMgmtFilter, exceptionTranslator, filterSecurityInterceptor" />
+                               filters="httpSessionContextIntegrationFilter,logoutFilter,basicProcessingFilter,anonymousProcessingFilter,securityContextHolderAwareRequestFilter,exceptionTranslationFilter,filterInvocationInterceptor" />
                </sec:filter-chain-map>
        </bean>
 
-       <!-- Filters -->
-       <bean id="securityContextFilter"
-               class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
-               <property name="securityContextRepository" ref="securityContextRepository" />
+       <!-- The actual authorization checks (called last, but first here for ease 
+               of configuration) -->
+       <bean id="filterInvocationInterceptor" parent="filterInvocationInterceptorTemplate">
+               <property name="objectDefinitionSource">
+                       <value>
+                               CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
+                               PATTERN_TYPE_APACHE_ANT
+                               /public/**=IS_AUTHENTICATED_ANONYMOUSLY
+                               /**=ROLE_USER
+                       </value>
+                       <!-- <value> -->
+                       <!-- CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON -->
+                       <!-- PATTERN_TYPE_APACHE_ANT -->
+                       <!-- /config/**=ROLE_ADMINISTRATOR -->
+                       <!-- /**=IS_AUTHENTICATED_ANONYMOUSLY -->
+                       <!-- </value> -->
+               </property>
        </bean>
 
-       <bean id="securityContextRepository"
-               class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />
+       <!-- Integrates the authentication information in the http sessions -->
+       <bean id="httpSessionContextIntegrationFilter"
+               class="org.springframework.security.context.HttpSessionContextIntegrationFilter">
+               <property name="allowSessionCreation" value="true" />
+       </bean>
 
-       <bean id="logoutFilter"
-               class="org.springframework.security.web.authentication.logout.LogoutFilter">
-               <constructor-arg value="/logged_out.htm" />
+       <!-- Processes logouts, removing both session informations and the remember-me 
+               cookie from the browser -->
+       <bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
+               <constructor-arg value="/web/" />
+               <!-- URL redirected to after logout -->
                <constructor-arg>
                        <list>
+                               <ref bean="rememberMeServices" />
                                <bean
-                                       class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
+                                       class="org.springframework.security.ui.logout.SecurityContextLogoutHandler" />
                        </list>
                </constructor-arg>
        </bean>
 
-       <!-- <bean id="formLoginFilter" -->
-       <!-- class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"> -->
-       <!-- <property name="authenticationManager" ref="authenticationManager" 
-               /> -->
-       <!-- <property name="authenticationSuccessHandler"> -->
-       <!-- <bean -->
-       <!-- class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler"> -->
-       <!-- <property name="defaultTargetUrl" value="/index.jsp" /> -->
-       <!-- </bean> -->
-       <!-- </property> -->
-       <!-- <property name="sessionAuthenticationStrategy"> -->
-       <!-- <bean -->
-       <!-- class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy" 
-               /> -->
-       <!-- </property> -->
-       <!-- </bean> -->
+       <!-- Double check, this may not be necessary -->
+       <bean id="securityContextHolderAwareRequestFilter"
+               class="org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter" />
+
+       <!-- Use the remember me cookie to authenticate -->
+       <bean id="rememberMeProcessingFilter"
+               class="org.springframework.security.ui.rememberme.RememberMeProcessingFilter">
+               <property name="authenticationManager" ref="authenticationManager" />
+               <property name="rememberMeServices" ref="rememberMeServices" />
+       </bean>
 
-       <bean id="requestCacheFilter"
-               class="org.springframework.security.web.savedrequest.RequestCacheAwareFilter" />
+       <bean id="rememberMeServices"
+               class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices">
+               <property name="userDetailsService" ref="userDetailsService" />
+               <property name="key" value="${argeo.security.systemKey}" />
+       </bean>
 
-       <bean id="servletApiFilter"
-               class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter" />
+       <!-- Basic authentication -->
+       <bean id="basicProcessingFilter"
+               class="org.springframework.security.ui.basicauth.BasicProcessingFilter">
+               <property name="authenticationManager">
+                       <ref bean="authenticationManager" />
+               </property>
+               <property name="authenticationEntryPoint">
+                       <ref local="basicProcessingFilterEntryPoint" />
+               </property>
+               <property name="rememberMeServices" ref="rememberMeServices" />
+       </bean>
 
-       <bean id="anonFilter"
-               class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
-               <property name="key" value="SomeUniqueKeyForThisApplication" />
-               <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS" />
+       <!-- Activate basic auth when needed -->
+       <bean id="basicProcessingFilterEntryPoint"
+               class="org.springframework.security.ui.basicauth.BasicProcessingFilterEntryPoint">
+               <property name="realmName">
+                       <value>Argeo</value>
+               </property>
        </bean>
 
-       <bean id="sessionMgmtFilter"
-               class="org.springframework.security.web.session.SessionManagementFilter">
-               <constructor-arg ref="securityContextRepository" />
+       <!-- If everything else failed, anonymous authentication -->
+       <bean id="anonymousProcessingFilter"
+               class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter">
+               <property name="key" value="${argeo.security.systemKey}" />
+               <property name="userAttribute" value="anonymous,ROLE_ANONYMOUS" />
        </bean>
 
-       <bean id="exceptionTranslator"
-               class="org.springframework.security.web.access.ExceptionTranslationFilter">
+       <!-- Reacts to security related exceptions -->
+       <bean id="exceptionTranslationFilter"
+               class="org.springframework.security.ui.ExceptionTranslationFilter">
                <property name="authenticationEntryPoint">
-                       <bean
-                               class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
-                               <property name="loginFormUrl" value="/login.htm" />
+                       <ref bean="basicProcessingFilterEntryPoint" />
+               </property>
+               <property name="accessDeniedHandler">
+                       <bean class="org.springframework.security.ui.AccessDeniedHandlerImpl">
+                               <property name="errorPage" value="/accessDenied.jsp" />
                        </bean>
                </property>
        </bean>
 
-       <bean id="filterSecurityInterceptor"
-               class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
-               <!-- <property name="securityMetadataSource"> -->
-               <!-- <sec:filter-security-metadata-source> -->
-               <!-- <sec:intercept-url pattern="/secure/extreme/*" -->
-               <!-- access="ROLE_SUPERVISOR" /> -->
-               <!-- <sec:intercept-url pattern="/secure/**" -->
-               <!-- access="IS_AUTHENTICATED_FULLY" /> -->
-               <!-- <sec:intercept-url pattern="/login.htm" -->
-               <!-- access="IS_AUTHENTICATED_ANONYMOUSLY" /> -->
-               <!-- <sec:intercept-url pattern="/**" access="ROLE_USER" /> -->
-               <!-- </sec:filter-security-metadata-source> -->
-               <!-- </property> -->
+       <!-- Template for authorization checks -->
+       <bean id="filterInvocationInterceptorTemplate" abstract="true"
+               class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
                <property name="authenticationManager" ref="authenticationManager" />
-               <property name="accessDecisionManager" ref="accessDecisionManager" />
-       </bean>
-
-       <!-- Access decision manager -->
-       <bean id="accessDecisionManager"
-               class="org.springframework.security.access.vote.AffirmativeBased">
-               <property name="decisionVoters">
-                       <list>
-                               <bean class="org.springframework.security.access.vote.RoleVoter" />
-                               <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
-                       </list>
+               <property name="accessDecisionManager">
+                       <bean class="org.springframework.security.vote.AffirmativeBased">
+                               <property name="allowIfAllAbstainDecisions" value="false" />
+                               <property name="decisionVoters">
+                                       <list>
+                                               <bean class="org.springframework.security.vote.RoleVoter" />
+                                               <bean class="org.springframework.security.vote.AuthenticatedVoter" />
+                                       </list>
+                               </property>
+                       </bean>
                </property>
        </bean>
-
 </beans>
\ No newline at end of file
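Review bot: `rememberMeProcessingFilter` is defined in this file but never listed in the `filters` attribute of the single `/**` chain, so a remember-me cookie issued through `basicProcessingFilter`'s `rememberMeServices` (and cleared by `logoutFilter`) is never consulted to authenticate a request; either add it to the chain after `basicProcessingFilter` or drop the bean and the `rememberMeServices` wiring. The chain line would then read `filters="httpSessionContextIntegrationFilter,logoutFilter,basicProcessingFilter,rememberMeProcessingFilter,anonymousProcessingFilter,securityContextHolderAwareRequestFilter,exceptionTranslationFilter,filterInvocationInterceptor"`. The same `${argeo.security.systemKey}` is reused as the remember-me token signing key and as the anonymous token key; these are separate trust domains, and a distinct property for the anonymous filter (say `argeo.security.anonymousKey`) would keep one exposed value from weakening both. The comment `<!-- Double check, this may not be necessary -->` on `securityContextHolderAwareRequestFilter` should be resolved, or replaced with what the filter is there for (exposing the security context through the servlet request's `getRemoteUser()`/`isUserInRole()`).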
index c3ee9fb86ad27a9fa16d1af45dab9c612967d46b..2371e291782ff5f7bc03342d8cd81ac7d0964e81 100644 (file)
                <url-pattern>/webdav/*</url-pattern>
        </servlet-mapping>
 
+       <servlet-mapping>
+               <servlet-name>webdav</servlet-name>
+               <url-pattern>/public/webdav/*</url-pattern>
+       </servlet-mapping>
+
        <!-- JCR-MANAGER servlet -->
        <servlet>
                <servlet-name>jcr-manager</servlet-name>
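Review bot: Mapping the `webdav` servlet a second time under `/public/webdav/*` places the full WebDAV method set (PUT, DELETE, MKCOL included) under the `/public/**` pattern that security-filters.xml grants `IS_AUTHENTICATED_ANONYMOUSLY`, so the servlet filter chain no longer distinguishes reads from writes on that path; whether writes are refused presumably rests entirely on the JCR permissions of the session the anonymous principal obtains — confirm this against the repository's access control before relying on it. A comment on the new mapping would record that dependency: `<!-- Anonymous WebDAV entry point: /public/** is IS_AUTHENTICATED_ANONYMOUSLY in security-filters.xml, so write access must be restricted by JCR-level permissions of the anonymous session -->`.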
diff --git a/server/modules/org.argeo.jackrabbit.webapp/jackrabbit-webapp.properties b/server/modules/org.argeo.jackrabbit.webapp/jackrabbit-webapp.properties
new file mode 100644 (file)
index 0000000..ae7aa87
--- /dev/null
@@ -0,0 +1 @@
+argeo.security.systemKey=argeo
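Review bot: `argeo.security.systemKey=argeo` is a committed, guessable default for the value that security-filters.xml uses as the remember-me cookie signing key and the anonymous token key, and nothing in the file marks it as a value to be replaced per deployment. A comment above the line would make that explicit: `# Development default only: set a deployment-specific value (a system property of the same name overrides this file via SYSTEM_PROPERTIES_MODE_OVERRIDE in applicationContext.xml).`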