Configured contacts app to use namespaces. Removed ldap, cas, x509 files to avoid confusion. Ldap and CAS will be better served by new samples.
This commit is contained in:
parent
b115f4aa83
commit
7583aca3eb
|
@ -148,9 +148,7 @@
|
|||
<!-- Processes AFTER_ACL_COLLECTION_READ configuration settings -->
|
||||
<bean id="afterAclCollectionRead"
|
||||
class="org.springframework.security.afterinvocation.AclEntryAfterInvocationCollectionFilteringProvider">
|
||||
<constructor-arg>
|
||||
<ref bean="aclService"/>
|
||||
</constructor-arg>
|
||||
<constructor-arg ref="aclService"/>
|
||||
<constructor-arg>
|
||||
<list>
|
||||
<ref local="org.springframework.security.acls.domain.BasePermission.ADMINISTRATION"/>
|
||||
|
@ -161,9 +159,7 @@
|
|||
|
||||
<!-- Processes AFTER_ACL_READ configuration settings -->
|
||||
<bean id="afterAclRead" class="org.springframework.security.afterinvocation.AclEntryAfterInvocationProvider">
|
||||
<constructor-arg>
|
||||
<ref bean="aclService"/>
|
||||
</constructor-arg>
|
||||
<constructor-arg ref="aclService"/>
|
||||
<constructor-arg>
|
||||
<list>
|
||||
<ref local="org.springframework.security.acls.domain.BasePermission.ADMINISTRATION"/>
|
||||
|
@ -183,15 +179,12 @@
|
|||
ensure the user is authenticated via their ACL_CONTACT_DELETE or
|
||||
ACL_CONTACT_READ attribute, which also ensures the user has permission
|
||||
to the Contact presented as a method argument.
|
||||
|
||||
Autowired to pick up authentication manager from namespace config.
|
||||
-->
|
||||
<bean id="contactManagerSecurity" class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor">
|
||||
<property name="authenticationManager" ref="authenticationManager"/>
|
||||
<property name="accessDecisionManager">
|
||||
<ref local="businessAccessDecisionManager"/>
|
||||
</property>
|
||||
<property name="afterInvocationManager">
|
||||
<ref local="afterInvocationManager"/>
|
||||
</property>
|
||||
<bean id="contactManagerSecurity" class="org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor" autowire="byType">
|
||||
<property name="accessDecisionManager" ref="businessAccessDecisionManager"/>
|
||||
<property name="afterInvocationManager" ref="afterInvocationManager"/>
|
||||
<property name="objectDefinitionSource">
|
||||
<value>
|
||||
sample.contact.ContactManager.create=ROLE_USER
|
||||
|
|
|
@ -1,192 +0,0 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
|
||||
|
||||
<!--
|
||||
- Application context containing authentication, channel
|
||||
- security and web URI beans.
|
||||
-
|
||||
- Only used by "cas" artifact.
|
||||
-
|
||||
- $Id: applicationContext-acegi-security.xml 1409 2006-04-26 23:36:03Z benalex $
|
||||
-->
|
||||
|
||||
<beans>
|
||||
|
||||
<!-- ======================== FILTER CHAIN ======================= -->
|
||||
|
||||
<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
|
||||
<property name="filterInvocationDefinitionSource">
|
||||
<value>
|
||||
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
|
||||
PATTERN_TYPE_APACHE_ANT
|
||||
/**=channelProcessingFilter,httpSessionContextIntegrationFilter,logoutFilter,casProcessingFilter,basicProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
|
||||
</value>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<!-- ======================== AUTHENTICATION ======================= -->
|
||||
|
||||
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
|
||||
<property name="providers">
|
||||
<list>
|
||||
<ref local="casAuthenticationProvider"/>
|
||||
</list>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<bean id="jdbcDaoImpl" class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl">
|
||||
<property name="dataSource" ref="dataSource"/>
|
||||
</bean>
|
||||
|
||||
<bean id="basicProcessingFilter" class="org.springframework.security.ui.basicauth.BasicProcessingFilter">
|
||||
<property name="authenticationManager"><ref local="authenticationManager"/></property>
|
||||
<property name="authenticationEntryPoint"><ref local="basicProcessingFilterEntryPoint"/></property>
|
||||
</bean>
|
||||
|
||||
<bean id="basicProcessingFilterEntryPoint" class="org.springframework.security.ui.basicauth.BasicProcessingFilterEntryPoint">
|
||||
<property name="realmName"><value>Contacts Realm</value></property>
|
||||
</bean>
|
||||
|
||||
<bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.context.HttpSessionContextIntegrationFilter"/>
|
||||
|
||||
<bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
|
||||
<property name="casAuthoritiesPopulator"><ref local="casAuthoritiesPopulator"/></property>
|
||||
<property name="casProxyDecider"><ref local="casProxyDecider"/></property>
|
||||
<property name="ticketValidator"><ref local="casProxyTicketValidator"/></property>
|
||||
<property name="statelessTicketCache"><ref local="statelessTicketCache"/></property>
|
||||
<property name="key"><value>my_password_for_this_auth_provider_only</value></property>
|
||||
</bean>
|
||||
|
||||
<bean id="casProxyTicketValidator" class="org.springframework.security.providers.cas.ticketvalidator.CasProxyTicketValidator">
|
||||
<property name="casValidate" value="https://localhost:8443/cas/proxyValidate"/>
|
||||
<property name="proxyCallbackUrl" value="https://localhost:8443/contacts-cas/casProxy/receptor"/>
|
||||
<property name="serviceProperties"><ref local="serviceProperties"/></property>
|
||||
<!-- <property name="trustStore"><value>/some/path/to/your/lib/security/cacerts</value></property> -->
|
||||
</bean>
|
||||
|
||||
<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
|
||||
|
||||
<bean id="ticketCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
|
||||
<property name="cacheManager"><ref local="cacheManager"/></property>
|
||||
<property name="cacheName" value="ticketCache"/>
|
||||
</bean>
|
||||
|
||||
<bean id="statelessTicketCache" class="org.springframework.security.providers.cas.cache.EhCacheBasedTicketCache">
|
||||
<property name="cache"><ref local="ticketCacheBackend"/></property>
|
||||
</bean>
|
||||
|
||||
<bean id="casAuthoritiesPopulator" class="org.springframework.security.providers.cas.populator.DaoCasAuthoritiesPopulator">
|
||||
<property name="userDetailsService"><ref local="jdbcDaoImpl"/></property>
|
||||
</bean>
|
||||
|
||||
<bean id="casProxyDecider" class="org.springframework.security.providers.cas.proxy.RejectProxyTickets"/>
|
||||
|
||||
<bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
|
||||
<property name="service" value="https://localhost:8443/contacts-cas/j_spring_cas_security_check"/>
|
||||
<property name="sendRenew" value="false"/>
|
||||
</bean>
|
||||
|
||||
<!-- note logout has little impact, due to CAS reauthentication functionality (it will cause a refresh of the authentication though) -->
|
||||
<bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
|
||||
<constructor-arg value="/index.jsp"/> <!-- URL redirected to after logout -->
|
||||
<constructor-arg>
|
||||
<list>
|
||||
<bean class="org.springframework.security.ui.logout.SecurityContextLogoutHandler"/>
|
||||
</list>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
|
||||
|
||||
<!-- ===================== HTTP CHANNEL REQUIREMENTS ==================== -->
|
||||
|
||||
<!-- Enabled by default for CAS, as a CAS deployment uses HTTPS -->
|
||||
<bean id="channelProcessingFilter" class="org.springframework.security.securechannel.ChannelProcessingFilter">
|
||||
<property name="channelDecisionManager"><ref local="channelDecisionManager"/></property>
|
||||
<property name="filterInvocationDefinitionSource">
|
||||
<value>
|
||||
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
|
||||
\A/secure/.*\Z=REQUIRES_SECURE_CHANNEL
|
||||
\A/j_spring_cas_security_check.*\Z=REQUIRES_SECURE_CHANNEL
|
||||
\A.*\Z=REQUIRES_INSECURE_CHANNEL
|
||||
</value>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<bean id="channelDecisionManager" class="org.springframework.security.securechannel.ChannelDecisionManagerImpl">
|
||||
<property name="channelProcessors">
|
||||
<list>
|
||||
<ref local="secureChannelProcessor"/>
|
||||
<ref local="insecureChannelProcessor"/>
|
||||
</list>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<bean id="secureChannelProcessor" class="org.springframework.security.securechannel.SecureChannelProcessor"/>
|
||||
<bean id="insecureChannelProcessor" class="org.springframework.security.securechannel.InsecureChannelProcessor"/>
|
||||
|
||||
<!-- ===================== HTTP REQUEST SECURITY ==================== -->
|
||||
|
||||
<bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter">
|
||||
<property name="authenticationEntryPoint"><ref local="casProcessingFilterEntryPoint"/></property>
|
||||
</bean>
|
||||
|
||||
<bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
|
||||
<property name="authenticationManager"><ref local="authenticationManager"/></property>
|
||||
<property name="authenticationFailureUrl"><value>/casfailed.jsp</value></property>
|
||||
<property name="defaultTargetUrl"><value>/</value></property>
|
||||
<property name="filterProcessesUrl"><value>/j_spring_cas_security_check</value></property>
|
||||
</bean>
|
||||
|
||||
<bean id="casProcessingFilterEntryPoint" class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
|
||||
<property name="loginUrl"><value>https://localhost:8443/cas/login</value></property>
|
||||
<property name="serviceProperties"><ref local="serviceProperties"/></property>
|
||||
</bean>
|
||||
|
||||
<bean id="httpRequestAccessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
|
||||
<property name="allowIfAllAbstainDecisions"><value>false</value></property>
|
||||
<property name="decisionVoters">
|
||||
<list>
|
||||
<ref bean="roleVoter"/>
|
||||
</list>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<!-- Note the order that entries are placed against the objectDefinitionSource is critical.
|
||||
The FilterSecurityInterceptor will work from the top of the list down to the FIRST pattern that matches the request URL.
|
||||
Accordingly, you should place MOST SPECIFIC (ie a/b/c/d.*) expressions first, with LEAST SPECIFIC (ie a/.*) expressions last -->
|
||||
<bean id="filterInvocationInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
|
||||
<property name="authenticationManager"><ref local="authenticationManager"/></property>
|
||||
<property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
|
||||
<property name="objectDefinitionSource">
|
||||
<value>
|
||||
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
|
||||
\A/secure/super.*\Z=ROLE_WE_DONT_HAVE
|
||||
\A/secure/.*\Z=ROLE_SUPERVISOR,ROLE_TELLER
|
||||
</value>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<!-- BASIC Regular Expression Syntax (for beginners):
|
||||
|
||||
\A means the start of the string (ie the beginning of the URL)
|
||||
\Z means the end of the string (ie the end of the URL)
|
||||
. means any single character
|
||||
* means null or any number of repetitions of the last expression (so .* means zero or more characters)
|
||||
|
||||
Some examples:
|
||||
|
||||
Expression: \A/my/directory/.*\Z
|
||||
Would match: /my/directory/
|
||||
/my/directory/hello.html
|
||||
|
||||
Expression: \A/.*\Z
|
||||
Would match: /hello.html
|
||||
/
|
||||
|
||||
Expression: \A/.*/secret.html\Z
|
||||
Would match: /some/directory/secret.html
|
||||
/another/secret.html
|
||||
Not match: /anothersecret.html (missing required /)
|
||||
-->
|
||||
|
||||
</beans>
|
|
@ -1,142 +0,0 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
|
||||
|
||||
<!--
|
||||
- Application context containing authentication, channel
|
||||
- security and web URI beans.
|
||||
-
|
||||
- Only used by "ldap" artifact.
|
||||
-
|
||||
- $Id: applicationContext-acegi-security.xml 1468 2006-05-20 17:50:51Z luke_t $
|
||||
-->
|
||||
|
||||
<beans>
|
||||
|
||||
<!-- ======================== FILTER CHAIN ======================= -->
|
||||
|
||||
<!-- if you wish to use channel security, add "channelProcessingFilter," in front
|
||||
of "httpSessionContextIntegrationFilter" in the list below -->
|
||||
<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
|
||||
<property name="filterInvocationDefinitionSource">
|
||||
<value>
|
||||
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
|
||||
PATTERN_TYPE_APACHE_ANT
|
||||
/**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
|
||||
</value>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<!-- ======================== AUTHENTICATION ======================= -->
|
||||
|
||||
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
|
||||
<property name="providers">
|
||||
<list>
|
||||
<ref local="ldapAuthenticationProvider"/>
|
||||
</list>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
|
||||
<constructor-arg value="ldap://monkeymachine.co.uk:389/dc=springframework,dc=org"/>
|
||||
<property name="userDn" value="cn=manager,dc=springframework,dc=org" />
|
||||
<property name="password" value="acegisecurity"/>
|
||||
</bean>
|
||||
|
||||
<bean id="ldapAuthenticationProvider" class="org.springframework.security.providers.ldap.LdapAuthenticationProvider">
|
||||
<constructor-arg>
|
||||
<bean class="org.springframework.security.providers.ldap.authenticator.BindAuthenticator">
|
||||
<constructor-arg><ref local="contextSource"/></constructor-arg>
|
||||
<property name="userDnPatterns"><list><value>uid={0},ou=people</value></list></property>
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
<constructor-arg>
|
||||
<bean class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
|
||||
<constructor-arg><ref local="contextSource"/></constructor-arg>
|
||||
<constructor-arg><value>ou=groups</value></constructor-arg>
|
||||
<property name="groupRoleAttribute"><value>ou</value></property>
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
|
||||
<!-- Automatically receives AuthenticationEvent messages -->
|
||||
<bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener"/>
|
||||
|
||||
<bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.context.HttpSessionContextIntegrationFilter">
|
||||
</bean>
|
||||
|
||||
<bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
|
||||
<constructor-arg value="/index.jsp"/> <!-- URL redirected to after logout -->
|
||||
<constructor-arg>
|
||||
<list>
|
||||
<bean class="org.springframework.security.ui.logout.SecurityContextLogoutHandler"/>
|
||||
</list>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
|
||||
|
||||
<!-- ===================== HTTP REQUEST SECURITY ==================== -->
|
||||
|
||||
<bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter">
|
||||
<property name="authenticationEntryPoint"><ref local="authenticationProcessingFilterEntryPoint"/></property>
|
||||
</bean>
|
||||
|
||||
<bean id="authenticationProcessingFilter" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
|
||||
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
|
||||
<property name="authenticationFailureUrl"><value>/acegilogin.jsp?login_error=1</value></property>
|
||||
<property name="defaultTargetUrl"><value>/</value></property>
|
||||
<property name="filterProcessesUrl"><value>/j_spring_security_check</value></property>
|
||||
</bean>
|
||||
|
||||
<bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
|
||||
<property name="loginFormUrl"><value>/acegilogin.jsp</value></property>
|
||||
<property name="forceHttps"><value>false</value></property>
|
||||
</bean>
|
||||
|
||||
<bean id="httpRequestAccessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
|
||||
<property name="allowIfAllAbstainDecisions"><value>false</value></property>
|
||||
<property name="decisionVoters">
|
||||
<list>
|
||||
<ref bean="roleVoter"/>
|
||||
</list>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<!-- Note the order that entries are placed against the objectDefinitionSource is critical.
|
||||
The FilterSecurityInterceptor will work from the top of the list down to the FIRST pattern that matches the request URL.
|
||||
Accordingly, you should place MOST SPECIFIC (ie a/b/c/d.*) expressions first, with LEAST SPECIFIC (ie a/.*) expressions last -->
|
||||
<bean id="filterInvocationInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
|
||||
<property name="authenticationManager"><ref local="authenticationManager"/></property>
|
||||
<property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
|
||||
<property name="objectDefinitionSource">
|
||||
<value>
|
||||
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
|
||||
\A/secure/super.*\Z=ROLE_WE_DONT_HAVE
|
||||
\A/secure/.*\Z=ROLE_SUPERVISOR,ROLE_TELLER
|
||||
</value>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<!-- BASIC Regular Expression Syntax (for beginners):
|
||||
|
||||
\A means the start of the string (ie the beginning of the URL)
|
||||
\Z means the end of the string (ie the end of the URL)
|
||||
. means any single character
|
||||
* means null or any number of repetitions of the last expression (so .* means zero or more characters)
|
||||
|
||||
Some examples:
|
||||
|
||||
Expression: \A/my/directory/.*\Z
|
||||
Would match: /my/directory/
|
||||
/my/directory/hello.html
|
||||
|
||||
Expression: \A/.*\Z
|
||||
Would match: /hello.html
|
||||
/
|
||||
|
||||
Expression: \A/.*/secret.html\Z
|
||||
Would match: /some/directory/secret.html
|
||||
/another/secret.html
|
||||
Not match: /anothersecret.html (missing required /)
|
||||
-->
|
||||
|
||||
</beans>
|
|
@ -1,175 +0,0 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
|
||||
|
||||
<!--
|
||||
- Application context containing authentication, channel
|
||||
- security and web URI beans.
|
||||
-
|
||||
- Only used by "x509" artifact.
|
||||
-
|
||||
- $Id: applicationContext-acegi-security.xml 1409 2006-04-26 23:36:03Z benalex $
|
||||
-->
|
||||
|
||||
<beans>
|
||||
|
||||
<!-- ======================== FILTER CHAIN ======================= -->
|
||||
|
||||
<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
|
||||
<property name="filterInvocationDefinitionSource">
|
||||
<value>
|
||||
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
|
||||
PATTERN_TYPE_APACHE_ANT
|
||||
/**=channelProcessingFilter,httpSessionContextIntegrationFilter,logoutFilter,x509ProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
|
||||
</value>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<!-- ======================== AUTHENTICATION ======================= -->
|
||||
|
||||
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
|
||||
<property name="providers">
|
||||
<list>
|
||||
<ref local="x509AuthenticationProvider"/>
|
||||
</list>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<bean id="jdbcDaoImpl" class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl">
|
||||
<property name="dataSource"><ref bean="dataSource"/></property>
|
||||
</bean>
|
||||
|
||||
<bean id="basicProcessingFilter" class="org.springframework.security.ui.basicauth.BasicProcessingFilter">
|
||||
<property name="authenticationManager"><ref local="authenticationManager"/></property>
|
||||
<property name="authenticationEntryPoint"><ref local="basicProcessingFilterEntryPoint"/></property>
|
||||
</bean>
|
||||
|
||||
<bean id="basicProcessingFilterEntryPoint" class="org.springframework.security.ui.basicauth.BasicProcessingFilterEntryPoint">
|
||||
<property name="realmName"><value>Contacts Realm</value></property>
|
||||
</bean>
|
||||
|
||||
<bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.context.HttpSessionContextIntegrationFilter">
|
||||
</bean>
|
||||
|
||||
<bean id="x509AuthenticationProvider" class="org.springframework.security.providers.x509.X509AuthenticationProvider">
|
||||
<property name="x509AuthoritiesPopulator"><ref local="x509AuthoritiesPopulator"/></property>
|
||||
<property name="x509UserCache"><ref local="x509UserCache"/></property>
|
||||
</bean>
|
||||
|
||||
<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
|
||||
|
||||
<bean id="x509UserCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
|
||||
<property name="cacheManager">
|
||||
<ref local="cacheManager"/>
|
||||
</property>
|
||||
<property name="cacheName">
|
||||
<value>x509Cache</value>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<bean id="x509UserCache" class="org.springframework.security.providers.x509.cache.EhCacheBasedX509UserCache">
|
||||
<property name="cache"><ref local="x509UserCacheBackend"/></property>
|
||||
</bean>
|
||||
|
||||
<bean id="x509AuthoritiesPopulator" class="org.springframework.security.providers.x509.populator.DaoX509AuthoritiesPopulator">
|
||||
<property name="userDetailsService"><ref local="jdbcDaoImpl"/></property>
|
||||
<!-- <property name="subjectDNRegex"><value>emailAddress=(.*?),</value></property> -->
|
||||
</bean>
|
||||
|
||||
<!-- note logout has little impact, due to X509 certificate still being presented (it will cause a refresh of the authentication though) -->
|
||||
<bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
|
||||
<constructor-arg value="/index.jsp"/> <!-- URL redirected to after logout -->
|
||||
<constructor-arg>
|
||||
<list>
|
||||
<bean class="org.springframework.security.ui.logout.SecurityContextLogoutHandler"/>
|
||||
</list>
|
||||
</constructor-arg>
|
||||
</bean>
|
||||
|
||||
|
||||
<!-- ===================== HTTP CHANNEL REQUIREMENTS ==================== -->
|
||||
|
||||
<!-- Enabled by default for X.509 (obviously) -->
|
||||
<bean id="channelProcessingFilter" class="org.springframework.security.securechannel.ChannelProcessingFilter">
|
||||
<property name="channelDecisionManager"><ref local="channelDecisionManager"/></property>
|
||||
<property name="filterInvocationDefinitionSource">
|
||||
<value>
|
||||
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
|
||||
\A/secure/.*\Z=REQUIRES_SECURE_CHANNEL
|
||||
\A.*\Z=REQUIRES_INSECURE_CHANNEL
|
||||
</value>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<bean id="channelDecisionManager" class="org.springframework.security.securechannel.ChannelDecisionManagerImpl">
|
||||
<property name="channelProcessors">
|
||||
<list>
|
||||
<ref local="secureChannelProcessor"/>
|
||||
<ref local="insecureChannelProcessor"/>
|
||||
</list>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<bean id="secureChannelProcessor" class="org.springframework.security.securechannel.SecureChannelProcessor"/>
|
||||
<bean id="insecureChannelProcessor" class="org.springframework.security.securechannel.InsecureChannelProcessor"/>
|
||||
|
||||
<!-- ===================== HTTP REQUEST SECURITY ==================== -->
|
||||
|
||||
<bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter">
|
||||
<property name="authenticationEntryPoint"><ref local="x509ProcessingFilterEntryPoint"/></property>
|
||||
</bean>
|
||||
|
||||
<bean id="x509ProcessingFilter" class="org.springframework.security.ui.x509.X509ProcessingFilter">
|
||||
<property name="authenticationManager"><ref local="authenticationManager"/></property>
|
||||
</bean>
|
||||
|
||||
<bean id="x509ProcessingFilterEntryPoint" class="org.springframework.security.ui.x509.X509ProcessingFilterEntryPoint">
|
||||
</bean>
|
||||
|
||||
<bean id="httpRequestAccessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
|
||||
<property name="allowIfAllAbstainDecisions"><value>false</value></property>
|
||||
<property name="decisionVoters">
|
||||
<list>
|
||||
<ref bean="roleVoter"/>
|
||||
</list>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<!-- Note the order that entries are placed against the objectDefinitionSource is critical.
|
||||
The FilterSecurityInterceptor will work from the top of the list down to the FIRST pattern that matches the request URL.
|
||||
Accordingly, you should place MOST SPECIFIC (ie a/b/c/d.*) expressions first, with LEAST SPECIFIC (ie a/.*) expressions last -->
|
||||
<bean id="filterInvocationInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
|
||||
<property name="authenticationManager"><ref local="authenticationManager"/></property>
|
||||
<property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
|
||||
<property name="objectDefinitionSource">
|
||||
<value>
|
||||
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
|
||||
\A/secure/super.*\Z=ROLE_WE_DONT_HAVE
|
||||
\A/secure/.*\Z=ROLE_SUPERVISOR,ROLE_TELLER
|
||||
</value>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<!-- BASIC Regular Expression Syntax (for beginners):
|
||||
|
||||
\A means the start of the string (ie the beginning of the URL)
|
||||
\Z means the end of the string (ie the end of the URL)
|
||||
. means any single character
|
||||
* means null or any number of repetitions of the last expression (so .* means zero or more characters)
|
||||
|
||||
Some examples:
|
||||
|
||||
Expression: \A/my/directory/.*\Z
|
||||
Would match: /my/directory/
|
||||
/my/directory/hello.html
|
||||
|
||||
Expression: \A/.*\Z
|
||||
Would match: /hello.html
|
||||
/
|
||||
|
||||
Expression: \A/.*/secret.html\Z
|
||||
Would match: /some/directory/secret.html
|
||||
/another/secret.html
|
||||
Not match: /anothersecret.html (missing required /)
|
||||
-->
|
||||
|
||||
</beans>
|
|
@ -24,7 +24,7 @@
|
|||
<intercept-url pattern="/**" access="ROLE_USER"/>
|
||||
|
||||
<form-login login-page="/acegilogin.jsp" authentication-failure-url="/acegilogin.jsp?login_error=1"/>
|
||||
<logout logout-url="/index.jsp"/>
|
||||
<logout logout-success-url="/index.jsp"/>
|
||||
</http>
|
||||
|
||||
<!--
|
||||
|
|
|
@ -46,12 +46,12 @@
|
|||
|
||||
|
||||
<filter>
|
||||
<filter-name>filterChainProxy</filter-name>
|
||||
<filter-name>_filterChainProxy</filter-name>
|
||||
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
|
||||
</filter>
|
||||
|
||||
<filter-mapping>
|
||||
<filter-name>filterChainProxy</filter-name>
|
||||
<filter-name>_filterChainProxy</filter-name>
|
||||
<url-pattern>/*</url-pattern>
|
||||
</filter-mapping>
|
||||
|
||||
|
|
Loading…
Reference in New Issue