
home.applicationContext-security.xml Maven / Gradle / Ivy

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                    http://www.springframework.org/schema/security
                    http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <!--
      Web security filter chain for the portal.
        * auto-config="false": nothing is registered implicitly; login handling comes from
          the custom authenticationFilter placed in the FORM_LOGIN_FILTER slot below, and
          unauthenticated requests are handed to the authenticationEntryPoint bean.
        * disable-url-rewriting="true": the session id is never appended to URLs, so it
          cannot leak through links, Referer headers or logs.
        * use-expressions="true": every access attribute is a SpEL expression, decided by
          fascinatorAccessDecisionManagerBean.
      The beans referenced here (authenticationEntryPoint, authenticationFilter,
      fascinatorOwaspInterceptor, fascinatorAuthInterceptor, accessDeniedHandler) are not
      defined in this file.
      NOTE(review): no csrf element is declared. With the 3.2 security schema this file
      references, CSRF protection is opt-in, so Spring adds no CSRF filter here. Confirm
      that fascinatorOwaspInterceptor or the portal itself covers state-changing requests.
      NOTE(review): no logout element is declared either. Confirm where sessions are
      invalidated.
    -->
    <http auto-config="false" disable-url-rewriting="true"
          access-decision-manager-ref="fascinatorAccessDecisionManagerBean" use-expressions="true"
          entry-point-ref="authenticationEntryPoint">
        <!--
          URL rules are evaluated top to bottom and the first matching pattern wins, so the
          order of these elements is part of the policy. Specific rules must stay above the
          permitAll catch-alls at the end of the list.
        -->
        <!-- Pages that must be reachable without a session. -->
        <intercept-url pattern="/**/maintenance" access="permitAll"/>
        <intercept-url pattern="/**/login" access="permitAll"/>
        <intercept-url pattern="/**/sso/*" access="permitAll"/>
        <intercept-url pattern="/**/accessDenied" access="permitAll"/>
        <!--
          Administrative views, restricted to the 'admin' role.
          NOTE(review): most of these patterns match one exact final path segment. Confirm the
          portal does not serve the same view under another path form (trailing slash, file
          extension, extra segment), because such a request would miss these rules and fall
          through to the permitAll catch-alls below unless fascinatorAuthInterceptor enforces
          access independently.
        -->
        <intercept-url pattern="/**/history/*" access="hasRole('admin')"/>
        <intercept-url pattern="/**/admin" access="hasRole('admin')"/>
        <intercept-url pattern="/**/apiAdmin" access="hasRole('admin')"/>
        <intercept-url pattern="/**/settings" access="hasRole('admin')"/>
        <intercept-url pattern="/**/systemSettings" access="hasRole('admin')"/>
        <intercept-url pattern="/**/logviewer" access="hasRole('admin')"/>
        <intercept-url pattern="/**/batchprocesses" access="hasRole('admin')"/>
        <intercept-url pattern="/**/jws/admin/**" access="hasRole('admin')"/>
        <intercept-url pattern="/**/queues" access="hasRole('admin')"/>
        <!--
          hasWorkflowAccess(), hasDownloadAccess() and hasViewAccess() are not standard Spring
          Security expressions; presumably they are supplied by
          FascinatorWebSecurityExpressionHandler (confirm in that class).
          The simpleworkflow* pattern already covers the .script and .ajax rules above it;
          all three carry the same expression, so the overlap is harmless.
        -->
        <intercept-url pattern="/**/workflow/*" access="hasWorkflowAccess()"/>
        <intercept-url pattern="/**/workflows/simpleworkflow.script" access="hasWorkflowAccess()"/>
        <intercept-url pattern="/**/workflows/simpleworkflow.ajax" access="hasWorkflowAccess()"/>
        <intercept-url pattern="/**/workflows/simpleworkflow*" access="hasWorkflowAccess()"/>
        <!-- The admin-only .tfPackage rule must stay above the general download rule, which would otherwise match first. -->
        <intercept-url pattern="/**/download/**/*.tfPackage" access="hasRole('admin')"/>
        <intercept-url pattern="/**/download/**/*" access="hasDownloadAccess()"/>
        <intercept-url pattern="/**/detail/*" access="hasViewAccess()"/>
        <!-- Unlike the rules above, this pattern has no leading /**/ and is anchored at the first path segment. -->
        <intercept-url pattern="/dashboard/**" access="isAuthenticated()"/>
        <!--
          Catch-alls: any request not matched above is allowed without authentication
          (default-allow). Every new protected view therefore needs its own rule above
          these two lines.
        -->
        <intercept-url pattern="/**/*.*" access="permitAll"/>
        <intercept-url pattern="/*/**" access="permitAll"/>
        <!--
          Custom filters and their position in the chain:
            fascinatorOwaspInterceptor  runs before the response-header filter;
            authenticationFilter        occupies the form-login slot;
            fascinatorAuthInterceptor   runs just before the URL authorization check.
        -->
        <custom-filter ref="fascinatorOwaspInterceptor" before="HEADERS_FILTER"/>
        <custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>
        <custom-filter ref="fascinatorAuthInterceptor" before="FILTER_SECURITY_INTERCEPTOR"/>
        <access-denied-handler ref="accessDeniedHandler"/>
        <!-- Security response headers (Spring's defaults, listed explicitly); see https://docs.spring.io/spring-security/site/docs/current/reference/html/appendix-namespace.html#nsa-headers -->
        <headers>
            <!-- spring defaults; note that the hsts header is only sent on HTTPS responses -->
            <cache-control/>
            <content-type-options/>
            <hsts/>
            <frame-options/>
            <xss-protection/>
            <!-- custom headers -->
            <!--
              The policy below is sent in Report-Only mode: browsers post violations to the
              report-uri but block nothing. Renaming the header to Content-Security-Policy
              would enforce it.
              NOTE(review): script-src allows 'unsafe-inline' and 'unsafe-eval', so even when
              enforced this policy gives little protection against script injection. Several
              script and image origins are plain http, so that content can be altered in
              transit and would be blocked as mixed content on an HTTPS deployment. Prefer
              https origins and plan to remove the unsafe-* keywords before enforcing.
              The report-uri path is hard-coded to the /redbox context.
            -->
            <header name="Content-Security-Policy-Report-Only"
                    value="default-src 'none'; img-src 'self' http://tile.openstreetmap.org; style-src 'self' 'unsafe-inline'; connect-src 'self';script-src 'self' 'unsafe-inline' 'unsafe-eval' ajax.googleapis.com http://ajax.aspnetcdn.com http://code.jquery.com; font-src 'self'; report-uri /redbox/csp-reports/"/>
        </headers>
    </http>

    <!--
      Expression handler that evaluates the SpEL access expressions of the intercept-url
      rules. It is injected with the fascinatorStorage and fascinatorAccess beans, both
      defined outside this file. Presumably this class supplies the portal-specific
      expressions hasWorkflowAccess(), hasDownloadAccess() and hasViewAccess(); confirm
      against the class source.
    -->
    <beans:bean id="fascinatorWebSecurityExpressionHandler"
                class="com.googlecode.fascinator.portal.security.FascinatorWebSecurityExpressionHandler">
        <beans:property name="storage" ref="fascinatorStorage"/>
        <beans:property name="accessControl" ref="fascinatorAccess"/>
    </beans:bean>

    <!--
      Access decision manager referenced by the http element.
      AffirmativeBased grants access as soon as any one voter votes to grant. Only a single
      WebExpressionVoter is configured, so the result of each URL's SpEL expression decides.
      Any voter added to this list later can only widen access under these semantics, never
      narrow it.
    -->
    <beans:bean id="fascinatorAccessDecisionManagerBean"
                class="org.springframework.security.access.vote.AffirmativeBased">
        <beans:property name="decisionVoters">
            <beans:list>
                <!-- Evaluates the access expressions with the custom handler so the portal-specific functions resolve. -->
                <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
                    <beans:property name="expressionHandler" ref="fascinatorWebSecurityExpressionHandler"/>
                </beans:bean>
            </beans:list>
        </beans:property>
    </beans:bean>

    <!--
      Declared with no authentication-provider children, so this file registers no
      credential-checking provider. Presumably authentication is performed by the custom
      authenticationFilter / fascinatorAuthInterceptor beans and this element exists only
      to satisfy the security namespace; confirm against those classes.
    -->
    <authentication-manager/>

</beans:beans>



