.main.1.7.0.source-code.applicationSecurityContext.xml Maven / Gradle / Ivy
The newest version!
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd"> <beans> <!-- ========================================================================================= --> <!-- The following is the Acegi configuration for form based authentication, with login/logout --> <!-- handling, as well as remember-me cookie handling, and session integration so that user --> <!-- does not have to login for each page. --> <!-- This also makes sure that when you request a secured resource you go first to the --> <!-- login page, but get redirected to the origally requested page once login is succefull --> <!-- ========================================================================================= --> <!-- This filter delegates a different chain of sub-filters for administration console pages and OWS services. Basically, we set up a chain involving basic/anonymous authentication for OWS services, and a form based authentication for the web console, so that accessing the console by means of simple calls is still easy. An attempt at form+basic has been done, that would have eased writing code accessing directly the console, but it does not play well with logout: once the browser learns about basic auth credentials it'll keep on using them, the only way to make it stop is to declare a different user in the location bar, such as in: http://user@host:port/... For filters introduction, their meanining, the different setup between form and basic authentication accesses, and importance of the order please see the Acegi reference guide, chapter 3.2, (page 17 of the PDF version) --> <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy"> <property name="filterInvocationDefinitionSource"> <value> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT /wfs/**=httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,anonymousProcessingFilter,owsExceptionTranslationFilter,filterInvocationInterceptor /ows/**=httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,anonymousProcessingFilter,owsExceptionTranslationFilter,filterInvocationInterceptor /wfsv/**=httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,anonymousProcessingFilter,owsExceptionTranslationFilter,filterInvocationInterceptor /wms/**=httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,anonymousProcessingFilter,owsExceptionTranslationFilter,filterInvocationInterceptor /wcs/**=httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,anonymousProcessingFilter,owsExceptionTranslationFilter,filterInvocationInterceptor /rest/**=httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,anonymousProcessingFilter,owsExceptionTranslationFilter,restFilterInvocationInterceptor /gwc/**=httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,anonymousProcessingFilter,owsExceptionTranslationFilter,restFilterInvocationInterceptor /**=httpSessionContextIntegrationFilterWithASCTrue,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,consoleExceptionTranslationFilter,filterInvocationInterceptor </value> <!-- /api/**=httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,anonymousProcessingFilter,owsExceptionTranslationFilter,restFilterInvocationInterceptor --> </property> </bean> <bean id="restFilterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor"> <property name="authenticationManager" ref="authenticationManager" /> <property name="accessDecisionManager"> <bean class="org.acegisecurity.vote.AffirmativeBased"> <property name="allowIfAllAbstainDecisions" value="false" /> <property name="decisionVoters"> <list> <bean class="org.acegisecurity.vote.RoleVoter" /> <bean class="org.acegisecurity.vote.AuthenticatedVoter" /> </list> </property> </bean> </property> <property name="objectDefinitionSource" ref="restFilterDefinitionMap"/> </bean> <!-- HTTP Method security rules. This follows the same format as the normal DefinitionSource, but allows methods to be specified as well. Remember that rules are matched in order, so please put the most specific rules at the beginning of the list. In order to have these applied, add restFilterDefintionMap to the end of the filter list in the filterChainProxy above Note that GeoWebCache /gwc also depends on this chain --> <bean id="restFilterDefinitionMap" class="org.geoserver.security.RESTfulDefinitionSource"> <constructor-arg type="java.lang.String"> <value> /**:GET=IS_AUTHENTICATED_ANONYMOUSLY /**:POST,DELETE,PUT=ROLE_AUTHENTICATED,ROLE_ADMINISTRATOR </value> </constructor-arg> </bean> <!-- The actual authorization checks at the filter level. The voters make sure the user is both authenticated (the anonymous filter ensures there is at least an anonymous one) and have the roles required. The objectDefinitionSource provides a set of path along with the roles that the user must have in order to access the secured resource --> <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor"> <property name="authenticationManager" ref="authenticationManager" /> <property name="accessDecisionManager"> <bean class="org.acegisecurity.vote.AffirmativeBased"> <property name="allowIfAllAbstainDecisions" value="false" /> <property name="decisionVoters"> <list> <bean class="org.acegisecurity.vote.RoleVoter" /> <bean class="org.acegisecurity.vote.AuthenticatedVoter" /> </list> </property> </bean> </property> <property name="objectDefinitionSource"> <value> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT /config/**=ROLE_ADMINISTRATOR /**=IS_AUTHENTICATED_ANONYMOUSLY </value> </property> </bean> <!-- This filter integrates the authentication information in the http sessions, so it's meant to be used only for the administration console, but not for the services. Gathers authentication infos from the session, so that you don't have to re-authenticate at each request, and adds it to the session after authentication. This specific instance is configured with remember-me functionality, so that authentication information can be gathered from a cookie set on the browser, too. This version will create the user session if missing, it's meant for web console operation. --> <bean id="httpSessionContextIntegrationFilterWithASCTrue" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"> <property name="allowSessionCreation" value="true" /> </bean> <!-- Same as the one above, but this one uses a session if it's already there, otherwise it won't create it. This is meant to keep the overhead on service call low, but allow users that have already authenticated using a form based access to keep using that authentication when accessing services. --> <bean id="httpSessionContextIntegrationFilterWithASCFalse" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"> <property name="allowSessionCreation" value="false" /> </bean> <!-- This filters processes logouts, removing both session informations, and the remember-me cookie from the browser --> <bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter"> <constructor-arg value="/index.jsp" /> <!-- URL redirected to after logout --> <constructor-arg> <list> <ref bean="rememberMeServices" /> <bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler" /> </list> </constructor-arg> </bean> <!-- This filter does the actual main authentication workflow and handles form based authentication too. It asks the authentication manager wheter access is granted to the resource the user is trying to access, redirects to a failure page if it fails, and to another filter if the authentication informations are just being provided. This is useful only for form based authentication, the OWS services do use another authentication processing filter. --> <bean id="authenticationProcessingFilter" class="org.geoserver.security.GeoserverAuthenticationProcessingFilter"> <property name="authenticationManager" ref="authenticationManager" /> <property name="authenticationFailureUrl" value="/admin/login.do?login_error=1" /> <property name="defaultTargetUrl" value="/" /> <property name="filterProcessesUrl" value="/j_acegi_security_check" /> <property name="rememberMeServices" ref="rememberMeServices" /> </bean> <!-- Double check, this may not be necessary --> <bean id="securityContextHolderAwareRequestFilter" class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter" /> <!-- If authentication is missing from the SecurityContext, tries to put authentication information into the context using remember-me cookies. Will try to authenticate the contents of the cookie against the authentication manager --> <bean id="rememberMeProcessingFilter" class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter"> <property name="authenticationManager" ref="authenticationManager" /> <property name="rememberMeServices" ref="rememberMeServices" /> </bean> <!-- Puts default authentication informations in the security context, making sure we always get an anonymous user and anonymous role if all other authentication attempts failed --> <bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter"> <property name="key" value="geoserver" /> <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS" /> </bean> <!-- Handles the basic authentication headers. This integrates with the remember-me services, so that you'll have to provide username/password just once during interactive tests. --> <bean id="basicProcessingFilter" class="org.acegisecurity.ui.basicauth.BasicProcessingFilter"> <property name="authenticationManager"> <ref local="authenticationManager" /> </property> <property name="authenticationEntryPoint"> <ref local="basicProcessingFilterEntryPoint" /> </property> <property name="rememberMeServices"> <ref local="rememberMeServices" /> </property> </bean> <!-- This entry point gets called when basic authentication is needed (or a previous attempt fail) to commence authentication with the basic processing filter --> <bean id="basicProcessingFilterEntryPoint" class="org.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint"> <property name="realmName"> <value>GeoServer Realm</value> </property> </bean> <!-- During the request execution security exceptions may be thrown, either during the authentication or authorization phase. This filter redirects authentication failures to the login form, whilst returns the user to an access denied page if the authorization levels are not enough --> <bean id="consoleExceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter"> <property name="authenticationEntryPoint"> <bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint"> <property name="loginFormUrl" value="/admin/login.do" /> <property name="forceHttps" value="false" /> </bean> </property> <property name="accessDeniedHandler"> <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl"> <property name="errorPage" value="/accessDenied.jsp" /> </bean> </property> </bean> <!-- During the request execution security exceptions may be thrown, either during the authentication or authorization phase. This filter redirects authentication failures to the login form, whilst returns the user to an access denied page if the authorization levels are not enough --> <bean id="owsExceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter"> <property name="authenticationEntryPoint"> <ref bean="basicProcessingFilterEntryPoint" /> </property> <property name="accessDeniedHandler"> <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl"> <property name="errorPage" value="/accessDenied.jsp" /> </bean> </property> </bean> <!-- The actual remember-me cookie handler --> <bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices"> <property name="userDetailsService" ref="userDetailsService" /> <property name="key" value="geoserver" /> </bean> <!-- The bean managing authentication, basically forwards authentication requests against a number of child providers --> <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager"> <property name="providers"> <list> <ref local="daoAuthenticationProvider" /> <bean class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider"> <property name="key" value="geoserver" /> </bean> <bean class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider"> <property name="key" value="geoserver" /> </bean> </list> </property> </bean> <!-- This one adds passoword checks, eventual password encryption and other services on on top of a user details service that is asked to provide user informations given just the user name --> <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider"> <property name="userDetailsService" ref="userDetailsService" /> </bean> <!-- Ah, finally the one that hits the disk and, backed by a property file, returns known users, their passwords and roles --> <bean id="userDetailsService" class="org.geoserver.security.GeoserverUserDao"> <property name="geoServer" ref="geoServer" /> </bean> <!-- This interceptor will be used before calling operations on OWS stuff, and making it secure --> <bean id="operationSecurityInterceptor" class="org.geoserver.security.OperationSecurityInterceptor"> <property name="authenticationManager" ref="authenticationManager" /> <property name="accessDecisionManager"> <bean class="org.acegisecurity.vote.AffirmativeBased"> <property name="allowIfAllAbstainDecisions" value="false" /> <property name="decisionVoters"> <list> <bean class="org.acegisecurity.vote.RoleVoter" /> <bean class="org.acegisecurity.vote.AuthenticatedVoter" /> </list> </property> </bean> </property> <property name="objectDefinitionSource"> <bean class="org.geoserver.security.OperationDefinitionSource" /> </property> </bean> </beans>