Red Hat Application Migration Toolkit
<?xml version="1.0" encoding="UTF-8"?> <!-- $Id: applicationContext-security.xml 4315 2013-07-01 20:31:21Z mitcje $ $URL: https://open.jira.com/svn/IKASAN/tags/ikasaneip-0.9.0/console/war/src/main/webapp/WEB-INF/applicationContext-security.xml $ ==================================================================== Ikasan Enterprise Integration Platform Distributed under the Modified BSD License. Copyright notice: The copyright for this software and a full listing of individual contributors are as shown in the packaged copyright.txt file. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. - Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. - Neither the name of the ORGANIZATION nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ==================================================================== Author: Ikasan Development Team --> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"> <!-- Automatically receives AuthenticationEvent messages IKASAN-240 Disabled LoggerListener because it logs everything at WARN and the log messages aren't useful either <beans:bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener" /> --> <!-- The access decision manager --> <global-method-security access-decision-manager-ref="accessDecisionManager"> <!-- AspectJ pointcut expressions that locates our "post" method and applies security to that call. --> <!-- TODO: Temporarily unblock the service and block the admin controller instead --> <!-- <protect-pointcut expression="execution(* org.ikasan.framework.security.service.UserService.changeUsersPassword(..))" access="ROLE_ADMIN" /> --> <protect-pointcut expression="execution(* org.ikasan.console.web.controller.UsersController.changePassword(..))" access="ROLE_ADMIN" /> <protect-pointcut expression="execution(* org.ikasan.security.service.UserService.grantAuthority(..))" access="ROLE_ADMIN" /> <protect-pointcut expression="execution(* org.ikasan.security.service.UserService.revokeAuthority(..))" access="ROLE_ADMIN" /> <!-- Gaining access to a Module requires security check --> <!-- <protect-pointcut expression="execution(* org.ikasan.framework.module.service.ModuleService.getModule(..))" access="ROLE_USER,AFTER_MODULE_READ" /> --> <protect-pointcut expression="execution(* org.ikasan.console.module.service.ModuleService.getAllModules())" access="ROLE_USER,AFTER_MODULE_COLLECTION_READ" /> <protect-pointcut expression="execution(* org.ikasan.console.pointtopointflow.service.PointToPointFlowProfileService.getAllPointToPointFlowProfiles(..))" access="ROLE_USER,AFTER_POINT_TO_POINT_FLOW_PROFILE_COLLECTION_READ" /> <protect-pointcut expression="execution(* org.ikasan.console.pointtopointflow.dao.PointToPointFlowProfileDao.findPointToPointFlowProfiles(..))" access="ROLE_USER,AFTER_POINT_TO_POINT_FLOW_PROFILE_COLLECTION_READ" /> <after-invocation-provider ref="moduleCollectionFilteringAfterInvocationProvider"/> <after-invocation-provider ref="pointToPointFlowProfileCollectionFilteringAfterInvocationProvider"/> </global-method-security> <!-- Declare the access denied page & force people to go to the login screen if they try to go elsewhere first. --> <http pattern="/login.jsp*" security="none" /> <http pattern="/users/forgotPassword.htm" security="none" /> <http pattern="/users/sendPassword.htm" security="none" /> <http pattern="/css/*" security="none" /> <http pattern="/images/*" security="none" /> <http pattern="/js/*" security="none" /> <http access-denied-page="/accessDenied.jsp" auto-config='true'> <!-- For login.jsp, changePassword.jsp, sendPassword.htm, css and images we don't apply security --> <!-- You need ROLE_ADMIN for admin pages --> <intercept-url pattern="/admin/**" access="ROLE_ADMIN" /> <!-- You need ROLE_USER for all pages --> <intercept-url pattern="/**" access="ROLE_USER" /> <!-- If you fail login then redirect to the login.jsp page but with the extra parameter indicating failure --> <form-login login-page='/login.jsp' authentication-failure-url='/login.jsp?login_error=1' /> </http> <!-- The authentication provider, use the SHA1 encoding for password obscuring --> <authentication-manager> <authentication-provider user-service-ref="userDetailsService"> <password-encoder ref="sha1PasswordEncoder" /> </authentication-provider> </authentication-manager> <!-- The SHA1 password encoder provider --> <beans:bean id="sha1PasswordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/> <!-- The user details service --> <beans:bean id="userDetailsService" class="org.ikasan.security.service.UserServiceImpl"> <beans:constructor-arg ref="userDao"/> <beans:constructor-arg ref="authorityDao"/> <beans:constructor-arg ref="sha1PasswordEncoder"/> </beans:bean> <!-- The User DAO --> <beans:bean id="userDao" class="org.ikasan.security.dao.HibernateUserDao"> <beans:property name="sessionFactory" ref="securitySessionFactory"/> </beans:bean> <!-- The Authority DAO --> <beans:bean id="authorityDao" class="org.ikasan.security.dao.HibernateAuthorityDao"> <beans:property name="sessionFactory" ref="securitySessionFactory"/> </beans:bean> <!-- The security session factory --> <beans:bean id="securitySessionFactory" class="org.springframework.orm.hibernate3.LocalSessionFactoryBean"> <beans:property name="dataSource" ref="eai.ds" /> <beans:property name="mappingResources"> <beans:list> <beans:value>org/ikasan/security/model/User.hbm.xml</beans:value> <beans:value>org/ikasan/security/model/Authority.hbm.xml</beans:value> </beans:list> </beans:property> <beans:property name="hibernateProperties" ref="platformHibernateProperties"/> </beans:bean> <!-- The access decision manager --> <beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased"> <beans:property name="allowIfAllAbstainDecisions" value="true"/> <beans:property name="decisionVoters"> <beans:list> <beans:bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter"/> </beans:list> </beans:property> </beans:bean> <!-- The access decision manager for what modules are allowed to be viewed by a user --> <beans:bean id="moduleCollectionFilteringAfterInvocationProvider" class="org.ikasan.console.security.AfterInvocationModuleCollectionFilteringProvider"> </beans:bean> <!-- The access decision manager for what point to point flow profiles are allowed to be viewed by a user --> <beans:bean id="pointToPointFlowProfileCollectionFilteringAfterInvocationProvider" class="org.ikasan.console.security.AfterInvocationPointToPointFlowProfileCollectionFilteringProvider"> </beans:bean> </beans:beans>