<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd"
default-autowire="no">
<!-- We do not use autowiring, for documentation generation purposes.
A lot of copy/paste, but it's the price to pay for keeping the documentation valid -->
<bean id="placeholderConfig" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="locations">
<list>
<value>classpath:cas.properties</value>
</list>
</property>
</bean>
<!-- This file handles the security configuration management provided by Acegi Security -->
<bean id="springFilterChainProxy" class="org.springframework.security.util.FilterChainProxy">
<property name="filterInvocationDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=httpSessionContextIntegrationFilter,logoutFilter,casProcessingFilter,securityContextHolderAwareRequestFilter,exceptionTranslationFilter,filterInvocationInterceptor
</value>
</property>
</bean>
<bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.context.HttpSessionContextIntegrationFilter">
<property name="allowSessionCreation">
<value>true</value>
</property>
</bean>
<bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
<!-- redirect to cas logout after local logout -->
<constructor-arg value="${cas.server}/logout"/>
<constructor-arg index="1">
<list>
<ref bean="securityContextLogoutHandler"/>
</list>
</constructor-arg>
<property name="filterProcessesUrl" value="/cas_logout" />
</bean>
<bean id="securityContextLogoutHandler" class="org.springframework.security.ui.logout.SecurityContextLogoutHandler"/>
<bean id="securityContextHolderAwareRequestFilter" class="org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter"/>
<bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter">
<property name="authenticationEntryPoint">
<!-- this is the CAS entry point -->
<ref local="casProcessingFilterEntryPoint" />
</property>
<property name="accessDeniedHandler">
<bean class="org.springframework.security.ui.AccessDeniedHandlerImpl">
<!-- page to redirect to if the user's rights are not sufficient -->
<property name="errorPage" value="/accessDenied"/>
</bean>
</property>
</bean>
<bean id="filterInvocationInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager" />
<property name="accessDecisionManager" ref="decisionManager" />
<property name="objectDefinitionSource">
<value>
<!-- you must have ROLE_USER to access pages under the /secure/* path -->
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**/secure/*=ROLE_USER
</value>
</property>
</bean>
<bean id="decisionManager" class="org.springframework.security.vote.AffirmativeBased">
<property name="allowIfAllAbstainDecisions" value="false" />
<property name="decisionVoters">
<list>
<bean class="org.springframework.security.vote.RoleVoter" />
<bean class="org.springframework.security.vote.AuthenticatedVoter"/>
</list>
</property>
</bean>
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
<property name="providers">
<list>
<ref local="casAuthenticationProvider"/>
</list>
</property>
</bean>
<!-- This bean is optional; it isn't used by any other bean as it only listens and logs -->
<bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener"/>
<!-- =================================
| CAS SPECIFIC CONFIGURATION |
================================= -->
<!-- define the URL of the CAS service for this web app (it's the call-back URL) -->
<bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
<property name="service"><value>http://localhost:8080/cas/cas_check</value></property>
<property name="sendRenew"><value>false</value></property>
</bean>
<!-- equivalent to AuthenticationProcessingFilter, specialized for CAS -->
<bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationFailureUrl" value="/start/loginError=1"/>
<property name="defaultTargetUrl" value="/"/>
<property name="filterProcessesUrl"><value>/cas_check</value></property>
</bean>
<!-- The URL of the CAS server and the associated services -->
<bean id="casProcessingFilterEntryPoint" class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
<property name="loginUrl"><value>${cas.server}/</value></property>
<property name="serviceProperties"><ref bean="serviceProperties" /></property>
</bean>
<!-- Authentication provider for CAS -->
<bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
<property name="casAuthoritiesPopulator"><ref bean="casAuthoritiesPopulator" /></property>
<property name="casProxyDecider"><ref bean="casProxyDecider" /></property>
<property name="ticketValidator"><ref bean="casProxyTicketValidator" /></property>
<property name="statelessTicketCache"><ref bean="statelessTicketCache" /></property>
<property name="key"><value>my_password_for_this_auth_provider_only</value></property>
</bean>
<!-- CAS ticket validator -->
<bean id="casProxyTicketValidator" class="org.springframework.security.providers.cas.ticketvalidator.CasProxyTicketValidator">
<property name="casValidate"><value>${cas.server}/proxyValidate</value></property>
<property name="proxyCallbackUrl"><value>${cas.server}/casProxy/receptor</value></property>
<property name="serviceProperties"><ref bean="serviceProperties" /></property>
<!-- <property name="trustStore"><value>/some/path/to/your/lib/security/cacerts</value></property> -->
</bean>
<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
<property name="configLocation"><value>classpath:/ehcache-failsafe.xml</value></property>
</bean>
<bean id="ticketCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
<property name="cacheManager"><ref local="cacheManager" /></property>
<property name="cacheName"><value>ticketCache</value></property>
</bean>
<bean id="statelessTicketCache" class="org.springframework.security.providers.cas.cache.EhCacheBasedTicketCache">
<property name="cache"><ref local="ticketCacheBackend" /></property>
</bean>
<bean id="casAuthoritiesPopulator" class="org.springframework.security.providers.cas.populator.DaoCasAuthoritiesPopulator">
<property name="userDetailsService"><ref bean="constantRoleUserService" /></property>
</bean>
<bean id="casProxyDecider" class="org.springframework.security.providers.cas.proxy.RejectProxyTickets" />
<!-- this is a local user association between login and role.
This is a trivial provider which always replies ROLE_USER, not really secure :)
-->
<bean id="constantRoleUserService" class="org.interldap.castest.acegi.ConstantRoleUserService"/>
</beans>
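As an added example (Python, not part of this configuration file or of the project it comes from), the block below models how `FilterSecurityInterceptor` evaluates the `objectDefinitionSource` rule above: the request URL is lower-cased (`CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON`), matched against Apache Ant-style patterns (`PATTERN_TYPE_APACHE_ANT`), and the `ROLE_USER` attribute of the first matching rule is handed to an `AffirmativeBased` decision with a `RoleVoter`. The rule `/**/secure/*=ROLE_USER` is copied from the file; the sample request paths and granted-authority sets are constructed, and the matcher is a simplified re-implementation of Ant semantics, not Spring's own code.

```python
import re

# Rule copied from the objectDefinitionSource above; everything else is constructed.
RULES = [("/**/secure/*", {"ROLE_USER"})]
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON = True


def _segment_match(token: str, segment: str) -> bool:
    """Match one Ant pattern token against one path segment ('*' and '?' wildcards)."""
    regex = "".join(
        "[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c)
        for c in token
    )
    return re.fullmatch(regex, segment) is not None


def _match_tokens(pattern_tokens, path_tokens) -> bool:
    if not pattern_tokens:
        return not path_tokens
    head, rest = pattern_tokens[0], pattern_tokens[1:]
    if head == "**":
        # '**' spans zero or more whole segments: try every possible split point
        return any(_match_tokens(rest, path_tokens[i:]) for i in range(len(path_tokens) + 1))
    if not path_tokens:
        return False
    return _segment_match(head, path_tokens[0]) and _match_tokens(rest, path_tokens[1:])


def ant_match(pattern: str, path: str) -> bool:
    """Apache Ant-style path matching (simplified model of PATTERN_TYPE_APACHE_ANT)."""
    pattern_tokens = [t for t in pattern.split("/") if t]
    path_tokens = [t for t in path.split("/") if t]
    return _match_tokens(pattern_tokens, path_tokens)


def required_roles(path: str) -> set:
    """Config attributes attached to this URL by the first matching rule (empty = unsecured)."""
    if CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON:
        path = path.lower()
    for pattern, roles in RULES:
        if ant_match(pattern, path):
            return set(roles)
    return set()


def access_granted(path: str, granted_authorities: set) -> bool:
    """AffirmativeBased decision with RoleVoter and allowIfAllAbstainDecisions=false."""
    attributes = required_roles(path)
    if not attributes:
        # No rule matched: the interceptor does not restrict the call
        # (rejectPublicInvocations defaults to false).
        return True
    # RoleVoter grants as soon as one required ROLE_ attribute is held and denies
    # otherwise; AuthenticatedVoter abstains on ROLE_ attributes, so with
    # allowIfAllAbstainDecisions=false the outcome is decided by the RoleVoter alone.
    role_attrs = {a for a in attributes if a.startswith("ROLE_")}
    return bool(role_attrs & granted_authorities)


# Constructed request paths used to exercise the rule.
SAMPLE_REQUESTS = [
    "/Secure/Report",          # mixed case: lower-cased before comparison
    "/app/secure/report",      # '**' absorbs the leading 'app' segment
    "/secure/reports/2010",    # two segments after 'secure': not matched by '/*'
    "/public/index",           # no rule applies
]


def classify(paths=SAMPLE_REQUESTS) -> dict:
    """Map each sample path to the sorted list of roles the rule requires."""
    return {p: sorted(required_roles(p)) for p in paths}


if __name__ == "__main__":
    for path, roles in classify().items():
        print(f"{path:25} -> {roles or 'unrestricted'}")
```

The model shows what the pattern in the file actually covers: `*` matches a single path segment, so `/**/secure/*` attaches `ROLE_USER` to `/secure/report` (and, via lower-casing, to `/Secure/Report`) but not to `/secure/reports/2010`, which falls through with no attributes. If nested paths under `/secure/` also need protection, a pattern such as `/**/secure/**` matches them (`ant_match("/**/secure/**", "/secure/reports/2010")` returns `True`); either way, compare the rule against the URL space the application really serves rather than assuming the prefix is covered.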