1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
|
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd"
default-autowire="no">
<!-- We do not use autowiring for documentation generation purpose.
A lot of copy/paste, but it's the prize to maintain a valid doc -->
<bean id="placeholderConfig" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="locations">
<list>
<value>classpath:cas.properties</value>
</list>
</property>
</bean>
<!-- This file handle the security configuration management provided by Acegisecurity -->
<bean id="springFilterChainProxy" class="org.springframework.security.util.FilterChainProxy">
<property name="filterInvocationDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=httpSessionContextIntegrationFilter,logoutFilter,casProcessingFilter,securityContextHolderAwareRequestFilter,exceptionTranslationFilter,filterInvocationInterceptor
</value>
</property>
</bean>
<bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.context.HttpSessionContextIntegrationFilter">
<property name="allowSessionCreation">
<value>true</value>
</property>
</bean>
<bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
<!-- redirect to cas logout after local logout -->
<constructor-arg value="${cas.server}/logout"/>
<constructor-arg index="1">
<list>
<ref bean="securityContextLogoutHandler"/>
</list>
</constructor-arg>
<property name="filterProcessesUrl" value="/cas_logout" />
</bean>
<bean id="securityContextLogoutHandler" class="org.springframework.security.ui.logout.SecurityContextLogoutHandler"/>
<bean id="securityContextHolderAwareRequestFilter" class="org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter"/>
<bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter">
<property name="authenticationEntryPoint">
<!-- this is the CAS entry point -->
<ref local="casProcessingFilterEntryPoint" />
</property>
<property name="accessDeniedHandler">
<bean class="org.spring.ui.AccessDeniedHandlerImpl">
<!-- page to redirect to if rights are not sufficients -->
<property name="errorPage" value="/accessDenied"/>
</bean>
</property>
</bean>
<bean id="filterInvocationInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager" />
<property name="accessDecisionManager" ref="decisionManager" />
<property name="objectDefinitionSource">
<value>
<!-- yu must have ROLE_USER to access page in /secure/* path -->
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**/secure/*=ROLE_USER
</value>
</property>
</bean>
<bean id="decisionManager" class="org.springframework.security.vote.AffirmativeBased">
<property name="allowIfAllAbstainDecisions" value="false" />
<property name="decisionVoters">
<list>
<bean class="org.springframework.security.vote.RoleVoter" />
<bean class="org.springframework.security.vote.AuthenticatedVoter"/>
</list>
</property>
</bean>
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
<property name="providers">
<list>
<ref local="casAuthenticationProvider"/>
</list>
</property>
</bean>
<!-- This bean is optional; it isn't used by any other bean as it only listens and logs -->
<bean id="loggerListener" class="org.spring.event.authentication.LoggerListener"/>
<!-- =================================
| CAS SPECIFIC CONFIGURATION |
================================= -->
<!-- define the url for the CAS service for this web app (it's the call-back URL -->
<bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
<property name="service"><value>http://localhost:8080/cas/cas_check</value></property>
<property name="sendRenew"><value>false</value></property>
</bean>
<!-- equivalent to authenticationProcesingFilter, specialized for CAS -->
<bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationFailureUrl" value="/start/loginError=1"/>
<property name="defaultTargetUrl" value="/"/>
<property name="filterProcessesUrl"><value>/cas_check</value></property>
</bean>
<!-- The url of the CAS server and the assoicated services -->
<bean id="casProcessingFilterEntryPoint" class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
<property name="loginUrl"><value>${cas.server}/</value></property>
<property name="serviceProperties"><ref bean="serviceProperties" /></property>
</bean>
<!-- Authentication provider for CAS -->
<bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
<property name="casAuthoritiesPopulator"><ref bean="casAuthoritiesPopulator" /></property>
<property name="casProxyDecider"><ref bean="casProxyDecider" /></property>
<property name="ticketValidator"><ref bean="casProxyTicketValidator" /></property>
<property name="statelessTicketCache"><ref bean="statelessTicketCache" /></property>
<property name="key"><value>my_password_for_this_auth_provider_only</value></property>
</bean>
<!-- CAS ticket validator -->
<bean id="casProxyTicketValidator" class="org.springframework.security.providers.cas.ticketvalidator.CasProxyTicketValidator">
<property name="casValidate"><value>${cas.server}/proxyValidate</value></property>
<property name="proxyCallbackUrl"><value>${cas.server}/casProxy/receptor</value></property>
<property name="serviceProperties"><ref bean="serviceProperties" /></property>
<!-- <property name="trustStore"><value>/some/path/to/your/lib/security/cacerts</value></property> -->
</bean>
<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
<property name="configLocation"><value>classpath:/ehcache-failsafe.xml</value></property>
</bean>
<bean id="ticketCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
<property name="cacheManager"><ref local="cacheManager" /></property>
<property name="cacheName"><value>ticketCache</value></property>
</bean>
<bean id="statelessTicketCache" class="org.springframework.security.providers.cas.cache.EhCacheBasedTicketCache">
<property name="cache"><ref local="ticketCacheBackend" /></property>
</bean>
<bean id="casAuthoritiesPopulator" class="org.springframework.security.providers.cas.populator.DaoCasAuthoritiesPopulator">
<property name="userDetailsService"><ref bean="constantRoleUserService" /></property>
</bean>
<bean id="casProxyDecider" class="org.springframework.security.providers.cas.proxy.RejectProxyTickets" />
<!-- this is a local user association between login and role.
this a trivial provider which always reply ROLE_USER, not really secure :)
-->
<bean id="constantRoleUserService" class="org.interldap.castest.acegi.ConstantRoleUserService"/>
</beans> |
Migration acegi vers Spring security 3.1.2
Répondre avec citation
Partager