Commit 53d1d351 authored by Gradl, Tobias's avatar Gradl, Tobias

709: Consolidate security configurations

Task-Url: https://minfba.de.dariah.eu/mantisbt/view.php?id=709
parent 345ac3ed
......@@ -15,6 +15,28 @@
<security:http security="none" pattern="/logout.jsp"/>
<security:http security="none" pattern="/resources/**"/>
<security:http entry-point-ref="securityEntryPoint" use-expressions="false" access-decision-manager-ref="accessDecisionManager" >
<security:intercept-url pattern="/protected/**" access="IS_AUTHENTICATED_FULLY"/>
<security:intercept-url pattern="/saml/web/**" access="IS_AUTHENTICATED_FULLY"/>
<!-- <security:intercept-url pattern="/saml/web/**" access="ROLE_ADMIN"/> -->
<security:custom-filter after="BASIC_AUTH_FILTER" ref="authFilter"/>
<security:custom-filter ref="redirectionAwareFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="redirectionAwareFilter" after="REQUEST_CACHE_FILTER" />
<security:request-cache ref="requestCache"/>
<!-- Disable only for /saml/SSO** ?? -->
<security:csrf disabled="true" />
</security:http>
<!-- This probably needs to be changed to a persisting extension of BaseUserService -->
<bean id="userDetailsService" class="eu.dariah.de.dariahsp.sample.service.CachingUserServiceImpl" />
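Review bot: The second intercept-url in the consolidated `<security:http>` chain grants `/saml/web/**` with `IS_AUTHENTICATED_FULLY` while the `ROLE_ADMIN` variant directly below it stays commented out, so any authenticated user reaches the SAML administration pages that the removed SAML-profile chain restricted to administrators; if that widening is intended it should be said in the comment, otherwise `<security:intercept-url pattern="/saml/web/**" access="ROLE_ADMIN"/>` should replace the open rule. The `<security:csrf disabled="true" />` line switches CSRF protection off for the whole chain even though the comment above it only wants the `/saml/SSO**` endpoint exempted; the namespace's `request-matcher-ref` attribute on `<security:csrf>` lets the SSO path be excluded while the rest of the chain stays protected. The chain also refers to `securityEntryPoint` and `authFilter`, which this common file does not define as far as the hunk shows, so a note on the http element such as `<!-- securityEntryPoint and authFilter must be provided by the importing profile context (local or SAML) -->` would make that contract explicit. The hunk header announces 28 new-side lines but only 15 are visible, so the remainder of this element may be cut.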
......
......@@ -8,8 +8,11 @@
<import resource="security-context-common.xml"/>
<security:http disable-url-rewriting="true" auto-config="true" use-expressions="false" access-decision-manager-ref="accessDecisionManager" >
<!-- <security:http disable-url-rewriting="true" auto-config="true" use-expressions="false" access-decision-manager-ref="accessDecisionManager" >
<security:csrf disabled="true"/>
<security:intercept-url pattern="/test/jumboFluid" requires-channel="http" access="IS_AUTHENTICATED_FULLY" />
......@@ -28,20 +31,28 @@
<security:logout invalidate-session="true" logout-url="/logout" logout-success-url="/" />
<security:request-cache ref="requestCache"/>
</security:http>
</security:http> -->
<bean id="authFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter" >
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<security:authentication-manager id="authenticationManager" alias="authenticationManager">
<security:authentication-provider ref="localAuthenticationProvider" />
</security:authentication-manager>
<!-- Map only for ajax calls; how??? entry-point-ref="ajaxEntryPoint" -->
<bean id="ajaxEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint">
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="localAuthenticationProvider" />
</security:authentication-manager>
<bean id="localAuthenticationProvider" class="eu.dariah.de.dariahsp.local.LocalAuthenticationProvider">
<property name="localUserDb">
<bean class="eu.dariah.de.dariahsp.local.LocalUserConfService">
<property name="userfile" value="${saml.local.userfile}" />
<property name="encoder"><bean class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/></property>
</bean>
</property>
<property name="userService" ref="userDetailsService" />
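Review bot: The new `authFilter` bean is a bare `UsernamePasswordAuthenticationFilter` with only `authenticationManager` set, and the namespace-built `<security:http auto-config="true">` block that used to supply the form-login filter is now commented out (together with its `<security:logout invalidate-session="true" .../>` line); a hand-declared processing filter does not receive the namespace's session-fixation strategy, and `AbstractAuthenticationProcessingFilter` otherwise defaults to a no-op strategy, so unless it is wired elsewhere this bean should get an explicit `<property name="sessionAuthenticationStrategy" ref="..."/>` and a comment saying which URL it processes. Whether logout still invalidates the session now depends on the common chain, which the first hunk of this commit does not visibly configure — worth confirming. The old chain is kept as a comment rather than deleted; since history already preserves it, removing the commented block (lines in the `@@ -8,8 +8,11 @@` hunk of this file as well) would leave less misleading configuration to read.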
......
......@@ -11,44 +11,13 @@
<import resource="security-context-common.xml"/>
<!-- Scan for auto-wiring classes in spring saml packages -->
<context:component-scan base-package="org.springframework.security.saml"/>
<!-- Security for the administration UI -->
<!-- <security:http pattern="/saml/web/**" use-expressions="false">
<security:access-denied-handler error-page="/saml/web/metadata/login"/>
<security:form-login login-processing-url="/saml/web/login" login-page="/saml/web/metadata/login" default-target-url="/saml/web/metadata"/>
<security:intercept-url pattern="/saml/web/metadata/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<security:intercept-url pattern="/saml/web/**" access="ROLE_ADMIN"/>
<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
</security:http> -->
<!-- Secured pages with SAML as entry point -->
<security:http entry-point-ref="samlEntryPoint" use-expressions="false" access-decision-manager-ref="accessDecisionManager" >
<security:intercept-url pattern="/protected/**" access="IS_AUTHENTICATED_FULLY"/>
<security:intercept-url pattern="/saml/web/**" access="IS_AUTHENTICATED_FULLY"/>
<!-- <security:intercept-url pattern="/saml/web/**" access="ROLE_ADMIN"/> -->
<security:custom-filter before="FIRST" ref="metadataGeneratorFilter"/>
<security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
<security:custom-filter ref="redirectionAwareFilter" before="PRE_AUTH_FILTER" />
<security:custom-filter ref="redirectionAwareFilter" after="REQUEST_CACHE_FILTER" />
<security:request-cache ref="requestCache"/>
<!-- Disable only for /saml/SSO** ?? -->
<security:csrf disabled="true" />
</security:http>
<context:component-scan base-package="org.springframework.security.saml"/>
<!-- Filters for processing of SAML messages -->
<bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy">
<bean id="authFilter" class="org.springframework.security.web.FilterChainProxy">
<security:filter-chain-map request-matcher="ant">
<security:filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/>
<security:filter-chain pattern="/saml/login/**" filters="securityEntryPoint"/>
<security:filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter"/>
<security:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/>
<security:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter"/>
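Review bot: The renamed `authFilter` bean is a `FilterChainProxy` here but a `UsernamePasswordAuthenticationFilter` in the local context, and both are plugged into the common chain through the same `<security:custom-filter after="BASIC_AUTH_FILTER" ref="authFilter"/>`; nothing in either file records that the two profile contexts are expected to provide interchangeable `authFilter` and `securityEntryPoint` beans for security-context-common.xml. A comment above this bean such as `<!-- Provides the "authFilter" bean required by security-context-common.xml; in the SAML profile it is the SAML filter chain -->` (and its counterpart in the local context) would document the contract the consolidation introduces. The `/saml/web/**` admin chain removed above is replaced by the less restrictive rule in the common file, which is raised on that hunk.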
......@@ -86,7 +55,7 @@
<bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger"/>
<!-- Entry point to initialize authentication, default values taken from properties file -->
<bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
<bean id="securityEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint">
<property name="defaultProfileOptions">
<bean class="org.springframework.security.saml.websso.WebSSOProfileOptions">
<property name="includeScoping" value="false"/>
......