RenJuan/TASKPM
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
TASKPM/libreplan-webapp/src/main/resources/libreplan-webapp-spring-security-config.xml
Manuel Rego Casasnovas 1a19400990 Add new role to protect subcontracting services 
New role ROLE_WS_SUBCONTRACTING has been created, now the web services are
separated in two parts:
* Common web services are allowed to be read by role ROLE_WS_READER and written
  by role ROLE_WS_WRITER
* Subcontracting web services are allowed to be read and written by role
  ROLE_WS_SUBCONTRACTING

In this way you can give access to a different companies to your subcontracting
services, however prevent them to access to the rest of your data (via common
web services).

FEA: ItEr76S30PermissionsEnhancements
2012-06-11 17:08:09 +02:00

153 lines
8.2 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
<!-- NOTE: see http://static.springsource.org/spring-security/site/docs/2.0.x/apidocs/org/springframework/security/vote/AuthenticatedVoter.html
for an explanation of the meaning of IS_AUTHENTICATED_ANONYMOUSLY and IS_AUTHENTICATED_FULLY. -->
<http auto-config="false" realm="LibrePlan Web Application"
entry-point-ref="customAuthenticationEntryPoint">
<!-- Web services -->
<intercept-url pattern="/ws/rest/subcontracting/**" access="ROLE_WS_SUBCONTRACTING"
method="GET" />
<intercept-url pattern="/ws/rest/subcontracting/**" access="ROLE_WS_SUBCONTRACTING"
method="POST" />
<intercept-url pattern="/ws/rest/**" access="ROLE_WS_READER"
method="GET" />
<intercept-url pattern="/ws/rest/**" access="ROLE_WS_WRITER"
method="POST" />
<!-- Web application -->
<intercept-url pattern="/common/img/**"
access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/common/css/**"
access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/planner/css/**"
access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/callback/**"
access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/zkau/**"
access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/help/**"
access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/common/layout/login.zul"
access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/common/layout/timeout.zul"
access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/advance/**" access="ROLE_ADMINISTRATION" />
<intercept-url pattern="/resources/criterions/**"
access="ROLE_ADMINISTRATION" />
<intercept-url pattern="/calendars/**" access="ROLE_ADMINISTRATION" />
<intercept-url pattern="/labels/**" access="ROLE_ADMINISTRATION" />
<intercept-url pattern="/materials/**" access="ROLE_ADMINISTRATION" />
<intercept-url pattern="/costcategories/**"
access="ROLE_ADMINISTRATION" />
<intercept-url pattern="/common/configuration.zul"
access="ROLE_ADMINISTRATION" />
<intercept-url pattern="/qualityforms/**" access="ROLE_ADMINISTRATION" />
<intercept-url pattern="/users/**" access="ROLE_ADMINISTRATION" />
<intercept-url pattern="/externalcompanies/**"
access="ROLE_ADMINISTRATION" />
<intercept-url pattern="/workreports/workReportTypes.zul"
access="ROLE_ADMINISTRATION" />
<!-- FIXME review when role for bound users is set -->
<!-- intercept-url pattern="/expensesheet/**" access="ROLE_ADMINISTRATION,ROLE_EXPENSE_TRACKING"/ -->
<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
<!-- These have been added because of auto-config is false now in order
to use a custom authentication filter.
See: http://static.springsource.org/spring-security/site/docs/2.0.x/reference/ns-config.html#ns-auto-config -->
<anonymous />
<http-basic />
<logout />
<remember-me />
</http>
<!-- Beans used by Spring Security (current configuration assumes users
are registered in the database). -->
<beans:bean id="passwordEncoder"
class="org.springframework.security.providers.encoding.ShaPasswordEncoder">
<beans:constructor-arg value="512" />
</beans:bean>
<beans:bean id="saltSource"
class="org.springframework.security.providers.dao.salt.ReflectionSaltSource"
p:userPropertyToUse="username" />
<!-- <beans:bean id="realAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider"
p:passwordEncoder-ref="passwordEncoder" p:saltSource-ref="saltSource" p:userDetailsService-ref="dbUserDetailsService">
<custom-authentication-provider/> </beans:bean> -->
<!-- Beans used by the LibrePlan Web application when users are registered
in the database. When users are registered externally (e.g. in a LDAP server),
these lines may be commented. <beans:bean id="dbUserDetailsService" class="org.libreplan.web.users.services.DBUserDetailsService"/> -->
<beans:bean id="dbPasswordEncoderService"
class="org.libreplan.web.users.services.DBPasswordEncoderService"
p:passwordEncoder-ref="passwordEncoder" p:saltSource-ref="saltSource" />
<beans:bean id="usersBootstrapInDB"
class="org.libreplan.web.users.bootstrap.UsersBootstrapInDB"
p:dbPasswordEncoderService-ref="dbPasswordEncoderService" />
<!-- Beans used by the LibrePlan Web Application when users are registerd
in LDAP. At this moment users MUST be also in database with same username.
This will be changed in the near future. the url, base, userDN and password
properties must be set with the proper values -->
<beans:bean id="contextSource"
class="org.libreplan.web.users.services.LDAPCustomContextSource">
</beans:bean>
<beans:bean id="ldapTemplate"
class="org.springframework.ldap.core.LdapTemplate"
p:contextSource-ref="contextSource">
</beans:bean>
<!-- This authentication provider will make possible all the login process
when an LDAP is used. Also will allow authenticate users in database. The
property strUserId must be set with the proper value. It represents the property
of the user in LDAP which will be used to check the username. -->
<beans:bean id="realAuthenticationProvider"
class="org.libreplan.web.users.services.LDAPCustomAuthenticationProvider"
p:userDetailsService-ref="ldapUserDetailsService"
p:ldapTemplate-ref="ldapTemplate"
p:passwordEncoderService-ref="dbPasswordEncoderService">
</beans:bean>
<beans:bean id="authenticationProvider" class="org.libreplan.web.users.services.AuthenticationProviderLoggingDecorator">
<beans:property name="decoratedProvider" ref="realAuthenticationProvider"></beans:property>
<custom-authentication-provider/>
</beans:bean>
<!-- This bean is used to implement UserDetailsService with LDAP authentication
Provider. -->
<beans:bean id="ldapUserDetailsService"
class="org.libreplan.web.users.services.LDAPUserDetailsService" />
<!-- Configured a custom authentication filter:
* This needs a custom authentication entry point
* Also a custom target URL resolver is used to determine the URL depending on the user -->
<authentication-manager alias="authenticationManager" />
<beans:bean id="customAuthenticationFilter"
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter" >
<custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="defaultTargetUrl" value="/planner/index.zul" />
<beans:property name="authenticationFailureUrl" value="/common/layout/login.zul?login_error=true" />
<beans:property name="allowSessionCreation" value="true" />
<beans:property name="targetUrlResolver" ref="customTargetUrlResolver" />
</beans:bean>
<beans:bean id="customAuthenticationEntryPoint"
class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
<beans:property name="loginFormUrl" value="/common/layout/login.zul"/>
</beans:bean>
<beans:bean id="customTargetUrlResolver"
class="org.libreplan.web.users.services.CustomTargetUrlResolver" />
</beans:beans>
Reference in a new issue View git blame Copy permalink