<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
<!-- URL access policy for the web layer.
     The meaning of IS_AUTHENTICATED_ANONYMOUSLY and IS_AUTHENTICATED_FULLY is explained at
     http://static.springsource.org/spring-security/site/docs/2.0.x/apidocs/org/springframework/security/vote/AuthenticatedVoter.html
     Order matters: the first matching entry decides, so specific patterns
     must stay above the /** catch-all. -->
<http entry-point-ref="customAuthenticationEntryPoint"
      realm="LibrePlan Web Application"
      auto-config="false">

    <!-- Web services.
         The subcontracting entries come first, so GET and POST below
         /ws/rest/subcontracting/ require ROLE_WS_SUBCONTRACTING instead of
         the generic reader/writer roles.
         NOTE(review): only GET and POST are listed. A request using any other
         HTTP method (PUT, DELETE, ...) matches none of these four entries and
         is decided by the /** catch-all, so any fully authenticated user
         passes without a ROLE_WS_* authority. Confirm the REST resources
         accept no other methods, or add explicit entries for them. -->
    <intercept-url method="GET" pattern="/ws/rest/subcontracting/**"
                   access="ROLE_WS_SUBCONTRACTING"/>
    <intercept-url method="POST" pattern="/ws/rest/subcontracting/**"
                   access="ROLE_WS_SUBCONTRACTING"/>
    <intercept-url method="GET" pattern="/ws/rest/**"
                   access="ROLE_WS_READER"/>
    <intercept-url method="POST" pattern="/ws/rest/**"
                   access="ROLE_WS_WRITER"/>

    <!-- Web application: resources served without a login (static assets,
         help pages, the login and timeout pages).
         NOTE(review): /callback/** and /zkau/** are also open to anonymous
         requests; whatever is handled under those prefixes has to enforce
         its own checks. Confirm against the handlers, which are not part of
         this file. -->
    <intercept-url access="IS_AUTHENTICATED_ANONYMOUSLY" pattern="/common/img/**"/>
    <intercept-url access="IS_AUTHENTICATED_ANONYMOUSLY" pattern="/common/css/**"/>
    <intercept-url access="IS_AUTHENTICATED_ANONYMOUSLY" pattern="/planner/css/**"/>
    <intercept-url access="IS_AUTHENTICATED_ANONYMOUSLY" pattern="/callback/**"/>
    <intercept-url access="IS_AUTHENTICATED_ANONYMOUSLY" pattern="/zkau/**"/>
    <intercept-url access="IS_AUTHENTICATED_ANONYMOUSLY" pattern="/help/**"/>
    <intercept-url access="IS_AUTHENTICATED_ANONYMOUSLY" pattern="/common/layout/login.zul"/>
    <intercept-url access="IS_AUTHENTICATED_ANONYMOUSLY" pattern="/common/layout/timeout.zul"/>

    <!-- Administrative areas, restricted to ROLE_SUPERUSER.
         NOTE(review): these entries test the authority only. No
         access-decision-manager-ref is set on this element, so the namespace
         default applies; under it a remember-me authentication that carries
         ROLE_SUPERUSER satisfies these entries even though it would not
         satisfy IS_AUTHENTICATED_FULLY on the catch-all. If administrative
         pages should require a fresh login, drop the remember-me element
         below or tighten these rules. -->
    <intercept-url access="ROLE_SUPERUSER" pattern="/advance/**"/>
    <intercept-url access="ROLE_SUPERUSER" pattern="/resources/criterions/**"/>
    <intercept-url access="ROLE_SUPERUSER" pattern="/calendars/**"/>
    <intercept-url access="ROLE_SUPERUSER" pattern="/labels/**"/>
    <intercept-url access="ROLE_SUPERUSER" pattern="/materials/**"/>
    <intercept-url access="ROLE_SUPERUSER" pattern="/costcategories/**"/>
    <intercept-url access="ROLE_SUPERUSER" pattern="/common/configuration.zul"/>
    <intercept-url access="ROLE_SUPERUSER" pattern="/qualityforms/**"/>
    <intercept-url access="ROLE_SUPERUSER" pattern="/users/**"/>
    <intercept-url access="ROLE_SUPERUSER" pattern="/externalcompanies/**"/>
    <intercept-url access="ROLE_SUPERUSER" pattern="/workreports/workReportTypes.zul"/>

    <!-- Catch-all: everything else needs a full (not anonymous, not
         remember-me) authentication. Keep this entry last. -->
    <intercept-url access="IS_AUTHENTICATED_FULLY" pattern="/**"/>

    <!-- Declared explicitly because auto-config is now false, which is needed
         in order to use a custom authentication filter. See:
         http://static.springsource.org/spring-security/site/docs/2.0.x/reference/ns-config.html#ns-auto-config
         NOTE(review): no requires-channel is set on any entry, so this file
         does not enforce HTTPS for the login form or for HTTP Basic
         credentials; that has to be guaranteed by the container or a proxy.
         NOTE(review): remember-me has no key attribute here. Check which key
         the framework version in use falls back to and prefer an explicit,
         deployment-specific value. -->
    <anonymous/>
    <http-basic/>
    <logout/>
    <remember-me/>

</http>
<!-- Beans used by Spring Security. The configuration as written assumes that
     users are registered in the database. -->
<!-- Password hashing: SHA-512, selected by the constructor argument.
     NOTE(review): no key stretching is configured in this file, so a stored
     hash is a single pass of a fast hash function. Moving to an adaptive
     scheme needs a migration path (for example re-hashing at the next
     successful login), because changing this bean alone makes every stored
     hash stop matching. -->
<beans:bean class="org.springframework.security.providers.encoding.ShaPasswordEncoder"
            id="passwordEncoder">
    <beans:constructor-arg value="512"/>
</beans:bean>
<!-- Salt for password hashing, read by reflection from the user object
     (userPropertyToUse = username).
     NOTE(review): a username is a predictable salt and is the same wherever
     the same account name exists; a random per-user salt stored next to the
     hash would be stronger. Changing the salt source invalidates existing
     hashes, so treat it as a migration. -->
<beans:bean class="org.springframework.security.providers.dao.salt.ReflectionSaltSource"
            id="saltSource">
    <beans:property name="userPropertyToUse" value="username"/>
</beans:bean>

<!-- Disabled definition, kept for reference; it appears to be the
     database-only variant of realAuthenticationProvider:
<beans:bean id="realAuthenticationProvider"
            class="org.springframework.security.providers.dao.DaoAuthenticationProvider"
            p:passwordEncoder-ref="passwordEncoder"
            p:saltSource-ref="saltSource"
            p:userDetailsService-ref="dbUserDetailsService">
    <custom-authentication-provider/>
</beans:bean> -->
<!-- Beans used by the LibrePlan web application when users are registered in
     the database. When users are registered externally (e.g. in an LDAP
     server) these lines may be commented out. The following definition is
     currently disabled:
     <beans:bean id="dbUserDetailsService" class="org.libreplan.web.users.services.DBUserDetailsService"/> -->
<!-- Project service wired with the encoder and salt source defined in this
     file; it is referenced by usersBootstrapInDB and by
     realAuthenticationProvider. -->
<beans:bean class="org.libreplan.web.users.services.DBPasswordEncoderService"
            id="dbPasswordEncoderService"
            p:saltSource-ref="saltSource"
            p:passwordEncoder-ref="passwordEncoder"/>
<!-- Project bean that receives the password encoder service.
     NOTE(review): the name suggests it seeds initial user accounts in the
     database. If it creates accounts with well-known default passwords, make
     sure they are changed or disabled at deployment. Confirm against the
     class, which is not part of this file. -->
<beans:bean class="org.libreplan.web.users.bootstrap.UsersBootstrapInDB"
            id="usersBootstrapInDB"
            p:dbPasswordEncoderService-ref="dbPasswordEncoderService"/>
<!-- Beans used by the LibrePlan web application when users are registered in
     LDAP. At this moment users MUST also exist in the database with the same
     username; this will be changed in the near future. The url, base, userDN
     and password properties must be set with the proper values.
     NOTE(review): none of those properties is set in this file, so the
     project class presumably obtains them elsewhere. Wherever they are
     configured, use an ldaps:// URL and a bind account with read-only
     rights, and keep the bind password out of version control. -->
<beans:bean class="org.libreplan.web.users.services.LDAPCustomContextSource"
            id="contextSource"/>
<!-- Spring LDAP template bound to the context source defined in this file;
     it is handed to realAuthenticationProvider for directory access. -->
<beans:bean class="org.springframework.ldap.core.LdapTemplate"
            id="ldapTemplate"
            p:contextSource-ref="contextSource"/>
<!-- Authentication provider that carries out the whole login process when an
     LDAP server is used, and also allows authenticating users stored in the
     database. The property strUserId must be set with the proper value: it
     names the LDAP attribute of the user that is compared with the username.
     NOTE(review): strUserId is not set in this file. The submitted username
     ends up in directory look-ups, so verify that the provider escapes it
     before building LDAP filters or DNs. The class is not shown here. -->
<beans:bean class="org.libreplan.web.users.services.LDAPCustomAuthenticationProvider"
            id="realAuthenticationProvider"
            p:passwordEncoderService-ref="dbPasswordEncoderService"
            p:ldapTemplate-ref="ldapTemplate"
            p:userDetailsService-ref="ldapUserDetailsService"/>
<!-- Wraps realAuthenticationProvider in the project's logging decorator. The
     custom-authentication-provider marker registers this wrapper, not the
     wrapped bean, with the namespace authentication manager.
     NOTE(review): confirm the decorator records the account name and the
     outcome of each attempt but never the submitted credentials. The class
     is not shown here. -->
<beans:bean class="org.libreplan.web.users.services.AuthenticationProviderLoggingDecorator"
            id="authenticationProvider">
    <custom-authentication-provider/>
    <beans:property ref="realAuthenticationProvider" name="decoratedProvider"/>
</beans:bean>
<!-- UserDetailsService implementation used together with the LDAP
     authentication provider. -->
<beans:bean class="org.libreplan.web.users.services.LDAPUserDetailsService"
            id="ldapUserDetailsService"/>
<!-- Custom authentication filter set-up:
     * it needs a custom authentication entry point
     * a custom target URL resolver decides the URL depending on the user
     The alias exposes the namespace authentication manager under a bean name
     that customAuthenticationFilter can reference. -->
<authentication-manager alias="authenticationManager"/>
<!-- Form-login filter, inserted at the AUTHENTICATION_PROCESSING_FILTER
     position of the chain. A failed login returns to the login page with
     login_error=true; a successful one goes to the URL chosen by
     customTargetUrlResolver.
     NOTE(review): CustomTargetUrlResolver is a project class not shown here.
     Confirm it only returns application-internal paths, so that a login can
     never finish with a redirect to an external site. -->
<beans:bean class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter"
            id="customAuthenticationFilter">
    <custom-filter position="AUTHENTICATION_PROCESSING_FILTER"/>
    <beans:property ref="authenticationManager" name="authenticationManager"/>
    <beans:property value="/planner/index.zul" name="defaultTargetUrl"/>
    <beans:property value="/common/layout/login.zul?login_error=true" name="authenticationFailureUrl"/>
    <beans:property value="true" name="allowSessionCreation"/>
    <beans:property ref="customTargetUrlResolver" name="targetUrlResolver"/>
</beans:bean>
<!-- Entry point referenced by the http element: unauthenticated requests for
     protected URLs are sent to the login page.
     NOTE(review): forceHttps is not set here, so this file does not make the
     login page load over HTTPS; enforce that at the container or proxy if
     it is not done elsewhere. -->
<beans:bean class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint"
            id="customAuthenticationEntryPoint">
    <beans:property value="/common/layout/login.zul" name="loginFormUrl"/>
</beans:bean>
<!-- Project resolver that selects the post-login URL; it is referenced by
     the targetUrlResolver property of customAuthenticationFilter. -->
<beans:bean class="org.libreplan.web.users.services.CustomTargetUrlResolver"
            id="customTargetUrlResolver"/>

</beans:beans>