| <!-- |
| Licensed under the Apache License, Version 2.0 (the "License"); |
| you may not use this file except in compliance with the License. |
| You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. See accompanying LICENSE file. |
| --> |
| |
| <beans xmlns="http://www.springframework.org/schema/beans" |
| xmlns:scr="http://www.springframework.org/schema/security" |
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" |
| xmlns:context="http://www.springframework.org/schema/context" |
| xmlns:util="http://www.springframework.org/schema/util" xsi:schemaLocation="http://www.springframework.org/schema/beans |
| http://www.springframework.org/schema/beans/spring-beans-3.1.xsd |
| http://www.springframework.org/schema/security |
| http://www.springframework.org/schema/security/spring-security-3.1.xsd |
| http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd |
| http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd"> |
| |
| <scr:global-method-security pre-post-annotations="enabled"> |
| <scr:expression-handler ref="expressionHandler"/> |
| </scr:global-method-security> |
| |
| <!-- acl config --> |
| <bean id="aclPermissionFactory" class="org.apache.kylin.rest.security.AclPermissionFactory"/> |
| |
| <bean id="expressionHandler" |
| class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler"> |
| <property name="permissionEvaluator" ref="permissionEvaluator"/> |
| </bean> |
| |
| <bean id="permissionEvaluator" class="org.springframework.security.acls.AclPermissionEvaluator"> |
| <constructor-arg ref="aclService"/> |
| <property name="permissionFactory" ref="aclPermissionFactory"/> |
| </bean> |
| |
| <bean id="aclAuthorizationStrategy" |
| class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl"> |
| <constructor-arg> |
| <list> |
| <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl"> |
| <constructor-arg value="ROLE_ADMIN"/> |
| </bean> |
| <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl"> |
| <constructor-arg value="ROLE_ADMIN"/> |
| </bean> |
| <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl"> |
| <constructor-arg value="ROLE_ADMIN"/> |
| </bean> |
| </list> |
| </constructor-arg> |
| </bean> |
| |
| <bean id="auditLogger" |
| class="org.springframework.security.acls.domain.ConsoleAuditLogger"/> |
| |
| <bean id="permissionGrantingStrategy" |
| class="org.springframework.security.acls.domain.DefaultPermissionGrantingStrategy"> |
| <constructor-arg ref="auditLogger"/> |
| </bean> |
| |
| <beans profile="ldap,saml"> |
| <bean id="ldapSource" |
| class="org.springframework.security.ldap.DefaultSpringSecurityContextSource"> |
| <constructor-arg value="${kylin.security.ldap.connection-server}"/> |
| <property name="userDn" value="${kylin.security.ldap.connection-username}"/> |
| <property name="password" value="${kylin.security.ldap.connection-password}"/> |
| </bean> |
| |
| <bean id="kylinUserAuthProvider" |
| class="org.apache.kylin.rest.security.KylinAuthenticationProvider"> |
| <constructor-arg> |
| <bean id="ldapUserAuthenticationProvider" |
| class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider"> |
| <constructor-arg> |
| <bean class="org.springframework.security.ldap.authentication.BindAuthenticator"> |
| <constructor-arg ref="ldapSource"/> |
| <property name="userSearch"> |
| <bean id="userSearch" |
| class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch"> |
| <constructor-arg index="0" |
| value="${kylin.security.ldap.user-search-base}"/> |
| <constructor-arg index="1" |
| value="${kylin.security.ldap.user-search-pattern}"/> |
| <constructor-arg index="2" ref="ldapSource"/> |
| </bean> |
| </property> |
| </bean> |
| </constructor-arg> |
| <constructor-arg> |
| <bean class="org.apache.kylin.rest.security.AuthoritiesPopulator"> |
| <constructor-arg index="0" ref="ldapSource"/> |
| <constructor-arg index="1" |
| value="${kylin.security.ldap.user-group-search-base}"/> |
| <constructor-arg index="2" value="${kylin.security.acl.admin-role}"/> |
| <constructor-arg index="3" value="${kylin.security.acl.default-role}"/> |
| </bean> |
| </constructor-arg> |
| </bean> |
| </constructor-arg> |
| </bean> |
| |
| <bean id="kylinServiceAccountAuthProvider" |
| class="org.apache.kylin.rest.security.KylinAuthenticationProvider"> |
| <constructor-arg> |
| <bean id="ldapServiceAuthenticationProvider" |
| class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider"> |
| <constructor-arg> |
| <bean class="org.springframework.security.ldap.authentication.BindAuthenticator"> |
| <constructor-arg ref="ldapSource"/> |
| <property name="userSearch"> |
| <bean id="userSearch" |
| class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch"> |
| <constructor-arg index="0" |
| value="${kylin.security.ldap.service-search-base}"/> |
| <constructor-arg index="1" |
| value="${kylin.security.ldap.service-search-pattern}"/> |
| <constructor-arg index="2" ref="ldapSource"/> |
| </bean> |
| </property> |
| </bean> |
| </constructor-arg> |
| <constructor-arg> |
| <bean class="org.apache.kylin.rest.security.AuthoritiesPopulator"> |
| <constructor-arg index="0" ref="ldapSource"/> |
| <constructor-arg index="1" |
| value="${kylin.security.ldap.service-group-search-base}"/> |
| <constructor-arg index="2" value="${kylin.security.acl.admin-role}"/> |
| <constructor-arg index="3" value="${kylin.security.acl.default-role}"/> |
| </bean> |
| </constructor-arg> |
| </bean> |
| </constructor-arg> |
| </bean> |
| |
| </beans> |
| |
| <beans profile="ldap"> |
| <scr:authentication-manager alias="ldapAuthenticationManager"> |
| <!-- do user ldap auth --> |
| <scr:authentication-provider ref="kylinUserAuthProvider"></scr:authentication-provider> |
| |
| <!-- do service account ldap auth --> |
| <scr:authentication-provider |
| ref="kylinServiceAccountAuthProvider"></scr:authentication-provider> |
| </scr:authentication-manager> |
| |
| </beans> |
| |
| |
| <beans profile="testing"> |
| <util:list id="adminAuthorities" |
| value-type="org.springframework.security.core.authority.SimpleGrantedAuthority"> |
| <value>ROLE_ADMIN</value> |
| <value>ROLE_MODELER</value> |
| <value>ROLE_ANALYST</value> |
| </util:list> |
| <util:list id="modelerAuthorities" |
| value-type="org.springframework.security.core.authority.SimpleGrantedAuthority"> |
| <value>ROLE_MODELER</value> |
| <value>ROLE_ANALYST</value> |
| </util:list> |
| <util:list id="analystAuthorities" |
| value-type="org.springframework.security.core.authority.SimpleGrantedAuthority"> |
| <value>ROLE_ANALYST</value> |
| </util:list> |
| |
| <bean class="org.springframework.security.core.userdetails.User" id="adminUser"> |
| <constructor-arg value="ADMIN"/> |
| <constructor-arg |
| value="$2a$10$o3ktIWsGYxXNuUWQiYlZXOW5hWcqyNAFQsSSCSEWoC/BRVMAUjL32"/> |
| <constructor-arg ref="adminAuthorities"/> |
| </bean> |
| <bean class="org.springframework.security.core.userdetails.User" id="modelerUser"> |
| <constructor-arg value="MODELER"/> |
| <constructor-arg |
| value="$2a$10$Le5ernTeGNIARwMJsY0WaOLioNQdb0QD11DwjeyNqqNRp5NaDo2FG"/> |
| <constructor-arg ref="modelerAuthorities"/> |
| </bean> |
| <bean class="org.springframework.security.core.userdetails.User" id="analystUser"> |
| <constructor-arg value="ANALYST"/> |
| <constructor-arg |
| value="$2a$10$s4INO3XHjPP5Vm2xH027Ce9QeXWdrfq5pvzuGr9z/lQmHqi0rsbNi"/> |
| <constructor-arg ref="analystAuthorities"/> |
| </bean> |
| |
| <bean id="kylinUserAuthProvider" |
| class="org.apache.kylin.rest.security.KylinAuthenticationProvider"> |
| <constructor-arg> |
| <bean class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"> |
| <property name="userDetailsService"> |
| <bean class="org.springframework.security.provisioning.InMemoryUserDetailsManager"> |
| <constructor-arg> |
| <util:list |
| value-type="org.springframework.security.core.userdetails.User"> |
| <ref bean="adminUser"></ref> |
| <ref bean="modelerUser"></ref> |
| <ref bean="analystUser"></ref> |
| </util:list> |
| </constructor-arg> |
| </bean> |
| </property> |
| <property name="passwordEncoder" ref="passwordEncoder"></property> |
| </bean> |
| </constructor-arg> |
| </bean> |
| |
| <!-- user auth --> |
| <bean id="passwordEncoder" |
| class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/> |
| |
| <scr:authentication-manager alias="testingAuthenticationManager"> |
| <!-- do user ldap auth --> |
| <scr:authentication-provider ref="kylinUserAuthProvider"></scr:authentication-provider> |
| </scr:authentication-manager> |
| </beans> |
| |
| <beans profile="testing,ldap"> |
| <scr:http auto-config="true" use-expressions="true"> |
| <scr:http-basic entry-point-ref="unauthorisedEntryPoint"/> |
| |
| <scr:intercept-url pattern="/api/user/authentication*/**" access="permitAll"/> |
| <scr:intercept-url pattern="/api/query*/**" access="isAuthenticated()"/> |
| <scr:intercept-url pattern="/api/metadata*/**" access="isAuthenticated()"/> |
| <scr:intercept-url pattern="/api/**/metrics" access="permitAll"/> |
| <scr:intercept-url pattern="/api/cache*/**" access="permitAll"/> |
| <scr:intercept-url pattern="/api/cubes/src/tables" access="hasAnyRole('ROLE_ANALYST')"/> |
| <scr:intercept-url pattern="/api/cubes*/**" access="isAuthenticated()"/> |
| <scr:intercept-url pattern="/api/models*/**" access="isAuthenticated()"/> |
| <scr:intercept-url pattern="/api/streaming*/**" access="isAuthenticated()"/> |
| <scr:intercept-url pattern="/api/job*/**" access="isAuthenticated()"/> |
| <scr:intercept-url pattern="/api/admin/config" access="permitAll"/> |
| <scr:intercept-url pattern="/api/projects" access="permitAll"/> |
| <scr:intercept-url pattern="/api/admin*/**" access="hasRole('ROLE_ADMIN')"/> |
| <scr:intercept-url pattern="/api/**" access="isAuthenticated()"/> |
| |
| <scr:logout invalidate-session="true" delete-cookies="JSESSIONID"/> |
| <scr:session-management session-fixation-protection="newSession"/> |
| </scr:http> |
| </beans> |
| |
| <beans profile="saml"> |
| <!-- Enable auto-wiring --> |
| <context:annotation-config/> |
| |
| <!-- Scan for auto-wiring classes in spring saml packages --> |
| <context:component-scan base-package="org.springframework.security.saml"/> |
| |
| <!-- Unsecured pages --> |
| <scr:http security="none" pattern="/image/**"/> |
| <scr:http security="none" pattern="/css/**"/> |
| <scr:http security="none" pattern="/less/**"/> |
| <scr:http security="none" pattern="/fonts/**"/> |
| <scr:http security="none" pattern="/js/**"/> |
| <scr:http security="none" pattern="/login/**"/> |
| <scr:http security="none" pattern="/routes.json"/> |
| |
| <!-- Secured Rest API urls with LDAP basic authentication --> |
| <scr:http pattern="/api/**" use-expressions="true" |
| authentication-manager-ref="apiAccessAuthenticationManager"> |
| <scr:http-basic entry-point-ref="unauthorisedEntryPoint"/> |
| |
| <scr:intercept-url pattern="/api/user/authentication*/**" access="permitAll"/> |
| <scr:intercept-url pattern="/api/query*/**" access="isAuthenticated()"/> |
| <scr:intercept-url pattern="/api/metadata*/**" access="isAuthenticated()"/> |
| <scr:intercept-url pattern="/api/**/metrics" access="permitAll"/> |
| <scr:intercept-url pattern="/api/cache*/**" access="permitAll"/> |
| <scr:intercept-url pattern="/api/cubes/src/tables" access="hasAnyRole('ROLE_ANALYST')"/> |
| <scr:intercept-url pattern="/api/cubes*/**" access="isAuthenticated()"/> |
| <scr:intercept-url pattern="/api/models*/**" access="isAuthenticated()"/> |
| <scr:intercept-url pattern="/api/streaming*/**" access="isAuthenticated()"/> |
| <scr:intercept-url pattern="/api/job*/**" access="isAuthenticated()"/> |
| <scr:intercept-url pattern="/api/admin/config" access="permitAll"/> |
| <scr:intercept-url pattern="/api/projects*/*" access="isAuthenticated()"/> |
| <scr:intercept-url pattern="/api/admin*/**" access="hasRole('ROLE_ADMIN')"/> |
| <scr:intercept-url pattern="/api/**" access="isAuthenticated()"/> |
| |
| <scr:logout invalidate-session="true" delete-cookies="JSESSIONID"/> |
| <scr:session-management session-fixation-protection="newSession"/> |
| </scr:http> |
| |
| <!-- Secured non-api urls with SAML SSO --> |
| <scr:http auto-config="true" entry-point-ref="samlEntryPoint" use-expressions="false" |
| authentication-manager-ref="webAccessAuthenticationManager"> |
| <scr:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/> |
| <scr:custom-filter before="FIRST" ref="metadataGeneratorFilter"/> |
| <scr:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/> |
| </scr:http> |
| |
| |
| <!-- API authentication manager --> |
| <scr:authentication-manager id="apiAccessAuthenticationManager"> |
| <scr:authentication-provider ref="kylinServiceAccountAuthProvider"/> |
| <scr:authentication-provider ref="kylinUserAuthProvider"/> |
| </scr:authentication-manager> |
| |
| |
| <!-- Web authentication manager --> |
| <scr:authentication-manager id="webAccessAuthenticationManager"> |
| <scr:authentication-provider ref="kylinSAMLAuthenticationProvider"/> |
| </scr:authentication-manager> |
| |
| <!-- Central storage of cryptographic keys --> |
| <bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager"> |
| <constructor-arg value="classpath:samlKeystore.jks"/> |
| <constructor-arg type="java.lang.String" value="changeit"/> |
| <constructor-arg> |
| <map> |
| <entry key="kylin" value="changeit"/> |
| </map> |
| </constructor-arg> |
| <constructor-arg type="java.lang.String" value="kylin"/> |
| </bean> |
| |
| <!-- Filters for processing of SAML messages --> |
| <bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy"> |
| <scr:filter-chain-map request-matcher="ant"> |
| <scr:filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/> |
| <scr:filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter"/> |
| <scr:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/> |
| <scr:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter"/> |
| <scr:filter-chain pattern="/saml/SSOHoK/**" |
| filters="samlWebSSOHoKProcessingFilter"/> |
| <scr:filter-chain pattern="/saml/SingleLogout/**" |
| filters="samlLogoutProcessingFilter"/> |
| </scr:filter-chain-map> |
| </bean> |
| |
| <!-- Handler deciding where to redirect user after successful login --> |
| <bean id="successRedirectHandler" |
| class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler"> |
| <property name="defaultTargetUrl" value="/models"/> |
| </bean> |
| |
| <!-- Handler deciding where to redirect user after failed login --> |
| <bean id="failureRedirectHandler" |
| class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"> |
| <property name="useForward" value="true"/> |
| <property name="defaultFailureUrl" value="/login"/> |
| </bean> |
| |
| <!-- Handler for successful logout --> |
| <bean id="successLogoutHandler" |
| class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler"> |
| <property name="defaultTargetUrl" value="/login"/> |
| </bean> |
| |
| <!-- Logger for SAML messages and events --> |
| <bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger"/> |
| |
| <!-- Filter automatically generates default SP metadata --> |
| <bean id="metadataGeneratorFilter" |
| class="org.springframework.security.saml.metadata.MetadataGeneratorFilter"> |
| <constructor-arg> |
| <bean class="org.springframework.security.saml.metadata.MetadataGenerator"> |
| <property name="extendedMetadata"> |
| <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"> |
| <property name="idpDiscoveryEnabled" value="false"/> |
| </bean> |
| </property> |
| <property name="entityBaseURL" |
| value="${kylin.security.saml.metadata-entity-base-url}"/> |
| </bean> |
| </constructor-arg> |
| </bean> |
| |
| <!-- Entry point to initialize authentication, default values taken from properties file --> |
| <bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint"> |
| <property name="defaultProfileOptions"> |
| <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions"> |
| <property name="includeScoping" value="false"/> |
| </bean> |
| </property> |
| </bean> |
| |
| <!-- The filter is waiting for connections on URL suffixed with filterSuffix and presents SP metadata there --> |
| <bean id="metadataDisplayFilter" |
| class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/> |
| |
| <!-- IDP Metadata configuration - paths to metadata of IDPs in circle of trust is here --> |
| <bean id="metadata" |
| class="org.springframework.security.saml.metadata.CachingMetadataManager"> |
| <constructor-arg> |
| <list> |
| <!-- Example of classpath metadata with Extended Metadata --> |
| <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate"> |
| <constructor-arg> |
| <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider"> |
| <constructor-arg> |
| <value type="java.io.File">classpath:sso_metadata.xml</value> |
| </constructor-arg> |
| <property name="parserPool" ref="parserPool"/> |
| </bean> |
| </constructor-arg> |
| <constructor-arg> |
| <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"> |
| </bean> |
| </constructor-arg> |
| <property name="metadataTrustCheck" value="false"/> |
| </bean> |
| </list> |
| </constructor-arg> |
| </bean> |
| |
| <bean id="ldapUserAuthoritiesPopulator" |
| class="org.apache.kylin.rest.security.AuthoritiesPopulator"> |
| <constructor-arg index="0" ref="ldapSource"/> |
| <constructor-arg index="1" value="${kylin.security.ldap.user-group-search-base}"/> |
| <constructor-arg index="2" value="${kylin.security.acl.admin-role}"/> |
| <constructor-arg index="3" value="${kylin.security.acl.default-role}"/> |
| </bean> |
| |
| <bean id="userSearch" |
| class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch"> |
| <constructor-arg index="0" value="${kylin.security.ldap.user-search-base}"/> |
| <constructor-arg index="1" value="${kylin.security.ldap.user-search-pattern}"/> |
| <constructor-arg index="2" ref="ldapSource"/> |
| </bean> |
| |
| |
| <bean id="samlUserDetailsService" |
| class="org.apache.kylin.rest.security.SAMLUserDetailsService"> |
| <constructor-arg> |
| <bean id="ldapUserDetailsService" |
| class="org.springframework.security.ldap.userdetails.LdapUserDetailsService"> |
| <constructor-arg ref="userSearch"/> |
| <constructor-arg ref="ldapUserAuthoritiesPopulator"/> |
| </bean> |
| </constructor-arg> |
| </bean> |
| |
| <bean id="kylinSAMLAuthenticationProvider" |
| class="org.apache.kylin.rest.security.KylinAuthenticationProvider"> |
| <constructor-arg> |
| <!-- SAML Authentication Provider responsible for validating of received SAML messages --> |
| <bean id="samlAuthenticationProvider" |
| class="org.springframework.security.saml.SAMLAuthenticationProvider"> |
| <!-- OPTIONAL property: can be used to store/load user data after login --> |
| <property name="userDetails" ref="samlUserDetailsService"/> |
| </bean> |
| </constructor-arg> |
| </bean> |
| |
| |
| <!-- Provider of default SAML Context --> |
| <!-- |
| <bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/> |
| --> |
| |
| <!-- Provider of a SAML Context behind a LoadBanlancer or reverse proxy --> |
| <bean id="contextProvider" |
| class="org.springframework.security.saml.context.SAMLContextProviderLB"> |
| <property name="scheme" value="${kylin.security.saml.context-scheme}"/> |
| <property name="serverName" value="${kylin.security.saml.context-server-name}"/> |
| <property name="serverPort" value="${kylin.security.saml.context-server-port}"/> |
| <property name="includeServerPortInRequestURL" value="false"/> |
| <property name="contextPath" value="${kylin.security.saml.context-path}"/> |
| </bean> |
| |
| |
| <!-- Processing filter for WebSSO profile messages --> |
| <bean id="samlWebSSOProcessingFilter" |
| class="org.springframework.security.saml.SAMLProcessingFilter"> |
| <property name="authenticationManager" ref="webAccessAuthenticationManager"/> |
| <property name="authenticationSuccessHandler" ref="successRedirectHandler"/> |
| <property name="authenticationFailureHandler" ref="failureRedirectHandler"/> |
| </bean> |
| |
| <!-- Processing filter for WebSSO Holder-of-Key profile --> |
| <bean id="samlWebSSOHoKProcessingFilter" |
| class="org.springframework.security.saml.SAMLWebSSOHoKProcessingFilter"> |
| <property name="authenticationManager" ref="webAccessAuthenticationManager"/> |
| <property name="authenticationSuccessHandler" ref="successRedirectHandler"/> |
| <property name="authenticationFailureHandler" ref="failureRedirectHandler"/> |
| </bean> |
| |
| <!-- Logout handler terminating local session --> |
| <bean id="logoutHandler" |
| class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"> |
| <property name="invalidateHttpSession" value="false"/> |
| </bean> |
| |
| <!-- Override default logout processing filter with the one processing SAML messages --> |
| <bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter"> |
| <constructor-arg index="0" ref="successLogoutHandler"/> |
| <constructor-arg index="1" ref="logoutHandler"/> |
| <constructor-arg index="2" ref="logoutHandler"/> |
| </bean> |
| |
| <!-- Filter processing incoming logout messages --> |
| <!-- First argument determines URL user will be redirected to after successful global logout --> |
| <bean id="samlLogoutProcessingFilter" |
| class="org.springframework.security.saml.SAMLLogoutProcessingFilter"> |
| <constructor-arg index="0" ref="successLogoutHandler"/> |
| <constructor-arg index="1" ref="logoutHandler"/> |
| </bean> |
| |
| <!-- Class loading incoming SAML messages from httpRequest stream --> |
| <bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl"> |
| <constructor-arg> |
| <list> |
| <ref bean="redirectBinding"/> |
| <ref bean="postBinding"/> |
| <ref bean="artifactBinding"/> |
| <ref bean="soapBinding"/> |
| <ref bean="paosBinding"/> |
| </list> |
| </constructor-arg> |
| </bean> |
| |
| <!-- SAML 2.0 WebSSO Assertion Consumer --> |
| <bean id="webSSOprofileConsumer" |
| class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"> |
| <property name="responseSkew" value="600"/> <!-- 10 minutes --> |
| </bean> |
| |
| <!-- SAML 2.0 Holder-of-Key WebSSO Assertion Consumer --> |
| <bean id="hokWebSSOprofileConsumer" |
| class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/> |
| |
| <!-- SAML 2.0 Web SSO profile --> |
| <bean id="webSSOprofile" |
| class="org.springframework.security.saml.websso.WebSSOProfileImpl"/> |
| |
| <!-- SAML 2.0 Holder-of-Key Web SSO profile --> |
| <bean id="hokWebSSOProfile" |
| class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/> |
| |
| <!-- SAML 2.0 ECP profile --> |
| <bean id="ecpprofile" |
| class="org.springframework.security.saml.websso.WebSSOProfileECPImpl"/> |
| |
| <!-- SAML 2.0 Logout Profile --> |
| <bean id="logoutprofile" |
| class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"> |
| <property name="responseSkew" value="600"/> <!-- 10 minutes --> |
| </bean> |
| |
| <!-- Bindings, encoders and decoders used for creating and parsing messages --> |
| <bean id="postBinding" class="org.springframework.security.saml.processor.HTTPPostBinding"> |
| <constructor-arg ref="parserPool"/> |
| <constructor-arg ref="velocityEngine"/> |
| </bean> |
| |
| <bean id="redirectBinding" |
| class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding"> |
| <constructor-arg ref="parserPool"/> |
| </bean> |
| |
| <bean id="artifactBinding" |
| class="org.springframework.security.saml.processor.HTTPArtifactBinding"> |
| <constructor-arg ref="parserPool"/> |
| <constructor-arg ref="velocityEngine"/> |
| <constructor-arg> |
| <bean class="org.springframework.security.saml.websso.ArtifactResolutionProfileImpl"> |
| <constructor-arg> |
| <bean class="org.apache.commons.httpclient.HttpClient"> |
| <constructor-arg> |
| <bean class="org.apache.commons.httpclient.MultiThreadedHttpConnectionManager"/> |
| </constructor-arg> |
| </bean> |
| </constructor-arg> |
| <property name="processor"> |
| <bean class="org.springframework.security.saml.processor.SAMLProcessorImpl"> |
| <constructor-arg ref="soapBinding"/> |
| </bean> |
| </property> |
| </bean> |
| </constructor-arg> |
| </bean> |
| |
| <bean id="soapBinding" |
| class="org.springframework.security.saml.processor.HTTPSOAP11Binding"> |
| <constructor-arg ref="parserPool"/> |
| </bean> |
| |
| <bean id="paosBinding" |
| class="org.springframework.security.saml.processor.HTTPPAOS11Binding"> |
| <constructor-arg ref="parserPool"/> |
| </bean> |
| |
| <!-- Initialization of OpenSAML library--> |
| <bean class="org.springframework.security.saml.SAMLBootstrap"/> |
| |
| <!-- Initialization of the velocity engine --> |
| <bean id="velocityEngine" class="org.springframework.security.saml.util.VelocityFactory" |
| factory-method="getEngine"/> |
| |
| <!-- XML parser pool needed for OpenSAML parsing --> |
| <bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" |
| init-method="initialize"> |
| <property name="builderFeatures"> |
| <map> |
| <entry key="http://apache.org/xml/features/dom/defer-node-expansion" |
| value="false"/> |
| </map> |
| </property> |
| </bean> |
| |
| <bean id="parserPoolHolder" |
| class="org.springframework.security.saml.parser.ParserPoolHolder"/> |
| </beans> |
| </beans> |