eagle-webservice/src/main/resources/eagleSecurity.xml - eagle - Git at Google

 <?xml version="1.0"?>
 <!--
   ~ Licensed to the Apache Software Foundation (ASF) under one or more
   ~ contributor license agreements.  See the NOTICE file distributed with
   ~ this work for additional information regarding copyright ownership.
   ~ The ASF licenses this file to You under the Apache License, Version 2.0
   ~ (the "License"); you may not use this file except in compliance with
   ~ the License.  You may obtain a copy of the License at
   ~
   ~    http://www.apache.org/licenses/LICENSE-2.0
   ~
   ~ Unless required by applicable law or agreed to in writing, software
   ~ distributed under the License is distributed on an "AS IS" BASIS,
   ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   ~ See the License for the specific language governing permissions and
   ~ limitations under the License.
   -->

 <beans xmlns="http://www.springframework.org/schema/beans" xmlns:tx="http://www.springframework.org/schema/tx" xmlns:scr="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans
 	http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
 	http://www.springframework.org/schema/security
 	http://www.springframework.org/schema/security/spring-security-3.1.xsd
 	http://www.springframework.org/schema/tx
     http://www.springframework.org/schema/tx/spring-tx-3.1.xsd">

   <scr:http auto-config="true" use-expressions="true">
         <!-- Support HTTP Basic Auth-->
         <scr:http-basic entry-point-ref="unauthorisedEntryPoint"/>
         <scr:intercept-url pattern="/rest/entities" method="POST" access="hasRole('ROLE_ADMIN')" />
         <scr:intercept-url pattern="/rest/entities/delete" method="POST" access="hasRole('ROLE_ADMIN')" />
         <scr:intercept-url pattern="/rest/module/*" method="DELETE" access="hasRole('ROLE_ADMIN')" />
         <scr:intercept-url pattern="/rest/module/*" method="POST" access="hasRole('ROLE_ADMIN')" />
         <scr:intercept-url pattern="/rest/list" method="POST" access="hasRole('ROLE_ADMIN')" />
         <scr:intercept-url pattern="/rest/status" method="GET" access="permitAll" />
         <scr:intercept-url pattern="/rest/*" access="isAuthenticated()" />
         <scr:logout logout-url="/logout" invalidate-session="true" delete-cookies="JSESSIONID" success-handler-ref="logoutSuccessHandler"/>
         <scr:session-management session-fixation-protection="newSession"/>
     </scr:http>

     <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
     <bean id="logoutSuccessHandler" class="org.apache.eagle.service.security.auth.LogoutSuccessHandlerImpl" />
     <bean id="unauthorisedEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />

 	<beans profile="default">
 		<bean id="ldapUserAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
 			<constructor-arg>
 				<bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
 					<constructor-arg ref="ldapSource" />
 					<property name="userSearch">
 						<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
 							<constructor-arg index="0" value="${ldap.user.searchBase}" />
 							<constructor-arg index="1" value="${ldap.user.searchPattern}" />
 							<constructor-arg index="2" ref="ldapSource" />
 						</bean>
 					</property>
 				</bean>
 			</constructor-arg>
 			<constructor-arg>
 				<bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
 					<constructor-arg index="0" ref="ldapSource" />
 					<constructor-arg index="1" value="${ldap.user.groupSearchBase}" />
 					<property name="groupSearchFilter" value="uniqueMember={0}"/>
 					<property name="convertToUpperCase" value="true" />
 					<property name="rolePrefix" value="ROLE_" />
 				</bean>
 			</constructor-arg>
 		</bean>

 		<scr:authentication-manager alias="authenticationManager">
 			<!-- do user ldap auth -->
 			<scr:authentication-provider ref="ldapUserAuthProvider"></scr:authentication-provider>
 		</scr:authentication-manager>

 		<bean id="ldapSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
 			<constructor-arg value="${ldap.server}" />
 			<property name="userDn" value="${ldap.username}" />
 			<property name="password" value="${ldap.password}" />
 		</bean>
 	</beans>

     <beans profile="sandbox,testing">
         <scr:authentication-manager alias="authenticationManager">
             <scr:authentication-provider>
                 <scr:user-service>
                     <!-- user admin has role ADMIN, user eagle has role USER, both have password "secret" -->
                 	<scr:user name="eagle" password="$2a$10$TwALMRHpSetDaeTurg9rj.DnIdOde4fkQGBSPG3fVqtH.G5ZH8sQK" authorities="ROLE_USER" />
                     <scr:user name="admin" password="$2a$10$TwALMRHpSetDaeTurg9rj.DnIdOde4fkQGBSPG3fVqtH.G5ZH8sQK" authorities="ROLE_ADMIN" />
                 </scr:user-service>
                 <scr:password-encoder ref="passwordEncoder" />
             </scr:authentication-provider>
         </scr:authentication-manager>
     </beans>
 </beans>
	<?xml version="1.0"?>
	<!--
	~ Licensed to the Apache Software Foundation (ASF) under one or more
	~ contributor license agreements. See the NOTICE file distributed with
	~ this work for additional information regarding copyright ownership.
	~ The ASF licenses this file to You under the Apache License, Version 2.0
	~ (the "License"); you may not use this file except in compliance with
	~ the License. You may obtain a copy of the License at
	~
	~ http://www.apache.org/licenses/LICENSE-2.0
	~
	~ Unless required by applicable law or agreed to in writing, software
	~ distributed under the License is distributed on an "AS IS" BASIS,
	~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	~ See the License for the specific language governing permissions and
	~ limitations under the License.
	-->

	<beans xmlns="http://www.springframework.org/schema/beans" xmlns:tx="http://www.springframework.org/schema/tx" xmlns:scr="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans
	http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
	http://www.springframework.org/schema/security
	http://www.springframework.org/schema/security/spring-security-3.1.xsd
	http://www.springframework.org/schema/tx
	http://www.springframework.org/schema/tx/spring-tx-3.1.xsd">

	<scr:http auto-config="true" use-expressions="true">
	<!-- Support HTTP Basic Auth-->
	<scr:http-basic entry-point-ref="unauthorisedEntryPoint"/>
	<scr:intercept-url pattern="/rest/entities" method="POST" access="hasRole('ROLE_ADMIN')" />
	<scr:intercept-url pattern="/rest/entities/delete" method="POST" access="hasRole('ROLE_ADMIN')" />
	<scr:intercept-url pattern="/rest/module/*" method="DELETE" access="hasRole('ROLE_ADMIN')" />
	<scr:intercept-url pattern="/rest/module/*" method="POST" access="hasRole('ROLE_ADMIN')" />
	<scr:intercept-url pattern="/rest/list" method="POST" access="hasRole('ROLE_ADMIN')" />
	<scr:intercept-url pattern="/rest/status" method="GET" access="permitAll" />
	<scr:intercept-url pattern="/rest/*" access="isAuthenticated()" />
	<scr:logout logout-url="/logout" invalidate-session="true" delete-cookies="JSESSIONID" success-handler-ref="logoutSuccessHandler"/>
	<scr:session-management session-fixation-protection="newSession"/>
	</scr:http>

	<bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
	<bean id="logoutSuccessHandler" class="org.apache.eagle.service.security.auth.LogoutSuccessHandlerImpl" />
	<bean id="unauthorisedEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />

	<beans profile="default">
	<bean id="ldapUserAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
	<constructor-arg>
	<bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
	<constructor-arg ref="ldapSource" />
	<property name="userSearch">
	<bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
	<constructor-arg index="0" value="${ldap.user.searchBase}" />
	<constructor-arg index="1" value="${ldap.user.searchPattern}" />
	<constructor-arg index="2" ref="ldapSource" />
	</bean>
	</property>
	</bean>
	</constructor-arg>
	<constructor-arg>
	<bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
	<constructor-arg index="0" ref="ldapSource" />
	<constructor-arg index="1" value="${ldap.user.groupSearchBase}" />
	<property name="groupSearchFilter" value="uniqueMember={0}"/>
	<property name="convertToUpperCase" value="true" />
	<property name="rolePrefix" value="ROLE_" />
	</bean>
	</constructor-arg>
	</bean>

	<scr:authentication-manager alias="authenticationManager">
	<!-- do user ldap auth -->
	<scr:authentication-provider ref="ldapUserAuthProvider"></scr:authentication-provider>
	</scr:authentication-manager>

	<bean id="ldapSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
	<constructor-arg value="${ldap.server}" />
	<property name="userDn" value="${ldap.username}" />
	<property name="password" value="${ldap.password}" />
	</bean>
	</beans>

	<beans profile="sandbox,testing">
	<scr:authentication-manager alias="authenticationManager">
	<scr:authentication-provider>
	<scr:user-service>
	<!-- user admin has role ADMIN, user eagle has role USER, both have password "secret" -->
	<scr:user name="eagle" password="$2a$10$TwALMRHpSetDaeTurg9rj.DnIdOde4fkQGBSPG3fVqtH.G5ZH8sQK" authorities="ROLE_USER" />
	<scr:user name="admin" password="$2a$10$TwALMRHpSetDaeTurg9rj.DnIdOde4fkQGBSPG3fVqtH.G5ZH8sQK" authorities="ROLE_ADMIN" />
	</scr:user-service>
	<scr:password-encoder ref="passwordEncoder" />
	</scr:authentication-provider>
	</scr:authentication-manager>
	</beans>
	</beans>