| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one or more |
| contributor license agreements. See the NOTICE file distributed with |
| this work for additional information regarding copyright ownership. |
| The ASF licenses this file to You under the Apache License, Version 2.0 |
| (the "License"); you may not use this file except in compliance with |
| the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, software |
| distributed under the License is distributed on an "AS IS" BASIS, |
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| See the License for the specific language governing permissions and |
| limitations under the License. |
| --> |
| |
| <beans:beans xmlns="http://www.springframework.org/schema/security" |
| xmlns:beans="http://www.springframework.org/schema/beans" |
| xmlns:context="http://www.springframework.org/schema/context" |
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" |
| xsi:schemaLocation="http://www.springframework.org/schema/beans |
| http://www.springframework.org/schema/beans/spring-beans.xsd |
| http://www.springframework.org/schema/security |
| http://www.springframework.org/schema/security/spring-security.xsd"> |
| |
| <http auto-config="true" use-expressions="true"> |
| <csrf disabled="true"/> |
| <!-- Can be invoked w/o auth --> |
| <intercept-url pattern="/login.html" access="permitAll" /> |
| <intercept-url pattern="/authenticateUser" access="permitAll" /> |
| <intercept-url pattern="/pulseVersion" access="permitAll" /> |
| <!-- Can be invoked w/o auth --> |
| |
| <!-- Restricted urls --> |
| <intercept-url pattern="/accessDenied*" access="isAuthenticated()"/> |
| <intercept-url pattern="/dataBrowser*" access="hasRole('CLUSTER:READ') and hasRole('DATA:READ')" /> |
| <intercept-url pattern="/getQueryStatisticsGridModel/*" access="hasRole('CLUSTER:READ') and hasRole('DATA:READ')" /> |
| <intercept-url pattern="/*" access="hasRole('CLUSTER:READ')" /> |
| |
| <!-- Restricted urls --> |
| <form-login login-page="/login.html" |
| authentication-failure-handler-ref="authenticationFailureHandler" |
| default-target-url="/clusterDetail.html" |
| always-use-default-target="true"/> |
| <headers> |
| <frame-options policy="DENY" /> |
| <content-type-options /> |
| <xss-protection enabled="true" block="true" /> |
| </headers> |
| |
| <access-denied-handler error-page="/accessDenied.html"/> |
| |
| <logout logout-url="/clusterLogout" success-handler-ref="customLogoutSuccessHandler"/> |
| |
| </http> |
| |
| <beans:bean name="customLogoutSuccessHandler" |
| class="org.apache.geode.tools.pulse.internal.security.LogoutHandler"> |
| <beans:constructor-arg value="/login.html"/> |
| </beans:bean> |
| |
| <beans:bean id="authenticationFailureHandler" |
| class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler"> |
| <beans:property name="exceptionMappings"> |
| <beans:props> |
| <beans:prop key="org.springframework.security.authentication.BadCredentialsException">/login.html?error=BAD_CREDS</beans:prop> |
| <beans:prop key="org.springframework.security.authentication.CredentialsExpiredException">/login.html?error=CRED_EXP</beans:prop> |
| <beans:prop key="org.springframework.security.authentication.LockedException">/login.html?error=ACC_LOCKED</beans:prop> |
| <beans:prop key="org.springframework.security.authentication.DisabledException">/login.html?error=ACC_DISABLED</beans:prop> |
| </beans:props> |
| </beans:property> |
| </beans:bean> |
| |
| <beans:bean id="gemAuthenticationProvider" |
| class="org.apache.geode.tools.pulse.internal.security.GemFireAuthenticationProvider"> |
| </beans:bean> |
| |
| <beans:bean id="passwordEncoder" |
| class="org.springframework.security.crypto.password.NoOpPasswordEncoder" |
| factory-method="getInstance" /> |
| |
| <!-- Default user authentication --> |
| <beans:beans profile="pulse.authentication.default"> |
| <authentication-manager> |
| <authentication-provider> |
| <password-encoder ref="passwordEncoder"/> |
| <user-service> |
| <user name="admin" password="admin" |
| authorities="ROLE_CLUSTER:READ,ROLE_DATA:READ"/> |
| </user-service> |
| </authentication-provider> |
| </authentication-manager> |
| </beans:beans> |
| |
| <!-- Default user authentication based on gemfire integrated security --> |
| <beans:beans profile="pulse.authentication.gemfire"> |
| <authentication-manager alias="authenticationManager"> |
| <authentication-provider ref="gemAuthenticationProvider"/> |
| </authentication-manager> |
| </beans:beans> |
| |
| <!-- Custom user authentication specified externally --> |
| <beans:beans profile="pulse.authentication.custom"> |
| <beans:import resource="classpath:pulse-authentication-custom.xml" /> |
| </beans:beans> |
| |
| </beans:beans> |