webapp/src/main/resources/spring-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor
    license agreements. See the NOTICE file distributed with this work for additional
    information regarding copyright ownership. The ASF licenses this file to
    You under the Apache License, Version 2.0 (the "License"); you may not use
    this file except in compliance with the License. You may obtain a copy of
    the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required
    by applicable law or agreed to in writing, software distributed under the
    License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS
    OF ANY KIND, either express or implied. See the License for the specific
    language governing permissions and limitations under the License. -->

<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
						http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- This XML is no longer being used, @see AtlasSecurityConfig for the equivalent java config -->

    <security:http pattern="/login.jsp" security="none" />
    <security:http pattern="/css/**" security="none" />
    <security:http pattern="/img/**" security="none" />
    <security:http pattern="/libs/**" security="none" />
    <security:http pattern="/js/**" security="none" />
    <security:http pattern="/ieerror.html" security="none" />
    <security:http pattern="/api/atlas/admin/status" security="none" />
    <security:http pattern="/api/atlas/admin/metrics" security="none" />

    <security:http create-session="always"
                   entry-point-ref="entryPoint">
        <security:session-management
                session-fixation-protection="newSession" />
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <custom-filter ref="ssoAuthenticationFilter" after="BASIC_AUTH_FILTER" />

        <security:custom-filter ref="krbAuthenticationFilter" after="SERVLET_API_SUPPORT_FILTER" />
        <security:custom-filter ref="CSRFPreventionFilter" after="REMEMBER_ME_FILTER" />

        <form-login
                login-page="/login.jsp"
                login-processing-url="/j_spring_security_check"
                authentication-success-handler-ref="atlasAuthenticationSuccessHandler"
                authentication-failure-handler-ref="atlasAuthenticationFailureHandler"
                username-parameter="j_username"
                password-parameter="j_password" />

        <security:logout logout-success-url="/login.jsp" delete-cookies="ATLASSESSIONID"
                         logout-url="/logout.html" />
        <http-basic />
        <headers disabled="true"/>
        <csrf disabled="true"/>
        <security:custom-filter position="LAST" ref="atlasAuthorizationFilter"/>
    </security:http>

    <beans:bean id="krbAuthenticationFilter" class="org.apache.atlas.web.filters.AtlasAuthenticationFilter">
    </beans:bean>

    <beans:bean id="ssoAuthenticationFilter" class="org.apache.atlas.web.filters.AtlasKnoxSSOAuthenticationFilter">
    </beans:bean>

    <beans:bean id="CSRFPreventionFilter" class="org.apache.atlas.web.filters.AtlasCSRFPreventionFilter">
    </beans:bean>

    <beans:bean id="atlasAuthenticationSuccessHandler"
                class="org.apache.atlas.web.security.AtlasAuthenticationSuccessHandler" />

    <beans:bean id="atlasAuthenticationFailureHandler"
                class="org.apache.atlas.web.security.AtlasAuthenticationFailureHandler" />

    <beans:bean id="formAuthenticationEntryPoint"
                class="org.apache.atlas.web.filters.AtlasAuthenticationEntryPoint">
        <beans:constructor-arg value="/login.jsp"/>
    </beans:bean>

    <beans:bean id="authenticationEntryPoint"
                class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
        <beans:property name="realmName" value="atlas.com" />
    </beans:bean>

    <beans:bean id="entryPoint" class="org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint">
        <beans:constructor-arg>
            <beans:map>
                <beans:entry key="hasHeader('User-Agent','Mozilla')" value-ref="formAuthenticationEntryPoint" />
            </beans:map>
        </beans:constructor-arg>
        <beans:property name="defaultEntryPoint" ref="authenticationEntryPoint"/>
    </beans:bean>


    <beans:bean id="atlasAuthenticationProvider"
                class="org.apache.atlas.web.security.AtlasAuthenticationProvider">
    </beans:bean>

    <security:authentication-manager
            alias="authenticationManager">
        <security:authentication-provider
                ref="atlasAuthenticationProvider" />
    </security:authentication-manager>


    <security:global-method-security
            pre-post-annotations="enabled" />

    <beans:bean id = "atlasAuthorizationFilter" class="org.apache.atlas.web.filters.AtlasAuthorizationFilter"/>
</beans:beans>