Google Git
Sign in
apache / kylin / 28cedc4048cc3b7ea8837ffe9d4071e3f75b0324 / . / server / src / main / resources / kylin-security-cas-plugin.xml
blob: 8cc24b5cfdf3f937e048c6c9eaa3f7d8bac5e0e4 [file] [log] [blame]
<!--
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. See accompanying LICENSE file.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:scr="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
<beans profile="authn-cas">
<context:annotation-config/>
<context:component-scan base-package="org.springframework.security.cas"/>
<!-- public resources -->
<scr:http security="none" pattern="/image/**"/>
<scr:http security="none" pattern="/css/**"/>
<scr:http security="none" pattern="/less/**"/>
<scr:http security="none" pattern="/fonts/**"/>
<scr:http security="none" pattern="/js/**"/>
<scr:http security="none" pattern="/login/**"/>
<scr:http security="none" pattern="/routes.json"/>
<!-- Secured Rest API urls with basic authentication -->
<scr:http pattern="/api/**" use-expressions="true" authentication-manager-ref="authenticationManager">
<scr:csrf disabled="true"/>
<scr:http-basic entry-point-ref="unauthorisedEntryPoint"/>
<scr:intercept-url pattern="/api/user/authentication*/**" access="permitAll"/>
<scr:intercept-url pattern="/api/query/runningQueries" access="hasRole('ROLE_ADMIN')"/>
<scr:intercept-url pattern="/api/query/*/stop" access="hasRole('ROLE_ADMIN')"/>
<scr:intercept-url pattern="/api/query*/**" access="isAuthenticated()"/>
<scr:intercept-url pattern="/api/metadata*/**" access="isAuthenticated()"/>
<scr:intercept-url pattern="/api/**/metrics" access="permitAll"/>
<scr:intercept-url pattern="/api/cache*/**" access="permitAll"/>
<scr:intercept-url pattern="/api/cubes/src/tables" access="hasAnyRole('ROLE_ANALYST')"/>
<scr:intercept-url pattern="/api/cubes*/**" access="isAuthenticated()"/>
<scr:intercept-url pattern="/api/models*/**" access="isAuthenticated()"/>
<scr:intercept-url pattern="/api/streaming*/**" access="isAuthenticated()"/>
<scr:intercept-url pattern="/api/job*/**" access="isAuthenticated()"/>
<scr:intercept-url pattern="/api/admin/public_config" access="permitAll"/>
<scr:intercept-url pattern="/api/projects*/*" access="isAuthenticated()"/>
<scr:intercept-url pattern="/api/admin*/**" access="hasRole('ROLE_ADMIN')"/>
<scr:intercept-url pattern="/api/tables/**/snapshotLocalCache/**" access="permitAll"/>
<scr:intercept-url pattern="/api/**" access="isAuthenticated()"/>
<scr:form-login login-page="/login"/>
<scr:session-management session-fixation-protection="newSession"/>
</scr:http>
<!-- filter on /cas/** for form login compatibility -->
<scr:http pattern="/cas/**" auto-config="true" entry-point-ref="casEntryPoint" use-expressions="false"
authentication-manager-ref="authenticationManager">
<scr:csrf disabled="true"/>
<scr:intercept-url pattern="/cas/**" access="IS_AUTHENTICATED_FULLY"/>
<scr:custom-filter before="CAS_FILTER" ref="casHandleSingleLogoutFilter"/>
<scr:custom-filter position="CAS_FILTER" ref="casAuthenticationFilter"/>
</scr:http>
<scr:http auto-config="true" use-expressions="false" authentication-manager-ref="authenticationManager">
<scr:csrf disabled="true"/>
<scr:http-basic entry-point-ref="unauthorisedEntryPoint"/>
<scr:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
<scr:form-login login-page="/login"/>
<scr:logout invalidate-session="true" delete-cookies="JSESSIONID" logout-success-url="/login"
logout-url="/j_spring_security_logout"/>
</scr:http>
<!-- AuthenticationProvider based on username/password authentication -->
<bean id="kylinUserAuthProvider" class="org.apache.kylin.rest.security.KylinAuthenticationProvider">
<constructor-arg>
<bean class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService">
<bean class="org.apache.kylin.rest.service.KylinUserService"/>
</property>
<property name="passwordEncoder">
<bean class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
</property>
</bean>
</constructor-arg>
</bean>
<!-- AuthenticationProvider based on CAS authentication -->
<bean id="casAuthenticationProvider"
class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<property name="key" value="changeit"/>
<property name="authenticationUserDetailsService" ref="casUserDetailsService"/>
<property name="serviceProperties" ref="casServiceProperties"/>
<property name="ticketValidator" ref="casValidator"/>
</bean>
<!-- Default AuthenticationManager which tried in order until one provider return non-null -->
<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
<constructor-arg>
<list>
<ref bean="casAuthenticationProvider"/>
<ref bean="kylinUserAuthProvider"/>
</list>
</constructor-arg>
</bean>
<bean id="casAuthenticationFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter">
<property name="serviceProperties" ref="casServiceProperties"/>
<property name="authenticationManager" ref="authenticationManager"/>
<property name="filterProcessesUrl" value="/cas/service"/>
</bean>
<!-- CAS Client related beans -->
<bean id="casServiceProperties" class="org.springframework.security.cas.ServiceProperties">
<property name="artifactParameter" value="${kylin.security.cas.artifact-param:ticket}"/>
<property name="serviceParameter" value="${kylin.security.cas.service-param:service}"/>
<property name="authenticateAllArtifacts" value="${kylin.security.cas.auth-all-artifact:false}"/>
<property name="sendRenew" value="${kylin.security.cas.send-renew:false}"/>
<property name="service" value="${kylin.server.url}/cas/service"/>
</bean>
<bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<property name="loginUrl" value="${kylin.security.cas.server.login-url}"/>
<property name="encodeServiceUrlWithSessionId" value="true"/>
<property name="serviceProperties" ref="casServiceProperties"/>
</bean>
<bean id="casValidator" class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<constructor-arg index="0" name="casServerUrlPrefix" value="${kylin.security.cas.server.prefix}"/>
</bean>
<bean id="casUserDetailsService" class="org.apache.kylin.rest.security.cas.CasUserDetailsService">
<property name="defaultAuthorities" value="${kylin.security.cas.default-groups:ALL_USERS}"/>
</bean>
<!-- handle the CAS server to ends the CAS SSO session, not used -->
<bean id="casHandleSingleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter"/>
<!-- logout in Kylin when CAS SSO session ends. redirect to CAS server logout page when accessing /cas/logout -->
<bean id="casRequestSingleLogoutFilter"
class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg value="${kylin.security.cas.server.logout-url}"/>
<constructor-arg>
<bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
</constructor-arg>
<property name="filterProcessesUrl" value="/cas/logout"/>
</bean>
</beans>
</beans>