
Beyond the contents of this file, any customisation you need to support your own security requirements (e.g. Active Directory or LDAP integration) should be made following the standard Spring Security reference documentation: Spring security documentation

Base security.xml file:
<?xml version="1.0" encoding="UTF-8"?>

<!-- Base Spring Security (3.2 namespace) configuration for the Weave web application.
     Everything that is not listed under a more specific intercept-url below is reachable
     anonymously by design, so this file is where any new protected URL has to be registered.
     Integration with an external directory (AD, LDAP, ...) replaces the in-memory user-service
     at the bottom of this file; the comments on each element list the security caveats that
     a deployment has to cover itself. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans
		http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
		http://www.springframework.org/schema/security
		http://www.springframework.org/schema/security/spring-security-3.2.xsd">

	<!-- Allow access to these resources by anyone -->
	<!-- security="none" removes these paths from the security filter chain entirely: no
	     authentication, no session handling and none of the other security filters run for them.
	     Keep this list to genuinely public static content; anything served under these patterns
	     is available to every client, authenticated or not. -->
	<http pattern="/resources/favicon/favicon.ico" security="none"/>
	<http pattern="/resources/images/**" security="none"/>

	<!-- auto-config="true" registers a login form, HTTP Basic authentication and logout support.
	     The form-login and logout elements below override the defaults for those two; HTTP Basic
	     stays enabled implicitly. If only the login form should accept credentials, drop
	     auto-config and declare just the elements you need.
	     Things this element does NOT do, which the deployment has to cover itself:
	       * no requires-channel="https" is set, so credentials and the session cookie travel in
	         the clear unless TLS is enforced in front of the application;
	       * CSRF protection (the 3.2 <csrf/> element) is not enabled, so the login submission and
	         the logout URL can be triggered from a third-party page. Enabling it also requires the
	         login page to submit the CSRF token and logout to become a POST, so change them together.
	     create-session="always" gives every request a session, anonymous ones included. -->
	<http auto-config="true" create-session="always">
		<!-- intercept-url rules are evaluated top down and the first matching pattern wins,
		     so the admin rules must stay above the "/**" catch-all at the end of this list. -->
		<!-- Only "Admin" users should be able to access the admin pages -->
		<!-- You can change ROLE_ADMIN to match a different role if you are using
		     an external authentication source, for example AD or LDAP, and it uses
		     a different role for the users that you want to have access to the Admin UI -->
		<intercept-url pattern="/admin.html" access="ROLE_ADMIN"/>
		<intercept-url pattern="/admin.htm" access="ROLE_ADMIN"/>
		<!-- These are the pages where we want to know who the user is, but they can be anonymous -->
		<intercept-url pattern="/index.html" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
		<intercept-url pattern="/index.htm" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
		<intercept-url pattern="/login.*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
		<intercept-url pattern="/login/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
		<!-- Catch-all: anything not matched above is open to anonymous users (presumably the Weave
		     ACLs, not this file, decide what an anonymous user may do once inside). A page that must
		     be restricted needs its own rule ABOVE this line; a rule added below it never matches. -->
		<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
		<!-- Credentials are submitted to login-processing-url; on success the handler bean defined
		     below chooses the redirect target (see that bean for the redirect-parameter caveat). -->
		<form-login login-page="/login.html" login-processing-url="/security/j_spring_security_check.do" authentication-success-handler-ref="authenticationSuccessHandler"/>
		<!-- Without the csrf element, any request to logout-url (including a plain GET from a link
		     or image on another site) ends the user's session. Low impact, but part of the picture
		     when deciding whether to enable CSRF protection. -->
		<logout logout-url="/security/j_spring_security_logout.do"  logout-success-url="/index.html" />
		<!-- The default anonymous username is "anonymousUser", we change it here to "anonymous"
		     because that is what it was in older versions of Weave, plus it looks nicer when it's displayed. -->
		<!-- Also, we change the default roles from just ROLE_ANONYMOUS, to anonymous and ROLE_ANONYMOUS,
		     because the older Weave ACL parser and its documentation say that "anonymous" can be used as
		     a role for anonymous users. Internally Weave now uses ROLE_ANONYMOUS, but we want to make sure old
		     ACLs still work, so make sure you always include at least ROLE_ANONYMOUS -->
		<!-- In summary, without the following line an anonymous user would be displayed as "anonymousUser"
		     and any ACL that wants to check for an anonymous user would have to use "ROLE_ANONYMOUS" -->
		<anonymous username="anonymous" granted-authority="anonymous,ROLE_ANONYMOUS"/>
	</http>

	<!-- This custom authentication success handler is used to allow us to manually change the target page after a successful authentication -->
	<beans:bean id="authenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
		<!-- This is the page we will redirect to if the user goes straight to the login page and logs in -->
		<beans:property name="defaultTargetUrl" value="/index.html"/>
		<!-- The reason we have this bean is so that we can set the following value -->
		<!-- This allows us to manually set the target page after performing authentication -->
		<!-- SECURITY NOTE: the value of this request parameter is taken straight from the login
		     request and used as the post-login redirect. Nothing in this file restricts it to this
		     application's own host, and as far as we know the default redirect strategy does not
		     reject absolute URLs, so a crafted login link can send a freshly authenticated user to an
		     external site (open redirect / phishing vector). Either validate the parameter in the
		     login page before it is submitted, or, if the feature is not needed, set the
		     alwaysUseDefaultTargetUrl property to true so the parameter is ignored. -->
		<beans:property name="targetUrlParameter" value="_spring_security_redirect"/>
	</beans:bean>

	<!-- The authentication manager delegates to the user-service below. To use AD/LDAP instead,
	     swap this authentication-provider for the matching provider from the Spring Security
	     reference; the http section above can stay as it is (adjust ROLE_ADMIN if needed). -->
	<authentication-manager alias="authenticationManager">
		<authentication-provider user-service-ref="userDetailsService"/>
	</authentication-manager>

	<!-- In-memory users loaded from users.properties (Spring's standard
	     username=password,ROLE_1,ROLE_2 format). No password-encoder is declared on the
	     authentication-provider, so the passwords in that file are expected in plain text and
	     compared as such: protect the file with restrictive filesystem permissions, keep it out of
	     version control, and prefer hashed passwords (a password-encoder element plus re-issued
	     credentials) or an external directory for anything beyond a bootstrap/admin account. -->
	<user-service id="userDetailsService" properties="users.properties"/>

</beans:beans>