Spring Security

Weave 2.5 provides the opportunity to switch from Acegi Security to Spring Security (the newer successor to the Acegi Security framework).

If your current security.xml file works with Weave 2.4, you do not need to change it to use Spring Security when switching to Weave 2.5. Support for Spring Security was added because Acegi Security is no longer developed; it has been succeeded by Spring Security, which is still actively developed and supports additional security mechanisms that the Acegi Security framework does not.

Weave 2.5 supports both systems and chooses which framework to use at runtime based on the content of the security.xml file. The Spring Security version of security.xml differs from the Acegi version, but both are based on the same concepts.

Below is the minimum security.xml file required to use Spring Security with Weave 2.5.
It outlines the basic changes that must be made to an equivalent basic Spring Security configuration file to properly support Weave.
Some of the changes ensure that users can reach the parts of Weave they need and are kept out of the parts they should not reach; the others make the file compatible with what Weave expects, based on how it previously behaved with Acegi Security.

Beyond the contents of this file, any customisations you need to make to support your security requirements (e.g. Active Directory, LDAP, etc.) should be made based on the standard Spring Security documentation.

Base security.xml file
<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans
		http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
		http://www.springframework.org/schema/security
		http://www.springframework.org/schema/security/spring-security-3.2.xsd">

	<!-- Allow access to these resources by anyone -->
	<http pattern="/resources/favicon/favicon.ico" security="none"/>
	<http pattern="/resources/images/**" security="none"/>

	<http auto-config="true" create-session="always">
		<!-- Only "Admin" users should be able to access the admin pages -->
		<!-- You can change ROLE_ADMIN to match a different role if you are using 
		     an external authentication source, for example AD or LDAP, and it uses
		     a different role for the users that you want to have access the Admin UI -->
		<intercept-url pattern="/admin.html" access="ROLE_ADMIN"/>
		<intercept-url pattern="/admin.htm" access="ROLE_ADMIN"/>
		<!-- These are the pages where we want to know who the user is, but they can be anonymous -->
		<intercept-url pattern="/index.html" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
		<intercept-url pattern="/index.htm" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
		<intercept-url pattern="/login.*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
		<intercept-url pattern="/login/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
		<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
		<form-login login-page="/login.html" login-processing-url="/security/j_spring_security_check.do" authentication-success-handler-ref="authenticationSuccessHandler"/>
		<logout logout-url="/security/j_spring_security_logout.do"  logout-success-url="/index.html" />
		<!-- The default anonymous username is "anonymousUser"; we change it here to "anonymous"
		     because that is what it was in older versions of Weave, and it looks nicer when displayed. -->
		<!-- Also, we change the default roles from just ROLE_ANONYMOUS to anonymous and ROLE_ANONYMOUS,
		     because the older Weave ACL parser and its documentation say that "anonymous" can be used as
		     a role for anonymous users. Internally Weave now uses ROLE_ANONYMOUS, but we want to make sure old
		     ACLs still work, so make sure you always include at least ROLE_ANONYMOUS -->
		<!-- In summary, without the following line an anonymous user would be displayed as "anonymousUser"
		     and any ACL that wants to check for an anonymous user would have to use "ROLE_ANONYMOUS" -->
		<anonymous username="anonymous" granted-authority="anonymous,ROLE_ANONYMOUS"/>
	</http>

	<!-- This custom authentication success handler is used to allow us to manually change the target page after a successful authentication -->
	<beans:bean id="authenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
		<!-- This is the page we will redirect to if the user goes straight to the login page and logs in -->
		<beans:property name="defaultTargetUrl" value="/index.html"/>
		<!-- The reason we have this bean is so that we can set the following value -->
		<!-- This allows us to manually set the target page after performing authentication -->
		<beans:property name="targetUrlParameter" value="_spring_security_redirect"/>
	</beans:bean>
	<authentication-manager alias="authenticationManager">
		<authentication-provider user-service-ref="userDetailsService"/>
	</authentication-manager>

	<user-service id="userDetailsService" properties="users.properties"/>

</beans:beans>
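The order of the <intercept-url> elements above matters: Spring Security applies the first pattern that matches the request path, so the ROLE_ADMIN rules for the admin pages must appear before the catch-all "/**" rule. The following added example (not Weave or Spring code) parses the access-control part of the security.xml shown above, re-implements a simplified AntPathMatcher and first-match decision, and evaluates a few request paths for the anonymous user and an admin user. It also shows what happens if the catch-all rule were placed first. The XML string, the user authority lists and the request paths are constructed for the example; the pattern and access values are copied from the page.

```python
"""Simulate Spring Security's first-match evaluation of <intercept-url> rules.

Added example for the Weave 2.5 security.xml page; it is not Weave or Spring
code. The ant-pattern matcher below is a simplified model of Spring's
AntPathMatcher, and the rules are the ones from the page's security.xml.
"""
import re
import xml.etree.ElementTree as ET

SEC = "http://www.springframework.org/schema/security"

# Constructed copy of the access-control parts of the page's security.xml.
SECURITY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans">
  <http pattern="/resources/favicon/favicon.ico" security="none"/>
  <http pattern="/resources/images/**" security="none"/>
  <http auto-config="true">
    <intercept-url pattern="/admin.html" access="ROLE_ADMIN"/>
    <intercept-url pattern="/admin.htm" access="ROLE_ADMIN"/>
    <intercept-url pattern="/index.html" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/login.*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/login/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
  </http>
</beans:beans>"""

# Constructed misconfiguration: the same file with the catch-all rule moved first.
_CATCH_ALL = '<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>'
MISORDERED_XML = SECURITY_XML.replace(_CATCH_ALL, "", 1).replace(
    '<http auto-config="true">', '<http auto-config="true">\n    ' + _CATCH_ALL, 1)

# Authorities as granted by the page's <anonymous> element, and an admin user.
ANON = ["anonymous", "ROLE_ANONYMOUS"]
ADMIN = ["ROLE_ADMIN"]


def ant_to_regex(pattern):
    """Simplified AntPathMatcher: '**' spans path segments, '*' stays within
    one segment, '?' is one character. A trailing '/**' also matches the bare
    directory path, as Spring's matcher does."""
    body = pattern[:-3] if pattern.endswith("/**") else pattern
    out, i = "", 0
    while i < len(body):
        if body.startswith("**", i):
            out += ".*"
            i += 2
        elif body[i] == "*":
            out += "[^/]*"
            i += 1
        elif body[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(body[i])
            i += 1
    if pattern.endswith("/**"):
        out += "(/.*)?"
    return re.compile(out + r"\Z")


def load_rules(xml_text):
    """Return (unsecured_patterns, intercept_rules) in declaration order."""
    root = ET.fromstring(xml_text)
    unsecured, rules = [], []
    for http in root.findall(f"{{{SEC}}}http"):
        if http.get("security") == "none":
            unsecured.append(ant_to_regex(http.get("pattern")))
            continue
        for iu in http.findall(f"{{{SEC}}}intercept-url"):
            rules.append((iu.get("pattern"), ant_to_regex(iu.get("pattern")), iu.get("access")))
    return unsecured, rules


def decide(path, authorities, unsecured, rules):
    """First-match evaluation: <http security="none"> chains bypass security
    entirely; otherwise the FIRST matching <intercept-url> decides.
    Returns (decision, matched_pattern)."""
    if any(rx.match(path) for rx in unsecured):
        return "permit", None
    for pattern, rx, access in rules:
        if rx.match(path):
            if access == "IS_AUTHENTICATED_ANONYMOUSLY":
                return "permit", pattern
            # RoleVoter semantics: holding any listed ROLE_ attribute grants access.
            wanted = {a.strip() for a in access.split(",")}
            return ("permit" if wanted & set(authorities) else "deny"), pattern
    # No rule matched: this model fails closed (Spring itself lets unmatched
    # URLs through unless rejectPublicInvocations is enabled).
    return "deny", None


def evaluate(xml_text, path, authorities):
    unsecured, rules = load_rules(xml_text)
    return decide(path, authorities, unsecured, rules)


if __name__ == "__main__":
    for path in ["/admin.html", "/index.html", "/login.html", "/resources/images/logo.png"]:
        print(path, "anon:", evaluate(SECURITY_XML, path, ANON),
              "admin:", evaluate(SECURITY_XML, path, ADMIN))
    print("/admin.html with catch-all first, anon:", evaluate(MISORDERED_XML, "/admin.html", ANON))
```

With the page's ordering, an anonymous user is denied "/admin.html" and an admin is permitted; with the catch-all moved to the top, the same anonymous request is permitted because "/**" matches first and the ROLE_ADMIN rule is never reached. The same first-match reasoning applies when you add rules for a custom role from AD or LDAP: put the specific patterns before "/**".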