Normalizing logout service URIs, patch from Adrian Gonzalez applied, This closes #19
[cxf-fediz.git] / services / idp / src / main / webapp / WEB-INF / security-config.xml
1 <?xml version="1.0" encoding="UTF-8"?>
2 <!--
3 Licensed to the Apache Software Foundation (ASF) under one
4 or more contributor license agreements. See the NOTICE file
5 distributed with this work for additional information
6 regarding copyright ownership. The ASF licenses this file
7 to you under the Apache License, Version 2.0 (the
8 "License"); you may not use this file except in compliance
9 with the License. You may obtain a copy of the License at
10
11 http://www.apache.org/licenses/LICENSE-2.0
12
13 Unless required by applicable law or agreed to in writing,
14 software distributed under the License is distributed on an
15 "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
16 KIND, either express or implied. See the License for the
17 specific language governing permissions and limitations
18 under the License.
19 -->
20 <beans xmlns="http://www.springframework.org/schema/beans"
21 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
22 xmlns:security="http://www.springframework.org/schema/security"
23 xmlns:context="http://www.springframework.org/schema/context"
24 xmlns:util="http://www.springframework.org/schema/util"
25 xsi:schemaLocation="
26 http://www.springframework.org/schema/beans
27 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
28 http://www.springframework.org/schema/context
29 http://www.springframework.org/schema/context/spring-context-3.1.xsd
30 http://www.springframework.org/schema/security
31 http://www.springframework.org/schema/security/spring-security-3.1.xsd
32 http://www.springframework.org/schema/util
33 http://www.springframework.org/schema/util/spring-util-2.0.xsd
34 ">
35
36 <context:property-placeholder location="classpath:realm.properties"/>
37
38 <!-- DISABLE in production as it might log confidential information about the user -->
39 <!-- <security:debug /> -->
40
41 <!-- Configure Spring Security -->
42
43 <!-- If enabled, you can't access the Service layer within the Spring Webflow -->
44 <!-- The user has no role during the login phase of WS-Federation -->
45 <security:global-method-security pre-post-annotations="enabled"/>
46
47 <security:http pattern="/services/rs/**" use-expressions="true" authentication-manager-ref="restAuthenticationManager">
48 <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
49 <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
50 <security:intercept-url pattern="/services/rs/**" access="isAuthenticated()"/>
51 <security:http-basic />
52 </security:http>
53
54 <bean id="bCryptPasswordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
55
56 <bean id="defaultPasswordEncoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder" />
57
58 <security:authentication-manager id="restAuthenticationManager">
59 <security:authentication-provider>
60 <!-- <security:password-encoder ref="defaultPasswordEncoder"/>-->
61 <!-- <security:password-encoder hash="sha-256" base64="true" />-->
62 <!--
63 <security:password-encoder hash="sha-256" base64="true">
64 <security:salt-source user-property="username"/>
65 </security:password-encoder>
66 -->
67 <security:user-service properties="classpath:/users.properties" />
68 </security:authentication-provider>
69 <security:authentication-provider ref="stsUPAuthProvider" />
70 </security:authentication-manager>
71
72 <!-- Redirects to a dedicated http config -->
73 <bean id="federationEntryPoint" class="org.apache.cxf.fediz.service.idp.FederationEntryPoint">
74 <property name="realm" value="urn:org:apache:cxf:fediz:idp:realm-A" />
75 <property name="configService" ref="config" />
76 </bean>
77
78 <!-- Main entry point -->
79 <security:http pattern="/federation" use-expressions="true" entry-point-ref="federationEntryPoint">
80 <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
81 <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
82 </security:http>
83
84 <!-- HTTP/BA entry point -->
85 <security:http pattern="/federation/up/**" use-expressions="true">
86 <security:intercept-url requires-channel="https" pattern="/federation/up/login*" access="isAnonymous() or isAuthenticated()" />
87 <security:custom-filter after="CHANNEL_FILTER" ref="stsUPPortFilter" />
88 <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
89
90 <security:http-basic />
91 <!--security:form-login login-page='/federation/up/login'
92 login-processing-url="/federation/up/login.do"
93 authentication-failure-url="/federation/up/login?error"
94 default-target-url="/"
95 username-parameter="username"
96 password-parameter="password"
97 /-->
98 <security:logout logout-url="/federation/up/logout"
99 logout-success-url="/federation/up/login?out"
100 delete-cookies="FEDIZ_HOME_REALM,JSESSIONID"
101 invalidate-session="true"
102 />
103 </security:http>
104
105 <!-- Kerberos entry point -->
106 <bean id="kerberosEntryPoint"
107 class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" />
108
109 <bean id="kerberosAuthenticationProcessingFilter"
110 class="org.apache.cxf.fediz.service.idp.kerberos.KerberosAuthenticationProcessingFilter">
111 <property name="authenticationManager" ref="authenticationManagers" />
112 </bean>
113
114 <security:http pattern="/federation/krb" use-expressions="true" entry-point-ref="kerberosEntryPoint">
115 <security:custom-filter after="CHANNEL_FILTER" ref="stsKrbPortFilter" />
116 <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
117
118 <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
119 <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
120 </security:http>
121
122 <!-- SSL Client Cert entry point -->
123 <security:http pattern="/federation/clientcert" use-expressions="true">
124 <security:custom-filter after="CHANNEL_FILTER" ref="stsClientCertPortFilter" />
125 <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
126
127 <security:x509 />
128 <security:logout delete-cookies="FEDIZ_HOME_REALM" invalidate-session="true" />
129 </security:http>
130
131 <security:authentication-manager alias="authenticationManagers">
132 <security:authentication-provider ref="stsUPAuthProvider" />
133 <security:authentication-provider ref="stsKrbAuthProvider" />
134 <security:authentication-provider ref="stsClientCertAuthProvider" />
135 </security:authentication-manager>
136
137 <bean id="stsUPPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
138 <property name="authenticationProvider" ref="stsUPAuthProvider" />
139 </bean>
140
141 <bean id="entitlementsEnricher" class="org.apache.cxf.fediz.service.idp.service.security.GrantedAuthorityEntitlements" />
142
143 <!-- U/P Authentication Provider -->
144 <bean id="stsUPAuthProvider" class="org.apache.cxf.fediz.service.idp.STSUPAuthenticationProvider">
145 <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/>
146 <property name="wsdlEndpoint" value="TransportUT_Port"/>
147 <property name="wsdlService" value="SecurityTokenService"/>
148 <property name="appliesTo" value="urn:fediz:idp"/>
149 <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
150 </bean>
151
152 <bean id="stsKrbPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
153 <property name="authenticationProvider" ref="stsKrbAuthProvider" />
154 </bean>
155
156 <!--<bean id="kerberosTokenValidator" class="org.apache.cxf.fediz.service.idp.kerberos.KerberosTokenValidator">
157 <property name="contextName" value="bob"/>
158 <property name="serviceName" value="bob@service.ws.apache.org"/>
159 </bean>-->
160
161 <!-- Kerberos authentication provider -->
162 <bean id="stsKrbAuthProvider" class="org.apache.cxf.fediz.service.idp.STSKrbAuthenticationProvider">
163 <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportKerberos?wsdl"/>
164 <property name="wsdlEndpoint" value="TransportKerberos_Port"/>
165 <property name="wsdlService" value="SecurityTokenService"/>
166 <property name="appliesTo" value="urn:fediz:idp"/>
167 <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
168 <!-- <property name="kerberosTokenValidator" ref="kerberosTokenValidator"/>
169 <property name="requireDelegation" value="true"/>-->
170 </bean>
171
172 <bean id="stsClientCertPortFilter" class="org.apache.cxf.fediz.service.idp.STSPortFilter">
173 <property name="authenticationProvider" ref="stsClientCertAuthProvider" />
174 </bean>
175
176 <util:map id="securityProperties">
177 <entry key="ws-security.username" value="idp-user" />
178 <entry key="ws-security.password" value="idp-pass" />
179 </util:map>
180
181 <bean id="stsClientCertAuthProvider" class="org.apache.cxf.fediz.service.idp.STSPreAuthAuthenticationProvider">
182 <property name="wsdlLocation" value="https://localhost:0/fediz-idp-sts/${realm.STS_URI}/STSServiceTransportUT?wsdl"/>
183 <property name="wsdlEndpoint" value="TransportUT_Port"/>
184 <property name="wsdlService" value="SecurityTokenService"/>
185 <property name="appliesTo" value="urn:fediz:idp"/>
186 <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
187 <property name="properties" ref="securityProperties"/>
188 </bean>
189
190 </beans>