<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:sec="http://www.springframework.org/security/tags"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:util="http://www.springframework.org/schema/util"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-2.5.xsd">
<description>
Main Spring Security configuration for authentication against CAS.
</description>
<!-- Externalized settings: key/value pairs are kept in properties files under WEB-INF
and substituted into the ${...} placeholders used throughout this context.
environment.properties supplies host and sso.host; jdbc.properties supplies the
database driver, URL and credentials used by the dataSource bean. -->
<bean id="placeholderConfig"
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="locations">
<list>
<value>/WEB-INF/environment.properties</value>
<value>/WEB-INF/jdbc.properties</value>
</list>
</property>
<!-- Fail fast: a missing file or an unresolved placeholder aborts startup instead of
leaving e.g. sso.host or the JDBC password unset. -->
<property name="ignoreResourceNotFound" value="false" />
<property name="ignoreUnresolvablePlaceholders" value="false" />
<!-- Placeholders are resolved from the files only, never from OS environment variables. -->
<property name="searchSystemEnvironment" value="false" />
</bean>
<!-- Enables @PreAuthorize/@PostAuthorize method-level security checks on Spring beans. -->
<security:global-method-security pre-post-annotations="enabled" />
<!-- ======================== Security Filter Chain ======================= -->
<!-- Request-to-filter mapping behind the springSecurityFilterChain delegating filter
(presumably registered in web.xml, not shown here). Patterns are Ant-style and are
tried in order, so the logout entry must stay above the "/**" catch-all. -->
<bean id="springSecurityFilterChain"
class="org.springframework.security.web.FilterChainProxy">
<security:filter-chain-map path-type="ant">
<!-- Logout requests bypass CAS: logoutFilter ends the local session and "etf" answers
any security exception with a plain 403 instead of a redirect to CAS. This chain has
no SecurityContextPersistenceFilter; NOTE(review): logout presumably still works
because the logout handler invalidates the HttpSession that stores the context; confirm. -->
<security:filter-chain pattern="/j_spring_security_logout"
filters="logoutFilter,etf,filterSecurityInterceptor" />
<!-- All other requests: restore the context from the session, fall back to an anonymous
token, process CAS tickets, then authorize via filterSecurityInterceptor.
NOTE(review): the anonymous filter runs before the CAS filter here, the reverse of the
usual Spring Security order; it works because a successful CAS login replaces the
anonymous token, but confirm this ordering was intended. -->
<security:filter-chain pattern="/**" filters="
securityContextPersistentFilter,
anonymousAuthenticationFilter,
casAuthenticationFilter,
logoutFilter,
exceptionTranslationFilterCAS,
filterSecurityInterceptor"
/>
</security:filter-chain-map>
</bean>
<!-- Filter to store the Authentication object in the HTTP Session: loads the
SecurityContext from securityContextRepository at the start of a request and saves
it back at the end, so a CAS login survives across requests. -->
<bean id="securityContextPersistentFilter"
class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
<property name="securityContextRepository" ref="securityContextRepository" />
</bean>
<!-- Backing store for the SecurityContext between requests: the servlet HttpSession. -->
<bean id="securityContextRepository"
class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />
<!-- anonymousAuthenticationFilter: when no Authentication is present, fills the context
with an AnonymousAuthenticationToken whose principal is "anonymousUser" and whose only
authority is ROLE_ANONYMOUS (the two parts of userAttribute). -->
<bean id="anonymousAuthenticationFilter"
class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
<!-- The key ties tokens created here to anonymousAuthenticationProvider, which accepts
only tokens carrying the same key. "foobar" is the well-known documentation example;
a deployment should use its own unguessable value (e.g. via a placeholder) and keep
the filter and the provider in sync. -->
<property name="key" value="foobar"/>
<property name="userAttribute" value="anonymousUser, ROLE_ANONYMOUS"/>
</bean>
<!-- casAuthenticationFilter: consumes the service ticket the CAS server appends when it
redirects back to the "service" URL from casServiceProperties
(/admin/j_spring_cas_security_check) and hands it to authenticationManager. -->
<bean id="casAuthenticationFilter"
class="org.springframework.security.cas.web.CasAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<!-- Ticket rejected: redirect to /casfailed. That page must be reachable without a
login, otherwise the browser bounces back to CAS (see securityMetadataSource). -->
<property name="authenticationFailureHandler">
<bean
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/casfailed"/>
</bean>
</property>
<!-- Ticket accepted: return to the URL saved before the CAS redirect, or "/" if none. -->
<property name="authenticationSuccessHandler">
<bean
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/"/>
</bean>
</property>
</bean>
<!-- casAuthenticationEntryPoint: when an unauthenticated request hits a protected URL,
redirect the browser to the CAS login page, passing the service URL from
casServiceProperties so CAS knows where to return the ticket. -->
<bean id="casAuthenticationEntryPoint"
class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
<!-- Commented-out hard-coded alternative, kept for reference:
<property name="loginUrl" value="https://sso.your.server.de"/>
-->
<!-- NOTE(review): loginUrl is the bare ${sso.host}; CAS servers normally serve the login
page under a /login path. Confirm that the configured host really is the login endpoint. -->
<property name="loginUrl" value="${sso.host}"/>
<property name="serviceProperties" ref="casServiceProperties"/>
</bean>
<!-- exceptionTranslationFilterCAS: turns an AuthenticationException or
AccessDeniedException raised further down the chain into a response. Anonymous callers
are sent to CAS via casAuthenticationEntryPoint; authenticated callers lacking the
required role get the filter's built-in access-denied response (403), since no
accessDeniedHandler is configured. -->
<bean id="exceptionTranslationFilterCAS"
class="org.springframework.security.web.access.ExceptionTranslationFilter">
<property name="authenticationEntryPoint" ref="casAuthenticationEntryPoint"/>
<!-- Optional custom access-denied page, currently disabled:
<property name="accessDeniedHandler" ref="accessDeniedHandler"/>
-->
</bean>
<!-- logoutFilter: this filter handles the logout. It should be placed at the
beginning of the filter chain so a click on the logout link (or button) will not
go through the rest of the chain. It reacts to its default logout URL,
/j_spring_security_logout (see the filter chain map above). -->
<bean id="logoutFilter"
class="org.springframework.security.web.authentication.logout.LogoutFilter">
<!--
<constructor-arg value="/"/>
Logout is not yet performed correctly; as an alternative use
https://sso.your.server.de/logout
-->
<!-- First constructor argument: URL to redirect to after logout. NOTE(review): this only
ends the local session; the CAS single sign-on session at ${sso.host} is presumably
left alive, so a subsequent protected request may log the user straight back in until
a CAS logout is implemented (see the note above). -->
<constructor-arg value="/logout"/>
<!-- Second constructor argument: handlers run on logout. SecurityContextLogoutHandler
invalidates the HttpSession and clears the SecurityContext. -->
<constructor-arg>
<list>
<bean
class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
</list>
</constructor-arg>
</bean>
<!-- etf: ExceptionTranslationFilter for the logout chain. A security exception there is
answered by preAuthEntryPoint (HTTP 403) rather than by a redirect to CAS. -->
<bean id="etf" class="org.springframework.security.web.access.ExceptionTranslationFilter">
<property name="authenticationEntryPoint" ref="preAuthEntryPoint"/>
</bean>
<!-- Entry point that responds with 403 Forbidden instead of starting a login. -->
<bean id="preAuthEntryPoint"
class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
<!-- Exposes the ServletContext as a bean. NOTE(review): nothing in this file references
it; presumably used by beans defined elsewhere. Confirm, or remove it. -->
<bean id="servletContext"
class="org.springframework.web.context.support.ServletContextFactoryBean"/>
<!-- Authentication Manager
Authenticates users against several identity sources. This lets Spring Security
support multiple authentication mechanisms in a single application.
Providers are consulted in list order until one of them succeeds.
-->
<bean id="authenticationManager"
class="org.springframework.security.authentication.ProviderManager">
<property name="providers">
<list>
<!-- Validates CAS service tickets and loads roles through myUserService -->
<ref local="casAuthenticationProvider"/>
<!-- Disabled alternatives (no beans with these ids exist in this file):
<ref local="authenticationProvider"/>
<ref local="daoAuthenticationProvider"/>
-->
<!-- Accepts the anonymous tokens issued by anonymousAuthenticationFilter -->
<ref local="anonymousAuthenticationProvider"/>
</list>
</property>
</bean>
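<!-- JDBC connection pool used by myUserService to load user details. Driver, URL and
credentials come from /WEB-INF/jdbc.properties (loaded by placeholderConfig); the
database password therefore sits in clear text inside the deployed application, so that
file must be readable only by the application account and kept out of version control
with production values. destroy-method="close" releases pooled connections on shutdown. -->
<bean id="dataSource"
class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close">
<!-- Self-closing property elements, matching the style used elsewhere in this file -->
<property name="driverClassName" value="${jdbc.driverClassName}"/>
<property name="url" value="${jdbc.databaseurl}"/>
<property name="username" value="${jdbc.username}"/>
<property name="password" value="${jdbc.password}"/>
</bean>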
<!-- Usernames that myUserService treats as administrators (presumably by granting
ROLE_ADMIN; the logic lives in de.shemel.cas.MyUserService, which is not shown here).
Edit this list to change who gets admin rights. -->
<util:list id="predefinedAdminAccounts" list-class="java.util.ArrayList"
value-type="java.lang.String">
<value>adminuser1</value>
<value>adminuser2</value>
</util:list>
<!-- Custom UserDetailsService used by casAuthenticationProvider to look up the user
named in the CAS assertion. It reads from dataSource and consults predefinedAdminAccounts;
the class itself (de.shemel.cas.MyUserService) is defined outside this file. -->
<bean id="myUserService" class="de.shemel.cas.MyUserService">
<property name="dataSource" ref="dataSource"/>
<property name="predefinedAdminAccounts" ref="predefinedAdminAccounts"/>
</bean>
<!-- casAuthenticationProvider: validates the CAS service ticket with the CAS server,
then resolves the asserted username through myUserService to obtain the user's roles. -->
<bean id="casAuthenticationProvider"
class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
<property name="userDetailsService" ref="myUserService" />
<!-- Must be the same service URL that was sent to CAS, otherwise validation fails -->
<property name="serviceProperties" ref="casServiceProperties"/>
<!-- CAS 2.0 protocol ticket validation; the constructor argument is the CAS server URL
prefix the validation request is sent to. The response is only trustworthy over https,
so sso.host should stay an https URL. -->
<property name="ticketValidator">
<bean
class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
<constructor-arg index="0" value="${sso.host}/" />
<!-- In-memory store for proxy-granting tickets. NOTE(review): no proxyCallbackUrl is set
on the validator, so presumably no PGTs are ever received; confirm whether proxy support
is needed at all. -->
<property name="proxyGrantingTicketStorage">
<bean
class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/>
</property>
</bean>
</property>
<!-- Identifier stored in the CasAuthenticationToken so this provider recognises tokens
it created itself. -->
<property name="key" value="tudCasAuthProviderId"/>
</bean>
<!-- which service (application) am I authenticating: the URL CAS redirects back to with
the ticket. It must match the URL casAuthenticationFilter listens on
(/admin/j_spring_cas_security_check) and is also checked during ticket validation. -->
<bean id="casServiceProperties" class="org.springframework.security.cas.ServiceProperties">
<!-- Commented-out hard-coded alternative, kept for reference:
<property name="service"
value="https://your.domain.de/admin/j_spring_cas_security_check"/>
-->
<!-- ${host} comes from environment.properties. The ticket travels to this URL, so in
production host must be an https URL; the sample value http://localhost:8080 is for
local development only. -->
<property name="service" value="${host}/admin/j_spring_cas_security_check"/>
<!-- sendRenew=false accepts tickets issued from an existing CAS single sign-on session,
i.e. the user is not forced to re-enter credentials for this application. -->
<property name="sendRenew" value="false"/>
</bean>
<!-- Authentication anonymousAuthenticationProvider: accepts AnonymousAuthenticationToken
instances whose key matches the one configured on anonymousAuthenticationFilter. Both
beans currently use the documentation example value "foobar"; a deployment should
replace it with its own unguessable value in both places. -->
<bean id="anonymousAuthenticationProvider"
class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
<property name="key" value="foobar"/>
</bean>
<!-- accessDecisionManager: grants access as soon as one voter grants it (AffirmativeBased).
allowIfAllAbstainDecisions=false means a request that no voter has an opinion on is
denied, i.e. deny by default. -->
<bean id="accessDecisionManager"
class="org.springframework.security.access.vote.AffirmativeBased">
<property name="allowIfAllAbstainDecisions" value="false"/>
<property name="decisionVoters">
<list>
<!-- Votes on ROLE_* attributes using the hierarchy below: ROLE_ADMIN and ROLE_EMPLOYEE
each imply ROLE_USER, and ROLE_USER implies ROLE_ANONYMOUS, so any logged-in user also
passes checks that only require ROLE_ANONYMOUS. -->
<bean class="org.springframework.security.access.vote.RoleHierarchyVoter">
<constructor-arg>
<bean
class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
<property name="hierarchy">
<value>
ROLE_ADMIN > ROLE_USER
ROLE_EMPLOYEE > ROLE_USER
ROLE_USER > ROLE_ANONYMOUS
</value>
</property>
</bean>
</constructor-arg>
</bean>
<!-- Plain role voter without the hierarchy; redundant next to the voter above but
harmless under AffirmativeBased. -->
<bean class="org.springframework.security.access.vote.RoleVoter"/>
<!-- Handles IS_AUTHENTICATED_* attributes (none are used in securityMetadataSource). -->
<bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
</list>
</property>
</bean>
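<!-- URL authorization rules evaluated by filterSecurityInterceptor. Entries are matched
in declaration order and the first match wins, so the specific paths must come before
the "/**" catch-all. Previously "/**" was listed first, which made the /casfailed,
/logout and /info entries unreachable: a failed CAS login was redirected to /casfailed,
denied there and, being anonymous, sent back to the CAS login again. -->
<security:filter-security-metadata-source id="securityMetadataSource">
<!-- Reachable without a CAS login. ROLE_USER inherits ROLE_ANONYMOUS through the role
hierarchy in accessDecisionManager, so logged-in users can reach these pages as well. -->
<security:intercept-url pattern="/casfailed"
access="ROLE_ANONYMOUS" />
<security:intercept-url pattern="/logout"
access="ROLE_ANONYMOUS"/>
<!-- Requires a CAS-authenticated user holding either role -->
<security:intercept-url pattern="/info"
access="ROLE_ADMIN, ROLE_USER"/>
<!-- Everything else, for every HTTP method, requires an authenticated user holding either
role. The former per-method entries for POST/GET/PUT/DELETE carried exactly this access
list and have been folded into the catch-all. -->
<security:intercept-url pattern="/**"
access="ROLE_ADMIN, ROLE_USER" />
</security:filter-security-metadata-source>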
<!--=============== Securing the web layer =========================-->
<!-- Filter that enforces authorization on the web layer: looks up the access attributes
for the request URL in securityMetadataSource and asks accessDecisionManager to decide.
authenticationManager is consulted only when the current Authentication is not yet
marked as authenticated. -->
<bean id="filterSecurityInterceptor"
class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager" ref="accessDecisionManager"/>
<property name="securityMetadataSource" ref="securityMetadataSource"/>
</bean>
</beans>
environment.properties
host=http://localhost:8080
#host=your.domain.de
sso.host=https://sso.your.server.de
jdbc.properties
jdbc.driverClassName=com.microsoft.sqlserver.jdbc.SQLServerDriver
jdbc.databaseurl=jdbc:sqlserver://your.sql.server.de;instanceName=test;databaseName=test-app
jdbc.username=user
jdbc.password=pw123
In Teil III folgt die Erstellung einer eigenen Java-Klasse für SpringSecurity und CAS (de.shemel.cas.MyUserService) !