Freitag, 30. August 2013

CAS (Central Authentication Service) mit Spring Security - Teil 2

Konfiguration der spring/applicationContextSecurityCas.xml

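<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
 xmlns:security="http://www.springframework.org/schema/security"
 xmlns:sec="http://www.springframework.org/security/tags"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns:util="http://www.springframework.org/schema/util"
 xsi:schemaLocation="http://www.springframework.org/schema/beans
  http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
  http://www.springframework.org/schema/security
  http://www.springframework.org/schema/security/spring-security-3.1.xsd
  http://www.springframework.org/schema/util
  http://www.springframework.org/schema/util/spring-util-3.0.xsd">

 <!-- NOTE(review): the "sec" prefix is bound to the Spring Security JSP taglib URI,
      not to an XML schema; nothing in this file uses it. It is left in place so the
      root element stays as published. The util schema version was 2.5 while beans is
      3.0 and security is 3.1; it is now aligned with the beans schema. -->
 <description>
  Main Spring Security configuration for CAS (Central Authentication Service)
  single sign-on: filter chain, CAS entry point / filter / provider, logout
  handling and the URL authorization rules.
 </description>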
 
  <!-- Reads key/value pairs from properties files and substitutes the ${...}
       placeholders used in the context files. Both files are packaged inside the
       WAR under WEB-INF; jdbc.properties therefore carries the database password
       in clear text - keep that file out of version control. -->
 <bean id="placeholderConfig"
  class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
  <!-- fail fast: a missing file or an unresolved ${...} aborts context start-up -->
  <property name="ignoreResourceNotFound" value="false"/>
  <property name="ignoreUnresolvablePlaceholders" value="false"/>
  <!-- OS environment variables are not consulted (JVM system properties still act
       as a fallback under the configurer's default mode) -->
  <property name="searchSystemEnvironment" value="false"/>
  <property name="locations">
   <list>
    <value>/WEB-INF/environment.properties</value>
    <value>/WEB-INF/jdbc.properties</value>
   </list>
  </property>
 </bean>
  
 
 <!-- Enables @PreAuthorize / @PostAuthorize (and @PreFilter / @PostFilter) on
      Spring beans, i.e. method-level authorization in addition to the URL rules
      enforced by filterSecurityInterceptor below. -->
 <security:global-method-security pre-post-annotations="enabled" />

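 <!-- ======================== Security Filter Chain ======================= -->
 <!-- Explicit FilterChainProxy (no <security:http>), so nothing is wired implicitly:
      no session-fixation protection unless casAuthenticationFilter sets it, no CSRF
      filter (not available before Spring Security 3.2), no concurrent-session
      control. Filters run in list order, and only the FIRST chain whose pattern
      matches a request is applied. -->
 <bean id="springSecurityFilterChain"
  class="org.springframework.security.web.FilterChainProxy">
  <security:filter-chain-map path-type="ant">
   <!-- Logout endpoint (LogoutFilter's default processing URL). The persistence
        filter is included so the stored context is loaded before the logout
        handlers run and the SecurityContextHolder is cleared afterwards. -->
   <security:filter-chain pattern="/j_spring_security_logout"
    filters="securityContextPersistentFilter,logoutFilter,etf,filterSecurityInterceptor" />
   <!-- Everything else, in the order Spring Security documents for its standard
        filters: context persistence, logout, CAS ticket processing, anonymous
        fallback, exception translation, authorization. The published order ran the
        anonymous filter before the CAS filter and the logout filter after it,
        contrary to the note on the logoutFilter bean. -->
   <security:filter-chain pattern="/**" filters="
    securityContextPersistentFilter,
    logoutFilter,
    casAuthenticationFilter,
    anonymousAuthenticationFilter,
    exceptionTranslationFilterCAS,
    filterSecurityInterceptor"
   />
  </security:filter-chain-map>
 </bean>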
 
 <!-- Loads the SecurityContext from the HTTP session at the start of a request
      and stores it back (clearing the thread-local holder) when the request ends. -->
 <bean id="securityContextPersistentFilter"
  class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
  <property name="securityContextRepository">
   <ref bean="securityContextRepository"/>
  </property>
 </bean>
 <!-- Session-backed repository used by the filter above. -->
 <bean id="securityContextRepository"
  class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"></bean>

 <!-- Populates the SecurityContext with an AnonymousAuthenticationToken
      (principal "anonymousUser", authority ROLE_ANONYMOUS) when no earlier filter
      has authenticated the request, so ROLE_ANONYMOUS rules can be voted on. -->
 <bean id="anonymousAuthenticationFilter"
  class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
  <!-- Spring Security 3.1 one-argument constructor; yields the same principal and
       authority as the deprecated userAttribute form "anonymousUser, ROLE_ANONYMOUS".
       The key is what anonymousAuthenticationProvider uses to recognise tokens issued
       by this filter and must be identical in both beans. "foobar" is a well-known
       sample value - replace it with a long random string (or a ${...} placeholder)
       in BOTH places. -->
  <constructor-arg value="foobar"/>
 </bean>
 
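 <!-- casAuthenticationFilter: handles the browser's return from CAS at
      /j_spring_cas_security_check (the filter's default processing URL; it has to
      match the path in casServiceProperties.service). The ticket carried in the
      request is passed to authenticationManager -> casAuthenticationProvider. -->
 <bean id="casAuthenticationFilter"
  class="org.springframework.security.cas.web.CasAuthenticationFilter">
  <property name="authenticationManager" ref="authenticationManager"/>
  <!-- Session fixation protection. With an explicit FilterChainProxy nobody sets
       this, and the filter's built-in default is a no-op strategy, so the session
       id handed out before login would survive the login. Rotating the id on
       successful ticket validation (session attributes are migrated) closes that
       window. -->
  <property name="sessionAuthenticationStrategy">
   <bean class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy"/>
  </property>
  <!-- ticket validation failed (invalid/expired ticket, service mismatch, ...) -->
  <property name="authenticationFailureHandler">
   <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <property name="defaultFailureUrl" value="/casfailed"/>
   </bean>
  </property>
  <!-- success: continue to the URL the user originally asked for (saved when
       exceptionTranslationFilterCAS triggered the login), otherwise to "/" -->
  <property name="authenticationSuccessHandler">
   <bean class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    <property name="defaultTargetUrl" value="/"/>
   </bean>
  </property>
 </bean>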
    
   <!-- Entry point: an unauthenticated request to a protected URL is answered with
        a redirect to the CAS server, carrying the service URL from
        casServiceProperties as the ?service= parameter. -->
   <bean id="casAuthenticationEntryPoint"
    class="org.springframework.security.cas.web.CasAuthenticationEntryPoint">
    <property name="serviceProperties" ref="casServiceProperties"/>
    <!-- CAS login URL, taken from environment.properties (sso.host) so the same
         WAR can be deployed per stage; the literal used to be
         https://sso.your.server.de. NOTE(review): this is the server root, so it
         assumes the CAS server answers login requests there - if CAS is deployed
         under a context path, append it (e.g. /cas/login). -->
    <property name="loginUrl">
     <value>${sso.host}</value>
    </property>
   </bean>
   
 <!-- Turns exceptions raised further down the chain into HTTP responses:
      an AuthenticationException (or an AccessDeniedException for an anonymous
      user) starts the CAS login via casAuthenticationEntryPoint; an
      AccessDeniedException for a logged-in user goes to the default handler,
      i.e. HTTP 403, because no accessDeniedHandler is configured. -->
 <bean id="exceptionTranslationFilterCAS"
  class="org.springframework.security.web.access.ExceptionTranslationFilter">
  <!-- hook for a custom "access denied" page, currently not wired:
  <property name="accessDeniedHandler" ref="accessDeniedHandler"/>
  -->
  <property name="authenticationEntryPoint">
   <ref bean="casAuthenticationEntryPoint"/>
  </property>
 </bean>
 
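 <!-- logoutFilter: handles the logout request (LogoutFilter's default processing
      URL is /j_spring_security_logout). It belongs right after the persistence
      filter in the chain so a click on the logout link does not run through the
      rest of the chain. NOTE(review): without a CSRF filter (not available before
      Spring Security 3.2) a plain GET to the logout URL can be triggered by a
      third-party page (forced logout). -->
 <bean id="logoutFilter"
  class="org.springframework.security.web.authentication.logout.LogoutFilter">
  <!-- Logout success URL. The published value "/logout" only redirected within
       the application, and the configured handler only ends the LOCAL session;
       nothing told the CAS server, so the single sign-on session stayed usable and
       the next request to a protected URL could log the user straight back in
       (the "logout is not performed correctly yet" note in the original, which
       already suggested the CAS logout URL as the alternative). Sending the
       browser to the CAS server's logout endpoint ends the SSO session as well. -->
  <constructor-arg value="${sso.host}/logout"/>
  <constructor-arg>
   <list>
    <!-- invalidates the HTTP session and clears the SecurityContextHolder -->
    <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
   </list>
  </constructor-arg>
 </bean>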
    
     <!-- Exception translation for the logout chain: an AuthenticationException
          raised there is answered with a plain 403 instead of a CAS login redirect. -->
     <bean id="etf" class="org.springframework.security.web.access.ExceptionTranslationFilter">
      <property name="authenticationEntryPoint">
       <ref bean="preAuthEntryPoint"/>
      </property>
     </bean>

     <!-- Entry point that returns HTTP 403 Forbidden without any redirect. -->
     <bean id="preAuthEntryPoint"
      class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>

    <!-- Exposes the ServletContext as a bean. Nothing in this file references it;
         presumably consumed by another context file or by MyUserService (Part III)
         - TODO confirm, otherwise remove. -->
    <bean id="servletContext" 
class="org.springframework.web.context.support.ServletContextFactoryBean"/>

 <!-- Authentication Manager
  Authenticates users against several identity sources in turn; this is how
  Spring Security supports more than one authentication mechanism in a single
  application. Providers are tried in list order; the first one that supports
  the token and succeeds wins. -->
 <bean id="authenticationManager"
  class="org.springframework.security.authentication.ProviderManager">
  <!-- Spring Security 3.1 constructor form (the providers setter is deprecated) -->
  <constructor-arg>
   <list>
    <ref bean="casAuthenticationProvider"/>
    <!-- additional providers, not wired at the moment:
    <ref bean="authenticationProvider"/>
    <ref bean="daoAuthenticationProvider"/>
    -->
    <ref bean="anonymousAuthenticationProvider"/>
   </list>
  </constructor-arg>
 </bean>

 <!-- JDBC connection pool (commons-dbcp) for myUserService; all settings come from
      /WEB-INF/jdbc.properties. The password sits in clear text in that file, so keep
      it out of version control and give the account least privilege (presumably
      read access to the user/role tables is all MyUserService needs - confirm). -->
 <bean id="dataSource" destroy-method="close"
  class="org.apache.commons.dbcp.BasicDataSource">
  <property name="password" value="${jdbc.password}"/>
  <property name="username" value="${jdbc.username}"/>
  <property name="url" value="${jdbc.databaseurl}"/>
  <property name="driverClassName" value="${jdbc.driverClassName}"/>
 </bean>
   
 <!-- Usernames injected into myUserService; judging by the name they are the
      accounts that are to be treated as administrators regardless of the database
      content - how (and whether) they end up with ROLE_ADMIN is decided in
      MyUserService (Part III), not here - TODO confirm. The values are placeholders;
      set them per deployment, ideally through the properties file rather than
      hard-coded in the context. -->
 <util:list id="predefinedAdminAccounts" list-class="java.util.ArrayList" 
value-type="java.lang.String">
   <value>adminuser1</value>
   <value>adminuser2</value>
 </util:list>
   
 <!-- Application-side UserDetailsService (implemented in Part III). It is handed
      the CAS principal by casAuthenticationProvider and supplies the authorities
      the voters work with; presumably it reads them from the database via
      dataSource and promotes the predefinedAdminAccounts - confirm there. -->
 <bean id="myUserService" class="de.shemel.cas.MyUserService">
  <property name="predefinedAdminAccounts">
   <ref bean="predefinedAdminAccounts"/>
  </property>
  <property name="dataSource">
   <ref bean="dataSource"/>
  </property>
 </bean>
   
 <!-- Validates the CAS service ticket received on /j_spring_cas_security_check and
      loads the application's user details / roles for the CAS principal. -->
 <bean id="casAuthenticationProvider"
  class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
  <!-- Ticket validation with the CAS 2.0 protocol against the CAS server root
       (${sso.host}/); the validator derives its serviceValidate endpoint from this
       prefix. The validation response is the only proof of identity this provider
       relies on, so it must travel over HTTPS to a server whose certificate the
       JVM trusts. -->
  <property name="ticketValidator">
   <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
    <constructor-arg value="${sso.host}/"/>
    <!-- Proxy-granting-ticket storage only has an effect together with a
         proxyCallbackUrl on this validator and a proxyReceptorUrl on
         casAuthenticationFilter; neither is set, so CAS proxy tickets are not in
         use and this storage is inert. -->
    <property name="proxyGrantingTicketStorage">
     <bean class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/>
    </property>
   </bean>
  </property>
  <!-- Same ServiceProperties as the entry point, so the service URL sent to CAS
       at login is the one the ticket is validated for. -->
  <property name="serviceProperties">
   <ref bean="casServiceProperties"/>
  </property>
  <property name="userDetailsService">
   <ref bean="myUserService"/>
  </property>
  <!-- identifies the tokens created by this provider -->
  <property name="key" value="tudCasAuthProviderId"/>
 </bean>

 <!-- Identifies THIS application towards CAS. The "service" URL is sent with the
      login redirect and must be the URL the browser actually returns to, i.e. the
      processing URL of casAuthenticationFilter (/j_spring_cas_security_check -
      the /admin prefix suggests the app is deployed under that context path,
      confirm). CAS ties the ticket to this exact string, so scheme, host and port
      from environment.properties (host) must match the real deployment; the sample
      value there is plain http://localhost:8080 - use https in production. -->
 <bean id="casServiceProperties" class="org.springframework.security.cas.ServiceProperties">
  <!-- sendRenew=false: an existing CAS single sign-on session is accepted without
       re-entering credentials. Set to true if the admin area should always demand
       a fresh login. -->
  <property name="sendRenew" value="false"/>
  <!-- production example: https://your.domain.de/admin/j_spring_cas_security_check -->
  <property name="service">
   <value>${host}/admin/j_spring_cas_security_check</value>
  </property>
 </bean>
 
 <!-- Accepts the AnonymousAuthenticationTokens issued by anonymousAuthenticationFilter
      (matched through the shared key); without it the ProviderManager would reject
      anonymous requests. -->
 <bean id="anonymousAuthenticationProvider"
  class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
  <!-- must be identical to the filter's key; "foobar" is a placeholder - change both -->
  <constructor-arg value="foobar"/>
 </bean>
   
 <!-- Authorization: AffirmativeBased grants as soon as ONE voter grants; with
      allowIfAllAbstainDecisions=false a request that no voter can judge is denied.
      Voter order has no influence on the outcome of AffirmativeBased. -->
 <bean id="accessDecisionManager"
  class="org.springframework.security.access.vote.AffirmativeBased">
  <property name="decisionVoters">
   <list>
    <!-- IS_AUTHENTICATED_* attributes (none appear in securityMetadataSource) -->
    <bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
    <!-- ROLE_* matching against the user's direct authorities -->
    <bean class="org.springframework.security.access.vote.RoleVoter"/>
    <!-- ROLE_* matching including inherited roles. NOTE(review): RoleHierarchyVoter
         extends RoleVoter and grants a superset of what the plain RoleVoter grants,
         so the RoleVoter above is redundant here; kept as published. Because
         ROLE_USER > ROLE_ANONYMOUS, logged-in users can still reach pages that
         require ROLE_ANONYMOUS. -->
    <bean class="org.springframework.security.access.vote.RoleHierarchyVoter">
     <constructor-arg>
      <bean class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
       <property name="hierarchy">
        <value>
         ROLE_ADMIN &gt; ROLE_USER
         ROLE_EMPLOYEE &gt; ROLE_USER
         ROLE_USER &gt; ROLE_ANONYMOUS
        </value>
       </property>
      </bean>
     </constructor-arg>
    </bean>
   </list>
  </property>
  <property name="allowIfAllAbstainDecisions" value="false"/>
 </bean>

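 <!-- URL authorization rules. The metadata source uses the FIRST entry whose
      pattern (and method, if given) matches, so specific paths must precede the
      /** catch-all. In the published version /** came first, which made /casfailed
      and /logout require ROLE_USER: a failed CAS login was redirected to /casfailed,
      which triggered the CAS entry point again, and the post-logout page behaved
      the same way. -->
 <security:filter-security-metadata-source id="securityMetadataSource">
  <!-- pages that must be reachable without a login; authenticated users reach
       ROLE_ANONYMOUS through the role hierarchy as well -->
  <security:intercept-url pattern="/casfailed" access="ROLE_ANONYMOUS"/>
  <security:intercept-url pattern="/logout" access="ROLE_ANONYMOUS"/>
  <!-- authenticated area -->
  <security:intercept-url pattern="/info" access="ROLE_ADMIN, ROLE_USER"/>
  <!-- catch-all for every HTTP method; the separate POST/GET/PUT/DELETE entries of
       the original carried the same access list and are covered by this one -->
  <security:intercept-url pattern="/**" access="ROLE_ADMIN, ROLE_USER"/>
 </security:filter-security-metadata-source>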
 
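 <!--=============== Web-tier protection ================================-->
 <!-- Authorization filter for the web tier: applies the intercept-url rules of
      securityMetadataSource through accessDecisionManager. A failed decision raises
      an AccessDeniedException, which exceptionTranslationFilterCAS turns into a CAS
      login redirect (anonymous user) or a 403 (logged-in user). -->
 <bean id="filterSecurityInterceptor"
  class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="accessDecisionManager" ref="accessDecisionManager"/>
  <property name="securityMetadataSource" ref="securityMetadataSource"/>
 </bean>

<!-- The published listing had a stray "*/" after the closing tag; text after the
     root element is not well-formed XML and makes the context fail to parse. -->
</beans>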
environment.properties
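# Base URL of THIS application as the browser sees it. It is substituted into
# casServiceProperties.service, and CAS is expected to match the service URL
# exactly, so scheme, host and port must equal the real deployment - and it
# must be https in production (the original production line lacked the scheme).
host=http://localhost:8080
#host=https://your.domain.de
# CAS server root; the login page, serviceValidate and logout endpoints are
# resolved relative to it. Must be https: ticket validation trusts this server.
sso.host=https://sso.your.server.de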

jdbc.properties
# SQL Server connection used by the "dataSource" bean (commons-dbcp BasicDataSource).
jdbc.driverClassName=com.microsoft.sqlserver.jdbc.SQLServerDriver
jdbc.databaseurl=jdbc:sqlserver://your.sql.server.de;instanceName=test;databaseName=test-app
# Placeholder credentials. The real file is packaged in clear text under WEB-INF,
# so keep it out of version control, restrict who can read the deployed WAR, and
# use a least-privilege database account; consider the driver's TLS option
# (encrypt=true) on the URL so the password does not cross the network in clear.
jdbc.username=user
jdbc.password=pw123

In Teil III folgt die Erstellung einer eigenen Java-Klasse für Spring Security und CAS (de.shemel.cas.MyUserService)!
