wisemapping-open-source/wise-webapp/src/main/webapp/WEB-INF/wisemapping-security.xml

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans.xsd
          http://www.springframework.org/schema/security
          http://www.springframework.org/schema/security/spring-security.xsd">

    <bean id="custom-firewall" class="org.springframework.security.web.firewall.StrictHttpFirewall">
        <property name="allowSemicolon" value="true"/>
    </bean>

    <sec:http-firewall ref="custom-firewall"/>
    <sec:http pattern="/static/webapp/**" security="none"/>
    <sec:http pattern="/static/mindplot/**" security="none"/>
    <sec:http pattern="/css/**" security="none"/>
    <sec:http pattern="/js/**" security="none"/>
    <sec:http pattern="/images/**" security="none"/>
    <sec:http pattern="/icons/**" security="none"/>

    <sec:http pattern="/c/home" security="none"/>

    <sec:http pattern="/c/maps/*/embed" security="none"/>
    <sec:http pattern="/c/maps/*/try" security="none"/>
    <sec:http pattern="/c/maps/*/public" security="none"/>
    <sec:http pattern="/c/restful/maps/*/document/xml-pub" security="none"/>

    <sec:http pattern="/c/termsOfUse" security="none"/>
    <sec:http pattern="/c/activation" security="none"/>

    <!-- Admin related services that required admin role-->
    <sec:http use-expressions="true" create-session="stateless" pattern="/service/**">
        <sec:csrf/>

        <!-- Enabled only for cors -->
        <sec:intercept-url pattern="/service/users" method="OPTIONS" access="permitAll"/>
        <sec:intercept-url pattern="/service/users/resetPassword" method="OPTIONS" access="permitAll"/>


        <sec:intercept-url pattern="/service/users/" method="POST" access="permitAll"/>
        <sec:intercept-url pattern="/service/users/resetPassword" method="PUT" access="permitAll"/>

        <sec:intercept-url pattern="/service/admin/users/**" access="isAuthenticated() and hasRole('ROLE_ADMIN')"/>
        <sec:intercept-url pattern="/service/admin/database/**" access="isAuthenticated() and hasRole('ROLE_ADMIN')"/>
        <sec:intercept-url pattern="/service/**" access="isAuthenticated() and hasRole('ROLE_USER')"/>

        <sec:http-basic/>
    </sec:http>

    <sec:http use-expressions="true" pattern="/c/**/*">
        <sec:csrf request-matcher-ref="requestMatcher"/>
        <sec:intercept-url pattern="/c/login" access="hasRole('ANONYMOUS')"/>
        <sec:intercept-url pattern="/c/registration" access="hasRole('ANONYMOUS')"/>
        <sec:intercept-url pattern="/c/registration-success" access="hasRole('ANONYMOUS')"/>
        <sec:intercept-url pattern="/c/forgot-password" access="hasRole('ANONYMOUS')"/>
        <sec:intercept-url pattern="/c/forgot-password-success" access="hasRole('ANONYMOUS')"/>

        <sec:intercept-url pattern="/c/**/*" access="isAuthenticated() and hasRole('ROLE_USER')"/>
        <sec:access-denied-handler error-page="/c/login"/>
        <sec:form-login login-page="/c/login"
                        authentication-success-handler-ref="authenticationSuccessHandler"
                        always-use-default-target="false"
                        authentication-failure-url="/c/login?login_error=2"
                        login-processing-url="/c/perform-login"/>

        <!-- Expire in 28 days -->
        <sec:remember-me token-validity-seconds="2419200" remember-me-parameter="remember-me"/>
        <sec:logout logout-url="/c/logout" invalidate-session="true" logout-success-url="/c/login"/>
    </sec:http>

    <!-- Extends CSFR match to get methods to have consistency in all errors. Otherwise, get requests are forward in some cases -->
    <bean id="requestMatcher"
          class="com.wisemapping.security.CSFRRequestMatcher">
        <property name="prefix" value="/c/restful/"/>
    </bean>

    <import resource="wisemapping-security-${security.type}.xml"/>

    <bean id="userDetailsService" class="com.wisemapping.security.UserDetailsService">
        <property name="userService" ref="userService"/>
        <property name="adminUser" value="${admin.user}"/>
    </bean>

    <bean id="authenticationSuccessHandler" class="com.wisemapping.security.AuthenticationSuccessHandler">
        <property name="defaultTargetUrl" value="/c/maps/"/>
        <property name="alwaysUseDefaultTargetUrl" value="false"/>
    </bean>

</beans>
- Migrate to Spring 3.1 - Remove Acegy - Fix editor partially 2012-02-12 06:55:42 +01:00			`<?xml version="1.0" encoding="UTF-8"?>`

			`<beans xmlns="http://www.springframework.org/schema/beans"`
			`xmlns:sec="http://www.springframework.org/schema/security"`
			`xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"`
			`xsi:schemaLocation="http://www.springframework.org/schema/beans`
Initial commit 2020-11-07 20:56:38 +01:00			`http://www.springframework.org/schema/beans/spring-beans.xsd`
- Migrate to Spring 3.1 - Remove Acegy - Fix editor partially 2012-02-12 06:55:42 +01:00			`http://www.springframework.org/schema/security`
Initial commit 2020-11-07 20:56:38 +01:00			`http://www.springframework.org/schema/security/spring-security.xsd">`
Add configurable support for admin profile. 2012-02-21 20:36:19 +01:00
Disable ; strict control 2022-02-12 17:04:16 +01:00			`<bean id="custom-firewall" class="org.springframework.security.web.firewall.StrictHttpFirewall">`
			`<property name="allowSemicolon" value="true"/>`
			`</bean>`

			`<sec:http-firewall ref="custom-firewall"/>`
Fix major update integrating with external wisemapping frond end 2021-12-25 03:03:23 +01:00			`<sec:http pattern="/static/webapp/**" security="none"/>`
			`<sec:http pattern="/static/mindplot/**" security="none"/>`
- First REST operation working 2012-02-13 01:57:11 +01:00			`<sec:http pattern="/css/**" security="none"/>`
			`<sec:http pattern="/js/**" security="none"/>`
			`<sec:http pattern="/images/**" security="none"/>`
Update to HSQLDB driver Remove DWR Remove native SVG tables Add new REST services for persistence. 2012-02-21 18:22:43 +01:00			`<sec:http pattern="/icons/**" security="none"/>`
- Remove .htm - Keep working on export. 2012-06-03 16:16:38 +02:00
			`<sec:http pattern="/c/home" security="none"/>`
Add embedded and public view compatibility. Remove Utils method 2012-06-18 05:40:42 +02:00
Add zoom support for embedded maps. Add new url to embedded maps 2012-06-04 01:23:31 +02:00			`<sec:http pattern="/c/maps/*/embed" security="none"/>`
Several fixes. 2012-08-26 21:53:33 +02:00			`<sec:http pattern="/c/maps/*/try" security="none"/>`
Add embedded and public view compatibility. Remove Utils method 2012-06-18 05:40:42 +02:00			`<sec:http pattern="/c/maps/*/public" security="none"/>`
- Fix security issues when the map is loaded from the rest service. Two URL has been defined for each type of access. 2013-02-08 01:44:20 +01:00			`<sec:http pattern="/c/restful/maps/*/document/xml-pub" security="none"/>`
Add Google Crome Frame support. 2012-06-22 03:18:04 +02:00
Add embedded and public view compatibility. Remove Utils method 2012-06-18 05:40:42 +02:00			`<sec:http pattern="/c/termsOfUse" security="none"/>`
Add zoom support for embedded maps. Add new url to embedded maps 2012-06-04 01:23:31 +02:00			`<sec:http pattern="/c/activation" security="none"/>`
Add embedded and public view compatibility. Remove Utils method 2012-06-18 05:40:42 +02:00
Fix major update integrating with external wisemapping frond end 2021-12-25 03:03:23 +01:00			`<!-- Admin related services that required admin role-->`
Split rest authentication into two. For web apps integration url is /c/restful/ 2012-11-10 21:19:28 +01:00			`<sec:http use-expressions="true" create-session="stateless" pattern="/service/**">`
First steps on csfr impl 2022-02-19 21:39:38 +01:00			`<sec:csrf/>`
Support for Java 11 2020-11-07 06:35:54 +01:00
Fix major update integrating with external wisemapping frond end 2021-12-25 03:03:23 +01:00			`<!-- Enabled only for cors -->`
			`<sec:intercept-url pattern="/service/users" method="OPTIONS" access="permitAll"/>`
			`<sec:intercept-url pattern="/service/users/resetPassword" method="OPTIONS" access="permitAll"/>`

Add CSRD to get operations 2022-02-20 00:57:57 +01:00
Fix major update integrating with external wisemapping frond end 2021-12-25 03:03:23 +01:00			`<sec:intercept-url pattern="/service/users/" method="POST" access="permitAll"/>`
			`<sec:intercept-url pattern="/service/users/resetPassword" method="PUT" access="permitAll"/>`

Update to HSQLDB driver Remove DWR Remove native SVG tables Add new REST services for persistence. 2012-02-21 18:22:43 +01:00			`<sec:intercept-url pattern="/service/admin/users/**" access="isAuthenticated() and hasRole('ROLE_ADMIN')"/>`
Add purge flag. 2013-03-24 19:42:25 +01:00			`<sec:intercept-url pattern="/service/admin/database/**" access="isAuthenticated() and hasRole('ROLE_ADMIN')"/>`
Fix remember me issue. 2012-06-18 06:15:46 +02:00			`<sec:intercept-url pattern="/service/**" access="isAuthenticated() and hasRole('ROLE_USER')"/>`
Fix major update integrating with external wisemapping frond end 2021-12-25 03:03:23 +01:00
- First REST operation working 2012-02-13 01:57:11 +01:00			`<sec:http-basic/>`
			`</sec:http>`
- Migrate to Spring 3.1 - Remove Acegy - Fix editor partially 2012-02-12 06:55:42 +01:00
First steps on csfr impl 2022-02-19 21:39:38 +01:00			`<sec:http use-expressions="true" pattern="/c/*/">`
Complete security filter 2022-02-20 02:21:45 +01:00			`<sec:csrf request-matcher-ref="requestMatcher"/>`
First steps on csfr impl 2022-02-19 21:39:38 +01:00			`<sec:intercept-url pattern="/c/login" access="hasRole('ANONYMOUS')"/>`
			`<sec:intercept-url pattern="/c/registration" access="hasRole('ANONYMOUS')"/>`
Clean up paths 2022-02-19 21:43:35 +01:00			`<sec:intercept-url pattern="/c/registration-success" access="hasRole('ANONYMOUS')"/>`
First steps on csfr impl 2022-02-19 21:39:38 +01:00			`<sec:intercept-url pattern="/c/forgot-password" access="hasRole('ANONYMOUS')"/>`
Clean up paths 2022-02-19 21:43:35 +01:00			`<sec:intercept-url pattern="/c/forgot-password-success" access="hasRole('ANONYMOUS')"/>`

Fix remember me issue. 2012-06-18 06:15:46 +02:00			`<sec:intercept-url pattern="/c/*/" access="isAuthenticated() and hasRole('ROLE_USER')"/>`
First steps on csfr impl 2022-02-19 21:39:38 +01:00			`<sec:access-denied-handler error-page="/c/login"/>`
- Remove .htm - Keep working on export. 2012-06-03 16:16:38 +02:00			`<sec:form-login login-page="/c/login"`
Split rest authentication into two. For web apps integration url is /c/restful/ 2012-11-10 21:19:28 +01:00			`authentication-success-handler-ref="authenticationSuccessHandler"`
			`always-use-default-target="false"`
- Remove .htm - Keep working on export. 2012-06-03 16:16:38 +02:00			`authentication-failure-url="/c/login?login_error=2"`
Support for Java 11 2020-11-07 06:35:54 +01:00			`login-processing-url="/c/perform-login"/>`
Fix open id. 2013-03-10 23:07:52 +01:00
Fix major update integrating with external wisemapping frond end 2021-12-25 03:03:23 +01:00			`<!-- Expire in 28 days -->`
First steps on csfr impl 2022-02-19 21:39:38 +01:00			`<sec:remember-me token-validity-seconds="2419200" remember-me-parameter="remember-me"/>`
- Remove .htm - Keep working on export. 2012-06-03 16:16:38 +02:00			`<sec:logout logout-url="/c/logout" invalidate-session="true" logout-success-url="/c/login"/>`
- Migrate to Spring 3.1 - Remove Acegy - Fix editor partially 2012-02-12 06:55:42 +01:00			`</sec:http>`

Complete security filter 2022-02-20 02:21:45 +01:00			`<!-- Extends CSFR match to get methods to have consistency in all errors. Otherwise, get requests are forward in some cases -->`
Add CSRD to get operations 2022-02-20 00:57:57 +01:00			`<bean id="requestMatcher"`
			`class="com.wisemapping.security.CSFRRequestMatcher">`
			`<property name="prefix" value="/c/restful/"/>`
First steps on csfr impl 2022-02-19 21:39:38 +01:00			`</bean>`

Enable security configuration from properties. 2013-02-18 03:10:04 +01:00			`<import resource="wisemapping-security-${security.type}.xml"/>`
- Migrate to Spring 3.1 - Remove Acegy - Fix editor partially 2012-02-12 06:55:42 +01:00
Add configurable support for admin profile. 2012-02-21 20:36:19 +01:00			`<bean id="userDetailsService" class="com.wisemapping.security.UserDetailsService">`
Audith login operations. 2012-06-23 21:15:59 +02:00			`<property name="userService" ref="userService"/>`
Add configurable support for admin profile. 2012-02-21 20:36:19 +01:00			`<property name="adminUser" value="${admin.user}"/>`
- Migrate to Spring 3.1 - Remove Acegy - Fix editor partially 2012-02-12 06:55:42 +01:00			`</bean>`
Split rest authentication into two. For web apps integration url is /c/restful/ 2012-11-10 21:19:28 +01:00
			`<bean id="authenticationSuccessHandler" class="com.wisemapping.security.AuthenticationSuccessHandler">`
			`<property name="defaultTargetUrl" value="/c/maps/"/>`
			`<property name="alwaysUseDefaultTargetUrl" value="false"/>`
			`</bean>`
Add LDAP support. 2013-02-18 01:00:08 +01:00
- Migrate to Spring 3.1 - Remove Acegy - Fix editor partially 2012-02-12 06:55:42 +01:00			`</beans>`