KYLIN-2564 UsernameNotFoundException: User XXX does not exist
Project: http://git-wip-us.apache.org/repos/asf/kylin/repo Commit: http://git-wip-us.apache.org/repos/asf/kylin/commit/6c376b24 Tree: http://git-wip-us.apache.org/repos/asf/kylin/tree/6c376b24 Diff: http://git-wip-us.apache.org/repos/asf/kylin/diff/6c376b24 Branch: refs/heads/v2.0.0-release-hbase0.98 Commit: 6c376b248eb651afe271a1f1f4b128f7618f1eb0 Parents: 48a1f6f Author: Hongbin Ma <mahong...@apache.org> Authored: Tue Apr 25 18:05:48 2017 +0800 Committer: Hongbin Ma <mahong...@apache.org> Committed: Tue Apr 25 18:05:52 2017 +0800 ---------------------------------------------------------------------- server/src/main/resources/kylinSecurity.xml | 1085 ++++++++++++---------- 1 file changed, 597 insertions(+), 488 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/kylin/blob/6c376b24/server/src/main/resources/kylinSecurity.xml ---------------------------------------------------------------------- diff --git a/server/src/main/resources/kylinSecurity.xml b/server/src/main/resources/kylinSecurity.xml index 9d633ee..2553374 100644 --- a/server/src/main/resources/kylinSecurity.xml +++ b/server/src/main/resources/kylinSecurity.xml @@ -12,495 +12,604 @@ limitations under the License. See accompanying LICENSE file. --> -<beans xmlns="http://www.springframework.org/schema/beans"; xmlns:tx="http://www.springframework.org/schema/tx"; - xmlns:scr="http://www.springframework.org/schema/security"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; - xmlns:context="http://www.springframework.org/schema/context"; xsi:schemaLocation="http://www.springframework.org/schema/beans +<beans xmlns="http://www.springframework.org/schema/beans"; + xmlns:scr="http://www.springframework.org/schema/security"; + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; + xmlns:context="http://www.springframework.org/schema/context"; + xmlns:util="http://www.springframework.org/schema/util"; xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd - http://www.springframework.org/schema/tx - http://www.springframework.org/schema/tx/spring-tx-3.1.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd";> - - <scr:global-method-security pre-post-annotations="enabled"> - <scr:expression-handler ref="expressionHandler" /> - </scr:global-method-security> - - <!-- acl config --> - <bean id="aclPermissionFactory" class="org.apache.kylin.rest.security.AclPermissionFactory" /> - - <bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler"> - <property name="permissionEvaluator" ref="permissionEvaluator" /> - </bean> - - <bean id="permissionEvaluator" class="org.springframework.security.acls.AclPermissionEvaluator"> - <constructor-arg ref="aclService" /> - <property name="permissionFactory" ref="aclPermissionFactory" /> - </bean> - - <bean id="aclAuthorizationStrategy" - class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl"> - <constructor-arg> - <list> - <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl"> - <constructor-arg value="ROLE_ADMIN" /> - </bean> - <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl"> - <constructor-arg value="ROLE_ADMIN" /> - </bean> - <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl"> - <constructor-arg value="ROLE_ADMIN" /> - </bean> - </list> - </constructor-arg> - </bean> - - <bean id="auditLogger" - class="org.springframework.security.acls.domain.ConsoleAuditLogger" /> - - <bean id="permissionGrantingStrategy" class="org.springframework.security.acls.domain.DefaultPermissionGrantingStrategy"> - <constructor-arg ref="auditLogger" /> - </bean> - - <beans profile="ldap,saml"> - <bean id="ldapSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource"> - <constructor-arg value="${kylin.security.ldap.connection-server}" /> - <property name="userDn" value="${kylin.security.ldap.connection-username}" /> - <property name="password" value="${kylin.security.ldap.connection-password}" /> - </bean> - - <bean id="kylinUserAuthProvider" class="org.apache.kylin.rest.security.KylinAuthenticationProvider"> - <constructor-arg> - <bean id="ldapUserAuthenticationProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider"> - <constructor-arg> - <bean class="org.springframework.security.ldap.authentication.BindAuthenticator"> - <constructor-arg ref="ldapSource" /> - <property name="userSearch"> - <bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch"> - <constructor-arg index="0" value="${kylin.security.ldap.user-search-base}" /> - <constructor-arg index="1" value="${kylin.security.ldap.user-search-pattern}" /> - <constructor-arg index="2" ref="ldapSource" /> - </bean> - </property> - </bean> - </constructor-arg> - <constructor-arg> - <bean class="org.apache.kylin.rest.security.AuthoritiesPopulator"> - <constructor-arg index="0" ref="ldapSource" /> - <constructor-arg index="1" value="${kylin.security.ldap.user-group-search-base}" /> - <constructor-arg index="2" value="${kylin.security.acl.admin-role}" /> - <constructor-arg index="3" value="${kylin.security.acl.default-role}" /> - </bean> - </constructor-arg> - </bean> - </constructor-arg> - </bean> - - <bean id="kylinServiceAccountAuthProvider" class="org.apache.kylin.rest.security.KylinAuthenticationProvider"> - <constructor-arg> - <bean id="ldapServiceAuthenticationProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider"> - <constructor-arg> - <bean class="org.springframework.security.ldap.authentication.BindAuthenticator"> - <constructor-arg ref="ldapSource" /> - <property name="userSearch"> - <bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch"> - <constructor-arg index="0" value="${kylin.security.ldap.service-search-base}" /> - <constructor-arg index="1" value="${kylin.security.ldap.service-search-pattern}" /> - <constructor-arg index="2" ref="ldapSource" /> - </bean> - </property> - </bean> - </constructor-arg> - <constructor-arg> - <bean class="org.apache.kylin.rest.security.AuthoritiesPopulator"> - <constructor-arg index="0" ref="ldapSource" /> - <constructor-arg index="1" value="${kylin.security.ldap.service-group-search-base}" /> - <constructor-arg index="2" value="${kylin.security.acl.admin-role}" /> - <constructor-arg index="3" value="${kylin.security.acl.default-role}" /> - </bean> - </constructor-arg> - </bean> - </constructor-arg> - </bean> - - </beans> - - <beans profile="ldap"> - <scr:authentication-manager alias="ldapAuthenticationManager"> - <!-- do user ldap auth --> - <scr:authentication-provider ref="kylinUserAuthProvider"></scr:authentication-provider> - - <!-- do service account ldap auth --> - <scr:authentication-provider ref="kylinServiceAccountAuthProvider"></scr:authentication-provider> - </scr:authentication-manager> - - </beans> - - <beans profile="testing"> - <!-- user auth --> - <bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" /> - - <scr:authentication-manager alias="testingAuthenticationManager"> - <scr:authentication-provider> - <scr:user-service> - <scr:user name="MODELER" password="$2a$10$Le5ernTeGNIARwMJsY0WaOLioNQdb0QD11DwjeyNqqNRp5NaDo2FG" authorities="ROLE_MODELER, ROLE_ANALYST" /> - <scr:user name="ANALYST" password="$2a$10$s4INO3XHjPP5Vm2xH027Ce9QeXWdrfq5pvzuGr9z/lQmHqi0rsbNi" authorities="ROLE_ANALYST" /> - <scr:user name="ADMIN" password="$2a$10$o3ktIWsGYxXNuUWQiYlZXOW5hWcqyNAFQsSSCSEWoC/BRVMAUjL32" authorities="ROLE_MODELER, ROLE_ANALYST, ROLE_ADMIN" /> - </scr:user-service> - <scr:password-encoder ref="passwordEncoder" /> - </scr:authentication-provider> - </scr:authentication-manager> - </beans> - - <beans profile="testing,ldap"> - <scr:http auto-config="true" use-expressions="true"> - <scr:http-basic entry-point-ref="unauthorisedEntryPoint" /> - - <scr:intercept-url pattern="/api/user/authentication*/**" access="permitAll" /> - <scr:intercept-url pattern="/api/query*/**" access="isAuthenticated()" /> - <scr:intercept-url pattern="/api/metadata*/**" access="isAuthenticated()" /> - <scr:intercept-url pattern="/api/**/metrics" access="permitAll" /> - <scr:intercept-url pattern="/api/cache*/**" access="permitAll" /> - <scr:intercept-url pattern="/api/cubes/src/tables" access="hasAnyRole('ROLE_ANALYST')" /> - <scr:intercept-url pattern="/api/cubes*/**" access="isAuthenticated()" /> - <scr:intercept-url pattern="/api/models*/**" access="isAuthenticated()" /> - <scr:intercept-url pattern="/api/streaming*/**" access="isAuthenticated()" /> - <scr:intercept-url pattern="/api/job*/**" access="isAuthenticated()" /> - <scr:intercept-url pattern="/api/admin/config" access="permitAll" /> - <scr:intercept-url pattern="/api/projects" access="permitAll" /> - <scr:intercept-url pattern="/api/admin*/**" access="hasRole('ROLE_ADMIN')" /> - <scr:intercept-url pattern="/api/**" access="isAuthenticated()" /> - - <scr:logout invalidate-session="true" delete-cookies="JSESSIONID" /> - <scr:session-management session-fixation-protection="newSession" /> - </scr:http> - </beans> - - <beans profile="saml"> - <!-- Enable auto-wiring --> - <context:annotation-config/> - - <!-- Scan for auto-wiring classes in spring saml packages --> - <context:component-scan base-package="org.springframework.security.saml"/> - - <!-- Unsecured pages --> - <scr:http security="none" pattern="/image/**"/> - <scr:http security="none" pattern="/css/**"/> - <scr:http security="none" pattern="/less/**"/> - <scr:http security="none" pattern="/fonts/**"/> - <scr:http security="none" pattern="/js/**"/> - <scr:http security="none" pattern="/login/**"/> - <scr:http security="none" pattern="/routes.json"/> - - <!-- Secured Rest API urls with LDAP basic authentication --> - <scr:http pattern="/api/**" use-expressions="true" authentication-manager-ref="apiAccessAuthenticationManager"> - <scr:http-basic entry-point-ref="unauthorisedEntryPoint" /> - - <scr:intercept-url pattern="/api/user/authentication*/**" access="permitAll" /> - <scr:intercept-url pattern="/api/query*/**" access="isAuthenticated()" /> - <scr:intercept-url pattern="/api/metadata*/**" access="isAuthenticated()" /> - <scr:intercept-url pattern="/api/**/metrics" access="permitAll" /> - <scr:intercept-url pattern="/api/cache*/**" access="permitAll" /> - <scr:intercept-url pattern="/api/cubes/src/tables" access="hasAnyRole('ROLE_ANALYST')" /> - <scr:intercept-url pattern="/api/cubes*/**" access="isAuthenticated()" /> - <scr:intercept-url pattern="/api/models*/**" access="isAuthenticated()" /> - <scr:intercept-url pattern="/api/streaming*/**" access="isAuthenticated()" /> - <scr:intercept-url pattern="/api/job*/**" access="isAuthenticated()" /> - <scr:intercept-url pattern="/api/admin/config" access="permitAll" /> - <scr:intercept-url pattern="/api/projects*/*" access="isAuthenticated()" /> - <scr:intercept-url pattern="/api/admin*/**" access="hasRole('ROLE_ADMIN')" /> - <scr:intercept-url pattern="/api/**" access="isAuthenticated()" /> - - <scr:logout invalidate-session="true" delete-cookies="JSESSIONID" /> - <scr:session-management session-fixation-protection="newSession" /> - </scr:http> - - <!-- Secured non-api urls with SAML SSO --> - <scr:http auto-config="true" entry-point-ref="samlEntryPoint" use-expressions="false" authentication-manager-ref="webAccessAuthenticationManager"> - <scr:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/> - <scr:custom-filter before="FIRST" ref="metadataGeneratorFilter"/> - <scr:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/> - </scr:http> - - - <!-- API authentication manager --> - <scr:authentication-manager id="apiAccessAuthenticationManager"> - <scr:authentication-provider ref="kylinServiceAccountAuthProvider" /> - <scr:authentication-provider ref="kylinUserAuthProvider" /> - </scr:authentication-manager> - - - <!-- Web authentication manager --> - <scr:authentication-manager id="webAccessAuthenticationManager"> - <scr:authentication-provider ref="kylinSAMLAuthenticationProvider"/> - </scr:authentication-manager> - - <!-- Central storage of cryptographic keys --> - <bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager"> - <constructor-arg value="classpath:samlKeystore.jks"/> - <constructor-arg type="java.lang.String" value="changeit"/> - <constructor-arg> - <map> - <entry key="kylin" value="changeit"/> - </map> - </constructor-arg> - <constructor-arg type="java.lang.String" value="kylin"/> - </bean> - - <!-- Filters for processing of SAML messages --> - <bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy"> - <scr:filter-chain-map request-matcher="ant"> - <scr:filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/> - <scr:filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter"/> - <scr:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/> - <scr:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter"/> - <scr:filter-chain pattern="/saml/SSOHoK/**" filters="samlWebSSOHoKProcessingFilter"/> - <scr:filter-chain pattern="/saml/SingleLogout/**" filters="samlLogoutProcessingFilter"/> - </scr:filter-chain-map> - </bean> - - <!-- Handler deciding where to redirect user after successful login --> - <bean id="successRedirectHandler" - class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler"> - <property name="defaultTargetUrl" value="/models"/> - </bean> - - <!-- Handler deciding where to redirect user after failed login --> - <bean id="failureRedirectHandler" - class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"> - <property name="useForward" value="true"/> - <property name="defaultFailureUrl" value="/login"/> - </bean> - - <!-- Handler for successful logout --> - <bean id="successLogoutHandler" class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler"> - <property name="defaultTargetUrl" value="/login"/> - </bean> - - <!-- Logger for SAML messages and events --> - <bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger"/> - - <!-- Filter automatically generates default SP metadata --> - <bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter"> - <constructor-arg> - <bean class="org.springframework.security.saml.metadata.MetadataGenerator"> - <property name="extendedMetadata"> - <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"> - <property name="idpDiscoveryEnabled" value="false"/> - </bean> - </property> - <property name="entityBaseURL" value = "${kylin.security.saml.metadata-entity-base-url}"/> - </bean> - </constructor-arg> - </bean> - - <!-- Entry point to initialize authentication, default values taken from properties file --> - <bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint"> - <property name="defaultProfileOptions"> - <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions"> - <property name="includeScoping" value="false"/> - </bean> - </property> - </bean> - - <!-- The filter is waiting for connections on URL suffixed with filterSuffix and presents SP metadata there --> - <bean id="metadataDisplayFilter" class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/> - - <!-- IDP Metadata configuration - paths to metadata of IDPs in circle of trust is here --> - <bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager"> - <constructor-arg> - <list> - <!-- Example of classpath metadata with Extended Metadata --> - <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate"> - <constructor-arg> - <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider"> - <constructor-arg> - <value type="java.io.File">classpath:sso_metadata.xml</value> - </constructor-arg> - <property name="parserPool" ref="parserPool"/> - </bean> - </constructor-arg> - <constructor-arg> - <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"> - </bean> - </constructor-arg> - <property name="metadataTrustCheck" value="false"/> - </bean> - </list> - </constructor-arg> - </bean> - - <bean id="ldapUserAuthoritiesPopulator" class="org.apache.kylin.rest.security.AuthoritiesPopulator"> - <constructor-arg index="0" ref="ldapSource" /> - <constructor-arg index="1" value="${kylin.security.ldap.user-group-search-base}" /> - <constructor-arg index="2" value="${kylin.security.acl.admin-role}" /> - <constructor-arg index="3" value="${kylin.security.acl.default-role}" /> - </bean> - - <bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch"> - <constructor-arg index="0" value="${kylin.security.ldap.user-search-base}" /> - <constructor-arg index="1" value="${kylin.security.ldap.user-search-pattern}" /> - <constructor-arg index="2" ref="ldapSource" /> - </bean> - - - <bean id="samlUserDetailsService" class="org.apache.kylin.rest.security.SAMLUserDetailsService"> - <constructor-arg> - <bean id="ldapUserDetailsService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService"> - <constructor-arg ref="userSearch" /> - <constructor-arg ref="ldapUserAuthoritiesPopulator" /> - </bean> - </constructor-arg> - </bean> - - <bean id="kylinSAMLAuthenticationProvider" class="org.apache.kylin.rest.security.KylinAuthenticationProvider"> - <constructor-arg> - <!-- SAML Authentication Provider responsible for validating of received SAML messages --> - <bean id="samlAuthenticationProvider" class="org.springframework.security.saml.SAMLAuthenticationProvider"> - <!-- OPTIONAL property: can be used to store/load user data after login --> - <property name="userDetails" ref="samlUserDetailsService" /> - </bean> - </constructor-arg> - </bean> - - - <!-- Provider of default SAML Context --> - <!-- - <bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/> - --> - - <!-- Provider of a SAML Context behind a LoadBanlancer or reverse proxy --> - <bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB"> - <property name="scheme" value="${kylin.security.saml.context-scheme}"/> - <property name="serverName" value="${kylin.security.saml.context-server-name}"/> - <property name="serverPort" value="${kylin.security.saml.context-server-port}"/> - <property name="includeServerPortInRequestURL" value="false"/> - <property name="contextPath" value="${kylin.security.saml.context-path}"/> - </bean> - - - <!-- Processing filter for WebSSO profile messages --> - <bean id="samlWebSSOProcessingFilter" class="org.springframework.security.saml.SAMLProcessingFilter"> - <property name="authenticationManager" ref="webAccessAuthenticationManager"/> - <property name="authenticationSuccessHandler" ref="successRedirectHandler"/> - <property name="authenticationFailureHandler" ref="failureRedirectHandler"/> - </bean> - - <!-- Processing filter for WebSSO Holder-of-Key profile --> - <bean id="samlWebSSOHoKProcessingFilter" class="org.springframework.security.saml.SAMLWebSSOHoKProcessingFilter"> - <property name="authenticationManager" ref="webAccessAuthenticationManager"/> - <property name="authenticationSuccessHandler" ref="successRedirectHandler"/> - <property name="authenticationFailureHandler" ref="failureRedirectHandler"/> - </bean> - - <!-- Logout handler terminating local session --> - <bean id="logoutHandler" - class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"> - <property name="invalidateHttpSession" value="false"/> - </bean> - - <!-- Override default logout processing filter with the one processing SAML messages --> - <bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter"> - <constructor-arg index="0" ref="successLogoutHandler"/> - <constructor-arg index="1" ref="logoutHandler"/> - <constructor-arg index="2" ref="logoutHandler"/> - </bean> - - <!-- Filter processing incoming logout messages --> - <!-- First argument determines URL user will be redirected to after successful global logout --> - <bean id="samlLogoutProcessingFilter" class="org.springframework.security.saml.SAMLLogoutProcessingFilter"> - <constructor-arg index="0" ref="successLogoutHandler"/> - <constructor-arg index="1" ref="logoutHandler"/> - </bean> - - <!-- Class loading incoming SAML messages from httpRequest stream --> - <bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl"> - <constructor-arg> - <list> - <ref bean="redirectBinding"/> - <ref bean="postBinding"/> - <ref bean="artifactBinding"/> - <ref bean="soapBinding"/> - <ref bean="paosBinding"/> - </list> - </constructor-arg> - </bean> - - <!-- SAML 2.0 WebSSO Assertion Consumer --> - <bean id="webSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"> - <property name="responseSkew" value="600"/> <!-- 10 minutes --> - </bean> - - <!-- SAML 2.0 Holder-of-Key WebSSO Assertion Consumer --> - <bean id="hokWebSSOprofileConsumer" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/> - - <!-- SAML 2.0 Web SSO profile --> - <bean id="webSSOprofile" class="org.springframework.security.saml.websso.WebSSOProfileImpl"/> - - <!-- SAML 2.0 Holder-of-Key Web SSO profile --> - <bean id="hokWebSSOProfile" class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/> - - <!-- SAML 2.0 ECP profile --> - <bean id="ecpprofile" class="org.springframework.security.saml.websso.WebSSOProfileECPImpl"/> - - <!-- SAML 2.0 Logout Profile --> - <bean id="logoutprofile" class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"> - <property name="responseSkew" value="600"/> <!-- 10 minutes --> - </bean> - - <!-- Bindings, encoders and decoders used for creating and parsing messages --> - <bean id="postBinding" class="org.springframework.security.saml.processor.HTTPPostBinding"> - <constructor-arg ref="parserPool"/> - <constructor-arg ref="velocityEngine"/> - </bean> - - <bean id="redirectBinding" class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding"> - <constructor-arg ref="parserPool"/> - </bean> - - <bean id="artifactBinding" class="org.springframework.security.saml.processor.HTTPArtifactBinding"> - <constructor-arg ref="parserPool"/> - <constructor-arg ref="velocityEngine"/> - <constructor-arg> - <bean class="org.springframework.security.saml.websso.ArtifactResolutionProfileImpl"> - <constructor-arg> - <bean class="org.apache.commons.httpclient.HttpClient"> - <constructor-arg> - <bean class="org.apache.commons.httpclient.MultiThreadedHttpConnectionManager"/> - </constructor-arg> - </bean> - </constructor-arg> - <property name="processor"> - <bean class="org.springframework.security.saml.processor.SAMLProcessorImpl"> - <constructor-arg ref="soapBinding"/> - </bean> - </property> - </bean> - </constructor-arg> - </bean> - - <bean id="soapBinding" class="org.springframework.security.saml.processor.HTTPSOAP11Binding"> - <constructor-arg ref="parserPool"/> - </bean> - - <bean id="paosBinding" class="org.springframework.security.saml.processor.HTTPPAOS11Binding"> - <constructor-arg ref="parserPool"/> - </bean> - - <!-- Initialization of OpenSAML library--> - <bean class="org.springframework.security.saml.SAMLBootstrap"/> - - <!-- Initialization of the velocity engine --> - <bean id="velocityEngine" class="org.springframework.security.saml.util.VelocityFactory" factory-method="getEngine"/> - - <!-- XML parser pool needed for OpenSAML parsing --> - <bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" init-method="initialize"> - <property name="builderFeatures"> - <map> - <entry key="http://apache.org/xml/features/dom/defer-node-expansion"; value="false"/> - </map> - </property> - </bean> - - <bean id="parserPoolHolder" class="org.springframework.security.saml.parser.ParserPoolHolder"/> - </beans> + http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd + http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd";> + + <scr:global-method-security pre-post-annotations="enabled"> + <scr:expression-handler ref="expressionHandler"/> + </scr:global-method-security> + + <!-- acl config --> + <bean id="aclPermissionFactory" class="org.apache.kylin.rest.security.AclPermissionFactory"/> + + <bean id="expressionHandler" + class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler"> + <property name="permissionEvaluator" ref="permissionEvaluator"/> + </bean> + + <bean id="permissionEvaluator" class="org.springframework.security.acls.AclPermissionEvaluator"> + <constructor-arg ref="aclService"/> + <property name="permissionFactory" ref="aclPermissionFactory"/> + </bean> + + <bean id="aclAuthorizationStrategy" + class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl"> + <constructor-arg> + <list> + <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl"> + <constructor-arg value="ROLE_ADMIN"/> + </bean> + <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl"> + <constructor-arg value="ROLE_ADMIN"/> + </bean> + <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl"> + <constructor-arg value="ROLE_ADMIN"/> + </bean> + </list> + </constructor-arg> + </bean> + + <bean id="auditLogger" + class="org.springframework.security.acls.domain.ConsoleAuditLogger"/> + + <bean id="permissionGrantingStrategy" + class="org.springframework.security.acls.domain.DefaultPermissionGrantingStrategy"> + <constructor-arg ref="auditLogger"/> + </bean> + + <beans profile="ldap,saml"> + <bean id="ldapSource" + class="org.springframework.security.ldap.DefaultSpringSecurityContextSource"> + <constructor-arg value="${kylin.security.ldap.connection-server}"/> + <property name="userDn" value="${kylin.security.ldap.connection-username}"/> + <property name="password" value="${kylin.security.ldap.connection-password}"/> + </bean> + + <bean id="kylinUserAuthProvider" + class="org.apache.kylin.rest.security.KylinAuthenticationProvider"> + <constructor-arg> + <bean id="ldapUserAuthenticationProvider" + class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider"> + <constructor-arg> + <bean class="org.springframework.security.ldap.authentication.BindAuthenticator"> + <constructor-arg ref="ldapSource"/> + <property name="userSearch"> + <bean id="userSearch" + class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch"> + <constructor-arg index="0" + value="${kylin.security.ldap.user-search-base}"/> + <constructor-arg index="1" + value="${kylin.security.ldap.user-search-pattern}"/> + <constructor-arg index="2" ref="ldapSource"/> + </bean> + </property> + </bean> + </constructor-arg> + <constructor-arg> + <bean class="org.apache.kylin.rest.security.AuthoritiesPopulator"> + <constructor-arg index="0" ref="ldapSource"/> + <constructor-arg index="1" + value="${kylin.security.ldap.user-group-search-base}"/> + <constructor-arg index="2" value="${kylin.security.acl.admin-role}"/> + <constructor-arg index="3" value="${kylin.security.acl.default-role}"/> + </bean> + </constructor-arg> + </bean> + </constructor-arg> + </bean> + + <bean id="kylinServiceAccountAuthProvider" + class="org.apache.kylin.rest.security.KylinAuthenticationProvider"> + <constructor-arg> + <bean id="ldapServiceAuthenticationProvider" + class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider"> + <constructor-arg> + <bean class="org.springframework.security.ldap.authentication.BindAuthenticator"> + <constructor-arg ref="ldapSource"/> + <property name="userSearch"> + <bean id="userSearch" + class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch"> + <constructor-arg index="0" + value="${kylin.security.ldap.service-search-base}"/> + <constructor-arg index="1" + value="${kylin.security.ldap.service-search-pattern}"/> + <constructor-arg index="2" ref="ldapSource"/> + </bean> + </property> + </bean> + </constructor-arg> + <constructor-arg> + <bean class="org.apache.kylin.rest.security.AuthoritiesPopulator"> + <constructor-arg index="0" ref="ldapSource"/> + <constructor-arg index="1" + value="${kylin.security.ldap.service-group-search-base}"/> + <constructor-arg index="2" value="${kylin.security.acl.admin-role}"/> + <constructor-arg index="3" value="${kylin.security.acl.default-role}"/> + </bean> + </constructor-arg> + </bean> + </constructor-arg> + </bean> + + </beans> + + <beans profile="ldap"> + <scr:authentication-manager alias="ldapAuthenticationManager"> + <!-- do user ldap auth --> + <scr:authentication-provider ref="kylinUserAuthProvider"></scr:authentication-provider> + + <!-- do service account ldap auth --> + <scr:authentication-provider + ref="kylinServiceAccountAuthProvider"></scr:authentication-provider> + </scr:authentication-manager> + + </beans> + + + <beans profile="testing"> + <util:list id="adminAuthorities" + value-type="org.springframework.security.core.authority.SimpleGrantedAuthority"> + <value>ROLE_ADMIN</value> + <value>ROLE_MODELER</value> + <value>ROLE_ANALYST</value> + </util:list> + <util:list id="modelerAuthorities" + value-type="org.springframework.security.core.authority.SimpleGrantedAuthority"> + <value>ROLE_MODELER</value> + <value>ROLE_ANALYST</value> + </util:list> + <util:list id="analystAuthorities" + value-type="org.springframework.security.core.authority.SimpleGrantedAuthority"> + <value>ROLE_ANALYST</value> + </util:list> + + <bean id="kylinUserAuthProvider" + class="org.apache.kylin.rest.security.KylinAuthenticationProvider"> + <constructor-arg> + <bean class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"> + <property name="userDetailsService"> + <bean class="org.springframework.security.core.userdetails.memory.InMemoryDaoImpl"> + <property name="userMap"> + <bean class="org.springframework.security.core.userdetails.memory.UserMap"> + <property name="users"> + <util:map key-type="java.lang.String" + value-type="org.springframework.security.core.userdetails.User"> + <entry key="admin"> + <bean class="org.springframework.security.core.userdetails.User"> + <constructor-arg value="ADMIN"/> + <constructor-arg + value="$2a$10$o3ktIWsGYxXNuUWQiYlZXOW5hWcqyNAFQsSSCSEWoC/BRVMAUjL32"/> + <constructor-arg ref="adminAuthorities"/> + </bean> + </entry> + <entry key="modeler"> + <bean class="org.springframework.security.core.userdetails.User"> + <constructor-arg value="MODELER"/> + <constructor-arg + value="$2a$10$Le5ernTeGNIARwMJsY0WaOLioNQdb0QD11DwjeyNqqNRp5NaDo2FG"/> + <constructor-arg ref="modelerAuthorities"/> + </bean> + </entry> + <entry key="analyst"> + <bean class="org.springframework.security.core.userdetails.User"> + <constructor-arg value="ANALYST"/> + <constructor-arg + value="$2a$10$s4INO3XHjPP5Vm2xH027Ce9QeXWdrfq5pvzuGr9z/lQmHqi0rsbNi"/> + <constructor-arg ref="analystAuthorities"/> + </bean> + </entry> + </util:map> + </property> + </bean> + </property> + </bean> + </property> + <property name="passwordEncoder" ref="passwordEncoder"></property> + </bean> + </constructor-arg> + </bean> + + <!-- user auth --> + <bean id="passwordEncoder" + class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/> + + <scr:authentication-manager alias="testingAuthenticationManager"> + <!-- do user ldap auth --> + <scr:authentication-provider ref="kylinUserAuthProvider"></scr:authentication-provider> + </scr:authentication-manager> + </beans> + + <beans profile="testing,ldap"> + <scr:http auto-config="true" use-expressions="true"> + <scr:http-basic entry-point-ref="unauthorisedEntryPoint"/> + + <scr:intercept-url pattern="/api/user/authentication*/**" access="permitAll"/> + <scr:intercept-url pattern="/api/query*/**" access="isAuthenticated()"/> + <scr:intercept-url pattern="/api/metadata*/**" access="isAuthenticated()"/> + <scr:intercept-url pattern="/api/**/metrics" access="permitAll"/> + <scr:intercept-url pattern="/api/cache*/**" access="permitAll"/> + <scr:intercept-url pattern="/api/cubes/src/tables" access="hasAnyRole('ROLE_ANALYST')"/> + <scr:intercept-url pattern="/api/cubes*/**" access="isAuthenticated()"/> + <scr:intercept-url pattern="/api/models*/**" access="isAuthenticated()"/> + <scr:intercept-url pattern="/api/streaming*/**" access="isAuthenticated()"/> + <scr:intercept-url pattern="/api/job*/**" access="isAuthenticated()"/> + <scr:intercept-url pattern="/api/admin/config" access="permitAll"/> + <scr:intercept-url pattern="/api/projects" access="permitAll"/> + <scr:intercept-url pattern="/api/admin*/**" access="hasRole('ROLE_ADMIN')"/> + <scr:intercept-url pattern="/api/**" access="isAuthenticated()"/> + + <scr:logout invalidate-session="true" delete-cookies="JSESSIONID"/> + <scr:session-management session-fixation-protection="newSession"/> + </scr:http> + </beans> + + <beans profile="saml"> + <!-- Enable auto-wiring --> + <context:annotation-config/> + + <!-- Scan for auto-wiring classes in spring saml packages --> + <context:component-scan base-package="org.springframework.security.saml"/> + + <!-- Unsecured pages --> + <scr:http security="none" pattern="/image/**"/> + <scr:http security="none" pattern="/css/**"/> + <scr:http security="none" pattern="/less/**"/> + <scr:http security="none" pattern="/fonts/**"/> + <scr:http security="none" pattern="/js/**"/> + <scr:http security="none" pattern="/login/**"/> + <scr:http security="none" pattern="/routes.json"/> + + <!-- Secured Rest API urls with LDAP basic authentication --> + <scr:http pattern="/api/**" use-expressions="true" + authentication-manager-ref="apiAccessAuthenticationManager"> + <scr:http-basic entry-point-ref="unauthorisedEntryPoint"/> + + <scr:intercept-url pattern="/api/user/authentication*/**" access="permitAll"/> + <scr:intercept-url pattern="/api/query*/**" access="isAuthenticated()"/> + <scr:intercept-url pattern="/api/metadata*/**" access="isAuthenticated()"/> + <scr:intercept-url pattern="/api/**/metrics" access="permitAll"/> + <scr:intercept-url pattern="/api/cache*/**" access="permitAll"/> + <scr:intercept-url pattern="/api/cubes/src/tables" access="hasAnyRole('ROLE_ANALYST')"/> + <scr:intercept-url pattern="/api/cubes*/**" access="isAuthenticated()"/> + <scr:intercept-url pattern="/api/models*/**" access="isAuthenticated()"/> + <scr:intercept-url pattern="/api/streaming*/**" access="isAuthenticated()"/> + <scr:intercept-url pattern="/api/job*/**" access="isAuthenticated()"/> + <scr:intercept-url pattern="/api/admin/config" access="permitAll"/> + <scr:intercept-url pattern="/api/projects*/*" access="isAuthenticated()"/> + <scr:intercept-url pattern="/api/admin*/**" access="hasRole('ROLE_ADMIN')"/> + <scr:intercept-url pattern="/api/**" access="isAuthenticated()"/> + + <scr:logout invalidate-session="true" delete-cookies="JSESSIONID"/> + <scr:session-management session-fixation-protection="newSession"/> + </scr:http> + + <!-- Secured non-api urls with SAML SSO --> + <scr:http auto-config="true" entry-point-ref="samlEntryPoint" use-expressions="false" + authentication-manager-ref="webAccessAuthenticationManager"> + <scr:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/> + <scr:custom-filter before="FIRST" ref="metadataGeneratorFilter"/> + <scr:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/> + </scr:http> + + + <!-- API authentication manager --> + <scr:authentication-manager id="apiAccessAuthenticationManager"> + <scr:authentication-provider ref="kylinServiceAccountAuthProvider"/> + <scr:authentication-provider ref="kylinUserAuthProvider"/> + </scr:authentication-manager> + + + <!-- Web authentication manager --> + <scr:authentication-manager id="webAccessAuthenticationManager"> + <scr:authentication-provider ref="kylinSAMLAuthenticationProvider"/> + </scr:authentication-manager> + + <!-- Central storage of cryptographic keys --> + <bean id="keyManager" class="org.springframework.security.saml.key.JKSKeyManager"> + <constructor-arg value="classpath:samlKeystore.jks"/> + <constructor-arg type="java.lang.String" value="changeit"/> + <constructor-arg> + <map> + <entry key="kylin" value="changeit"/> + </map> + </constructor-arg> + <constructor-arg type="java.lang.String" value="kylin"/> + </bean> + + <!-- Filters for processing of SAML messages --> + <bean id="samlFilter" class="org.springframework.security.web.FilterChainProxy"> + <scr:filter-chain-map request-matcher="ant"> + <scr:filter-chain pattern="/saml/login/**" filters="samlEntryPoint"/> + <scr:filter-chain pattern="/saml/logout/**" filters="samlLogoutFilter"/> + <scr:filter-chain pattern="/saml/metadata/**" filters="metadataDisplayFilter"/> + <scr:filter-chain pattern="/saml/SSO/**" filters="samlWebSSOProcessingFilter"/> + <scr:filter-chain pattern="/saml/SSOHoK/**" + filters="samlWebSSOHoKProcessingFilter"/> + <scr:filter-chain pattern="/saml/SingleLogout/**" + filters="samlLogoutProcessingFilter"/> + </scr:filter-chain-map> + </bean> + + <!-- Handler deciding where to redirect user after successful login --> + <bean id="successRedirectHandler" + class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler"> + <property name="defaultTargetUrl" value="/models"/> + </bean> + + <!-- Handler deciding where to redirect user after failed login --> + <bean id="failureRedirectHandler" + class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"> + <property name="useForward" value="true"/> + <property name="defaultFailureUrl" value="/login"/> + </bean> + + <!-- Handler for successful logout --> + <bean id="successLogoutHandler" + class="org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler"> + <property name="defaultTargetUrl" value="/login"/> + </bean> + + <!-- Logger for SAML messages and events --> + <bean id="samlLogger" class="org.springframework.security.saml.log.SAMLDefaultLogger"/> + + <!-- Filter automatically generates default SP metadata --> + <bean id="metadataGeneratorFilter" + class="org.springframework.security.saml.metadata.MetadataGeneratorFilter"> + <constructor-arg> + <bean class="org.springframework.security.saml.metadata.MetadataGenerator"> + <property name="extendedMetadata"> + <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"> + <property name="idpDiscoveryEnabled" value="false"/> + </bean> + </property> + <property name="entityBaseURL" + value="${kylin.security.saml.metadata-entity-base-url}"/> + </bean> + </constructor-arg> + </bean> + + <!-- Entry point to initialize authentication, default values taken from properties file --> + <bean id="samlEntryPoint" class="org.springframework.security.saml.SAMLEntryPoint"> + <property name="defaultProfileOptions"> + <bean class="org.springframework.security.saml.websso.WebSSOProfileOptions"> + <property name="includeScoping" value="false"/> + </bean> + </property> + </bean> + + <!-- The filter is waiting for connections on URL suffixed with filterSuffix and presents SP metadata there --> + <bean id="metadataDisplayFilter" + class="org.springframework.security.saml.metadata.MetadataDisplayFilter"/> + + <!-- IDP Metadata configuration - paths to metadata of IDPs in circle of trust is here --> + <bean id="metadata" + class="org.springframework.security.saml.metadata.CachingMetadataManager"> + <constructor-arg> + <list> + <!-- Example of classpath metadata with Extended Metadata --> + <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate"> + <constructor-arg> + <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider"> + <constructor-arg> + <value type="java.io.File">classpath:sso_metadata.xml</value> + </constructor-arg> + <property name="parserPool" ref="parserPool"/> + </bean> + </constructor-arg> + <constructor-arg> + <bean class="org.springframework.security.saml.metadata.ExtendedMetadata"> + </bean> + </constructor-arg> + <property name="metadataTrustCheck" value="false"/> + </bean> + </list> + </constructor-arg> + </bean> + + <bean id="ldapUserAuthoritiesPopulator" + class="org.apache.kylin.rest.security.AuthoritiesPopulator"> + <constructor-arg index="0" ref="ldapSource"/> + <constructor-arg index="1" value="${kylin.security.ldap.user-group-search-base}"/> + <constructor-arg index="2" value="${kylin.security.acl.admin-role}"/> + <constructor-arg index="3" value="${kylin.security.acl.default-role}"/> + </bean> + + <bean id="userSearch" + class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch"> + <constructor-arg index="0" value="${kylin.security.ldap.user-search-base}"/> + <constructor-arg index="1" value="${kylin.security.ldap.user-search-pattern}"/> + <constructor-arg index="2" ref="ldapSource"/> + </bean> + + + <bean id="samlUserDetailsService" + class="org.apache.kylin.rest.security.SAMLUserDetailsService"> + <constructor-arg> + <bean id="ldapUserDetailsService" + class="org.springframework.security.ldap.userdetails.LdapUserDetailsService"> + <constructor-arg ref="userSearch"/> + <constructor-arg ref="ldapUserAuthoritiesPopulator"/> + </bean> + </constructor-arg> + </bean> + + <bean id="kylinSAMLAuthenticationProvider" + class="org.apache.kylin.rest.security.KylinAuthenticationProvider"> + <constructor-arg> + <!-- SAML Authentication Provider responsible for validating of received SAML messages --> + <bean id="samlAuthenticationProvider" + class="org.springframework.security.saml.SAMLAuthenticationProvider"> + <!-- OPTIONAL property: can be used to store/load user data after login --> + <property name="userDetails" ref="samlUserDetailsService"/> + </bean> + </constructor-arg> + </bean> + + + <!-- Provider of default SAML Context --> + <!-- + <bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderImpl"/> + --> + + <!-- Provider of a SAML Context behind a LoadBanlancer or reverse proxy --> + <bean id="contextProvider" + class="org.springframework.security.saml.context.SAMLContextProviderLB"> + <property name="scheme" value="${kylin.security.saml.context-scheme}"/> + <property name="serverName" value="${kylin.security.saml.context-server-name}"/> + <property name="serverPort" value="${kylin.security.saml.context-server-port}"/> + <property name="includeServerPortInRequestURL" value="false"/> + <property name="contextPath" value="${kylin.security.saml.context-path}"/> + </bean> + + + <!-- Processing filter for WebSSO profile messages --> + <bean id="samlWebSSOProcessingFilter" + class="org.springframework.security.saml.SAMLProcessingFilter"> + <property name="authenticationManager" ref="webAccessAuthenticationManager"/> + <property name="authenticationSuccessHandler" ref="successRedirectHandler"/> + <property name="authenticationFailureHandler" ref="failureRedirectHandler"/> + </bean> + + <!-- Processing filter for WebSSO Holder-of-Key profile --> + <bean id="samlWebSSOHoKProcessingFilter" + class="org.springframework.security.saml.SAMLWebSSOHoKProcessingFilter"> + <property name="authenticationManager" ref="webAccessAuthenticationManager"/> + <property name="authenticationSuccessHandler" ref="successRedirectHandler"/> + <property name="authenticationFailureHandler" ref="failureRedirectHandler"/> + </bean> + + <!-- Logout handler terminating local session --> + <bean id="logoutHandler" + class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"> + <property name="invalidateHttpSession" value="false"/> + </bean> + + <!-- Override default logout processing filter with the one processing SAML messages --> + <bean id="samlLogoutFilter" class="org.springframework.security.saml.SAMLLogoutFilter"> + <constructor-arg index="0" ref="successLogoutHandler"/> + <constructor-arg index="1" ref="logoutHandler"/> + <constructor-arg index="2" ref="logoutHandler"/> + </bean> + + <!-- Filter processing incoming logout messages --> + <!-- First argument determines URL user will be redirected to after successful global logout --> + <bean id="samlLogoutProcessingFilter" + class="org.springframework.security.saml.SAMLLogoutProcessingFilter"> + <constructor-arg index="0" ref="successLogoutHandler"/> + <constructor-arg index="1" ref="logoutHandler"/> + </bean> + + <!-- Class loading incoming SAML messages from httpRequest stream --> + <bean id="processor" class="org.springframework.security.saml.processor.SAMLProcessorImpl"> + <constructor-arg> + <list> + <ref bean="redirectBinding"/> + <ref bean="postBinding"/> + <ref bean="artifactBinding"/> + <ref bean="soapBinding"/> + <ref bean="paosBinding"/> + </list> + </constructor-arg> + </bean> + + <!-- SAML 2.0 WebSSO Assertion Consumer --> + <bean id="webSSOprofileConsumer" + class="org.springframework.security.saml.websso.WebSSOProfileConsumerImpl"> + <property name="responseSkew" value="600"/> <!-- 10 minutes --> + </bean> + + <!-- SAML 2.0 Holder-of-Key WebSSO Assertion Consumer --> + <bean id="hokWebSSOprofileConsumer" + class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/> + + <!-- SAML 2.0 Web SSO profile --> + <bean id="webSSOprofile" + class="org.springframework.security.saml.websso.WebSSOProfileImpl"/> + + <!-- SAML 2.0 Holder-of-Key Web SSO profile --> + <bean id="hokWebSSOProfile" + class="org.springframework.security.saml.websso.WebSSOProfileConsumerHoKImpl"/> + + <!-- SAML 2.0 ECP profile --> + <bean id="ecpprofile" + class="org.springframework.security.saml.websso.WebSSOProfileECPImpl"/> + + <!-- SAML 2.0 Logout Profile --> + <bean id="logoutprofile" + class="org.springframework.security.saml.websso.SingleLogoutProfileImpl"> + <property name="responseSkew" value="600"/> <!-- 10 minutes --> + </bean> + + <!-- Bindings, encoders and decoders used for creating and parsing messages --> + <bean id="postBinding" class="org.springframework.security.saml.processor.HTTPPostBinding"> + <constructor-arg ref="parserPool"/> + <constructor-arg ref="velocityEngine"/> + </bean> + + <bean id="redirectBinding" + class="org.springframework.security.saml.processor.HTTPRedirectDeflateBinding"> + <constructor-arg ref="parserPool"/> + </bean> + + <bean id="artifactBinding" + class="org.springframework.security.saml.processor.HTTPArtifactBinding"> + <constructor-arg ref="parserPool"/> + <constructor-arg ref="velocityEngine"/> + <constructor-arg> + <bean class="org.springframework.security.saml.websso.ArtifactResolutionProfileImpl"> + <constructor-arg> + <bean class="org.apache.commons.httpclient.HttpClient"> + <constructor-arg> + <bean class="org.apache.commons.httpclient.MultiThreadedHttpConnectionManager"/> + </constructor-arg> + </bean> + </constructor-arg> + <property name="processor"> + <bean class="org.springframework.security.saml.processor.SAMLProcessorImpl"> + <constructor-arg ref="soapBinding"/> + </bean> + </property> + </bean> + </constructor-arg> + </bean> + + <bean id="soapBinding" + class="org.springframework.security.saml.processor.HTTPSOAP11Binding"> + <constructor-arg ref="parserPool"/> + </bean> + + <bean id="paosBinding" + class="org.springframework.security.saml.processor.HTTPPAOS11Binding"> + <constructor-arg ref="parserPool"/> + </bean> + + <!-- Initialization of OpenSAML library--> + <bean class="org.springframework.security.saml.SAMLBootstrap"/> + + <!-- Initialization of the velocity engine --> + <bean id="velocityEngine" class="org.springframework.security.saml.util.VelocityFactory" + factory-method="getEngine"/> + + <!-- XML parser pool needed for OpenSAML parsing --> + <bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" + init-method="initialize"> + <property name="builderFeatures"> + <map> + <entry key="http://apache.org/xml/features/dom/defer-node-expansion"; + value="false"/> + </map> + </property> + </bean> + + <bean id="parserPoolHolder" + class="org.springframework.security.saml.parser.ParserPoolHolder"/> + </beans> </beans>
