wisemapping-open-source/wise-webapp/src/main/webapp/WEB-INF/wisemapping-security.xml

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans.xsd
          http://www.springframework.org/schema/security
          http://www.springframework.org/schema/security/spring-security.xsd">

    <bean id="custom-firewall" class="org.springframework.security.web.firewall.StrictHttpFirewall">
        <property name="allowSemicolon" value="true"/>
    </bean>

    <sec:http-firewall ref="custom-firewall"/>


    <sec:http pattern="/static/webapp/**" security="none"/>
    <sec:http pattern="/static/mindplot/**" security="none"/>
    <sec:http pattern="/css/**" security="none"/>
    <sec:http pattern="/js/**" security="none"/>
    <sec:http pattern="/images/**" security="none"/>
    <sec:http pattern="/icons/**" security="none"/>

    <sec:http pattern="/c/home" security="none"/>

    <sec:http pattern="/c/maps/*/embed" security="none"/>
    <sec:http pattern="/c/maps/*/try" security="none"/>
    <sec:http pattern="/c/maps/*/public" security="none"/>
    <sec:http pattern="/c/restful/maps/*/document/xml-pub" security="none"/>

    <sec:http pattern="/c/publicview.htm" security="none"/>
    <sec:http pattern="/c/embeddedview.htm" security="none"/>
    <sec:http pattern="/c/termsOfUse" security="none"/>
    <sec:http pattern="/c/activation" security="none"/>

    <!-- Admin related services that required admin role-->
    <sec:http use-expressions="true" create-session="stateless" pattern="/service/**">
        <sec:csrf/>

        <!-- Enabled only for cors -->
        <sec:intercept-url pattern="/service/users" method="OPTIONS" access="permitAll"/>
        <sec:intercept-url pattern="/service/users/resetPassword" method="OPTIONS" access="permitAll"/>


        <sec:intercept-url pattern="/service/users/" method="POST" access="permitAll"/>
        <sec:intercept-url pattern="/service/users/resetPassword" method="PUT" access="permitAll"/>

        <sec:intercept-url pattern="/service/admin/users/**" access="isAuthenticated() and hasRole('ROLE_ADMIN')"/>
        <sec:intercept-url pattern="/service/admin/database/**" access="isAuthenticated() and hasRole('ROLE_ADMIN')"/>
        <sec:intercept-url pattern="/service/**" access="isAuthenticated() and hasRole('ROLE_USER')"/>

        <sec:http-basic/>
    </sec:http>

    <sec:http use-expressions="true" pattern="/c/**/*">
        <sec:intercept-url pattern="/c/login" access="hasRole('ANONYMOUS')"/>
        <sec:intercept-url pattern="/c/logout" access="hasRole('ANONYMOUS')"/>
        <sec:intercept-url pattern="/c/registration" access="hasRole('ANONYMOUS')"/>
        <sec:intercept-url pattern="/c/registration-success" access="hasRole('ANONYMOUS')"/>
        <sec:intercept-url pattern="/c/forgot-password" access="hasRole('ANONYMOUS')"/>
        <sec:intercept-url pattern="/c/forgot-password-success" access="hasRole('ANONYMOUS')"/>

        <sec:intercept-url pattern="/c/**/*" access="isAuthenticated() and hasRole('ROLE_USER')"/>
        <sec:access-denied-handler error-page="/c/login"/>
        <sec:form-login login-page="/c/login"
                        authentication-success-handler-ref="authenticationSuccessHandler"
                        always-use-default-target="false"
                        authentication-failure-url="/c/login?login_error=2"
                        login-processing-url="/c/perform-login"/>

        <!-- Expire in 28 days -->
        <sec:remember-me token-validity-seconds="2419200" remember-me-parameter="remember-me"/>
        <sec:logout logout-url="/c/logout" invalidate-session="true" logout-success-url="/c/login"/>
        <sec:csrf request-matcher-ref="requestMatcher"/>
    </sec:http>

    <!-- Extends CFSR check to get methods to have consistency in all errors. Otherwise, request is forward in some cases -->
    <bean id="requestMatcher"
          class="com.wisemapping.security.CSFRRequestMatcher">
        <property name="prefix" value="/c/restful/"/>
    </bean>

    <import resource="wisemapping-security-${security.type}.xml"/>

    <bean id="userDetailsService" class="com.wisemapping.security.UserDetailsService">
        <property name="userService" ref="userService"/>
        <property name="adminUser" value="${admin.user}"/>
    </bean>

    <bean id="authenticationSuccessHandler" class="com.wisemapping.security.AuthenticationSuccessHandler">
        <property name="defaultTargetUrl" value="/c/maps/"/>
        <property name="alwaysUseDefaultTargetUrl" value="false"/>
    </bean>

</beans>
- Migrate to Spring 3.1 - Remove Acegy - Fix editor partially 2012-02-12 02:55:42 -03:00			`<?xml version="1.0" encoding="UTF-8"?>`

			`<beans xmlns="http://www.springframework.org/schema/beans"`
			`xmlns:sec="http://www.springframework.org/schema/security"`
			`xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"`
			`xsi:schemaLocation="http://www.springframework.org/schema/beans`
Initial commit 2020-11-07 11:56:38 -08:00			`http://www.springframework.org/schema/beans/spring-beans.xsd`
- Migrate to Spring 3.1 - Remove Acegy - Fix editor partially 2012-02-12 02:55:42 -03:00			`http://www.springframework.org/schema/security`
Initial commit 2020-11-07 11:56:38 -08:00			`http://www.springframework.org/schema/security/spring-security.xsd">`
Add configurable support for admin profile. 2012-02-21 16:36:19 -03:00
Disable ; strict control 2022-02-12 08:04:16 -08:00			`<bean id="custom-firewall" class="org.springframework.security.web.firewall.StrictHttpFirewall">`
			`<property name="allowSemicolon" value="true"/>`
			`</bean>`

			`<sec:http-firewall ref="custom-firewall"/>`


Fix major update integrating with external wisemapping frond end 2021-12-24 18:03:23 -08:00			`<sec:http pattern="/static/webapp/**" security="none"/>`
			`<sec:http pattern="/static/mindplot/**" security="none"/>`
- First REST operation working 2012-02-12 21:57:11 -03:00			`<sec:http pattern="/css/**" security="none"/>`
			`<sec:http pattern="/js/**" security="none"/>`
			`<sec:http pattern="/images/**" security="none"/>`
Update to HSQLDB driver Remove DWR Remove native SVG tables Add new REST services for persistence. 2012-02-21 14:22:43 -03:00			`<sec:http pattern="/icons/**" security="none"/>`
- Remove .htm - Keep working on export. 2012-06-03 11:16:38 -03:00
			`<sec:http pattern="/c/home" security="none"/>`
Add embedded and public view compatibility. Remove Utils method 2012-06-18 00:40:42 -03:00
Add zoom support for embedded maps. Add new url to embedded maps 2012-06-03 20:23:31 -03:00			`<sec:http pattern="/c/maps/*/embed" security="none"/>`
Several fixes. 2012-08-26 16:53:33 -03:00			`<sec:http pattern="/c/maps/*/try" security="none"/>`
Add embedded and public view compatibility. Remove Utils method 2012-06-18 00:40:42 -03:00			`<sec:http pattern="/c/maps/*/public" security="none"/>`
- Fix security issues when the map is loaded from the rest service. Two URL has been defined for each type of access. 2013-02-07 21:44:20 -03:00			`<sec:http pattern="/c/restful/maps/*/document/xml-pub" security="none"/>`
Add Google Crome Frame support. 2012-06-21 22:18:04 -03:00
Add embedded and public view compatibility. Remove Utils method 2012-06-18 00:40:42 -03:00			`<sec:http pattern="/c/publicview.htm" security="none"/>`
			`<sec:http pattern="/c/embeddedview.htm" security="none"/>`
			`<sec:http pattern="/c/termsOfUse" security="none"/>`
Add zoom support for embedded maps. Add new url to embedded maps 2012-06-03 20:23:31 -03:00			`<sec:http pattern="/c/activation" security="none"/>`
Add embedded and public view compatibility. Remove Utils method 2012-06-18 00:40:42 -03:00
Fix major update integrating with external wisemapping frond end 2021-12-24 18:03:23 -08:00			`<!-- Admin related services that required admin role-->`
Split rest authentication into two. For web apps integration url is /c/restful/ 2012-11-10 17:19:28 -03:00			`<sec:http use-expressions="true" create-session="stateless" pattern="/service/**">`
First steps on csfr impl 2022-02-19 12:39:38 -08:00			`<sec:csrf/>`
Support for Java 11 2020-11-06 21:35:54 -08:00
Fix major update integrating with external wisemapping frond end 2021-12-24 18:03:23 -08:00			`<!-- Enabled only for cors -->`
			`<sec:intercept-url pattern="/service/users" method="OPTIONS" access="permitAll"/>`
			`<sec:intercept-url pattern="/service/users/resetPassword" method="OPTIONS" access="permitAll"/>`

Add CSRD to get operations 2022-02-19 15:57:57 -08:00
Fix major update integrating with external wisemapping frond end 2021-12-24 18:03:23 -08:00			`<sec:intercept-url pattern="/service/users/" method="POST" access="permitAll"/>`
			`<sec:intercept-url pattern="/service/users/resetPassword" method="PUT" access="permitAll"/>`

Update to HSQLDB driver Remove DWR Remove native SVG tables Add new REST services for persistence. 2012-02-21 14:22:43 -03:00			`<sec:intercept-url pattern="/service/admin/users/**" access="isAuthenticated() and hasRole('ROLE_ADMIN')"/>`
Add purge flag. 2013-03-24 15:42:25 -03:00			`<sec:intercept-url pattern="/service/admin/database/**" access="isAuthenticated() and hasRole('ROLE_ADMIN')"/>`
Fix remember me issue. 2012-06-18 01:15:46 -03:00			`<sec:intercept-url pattern="/service/**" access="isAuthenticated() and hasRole('ROLE_USER')"/>`
Fix major update integrating with external wisemapping frond end 2021-12-24 18:03:23 -08:00
- First REST operation working 2012-02-12 21:57:11 -03:00			`<sec:http-basic/>`
			`</sec:http>`
- Migrate to Spring 3.1 - Remove Acegy - Fix editor partially 2012-02-12 02:55:42 -03:00
First steps on csfr impl 2022-02-19 12:39:38 -08:00			`<sec:http use-expressions="true" pattern="/c/*/">`
			`<sec:intercept-url pattern="/c/login" access="hasRole('ANONYMOUS')"/>`
			`<sec:intercept-url pattern="/c/logout" access="hasRole('ANONYMOUS')"/>`
			`<sec:intercept-url pattern="/c/registration" access="hasRole('ANONYMOUS')"/>`
Clean up paths 2022-02-19 12:43:35 -08:00			`<sec:intercept-url pattern="/c/registration-success" access="hasRole('ANONYMOUS')"/>`
First steps on csfr impl 2022-02-19 12:39:38 -08:00			`<sec:intercept-url pattern="/c/forgot-password" access="hasRole('ANONYMOUS')"/>`
Clean up paths 2022-02-19 12:43:35 -08:00			`<sec:intercept-url pattern="/c/forgot-password-success" access="hasRole('ANONYMOUS')"/>`

Fix remember me issue. 2012-06-18 01:15:46 -03:00			`<sec:intercept-url pattern="/c/*/" access="isAuthenticated() and hasRole('ROLE_USER')"/>`
First steps on csfr impl 2022-02-19 12:39:38 -08:00			`<sec:access-denied-handler error-page="/c/login"/>`
- Remove .htm - Keep working on export. 2012-06-03 11:16:38 -03:00			`<sec:form-login login-page="/c/login"`
Split rest authentication into two. For web apps integration url is /c/restful/ 2012-11-10 17:19:28 -03:00			`authentication-success-handler-ref="authenticationSuccessHandler"`
			`always-use-default-target="false"`
- Remove .htm - Keep working on export. 2012-06-03 11:16:38 -03:00			`authentication-failure-url="/c/login?login_error=2"`
Support for Java 11 2020-11-06 21:35:54 -08:00			`login-processing-url="/c/perform-login"/>`
Fix open id. 2013-03-10 19:07:52 -03:00
Fix major update integrating with external wisemapping frond end 2021-12-24 18:03:23 -08:00			`<!-- Expire in 28 days -->`
First steps on csfr impl 2022-02-19 12:39:38 -08:00			`<sec:remember-me token-validity-seconds="2419200" remember-me-parameter="remember-me"/>`
- Remove .htm - Keep working on export. 2012-06-03 11:16:38 -03:00			`<sec:logout logout-url="/c/logout" invalidate-session="true" logout-success-url="/c/login"/>`
Add CSRD to get operations 2022-02-19 15:57:57 -08:00			`<sec:csrf request-matcher-ref="requestMatcher"/>`
- Migrate to Spring 3.1 - Remove Acegy - Fix editor partially 2012-02-12 02:55:42 -03:00			`</sec:http>`

Add CSRD to get operations 2022-02-19 15:57:57 -08:00			`<!-- Extends CFSR check to get methods to have consistency in all errors. Otherwise, request is forward in some cases -->`
			`<bean id="requestMatcher"`
			`class="com.wisemapping.security.CSFRRequestMatcher">`
			`<property name="prefix" value="/c/restful/"/>`
First steps on csfr impl 2022-02-19 12:39:38 -08:00			`</bean>`

Enable security configuration from properties. 2013-02-17 23:10:04 -03:00			`<import resource="wisemapping-security-${security.type}.xml"/>`
- Migrate to Spring 3.1 - Remove Acegy - Fix editor partially 2012-02-12 02:55:42 -03:00
Add configurable support for admin profile. 2012-02-21 16:36:19 -03:00			`<bean id="userDetailsService" class="com.wisemapping.security.UserDetailsService">`
Audith login operations. 2012-06-23 16:15:59 -03:00			`<property name="userService" ref="userService"/>`
Add configurable support for admin profile. 2012-02-21 16:36:19 -03:00			`<property name="adminUser" value="${admin.user}"/>`
- Migrate to Spring 3.1 - Remove Acegy - Fix editor partially 2012-02-12 02:55:42 -03:00			`</bean>`
Split rest authentication into two. For web apps integration url is /c/restful/ 2012-11-10 17:19:28 -03:00
			`<bean id="authenticationSuccessHandler" class="com.wisemapping.security.AuthenticationSuccessHandler">`
			`<property name="defaultTargetUrl" value="/c/maps/"/>`
			`<property name="alwaysUseDefaultTargetUrl" value="false"/>`
			`</bean>`
Add LDAP support. 2013-02-17 21:00:08 -03:00
- Migrate to Spring 3.1 - Remove Acegy - Fix editor partially 2012-02-12 02:55:42 -03:00			`</beans>`