<?xml version="1.0" encoding="UTF-8"?>
<!--
- Copyright 2017 General Electric Company
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-
- SPDX-License-Identifier: Apache-2.0
-->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:redis="http://www.springframework.org/schema/redis"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd">
<!-- Register Oauth AuthN Manager.
     No authentication providers are configured here; this empty manager presumably exists only
     to satisfy the security namespace (confirm). Caller authentication in this file is the
     bearer-token validation performed by oauth2remoteTokenFilter. -->
<sec:authentication-manager />
<!-- MVC handler mapping for this servlet. The lower order value (-1) makes it take precedence
     over the default handler mappings. -->
<bean class="org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping"
      p:order="-1">
    <property name="urlPathHelper">
        <!-- Project-specific UrlPathHelper; by its name it resolves handlers against the
             undecoded request path. Confirm against the class before relying on that. -->
        <bean class="com.ge.predix.acs.config.UrlPathHelperNonDecoding"/>
    </property>
</bean>
<!-- Picks up the annotated beans of com.ge.predix.web.cors (presumably the CORS handling
     components; they are not defined in this file). -->
<context:component-scan base-package="com.ge.predix.web.cors"/>
<!-- Correlation Log Filter.
     Constructor arguments, in order: a set holding the base domain (ACS_BASE_DOMAIN, default
     localhost), a set of zone header names, and the literal "acs". How LogFilter uses each
     of them is not visible here; assumed to be (base domains, zone headers, service name),
     verify against the LogFilter constructor. -->
<bean id="logFilter" class="com.ge.predix.log.filter.LogFilter">
<constructor-arg>
<set value-type="java.lang.String">
<value>${ACS_BASE_DOMAIN:localhost}</value>
</set>
</constructor-arg>
<constructor-arg>
<set value-type="java.lang.String">
<value>Predix-Zone-Id</value>
<value>ACS-Zone-Subdomain</value>
</set>
</constructor-arg>
<constructor-arg value="acs" />
</bean>
<!-- Authentication entry point for the token-protected chains below: issues the OAuth2 401
     challenge when a request is rejected as unauthenticated. -->
<bean id="preAuthenticationEntryPoint"
class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint" />
<!-- Filter for Oauth Token Validation.
     Creates the bearer-token processing filter that the chains below reference as
     oauth2remoteTokenFilter. tokenService is not defined in this file. -->
<oauth:resource-server id="oauth2remoteTokenFilter"
token-services-ref="tokenService" />
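<!-- Authorization Configuration For V1 policy-set APIS.
     Stateless bearer-token chain (no HTTP session, so there is no CSRF token to protect).
     intercept-url rules are evaluated in declaration order; the first match decides. -->
<http pattern="/v1/policy-set/**" request-matcher="ant" create-session="stateless"
      xmlns="http://www.springframework.org/schema/security"
      disable-url-rewriting="true" use-expressions="true"
      entry-point-ref="preAuthenticationEntryPoint">
    <csrf disabled="true"/>
    <!-- Read methods require acs.policies.read -->
    <intercept-url pattern="/v1/policy-set/**" method="GET"
                   access="hasAnyAuthority('acs.policies.read')"/>
    <intercept-url pattern="/v1/policy-set/**" method="HEAD"
                   access="hasAnyAuthority('acs.policies.read')"/>
    <intercept-url pattern="/v1/policy-set/**" method="OPTIONS"
                   access="hasAnyAuthority('acs.policies.read')"/>
    <!-- Mutating methods require acs.policies.write -->
    <intercept-url pattern="/v1/policy-set/**" method="PUT"
                   access="hasAnyAuthority('acs.policies.write')"/>
    <intercept-url pattern="/v1/policy-set/**" method="POST"
                   access="hasAnyAuthority('acs.policies.write')"/>
    <intercept-url pattern="/v1/policy-set/**" method="DELETE"
                   access="hasAnyAuthority('acs.policies.write')"/>
    <intercept-url pattern="/v1/policy-set/**" method="PATCH"
                   access="hasAnyAuthority('acs.policies.write')"/>
    <!-- Catch-all for every other method. Without it a request matching none of the
         method-specific rules above receives no authorization decision at all (unmatched
         requests are let through by default), and rejecting such methods would depend solely
         on policyHttpMethodsFilter, which is bound to EmptyHttpMethodsFilter outside the
         httpValidation profile. -->
    <intercept-url pattern="/v1/policy-set/**" access="denyAll()"/>
    <!-- This filter must always be first in the Spring Security filter chain for this URI pattern -->
    <custom-filter ref="policyHttpMethodsFilter" before="FIRST"/>
    <!-- Bearer-token validation (oauth:resource-server above) -->
    <custom-filter ref="oauth2remoteTokenFilter" position="PRE_AUTH_FILTER"/>
    <!-- acsRequestEnrichingFilter is defined outside this file -->
    <custom-filter ref="acsRequestEnrichingFilter" after="BASIC_AUTH_FILTER"/>
</http>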
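<!-- Authorization Configuration For V1 policy-evaluation APIS.
     Stateless bearer-token chain (no HTTP session, so there is no CSRF token to protect). -->
<http pattern="/v1/policy-evaluation/**" request-matcher="ant" create-session="stateless"
      xmlns="http://www.springframework.org/schema/security"
      disable-url-rewriting="true" use-expressions="true"
      entry-point-ref="preAuthenticationEntryPoint">
    <csrf disabled="true"/>
    <!-- Any fully authenticated token may evaluate policies. The rule pattern deliberately
         equals the chain's pattern: the previous exact pattern "/v1/policy-evaluation" left
         every other path routed to this chain without an authorization decision (unmatched
         requests are let through by default). -->
    <intercept-url pattern="/v1/policy-evaluation/**" access="isFullyAuthenticated()"/>
    <!-- This filter must always be first in the Spring Security filter chain for this URI pattern -->
    <custom-filter ref="evaluationHttpMethodsFilter" before="FIRST"/>
    <!-- Bearer-token validation (oauth:resource-server above) -->
    <custom-filter ref="oauth2remoteTokenFilter" position="PRE_AUTH_FILTER"/>
    <!-- acsRequestEnrichingFilter is defined outside this file -->
    <custom-filter ref="acsRequestEnrichingFilter" after="BASIC_AUTH_FILTER"/>
</http>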
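<!-- Authorization Configuration For V1 resource APIS.
     Stateless bearer-token chain (no HTTP session, so there is no CSRF token to protect).
     intercept-url rules are evaluated in declaration order; the first match decides. -->
<http pattern="/v1/resource/**" request-matcher="ant" create-session="stateless"
      xmlns="http://www.springframework.org/schema/security"
      disable-url-rewriting="true" use-expressions="true"
      entry-point-ref="preAuthenticationEntryPoint">
    <csrf disabled="true"/>
    <!-- Read methods require acs.attributes.read -->
    <intercept-url pattern="/v1/resource/**" method="GET"
                   access="hasAnyAuthority('acs.attributes.read')"/>
    <intercept-url pattern="/v1/resource/**" method="HEAD"
                   access="hasAnyAuthority('acs.attributes.read')"/>
    <intercept-url pattern="/v1/resource/**" method="OPTIONS"
                   access="hasAnyAuthority('acs.attributes.read')"/>
    <!-- Mutating methods require acs.attributes.write -->
    <intercept-url pattern="/v1/resource/**" method="PUT"
                   access="hasAnyAuthority('acs.attributes.write')"/>
    <intercept-url pattern="/v1/resource/**" method="POST"
                   access="hasAnyAuthority('acs.attributes.write')"/>
    <intercept-url pattern="/v1/resource/**" method="DELETE"
                   access="hasAnyAuthority('acs.attributes.write')"/>
    <intercept-url pattern="/v1/resource/**" method="PATCH"
                   access="hasAnyAuthority('acs.attributes.write')"/>
    <!-- Catch-all for every other method. Without it a request matching none of the
         method-specific rules above receives no authorization decision at all (unmatched
         requests are let through by default), and rejecting such methods would depend solely
         on resourceHttpMethodsFilter, which is bound to EmptyHttpMethodsFilter outside the
         httpValidation profile. -->
    <intercept-url pattern="/v1/resource/**" access="denyAll()"/>
    <!-- This filter must always be first in the Spring Security filter chain for this URI pattern -->
    <custom-filter ref="resourceHttpMethodsFilter" before="FIRST"/>
    <!-- Bearer-token validation (oauth:resource-server above) -->
    <custom-filter ref="oauth2remoteTokenFilter" position="PRE_AUTH_FILTER"/>
    <!-- acsRequestEnrichingFilter is defined outside this file -->
    <custom-filter ref="acsRequestEnrichingFilter" after="BASIC_AUTH_FILTER"/>
</http>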
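<!-- Authorization Configuration For V1 subject APIS.
     Stateless bearer-token chain (no HTTP session, so there is no CSRF token to protect).
     intercept-url rules are evaluated in declaration order; the first match decides. -->
<http pattern="/v1/subject/**" request-matcher="ant" create-session="stateless"
      xmlns="http://www.springframework.org/schema/security"
      disable-url-rewriting="true" use-expressions="true"
      entry-point-ref="preAuthenticationEntryPoint">
    <csrf disabled="true"/>
    <!-- Read methods require acs.attributes.read -->
    <intercept-url pattern="/v1/subject/**" method="GET"
                   access="hasAnyAuthority('acs.attributes.read')"/>
    <intercept-url pattern="/v1/subject/**" method="HEAD"
                   access="hasAnyAuthority('acs.attributes.read')"/>
    <intercept-url pattern="/v1/subject/**" method="OPTIONS"
                   access="hasAnyAuthority('acs.attributes.read')"/>
    <!-- Mutating methods require acs.attributes.write -->
    <intercept-url pattern="/v1/subject/**" method="PUT"
                   access="hasAnyAuthority('acs.attributes.write')"/>
    <intercept-url pattern="/v1/subject/**" method="POST"
                   access="hasAnyAuthority('acs.attributes.write')"/>
    <intercept-url pattern="/v1/subject/**" method="DELETE"
                   access="hasAnyAuthority('acs.attributes.write')"/>
    <intercept-url pattern="/v1/subject/**" method="PATCH"
                   access="hasAnyAuthority('acs.attributes.write')"/>
    <!-- Catch-all for every other method. Without it a request matching none of the
         method-specific rules above receives no authorization decision at all (unmatched
         requests are let through by default), and rejecting such methods would depend solely
         on subjectHttpMethodsFilter, which is bound to EmptyHttpMethodsFilter outside the
         httpValidation profile. -->
    <intercept-url pattern="/v1/subject/**" access="denyAll()"/>
    <!-- This filter must always be first in the Spring Security filter chain for this URI pattern -->
    <custom-filter ref="subjectHttpMethodsFilter" before="FIRST"/>
    <!-- Bearer-token validation (oauth:resource-server above) -->
    <custom-filter ref="oauth2remoteTokenFilter" position="PRE_AUTH_FILTER"/>
    <!-- acsRequestEnrichingFilter is defined outside this file -->
    <custom-filter ref="acsRequestEnrichingFilter" after="BASIC_AUTH_FILTER"/>
</http>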
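<!-- Authorization Configuration For V1 connector APIS.
     Stateless bearer-token chain (no HTTP session, so there is no CSRF token to protect).
     Note the single-segment pattern "/v1/connector/*": paths with further segments do not
     reach this chain at all. intercept-url rules are evaluated in declaration order; the
     first match decides. -->
<http pattern="/v1/connector/*" request-matcher="ant" create-session="stateless"
      xmlns="http://www.springframework.org/schema/security"
      disable-url-rewriting="true" use-expressions="true"
      entry-point-ref="preAuthenticationEntryPoint">
    <csrf disabled="true"/>
    <!-- Read methods require acs.connectors.read -->
    <intercept-url pattern="/v1/connector/*" method="GET"
                   access="hasAnyAuthority('acs.connectors.read')"/>
    <intercept-url pattern="/v1/connector/*" method="HEAD"
                   access="hasAnyAuthority('acs.connectors.read')"/>
    <intercept-url pattern="/v1/connector/*" method="OPTIONS"
                   access="hasAnyAuthority('acs.connectors.read')"/>
    <!-- Mutating methods require acs.connectors.write -->
    <intercept-url pattern="/v1/connector/*" method="PUT"
                   access="hasAnyAuthority('acs.connectors.write')"/>
    <intercept-url pattern="/v1/connector/*" method="POST"
                   access="hasAnyAuthority('acs.connectors.write')"/>
    <intercept-url pattern="/v1/connector/*" method="DELETE"
                   access="hasAnyAuthority('acs.connectors.write')"/>
    <intercept-url pattern="/v1/connector/*" method="PATCH"
                   access="hasAnyAuthority('acs.connectors.write')"/>
    <!-- Catch-all for every other method. Without it a request matching none of the
         method-specific rules above receives no authorization decision at all (unmatched
         requests are let through by default), and rejecting such methods would depend solely
         on connectorHttpMethodsFilter, which is bound to EmptyHttpMethodsFilter outside the
         httpValidation profile. -->
    <intercept-url pattern="/v1/connector/*" access="denyAll()"/>
    <!-- This filter must always be first in the Spring Security filter chain for this URI pattern -->
    <custom-filter ref="connectorHttpMethodsFilter" before="FIRST"/>
    <!-- Bearer-token validation (oauth:resource-server above) -->
    <custom-filter ref="oauth2remoteTokenFilter" position="PRE_AUTH_FILTER"/>
    <!-- acsRequestEnrichingFilter is defined outside this file -->
    <custom-filter ref="acsRequestEnrichingFilter" after="BASIC_AUTH_FILTER"/>
</http>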
<!-- Authorization Configuration For V1 zone APIS.
     Stateless bearer-token chain (no HTTP session, so there is no CSRF token to protect).
     Unlike the other V1 chains, acsRequestEnrichingFilter is not registered here; presumably
     because zone-management requests carry no zone (see the note below), confirm. -->
<http pattern="/v1/zone/**" request-matcher="ant" create-session="stateless"
xmlns="http://www.springframework.org/schema/security"
disable-url-rewriting="true" use-expressions="true"
entry-point-ref="preAuthenticationEntryPoint">
<csrf disabled="true"/>
<!-- For requests with no zone, TokenService only verifies the token against
defaultTrustedIssuerId, so the additional acs.zones.admin authority has to be
asserted here. The single rule covers every method under the chain's pattern. -->
<intercept-url pattern="/v1/zone/**"
access="isFullyAuthenticated() and hasAnyAuthority('acs.zones.admin')" />
<!-- This filter must always be first in the Spring Security filter chain for this URI pattern -->
<custom-filter ref="zoneHttpMethodsFilter" before="FIRST"/>
<!-- Bearer-token validation (oauth:resource-server above) -->
<custom-filter ref="oauth2remoteTokenFilter"
position="PRE_AUTH_FILTER" />
</http>
<!-- Authorization Configuration For Monitoring APIs.
     Project-specific entry point used by the public heartbeat chain below; its response
     behaviour is not visible in this file. -->
<bean id="noAuthenticationEntryPoint" class="com.ge.predix.acs.security.NoAuthenticationEntryPoint" />
<!-- Public liveness endpoint: permitAll, and no token filter is registered in this chain, so no
     authentication is attempted. Only monitoringHttpMethodsFilter runs ahead of the chain. -->
<http pattern="/monitoring/heartbeat*" request-matcher="ant" create-session="stateless"
xmlns="http://www.springframework.org/schema/security"
disable-url-rewriting="true" use-expressions="true"
entry-point-ref="noAuthenticationEntryPoint">
<csrf disabled="true"/>
<intercept-url pattern="/monitoring/heartbeat*" access="permitAll()"/>
<!-- This filter must always be first in the Spring Security filter chain for this URI pattern -->
<custom-filter ref="monitoringHttpMethodsFilter" before="FIRST"/>
</http>
<!-- Health endpoint. Reachable with no token (isAnonymous()) or with a token carrying
     acs.monitoring; a valid token without acs.monitoring is therefore denied, since an
     authenticated principal is not anonymous.
     managementSecurityRoleFilter is defined outside this file; presumably it scopes the
     response detail by role, confirm. NOTE(review): unlike the other chains, no
     HttpMethodsFilter is registered for this pattern. -->
<http pattern="/health*" request-matcher="ant" create-session="stateless"
xmlns="http://www.springframework.org/schema/security"
disable-url-rewriting="true" use-expressions="true"
entry-point-ref="preAuthenticationEntryPoint">
<csrf disabled="true"/>
<intercept-url pattern="/health*" access="isAnonymous() or hasAnyAuthority('acs.monitoring')"/>
<custom-filter ref="oauth2remoteTokenFilter" position="PRE_AUTH_FILTER"/>
<custom-filter ref="managementSecurityRoleFilter" after="BASIC_AUTH_FILTER"/>
</http>
<!-- httpValidation profile: the "before FIRST" filter of each chain above is a per-API
     HTTP-method filter. The bean ids here and in the !httpValidation block must stay
     identical, because every <http> chain references them unconditionally. -->
<beans profile="httpValidation">
<bean id="policyHttpMethodsFilter" class="com.ge.predix.acs.service.policy.admin.PolicyHttpMethodsFilter"/>
<bean id="evaluationHttpMethodsFilter" class="com.ge.predix.acs.service.policy.evaluation.EvaluationHttpMethodsFilter"/>
<bean id="resourceHttpMethodsFilter" class="com.ge.predix.acs.privilege.management.ResourceHttpMethodsFilter"/>
<bean id="subjectHttpMethodsFilter" class="com.ge.predix.acs.privilege.management.SubjectHttpMethodsFilter"/>
<bean id="connectorHttpMethodsFilter" class="com.ge.predix.acs.attribute.connector.ConnectorHttpMethodsFilter"/>
<bean id="zoneHttpMethodsFilter" class="com.ge.predix.acs.zone.management.ZoneHttpMethodsFilter"/>
<bean id="monitoringHttpMethodsFilter" class="com.ge.predix.acs.monitoring.MonitoringHttpMethodsFilter"/>
</beans>
<!-- Any other profile: every method-filter id is bound to EmptyHttpMethodsFilter, so the
     "before FIRST" slot of each chain is filled but no method validation happens there. In this
     mode the intercept-url rules of each chain are the only request filtering. -->
<beans profile="!httpValidation">
<bean id="policyHttpMethodsFilter" class="com.ge.predix.acs.security.EmptyHttpMethodsFilter"/>
<bean id="evaluationHttpMethodsFilter" class="com.ge.predix.acs.security.EmptyHttpMethodsFilter"/>
<bean id="resourceHttpMethodsFilter" class="com.ge.predix.acs.security.EmptyHttpMethodsFilter"/>
<bean id="subjectHttpMethodsFilter" class="com.ge.predix.acs.security.EmptyHttpMethodsFilter"/>
<bean id="connectorHttpMethodsFilter" class="com.ge.predix.acs.security.EmptyHttpMethodsFilter"/>
<bean id="zoneHttpMethodsFilter" class="com.ge.predix.acs.security.EmptyHttpMethodsFilter"/>
<bean id="monitoringHttpMethodsFilter" class="com.ge.predix.acs.security.EmptyHttpMethodsFilter"/>
</beans>
</beans>