<!-- Convert string properties to complex types. -->
<bean id="conversionService" class="org.springframework.context.support.ConversionServiceFactoryBean" />
-
+
<!-- Require client id and client secret via basic auth when granting tokens (https://tools.ietf.org/html/rfc6749#section-4.3.2).
Note that public (https://tools.ietf.org/html/rfc6749#section-2.1) clients, such as the CSpace web UI, may supply a
blank or publicly known "secret." The clientAuthenticationManager bean handles this client authentication. -->
<sec:anonymous enabled="false"/>
<sec:csrf disabled="true"/>
<sec:access-denied-handler ref="oauthAccessDeniedHandler"/>
-
+
<!-- Handle CORS (preflight OPTIONS requests must be anonymous) -->
<sec:intercept-url method="OPTIONS" pattern="/oauth/token/**" access="isAnonymous()"/>
<sec:cors configuration-source-ref="corsSource" />
</sec:http>
- <!-- Exclude the resource path to public items' content from AuthN and AuthZ. Lets us publish resources with anonymous access. -->
- <sec:http pattern="/publicitems/*/*/content" security="none" />
-
- <!-- Exclude the resource path to handle an account password reset request from AuthN and AuthZ. Lets us process password resets anonymous access. -->
- <sec:http pattern="/accounts/requestpasswordreset" security="none" />
-
- <!-- Exclude the resource path to account process a password resets from AuthN and AuthZ. Lets us process password resets anonymous access. -->
- <sec:http pattern="/accounts/processpasswordreset" security="none" />
-
- <!-- All other paths must be authenticated. -->
<sec:http realm="org.collectionspace.services" create-session="stateless" authentication-manager-ref="userAuthenticationManager">
+ <!-- Exclude the resource path to public items' content from AuthN and AuthZ. Lets us publish resources with anonymous access. -->
+ <sec:intercept-url pattern="/publicitems/*/*/content" access="isAnonymous()" />
+
+ <!-- Exclude the resource path to handle an account password reset request from AuthN and AuthZ. Lets us process password resets anonymous access. -->
+ <sec:intercept-url pattern="/accounts/requestpasswordreset" access="isAnonymous()" />
+
+ <!-- Exclude the resource path to account process a password resets from AuthN and AuthZ. Lets us process password resets anonymous access. -->
+ <sec:intercept-url pattern="/accounts/processpasswordreset" access="isAnonymous()" />
+
+ <!-- All other paths must be authenticated. -->
<sec:intercept-url pattern="/**" access="isFullyAuthenticated()" />
+
<sec:http-basic />
+ <sec:anonymous username="anonymous" />
<sec:csrf disabled="true" />
-
+
<!-- Handle CORS (preflight OPTIONS requests must be anonymous) -->
<sec:intercept-url method="OPTIONS" pattern="/**" access="isAnonymous()"/>
<sec:cors configuration-source-ref="corsSource" />
-
+
<!-- Insert the username from the security context into a request attribute for logging -->
<sec:custom-filter ref="userAttributeFilter" after="SECURITY_CONTEXT_FILTER" />
</bean>
</property>
</bean>
-
+
<bean id="userDetailsService" class="org.collectionspace.authentication.spring.CSpaceUserDetailsService">
<constructor-arg>
<bean class="org.collectionspace.authentication.realm.db.CSpaceDbRealm">
</bean>
</constructor-arg>
</bean>
-
+
<oauth:resource-server id="oauthResourceServerFilter" resource-id="cspace-services" token-services-ref="tokenServices" />
-
+
<sec:authentication-manager id="clientAuthenticationManager">
<sec:authentication-provider user-service-ref="clientDetailsUserDetailsService"/>
</sec:authentication-manager>
</bean>
<!-- The scope attribute below is a meaningless placeholder. In the future we may want to use it to limit
- the permissions of particular clients. Currently a client has the full permissions of the user on
+ the permissions of particular clients. Currently a client has the full permissions of the user on
whose behalf it is acting. -->
<oauth:client-details-service id="clientDetails">
<oauth:client
access-token-validity="3600"
refresh-token-validity="43200" />
</oauth:client-details-service>
-
+
<bean id="clientAuthenticationEntryPoint" class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
<property name="realmName" value="org.collectionspace.services/client"/>
<property name="typeName" value="Basic"/>
</bean>
-
+
<bean id="oauthAccessDeniedHandler" class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler"/>
-
+
<bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
<property name="tokenStore" ref="tokenStore" />
<property name="tokenEnhancer" ref="tokenEnhancer" />
</bean>
</property>
</bean>
-
+
<bean id="corsSource" class="org.springframework.web.cors.UrlBasedCorsConfigurationSource">
<property name="corsConfigurations">
<util:map>
projects / tmp / jakarta-migration.git / commitdiff