<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans";
xmlns:security="http://www.springframework.org/schema/security";
xmlns:context="http://www.springframework.org/schema/context";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd";>
<context:annotation-config/>
<bean id="springSecurityFilterChain"
class="org.springframework.security.web.FilterChainProxy">
<security:filter-chain-map path-type="ant">
<!-- Backend - getDSAuthenticated gets auth filters, getDS does not -->
<security:filter-chain pattern="/getDSAuth*"
filters="ChannelFilter,AuthFilterJAAS,PEPFilter"/>
<security:filter-chain pattern="/getDS*" filters="ChannelFilter"/>
<!-- RISearch service gets auth protection -->
<security:filter-chain pattern="/risearch*"
filters="ChannelFilter,AuthFilterJAAS,PEPFilter"/>
<!-- REST API -->
<security:filter-chain pattern="/objects*/**"
filters="ChannelFilter,AuthFilterJAAS,PEPFilter"/>
<!-- User servlet -->
<security:filter-chain pattern="/user*"
filters="ChannelFilter,AuthFilterJAAS,PEPFilter "/>
<!-- Lite APIs -->
<security:filter-chain pattern="/get*/**"
filters="ChannelFilter,AuthFilterJAAS,PEPFilter"/>
<security:filter-chain pattern="/search*"
filters="ChannelFilter,AuthFilterJAAS,PEPFilter"/>
<security:filter-chain pattern="/describe*"
filters="ChannelFilter,AuthFilterJAAS,PEPFilter"/>
<security:filter-chain pattern="/list*/**"
filters="ChannelFilter,AuthFilterJAAS,PEPFilter"/>
<security:filter-chain pattern="/management/*/**"
filters="ChannelFilter,AuthFilterJAAS,PEPFilter"/>
<security:filter-chain pattern="/access"
filters="ChannelFilter,AuthFilterJAAS,PEPFilter"/>
<security:filter-chain pattern="/upload*"
filters="ChannelFilter,AuthFilterJAAS,PEPFilter"/>
<!-- SOAP APIs -->
<security:filter-chain pattern="/services/access"
filters="ChannelFilter,AuthFilterJAAS,PEPFilter"/>
<security:filter-chain pattern="/services/accessMTOM"
filters="ChannelFilter,AuthFilterJAAS,PEPFilter"/>
<security:filter-chain pattern="/services/management"
filters="ChannelFilter,AuthFilterJAAS,PEPFilter"/>
<security:filter-chain pattern="/services/managementMTOM"
filters="ChannelFilter,AuthFilterJAAS,PEPFilter"/>
<security:filter-chain pattern="/**" filters="ChannelFilter"/>
<!-- Uncomment to enable Classic AuthN <security:filter-chain
pattern="/**"
filters="ChannelFilter,SetupFilter,XmlUserfileFilter,EnforceAuthnFilter.FinalizeFilter"
/> End Classic AuthN -->
</security:filter-chain-map>
</bean>
<bean id="ChannelFilter"
class="org.springframework.security.web.access.channel.ChannelProcessingFilter">
<property name="channelDecisionManager" ref="channelDecisionManager"/>
<property name="securityMetadataSource">
<security:filter-invocation-definition-source path-type="ant">
<!-- This pattern is used by FedoraClient to determine whether apim
endpoint requires SSL or not -->
<security:intercept-url pattern="/management/upload"
access="${security.ssl.api.management}"/>
<security:intercept-url pattern="/services/management"
access="${security.ssl.api.management}"/>
<security:intercept-url pattern="/services/managementMTOM"
access="${security.ssl.api.management}"/>
<security:intercept-url pattern="/management/getNextPID"
access="${security.ssl.api.management}"/>
<security:intercept-url pattern="/getDSAuthenticated*/**"
access="${security.ssl.api.management}"/>
<security:intercept-url pattern="/**.jws"
access="${security.ssl.api.management}"/>
<security:intercept-url pattern="/get*/**"
access="${security.ssl.api.access}"/>
<security:intercept-url pattern="/describe*/**"
access="${security.ssl.api.access}"/>
<security:intercept-url pattern="/list*/**"
access="${security.ssl.api.access}"/>
<security:intercept-url pattern="/oai*"
access="${security.ssl.api.access}"/>
<security:intercept-url pattern="/risearch*"
access="${security.ssl.api.access}"/>
<security:intercept-url pattern="/search*"
access="${security.ssl.api.access}"/>
<security:intercept-url pattern="/services/access"
access="${security.ssl.api.access}"/>
<security:intercept-url pattern="/services/accessMTOM"
access="${security.ssl.api.access}"/>
<!-- This pattern is used by FedoraClient to determine whether apia
endpoint requires SSL or not -->
<security:intercept-url pattern="/wsdl*"
access="${security.ssl.api.access}"/>
<security:intercept-url pattern="**.jsp"
access="${security.ssl.api.access}"/>
</security:filter-invocation-definition-source>
</property>
</bean>
<bean id="channelDecisionManager"
class="org.springframework.security.web.access.channel.ChannelDecisionManagerImpl"
lazy-init="true">
<property name="channelProcessors">
<list>
<ref bean="secureChannelProcessor"/>
<ref bean="insecureChannelProcessor"/>
</list>
</property>
</bean>
<bean id="insecureChannelProcessor"
class="org.springframework.security.web.access.channel.InsecureChannelProcessor"
lazy-init="true"/>
<bean id="secureChannelProcessor"
class="org.springframework.security.web.access.channel.SecureChannelProcessor"
lazy-init="true">
<property name="entryPoint" ref="HTTPS"/>
</bean>
<bean id="HTTPS"
class="org.springframework.security.web.access.channel.RetryWithHttpsEntryPoint"
lazy-init="true">
<property name="portMapper" ref="portMapper"/>
<property name="portResolver" ref="portResolver"/>
</bean>
<bean id="portMapper" class="org.springframework.security.web.PortMapperImpl">
<property name="portMappings">
<map>
<entry key="${fedora.port}" value="${fedora.port.secure}"/>
</map>
</property>
</bean>
<bean id="portResolver"
class="org.springframework.security.web.PortResolverImpl">
<property name="portMapper" ref="portMapper"/>
</bean>
<!-- FeSL JAAS Authn bean -->
<bean id="AuthFilterJAAS"
class="org.fcrepo.server.security.jaas.AuthFilterJAAS"
init-method="init" lazy-init="true">
<!-- OPTIONAL. A comma separated list of class names for user principals.
First one that is found is effective only. -->
<property name="userClassNames"
value="org.fcrepo.server.security.jaas.auth.UserPrincipal"/>
<!-- True iff API-A requests via the REST API require authentication.
If not specified, defaults to true. -->
<property name="authnAPIA"
value="${security.fesl.authN.jaas.apia.enabled}"/>
</bean>
<!-- Upstream authn bean -->
<bean id="UpstreamAuthFilter"
class="org.fcrepo.security.http.AuthZHttpRequestAttributesFilter"
lazy-init="true" init-method="init">
<property name="names" value="eduPersonPrincipalName eduPersonAffiliation"/>
<property name="principalHeader" value="eduPersonPrincipalName"></property>
</bean>
<!-- Classic authn beans -->
<bean id="SetupFilter"
class="org.fcrepo.server.security.servletfilters.FilterSetup"
lazy-init="true" init-method="init">
<property name="config">
<bean class="org.fcrepo.common.http.FilterConfigBean">
<property name="filterName" value="SetupFilter"/>
</bean>
</property>
</bean>
<bean id="XmlUserfileFilter"
class="org.fcrepo.server.security.servletfilters.xmluserfile.FilterXmlUserfile"
lazy-init="true"
init-method="init">
<property name="config">
<bean class="org.fcrepo.common.http.FilterConfigBean">
<property name="filterName" value="XmlUserfileFilter"/>
</bean>
</property>
</bean>
<bean id="EnforceAuthnFilter"
class="org.fcrepo.server.security.servletfilters.FilterEnforceAuthn"
lazy-init="true" init-method="init">
<property name="config">
<bean class="org.fcrepo.common.http.FilterConfigBean">
<property name="filterName" value="EnforceAuthnFilter"/>
</bean>
</property>
</bean>
<bean id="FinalizeFilter"
class="org.fcrepo.server.security.servletfilters.FilterFinalize"
lazy-init="true" init-method="init">
<property name="config">
<bean class="org.fcrepo.common.http.FilterConfigBean">
<property name="filterName" value="FinalizeFilte"/>
</bean>
</property>
</bean>
<bean id="RestApiAuthnFilter"
class="org.fcrepo.server.security.servletfilters.FilterRestApiAuthn"
lazy-init="true" init-method="init">
<property name="config">
<bean class="org.fcrepo.common.http.FilterConfigBean">
<property name="filterName" value="FilterRestApiAuthn"/>
</bean>
</property>
</bean>
</beans>
David Lacy
Falvey Library Technology Services
Villanova University
library.villanova.edu
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: Tuesday, October 09, 2012 10:59 AM
> To: Support and info exchange list for Fedora users.
> Subject: Re: [fcrepo-user] findObjects REST API and 3.6 problem
>
> Can you show us your Spring config for authN
> (config/spring/web/security.xml)? I
> could be totally off-base here, but I suspect this may have to do with the
> fact that
> findObjects is supported by a distinct servlet.
>
> ---
> A. Soroka
> Software & Systems Engineering :: Online Library Environment
> the University of Virginia Library
>
> On Oct 9, 2012, at 10:53 AM, David Lacy wrote:
>
> > Greetings,
> >
> > I've been testing 3.6.1 and encountered a weird problem. I have a repo-wide
> policy (FESL) that grants API-A access to localhost, which works across the
> board
> except on the findObjects method. If I pass along admin credentials, the
> fedora-
> policy:access-admin policy matches and I receive the expected results. My
> combining algorithm is set to HierarchicalLowestChildPermitOverridesPolicyAlg
> >
> > Here's my service call:
> > http://localhost:8088/fedora/objects?pid=true&title=true&terms=fedora-
> system:FedoraObject-3.0&query=&maxResults=20&resultFormat=xml
> >
> > Here is what I believe to be a pertinent section of the log:
> >
> > ....
> > DEBUG 2012-10-09 10:31:53.516 [http-8088-2] (AttributeFinderModule) exiting
> parmsOk normally org.fcrepo.server.security.ContextAttributeFinderModule
> > DEBUG 2012-10-09 10:31:53.516 [http-8088-2] (AttributeFinderModule)
> willService() org.fcrepo.server.security.ContextAttributeFinderModule deny
> this
> known adhoc attribute urn:fedora:names:fedora:2.1:action:contextId
> > DEBUG 2012-10-09 10:31:53.516 [http-8088-2] (AttributeFinderModule)
> AttributeFinder:willService()
> org.fcrepo.server.security.ContextAttributeFinderModule returns false
> > DEBUG 2012-10-09 10:31:53.516 [http-8088-2] (AttributeFinderModule)
> AttributeFinder:getAttributeFromEvaluationCtxorg.fcrepo.server.security.ContextAtt
> ributeFinderModule exit on couldn't get resource attribute from xacml request
> wrong bag n=0
> > DEBUG 2012-10-09 10:31:53.516 [http-8088-2] (ContextAttributeFinderModule)
> ContextAttributeFinder:getContextId exit on can't get contextId on request
> callback
> > DEBUG 2012-10-09 10:31:53.516 [http-8088-2] (ContextAttributeFinderModule)
> contextId=null attributeId=urn:fedora:names:fedora:2.1:subject:role
> > DEBUG 2012-10-09 10:31:53.516 [http-8088-2] (AttributeFinderModule)
> org.fcrepo.server.security.ContextAttributeFinderModule got temp=null
> > DEBUG 2012-10-09 10:31:53.516 [http-8088-2] (AttributeFinderModule)
> AttributeFinder:findAttribute exit on attribute value not
> foundorg.fcrepo.server.security.ContextAttributeFinderModule
> > DEBUG 2012-10-09 10:31:53.516 [http-8088-2] (PolicyManager) Matched policies
> and created abstract policy.
> > DEBUG 2012-10-09 10:31:53.516 [http-8088-2] (MelcoePDPImpl) response is:
> <Response>
> > <Result ResourceId="/fedora-system:FedoraObject-3.0">
> > <Decision>NotApplicable</Decision>
> > <Status>
> > <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
> > </Status>
> > </Result>
> > </Response>
> > .....
> >
> > Thanks for your time.
> >
> > David Lacy
> > Falvey Library Technology Services
> > Villanova University
> > library.villanova.edu
> >
> > ------------------------------------------------------------------------------
> > Don't let slow site performance ruin your business. Deploy New Relic APM
> > Deploy New Relic app performance management and know exactly
> > what is happening inside your Ruby, Python, PHP, Java, and .NET app
> > Try New Relic at no cost today and get our sweet Data Nerd shirt too!
> > http://p.sf.net/sfu/newrelic-
> dev2dev_______________________________________________
> > Fedora-commons-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
>
>
> ------------------------------------------------------------------------------
> Don't let slow site performance ruin your business. Deploy New Relic APM
> Deploy New Relic app performance management and know exactly
> what is happening inside your Ruby, Python, PHP, Java, and .NET app
> Try New Relic at no cost today and get our sweet Data Nerd shirt too!
> http://p.sf.net/sfu/newrelic-dev2dev
> _______________________________________________
> Fedora-commons-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
Fedora-commons-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
