github
/
spring-security-samples
mirror of https://github.com/spring-projects/spring-security-samples


			
				
					
						
						
							12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970
							<?xml version="1.0" encoding="UTF-8"?>
<!--
  - Application context containing authentication, channel
  - security and web URI beans.
  -
  - Only used by "filter" artifact.
  -
  -->

<b:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:b="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd
						http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd">

	<global-method-security pre-post-annotations="enabled">
		<expression-handler ref="expressionHandler"/>
	</global-method-security>

	<http realm="Contacts Realm">
		<intercept-url pattern="/" access="permitAll"/>
		<intercept-url pattern="/index.jsp" access="permitAll"/>
		<intercept-url pattern="/hello.htm" access="permitAll"/>
		<intercept-url pattern="/login.jsp*" access="permitAll"/>
		<intercept-url pattern="/switchuser.jsp" access="hasRole('SUPERVISOR')"/>
		<intercept-url pattern="/login/impersonate" access="hasRole('SUPERVISOR')"/>
		<intercept-url pattern="/**" access="hasRole('USER')"/>

		<form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1"/>
		<http-basic/>
		<logout logout-success-url="/index.jsp"/>
		<remember-me />
		<headers/>
		<csrf/>
		<custom-filter ref="switchUserProcessingFilter" position="SWITCH_USER_FILTER"/>
	</http>

	<b:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

	<authentication-manager>
		<authentication-provider>
		   <password-encoder ref="encoder"/>
		   <jdbc-user-service data-source-ref="dataSource"/>
		</authentication-provider>
	</authentication-manager>

	<!-- Automatically receives AuthenticationEvent messages -->
	<b:bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener"/>

	<!-- Filter used to switch the user context. Note: the switch and exit url must be secured
		based on the role granted the ability to 'switch' to another user -->
	<!-- In this example 'rod' has ROLE_SUPERVISOR that can switch to regular ROLE_USER(s) -->
	<b:bean id="switchUserProcessingFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter" autowire="byType">
	   <b:property name="targetUrl" value="/secure/index.htm"/>
	</b:bean>

	<b:bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
		<b:property name="permissionEvaluator" ref="permissionEvaluator"/>
		<b:property name="permissionCacheOptimizer">
			<b:bean class="org.springframework.security.acls.AclPermissionCacheOptimizer">
				<b:constructor-arg ref="aclService"/>
			</b:bean>
		</b:property>
	</b:bean>

	<b:bean id="permissionEvaluator" class="org.springframework.security.acls.AclPermissionEvaluator">
		<b:constructor-arg ref="aclService"/>
	</b:bean>

</b:beans>