georchestra#37: simplified backend security configuration and switche…

…d SecurityDAO to the one supporting external users

web/src/main/resources/geostore-spring-security.xml

@@ -22,11 +22,11 @@
 
 	<security:http auto-config="true" create-session="never" >
 		<security:http-basic entry-point-ref="restAuthenticationEntryPoint"/>
-		<!--security:custom-filter ref="authenticationTokenProcessingFilter" before="FORM_LOGIN_FILTER"/-->
 		<security:custom-filter ref="sessionTokenProcessingFilter" after="FORM_LOGIN_FILTER"/>
 		<security:custom-filter ref="headersProcessingFilter" before="FORM_LOGIN_FILTER"/>
 		<security:anonymous />
 	</security:http>
+
 	<!-- Entry point -->
 	<bean id="restAuthenticationEntryPoint" class="it.geosolutions.geostore.services.rest.security.RestAuthenticationEntryPoint" >
 		<property name="realmName" value="GeoStore"></property>
@@ -35,11 +35,6 @@
 	<bean id="geoStoreUserServiceAuthenticationProvider"
 		class="it.geosolutions.geostore.services.rest.security.UserServiceAuthenticationProvider">
 	</bean>
-
-    <!-- GeOrchestra header based Auth Provider -->
-	<bean id="georchestraAuthenticationProvider"
-		class="it.geosolutions.geostore.services.rest.security.PreAuthenticatedAuthenticationProvider">
-	</bean>
 
 	<bean class="it.geosolutions.geostore.services.rest.security.UserAttributeTokenAuthenticationFilter"
         id="authenticationTokenProcessingFilter">
@@ -50,100 +45,35 @@
             <property name="validateUserFromService" value="false"/>
 	</bean>
 
+    <!-- GeOrchestra header based Auth Provider -->
+	<bean id="georchestraAuthenticationProvider"
+		class="it.geosolutions.geostore.services.rest.security.PreAuthenticatedAuthenticationProvider">
+	</bean>
+
     <!-- GeOrchestra header based Auth Filter -->
     <bean class="it.geosolutions.geostore.services.rest.security.HeadersAuthenticationFilter"
         id="headersProcessingFilter">
+            <property name="addEveryOneGroup" value="true"/>
             <property name="usernameHeader" value="sec-username"/>
             <property name="groupsHeader" value="sec-roles"/>
             <property name="authoritiesMapper" ref="rolesMapper"/>
 	</bean>
 
+    <!-- GeOrchestra groups to roles mapper for Headers Auth Filter -->
     <bean id="rolesMapper" class="it.geosolutions.geostore.core.security.SimpleGrantedAuthoritiesMapper">
         <constructor-arg>
             <map>
                 <entry key="MAPSTORE_ADMIN" value="ADMIN"/>
             </map>
         </constructor-arg>
     </bean>
-
-	<!-- bean class="it.geosolutions.geostore.services.rest.security.WebServiceTokenAuthenticationFilter"
-        id="authenticationTokenProcessingFilter">
-        <constructor-arg><value>http://localhost:8080/geoserver/www/{token}.txt</value></constructor-arg>
-    </bean-->
 
-	<!-- Inject into the Authentication Manager the GeoStore Auth Provider -->
+	<!-- Inject into the Authentication Manager the GeOrchestra Auth Provider -->
 	<security:authentication-manager>
         <security:authentication-provider ref='georchestraAuthenticationProvider' />
-		<!--security:authentication-provider ref='geoStoreUserServiceAuthenticationProvider' /-->
-		<!-- security:authentication-provider ref='geostoreLdapProvider' / -->
 	</security:authentication-manager>
-
-	<!-- LDAP Auth Provider -->
-	<!-- Simple namespace-based configuration -->
-
-	<!-- Starts an internal LDAP server -->
-	<!-- security:ldap-server ldif="classpath*:users.ldif" port="33389" root="${ldap.root}"/ -->
-
-	<!-- security:authentication-manager>
-		<security:ldap-authentication-provider
-			user-search-filter="(uid={0})" 
-			user-search-base="ou=people"
-			group-search-filter="(member={0})" 
-			group-search-base="ou=groups"
-			group-role-attribute="cn" 
-			role-prefix="ROLE_">
-		</security:ldap-authentication-provider>
-		<security:authentication-provider ref='geostoreLdapProvider' />
-	</security:authentication-manager -->
-
-	<!-- Traditional Bean version of the same configuration -->
-
-	<!-- This bean points at the embedded directory server created by the ldap-server element above -->
-	<bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
-		<constructor-arg value="ldap://${ldap.host}:${ldap.port}/${ldap.root}" />
-	</bean>
-
-    <!-- 
-     <bean id="ldapInitializer" class="it.geosolutions.geostore.init.LDAPInit" lazy-init="false">
-       <constructor-arg ref="geostoreLdapProvider" />
-     </bean>
-     -->
-
-	<bean id="geostoreLdapProvider"
-		class="it.geosolutions.geostore.services.rest.security.UserLdapAuthenticationProvider">
-		<constructor-arg>
-			<bean
-				class="org.springframework.security.ldap.authentication.BindAuthenticator">
-				<constructor-arg ref="contextSource" />
-				<property name="userSearch">
-					<bean id="userSearch"
-						class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
-						<constructor-arg index="0" value="ou=people" />
-						<constructor-arg index="1" value="(uid={0})" />
-						<constructor-arg index="2" ref="contextSource" />
-					</bean>
-				</property>
-			</bean>
-		</constructor-arg>
-		<constructor-arg>
-			<bean
-				class="it.geosolutions.geostore.services.rest.security.GeoStoreLdapAuthoritiesPopulator">
-				<constructor-arg ref="contextSource" />
-				<!-- groupSearchBase -->
-				<constructor-arg value="ou=groups" />
-				<!-- roleSearchBase -->
-				<constructor-arg value="ou=roles" />
-				<property name="groupSearchFilter" value="(lrGroupOccupant={0})" />
-				<property name="roleSearchFilter" value="(roleOccupant={0})" />
-				<!-- the GeoStore convetion is:
-				  * Groups starting with 'ROLE_' will be threated as Auth Roles
-				  * Groups starting withOUT 'ROLE_' will be threated as Groups
-				 -->
-				<property name="rolePrefix" value="ROLE_" />
-				<property name="searchSubtree" value="true" />
-				<property name="convertToUpperCase" value="true" />
-			</bean>
-		</constructor-arg>
-	</bean>
+
+    <!-- SecurityDAO using externals users -->
+    <alias name="externalSecurityDAO" alias="securityDAO"/>
 
 </beans>