Comment: Migrated to Confluence 4.0

...

This document is meant to provide a brief overview of the Spring Security implementation as configured in the Sugar 5.x BA ServerPlatform. For more detailed information, see the Security section of the Advanced BI Platform Documentation.

...

Related Files

File

Purpose

web.xml

  • contains context-param contextConfigLocation which points to pentaho-spring-beans.xml
  • adds Spring Security Filter Chain Proxy filter using targetBean filterChainProxy

pentaho-spring-beans.xml

  • imports the security-centric Spring XML config files

applicationContext-spring-security.xml

  • defines filterChainProxy which maps filter beans to URL patterns
  • defines custom applicationEventMulticaster to ensure order of listeners is preserved
  • provides support for anonymous session handling
  • adds listeners to start session upon successful authentication event
  • httpSessionReuseDetectionFilter
    • prevents multiple logins
  • requestParameterProcessingFilter
    • attempts authentication using the provided manager when username and password credentials are present
  • httpSessionPentahoSessionContextIntegrationFilter
    • Provides persistence of PentahoSession between requests for an authenticated user
    • Stores Pentaho session in PentahoSessionHolder before filter chain is executed
    • Stores Pentaho session in HttpSession after chain is executed
    • Limits use of session creation and access to preserve resources
  • httpSessionContextIntegrationFilter
    • Persists SecurityContext between requests in HttpSession
    • defines logoutFilter which uses PentahoLogoutHandler to invalidate PentahoSession and Spring's SecurityContextLogoutHandler to invalidate HttpSession and clear SecurityContext
  • securityContextHolderAwareRequestFilter
    • Adds securityContextHolderAwareRequestWrapper, which uses the Authentication object held in the SecurityContext to answer isUserInRole() and getRemoteUser()
    • another instance is added for web service requests to /webservices/* and /api/*
  • exceptionTranslationFilter
    • used to handle AccessDeniedException and AuthenticationExceptions thrown in the filter chain and redirect accordingly
    • uses authenticationProcessingFilterEntryPoint for /*, basicProcessingFilterEntryPoint for /webservices/* and /api/*
  • filterInvocationInterceptor and filterInvocationInterceptorWS map resource URL patterns to roles

applicationContext-spring-security-superuser.xml

  • uses an in-memory user map to provide a fallback in case repo credentials are lost
  • Provides superAuthenticationProvider, which uses DaoAuthenticationProvider to access the in-memory user map provided by superUserDetailsService

applicationContext-common-authorization.xml

  • provides a custom RoleVoter implementation that strips the user-specified prefix from config attributes before comparing them with authorities

applicationContext-pentaho-security-jackrabbit.xml

  • defines UserRoleListService using the userRoleDaoProxy bean provided by repository.spring.xml, which wraps the default JCR DAO implementation with transaction management and method-level security
  • UserRoleListService uses the tenantedUserNameUtils and tenantedRoleNameUtils beans defined in repository.spring.xml, which are used to derive a user's tenant and user name from a user id and vice versa

applicationContext-spring-security-jackrabbit.xml

  • defines authenticationProvider and userDetailsService beans which use userRoleDaoTxn defined in repository.spring.xml, which in turn wraps the default JCR DAO implementation with transaction management (but not method-level security)
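
The prefix-stripping comparison described for the custom RoleVoter in applicationContext-common-authorization.xml, as an added example that is not Pentaho's or Spring Security's own code. It is a JDK-only model; the class name, the vote() helper, the ROLE_ prefix and the role names are assumptions constructed for illustration.

```java
import java.util.List;

// Added illustration: a JDK-only model of role voting, not Pentaho or Spring code.
public class PrefixStrippingVoterDemo {
    // Same values as Spring Security's AccessDecisionVoter constants.
    static final int ACCESS_GRANTED = 1, ACCESS_ABSTAIN = 0, ACCESS_DENIED = -1;

    /**
     * Votes on one protected resource.
     * @param prefix      configured role prefix (assumed "ROLE_" in this example)
     * @param strip       true = remove the prefix before comparing, as the page describes
     * @param attributes  config attributes mapped to the requested URL pattern
     * @param authorities authority names granted to the authenticated user
     */
    static int vote(String prefix, boolean strip,
                    List<String> attributes, List<String> authorities) {
        int result = ACCESS_ABSTAIN;
        for (String attribute : attributes) {
            if (attribute == null || !attribute.startsWith(prefix)) {
                continue; // not a role attribute: this voter has no opinion on it
            }
            result = ACCESS_DENIED; // a role is required; deny unless one matches
            String required = strip ? attribute.substring(prefix.length()) : attribute;
            if (authorities.contains(required)) { // exact, case-sensitive comparison
                return ACCESS_GRANTED;
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample data: repository roles stored without a prefix.
        List<String> user = List.of("Administrator", "Authenticated");
        List<String> adminUrl = List.of("ROLE_Administrator");

        // Prefix kept: "ROLE_Administrator" is compared with "Administrator".
        System.out.println("no strip:   " + vote("ROLE_", false, adminUrl, user));
        // Prefix stripped first: "Administrator" is compared with "Administrator".
        System.out.println("strip:      " + vote("ROLE_", true, adminUrl, user));
        // Stripping does not loosen matching: a role the user lacks still fails.
        System.out.println("other role: "
                + vote("ROLE_", true, List.of("ROLE_Auditor"), user));
        // An attribute without the prefix is skipped, so the voter abstains.
        System.out.println("unprefixed: "
                + vote("ROLE_", true, List.of("Administrator"), user));
    }
}
```

The abstain case is the one to check when reviewing URL-to-role mappings: an attribute written without the configured prefix is never evaluated by this voter, so the outcome falls to whatever the access decision manager does when all voters abstain.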