From 7467ed245f53d1909fa9b5b3e0a118caa5dcce47 Mon Sep 17 00:00:00 2001
From: vipinkumar7 <vipinkumar.work@gmail.com>
Date: Wed, 23 Dec 2015 01:28:33 +0530
Subject: [PATCH] Kylin 458 initial

---
 pom.xml                                            |   2 +-
 server/pom.xml                                     |  12 ++
 server/src/main/resources/applicationContext.xml   |  12 +-
 server/src/main/resources/kylin-oauth-provider.xml | 129 +++++++++++++++++++++
 server/src/main/resources/kylin-oauth-security.xml |  46 ++++++++
 server/src/main/resources/kylinSecurity.xml        |  22 ++--
 server/src/main/webapp/WEB-INF/kylin-servlet.xml   |  10 +-
 server/src/main/webapp/WEB-INF/web.xml             |   5 +-
 8 files changed, 214 insertions(+), 24 deletions(-)
 create mode 100644 server/src/main/resources/kylin-oauth-provider.xml
 create mode 100644 server/src/main/resources/kylin-oauth-security.xml

diff --git a/pom.xml b/pom.xml
index cffd382..134634e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -83,7 +83,7 @@
         <opencsv.version>2.3</opencsv.version>
 
         <!-- REST Service -->
-        <spring.framework.version>3.1.2.RELEASE</spring.framework.version>
+        <spring.framework.version>3.2.7.RELEASE</spring.framework.version>
 
         <!-- Calcite Version -->
         <calcite.version>1.4.0-incubating</calcite.version>
diff --git a/server/pom.xml b/server/pom.xml
index 722d951..346b39e 100644
--- a/server/pom.xml
+++ b/server/pom.xml
@@ -199,6 +199,18 @@
             <artifactId>spring-security-ldap</artifactId>
             <version>${spring.framework.version}</version>
         </dependency>
+	<dependency>
+	<groupId>org.springframework</groupId>
+	<artifactId>spring-context-support</artifactId>
+	<version>${spring.framework.version}</version>
+	</dependency>
+			<!-- Spring Security OAuth -->
+	<dependency>
+	<groupId>org.springframework.security.oauth</groupId>
+	<artifactId>spring-security-oauth2</artifactId>
+	<version>2.0.8.RELEASE</version>
+	</dependency>
+
         <dependency>
             <groupId>net.sf.ehcache</groupId>
             <artifactId>ehcache</artifactId>
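Review bot: The new dependency elements at L40-L50 are indented with tabs while the rest of this block uses four spaces, and `spring-security-oauth2` is the only artifact in view whose version (`2.0.8.RELEASE`) is hard-coded instead of pinned through a property like `${spring.framework.version}`; re-indent to match and reference a `spring.security.oauth.version` property so the OAuth version is bumped in one place. Note also that `spring-security-ldap` at L37-L38 is versioned with `${spring.framework.version}`, so the parent-pom bump to 3.2.7 silently assumes a Spring Security 3.2.7 / Spring Security OAuth 2.0.8 pairing — worth confirming against that release's declared dependencies before merging.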
diff --git a/server/src/main/resources/applicationContext.xml b/server/src/main/resources/applicationContext.xml
index 6002098..30499cb 100644
--- a/server/src/main/resources/applicationContext.xml
+++ b/server/src/main/resources/applicationContext.xml
@@ -22,15 +22,15 @@
 	xmlns:p="http://www.springframework.org/schema/p"
 	xmlns:jdbc="http://www.springframework.org/schema/jdbc"
 	xsi:schemaLocation="http://www.springframework.org/schema/beans
-    http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
+    http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
     http://www.springframework.org/schema/context
-    http://www.springframework.org/schema/context/spring-context-3.1.xsd
+    http://www.springframework.org/schema/context/spring-context-3.2.xsd
     http://www.springframework.org/schema/task
-    http://www.springframework.org/schema/task/spring-task-3.1.xsd
+    http://www.springframework.org/schema/task/spring-task-3.2.xsd
     http://www.springframework.org/schema/mvc
-    http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
+    http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd
     http://www.springframework.org/schema/aop
-    http://www.springframework.org/schema/aop/spring-aop-3.1.xsd
+    http://www.springframework.org/schema/aop/spring-aop-3.2.xsd
     http://www.springframework.org/schema/cache
     http://www.springframework.org/schema/cache/spring-cache.xsd
     http://www.springframework.org/schema/jdbc  
@@ -113,4 +113,4 @@
 			class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"
 			p:configLocation="classpath:ehcache-test.xml" p:shared="true" />
 	</beans>
-</beans>
\ No newline at end of file
+</beans>
diff --git a/server/src/main/resources/kylin-oauth-provider.xml b/server/src/main/resources/kylin-oauth-provider.xml
new file mode 100644
index 0000000..a9c2b90
--- /dev/null
+++ b/server/src/main/resources/kylin-oauth-provider.xml
@@ -0,0 +1,129 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
+	xmlns:security="http://www.springframework.org/schema/security"
+	xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2 http://www.springframework.org/schema/security/spring-security-oauth2.xsd
+		http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
+		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd">
+
+	<bean id="tokenStore"
+		class="org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore" />
+
+
+	<!-- user auth -->
+	<bean id="passwordEncoder"
+		class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
+
+
+	<!--ldap provider can be directly added here -->
+
+	<authentication-manager alias="authenticationManager"
+		xmlns="http://www.springframework.org/schema/security">
+		<authentication-provider>
+			<user-service id="userDetailsService">
+				<user name="MODELER"
+					password="$2a$10$Le5ernTeGNIARwMJsY0WaOLioNQdb0QD11DwjeyNqqNRp5NaDo2FG"
+					authorities="ROLE_MODELER" />
+				<user name="ANALYST"
+					password="$2a$10$s4INO3XHjPP5Vm2xH027Ce9QeXWdrfq5pvzuGr9z/lQmHqi0rsbNi"
+					authorities="ROLE_ANALYST" />
+				<user name="ADMIN"
+					password="$2a$10$o3ktIWsGYxXNuUWQiYlZXOW5hWcqyNAFQsSSCSEWoC/BRVMAUjL32"
+					authorities="ROLE_MODELER, ROLE_ANALYST, ROLE_ADMIN" />
+			</user-service>
+			<security:password-encoder ref="passwordEncoder"></security:password-encoder>
+		</authentication-provider>
+	</authentication-manager>
+
+	<authentication-manager id="clientAuthenticationManager"
+		xmlns="http://www.springframework.org/schema/security">
+		<authentication-provider user-service-ref="clientDetailsUserService" />
+	</authentication-manager>
+
+
+
+	<bean id="clientDetailsUserService"
+		class="org.springframework.security.oauth2.provider.client.ClientDetailsUserDetailsService">
+		<constructor-arg ref="clientDetails" />
+	</bean>
+
+
+	<!-- ========================= -->
+	<!-- OAUTH 2 : RESOURCE SERVER -->
+	<!-- ========================= -->
+	<oauth:resource-server id="resourceServerFilter"
+		resource-id="kylin" token-services-ref="tokenServices" stateless="false" />
+
+
+
+	<bean id="tokenServices"
+		class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
+		<property name="tokenStore" ref="tokenStore" />
+		<property name="supportRefreshToken" value="true" />
+		<property name="clientDetailsService" ref="clientDetails" />
+		<property name="accessTokenValiditySeconds" value="604800" />
+	</bean>
+
+
+	<!-- client for test only jdbc will be used later -->
+	<oauth:client-details-service id="clientDetails">
+
+		<oauth:client client-id="kylinadmin"
+			authorized-grant-types="password,authorization_code,refresh_token"
+			authorities="ROLE_ADMIN,ROLE_MODELER,ROLE_ANALYST" scope="read,write,trust"
+			secret="kylinsecret" autoapprove="true" redirect-uri="http://example.com" />
+		<oauth:client client-id="kylinanalyst"
+			authorized-grant-types="password,authorization_code,refresh_token"
+			authorities="ROLE_ANALYST" scope="read,trust" secret="kylinsecret"
+			autoapprove="true" redirect-uri="http://example.com" />
+	</oauth:client-details-service>
+	<!-- ============================== -->
+	<!-- OAUTH 2 : AUTHORIZATION SERVER -->
+	<!-- ============================== -->
+	<oauth:authorization-server
+		client-details-service-ref="clientDetails" token-services-ref="tokenServices">
+		<oauth:authorization-code />
+		<oauth:implicit />
+		<oauth:refresh-token />
+		<oauth:client-credentials />
+		<oauth:password />
+	</oauth:authorization-server>
+
+	<bean id="accessDecisionManager" class="org.springframework.security.access.vote.UnanimousBased"
+		xmlns="http://www.springframework.org/schema/beans">
+		<constructor-arg>
+			<list>
+				<bean class="org.springframework.security.oauth2.provider.vote.ScopeVoter" />
+				<bean class="org.springframework.security.access.vote.RoleVoter" />
+				<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
+			</list>
+		</constructor-arg>
+	</bean>
+	<security:global-method-security
+		pre-post-annotations="enabled" proxy-target-class="true">
+		<security:expression-handler ref="oauthExpressionHandler" />
+	</security:global-method-security>
+
+	<oauth:expression-handler id="oauthExpressionHandler" />
+
+	<oauth:web-expression-handler id="oauthWebExpressionHandler" />
+
+	<!-- this is for parameter based authntication -->
+	<bean id="clientCredentialsTokenEndpointFilter"
+		class="org.springframework.security.oauth2.provider.client.ClientCredentialsTokenEndpointFilter">
+		<property name="authenticationManager" ref="clientAuthenticationManager" />
+	</bean>
+
+	<bean id="oauthAccessDeniedHandler"
+		class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />
+
+	<bean id="oauthAuthenticationEntryPoint"
+		class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
+	</bean>
+
+	<bean id="clientAuthenticationEntryPoint"
+		class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
+		<property name="realmName" value="kylin" />
+
+	</bean>
+</beans>
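Review bot: Both OAuth clients at L163-L170 share the same plaintext secret `kylinsecret`, have `autoapprove="true"`, accept the `password` grant, and register a non-HTTPS `redirect-uri="http://example.com"`; because `clientAuthenticationManager` (L130-L133) declares no password encoder, the secret is also compared in plaintext. The comment at L160 says this is test-only, but the file is loaded unconditionally via web.xml, so these credentials ship to every deployment — gate the block in a test profile or at least replace the comment with `<!-- TODO(security): test-only clients with a shared plaintext secret; must be replaced by the JDBC client store and HTTPS redirect URIs before release -->`. Separately, `InMemoryTokenStore` (L101-L102) with a seven-day `accessTokenValiditySeconds` (L156) means tokens are neither revocable across restarts nor visible to other nodes, which conflicts with the `<distributable />` marker in web.xml.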
diff --git a/server/src/main/resources/kylin-oauth-security.xml b/server/src/main/resources/kylin-oauth-security.xml
new file mode 100644
index 0000000..8f9be16
--- /dev/null
+++ b/server/src/main/resources/kylin-oauth-security.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans:beans xmlns="http://www.springframework.org/schema/security"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
+	xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
+		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd">
+
+
+	<http pattern="/oauth/token" create-session="stateless"
+		authentication-manager-ref="clientAuthenticationManager"
+		xmlns="http://www.springframework.org/schema/security">
+		<intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY" />
+		<anonymous enabled="false" />
+		<http-basic entry-point-ref="oauthAuthenticationEntryPoint" />
+		<custom-filter ref="clientCredentialsTokenEndpointFilter"
+			before="BASIC_AUTH_FILTER" />
+
+		<access-denied-handler ref="oauthAccessDeniedHandler" />
+	</http>
+
+
+	<http security="none" pattern="/resources/**" />
+
+
+	<http pattern="cubes*/**" create-session="never"
+		entry-point-ref="oauthAuthenticationEntryPoint"
+		access-decision-manager-ref="accessDecisionManager"
+		xmlns="http://www.springframework.org/schema/security">
+		<anonymous enabled="false" />
+		<intercept-url pattern="/cubes*/**" access="ROLE_ADMIN,SCOPE_WRITE" />
+		<custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
+		<access-denied-handler ref="oauthAccessDeniedHandler" />
+	</http>
+
+
+	<http create-session="ifRequired" entry-point-ref="oauthAuthenticationEntryPoint"
+		use-expressions="true" xmlns="http://www.springframework.org/schema/security">
+		<anonymous enabled="false" />
+		<form-login  login-processing-url="/login"/>
+		<intercept-url pattern="/login" access="permitAll" />
+		<intercept-url pattern="/oauth/**" access="hasRole('ROLE_ADMIN')"/>
+		<intercept-url pattern="/**" access="authenticated" />
+	</http>
+
+	<beans:import resource="kylin-oauth-provider.xml" />
+
+</beans:beans>
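Review bot: The filter chain at L251 uses `pattern="cubes*/**"` without a leading slash, and as far as I can tell Spring's Ant matcher refuses to match a pattern and path that differ in their leading separator, so this chain never fires; the `intercept-url` inside it at L256 already spells the path as `/cubes*/**`, which looks like the intended value — change L251 to `<http pattern="/cubes*/**" create-session="never"`. As written, `/cubes` requests fall through to the catch-all chain at L262, where `resourceServerFilter` is absent (bearer tokens are ignored) and the rule is merely `authenticated`, so a form-login session for any user, including ANALYST, reaches cube endpoints without the `ROLE_ADMIN,SCOPE_WRITE` check. Also worth noting: the form-login chain relies on the Spring Security 3.2 XML namespace default, in which CSRF protection is off unless `<csrf/>` is declared.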
diff --git a/server/src/main/resources/kylinSecurity.xml b/server/src/main/resources/kylinSecurity.xml
index 22eea4c..2c952e7 100644
--- a/server/src/main/resources/kylinSecurity.xml
+++ b/server/src/main/resources/kylinSecurity.xml
@@ -13,12 +13,13 @@
 -->
 
 <beans xmlns="http://www.springframework.org/schema/beans" xmlns:tx="http://www.springframework.org/schema/tx" xmlns:scr="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans
-	http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
+	http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
 	http://www.springframework.org/schema/security
-	http://www.springframework.org/schema/security/spring-security-3.1.xsd
+	http://www.springframework.org/schema/security/spring-security-3.2.xsd
 	http://www.springframework.org/schema/tx
-    http://www.springframework.org/schema/tx/spring-tx-3.1.xsd">
+    http://www.springframework.org/schema/tx/spring-tx-3.2.xsd">
 
+<!--
 	<scr:global-method-security pre-post-annotations="enabled">
 		<scr:expression-handler ref="expressionHandler" />
 	</scr:global-method-security>
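Review bot: Commenting out `global-method-security` with `expressionHandler` here, while the new kylin-oauth-provider.xml registers its own `global-method-security` backed by `<oauth:expression-handler>`, changes which permission evaluator `@PreAuthorize` expressions see; the ACL beans at L304-L310 are kept, but whatever wired them into `expressionHandler` is inside the commented-out region and not in view. If `hasPermission(...)` checks depended on that wiring, they now fall back to the OAuth handler's default deny-all evaluator, so cube/project ACL checks would fail closed for everyone. Either carry a `permission-evaluator` into the new handler or add a comment at L291 such as `<!-- TODO: ACL permissionEvaluator not yet wired into oauthExpressionHandler; hasPermission() currently denies -->` so the gap is tracked. The commented block opened at L291 continues past this hunk.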
@@ -44,9 +45,9 @@
 		<scr:session-management session-fixation-protection="newSession" />
 	</scr:http>
 	
-	<!-- user auth -->
+	
 	<bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
-
+-->
 	<!-- acl config -->
 	<bean id="aclPermissionFactory" class="org.apache.kylin.rest.security.AclPermissionFactory" />
 
@@ -82,7 +83,7 @@
 	<bean id="permissionGrantingStrategy" class="org.springframework.security.acls.domain.DefaultPermissionGrantingStrategy">
 		<constructor-arg ref="auditLogger" />
 	</bean>
-	
+	<!--
 	<beans profile="default">
 		<bean id="ldapUserAuthProvider" class="org.apache.kylin.rest.security.LdapProvider">
 			<constructor-arg>
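Review bot: The `<!--` at L312 disables the entire `default`-profile LDAP configuration, and nothing in the new OAuth files is gated by a `<beans profile>`, so the in-memory `MODELER`/`ANALYST`/`ADMIN` accounts from kylin-oauth-provider.xml become the only authentication path for every deployment, not just the test profile. Prefer deleting this block or moving the OAuth provider under its own profile rather than leaving a large commented-out configuration that will drift from the live one. The commented region opened here runs past the end of this hunk.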
@@ -131,13 +132,13 @@
 		</bean>
 
 		<scr:authentication-manager alias="authenticationManager">
-			<!-- do user ldap auth -->
+			
 			<scr:authentication-provider ref="ldapUserAuthProvider"></scr:authentication-provider>
 
-			<!-- do service account ldap auth -->
+			
 			<scr:authentication-provider ref="ldapServiceAccountAuthProvider"></scr:authentication-provider>
 
-			<!-- custom user provider <authentication-provider user-service-ref="userService"> <password-encoder ref="passwordEncoder" /> </authentication-provider> -->
+			<authentication-provider user-service-ref="userService"> <password-encoder ref="passwordEncoder" /> </authentication-provider> 
 		</scr:authentication-manager>
 
 		<bean id="ldapSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
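Review bot: The provider un-commented at L329 is written as `<authentication-provider ...>` without the `scr:` prefix this file uses for every other security element (L322, L326), so if the enclosing block is ever restored it will resolve in the default beans namespace and fail schema validation; it should read `<scr:authentication-provider user-service-ref="userService"><scr:password-encoder ref="passwordEncoder" /></scr:authentication-provider>`. It also references `passwordEncoder`, which this patch moves out of this file into kylin-oauth-provider.xml, and `userService`, whose definition is not in view. The explanatory comments removed at L320 and L324 were presumably dropped only because `--` cannot appear inside an XML comment; if the block is kept, restore the intent with non-comment text or delete the dead configuration outright.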
@@ -159,4 +160,5 @@
 			</scr:authentication-provider>
 		</scr:authentication-manager>
 	</beans>
-</beans>
\ No newline at end of file
+-->
+</beans>
diff --git a/server/src/main/webapp/WEB-INF/kylin-servlet.xml b/server/src/main/webapp/WEB-INF/kylin-servlet.xml
index c351c6b..3c01a6c 100644
--- a/server/src/main/webapp/WEB-INF/kylin-servlet.xml
+++ b/server/src/main/webapp/WEB-INF/kylin-servlet.xml
@@ -18,11 +18,11 @@
        xmlns:mvc="http://www.springframework.org/schema/mvc"
        xmlns:task="http://www.springframework.org/schema/task"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
-    http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
+    http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
     http://www.springframework.org/schema/context
-    http://www.springframework.org/schema/context/spring-context-3.1.xsd
+    http://www.springframework.org/schema/context/spring-context-3.2.xsd
     http://www.springframework.org/schema/task
-    http://www.springframework.org/schema/task/spring-task-3.1.xsd
+    http://www.springframework.org/schema/task/spring-task-3.2.xsd
     http://www.springframework.org/schema/mvc
-    http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd">
-</beans>
\ No newline at end of file
+    http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd">
+</beans>
diff --git a/server/src/main/webapp/WEB-INF/web.xml b/server/src/main/webapp/WEB-INF/web.xml
index d0b413a..578558c 100644
--- a/server/src/main/webapp/WEB-INF/web.xml
+++ b/server/src/main/webapp/WEB-INF/web.xml
@@ -39,7 +39,8 @@ limitations under the License. See accompanying LICENSE file.
         <param-value>
             classpath:applicationContext.xml
             classpath:kylinSecurity.xml
-            classpath*:kylin-*-plugin.xml
+	    classpath:kylin-oauth-security.xml
+	    classpath*:kylin-*-plugin.xml
         </param-value>
     </context-param>
 
@@ -111,7 +112,7 @@ limitations under the License. See accompanying LICENSE file.
     </servlet>
     <servlet-mapping>
         <servlet-name>kylin</servlet-name>
-        <url-pattern>/api/*</url-pattern>
+        <url-pattern>/</url-pattern>
     </servlet-mapping>
     <distributable />
 </web-app>
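Review bot: Remapping the `kylin` servlet from `/api/*` to `/` at L382 is a breaking change for every existing REST client and, because the former `/api/**` security rules in kylinSecurity.xml are commented out by this patch, the only protection for those endpoints is now the catch-all `<http>` chain in kylin-oauth-security.xml. Mapping the DispatcherServlet to `/` also makes it the default servlet, so static UI assets outside `/resources/**` (the only `security="none"` path) are routed through Spring MVC and the security filters unless a default-servlet handler is configured in kylin-servlet.xml, which is not visible here. Document the new URL layout in the commit message or keep `/api/*` and adjust the filter-chain patterns instead.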
-- 
1.9.1

