<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:util="http://www.springframework.org/schema/util"
  xmlns:sec="http://www.springframework.org/schema/security"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
    http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.3.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-5.8.xsd">
  <!-- The Spring Schemas are the latest available schemas with pinned version numbers -->
  <!--
    Skip security for static content. A corresponding update to web.xml is required after any changes are made.
    security="none" maps a pattern to an empty Spring Security filter chain: matching requests get no
    authentication, and also no CSRF protection, no security response headers and no SecurityContext.
    NOTE(review): most patterns below match on file extension anywhere in the path, so every resource
    reachable under a URL ending in one of these extensions is public. Confirm that no dynamic handler
    is mapped to such URLs.
  -->
  <sec:http pattern="/**/*.svg" security="none"/>
  <sec:http pattern="/**/*.ttf" security="none"/>
  <sec:http pattern="/**/*.woff" security="none"/>
  <sec:http pattern="/**/*.woff2" security="none"/>
  <sec:http pattern="/**/*.eot" security="none"/>
  <sec:http pattern="/**/*.otf" security="none"/>
  <sec:http pattern="/**/*.gif" security="none"/>
  <sec:http pattern="/**/*.png" security="none"/>
  <sec:http pattern="/**/*.jpg" security="none"/>
  <sec:http pattern="/**/*.jpeg" security="none"/>
  <sec:http pattern="/**/*.ico" security="none"/>
  <sec:http pattern="/**/*.css" security="none"/>
  <sec:http pattern="/**/*.css.map" security="none"/>
  <sec:http pattern="/**/*.htc" security="none"/>
  <!-- NOTE(review): this pattern and /**/js/*.jsp below expose JSPs, which execute server-side code rather than
       serve a file as-is. Presumably they only emit stylesheet or script text; confirm they read no session or
       user data. -->
  <sec:http pattern="/**/css/*.jsp" security="none"/>
  <sec:http pattern="/**/*.js" security="none"/>
  <sec:http pattern="/**/*.js.map" security="none"/>
  <sec:http pattern="/**/js/*.jsp" security="none"/>
  <!-- The next two .html patterns are also matched by /**/*.html further down (assuming Ant-style matching). -->
  <sec:http pattern="/forms/templates/**/*.html" security="none"/>
  <sec:http pattern="/masterapp/*.html" security="none"/>
  <!-- Individual portal JSPs that are reachable without a session. -->
  <sec:http pattern="/portal/blank.jsp" security="none"/>
  <sec:http pattern="/portal/blank_uncached.jsp" security="none"/>
  <!-- NOTE(review): logout.jsp runs without Spring Security CSRF protection; confirm how logout requests are
       protected, if they need to be. -->
  <sec:http pattern="/portal/logout.jsp" security="none"/>
  <sec:http pattern="/portal/saml_auth_failure.jsp" security="none"/>
  <sec:http pattern="/**/*.htm" security="none"/>
  <sec:http pattern="/**/*.html" security="none"/>
  <sec:http pattern="/**/*.less" security="none"/>

  <!--
    Skip security for email notifications rendering.
    No Spring Security filter runs for these paths (security="none" is an empty filter chain).
    NOTE(review): three of the four entries are JSPs that execute server-side. Presumably they are requested
    by the server itself while building an email; confirm that an external, unauthenticated caller cannot use
    them to render another user's notification content.
  -->
  <sec:http pattern="/portal/initEmailNtfRequest.none" security="none"/>
  <sec:http pattern="/ntf/notificationEmail_css.jsp" security="none"/>
  <sec:http pattern="/ntf/emailHtml/*.jsp" security="none"/>
  <sec:http pattern="/ntf/modernEmailHtml/*.jsp" security="none"/>

  <!--
    Skip security for the process model web service feature (it currently has its own custom authentication mechanism).
    Because security="none" is an empty filter chain, the custom mechanism is the only access control for every
    path under this prefix.
    NOTE(review): the custom mechanism is not visible in this file; confirm it covers all handlers under /webservice/processmodel/.
  -->
  <sec:http pattern="/webservice/processmodel/**" security="none"/>

  <!--
    Skip security for Sharepoint (it currently has its own custom authentication mechanism).
    The same applies here: Spring Security enforces nothing under /webpart/, so each handler depends on the custom check.
  -->
  <sec:http pattern="/webpart/**" security="none"/>

  <!--
    Skip security for cors requests.
    Only the two exact paths /cors and /cors/ping are listed; there is no wildcard, so deeper paths are not covered.
    NOTE(review): what these endpoints return is not shown here. Confirm they expose nothing that depends on the
    caller's identity, since no Spring Security filter runs for them.
  -->
  <sec:http pattern="/cors" security="none"/>
  <sec:http pattern="/cors/ping" security="none"/>

  <!--
    Allow un-authenticated access for the login page (and supporting pages).
    The first pattern is a SpEL expression that reads the login property of a pageUrls bean, which is defined
    outside this file.
    NOTE(review): security="none" also removes Spring Security's response headers and CSRF handling from these
    pages. Confirm that anti-framing and similar headers for the login pages are set by another filter or by
    the container.
  -->
  <sec:http pattern="#{pageUrls.login}" security="none"/>
  <sec:http pattern="/portal/welcome.jsp" security="none"/>
  <sec:http pattern="/portal/login.jsp" security="none"/>
  <sec:http pattern="/portal/loginadmin.jsp" security="none"/>

  <!--
    Engineering Forgot Password.
    These paths are open to unauthenticated callers and no Spring Security filter runs for them.
    NOTE(review): the handler itself is responsible for request throttling and for responses that do not reveal
    whether an account exists; confirm both in the handler.
  -->
  <sec:http pattern="/forgotpasswordrequest" security="none"/>
  <sec:http pattern="/forgotpassword/passwordresetrequest.jsp" security="none"/>
  <sec:http pattern="/forgotpassword/error.jsp" security="none"/>

  <!--
    Branding resources (logo, secondary logo, favicon) and the terms of service, presumably needed by the
    login page before a session exists. Each branding pattern ends in a single * and so matches one path
    segment only.
  -->
  <sec:http pattern="/rest/a/content/latest/branding/logo/*" security="none"/>
  <sec:http pattern="/rest/a/content/latest/branding/secondary-logo/*" security="none"/>
  <sec:http pattern="/rest/a/content/latest/branding/favicon/*" security="none"/>
  <sec:http pattern="/rest/a/siteaccess/latest/termsofservice" security="none"/>

  <!--
    DocViewer.
    NOTE(review): this sits under the content REST prefix and is served with no Spring Security filter. Confirm
    it returns only viewer resources and that document content is fetched through an authenticated path.
  -->
  <sec:http pattern="/rest/a/content/latest/docview/*" security="none"/>

  <!--
    Allow un-authenticated access CSP logging for dynamic/static domains.
    Browsers send CSP violation reports without credentials, so the report endpoints cannot require a session.
    NOTE(review): report bodies are attacker-controllable input; confirm the logging endpoint bounds request size
    and neutralises the content before writing it to logs.
  -->
  <sec:http pattern="/rest/a/logging/latest/csp-dynamic/report" security="none"/>
  <sec:http pattern="/rest/a/logging/latest/csp-static/report" security="none"/>
  <!-- NOTE(review): the next pattern is not a CSP report endpoint; the reason everything under webcontent/ is
       public is not documented here. Confirm it serves only content intended to be public. -->
  <sec:http pattern="/rest/a/content/latest/webcontent/**" security="none"/>

  <!-- Allow un-authenticated access for the error pages, so an error can be shown even when no session exists. -->
  <sec:http pattern="/framework/error/*.jsp" security="none"/>

  <!--
    Skip security for incoming SAML Logout Requests.
    NOTE(review): with an empty filter chain, validation of the incoming SAML message (signature, issuer) is
    presumably done by the consumer itself; confirm, since Spring Security does not see these requests.
  -->
  <sec:http pattern="/saml/LogoutConsumer" security="none"/>

  <!-- Allow un-authenticated access for self-selection SAML IdP page (shown before the user has authenticated). -->
  <sec:http pattern="/saml/idp_selection.jsp" security="none"/>

  <!--
    Allow un-authenticated access for embedded redirect servlet.
    NOTE(review): an unauthenticated redirect endpoint should only redirect to validated targets; confirm the
    servlet restricts destinations (for example to same-origin paths or an allow-list).
  -->
  <sec:http pattern="/embedded/redirect" security="none"/>

  <!-- Allow un-authenticated access for the healthcheck servlet (exact path only). -->
  <sec:http pattern="/healthz" security="none"/>

  <!--
    The self-test endpoint does not use Spring security, instead it is authenticated by an API key.
    The second pattern ends in a single *, so it covers one path segment below /self-test and nothing deeper.
    The API key check is the only access control on these paths.
  -->
  <sec:http pattern="/self-test" security="none"/>
  <sec:http pattern="/self-test/*" security="none"/>

  <!--
    Allow un-authenticated access for the metrics servlet.
    NOTE(review): unlike /self-test, no alternative authentication is documented for /metrics. If the metrics
    include operational detail, confirm that exposure is restricted elsewhere (for example at the network or
    proxy layer).
  -->
  <sec:http pattern="/metrics" security="none"/>

  <!--
    Allow un-authenticated access for embedded Office servlet.
    NOTE(review): TaskViewer.jsp is a server-side page reached with no Spring Security filter; confirm that it
    (and the servlet) authenticate the caller by their own means before returning any task data.
  -->
  <sec:http pattern="/integrations/office/*" security="none"/>
  <sec:http pattern="/plugins/outlook/TaskViewer.jsp" security="none"/>

  <!--
    Allow un-authenticated access for devops infrastructure servlet.
    The ** wildcard opens every path under this prefix.
    NOTE(review): no alternative authentication is documented here; confirm the servlet enforces its own check
    on every path, or that the prefix is not reachable from untrusted networks.
  -->
  <sec:http pattern="/devops-infrastructure/**" security="none"/>

  <!--
    Allow un-authenticated access for appian RPA servlet since the servlet will validate the auth token.
    The ** wildcard covers every path under /rpa/, so token validation must apply to all of them; Spring Security
    adds no fallback.
  -->
  <sec:http pattern="/rpa/**" security="none"/>

  <!-- Allow un-authenticated access for phpMyAdmin servlet since the servlet will validate the auth token.
       Exact path only. The token check is the only gate in front of database tooling, so it merits review
       whenever this servlet changes. -->
  <sec:http pattern="/dbauth" security="none"/>

  <!-- Allow un-authenticated access for the WOPI host functionality, this will still require a valid auth token.
       The token is checked by the WOPI handler, not by Spring Security (security="none" is an empty filter chain). -->
  <sec:http pattern="/wopi" security="none"/>
  <sec:http pattern="/wopi/**" security="none"/>

  <!--
    Allow un-authenticated access for OAuth token endpoint.
    Listed with and without a trailing slash because these are exact-path patterns.
    NOTE(review): client authentication and request throttling for the token endpoint are presumably handled by
    the endpoint itself; confirm, since no Spring Security filter runs here.
  -->
  <sec:http pattern="/authorization/oauth/token" security="none"/>
  <sec:http pattern="/authorization/oauth/token/" security="none"/>

  <!-- Allow un-authenticated access for mobile landing page (a single JSP, exact path). -->
  <sec:http pattern="/mobile/mobile_landing_page.jsp" security="none"/>
</beans>
