<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-5.8.xsd">
  <!-- The Spring Schemas are the latest available schemas with pinned version numbers -->
  <!-- Configure security for the web interface. -->
  <!-- Single filter chain covering every request path ("/**").
       use-expressions="false": the access attribute on intercept-url is read as plain
       config attributes (IS_AUTHENTICATED_*), not as SpEL expressions.
       disable-url-rewriting="true": the session id is not appended to URLs.
       entry-point-ref: requests that need authentication are handed to
       portalAuthenticationEntryPoint, declared further down in this file. -->
  <sec:http pattern="/**" use-expressions="false" disable-url-rewriting="true" entry-point-ref="portalAuthenticationEntryPoint">
    <!-- This is needed for CSRF protection and must not be removed -->
    <sec:custom-filter ref="csrfChannelProcessingFilter" before="LOGOUT_FILTER" />
    <!-- Takes the standard CONCURRENT_SESSION_FILTER slot; the bean is not defined in this file. -->
    <sec:custom-filter position="CONCURRENT_SESSION_FILTER" ref="appianForcedLogoutSessionFilter" />
    <!-- Spring Security's built-in CsrfFilter is switched off for this chain. The only CSRF
         defence visible in this file is csrfChannelProcessingFilter above (bean defined elsewhere).
         NOTE(review): confirm that filter checks every state-changing request, including the
         login POST and logout, because nothing else in this chain would. -->
    <sec:csrf disabled="true"/>

    <sec:custom-filter ref="logoutReasonFilter" before="CONCURRENT_SESSION_FILTER"/>

    <!-- Every URL requires an authenticated user. IS_AUTHENTICATED_REMEMBERED is satisfied by a
         remember-me login as well as by a full login, so a remember-me cookie alone is enough to
         reach any path here. NOTE(review): if sensitive operations should require a fresh
         credential check, that has to be enforced elsewhere; confirm. -->
    <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY,IS_AUTHENTICATED_REMEMBERED" />

    <!-- No anonymous Authentication is created; a request without credentials has no
         Authentication at all and ends up at the entry point. -->
    <sec:anonymous enabled="false"/>

    <!-- Replaces the namespace's form-login filter with the explicitly configured
         loginFormAuthenticationFilter bean declared below. -->
    <sec:custom-filter ref="loginFormAuthenticationFilter" position="FORM_LOGIN_FILTER" />

    <!-- Same strategy bean as the one set on loginFormAuthenticationFilter. Session handling
         at login (for example session-fixation protection) depends on what that bean does;
         it is not defined in this file. TODO confirm. -->
    <sec:session-management session-authentication-strategy-ref="portalSessionAuthenticationStrategy"/>

    <!-- Application filters placed relative to standard slots; beans are defined elsewhere.
         userActivityFilter sits after FILTER_SECURITY_INTERCEPTOR, so it only runs for
         requests that were granted access. -->
    <sec:custom-filter ref="oAuthMobileFilter" after="SECURITY_CONTEXT_FILTER" />
    <sec:custom-filter ref="userActivityFilter" after="FILTER_SECURITY_INTERCEPTOR" />
    <sec:custom-filter ref="postRememberMeFilter" after="REMEMBER_ME_FILTER" />

    <!-- Custom logout filter in the standard LOGOUT_FILTER slot; csrfChannelProcessingFilter
         is ordered before it. -->
    <sec:custom-filter ref="logoutFilter" position="LOGOUT_FILTER" />

    <!-- Remember-me handling is delegated to appianRememberMeServices, the same bean that is
         injected into loginFormAuthenticationFilter. -->
    <sec:remember-me services-ref="appianRememberMeServices"/>
    <!-- Spring Security's default response headers (X-Frame-Options, X-Content-Type-Options,
         HSTS, cache control) are NOT written by this chain.
         NOTE(review): presumably these are set by application code or a front-end proxy
         (the entry point below receives CSP configuration beans); verify before relying on it. -->
    <sec:headers disabled="true"/>

    <!-- Cloud security customizations: do not add anything below this line in AE -->
  </sec:http>

  <!-- Authentication entry point referenced by entry-point-ref on the sec:http element above.
       loginFormUrl is resolved with SpEL from the pageUrls bean; that bean, the request matcher
       and both CSP configuration beans are defined outside this file.
       NOTE(review): the CSP arguments suggest this class sets Content-Security-Policy for the
       login form itself, which matters because sec:headers is disabled on the chain; confirm
       in AppianPortalAuthenticationEntryPoint. -->
  <bean id="portalAuthenticationEntryPoint" class="com.appiancorp.security.auth.AppianPortalAuthenticationEntryPoint">
    <constructor-arg name="loginFormUrl" value="#{pageUrls.login}" />
    <constructor-arg name="inAppBrowserClientRequestMatcher" ref="inAppBrowserClientRequestMatcher" />
    <constructor-arg name="cspConfigurationForLoginForm" ref="cspConfigurationForLoginForm" />
    <constructor-arg name="cspEnforcementConfiguration" ref="cspEnforcementConfiguration" />
  </bean>

  <!-- Stock Spring Security username/password filter, installed in the FORM_LOGIN_FILTER slot
       of the sec:http chain above. All referenced handler, manager and strategy beans are
       defined outside this file. -->
  <bean id="loginFormAuthenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <!-- Request parameter names carrying the credentials. They should only ever arrive in a
         POST body so they stay out of URLs and access logs; see allowPostOnlyForAuthentication
         on appianSpringSecurityBeanPostProcessor. -->
    <property name="usernameParameter" value="un" />
    <property name="passwordParameter" value="pw" />
    <!-- Login-processing URL, read from the static SecurityConstants.AUTH_PATH via SpEL T(). -->
    <property name="filterProcessesUrl" value="#{T(com.appiancorp.security.SecurityConstants).AUTH_PATH}" />
    <property name="authenticationManager" ref="authenticationManager" />
    <!-- Same strategy bean as sec:session-management uses, so a form login gets the same
         session treatment as the rest of the chain. -->
    <property name="sessionAuthenticationStrategy" ref="portalSessionAuthenticationStrategy" />
    <property name="authenticationSuccessHandler" ref="appianAuthenticationSuccessHandler" />
    <property name="authenticationFailureHandler" ref="appianAuthenticationFailureHandler" />
    <property name="authenticationDetailsSource" ref="portalAuthenticationDetailsSource" />
    <!-- Same services bean as sec:remember-me, so the cookie issued at login is the one the
         remember-me filter later validates. -->
    <property name="rememberMeServices" ref="appianRememberMeServices" />
  </bean>

  <!-- These configurations are not yet available through the security namespace,
  so we use a BeanPostProcessor to apply settings required by the Portal environment.
  NOTE(review): the property semantics live in BeanPostProcessorForPortalAuth, which is not
  shown here. Presumably allowPostOnlyForAuthentication restricts credential submission to
  HTTP POST, and useForwardForLoginPage makes the entry point forward to the login page
  server-side instead of issuing a redirect; confirm against the class before changing
  either value. -->
  <bean id="appianSpringSecurityBeanPostProcessor" class="com.appiancorp.security.auth.BeanPostProcessorForPortalAuth">
    <property name="allowPostOnlyForAuthentication" value="true"/>
    <property name="useForwardForLoginPage" value="true"/>
  </bean>

  <!-- Cloud beans: do not add anything below this line in AE -->
</beans>
