Use Spring Security for user authentication

README.md

@@ -57,19 +57,37 @@ Please refer to the [wiki](https://github.com/HiromuHota/pentaho-kettle/wiki/Sys
 3. (Optional) download and unzip `pdi-ce-7.0.0.0-25.zip`, then copy the `system` and `plugins` folders to `tomcat/system` and `tomcat/plugins`, respectively.
 4. (Optional) configure Apache Karaf as below.
 5. (Re)start the Tomcat.
-6. Access `http://address:8080/spoon/spoon`
+6. Access `http://address:8080/spoon/spoon` as <i>user</i> with password of <i>password</i>
 
 ### Deploy to Pentaho server
 
 1. Download the latest `spoon.war` from [here](https://github.com/HiromuHota/pentaho-kettle/releases).
 2. Copy the downloaded `spoon.war` to `pentaho-server/tomcat/webapps/spoon.war`.
 3. (Re)start the Pentaho server.
-4. Access `http://address:8080/spoon/spoon`
+4. Access `http://address:8080/spoon/spoon` as <i>user</i> with password of <i>password</i>
 
 It is not recommended to place `system` and `plugins` folders along with the Pentaho server due to [#32](https://github.com/HiromuHota/pentaho-kettle/issues/32) and [#35](https://github.com/HiromuHota/pentaho-kettle/issues/35).
 
 ## Config
 
+### Users
+
+Edit `WEB-INF/spring/security.xml` to manage users.
+The following example shows how to assign <i>user</i> with password of <i>password</i> to <i>USER</i> role.
+
+```
+<b:beans>
+  <user-service>
+    <user name="user" password="password" authorities="ROLE_USER" />
+  </user-service>
+</b:beans>
+```
+
+It would be possible to use LDAP as an authentication provider.
+See [here](http://docs.spring.io/spring-security/site/docs/4.1.x/reference/html/ns-config.html) for more details.
+webSpoon uses the same framework for user authentication: Spring Security, as Pentaho User Console.
+Thus, it would also be possible to use Microsoft Active Directory as described in Pentaho's official documentation for [User Security](https://help.pentaho.com/Documentation/7.0/0P0/Setting_Up_User_Security).
+
 ### Repository
 
 It is strongly recommended to use webSpoon with a Repository (can be Pentaho Repository, Kettle Database Repository, or Kettle File Repository), otherwise opening/saving files does not function as you would expect.
@@ -246,7 +264,7 @@ $ ant compile.res_copy
 - Oracle and Java are registered trademarks of Oracle and/or its affiliates.
 - Ubuntu is a registered trademark of Canonical Ltd.
 - Mac and OS X are trademarks of Apple Inc., registered in the U.S. and other countries.
-- Windows is a registered trademark of Microsoft Corporation in the U.S. and other countries.
+- Windows and Active Directory are registered trademark of Microsoft Corporation in the U.S. and other countries.
 - Eclipse is a registered trademark of the Eclipse Foundation, Inc. in the US and/or other countries.
 - Apache Karaf is a trademark of The Apache Software Foundation.
 - Google Chrome browser is a trademark of Google Inc.

ui/WEB-INF/spring/security.xml

@@ -0,0 +1,20 @@
+<b:beans xmlns="http://www.springframework.org/schema/security"
+     xmlns:b="http://www.springframework.org/schema/beans"
+     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+     xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
+
+  <http>
+    <intercept-url pattern="/**" access="hasRole('USER')" />
+    <form-login default-target-url="/spoon" always-use-default-target='true'/>
+    <logout />
+    <!-- Spring Security's CSRF protection is disabled because RAP/RWT does not handle the CSRF token issued by Spring Security.
+         RAP/RWT has its own CSRF protection. See https://bugs.eclipse.org/bugs/show_bug.cgi?id=413668 for more details -->
+    <csrf disabled="true"/>
+  </http>
+
+  <user-service>
+    <user name="user" password="password" authorities="ROLE_USER" />
+  </user-service>
+
+</b:beans>

ui/WEB-INF/web.xml

@@ -4,6 +4,36 @@
   xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
   version="2.4">
 
+  <!--
+    - Location of the XML file that defines the root application context
+    - Applied by ContextLoaderListener.
+    -->
+  <context-param>
+    <param-name>contextConfigLocation</param-name>
+    <param-value>
+      /WEB-INF/spring/*.xml
+    </param-value>
+  </context-param>
+
+
+  <filter>
+    <filter-name>springSecurityFilterChain</filter-name>
+    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
+  </filter>
+  <filter-mapping>
+    <filter-name>springSecurityFilterChain</filter-name>
+    <url-pattern>/*</url-pattern>
+  </filter-mapping>
+
+  <!--
+    - Loads the root application context of this web app at startup.
+    - The application context is then available via
+    - WebApplicationContextUtils.getWebApplicationContext(servletContext).
+  -->
+  <listener>
+    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
+  </listener>
+
   <context-param>
     <param-name>org.eclipse.rap.applicationConfiguration</param-name>
     <param-value>org.pentaho.di.ui.spoon.WebSpoon</param-value>

ui/build.xml

@@ -76,6 +76,9 @@
       <fileset file="${dist.dir}/${ivy.artifact.id}-${project.revision}.jar"/>
     </copy>
     <war destfile="${dist.dir}/spoon.war" webxml="WEB-INF/web.xml">
+      <webinf dir="WEB-INF">
+        <exclude name="web.xml"/>
+      </webinf>
       <lib dir="${lib.dir}">
         <exclude name="javax.servlet-api-*.jar"/>
       </lib>

ui/ivy.xml

@@ -123,6 +123,8 @@
     <dependency org="org.springframework" name="spring-beans"   rev="${dependency.spring.framework.revision}" />
     <dependency org="org.springframework" name="spring-context" rev="${dependency.spring.framework.revision}" />
     <dependency org="org.springframework.security" name="spring-security-core" rev="${dependency.spring.security.revision}" />
+    <dependency org="org.springframework.security" name="spring-security-web" rev="${dependency.spring.security.revision}" />
+    <dependency org="org.springframework.security" name="spring-security-config" rev="${dependency.spring.security.revision}" />
     <dependency org="org.glassfish.metro" name="webservices-api" rev="2.1" transitive="false"/>
     <dependency org="org.glassfish.metro" name="webservices-rt" rev="2.1" transitive="false"/>