Configuring Seraph

There are two places you need to modify your web application to configure Seraph. See the concepts document for an explanation of the various pieces of Seraph.

seraph-config.xml File

The core of Seraph is configured through a single config file, named seraph-config.xml. This is usually placed in your web application's WEB-INF/classes directory. Here is a commented sample:

<security-config>
  <parameters>
    <init-param>
      <!--
      the URL to redirect to when the user tries to access a protected resource (rather than clicking on
        an explicit login link). Most of the time, this will be the same value as 'link.login.url'.
      - if the URL is absolute (contains '://'), then redirect that URL (for SSO applications)
      - else the context path will be prepended to this URL

      If '${originalurl}' is present in the URL, it will be replaced with the context-relative URL that the user requested.
      This gives SSO login pages the chance to redirect to the original page
      -->
      <param-name>login.url</param-name>
      <param-value>/login.jsp?os_destination=${originalurl}</param-value>
      <!-- <param-value>http://example.com/SSOLogin?target=${originalurl}</param-value>-->
    </init-param>
    <init-param>
      <!--
      the URL to redirect to when the user explicitly clicks on a login link (rather than being redirected after
        trying to access a protected resource). Most of the time, this will be the same value as 'login.url'.
      - same properties as login.url above
      -->
      <param-name>link.login.url</param-name>
      <param-value>/secure/Dashboard.jspa?os_destination=${originalurl}</param-value>
      <!-- <param-value>http://mycompany.com/SSOLogin?target=${originalurl}</param-value>-->
    </init-param>
    <init-param>
      <!-- URL for logging out.
      - If relative, Seraph just redirects to this URL, which is responsible for calling Authenticator.logout().
      - If absolute (eg. SSO applications), Seraph calls Authenticator.logout() and redirects to the URL
      -->
      <param-name>logout.url</param-name>
      <param-value>/secure/Logout!default.jspa</param-value>
      <!-- <param-value>http://mycompany.com/SSOLogout</param-value>-->
    </init-param>

    <!-- The key that the original URL is stored with in the session -->
    <init-param>
      <param-name>original.url.key</param-name>
      <param-value>os_security_originalurl</param-value>
    </init-param>
    <init-param>
      <param-name>login.cookie.key</param-name>
      <param-value>seraph.os.cookie</param-value>
    </init-param>
    <!-- Specify 3 characters to make cookie encoding unique for your application, to prevent collisions
    if more than one Seraph-based app is used.
    <init-param>
      <param-name>cookie.encoding</param-name>
      <param-value>xYz</param-value>
    </init-param>
    -->
    <!-- Basic Authentication can be enabled by passing the authentication type as a configurable URL parameter.
    With this example, you will need to pass http://mycompany.com/anypage?os_authType=basic in the URL to enable Basic Authentication -->
    <init-param>
        <param-name>authentication.type</param-name>
        <param-value>os_authType</param-value>
    </init-param>
  </parameters>

  <!-- Determines what roles (permissions) a user has. -->
  <rolemapper class="com.atlassian.myapp.auth.MyRoleMapper"/>

  <!-- A controller is not required. If not specified, security will always be on
  <controller class="com.atlassian.myapp.setup.MyAppSecurityController" />
  -->

  <!-- Logs in users. Must be overridden for SSO apps -->
  <authenticator class="com.atlassian.seraph.auth.DefaultAuthenticator"/>


  <services>
    <!-- Specifies role requirements for accessing specified URL paths -->
    <service class="com.atlassian.seraph.service.PathService">
      <init-param>
        <param-name>config.file</param-name>
        <param-value>/seraph-paths.xml</param-value>
      </init-param>
    </service>

    <!-- Specifies role requirements to execute Webwork actions -->
    <service class="com.atlassian.seraph.service.WebworkService">
      <init-param>
        <param-name>action.extension</param-name>
        <param-value>jspa</param-value>
      </init-param>
    </service>
  </services>

  <interceptors>
    <!-- <interceptor class="com.atlassian.myapp.SomeLoginInterceptor"/> -->
  </interceptors>
</security-config>
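The comments on login.url, link.login.url and logout.url above describe three rules: an absolute value (one containing '://') is used as-is, a relative value gets the context path prepended, and '${originalurl}' is replaced with the context-relative URL the user requested. The following Java class is an added illustration of those rules, written for this page; it is not Seraph's own code. The class name, method names, the URL-encoding of the substituted value, the context path being prepended to a relative logout.url, and the defensive fallback to "/" for an original URL that is not context-relative are all assumptions made here.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

/**
 * Illustrative model (not Seraph's own implementation) of the login.url /
 * link.login.url / logout.url rules documented in seraph-config.xml.
 * Requires Java 10+ for URLEncoder.encode(String, Charset).
 */
public final class SeraphUrlRules {

    private static final String ORIGINAL_URL_TOKEN = "${originalurl}";

    /** A configured URL is treated as absolute when it contains "://". */
    static boolean isAbsolute(String url) {
        return url.contains("://");
    }

    /**
     * Builds the redirect target for login.url or link.login.url.
     *
     * @param configuredUrl the param-value from seraph-config.xml
     * @param contextPath   the web application's context path, e.g. "/myapp"
     * @param originalUrl   the context-relative URL the user requested
     */
    static String resolveLoginUrl(String configuredUrl, String contextPath, String originalUrl) {
        // Rule 1/2: absolute URLs are used as-is, relative ones get the context path prepended.
        String target = isAbsolute(configuredUrl) ? configuredUrl : contextPath + configuredUrl;
        // Rule 3: substitute the requested URL. Assumption: because it lands in a query
        // parameter (os_destination / target), it is URL-encoded first.
        if (target.contains(ORIGINAL_URL_TOKEN)) {
            String encoded = URLEncoder.encode(safeOriginalUrl(originalUrl), StandardCharsets.UTF_8);
            target = target.replace(ORIGINAL_URL_TOKEN, encoded);
        }
        return target;
    }

    /**
     * Defensive check added for this illustration (not documented Seraph behaviour):
     * the original URL is meant to be context-relative, so anything that a browser could
     * read as a different host ("//host", "/\host") or that is not a path at all falls
     * back to "/" rather than being handed to the login page as a redirect destination.
     */
    static String safeOriginalUrl(String originalUrl) {
        if (originalUrl == null
                || !originalUrl.startsWith("/")
                || originalUrl.startsWith("//")
                || originalUrl.startsWith("/\\")) {
            return "/";
        }
        return originalUrl;
    }

    /** Result of applying logout.url: who calls Authenticator.logout(), and where to redirect. */
    static final class LogoutPlan {
        final boolean seraphCallsLogout;
        final String redirectTo;

        LogoutPlan(boolean seraphCallsLogout, String redirectTo) {
            this.seraphCallsLogout = seraphCallsLogout;
            this.redirectTo = redirectTo;
        }
    }

    /**
     * Absolute logout.url (SSO): Seraph calls Authenticator.logout() and then redirects.
     * Relative logout.url: Seraph only redirects, and the target page must call logout()
     * itself. Assumption: the relative form gets the context path prepended like login.url.
     */
    static LogoutPlan planLogout(String logoutUrl, String contextPath) {
        if (isAbsolute(logoutUrl)) {
            return new LogoutPlan(true, logoutUrl);
        }
        return new LogoutPlan(false, contextPath + logoutUrl);
    }

    public static void main(String[] args) {
        String ctx = "/myapp"; // constructed sample context path
        System.out.println(resolveLoginUrl(
                "/login.jsp?os_destination=${originalurl}", ctx, "/secure/Dashboard.jspa?x=1"));
        System.out.println(resolveLoginUrl(
                "http://example.com/SSOLogin?target=${originalurl}", ctx, "/secure/Dashboard.jspa"));
        // A non-relative "original" URL is replaced by "/" before substitution.
        System.out.println(resolveLoginUrl(
                "/login.jsp?os_destination=${originalurl}", ctx, "//other-host.example/page"));
        LogoutPlan sso = planLogout("http://mycompany.com/SSOLogout", ctx);
        LogoutPlan local = planLogout("/secure/Logout!default.jspa", ctx);
        System.out.println(sso.seraphCallsLogout + " -> " + sso.redirectTo);
        System.out.println(local.seraphCallsLogout + " -> " + local.redirectTo);
    }
}
```

Compile and run with `javac SeraphUrlRules.java && java SeraphUrlRules`. The point of the safeOriginalUrl fallback is that the substituted value ends up as a redirect destination on the login page; keeping it path-only means a crafted request cannot turn that page into a redirect to another host.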

Filters

There are two filters associated with Seraph, and a servlet, that must be added to your WEB-INF/web.xml file as follows:

<filter>
    <filter-name>login</filter-name>
    <filter-class>com.atlassian.seraph.filter.LoginFilter</filter-class>
</filter>

<filter>
    <filter-name>security</filter-name>
    <filter-class>com.atlassian.seraph.filter.SecurityFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>login</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>security</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<servlet>
    <servlet-name>logout</servlet-name>
    <servlet-class>com.atlassian.seraph.logout.LogoutServlet</servlet-class>
</servlet>

<servlet-mapping>
    <servlet-name>logout</servlet-name>
    <url-pattern>/logout</url-pattern>
</servlet-mapping>

Make sure to conform to the web.xml DTD when adding this.