<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:util="http://www.springframework.org/schema/util"
  xmlns:sec="http://www.springframework.org/schema/security"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
    http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-4.3.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-5.8.xsd">
  <!-- The Spring Schemas are the latest available schemas with pinned version numbers -->
  <!--
    The session authentication strategy is responsible for initializing the session after
    successful authentication (but before the success handler is invoked). Note that the order of
    the strategies is important. We first execute the session fixation protection strategy which
    creates a new session and migrates the attributes. We then execute the Appian session
    initialization class which may store additional attributes in the session.
  -->
  <bean id="portalSessionAuthenticationStrategy" class="com.appiancorp.suiteapi.common.spring.security.CompositeSessionAuthenticationStrategy">
    <constructor-arg>
      <list>
        <ref bean="maintWindowSessionAuthenticationStrategy"/>
        <ref bean="sessionFixationProtectionStrategy"/>
        <ref bean="concurrentSessionControlStrategy"/>
        <ref bean="allowedMobileClientStrategy"/>
        <ref bean="appianPortalSessionAuthenticationStrategy"/>
        <ref bean="registerSessionAuthenticationStrategy"/>
      </list>
    </constructor-arg>
  </bean>

  <bean id="sessionFixationProtectionStrategy" class="org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy">
    <property name="migrateSessionAttributes" value="true"/>
  </bean>

  <bean id="appianPortalSessionAuthenticationStrategy" class="com.appiancorp.security.auth.AppianPortalSessionAuthenticationStrategy">
    <constructor-arg ref="appianAuthenticationEventPublisher"/>
  </bean>

  <bean id="appianWebApiSessionAuthenticationStrategy" class="com.appiancorp.security.auth.AppianWebApiSessionAuthenticationStrategy">
    <constructor-arg ref="appianAuthenticationEventPublisher"/>
    <constructor-arg ref="adminServicesProvider"/>
  </bean>

  <bean id="webApiSessionAuthenticationStrategy" class="com.appiancorp.suiteapi.common.spring.security.CompositeSessionAuthenticationStrategy">
    <constructor-arg>
      <list>
        <ref bean="maintWindowSessionAuthenticationStrategy"/>
        <ref bean="appianWebApiSessionAuthenticationStrategy"/>
      </list>
    </constructor-arg>
  </bean>

  <bean id="concurrentSessionControlStrategy" class="com.appiancorp.security.auth.session.AppianConcurrentSessionControlStrategy">
    <constructor-arg ref="userActivityService"/>
    <constructor-arg ref="appianAuthenticationEventPublisher"/>
  </bean>

  <bean id="registerSessionAuthenticationStrategy" class="org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy">
    <constructor-arg ref="appianSessionRegistry"/>
  </bean>

  <bean id="appianSessionInformationExpiredStrategy" class ="com.appiancorp.security.auth.session.AppianSessionInformationExpiredStrategy">
    <constructor-arg ref="appianRedirectStrategy"/>
    <constructor-arg ref="webApiRequestMatcher"/>
  </bean>

  <bean id="allowedMobileClientStrategy" class="com.appiancorp.security.auth.mobile.AllowedMobileClientStrategy">
    <constructor-arg ref="featureToggleClient"/>
  </bean>

</beans>
