Security authorizationusingspringsecurity-sathyaraj
Download as PPT, PDF1 like199 views
This document describes how to configure method-level authorization in Spring Security to restrict which users with certain roles can invoke methods on components. It explains that a MethodSecurityInterceptor must be configured and chained to the components needing security via a proxy. The MethodSecurityInterceptor is configured with an AuthenticationManager and AccessDecisionManager, and security roles can be defined for each method.
Security authorizationusingspringsecurity-sathyaraj
- 1. MULE –Component Authorization Using Spring Security
- 2. 2 Component Authorization Using Spring Security This page describes how you can configure method-level authorization using Spring Security on your components so that users with different roles can only invoke certain methods.
- 3. 3 Securing Flow Components To secure MethodInvocations, you must add a properly configured MethodSecurityInterceptor into the application context. The beans requiring security are chained into the interceptor. This chaining is accomplished using Spring’s ProxyFactoryBean or BeanNameAutoProxyCreator. Alternatively, Spring Security provides a MethodDefinitionSourceAdvisor, which you can use with Spring’s DefaultAdvisorAutoProxyCreator to automatically chain the security interceptor in front of any beans defined against the MethodSecurityInterceptor.
- 4. 4 In addition to the daoAuthenticationProvider and inMemoryDaoImpl beans (see Configuring Security), the following beans must be configured: MethodSecurityInterceptor AuthenticationManager AccessDecisionManager AutoProxyCreator RoleVoter
- 5. 5 The MethodSecurityInterceptor The MethodSecurityInterceptor is configured with a reference to the following: AuthenticationManager AccessDecisionManager
- 6. 6 Following is a security interceptor for intercepting calls made to the methods of a component myComponent, which defines two methods: delete and writeSomething. Roles are set on these methods as seen below in the property securityMetadataSource. <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mule="http://www.mulesource.org/schema/mule/core" xmlns:mule-ss="http://www.mulesource.org/schema/mule/spring-security" ...cut... <bean id="myComponentSecurity" class="org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor"> <property name="authenticationManager" ref="authenticationManager"/> <property name="accessDecisionManager" ref="accessDecisionManager"/> <property name="securityMetadataSource"> <value> com.foo.myComponent.delete=ROLE_ADMIN com.foo.myComponent.writeSomething=ROLE_ANONYMOUS </value> </property> </bean>
- 7. 7 The AuthenticationManager This bean is responsible for passing requests through a chain of AuthenticationProvider objects. <bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager"> <property name= "providers"> <list> <ref local="daoAuthenticationProvider"/> </list> </property> </bean>
- 8. 8 The AccessDecisionManager This bean specifies that a user can access the protected methods if they have any one of the roles specified in the securityMetadataSource. <bean id="accessDecisionManager" class='org.springframework.security.access.vote.AffirmativeBased'> <property name="decisionVoters"> <list> <ref bean="roleVoter"/> </list> </property> </bean>
- 9. 9 The AutoProxyCreator This bean defines a proxy for the protected bean. When an application asks Spring for a myComponent bean, it will get this proxy instead. <bean id="autoProxyCreator" class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator"> <property name="interceptorNames"> <list> <value>myComponentSecurity</value> </list> </property> <property name="beanNames"> <list> <value>myComponent</value> </list> </property> <property name='proxyTargetClass' value="true"/> </bean>