ONJava.com -- The Independent Source for Enterprise Java
oreilly.comSafari Books Online.Conferences.

advertisement

AddThis Social Bookmark Button

Separation of Concerns in Web Service Implementations
Pages: 1, 2, 3, 4

Acegi Security Configuration

Now we'll discuss how to configure Acegi security in the Spring configuration file. As explained earlier, we configured the business logic bean so that method invocations are intercepted by the securityInterceptor bean to perform security checks. Now let's look at how this bean is configured. Shown below is the fragment from the Spring configuration file for the securityInterceptor bean. The securityInterceptor bean is provided by a class from Acegi called the MethodSecurityInterceptor. As the name implies, this class is used to enforce security on method invocations by intercepting the invocations and checking that the invoker is authenticated and authorized.



<beans>
  . . .
  <bean id="securityInterceptor"
    class="org.acegisecurity.intercept.method.
      aopalliance.MethodSecurityInterceptor">
    <property name="authenticationManager">
      <bean class="org.acegisecurity.
        providers.ProviderManager">
        <property name="providers">
          <list>
            <bean
              class="org.acegisecurity.
                providers.anonymous.
                AnonymousAuthenticationProvider">
              <property
                name="key"
                value="changeThis"/>
            </bean>
          </list>
        </property>
      </bean>
    </property>

    <property name="accessDecisionManager">
      <bean
        class="org.acegisecurity.vote.
          UnanimousBased">
        <property name="decisionVoters">
          <list>
            <bean
              class="org.acegisecurity.
                vote.RoleVoter"/>
          </list>
        </property>
      </bean>
    </property>

    <property
      name="objectDefinitionSource">
      <value>
        com.mybank.bizlogic.AccountMgr.
          transferFunds=ROLE_MANAGER
      </value>
    </property>
  </bean>
  . . .
</beans>

We need to configure the securityInterceptor bean with an authenticationManager property to specify what kind of authentication to use. Since our design relies on the Axis handler to perform authentication, we don't need authentication here, so we just configure it with the AnonymousAuthenticationProvider. Plus, the way we create the authentication token in the Axis handler will let Acegi know that it's already been authenticated, so it won't try to authenticate again. We'll explain this in more detail later when we discuss the Axis handler.

Next, we need to configure the bean with an accessDecisionManager property to specify how it will decide whether or not to grant somebody access to invoke a method. Acegi comes with three concrete implementations of an access decision manager: AffirmativeBased, ConsensusBased, and UnanimousBased. Acegi makes an access decision by relying on voters to vote whether or not to grant somebody access to perform a particular action. It tallies up the votes to decide whether or not access should be granted. We've chosen the UnanimousBased access decision manager, which requires that all voters vote to grant access in order for the client to be able to perform the action. You should read the Acegi documentation for a more in-depth explanation of how this works. Next, we have to configure the accessDecisionManager with a list of voters. Here, we'll just use one voter called the RoleVoter. This is a class from Acegi that votes whether or not to grant access based on role-based access control. Again, you should consult the Acegi documentation for more details on how the RoleVoter works.

The final property that needs to be configured is the objectDefinitionSource. This is how we specify what permissions are required to access the various methods on the object that's being secured. Here, we only want to secure the transferFunds() method, and we want to only allow access to managers. We do this by listing the fully qualified class name and method name and the required role for accessing it:

com.mybank.bizlogic.AccountMgr.transferFunds=
  ROLE_MANAGER

Pages: 1, 2, 3, 4

Next Pagearrow