Component Authorization Using Acegi
|
Deprecated Module The Acegi module is deprecated. Upgrade to the Spring Security module instead, which is a drop-in replacement. As of Mule 3.2 the Acegi module is removed from the distribution. |
This page describes how you can configure method-level authorization on your components so that users with different roles can only invoke certain service methods.
Securing Service Components
To secure MethodInvocations, developers must add a properly configured MethodSecurityInterceptor into the application context. The beans requiring security are chained into the interceptor. This chaining is accomplished using Spring’s ProxyFactoryBean or BeanNameAutoProxyCreator. Alternatively, Acegi security provides a MethodDefinitionSourceAdvisor, which you can use with Spring’s DefaultAdvisorAutoProxyCreator to automatically chain the security interceptor in front of any beans defined against the MethodSecurityInterceptor.
In addition to the daoAuthenticationProvider and inMemoryDaoImpl beans (see Configuring Security), the following beans must be configured:
-
MethodSecurityInterceptor -
AuthenticationManager -
AccessDecisionManager -
AutoProxyCreator -
RoleVoter
The MethodSecurityInterceptor
The MethodSecurityInterceptor is configured with a reference to an:
-
AuthenticationManager -
AccessDecisionManager
Following is a security interceptor for intercepting calls made to the methods of a component that has an interface myComponentIfc, which defines two methods: delete and writeSomething. Roles are set on these methods as seen below in the property objectDefinitionSource.
<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns="http://www.mulesoft.org/schema/mule/core"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:acegi="http://www.mulesoft.org/schema/mule/acegi"
xmlns:https="http://www.mulesoft.org/schema/mule/https"
xmlns:http="http://www.mulesoft.org/schema/mule/http"
xsi:schemaLocation="
http://www.mulesoft.org/schema/mule/acegi http://www.mulesoft.org/schema/mule/acegi/3.1/mule-acegi.xsd
http://www.mulesoft.org/schema/mule/https http://www.mulesoft.org/schema/mule/https/3.1/mule-https.xsd
http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/3.1/mule-http.xsd
http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/3.1/mule.xsd">
...
<bean id="myComponentSecurity" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager" ref="accessDecisionManager"/>
<property name="objectDefinitionSource">
<value>
com.foo.myComponentIfc.delete=ROLE_ADMIN
com.foo.myComponentIfc.writeSomething=ROLE_ANONYMOUS
</value>
</property>
</bean>
</mule>The AuthenticationManager
An AuthenticationManager is responsible for passing requests through a chain of AuthenticationProvider objects.
<bean id="authenticationManager" class='org.acegisecurity.providers.ProviderManager'>
<property name= "providers">
<list>
<ref local="daoAuthenticationProvider"/>
</list>
</property>
</bean>The AccessDecisionManager
This bean specifies that a user can access the protected methods if they have any one of the roles specified in the objectDefinitionSource.
<bean id="accessDecisionManager" class='org.acegisecurity.vote.AffirmativeBased'>
<property name="decisionVoters">
<list>
<ref bean="roleVoter"/>
</list>
</property>
</bean>The AutoProxyCreator
This bean defines a proxy for the protected bean. When an application asks Spring for a myComponent bean, it will get this proxy instead.
<bean id="autoProxyCreator" class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
<property name="interceptorNames">
<list>
<value>myComponentSecurity</value>
</list>
</property>
<property name="beanNames">
<list>
<value>myComponent</value>
</list>
</property>
<property name='proxyTargetClass' value="true"/>
</bean>When using BeanNameAutoProxyCreator to create the required proxy for security, the configuration must contain the property proxyTargetClass set to true. Otherwise, the method passed to MethodSecurityInterceptor.invoke is the proxy’s caller, not the proxy’s target.
The RoleVoter
The RoleVoter class will vote if any ConfigAttribute begins with ROLE_. The RoleVoter is case sensitive on comparisons as well as the ROLE_ prefix.
-
It will vote to grant access if there is a
GrantedAuthority, which returns a String representation (via thegetAuthority()method) exactly equal to one or moreConfigAttributesstarting withROLE. -
If there is no exact match of any
ConfigAttributestarting withROLE_, theRoleVoterwill vote to deny access. -
If no
ConfigAttributebegins withROLE_, the voter will abstain.
<bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter"/>Setting Security Properties on the Security Provider
You can add any additional properties to the security provider in the securityProperties map. For example, this map can be used to change Acegi’s default security strategy into one of the following:
-
MODE_THREADLOCAL, which allows the authentication to be set on the current thread (this is the default strategy used by Acegi) -
MODE_INHERITABLETHREADLOCAL, which allows authentication to be inherited from the parent thread -
MODE_GLOBAL, which allows the authentication to be set on all threads
Securing Components in Asynchronous Systems
The use of Acegi’s security strategies is particularly useful when using an asynchronous system, since we have to add a property on the security provider for the authentication to be set on more than one thread.
In this case, we would use MODE_GLOBAL as seen in the example below.
<acegi:security-manager>
<acegi:delegate-security-provider name="memory-dao" delegate-ref="daoAuthenticationProvider">
<acegi:security-property name="securityMode" value="MODE_GLOBAL"/>
</acegi:delegate-security-provider>
</acegi:security-manager>