This page last changed on Oct 06, 2006 by ross.

This section describes how you can configure method level authorization on your components so that users with different roles can only invoke certain service methods.

Securing Services Components

To secure MethodInvocations, developers need to add a properly configured MethodSecurityInterceptor into the application context. The beans requiring security are chained into the interceptor. This chaining is accomplished using Spring's ProxyFactoryBean or BeanNameAutoProxyCreator. Alternatively, Acegi Security provides a MethodDefinitionSourceAdvisor which may be used with Spring's DefaultAdvisorAutoProxyCreator to automatically chain the security interceptor in front of any beans defined against the MethodSecurityInterceptor.

Apart from the daoAuthenticationProvider and inMemoryDaoImpl beans configured above, the following beans must be configured:

  • MethodSecurityInterceptor
  • AuthenticationManager
  • AccessDecisionManager
  • AutoProxyCreator
  • RoleVoter

The MethodSecurityInterceptor

 The MethodSecurityInterceptor is configured with a reference to an:

  • AuthenticationManager
  • AccessDecisionManager

The following is a Security Interceptor for intercepting calls made to the methods of a component called myComponent. myComponent has an interface (myComponentIfc) that defines two methods: delete and writeSomething. Roles are set on these methods as seen below in the property objectDefinitionSource.

<bean id="myComponentSecurity" class='org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor'>
      <property name="authenticationManager">
            <ref bean="authenticationManager"/>
      </property>
      <property name="accessDecisionManager">
            <ref bean="accessDecisionManager"/>
      </property>
      <property name="objectDefinitionSource">
            <value>
                  com.foo.myComponentIfc.delete=ROLE_ADMIN
                  com.foo.myComponentIfc.writeSomething=ROLE_ANONYMOUS
            </value>
      </property>
</bean>

 The AuthenticationManager

An AuthenticationManager is responsible for passing requests through a chain of AuthenticationProviders.

<bean id="authenticationManager" class='org.acegisecurity.providers.ProviderManager'>
      <property name= "providers">
            <list>
                 <ref local="daoAuthenticationProvider"/>
            </list>
      </property>
</bean>

 The AccessDecisionManager

This bean specifies that a user can access the protected methods if they have any one of the roles specified in the objectDefinitionSource.

<bean id="accessDecisionManager" class='org.acegisecurity.vote.AffirmativeBased'>
      <property name="decisionVoters">
            <list>
                  <ref bean="roleVoter"/>
            </list>
      </property>
</bean>

The AutoProxyCreator

This bean defines a proxy for the protected bean. When an application asks Spring for a myComponent bean it will get this proxy instead.

<bean id="autoProxyCreator" class='org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator'>
      <property name='interceptorNames'>
            <list>
                  <value>myComponentSecurity</value>
            </list>
      </property>
      <property name='beanNames'>
            <list>
                  <value>myComponent</value>
            </list>
      </property>
      <property name='proxyTargetClass' value="true"/>
</bean>

When using BeanNameAutoProxyCreator to create the required proxy for security, the configuration must contain the property proxyTargetClass set to true. Otherwise, the method passed to MethodSecurityInterceptor.invoke is the proxy's caller, not the proxy's target.

The RoleVoter

The RoleVoter class will vote if any ConfigAttribute begins with ROLE_. The RoleVoter is case sensitive on comparisons as well as the ROLE_ prefix.

  • It will vote to grant access if there is a GrantedAuthority which returns a String representation (via the getAuthority() method) exactly equal to one or more ConfigAttributes starting with ROLE_.
  • If there is no exact match of any ConfigAttribute starting with ROLE_, the RoleVoter will vote to deny access.
  • If no ConfigAttribute begins with ROLE_, the voter will abstain.
<bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter"/>

Setting Security Properties on the Security Provider

We can put any additional properties we may wish to add to the Security Provider in the securityProperties map. For instance this map can be used to change Acegi's default security strategy into one of the following...

MODE_THREADLOCAL which allows the authentication to be set on the current thread (this is the defualt strategy used by Acegi).
MODE_INHERITABLETHREADLOCAL which allows authentication to be inherited from the parent thread
MODE_GLOBAL which allows the authentication to be set on all threads

Securing Components in Asynchronous Systems

The use of Acegi's security strategies is particularly useful when using an asynchronous system since we have to add a property on the Security Provider in order for the authentication to be set on more than one thread.

In this case we would use the MODE_GLOBAL as seen in the example below.

<security-provider name="memory-dao" className="org.mule.extras.acegi.AcegiProviderAdapter">
        <properties>
                <container-property name="delegate" reference="daoAuthenticationProvider"/>
	       <map name="securityProperties">
	                <property name="securityMode" value="MODE_GLOBAL"/>
	       </map>
        </properties>
</security-provider>
Document generated by Confluence on Nov 27, 2006 10:27