Comment: Migrated to Confluence 4.0

h1. Protecting URLs

If one attempted to differentiate between web resource authorization and domain object authorization, one could say that web resource authorization is more coarse-grained. It protects web resources, all of which are uniquely identified by a URL. URLs can point to static resources like images, or they can point to dynamic resources such as the pages of a web application. Web resource authorization, as used in this document, deals with the latter. Web security is referred to as coarse-grained since web resource authorization doesn't enforce security on the methods or even the instances that are involved in dynamically creating a web page. That's not to say that one can't have finer-grained control using domain object authorization; it's just that web resource authorization is the first security gate through which a user must pass.

h2. Protecting URLs with Spring Security

The Pentaho BI Platform comes out-of-the-box using a configuration setup very similar to the Spring Security Contacts Sample Application. This sample comes with the Spring Security download. The platform uses a standard Spring Security setup that is well-documented in the Spring Security documentation.

Warning: All characters between the \A and \Z must be lowercase in order for a match to occur, because CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON (first line of the objectDefinitionSource below) lowercases the request URL before it is compared against the patterns.

Below, a FilterSecurityInterceptor is defined along with an AccessDecisionManager. The two beans are associated through the accessDecisionManager property. The objectDefinitionSource property associates URL patterns with the roles required to view the pages that match each pattern. RoleVoter specifies that if any role on the right-hand side of the equals sign is granted to the user, the user may view any page that matches that URL pattern.

{code:xml|title=applicationContext-spring-security.xml}
<bean id="filterInvocationInterceptor"
  class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager">
    <ref local="authenticationManager" />
  </property>
  <property name="accessDecisionManager">
    <ref local="httpRequestAccessDecisionManager" />
  </property>
  <property name="objectDefinitionSource">
    <value>
      <![CDATA[
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
// some lines omitted
\A/login.*\Z=Anonymous,Authenticated
\A/admin.*\Z=Admin
// some lines omitted
\A/logout.*\Z=Anonymous
\A/.*\Z=Authenticated
      ]]>
    </value>
  </property>
</bean>

<bean id="httpRequestAccessDecisionManager"
  class="org.springframework.security.vote.AffirmativeBased">
  <property name="allowIfAllAbstainDecisions" value="false" />
  <property name="decisionVoters">
    <list>
      <ref bean="roleVoter" />
    </list>
  </property>
</bean>
{code}

{code:xml|title=applicationContext-common-authorization.xml}
<bean id="roleVoter" class="org.springframework.security.vote.RoleVoter">
  <property name="rolePrefix" value="" />
</bean>
{code}
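The following is an added example, not code from Pentaho or from Spring Security: a small Python model of how the objectDefinitionSource, RoleVoter and AffirmativeBased beans above decide a request, useful for checking a pattern list before deploying it. It assumes the Spring Security 2.x semantics the configuration relies on (the request URL is lowercased when CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON is present, patterns are tried top to bottom and the first match supplies the roles, RoleVoter with an empty prefix grants if the user holds any listed role and denies otherwise, AffirmativeBased grants on a single grant). The pattern list is the one shown above minus the omitted lines; MISORDERED_SOURCE and MIXED_CASE_PATTERN_SOURCE are constructed misconfigurations used to show two failure modes.

```python
import re

# Added example (not Pentaho or Spring Security code): a model of how the
# objectDefinitionSource is evaluated. Assumptions, mirroring Spring Security 2.x:
#  - CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON lowercases the request URL only;
#  - patterns are tried top to bottom and the first match supplies the roles;
#  - RoleVoter (rolePrefix "") grants if the user holds any listed role, else denies;
#  - AffirmativeBased grants on any grant and denies otherwise
#    (allowIfAllAbstainDecisions=false).

ACCESS_GRANTED, ACCESS_ABSTAIN, ACCESS_DENIED = 1, 0, -1

# The patterns from applicationContext-spring-security.xml, minus the omitted lines.
OBJECT_DEFINITION_SOURCE = r"""
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/login.*\Z=Anonymous,Authenticated
\A/admin.*\Z=Admin
\A/logout.*\Z=Anonymous
\A/.*\Z=Authenticated
"""

# Constructed misconfiguration: the catch-all placed before the admin rule.
MISORDERED_SOURCE = r"""
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/.*\Z=Authenticated
\A/admin.*\Z=Admin
"""

# Constructed misconfiguration: an upper-case letter inside \A...\Z.
MIXED_CASE_PATTERN_SOURCE = r"""
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/Admin.*\Z=Admin
\A/.*\Z=Authenticated
"""


def parse_definition_source(text):
    """Return (lowercase_flag, [(compiled_regex, [roles]), ...]) in source order."""
    lowercase = False
    rules = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        if line == "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON":
            lowercase = True
            continue
        pattern, roles = line.split("=", 1)
        rules.append((re.compile(pattern), [r.strip() for r in roles.split(",")]))
    return lowercase, rules


def required_roles(url, lowercase, rules):
    """Roles demanded for url: the first pattern that matches wins."""
    candidate = url.lower() if lowercase else url
    for regex, roles in rules:
        if regex.match(candidate):  # \A...\Z anchor the pattern to the whole URL
            return roles
    return None  # no pattern matched: the interceptor applies no access rule


def role_voter(granted, attributes, role_prefix=""):
    """RoleVoter: votes only on attributes carrying role_prefix; grants if any is held."""
    supported = [a for a in attributes if a.startswith(role_prefix)]
    if not supported:
        return ACCESS_ABSTAIN
    return ACCESS_GRANTED if any(a in granted for a in supported) else ACCESS_DENIED


def affirmative_based(votes, allow_if_all_abstain=False):
    """AffirmativeBased: a single grant suffices; a deny without any grant refuses."""
    if ACCESS_GRANTED in votes:
        return True
    if ACCESS_DENIED in votes:
        return False
    return allow_if_all_abstain


def is_allowed(url, granted_roles, source=OBJECT_DEFINITION_SOURCE):
    """Full decision for one request: pattern lookup, then the voters, then the manager."""
    lowercase, rules = parse_definition_source(source)
    attributes = required_roles(url, lowercase, rules)
    if attributes is None:
        return True
    votes = [role_voter(set(granted_roles), attributes)]
    return affirmative_based(votes)


if __name__ == "__main__":
    # Intended behaviour of the shipped ordering.
    print(is_allowed("/admin/users", ["Admin"]))            # True
    print(is_allowed("/admin/users", ["Authenticated"]))    # False: /admin rule is hit first
    print(is_allowed("/Admin/Users", ["Admin"]))            # True: URL is lowercased
    # Catch-all placed first: the admin rule is never reached.
    print(is_allowed("/admin/users", ["Authenticated"], MISORDERED_SOURCE))  # True
    # Upper-case letter inside \A...\Z never matches a lowercased URL.
    print(is_allowed("/Admin/users", ["Authenticated"], MIXED_CASE_PATTERN_SOURCE))  # True
```

The two constructed sources show why the shipped list keeps the catch-all `\A/.*\Z=Authenticated` pattern last and why the warning about lowercase patterns matters: in both cases an admin page ends up guarded only by the Authenticated role, and nothing in the configuration reports the mistake.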