h1. Protecting URLs

If one attempted to differentiate between web resource authorization and domain object authorization, one could say that web resource authorization is more coarse-grained. It protects web resources, all of which are uniquely identified by a URL. URLs can point to static resources like images, or they can point to dynamic resources such as the pages of a web application. Web resource authorization, as used in this document, deals with the latter. Web security is referred to as coarse-grained since web resource authorization doesn't enforce security on the methods or even the object instances that are involved in dynamically creating a web page. That's not to say that one can't have finer-grained control using domain object authorization--it's just that web resource authorization is the first security gate through which a user must pass.

h2. Protecting URLs with Spring Security

The Pentaho BI Platform comes out-of-the-box using a configuration setup very similar to the Spring Security Contacts Sample Application. This sample comes with the Spring Security download. The platform uses a standard Spring Security setup that is well-documented in the Spring Security documentation.
Warning: All characters between the \A and \Z must be lowercase in order for a match to occur. The CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON directive on the first line of the objectDefinitionSource lowercases the request URL before it is compared against the patterns, so a pattern containing an uppercase character can never match, and such a request silently falls through to a later (usually less restrictive) pattern.
Below, a FilterSecurityInterceptor is defined along with an AccessDecisionManager. The two beans are associated through the accessDecisionManager property. The objectDefinitionSource property associates URL patterns (regular expressions anchored with \A and \Z) with the roles required to view pages that match the URL pattern. Patterns are compared in the order listed and the first matching pattern wins, which is why the catch-all pattern \A/.*\Z=Authenticated comes last. The RoleVoter specifies that if any role on the right-hand side of the equals sign is granted to the user, the user may view any page that matches that URL pattern. Because the AccessDecisionManager is AffirmativeBased with allowIfAllAbstainDecisions set to false, a single granting vote is enough to allow access, and a request on which every voter abstains is denied.
{code:xml}
<bean id="filterInvocationInterceptor"
      class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager">
    <ref local="authenticationManager" />
  </property>
  <property name="accessDecisionManager">
    <ref local="httpRequestAccessDecisionManager" />
  </property>
  <property name="objectDefinitionSource">
    <value>
      <![CDATA[
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      // some lines omitted
      \A/login.*\Z=Anonymous,Authenticated
      \A/admin.*\Z=Admin
      // some lines omitted
      \A/logout.*\Z=Anonymous
      \A/.*\Z=Authenticated
      ]]>
    </value>
  </property>
</bean>

<bean id="httpRequestAccessDecisionManager"
      class="org.springframework.security.vote.AffirmativeBased">
  <property name="allowIfAllAbstainDecisions" value="false" />
  <property name="decisionVoters">
    <list>
      <ref bean="roleVoter" />
    </list>
  </property>
</bean>
{code}
The roleVoter bean referenced above is configured with an empty rolePrefix, so authority names such as Admin and Authenticated are compared as written rather than being required to carry the default ROLE_ prefix.

{code:xml}
<bean id="roleVoter" class="org.springframework.security.vote.RoleVoter">
  <property name="rolePrefix" value="" />
</bean>
{code}
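To make the interaction of the three beans concrete, here is an added Python model of the decision path a request takes through the configuration above: the objectDefinitionSource text is parsed in order, the URL is lowercased because of CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON, the first matching pattern supplies the required roles, the RoleVoter (with the empty rolePrefix from the roleVoter bean) casts its vote, and AffirmativeBased turns that vote into an allow or deny. This is illustrative code written for this page, not Pentaho or Spring Security code; it assumes that only the request path is compared against the patterns, that a single RoleVoter is configured, and it follows the Spring Security 2.x rule that the first matching pattern wins and that lines beginning with "//" are comments. It also carries a constructed misconfiguration (UPPERCASE_PATTERN_SOURCE) to show the effect the warning above describes.

```python
import re

# Constructed copy of the objectDefinitionSource text shown on this page.
# A raw string keeps the \A and \Z anchors intact; "//" lines are comments
# (Spring Security 2.x ignores them, as it ignores blank lines).
OBJECT_DEFINITION_SOURCE = r"""
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
// some lines omitted
\A/login.*\Z=Anonymous,Authenticated
\A/admin.*\Z=Admin
// some lines omitted
\A/logout.*\Z=Anonymous
\A/.*\Z=Authenticated
"""

# Constructed misconfiguration illustrating the page's warning: the request
# URL is lowercased but the pattern is not, so a request for /Admin/... can
# never match it and falls through to the catch-all rule.
UPPERCASE_PATTERN_SOURCE = r"""
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/Admin.*\Z=Admin
\A/.*\Z=Authenticated
"""

ROLE_PREFIX = ""  # <property name="rolePrefix" value="" /> from the roleVoter bean
ALLOW_IF_ALL_ABSTAIN = False  # allowIfAllAbstainDecisions="false" on AffirmativeBased


def parse_definition_source(text):
    """Return (lowercase_first, rules) where rules is an ordered list of
    (compiled regex, [required roles]) pairs, in the order written."""
    lowercase_first = False
    rules = []
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("//"):
            continue
        if line == "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON":
            lowercase_first = True
            continue
        pattern, roles = line.split("=", 1)
        rules.append((re.compile(pattern), [r.strip() for r in roles.split(",")]))
    return lowercase_first, rules


def required_roles(definition_source, url):
    """Roles attached to the first pattern that matches the request path
    (assumption: only the path is compared). None means no pattern matched."""
    lowercase_first, rules = parse_definition_source(definition_source)
    candidate = url.lower() if lowercase_first else url
    for regex, roles in rules:
        if regex.search(candidate):  # \A...\Z anchors force a whole-string match
            return roles
    return None


def role_voter_vote(granted_authorities, required):
    """RoleVoter semantics: it supports every attribute starting with
    rolePrefix (an empty prefix means all of them), grants if the user holds
    any supported attribute, denies if supported attributes exist but none is
    held, and abstains if it supports none of them."""
    supported = [a for a in required if a.startswith(ROLE_PREFIX)]
    if not supported:
        return "ABSTAIN"
    return "GRANTED" if any(a in granted_authorities for a in supported) else "DENIED"


def affirmative_based_decide(votes):
    """AffirmativeBased: one GRANTED vote is enough; otherwise any DENIED vote
    denies; if every voter abstained, fall back to allowIfAllAbstainDecisions."""
    if "GRANTED" in votes:
        return True
    if "DENIED" in votes:
        return False
    return ALLOW_IF_ALL_ABSTAIN


def is_allowed(url, granted_authorities, definition_source=OBJECT_DEFINITION_SOURCE):
    """Full path of a request through the interceptor modelled here."""
    roles = required_roles(definition_source, url)
    if roles is None:
        # No pattern matched: the interceptor has no attributes to enforce and
        # lets the request through (rejectPublicInvocations defaults to false).
        return True
    return affirmative_based_decide([role_voter_vote(granted_authorities, roles)])


if __name__ == "__main__":
    for url, roles in [("/admin/settings", {"Admin"}),
                       ("/ADMIN/settings", {"Authenticated"}),
                       ("/login", {"Anonymous"}),
                       ("/content/report", {"Anonymous"})]:
        print(url, sorted(roles), "->", "allowed" if is_allowed(url, roles) else "denied")
```

Two behaviours are worth noticing when running it: a request for /ADMIN/settings is still held to the Admin rule, because lowercasing happens before comparison, so mixed-case URLs cannot slip past a lowercase pattern; and with UPPERCASE_PATTERN_SOURCE the request /Admin/x is matched only by the catch-all rule and therefore needs nothing more than Authenticated, which is exactly the silent downgrade the warning is about.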