Acegi Security allows you to specify a role prefix in its configuration. Where the role prefix is used in the configuration varies according to your security back-end. There are modifications that will need to be completed regardless of security back-end. Those are covered first. The remaining sections cover specific security back-ends and should be used where applicable. In the examples that follow, MY_ROLE_PREFIX_ is the prefix that will be used.

For All Security Back-ends

RoleVoter decides whether it "supports" a particular configuration attribute (and therefore whether it casts a vote on it at all) by comparing the attribute against its rolePrefix property. Be sure to set this property to your prefix, or use value="" if no prefix is used.

applicationContext-common-authorization.xml:

<bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter">
  <property name="rolePrefix" value="MY_ROLE_PREFIX_" />
</bean>
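The following is an added illustrative model, not Acegi's Java source or any Pentaho code, of how RoleVoter's rolePrefix and the AffirmativeBased decision manager interact; the class and function names are the author's own, while the semantics follow Acegi's documented behaviour (supports() is a startsWith check on the prefix, an unsupported attribute makes the voter abstain, and an all-abstain outcome is resolved by allowIfAllAbstainDecisions, which defaults to false). It shows the practical consequence of a prefix that does not match the role names used elsewhere: every voter abstains, so either everyone is denied (default) or, if allowIfAllAbstainDecisions has been set to true, everyone is let in.

```python
"""
Illustrative model of Acegi's RoleVoter / AffirmativeBased decision logic.
Added example: names are the author's own, not Acegi or Pentaho code.
"""
from dataclasses import dataclass
from typing import Iterable, List

ACCESS_GRANTED, ACCESS_ABSTAIN, ACCESS_DENIED = 1, 0, -1


@dataclass
class RoleVoter:
    """Model of org.acegisecurity.vote.RoleVoter."""
    role_prefix: str = "ROLE_"   # Acegi's default when rolePrefix is not set

    def supports(self, attribute: str) -> bool:
        # Only attributes carrying the configured prefix are this voter's
        # business. Note that value="" (empty prefix) supports everything.
        return attribute.startswith(self.role_prefix)

    def vote(self, granted: Iterable[str], attributes: Iterable[str]) -> int:
        granted = set(granted)
        result = ACCESS_ABSTAIN
        for attribute in attributes:
            if not self.supports(attribute):
                continue
            # Once a supported attribute is seen the answer is DENIED unless
            # the principal holds a matching granted authority (OR semantics
            # across the comma-separated roles of one URL rule).
            result = ACCESS_DENIED
            if attribute in granted:
                return ACCESS_GRANTED
        return result


def affirmative_decide(voters: List[RoleVoter], granted: Iterable[str],
                       attributes: Iterable[str],
                       allow_if_all_abstain: bool = False) -> bool:
    """Model of AffirmativeBased: the first GRANTED wins, any DENIED loses,
    and an all-abstain outcome is resolved by allowIfAllAbstainDecisions."""
    granted = list(granted)
    attributes = list(attributes)
    denied = 0
    for voter in voters:
        outcome = voter.vote(granted, attributes)
        if outcome == ACCESS_GRANTED:
            return True
        if outcome == ACCESS_DENIED:
            denied += 1
    if denied:
        return False
    return allow_if_all_abstain


def is_allowed(role_prefix: str, granted: Iterable[str],
               attributes: Iterable[str],
               allow_if_all_abstain: bool = False) -> bool:
    """Decide one request with a single RoleVoter configured with role_prefix."""
    return affirmative_decide([RoleVoter(role_prefix)], granted, attributes,
                              allow_if_all_abstain)


if __name__ == "__main__":
    attrs = ["MY_ROLE_PREFIX_Authenticated"]      # roles required by a URL rule
    user = ["MY_ROLE_PREFIX_Authenticated"]       # roles the principal holds
    # Prefix configured correctly: the user is let in.
    print(is_allowed("MY_ROLE_PREFIX_", user, attrs))                       # True
    # rolePrefix left at Acegi's default: the voter abstains on every
    # attribute, and with allowIfAllAbstainDecisions=false even this user
    # is denied.
    print(is_allowed("ROLE_", user, attrs))                                 # False
    # Same mismatch with allowIfAllAbstainDecisions=true: anyone gets in.
    print(is_allowed("ROLE_", ["MY_ROLE_PREFIX_Anonymous"], attrs, True))   # True
```

The third case is the one to watch for when auditing a deployment: a prefix mismatch normally fails closed, but a decision manager configured with allowIfAllAbstainDecisions="true" turns the same mismatch into unrestricted access.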

Roles are referenced by name in pentaho.xml.

pentaho.xml:

<acl-publisher>
  <default-acls>
    <acl-entry role="MY_ROLE_PREFIX_Admin" acl="ADMIN_ALL" />
    <acl-entry role="MY_ROLE_PREFIX_cto" acl="ADMIN_ALL" />
    <acl-entry role="MY_ROLE_PREFIX_dev" acl="EXECUTE_SUBSCRIBE" />
    <acl-entry role="MY_ROLE_PREFIX_Authenticated" acl="EXECUTE" />
  </default-acls>
</acl-publisher>

<acl-voter>
  <admin-role>MY_ROLE_PREFIX_Admin</admin-role>
</acl-voter>

<anonymous-authentication>
  <anonymous-user>anonymous</anonymous-user>
  <anonymous-role>MY_ROLE_PREFIX_Anonymous</anonymous-role>
</anonymous-authentication>

Again, roles are referenced by name when allowing anonymous users and when specifying authorization rules for URLs.

applicationContext-acegi-security.xml:

<bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
  <property name="key" value="foobar" />
  <property name="userAttribute" value="anonymousUser,MY_ROLE_PREFIX_Anonymous" />
</bean>

<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">

  <!-- omitted -->

  <property name="objectDefinitionSource">
    <value>
    <![CDATA[
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    \A/login.*\Z=MY_ROLE_PREFIX_Anonymous,MY_ROLE_PREFIX_Authenticated

    ...omitted...

    \A/.*\Z=MY_ROLE_PREFIX_Authenticated
    ]]>
    </value>
  </property>
</bean>

Memory

With the in-memory security back-end, role names are specified directly in the Spring XML files.

applicationContext-acegi-security-memory.xml:

<bean id="userMap" class="java.lang.String">
  <constructor-arg type="java.lang.String">
    <value>
    <![CDATA[
    joe=password,MY_ROLE_PREFIX_ceo,MY_ROLE_PREFIX_Admin,MY_ROLE_PREFIX_User,MY_ROLE_PREFIX_Authenticated

    ...omitted...

    ]]>
    </value>
  </constructor-arg>
</bean>
applicationContext-pentaho-security-memory.xml:

<bean id="inMemoryUserRoleListService" class="org.pentaho.platform.plugin.services.security.userrole.memory.InMemoryUserRoleListService">

<!-- omitted -->

  <property name="allAuthorities">
    <list>
      <bean class="org.acegisecurity.GrantedAuthorityImpl">
        <constructor-arg value="MY_ROLE_PREFIX_Authenticated" />
      </bean>

      <!-- omitted -->

    </list>
  </property>

  <!-- omitted -->

</bean>

Relational Database (JDBC)

There is no additional configuration required to use role prefixes. However, be sure that your roles are stored in your database with the prefixes! In other words, assuming your role names are stored in the ROLE column of the ROLES table, if you executed a SELECT ROLE FROM ROLES, you would see:

ROLE
----------------------------
MY_ROLE_PREFIX_Authenticated
MY_ROLE_PREFIX_ceo
...omitted...
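Both the in-memory userMap and the JDBC ROLES table rely on the role names themselves already carrying the prefix, and the URL rules in objectDefinitionSource must reference the same prefixed names. The following added consistency check (author's own code, not part of the page or of Pentaho) parses those three sources and reports every role that lacks the prefix. The sample inputs are constructed to resemble the fragments on this page, and the parsing mirrors the formats Acegi uses: `<url pattern>=<role>,<role>` split on the last `=`, and `user=password,<role>,...[,enabled|disabled]` for the userMap.

```python
"""
Added consistency check for role prefixes across the in-memory userMap,
the objectDefinitionSource URL rules and rows from the ROLES table.
Author's own example; sample inputs below are constructed.
"""
from typing import Dict, Iterable, List

PREFIX = "MY_ROLE_PREFIX_"

# Constructed sample: CDATA body of objectDefinitionSource. The last rule
# deliberately omits the prefix so the check has something to report.
OBJECT_DEFINITION_SOURCE = r"""
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/login.*\Z=MY_ROLE_PREFIX_Anonymous,MY_ROLE_PREFIX_Authenticated
\A/.*\Z=Authenticated
"""

# Constructed sample: CDATA body of the userMap bean ("cto" lacks the prefix).
USER_MAP = """
joe=password,MY_ROLE_PREFIX_ceo,MY_ROLE_PREFIX_Admin,MY_ROLE_PREFIX_Authenticated
suzy=password,cto,MY_ROLE_PREFIX_Authenticated,enabled
"""

# Constructed sample: rows returned by SELECT ROLE FROM ROLES ("dev" lacks it).
DB_ROLES = ["MY_ROLE_PREFIX_Authenticated", "MY_ROLE_PREFIX_ceo", "dev"]

# Directive lines Acegi accepts at the top of an objectDefinitionSource.
DIRECTIVES = {"CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON", "PATTERN_TYPE_APACHE_ANT"}


def roles_from_object_definition_source(text: str) -> List[str]:
    """Collect role names from '<pattern>=<role>,<role>' rules."""
    roles: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line in DIRECTIVES:
            continue
        # Split on the LAST '=' so that an '=' inside the URL pattern is kept
        # with the pattern, as Acegi's own editor does.
        _pattern, _, role_list = line.rpartition("=")
        roles.extend(r.strip() for r in role_list.split(",") if r.strip())
    return roles


def roles_from_user_map(text: str) -> List[str]:
    """Collect role names from 'user=password,role,...[,enabled|disabled]' lines."""
    roles: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _user, _, attrs = line.partition("=")
        tokens = [t.strip() for t in attrs.split(",")]
        # tokens[0] is the password; an optional trailing enabled/disabled
        # flag is not a role.
        for token in tokens[1:]:
            if token.lower() in ("enabled", "disabled"):
                continue
            roles.append(token)
    return roles


def unprefixed(prefix: str, roles: Iterable[str]) -> List[str]:
    """Return the distinct role names that do not start with prefix."""
    return sorted({r for r in roles if not r.startswith(prefix)})


def audit(prefix: str = PREFIX) -> Dict[str, List[str]]:
    """Map each configuration source to the unprefixed roles found in it."""
    findings: Dict[str, List[str]] = {}
    sources = (
        ("objectDefinitionSource",
         roles_from_object_definition_source(OBJECT_DEFINITION_SOURCE)),
        ("userMap", roles_from_user_map(USER_MAP)),
        ("ROLES table", DB_ROLES),
    )
    for name, roles in sources:
        bad = unprefixed(prefix, roles)
        if bad:
            findings[name] = bad
    return findings


if __name__ == "__main__":
    for source, roles in audit().items():
        print(f"{source}: roles without prefix {PREFIX!r}: {roles}")
```

A role that shows up here will never match a RoleVoter configured with the prefix, so the affected user silently loses access (or the affected URL rule silently stops protecting anything it was meant to restrict to that role).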

Directory (LDAP)

The configuration below assumes that your role entries are NOT stored with the prefix. The prefixes are added when the roles are fetched.

applicationContext-acegi-security-ldap.xml:

<bean id="populator" class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">

  <!-- omitted -->

  <property name="rolePrefix" value="MY_ROLE_PREFIX_" />

  <!-- omitted -->

</bean>

applicationContext-pentaho-security-ldap.xml:

<bean id="allAuthoritiesSearch"
 class="org.pentaho.platform.plugin.services.security.userrole.ldap.search.GenericLdapSearch">

  <!-- omitted -->

  <constructor-arg index="2">
    <bean class="org.apache.commons.collections.functors.ChainedTransformer">
      <constructor-arg index="0">
        <list>

          <!-- omitted -->

          <bean class="org.pentaho.platform.plugin.services.security.userrole.ldap.transform.StringToGrantedAuthority">
            <property name="rolePrefix" value="MY_ROLE_PREFIX_" />

            <!-- omitted -->

          </bean>
        </list>
      </constructor-arg>
    </bean>
  </constructor-arg>
</bean>