Acegi Security allows you to specify a role prefix in its configuration. Where the role prefix appears in the configuration varies according to your security back-end. Some modifications are required regardless of the back-end; those are covered first. The remaining sections cover specific security back-ends and apply only where you use that back-end. In the examples that follow, MY_ROLE_PREFIX_ is the prefix that will be used.
For All Security Back-ends
In order for RoleVoter to determine if it "supports" a particular type of decision, it references its rolePrefix property. Be sure to set this to your prefix, or use value="" if no prefix is used.
```xml
<bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter">
  <property name="rolePrefix" value="MY_ROLE_PREFIX_" />
</bean>
```
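As an added illustration (not code from the original page or from Acegi itself), the following Python model mirrors the voting logic that makes the rolePrefix matter: RoleVoter only "supports" configuration attributes that start with its prefix, abstains on everything else, and an AffirmativeBased decision manager denies an all-abstain result unless allowIfAllAbstainDecisions is set. The user authorities and URL rule are constructed sample values taken from the prefix used on this page.

```python
# Added example: a Python model of Acegi's RoleVoter / AffirmativeBased behaviour,
# not the project's own code. It shows why a mismatched rolePrefix denies access.
ACCESS_GRANTED, ACCESS_ABSTAIN, ACCESS_DENIED = 1, 0, -1


def role_voter_vote(role_prefix, granted_authorities, config_attributes):
    """Mirror RoleVoter.vote(): only attributes starting with role_prefix are
    'supported'. Each supported attribute starts as DENIED and flips to GRANTED
    if the principal holds that exact authority. No supported attribute -> ABSTAIN."""
    result = ACCESS_ABSTAIN
    for attribute in config_attributes:
        if attribute.startswith(role_prefix):          # RoleVoter.supports()
            result = ACCESS_DENIED
            if attribute in granted_authorities:
                return ACCESS_GRANTED
    return result


def affirmative_based_decide(votes, allow_if_all_abstain=False):
    """Mirror AffirmativeBased.decide(): any GRANTED vote wins; otherwise any
    DENIED vote denies; all-abstain is denied unless allowIfAllAbstainDecisions."""
    if ACCESS_GRANTED in votes:
        return True
    if ACCESS_DENIED in votes:
        return False
    return allow_if_all_abstain


def check_url_access(role_prefix, granted_authorities, url_attributes):
    """Decide one objectDefinitionSource rule, e.g. /**=MY_ROLE_PREFIX_AUTHENTICATED,
    with RoleVoter as the only voter and the default allowIfAllAbstainDecisions=false."""
    votes = [role_voter_vote(role_prefix, granted_authorities, url_attributes)]
    return affirmative_based_decide(votes)


# Constructed sample input: an authenticated user carrying the page's prefix,
# and the "/**" rule from the filterInvocationInterceptor configuration.
USER_AUTHORITIES = ["MY_ROLE_PREFIX_USER", "MY_ROLE_PREFIX_AUTHENTICATED"]
ALL_URLS_RULE = ["MY_ROLE_PREFIX_AUTHENTICATED"]

if __name__ == "__main__":
    # Prefix set correctly: the voter supports the attribute and grants access.
    print(check_url_access("MY_ROLE_PREFIX_", USER_AUTHORITIES, ALL_URLS_RULE))  # True
    # RoleVoter left at its default "ROLE_" prefix: it abstains on every
    # attribute, so the request is denied although the user holds the role.
    print(check_url_access("ROLE_", USER_AUTHORITIES, ALL_URLS_RULE))            # False
    # Empty prefix (value=""): every attribute is supported.
    print(check_url_access("", USER_AUTHORITIES, ALL_URLS_RULE))                 # True
```

The abstain case is the one to watch in review: with a mismatched prefix and allowIfAllAbstainDecisions turned on, every URL rule would be silently granted rather than denied.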
```xml
<acl-publisher>
  <default-acls>
    <acl-entry role="MY_ROLE_PREFIX_ADMIN" acl="ADMIN_ALL" />
    <acl-entry role="MY_ROLE_PREFIX_CTO" acl="ADMIN_ALL" />
    <acl-entry role="MY_ROLE_PREFIX_DEV" acl="EXECUTE_SUBSCRIBE" />
    <acl-entry role="MY_ROLE_PREFIX_AUTHENTICATED" acl="EXECUTE" />
  </default-acls>
</acl-publisher>
<acl-voter>
  <admin-role>MY_ROLE_PREFIX_ADMIN</admin-role>
</acl-voter>
<anonymous-authentication>
  <anonymous-user>anonymous</anonymous-user>
  <anonymous-role>MY_ROLE_PREFIX_ANONYMOUS</anonymous-role>
</anonymous-authentication>
```
```xml
<bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
  <property name="key" value="foobar" />
  <property name="userAttribute" value="anonymousUser,MY_ROLE_PREFIX_ANONYMOUS" />
</bean>

<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <!-- omitted -->
  <property name="objectDefinitionSource">
    <value>
      <![CDATA[
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /login*=MY_ROLE_PREFIX_ANONYMOUS,MY_ROLE_PREFIX_AUTHENTICATED
      ...omitted...
      /**=MY_ROLE_PREFIX_AUTHENTICATED
      ]]>
    </value>
  </property>
</bean>
```
Memory
```xml
<bean id="userMap" class="java.lang.String">
  <constructor-arg type="java.lang.String">
    <value>
      <![CDATA[
      joe=password,MY_ROLE_PREFIX_CEO,MY_ROLE_PREFIX_ADMIN,MY_ROLE_PREFIX_USER,MY_ROLE_PREFIX_AUTHENTICATED
      ...omitted...
      ]]>
    </value>
  </constructor-arg>
</bean>
```
```xml
<bean id="inMemoryUserRoleListService" class="com.pentaho.security.memory.InMemoryUserRoleListService">
  <!-- omitted -->
  <property name="allAuthorities">
    <list>
      <bean class="org.acegisecurity.GrantedAuthorityImpl">
        <constructor-arg value="MY_ROLE_PREFIX_AUTHENTICATED" />
      </bean>
      <!-- omitted -->
    </list>
  </property>
  <!-- omitted -->
</bean>
```
Relational Database (JDBC)
There is no additional configuration required to use role prefixes. However, be sure that your roles are stored in your database with the prefixes! In other words, assuming your role names are stored in the ROLE column of the ROLES table, if you executed SELECT ROLE FROM ROLES, you would see:

| ROLE |
|---|
| MY_ROLE_PREFIX_AUTHENTICATED |
| MY_ROLE_PREFIX_CEO |
| ...omitted... |
Directory (LDAP)
```xml
<bean id="populator" class="com.pentaho.security.ldap.FixedDefaultLdapAuthoritiesPopulator">
  <!-- omitted -->
  <property name="rolePrefix" value="" />
  <!-- omitted -->
</bean>
```