Web Resource Authorization

Owned by Former user (Deleted)
Last updated: Sept 24, 2009Version comment
2 min read
Unknown macro: {scrollbar}

Protecting URLs

If one attempted to differentiate between web resource authorization and domain object authorization, one could say that web resource authorization is more coarse-grained. It protects web resources, all of which are uniquely identified by a URL. URLs can point to static resources like images or they can point to dynamic resources such as the pages of a web application. Web resource authorization, as used in this document, deals with the latter. Web security is referred to as coarse-grained since web resource authorization doesn't enforce security on methods or even instances that are involved in dynamically creating a web page. That's not to say that one can't have finer grain control using domain object authorization--it's just that web resource authorization is the first security gate through which a user must pass.

Protecting URLs with Spring Security

The Pentaho BI Platform comes out-of-the-box using a configuration setup very similar to the Spring Security Contacts Sample Application. This sample comes with the Spring Security download. The platform uses a standard Spring Security setup that is well-documented in the Spring Security documentation.

Warning: All characters between the \A and \Z must be lowercase in order for a match to occur.

Below, a FilterSecurityInterceptor is defined along with an AccessDecisionManager. The two beans are associated through the accessDecisionManager property. The objectDefinitionSource property associates URL patterns with the role required to view pages that match the URL pattern. RoleVoter specifies that if any role on the right hand side of the equals is granted to the user, the user may view any page that matches that URL pattern.

applicationContext-spring-security.xml
<bean id="filterInvocationInterceptor"
  class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager">
    <ref local="authenticationManager" />
  </property>
  <property name="accessDecisionManager">
    <ref local="httpRequestAccessDecisionManager" />
  </property>
  <property name="objectDefinitionSource">
    <value>
      <![CDATA[
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
// some lines omitted
\A/login.*\Z=Anonymous,Authenticated
\A/admin.*\Z=Admin
// some lines omitted
\A/logout.*\Z=Anonymous
\A/.*\Z=Authenticated
        ]]>
      </value>
    </property>
  </bean>

<bean id="httpRequestAccessDecisionManager"
  class="org.springframework.security.vote.AffirmativeBased">
  <property name="allowIfAllAbstainDecisions" value="false" />
  <property name="decisionVoters">
    <list>
      <ref bean="roleVoter" />
    </list>
  </property>
</bean>
applicationContext-common-authorization.xml
<bean id="roleVoter" class="org.springframework.security.vote.RoleVoter">
  <property name="rolePrefix" value="" />
</bean>