May 15, 2013

Spring security pre-authentication scenario - Part 2

In Part 1, I covered configuring Spring Security. Here we will see how to protect the controller and the service class methods by declaring which roles are allowed to call them.

Firstly, you can protect your controller as shown below.

Define the URLs to be protected in the ssoContext.xml file, something like the following:

<http auto-config="false" access-decision-manager-ref="springAccessDecisionManager" 
  once-per-request="true" create-session="ifRequired" entry-point-ref="MyAppAuthenticationEntryPoint">
  <session-management invalid-session-url="/j_spring_security_logout" />
  <!-- TODO: Would be cleaner if we didn't have to enumerate every role that can access some URL in the system. Consider hierarchical roles -->
  <!-- Static resources bypass the security filter chain entirely -->
  <intercept-url pattern="/**/*.css*" filters="none" />
  <intercept-url pattern="/**/*.js*" filters="none" />
  <intercept-url pattern="/**/*.png*" filters="none" />
  <!-- Application URLs: the caller must hold at least one of the listed roles -->
  <intercept-url pattern="/**/codemapping.rpc" access="ROLE_admin,ROLE_viewer" /> 
  <intercept-url pattern="/**/generalLedgerService.rpc" access="ROLE_admin" />
  <intercept-url pattern="/**/MyAppAdjustment.html" access="ROLE_admin,ROLE_viewer" />
  <intercept-url pattern="/**/CodeMapping.html" access="ROLE_admin,ROLE_viewer" />
  <intercept-url pattern="/**/myapp_test.html" access="ROLE_admin" />
  <!-- The SiteMinder pre-authentication filter from Part 1 -->
  <custom-filter ref="siteminderFilter" position="PRE_AUTH_FILTER" />
  <access-denied-handler ref="accessDeniedHandler"/> 
</http>

In the Spring MVC controller, you can use the annotation as shown below.

    // The annotation name was lost in extraction; @Secured is assumed here
    // (@RolesAllowed would work equally, since jsr250-annotations are enabled below)
    @Secured({ "ROLE_viewer", "ROLE_standard", "ROLE_senior" })
    @RequestMapping(value = "/portfolio/{portfoliocd}/details.csv", method = RequestMethod.GET, produces = "text/csv")
    public void getCashForecastCSV(
            @PathVariable(value = "portfoliocd") String portfolioCode,
            @RequestParam(value = "valuationDate", required = true) @DateTimeFormat(pattern = "yyyyMMdd") Date valuationDate,
            HttpServletResponse response) throws Exception

The service class methods can be protected by declaring the following in the Spring context file of the module where the methods reside.

 <!-- Comment this line out locally to bypass security access control in development,
      but never check it in commented out: with it gone, method-level security is turned off entirely. -->
 <security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled" jsr250-annotations="enabled"/>

Once declared, you can protect your service class methods as shown below.

    // The annotation name was lost in extraction; @Secured is assumed here
    // (@RolesAllowed would work equally, since jsr250-annotations are enabled above)
    @Secured({ "ROLE_viewer", "ROLE_standard", "ROLE_senior" })
    public ReconciliationResult getReconciliations(ReconciliationCriteria criteria)
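The comment above warns against checking in the global-method-security declaration commented out. The cheapest guard against that is a test that fails whenever method security is not enforced. The following JUnit test is an added example and is not part of the original post; it assumes a hypothetical package name, a hypothetical context file applicationContext-service.xml that contains the global-method-security element and the service bean, a ReconciliationService interface exposing the getReconciliations method shown above, and a no-arg constructor on ReconciliationCriteria. It builds the same kind of PreAuthenticatedAuthenticationToken that the SiteMinder filter from Part 1 places in the SecurityContext, so the service is exercised exactly as it would be behind the filter.

```java
package com.example.myapp.security; // hypothetical package

import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.fail;

import org.junit.After;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;

/**
 * Verifies that <security:global-method-security> really wraps the service bean.
 * If the declaration is commented out and checked in, the "denied" tests below
 * fail and the build goes red, instead of security silently disappearing.
 */
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration(locations = { "classpath:applicationContext-service.xml" }) // hypothetical context file
public class ReconciliationServiceSecurityTest {

    @Autowired
    private ReconciliationService reconciliationService; // hypothetical interface declaring getReconciliations(...)

    /**
     * Puts a pre-authenticated user with the given roles into the security context,
     * mirroring what the SiteMinder pre-auth filter does for a real request.
     * The three-argument token constructor marks the token as authenticated.
     */
    private static void loginAs(String user, String... roles) {
        PreAuthenticatedAuthenticationToken token = new PreAuthenticatedAuthenticationToken(
                user, "N/A", AuthorityUtils.createAuthorityList(roles));
        SecurityContextHolder.getContext().setAuthentication(token);
    }

    @After
    public void clearSecurityContext() {
        // never leak one test's identity into the next
        SecurityContextHolder.clearContext();
    }

    @Test
    public void viewerRoleIsAllowed() {
        loginAs("viewer1", "ROLE_viewer");
        ReconciliationResult result = reconciliationService.getReconciliations(new ReconciliationCriteria());
        assertNotNull(result);
    }

    @Test
    public void unlistedRoleIsDenied() {
        loginAs("guest1", "ROLE_guest"); // a role the @Secured annotation does not list
        try {
            reconciliationService.getReconciliations(new ReconciliationCriteria());
            fail("expected AccessDeniedException: method security is not being enforced");
        } catch (AccessDeniedException expected) {
            // correct: the MethodSecurityInterceptor rejected the call before it reached the service
        }
    }

    @Test(expected = AuthenticationCredentialsNotFoundException.class)
    public void callWithoutAuthenticationIsRejected() {
        // No Authentication in the SecurityContext at all: the interceptor refuses
        // the call before any role check, which is also what the filter would see
        // for a request that never passed through SiteMinder.
        reconciliationService.getReconciliations(new ReconciliationCriteria());
    }
}
```

The two negative tests are the ones that matter: a context without global-method-security still lets viewerRoleIsAllowed pass, but the denied and unauthenticated calls would then reach the service and return normally, so those tests fail and expose the missing declaration.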
