Acegi Security in one hour

A concise guide to securing your Java Web applications

Page 4 of 7

Adding authorization services

Authorization in Acegi Security is performed mainly by the FilterSecurityInterceptor filter. This filter maps each secured URL to the roles allowed to access it. The URL patterns and their associated roles are defined with the objectDefinitionSource property. Any user can access the URLs that carry the ROLE_ANONYMOUS role; for the other URLs you define the roles that are required. Listing 11 shows the sample application's authorization configuration.

Listing 11. Authorization configuration

<bean id="filterInvocationInterceptor"
  class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager">
    <ref bean="authenticationManager" />
  </property>
  <property name="accessDecisionManager">
    <ref local="httpRequestAccessDecisionManager" />
  </property>
  <property name="objectDefinitionSource">
    <value>
      PATTERN_TYPE_APACHE_ANT
      /index.jsp=ROLE_ADMIN,ROLE_TECHNICIAN
      /order/createOrder.jsp=ROLE_TECHNICIAN
      /order/authorizeOrder.jsp=ROLE_ADMIN
      /login.jsp=ROLE_ANONYMOUS,ROLE_TECHNICIAN,ROLE_ADMIN
    </value>
  </property>
</bean>

In Listing 11, a user with the ROLE_TECHNICIAN role can access the "Create Order" Web page, but not the "Authorize Order" Web page. The reverse is true for a user with the ROLE_ADMIN role.

If a user is not authorized to access a secured resource, the AbstractSecurityInterceptor (the base class of FilterSecurityInterceptor) throws an exception, which ExceptionTranslationFilter then catches. AccessDeniedHandlerImpl, a collaborator of exceptionTranslationFilter (shown in Listing 12), then forwards the request to an "Access Denied" error page.

Listing 12. exceptionTranslationFilter

<bean id="exceptionTranslationFilter"
  class="org.acegisecurity.ui.ExceptionTranslationFilter">
  <property name="authenticationEntryPoint">
    <ref local="authenticationProcessingFilterEntryPoint" />
  </property>
  <property name="accessDeniedHandler">
    <bean
      class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
      <property name="errorPage" value="/accessDenied.jsp" />
    </bean>
  </property>
</bean>


FilterSecurityInterceptor delegates access-control decisions to an AccessDecisionManager. The AccessDecisionManager polls a series of AccessDecisionVoter implementations and combines their votes into an authorization decision. The example implementation uses RoleVoter as the concrete AccessDecisionVoter.

RoleVoter votes on any ConfigAttribute whose name begins with ROLE_. As you can see in Listing 11, all roles begin with ROLE_, so RoleVoter can vote on every one of them. If your authorization roles follow a different naming convention, you can implement a new AccessDecisionVoter. If none of the user's granted authorities exactly matches a ConfigAttribute starting with ROLE_, RoleVoter votes to deny access. If no ConfigAttribute begins with ROLE_, the voter abstains. Listing 13 shows the bean definition of httpRequestAccessDecisionManager (referenced in Listing 11's accessDecisionManager property) and its relationship with a series of AccessDecisionVoter implementations.

Listing 13. httpRequestAccessDecisionManager

<bean id="httpRequestAccessDecisionManager"
  class="org.acegisecurity.vote.AffirmativeBased">
  <property name="allowIfAllAbstainDecisions">
    <value>false</value>
  </property>
  <property name="decisionVoters">
    <list>
      <ref bean="roleVoter" />
    </list>
  </property>
</bean>
<bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter" />
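To make the voting rules concrete, the following added Python model (not Acegi code, and not part of the original article) replays the decision that FilterSecurityInterceptor, AffirmativeBased and RoleVoter make for the objectDefinitionSource of Listing 11 and the manager of Listing 13. It assumes a user's granted authorities arrive as a set of strings, matches patterns in the order listed (first match wins, as Acegi does), and mirrors the interceptor's default of treating a URL with no ConfigAttributes as public (rejectPublicInvocations=false), which is worth noticing: any URL not listed in Listing 11 is open to everyone.

```python
import re

# Text of the objectDefinitionSource property from Listing 11 (copied, not constructed).
OBJECT_DEFINITION_SOURCE = """
PATTERN_TYPE_APACHE_ANT
/index.jsp=ROLE_ADMIN,ROLE_TECHNICIAN
/order/createOrder.jsp=ROLE_TECHNICIAN
/order/authorizeOrder.jsp=ROLE_ADMIN
/login.jsp=ROLE_ANONYMOUS,ROLE_TECHNICIAN,ROLE_ADMIN
"""

ACCESS_GRANTED, ACCESS_DENIED, ACCESS_ABSTAIN = 1, -1, 0


def parse_definition_source(text):
    """Return an ordered list of (ant_pattern, [ConfigAttribute, ...])."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith(("PATTERN_TYPE", "CONVERT_URL")):
            continue  # directive lines, not URL rules
        pattern, attrs = line.split("=", 1)
        rules.append((pattern.strip(), [a.strip() for a in attrs.split(",")]))
    return rules


def ant_match(pattern, path):
    """Apache Ant path matching: '**' spans directories, '*' and '?' do not."""
    regex = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(regex.replace(r"\?", "[^/]"), path) is not None


def config_attributes(rules, url):
    """First matching pattern wins, exactly like the ordered source in Listing 11."""
    return next((attrs for pat, attrs in rules if ant_match(pat, url)), [])


def role_voter(granted, attributes):
    """RoleVoter: abstain without ROLE_ attributes; grant on exact match; else deny."""
    role_attrs = [a for a in attributes if a.startswith("ROLE_")]
    if not role_attrs:
        return ACCESS_ABSTAIN
    return ACCESS_GRANTED if any(a in granted for a in role_attrs) else ACCESS_DENIED


def affirmative_based(voters, granted, attributes, allow_if_all_abstain=False):
    """AffirmativeBased: any grant wins; otherwise any deny loses; all-abstain uses the flag."""
    votes = [vote(granted, attributes) for vote in voters]
    if ACCESS_GRANTED in votes:
        return True
    return allow_if_all_abstain if ACCESS_DENIED not in votes else False


def is_allowed(rules, url, granted):
    """Model of FilterSecurityInterceptor: unlisted URLs are public by default."""
    attributes = config_attributes(rules, url)
    return True if not attributes else affirmative_based([role_voter], granted, attributes)
```

An anonymous visitor carries only ROLE_ANONYMOUS, so the model admits it to /login.jsp but denies it /index.jsp, and an unlisted URL such as /unlisted.jsp is admitted for everyone.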

Logout functionality

Logout functionality is performed by LogoutFilter. You use a constructor argument to provide the URL that LogoutFilter redirects to after a successful logout. A second constructor argument specifies a list of handlers that execute as part of the logout. Listing 14 specifies SecurityContextLogoutHandler, which invalidates the HttpSession. You can add more handlers to perform extra work if required.

Listing 14. logoutFilter definition

<bean id="logoutFilter"
  class="org.acegisecurity.ui.logout.LogoutFilter">
  <!-- URL redirected to after logout -->
  <constructor-arg value="/index.jsp" />
  <constructor-arg>
    <list>
      <bean
        class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler" />
    </list>
  </constructor-arg>
</bean>

Et voilà! You've completed the environment and system configuration required to implement Acegi Security for your application. All that remains is to code the application's Web pages.
