Raible's Wiki

Raible Designs
Wiki Home
News
Recent Changes

AppFuse

Homepage
  - Korean
  - Chinese
  - Italian
  - Japanese

QuickStart Guide
  - Chinese
  - French
  - German
  - Italian
  - Korean
  - Portuguese
  - Spanish
  - Japanese

User Guide
  - Korean
  - Chinese

Tutorials
  - Chinese
  - German
  - Italian
  - Korean
  - Portuguese
  - Spanish

FAQ
  - Korean

Latest Downloads

Other Applications

Struts Resume
Security Example
Struts Menu

Set your name in
UserPreferences

Edit this page

Referenced by
AppFuseAcegiACL
AppFuseAcegiACLAddMa...




JSPWiki v2.2.33

[RSS]


Hide Menu

AppFuseAcegiACLAddACLBeans
Search Wiki:
Your trail:

Step V: Add new ACEGI Managers to secure all person objects

Finally we need some new bean definitions

Adding new beans

New Secure person manager

  • In order to secure objects, we need a new instance of the personManager, calles personManagerSecure
  • Add the following part to the applicationContext-service.xml: 
<bean id="personManagerSecure" class="org.springframework.aop.framework.ProxyFactoryBean">
       <property name="proxyInterfaces"><value>org.appfuse.service.PersonManager</value></property>
       <property name="interceptorNames">
           <list>
            <idref bean="personSecurity"/>
            <idref bean="personManager"/>
         </list>
       </property>
   </bean>

Adding new personSecurity bean

This bean is resonsible for all security relevant actions, such as securing methods and checking ACLS.
  • Add the following part to the applicationContext-service.xml: 
 <bean id="personSecurity" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
      <property name="authenticationManager"><ref bean="authenticationManager"/></property>
      <property name="accessDecisionManager"><ref bean="personAccessDecisionManager"/></property>
      <property name="afterInvocationManager"><ref bean="afterInvocationManager"/></property>
      <property name="objectDefinitionSource">
         <value>
            org.appfuse.service.PersonManager.getPerson*=user,admin,AFTER_ACL_READ
            org.appfuse.service.PersonManager.savePerson*=ACL_PERSON_WRITE
            org.appfuse.service.PersonManager.removePerson*=ACL_PERSON_DELETE,admin
            org.appfuse.service.PersonManager.getPersons*=ACL_PERSON_READ,AFTER_ACL_COLLECTION_READ
         </value>
      </property>
   </bean>
  • The part objectDefinitionSource makes sure that only users with correct permissions can call a certain methods.
  • This is done by rolenames (e.g. user or admin)
  • Or by checking, if the user has a sufficient permission on this object (e.g. ACL_PERSON_READ or ACL_PERSON_DELETE)
  • Additional, all methods returning a person or a collection of persons are redireted to a ACL based filter. This is indicated by AFTER_ACL_READ for methods returning sinlge person objects or AFTER_ACL_COLLECTION_READ for methods returning collections of persons.

Defining the decision voters

In this step we need to tell ACEGI, what permissions are described by our new variables (in this case ACL_PERSON_READ , ACL_PERSON_WRITE and ACL_PERSON_DELETE)
  • Add the following part to your applicationContext-service.xml:
  • For the bean 'personAccessDecisionManager' 
<!-- An access decision manager used by the business objects -->
   <bean id="personAccessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
      <property name="allowIfAllAbstainDecisions"><value>false</value></property>
      <property name="decisionVoters">
         <list>
            <ref bean="roleVoter"/>
            <ref local="aclPersonReadVoter"/>
            <ref local="aclPersonDeleteVoter"/>
            <ref local="aclPersonWriteVoter"/>
            <ref local="aclPersonAdminVoter"/>
         </list>
      </property>
   </bean>
  • For different decision voters: 
<!-- An access decision voter that reads ACL_PERSON_READ configuration settings -->
	   <bean id="aclPersonReadVoter" class="org.acegisecurity.vote.BasicAclEntryVoter">
	      <property name="processConfigAttribute"><value>ACL_PERSON_READ</value></property>
	      <property name="processDomainObjectClass"><value>org.appfuse.model.Person</value></property>
	      <property name="aclManager"><ref bean="aclManager"/></property>
	      <property name="requirePermission">
	        <list>
	          <ref bean="org.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
	          <ref bean="org.acegisecurity.acl.basic.SimpleAclEntry.READ"/>
	        </list>
	      </property>
	   </bean>
	
	   <!-- An access decision voter that reads ACL_PERSON_DELETE configuration settings -->
	   <bean id="aclPersonDeleteVoter" class="org.acegisecurity.vote.BasicAclEntryVoter">
	      <property name="processConfigAttribute"><value>ACL_PERSON_DELETE</value></property>
	      <property name="processDomainObjectClass"><value>org.appfuse.model.Person</value></property>
	      <property name="aclManager"><ref bean="aclManager"/></property>
	      <property name="requirePermission">
	        <list>
	          <ref bean="org.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
	          <ref bean="org.acegisecurity.acl.basic.SimpleAclEntry.DELETE"/>
	        </list>
	      </property>
	   </bean>
	   
	   <!-- An access decision voter that reads ACL_PERSON_DELETE configuration settings -->
	   <bean id="aclPersonWriteVoter" class="org.acegisecurity.vote.BasicAclEntryVoter">
	      <property name="processConfigAttribute"><value>ACL_PERSON_WRITE</value></property>
	      <property name="processDomainObjectClass"><value>org.appfuse.model.Person</value></property>
	      <property name="aclManager"><ref bean="aclManager"/></property>
	      <property name="requirePermission">
	        <list>
	          <ref bean="org.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
	          <ref bean="org.acegisecurity.acl.basic.SimpleAclEntry.WRITE"/>
	        </list>
	      </property>
	   </bean>
	
	   <!-- An access decision voter that reads ACL_PERSON_ADMIN configuration settings -->
	   <bean id="aclPersonAdminVoter" class="org.acegisecurity.vote.BasicAclEntryVoter">
	      <property name="processConfigAttribute"><value>ACL_PERSON_ADMIN</value></property>
	      <property name="processDomainObjectClass"><value>org.appfuse.model.Person</value></property>
	      <property name="aclManager"><ref bean="aclManager"/></property>
	      <property name="requirePermission">
	        <list>
	          <ref bean="org.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
	        </list>
	      </property>
	   </bean>
  • These bean definitions require some new beans, so add the next content also to your applicationContext-service.xml:
  • Permission mask definitions: 
   <!-- ACL permission masks used by this application -->
   <bean id="org.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION" class="org.springframework.beans.factory.config.FieldRetrievingFactoryBean">
      <property name="staticField"><value>org.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION</value></property>
   </bean>
   <bean id="org.acegisecurity.acl.basic.SimpleAclEntry.READ" class="org.springframework.beans.factory.config.FieldRetrievingFactoryBean">
      <property name="staticField"><value>org.acegisecurity.acl.basic.SimpleAclEntry.READ</value></property>
   </bean>
   <bean id="org.acegisecurity.acl.basic.SimpleAclEntry.DELETE" class="org.springframework.beans.factory.config.FieldRetrievingFactoryBean">
      <property name="staticField"><value>org.acegisecurity.acl.basic.SimpleAclEntry.DELETE</value></property>
   </bean>
    <bean id="org.acegisecurity.acl.basic.SimpleAclEntry.WRITE" class="org.springframework.beans.factory.config.FieldRetrievingFactoryBean">
      <property name="staticField"><value>org.acegisecurity.acl.basic.SimpleAclEntry.WRITE</value></property>
   </bean>
  • The ACL Manager ('aclManager'): 
  <bean id="aclManager" class="org.acegisecurity.acl.AclProviderManager">
      <property name="providers">
         <list>
            <ref local="basicAclProviderManager"/>
         </list>
      </property>
   </bean>
   
   <bean id="basicAclProviderManager" parent="txProxyTemplate">
        <property name="target">
            <bean class="org.appfuse.service.acl.impl.BasicAclProviderManagerImpl" autowire="byName" />
        </property>
    </bean>

Defining the afterInvocationManager

This manager is used to filter returns values and remove objects a user has no sufficient rights.
  • Add the folloing part: 
 <bean id="afterInvocationManager" class="org.acegisecurity.afterinvocation.AfterInvocationProviderManager">
      <property name="providers">
         <list>
            <ref local="afterAclRead"/>
            <ref local="afterAclCollectionRead"/>
         </list>
      </property>
   </bean>
   
	   <!-- Processes AFTER_ACL_COLLECTION_READ configuration settings -->
	   <bean id="afterAclCollectionRead" class="org.acegisecurity.afterinvocation.BasicAclEntryAfterInvocationCollectionFilteringProvider">
	      <property name="aclManager"><ref local="aclManager"/></property>
	      <property name="requirePermission">
	        <list>
	          <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
	          <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.READ"/>
	        </list>
	      </property>
	   </bean>
   
	   <!-- Processes AFTER_ACL_READ configuration settings -->
	   <bean id="afterAclRead" class="org.acegisecurity.afterinvocation.BasicAclEntryAfterInvocationProvider">
	      <property name="aclManager"><ref local="aclManager"/></property>
	      <property name="requirePermission">
	        <list>
	          <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.ADMINISTRATION"/>
	          <ref local="org.acegisecurity.acl.basic.SimpleAclEntry.READ"/>
	        </list>
	      </property>
	   </bean>

Next step:

Step VI. Change all references to the old manager to the new manager


Go to top   Edit this page   More info...   Attach file...
This page last changed on 06-Nov-2006 13:53:00 MST by PeterSchneider-Manzell.