Spring security pre authentication scenario Part2

In Part 1, I covered configuring Spring security. Here we will see how we can protect the controller and the service class methods by defining what roles are allowed.


Firstly, you can protect your controller as shown below.


Define the URLs to be protected in the ssoContext.xml file something like

<http auto-config="false" access-decision-manager-ref="springAccessDecisionManager" 
once-per-request="true" create-session="ifRequired" entry-point-ref="MyAppAuthenticationEntryPoint">

<session-management invalid-session-url="/j_spring_security_logout" />
<!-- TODO: Would be cleaner if we didnt have to enumerate every role that can access some URL in the system. Consider hierarchical roles -->
<intercept-url pattern="/**/*.css*" filters="none" />
<intercept-url pattern="/**/*.js*" filters="none" />
<intercept-url pattern="/**/*.png*" filters="none" />
<intercept-url pattern="/**/codemapping.rpc" access="ROLE_admin,ROLE_viewer" />
<intercept-url pattern="/**/generalLedgerService.rpc" access="ROLE_admin" />
<intercept-url pattern="/**/MyAppAdjustment.html" access="ROLE_admin,ROLE_viewer" />
<intercept-url pattern="/**/CodeMapping.html" access="ROLE_admin,ROLE_viewer" />
<intercept-url pattern="/**/myapp_test.html" access="ROLE_admin" />
<custom-filter ref="siteminderFilter" position="PRE_AUTH_FILTER" />
<access-denied-handler ref="accessDeniedHandler"/>

....

</http>


In the Spring MVC controller, you can use the annotation as shown below.

   @RolesAllowed(
{
"ROLE_viewer", "ROLE.standard", "ROLE_senior"

})
@RequestMapping(value = "/portfolio/{portfoliocd}/details.csv", method = RequestMethod.GET, produces = "text/csv")
@ResponseBody
public void getCashForecastCSV(
@PathVariable(value = "portfoliocd") String portfolioCode,
@RequestParam(value = "valuationDate", required = true) @DateTimeFormat(pattern = "yyyyMMdd") Date valuationDate,
HttpServletResponse response) throws Exception
{


//..............................

}




The service class methods can be protected by declaring the following in your spring context file where the methods reside.

 <!-- comment this line locally to bypass seurity access control in development. But dont check this in commented as security will be turned off -->
<security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled" jsr250-annotations="enabled"/>


Once declared, you can protect your service class methods as shown below.

    @RolesAllowed(
{
"ROLE_viewer", "ROLE_standard", "ROLE_senior"

})
@Override
public ReconciliationResult getReconciliations(ReconciliationCriteria criteria)
{
//........................
}



Related Posts by Categories

0 komentar:

Posting Komentar