From 0510de6ab87f0bdba6fbdfa877bcf1dd8cbe915c Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Sat, 12 Apr 2008 13:33:09 +0000 Subject: [PATCH] SEC-624: Added basic method security namespace overview --- src/docbkx/authorization-common.xml | 7 +-- src/docbkx/namespace-config.xml | 70 ++++++++++++++++++++++++++--- 2 files changed, 68 insertions(+), 9 deletions(-) diff --git a/src/docbkx/authorization-common.xml b/src/docbkx/authorization-common.xml index 2aa13f70fe..0adde6829f 100644 --- a/src/docbkx/authorization-common.xml +++ b/src/docbkx/authorization-common.xml @@ -1,7 +1,8 @@ -Common Authorization Concepts - + + Common Authorization Concepts -
Authorities +
+ Authorities As briefly mentioned in the Authentication section, all Authentication implementations are required to diff --git a/src/docbkx/namespace-config.xml b/src/docbkx/namespace-config.xml index a6c8ab8be2..8b1c607e5d 100644 --- a/src/docbkx/namespace-config.xml +++ b/src/docbkx/namespace-config.xml @@ -162,7 +162,12 @@ Which says that we want all URLs within our application to be secured, requiring the role ROLE_USER - to access them. To add some users, you can define a set of test data directly in the + to access them. + You can use multiple <intercept-url> elements to define + different access requirements for different sets of URLs, but they will be evaluated in the + order listed and the first match will be used. So you must put the most specific matches at the top. + + To add some users, you can define a set of test data directly in the namespace: @@ -401,9 +406,9 @@ during initialization. The standard filters each have an alias in the namespace: Standard Filter Aliases and Ordering - + - AliasFilter Class + AliasFilter Class CHANNEL_FILTERChannelProcessingFilter @@ -437,13 +442,66 @@ that you want your filter to appear before or after the entire stack, respectively. -
- Namespace Support for Method Security + Method Security + + + Spring Security 2.0 has improved support substantially for adding security to your service layer methods. If you are + using Java 5 or greater, then support for JSR-250 security annotations is provided, as well as the framework's native + @secured annotation. You can apply security to a single bean, using the intercept-methods + element to decorate the bean declaration, or you can secure multiple beans across the entire service layer using the + AspectJ style pointcuts. + - TODO +
+ The <literal><global-method-security></literal> Element + + This element is used to enable annotation based security in your application (by setting the appropriate + attributes on the element), and also to group together security pointcut declarations which will be applied across your + entire application context. You should only declare one <global-method-security> element. + The following declaration would enable support for both types of annotations: + + ]]> + + +
+ Adding Security Pointcuts using <literal>protect-pointcut</literal> + + The use of protect-pointcut is particularly powerful, as it allows you to + apply security to many beans with only a simple declaration. Consider the following example: + + + +]]> + + This will protect all methods on beans declared in the application context whose classes + are in the com.mycompany package and whose class names end in "Service". + Only users with the ROLE_USER role will be able to invoke these methods. + As with URL matching, the most specific matches must come first in the list of pointcuts, as the + first matching expression will be used. + +
+ +
+ Customizing the AccessDecisionManager + + The default namespace-registered AccessDecisionManager will be used automatically to + control method access. For more complex requirements you can specify another instance + using the access-decision-manager-ref attribute: + + + ... + +]]> + +
+
+
\ No newline at end of file
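Review bot: the @@ -1,7 +1,8 @@ hunk in src/docbkx/authorization-common.xml only re-tags the "Common Authorization Concepts" heading and has nothing to do with the SEC-624 method security overview named in the subject line; split it into its own commit so that the documentation for the new namespace elements can be reviewed, cherry-picked or reverted on its own.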
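Review bot: the new ordering paragraph in the @@ -162,7 +162,12 @@ hunk of namespace-config.xml ("they will be evaluated in the order listed and the first match will be used. So you must put the most specific matches at the top") states the rule but not the failure mode, and the surrounding example is exactly the dangerous case: it secures all URLs with a single catch-all intercept-url requiring ROLE_USER. Say explicitly that a catch-all must be the last <intercept-url> element, because placed first it matches every request and any stricter element below it (an admin-only URL, say) is silently never consulted, leaving those URLs protected only by the catch-all's requirement and with no error reported at startup. The sentence should also make clear that this ordering applies to the intercept-url elements within one <http> block.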
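Review bot: three corrections to the new Method Security section in the @@ -437,13 +442,66 @@ hunk. First, "the framework's native @secured annotation" should read @Secured; the annotation class is Secured, and a reader copying the lowercase form into source will not get a working annotation. Second, "If you are using Java 5 or greater, then support for JSR-250 security annotations is provided" should note that the javax.annotation.security package is not part of Java 5 SE, so on Java 5 the JSR-250 API jar must be on the classpath; only Java 6 ships it. Third, "secure multiple beans across the entire service layer using the AspectJ style pointcuts" should be qualified: protect-pointcut uses AspectJ pointcut expression syntax but is applied through Spring AOP proxies, so only calls that arrive through the proxy (from another bean) are intercepted, and a method invoking another method on the same object bypasses the security check. The later claim "Only users with the ROLE_USER role will be able to invoke these methods" is therefore too strong without that caveat, and a security-critical section should carry it. As a style point, "has improved support substantially for adding security to your service layer methods" reads more naturally as "has substantially improved support for securing service layer methods".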