Mule security - authorization using spring security


Component Authorization Using Spring Security

This page describes how you can configure method-level authorization using Spring Security on your components so that users with different roles can only invoke certain methods.


Securing Flow Components

To secure MethodInvocations, you must add a properly configured MethodSecurityInterceptor into the application context. The beans requiring security are chained into the interceptor. This chaining is accomplished using Spring’s ProxyFactoryBean or BeanNameAutoProxyCreator. Alternatively, Spring Security provides a MethodDefinitionSourceAdvisor, which you can use with Spring’s DefaultAdvisorAutoProxyCreator to automatically chain the security interceptor in front of any beans defined against the MethodSecurityInterceptor.


In addition to the daoAuthenticationProvider and inMemoryDaoImpl beans (see Configuring Security), the following beans must be configured:

MethodSecurityInterceptor

AuthenticationManager

AccessDecisionManager

AutoProxyCreator

RoleVoter


The MethodSecurityInterceptor

The MethodSecurityInterceptor is configured with a reference to the following:

AuthenticationManager

AccessDecisionManager


The following security interceptor intercepts calls to the methods of a component, myComponent, which defines two methods: delete and writeSomething. Roles are assigned to these methods in the securityMetadataSource property, as shown below.

<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:mule="http://www.mulesource.org/schema/mule/core"
       xmlns:mule-ss="http://www.mulesource.org/schema/mule/spring-security"
       ...cut...

    <bean id="myComponentSecurity"
          class="org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="accessDecisionManager" ref="accessDecisionManager"/>
        <property name="securityMetadataSource">
            <value>
                com.foo.myComponent.delete=ROLE_ADMIN
                com.foo.myComponent.writeSomething=ROLE_ANONYMOUS
            </value>
        </property>
    </bean>


The AuthenticationManager

This bean is responsible for passing requests through a chain of AuthenticationProvider objects.

    <bean id="authenticationManager"
          class="org.springframework.security.authentication.ProviderManager">
        <property name="providers">
            <list>
                <ref local="daoAuthenticationProvider"/>
            </list>
        </property>
    </bean>


The AccessDecisionManager

This bean specifies that a user can access the protected methods if they have any one of the roles specified in the securityMetadataSource.

    <bean id="accessDecisionManager"
          class="org.springframework.security.access.vote.AffirmativeBased">
        <property name="decisionVoters">
            <list>
                <ref bean="roleVoter"/>
            </list>
        </property>
    </bean>
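The decision rule configured by this bean can be exercised directly. The following is an added example, not part of the original slides: it builds the same AffirmativeBased manager with a single RoleVoter in Java and checks a few callers against role attributes like those in securityMetadataSource. The class name AccessDecisionDemo and the users alice and bob are constructed for illustration, and it assumes a Spring Security version that still ships the AccessDecisionManager API on the classpath.

```java
import java.util.Collection;
import java.util.Collections;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;

public class AccessDecisionDemo {

    // Same wiring as the accessDecisionManager bean: AffirmativeBased with one RoleVoter.
    static final AccessDecisionManager ADM = new AffirmativeBased(
            Collections.<AccessDecisionVoter<?>>singletonList(new RoleVoter()));

    // Returns true when the caller may invoke a method protected by the given attributes.
    static boolean allowed(Authentication caller, String... requiredAttributes) {
        Collection<ConfigAttribute> attrs = SecurityConfig.createList(requiredAttributes);
        try {
            // The secured object (normally the MethodInvocation) is not inspected by RoleVoter.
            ADM.decide(caller, new Object(), attrs);
            return true;
        } catch (AccessDeniedException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample callers; names and credentials are illustrative only.
        Authentication admin = new TestingAuthenticationToken("alice", "n/a", "ROLE_ADMIN");
        Authentication user = new TestingAuthenticationToken("bob", "n/a", "ROLE_USER");

        // delete requires ROLE_ADMIN: granted for the admin, denied for the plain user.
        System.out.println("admin -> delete: " + allowed(admin, "ROLE_ADMIN"));
        System.out.println("user  -> delete: " + allowed(user, "ROLE_ADMIN"));
        // Holding any one of several listed roles is enough.
        System.out.println("user  -> either: " + allowed(user, "ROLE_ADMIN", "ROLE_USER"));
        // An attribute without the ROLE_ prefix makes RoleVoter abstain; with no other
        // voter, AffirmativeBased denies because allowIfAllAbstainDecisions defaults to false.
        System.out.println("admin -> ADMIN : " + allowed(admin, "ADMIN"));
    }
}
```

The last case is the one to watch when writing securityMetadataSource entries: a role name missing the ROLE_ prefix is not matched by RoleVoter, so the method becomes unreachable rather than open.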


The AutoProxyCreator

This bean defines a proxy for the protected bean. When an application asks Spring for a myComponent bean, it will get this proxy instead.

    <bean id="autoProxyCreator"
          class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
        <property name="interceptorNames">
            <list>
                <value>myComponentSecurity</value>
            </list>
        </property>
        <property name="beanNames">
            <list>
                <value>myComponent</value>
            </list>
        </property>
        <property name="proxyTargetClass" value="true"/>
    </bean>
