Spring Security Plugin
Apache CXF Fediz ships three different plugins for Spring Security - supporting Spring Security 2, 3
...
and 4.
This page describes how to enable Federation for a Spring Security based Web Application. Spring Security provides more authorization capabilities than defined in the Java Servlet specification. Beyond authorizing web requests Spring Security supports authorizing whether methods can be invoked and authorizing access to individual domain object instances.
Spring Security supports two deployment options. On the one hand, authentication and authorization is enforced by the underlying Servlet Container or on the other hand by Spring Security embedded with the application. The former ensures that the application is only called if authentication is successful. This can be controlled by an administrator/operator. This option is called Pre-Authentication. The latter gives all the control to the application developer and removes the dependency to security configuration in the Servlet Container. This simplifies deploying an application into different Serlvet Container environments.
...
The following configuration snippets illustrate the Fediz related configuration. The complete configuration file can be found in the example springPreAuthWebapp.
| Code Block | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
<bean id="preAuthenticatedUserDetailsService"
class="org.apache.cxf.fediz.spring.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsFederationService"/>
<bean id="j2eePreAuthFilter" class="org.apache.cxf.fediz.spring.preauth.FederationPreAuthenticatedProcessingFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationDetailsSource">
<bean class="org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource">
<property name="mappableRolesRetriever">
<bean class="org.springframework.security.web.authentication.preauth.j2ee.WebXmlMappableAttributesRetriever" />
</property>
<property name="userRoles2GrantedAuthoritiesMapper">
<bean class="org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper">
<property name="convertAttributeToUpperCase" value="true"/>
</bean>
</property>
</bean>
</property>
</bean>
<bean id="fsi" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
<property name="securityMetadataSource">
<sec:filter-invocation-definition-source>
<sec:intercept-url pattern="/secure/manager/**" access="ROLE_MANAGER"/>
<sec:intercept-url pattern="/secure/admin/**" access="ROLE_ADMIN"/>
<sec:intercept-url pattern="/secure/user/**" access="ROLE_USER,ROLE_ADMIN,ROLE_MANAGER"/>
<sec:intercept-url pattern="/secure/fedservlet" access="ROLE_USER,ROLE_ADMIN,ROLE_MANAGER,ROLE_AUTHENTICATED"/>
</sec:filter-invocation-definition-source>
</property>
</bean>
|
...
The following code snippet of the FederationServlet example illustrates how to get access to the Spring Security Context of the current user.
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
Authentication obj = SecurityContextHolder.getContext().getAuthentication();
|
...
The following configuration snippets illustrate the Fediz related configuration. The complete configuration file can be found in the example springWebapp.
| Code Block | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
<sec:http entry-point-ref="federationEntryPoint" use-expressions="true">
<sec:intercept-url pattern="/" access="permitAll"/>
<sec:intercept-url pattern="/fediz" access="permitAll"/>
<sec:intercept-url pattern="/index.html" access="permitAll"/>
<sec:intercept-url pattern="/secure/fedservlet" access="isAuthenticated()"/>
<sec:intercept-url pattern="/secure/manager/**" access="hasRole('ROLE_MANAGER')"/>
<sec:intercept-url pattern="/secure/admin/**" access="hasRole('ROLE_ADMIN')"/>
<sec:intercept-url pattern="/secure/user/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN','ROLE_MANAGER')"/>
<sec:custom-filter ref="federationFilter" after="BASIC_AUTH_FILTER" />
<sec:session-management session-authentication-strategy-ref="sas"/>
</sec:http>
<sec:authentication-manager alias="authManager">
<sec:authentication-provider ref="federationAuthProvider" />
</sec:authentication-manager>
<bean id="fedizConfig" class="org.apache.cxf.fediz.spring.FederationConfigImpl" init-method="init"
p:configFile="WEB-INF/fediz_config.xml" />
<bean id="federationEntryPoint"
class="org.apache.cxf.fediz.spring.web.FederationAuthenticationEntryPoint"
p:federationConfig-ref="fedizConfig" />
<bean id="federationFilter"
class="org.apache.cxf.fediz.spring.web.FederationAuthenticationFilter"
p:authenticationManager-ref="authManager">
<property name="authenticationFailureHandler">
<bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler" />
</property>
</bean>
<bean id="federationAuthProvider" class="org.apache.cxf.fediz.spring.authentication.FederationAuthenticationProvider"
p:federationConfig-ref="fedizConfig">
<property name="authenticationUserDetailsService">
<bean class="org.apache.cxf.fediz.spring.authentication.GrantedAuthoritiesUserDetailsFederationService"/>
</property>
</bean>
|
...
The following code snippet of the FederationServlet example illustrates how to get access to the Spring Security Context of the current user and to the Federation releated information like claims and login token.
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
Authentication obj = SecurityContextHolder.getContext().getAuthentication();
FederationAuthenticationToken fedAuthToken = (FederationAuthenticationToken)auth;
for (GrantedAuthority item : fedAuthToken.getAuthorities()) {
...
}
ClaimCollection claims = ((FederationUser)fedAuthToken.getUserDetails()).getClaims();
for (Claim c: claims) {
...
}
|
...