The RoleBasedAccessProtocol aspect has two abstract pointcuts that need to be defined in the aspect XML definition:

  • authenticationPoints - picks out all points in the code where you want authentication to take place
  • authorizationPoints - picks out all points in the code where you want authorization to take place

Example of how to define the security aspect (for example, authenticating on facade methods and authorizing on service methods):

<aspect class="security.RoleBasedAccessProtocol" 
        container="org.codehaus.aware.container.SpringAspectContainer">
    <pointcut name="authenticationPoints" 
              expression="execution(* *..facade.*.*(..))"/>
    <pointcut name="authorizationPoints" 
              expression="execution(* *..service.*.*(..))"/>
</aspect>

AspectWerkz supports passing in parameters to aspects, but since the definition of roles and permissions is hierarchical, it is hard to handle with key:value pairs only. This makes it a great showcase for the SpringAspectContainer, in which we can define the security permissions using Spring.

Simply add something like this to your aware-config.xml and put it on the classpath:

<bean id="org.codehaus.aware.security.RoleBasedAccessProtocol"
    class="org.codehaus.aware.security.RoleBasedAccessProtocol"
    singleton="false"
    init-method="intialize">

    <property name="type">
        <value>JAAS</value>
    </property>

    <property name="roles">
        <list>
            <value>admin</value>
            <value>jboner</value>
        </list>
    </property>

    <property name="permissions">
        <list>
            <bean class="org.codehaus.aware.security.Permission">
                <property name="role">
                    <value>jboner</value>
                </property>
                <property name="className">
                    <value>org.codehaus.aware.security.SecurityHandlingTest</value>
                </property>
                <property name="methodName">
                    <value>authorizeMe1</value>
                </property>
            </bean>

            <bean class="org.codehaus.aware.security.Permission">
                <property name="role">
                    <value>jboner</value>
                </property>
                <property name="className">
                    <value>org.codehaus.aware.security.SecurityHandlingTest</value>
                </property>
                <property name="methodName">
                    <value>authorizeMe2</value>
                </property>
            </bean>
        </list>
    </property>

</bean>

So what is all this? If we take it step by step:

In the first section:

<bean id="org.codehaus.aware.security.RoleBasedAccessProtocol"
    class="org.codehaus.aware.security.RoleBasedAccessProtocol"
    singleton="false"
    init-method="intialize">

we are mapping the security aspect class to a name (in this case they are the same), then we tell Spring to use the prototype pattern and not instantiate the aspect as a singleton, and finally we name the method that should be used to initialize the aspect.

In the next section:

<property name="type">
    <value>JAAS</value>
</property>

we tell the aspect to use the JAAS security scheme.

Then we define the roles that we want to use:

<property name="roles">
    <list>
        <value>admin</value>
        <value>jboner</value>
    </list>
</property>

And finally we define the permissions. This is similar to how it is done in EJB: we define one permission by specifying the method and the class in which we want authorization to take place, then we bind this to a role (one of the roles previously defined):

<property name="permissions">
    <list>
        <bean class="org.codehaus.aware.security.Permission">
            <property name="role">
                <value>jboner</value>
            </property>
            <property name="className">
                <value>foo.bar.Baz</value>
            </property>
            <property name="methodName">
                <value>authorizeMe1</value>
            </property>
        </bean>

        <bean class="org.codehaus.aware.security.Permission">
            <property name="role">
                <value>jboner</value>
            </property>
            <property name="className">
                <value>foo.bar.Baz</value>
            </property>
            <property name="methodName">
                <value>authorizeMe2</value>
            </property>
        </bean>
    </list>
</property>
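
Because each permission must be bound to one of the roles previously defined, a definition file like this can be checked for consistency before deployment. The following is an added example, not code from the original page or from the AWare project: it reports permissions whose role is not in the `roles` list and declared roles that no permission refers to. The function name `audit`, the misspelled role `jbonr` and the sample XML are constructed for illustration, and the bean elements are assumed to carry no XML namespace, as in the definitions above.

```python
import xml.etree.ElementTree as ET

PERMISSION_CLASS = "org.codehaus.aware.security.Permission"

# Constructed sample in the shape of the page's aware-config.xml, with one
# deliberate mistake: the second permission's role ("jbonr") is not declared.
SAMPLE = """
<beans>
  <bean id="org.codehaus.aware.security.RoleBasedAccessProtocol"
        class="org.codehaus.aware.security.RoleBasedAccessProtocol">
    <property name="roles">
      <list><value>admin</value><value>jboner</value></list>
    </property>
    <property name="permissions">
      <list>
        <bean class="org.codehaus.aware.security.Permission">
          <property name="role"><value>jboner</value></property>
          <property name="className"><value>foo.bar.Baz</value></property>
          <property name="methodName"><value>authorizeMe1</value></property>
        </bean>
        <bean class="org.codehaus.aware.security.Permission">
          <property name="role"><value>jbonr</value></property>
          <property name="className"><value>foo.bar.Baz</value></property>
          <property name="methodName"><value>authorizeMe2</value></property>
        </bean>
      </list>
    </property>
  </bean>
</beans>
"""

def audit(xml_text):
    """Return (permissions with an undeclared role, roles with no permission)."""
    root = ET.fromstring(xml_text)
    declared = [(v.text or "").strip()
                for v in root.findall(".//property[@name='roles']/list/value")]
    perms = []
    for bean in root.findall(f".//bean[@class='{PERMISSION_CLASS}']"):
        # Each Permission bean carries role, className and methodName properties.
        f = {p.get("name"): (p.findtext("value") or "").strip()
             for p in bean.findall("property")}
        perms.append((f.get("role"), f.get("className"), f.get("methodName")))
    undeclared = [p for p in perms if p[0] not in declared]
    unused = [r for r in declared if r not in {p[0] for p in perms}]
    return undeclared, unused

if __name__ == "__main__":
    undeclared, unused = audit(SAMPLE)
    print("undeclared-role permissions:", undeclared, "| unused roles:", unused)
```

Run against the roles and permissions shown on this page, the same check would list `admin` as a declared role with no permission bound to it.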