The RoleBasedAccessProtocol aspect has two abstract pointcuts that need to be defined in the aspect XML definition:
authenticationPoints - picks out all points in the code where you want authentication to take place
authorizationPoints - picks out all points in the code where you want authorization to take place
Example of how to define the security aspect (for example, authenticate on facade methods and authorize on service methods):
AspectWerkz supports passing in parameters to aspects, but since the definition of roles and permissions is hierarchical, it is hard to handle with key:value pairs only. Therefore this is a great showcase for the SpringAspectContainer, in which we can define the security permissions using Spring.
Simply add something like this to your aware-config.xml and put it on the classpath:
So what is all this? If we take it step by step:
In the first section:
we are mapping the security aspect class to a name (in this case it is the same), then we tell Spring to use the prototype pattern and not instantiate the aspect as a singleton, and finally we name the method that should be used to initialize the aspect.
In the next section:
we tell the aspect to use the JAAS security scheme.
Then we define the roles that we want to use:
And finally we define the permissions. This is similar to how it is done in EJB: We define one permission by specifying which method in which class we want authorization to take place, then we bind this to a role (one of the roles
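
The permission model described above (one permission per method in a class, bound to roles, checked at each authorization point) can be sketched in plain Java. This is an added illustration, not code from the original page or from the AspectWerkz/AWare project: it uses a JDK dynamic proxy in place of the authorizationPoints pointcut, and AccountService, PERMISSIONS, CALLER_ROLES and the role names are hypothetical.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.Collections;
import java.util.Map;
import java.util.Set;

public class MethodPermissionDemo {
    // Hypothetical service interface; its methods are the authorization points.
    interface AccountService {
        String balance(String account);
        String close(String account);
    }
    static class AccountServiceImpl implements AccountService {
        public String balance(String account) { return account + ": 100"; }
        public String close(String account) { return account + ": closed"; }
    }
    // Constructed sample data: one permission per "Class.method", bound to roles.
    static final Map<String, Set<String>> PERMISSIONS = Map.of(
        "AccountService.balance", Set.of("user", "admin"),
        "AccountService.close", Set.of("admin"));
    // Roles of the current caller, as established at an authentication point.
    static final ThreadLocal<Set<String>> CALLER_ROLES = ThreadLocal.withInitial(Collections::emptySet);
    // Wraps the service so every call is authorized before it proceeds.
    static AccountService secured(AccountService target) {
        InvocationHandler handler = (proxy, method, args) -> {
            String key = method.getDeclaringClass().getSimpleName() + "." + method.getName();
            Set<String> allowed = PERMISSIONS.get(key);
            // Deny by default: a method without a permission entry is not callable.
            if (allowed == null || Collections.disjoint(allowed, CALLER_ROLES.get())) {
                throw new SecurityException("access denied: " + key);
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // rethrow the service's own exception
            }
        };
        return (AccountService) Proxy.newProxyInstance(
            AccountService.class.getClassLoader(), new Class<?>[] {AccountService.class}, handler);
    }
    public static void main(String[] args) {
        AccountService service = secured(new AccountServiceImpl());
        CALLER_ROLES.set(Set.of("user"));
        System.out.println(service.balance("acct-1"));
        try { service.close("acct-1"); }
        catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

The check denies any method that has no permission entry, so a service method added later stays closed until a role is bound to it.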