Files
spring-integration/src/reference/docbook/security.xml
Artem Bilan e3f8ef534b INT-3331: Add ChannelSecurityInterceptorFB
JIRA: https://jira.spring.io/browse/INT-3331

INT-3331: PR comments and others

* Register `ChannelSecurityInterceptorBeanPostProcessor` as a `BeanDefinition` (not `BPP`)
* Get `ChannelSecurityInterceptor`s from `ChannelSecurityInterceptorBeanPostProcessor#afterPropertiesSet()`
* Make `ChannelSecurityInterceptor` `final` to disallow to subclass it for unexpected issues
* Provide more convenience to the `ChannelSecurityInterceptorFactoryBean` - to allow to use it from xml configuration

Doc Polishing
2014-03-27 14:06:35 -04:00

97 lines
5.3 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<appendix xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="security"
xmlns:xlink="http://www.w3.org/1999/xlink">
<title>Security in Spring Integration</title>
<section id="security-intro">
<title>Introduction</title>
<para>
Spring Integration builds upon the
<ulink url="http://static.springframework.org/spring-security/site/">Spring Security project</ulink>
to enable role based security checks to be applied to channel send and receive invocations.
</para>
</section>
<section id="securing-channels">
<title>Securing channels</title>
<para>
Spring Integration provides the interceptor <classname>ChannelSecurityInterceptor</classname>, which extends
<classname>AbstractSecurityInterceptor</classname> and intercepts send and receive calls on the channel. Access decisions
are then made with reference to a <classname>ChannelSecurityMetadataSource</classname> which provides the metadata describing
the send and receive access policies for certain channels. The interceptor requires that a valid <interfacename>SecurityContext</interfacename>
has been established by authenticating with Spring Security. See the Spring Security reference documentation for details.
</para>
<para>
Namespace support is provided to allow easy configuration of security constraints. This consists of the secured channels tag which allows
definition of one or more channel name patterns in conjunction with a definition of the security configuration for send and receive. The pattern
is a <interfacename>java.util.regexp.Pattern</interfacename>.
<programlisting language="xml"><![CDATA[<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:int="http://www.springframework.org/schema/integration"
xmlns:int-security="http://www.springframework.org/schema/integration/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/integration
http://www.springframework.org/schema/integration/spring-integration.xsd
http://www.springframework.org/schema/integration/security
http://www.springframework.org/schema/integration/security/spring-integration-security.xsd">
<int-security:secured-channels>
<int-security:access-policy pattern="admin.*" send-access="ROLE_ADMIN"/>
<int-security:access-policy pattern="user.*" receive-access="ROLE_USER"/>
</int-security:secured-channels>]]>
</programlisting>
By default the secured-channels namespace element expects a bean named <emphasis>authenticationManager</emphasis> which implements
<interfacename>AuthenticationManager</interfacename> and a bean named <emphasis>accessDecisionManager</emphasis> which implements
<interfacename>AccessDecisionManager</interfacename>. Where this is not the case references to the appropriate beans can be configured
as attributes of the <emphasis>secured-channels</emphasis> element as below.
<programlisting language="xml"><![CDATA[<int-security:secured-channels access-decision-manager="customAccessDecisionManager"
authentication-manager="customAuthenticationManager">
<int-security:access-policy pattern="admin.*" send-access="ROLE_ADMIN"/>
<int-security:access-policy pattern="user.*" receive-access="ROLE_USER"/>
</int-security:secured-channels>]]>
</programlisting>
</para>
<para>
Starting with <emphasis>version 4.0</emphasis>, the same configuration is available when using
<code>@Configuration</code> classes, by declaring a
<classname>ChannelSecurityInterceptorFactoryBean</classname>. This class delegates all options for
the <classname>ChannelSecurityInterceptor</classname> with a <emphasis>builder</emphasis> pattern:
</para>
<programlisting language="java"><![CDATA[@Configuration
@EnableIntegration
public class ContextConfiguration {
@Autowired
private AuthenticationManager authenticationManager;
@Autowired
private AccessDecisionManager accessDecisionManager;
@Bean
public ChannelSecurityInterceptorFactoryBean channelSecurityInterceptor() {
return new ChannelSecurityInterceptorFactoryBean()
.authenticationManager(this.authenticationManager)
.accessDecisionManager(this.accessDecisionManager)
.accessPolicy("admin.*", "ROLE_ADMIN")
.accessPolicy("user.*", null, "ROLE_USER");
}
}]]></programlisting>
<note>
The <classname>@EnableIntegration</classname> annotation is required to provide the Spring Integration
infrastructure (including Security) to the Application Context. In addition this <interfacename>FactoryBean</interfacename>
falls back to <interfacename>AuthenticationManager</interfacename> and <interfacename>AccessDecisionManager</interfacename>
beans with names <code>authenticationManager</code> and <code>accessDecisionManager</code> respectively, if they aren't provided
in the <classname>ChannelSecurityInterceptorFactoryBean</classname> bean definition.
</note>
</section>
</appendix>