64 lines
3.7 KiB
XML
64 lines
3.7 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
|
|
<chapter id="security">
|
|
<title>Security in Spring Integration</title>
|
|
|
|
<section id="security-intro">
|
|
<title>Introduction</title>
|
|
<para>
|
|
Spring Integration provides integration with the
|
|
<ulink url="http://static.springframework.org/spring-security/site/">Spring Security project</ulink>
|
|
to allow role based security checks to be applied to channel send and receive invocations.
|
|
</para>
|
|
</section>
|
|
|
|
<section id="securing-channels">
|
|
<title>Securing channels</title>
|
|
<para>
|
|
Spring Integration provides the interceptor <classname>ChannelSecurityInterceptor</classname>, which extends
|
|
<classname>AbstractSecurityInterceptor</classname> and intercepts send and receive calls on the channel. Access decisions
|
|
are then made with reference to <classname>ChannelInvocationDefinitionSource</classname> which provides the definition of
|
|
the send and receive security constraints. The interceptor requires that a valid <interfacename>SecurityContext</interfacename>
|
|
has been established by authenticating with Spring Security, see the Spring Security reference documentation for details.
|
|
</para>
|
|
<para>
|
|
Namespace support is provided to allow easy configuration of security constraints. This consists of the secured channels tag which allows
|
|
definition of one or more channel name patterns in conjunction with a definition of the security configuration for send and receive. The pattern
|
|
is a <interfacename>java.util.regexp.Pattern</interfacename>.
|
|
<programlisting language="xml"><![CDATA[<?xml version="1.0" encoding="UTF-8"?>
|
|
<beans:beans xmlns="http://www.springframework.org/schema/integration"
|
|
xmlns:si-security="http://www.springframework.org/schema/integration/security"
|
|
xmlns:beans="http://www.springframework.org/schema/beans"
|
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
|
xmlns:security="http://www.springframework.org/schema/security"
|
|
xsi:schemaLocation="http://www.springframework.org/schema/beans
|
|
http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
|
|
http://www.springframework.org/schema/security
|
|
http://www.springframework.org/schema/security/spring-security-2.0.xsd
|
|
http://www.springframework.org/schema/integration
|
|
http://www.springframework.org/schema/integration/spring-integration-1.0.xsd
|
|
http://www.springframework.org/schema/integration/security
|
|
http://www.springframework.org/schema/integration/security/spring-integration-security-1.0.xsd">
|
|
|
|
<si-security:secured-channels>
|
|
<si-security:access-policy pattern="admin.*" send-access="ROLE_ADMIN"/>
|
|
<si-security:access-policy pattern="user.*" receive-access="ROLE_USER"/>
|
|
</si-security:secured-channels>]]>
|
|
</programlisting>
|
|
|
|
By default the secured-channels namespace element expects a bean named <emphasis>authenticationManager</emphasis> which implements
|
|
<interfacename>AuthenticationManager</interfacename> and a bean named <emphasis>accessDecisionManager</emphasis> which implements
|
|
<interfacename>AccessDecisionManager</interfacename>. Where this is not the case references to the appropriate beans can be configured
|
|
as attributes of the <emphasis>secured-channels</emphasis> element as below.
|
|
<programlisting language="xml"><![CDATA[<si-security:secured-channels access-decision-manager="customAccessDecisionManager"
|
|
authentication-manager="customAuthenticationManager">
|
|
<si-security:access-policy pattern="admin.*" send-access="ROLE_ADMIN"/>
|
|
<si-security:access-policy pattern="user.*" receive-access="ROLE_USER"/>
|
|
</si-security:secured-channels>]]>
|
|
</programlisting>
|
|
|
|
</para>
|
|
</section>
|
|
|
|
|
|
</chapter> |