This document is a brief description of the processing that occurs to authenticate and authorize an HTTP request using Spring Security (formerly Acegi Security) and the SAIS Framework, highlighting features that are useful for application developers to know about.

The processing has two parts. One part is performed by Spring Security, and the other part is performed by SAIS Framework code.

...

Spring Security

Spring Security is a package that abstracts authentication and authorization processing in a manner that allows both to be customized for a particular set of requirements. For web applications, Spring Security is "plugged in" as a servlet filter. If the Spring Security servlet filter is configured in web.xml, Spring Security will be called on each request to the servlet.

Spring Security processing is composed of parts that are assembled into what is called a "filter chain". Those parts are themselves customized by injection of service beans. The filters in a Spring Security filter chain are not the same as servlet filters, although the general concept is the same. The filter chain determines the sequence of authentication and authorization processing, and which authentication protocols are included.

The end result of running the filter chain is that access is either granted or denied to the URL requested. Granted access creates a Spring Security Security Context for the request, which an application may consult for roles and user information collected earlier during the Spring Security processing. Denied access should cause an access denied message to be returned to the user.

...

The SAIS framework provides a wrapper around Spring Security, so that applications are not directly tied to a particular security framework implementation. It also provides services to the Spring Security filter chain that handle the specifics of authentication and authorization as are customary or required at MIT. For example, it provides services for SSO authentication, and the following services to obtain roles either separately or in combination:

...

It also provides local development environments a way to test different roles and users with an application.

The Filter Chain Proxy and the Spring Security filters

Complexity is the price of flexibility. There are several interacting artifacts: the components and their configurations.

Spring Security itself and the SAIS framework components are all configured using the Spring context. Configurations for Spring Security and the framework components related to it are found in the applicationContext-common-security.xml of an application or in SAIS Common. Some configuration entries in web.xml and applicationContext-web.xml are also important. When you look at the entries in these files there are many more than what are described in this document; however, it is unusual to have to change entries not discussed here.

...

mitsisRolesUserDetailsService bean: acts as an adapter between the Spring Security system and the authorization classes in the SAIS framework.

...

It is not uncommon for applications to need access to roles information that may be collected by Spring Security and the SAIS framework. The SAIS framework attempts to provide facilities to make this easier. Let's take the example of an application that needs to display a list of sections for the user to choose from, which will allow them to view the students assigned to the section, where there is a rule that class lists are only to be shown to instructors of the section.

...

The InstructorAuthorizationService has a single method, getAuthorizationsByUser. This method uses the DAO to fetch the user's instructor records as an AuthorizedInstructor object containing a collection of AuthorizedTeachingAssignment objects. This is wrapped in an InstructorRoleAuthorization object, which is an adapter for communicating with Spring Security. All of this is done merely by creating the configuration above.

...

Impersonation that is a regular part of an application's feature set delivered to MIT administrators is accomplished with an additional filter on the Spring Security filter chain called the switchProcessingUserFilter. This basically gives authorized users a "login" button or link that logs them in as another user. Once the switch is performed, the SecurityContext contains the credentials for a different user, but it also remembers the original user so impersonation may be exited and the original credentials restored.

...

<bean id="filterSecurityInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager" ref="accessDecisionManager"/>
    <property name="objectDefinitionSource">
        <value>
            PATTERN_TYPE_APACHE_ANT
            <!-- The first matching pattern wins, so the specific rule must precede /** -->
            /sections.html=ROLE_INSTRUCTOR
            /**=IS_AUTHENTICATED_FULLY
        </value>
    </property>
</bean>

and the Spring Security framework would have invoked the access denied handler when a user who did not have this role tried to access the page. We could then write the access denied handler to show a page with a friendly message, or perhaps redirect the user to where they are supposed to be instead.
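As an added example (not code from the page or from the SAIS framework), a small Python model of the first-match lookup the interceptor performs over the Ant-pattern rules in the objectDefinitionSource, using the two rules above in both orders. It shows that with /** listed first the /sections.html rule is never reached, so any fully authenticated user would get the page, and includes a check that flags such shadowed rules; the Ant-to-regex translation is a simplification sufficient for the patterns shown.

```python
import re

# Constructed rule sets (not taken from any application): the same two
# rules from the interceptor configuration, in both possible orders.
BROAD_FIRST = """
PATTERN_TYPE_APACHE_ANT
/**=IS_AUTHENTICATED_FULLY
/sections.html=ROLE_INSTRUCTOR
"""
SPECIFIC_FIRST = """
PATTERN_TYPE_APACHE_ANT
/sections.html=ROLE_INSTRUCTOR
/**=IS_AUTHENTICATED_FULLY
"""

def ant_to_regex(pattern):
    """Translate an Ant-style path pattern into an anchored regex (simplified)."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"          # any number of path segments
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"       # wildcard within a single segment
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"        # one character within a segment
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")

def parse_rules(text):
    """Return [(pattern, [attributes])] in declaration order, skipping directives."""
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue                      # e.g. PATTERN_TYPE_APACHE_ANT
        pattern, attrs = line.split("=", 1)
        rules.append((pattern, [a.strip() for a in attrs.split(",")]))
    return rules

def lookup(rules, path):
    """Attributes of the first rule whose pattern matches the path, else None."""
    for pattern, attrs in rules:
        if ant_to_regex(pattern).match(path):
            return attrs
    return None

def shadowed(rules):
    """Literal (wildcard-free) patterns already captured by an earlier rule."""
    return [p for i, (p, _) in enumerate(rules)
            if not any(c in p for c in "*?") and lookup(rules[:i], p) is not None]
```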