Securing Application Methods
In this lab, you'll learn to use a different kind of security. You'll secure a method on a bean instead of a servlet. This type of security is still declarative, but it's a little more involved.
EJB security works by assigning users roles, giving permissions to those roles, and then assigning permissions to individual methods. In Spring, to use that model, you'll want to secure a method on a bean in the context, instead. In most cases, you'll want to secure the methods on your façade layer—in your case, the rentaBike bean.
How do I do that?
Method-based security relies on user roles, just like servlet-based security does (Example 7-23). You have already established two users with different roles in the previous lab.
Example 7-23. RentABikeApp-Servlet.xml
<bean id="inMemoryDaoImpl"
      class="net.sf.acegisecurity.providers.dao.memory.InMemoryDaoImpl">
    <property name="userMap">
        <value>
            justin=gehtland,ROLE_USER,ROLE_ADMIN
            bruce=tate,ROLE_USER
        </value>
    </property>
</bean>
To establish access rules for methods on a bean, you have to create an instance of ACEGI's MethodSecurityInterceptor (Example 7-24). For this application, you will want to secure methods on the façade layer that controls your data model. The interceptor needs references to a ProviderManager and a DecisionManager, just like the FilterSecurityInterceptor in the previous lab did. Similarly, it will have a property called objectDefinitionSource that lists the methods on the beans that need to be secured, ...
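The mechanism described above, sketched with a plain JDK dynamic proxy as an added example (it is not code from the book and does not use ACEGI's classes). The BikeFacade interface, its method names, and the method-to-role rule map are hypothetical; only the two users and their roles come from Example 7-23.

```java
import java.lang.reflect.*;
import java.util.*;

public class MethodSecurityDemo {
    // Hypothetical facade; the method names are assumptions, not the book's RentABike API.
    public interface BikeFacade { List<String> getBikes(); void deleteBike(String serial); }
    static class InMemoryFacade implements BikeFacade {
        private final List<String> bikes = new ArrayList<>(List.of("11111", "22222"));
        public List<String> getBikes() { return List.copyOf(bikes); }
        public void deleteBike(String serial) { bikes.remove(serial); }
    }

    // Parses userMap entries of the form name=password,ROLE_A,ROLE_B into name -> roles.
    static Map<String, Set<String>> parseUserMap(String userMap) {
        Map<String, Set<String>> users = new HashMap<>();
        for (String entry : userMap.trim().split("\\s+")) {
            String[] kv = entry.split("=", 2);
            String[] parts = kv[1].split(",");   // parts[0] is the password
            users.put(kv[0], new HashSet<>(Arrays.asList(parts).subList(1, parts.length)));
        }
        return users;
    }

    // Wraps the target so every call is checked against a methodName -> required role map.
    static BikeFacade secure(BikeFacade target, Map<String, String> rules, Set<String> callerRoles) {
        InvocationHandler h = (proxy, method, args) -> {
            String required = rules.get(method.getName());
            // This sketch refuses methods that have no rule (a choice made here,
            // not a statement about ACEGI's defaults).
            if (required == null || !callerRoles.contains(required))
                throw new SecurityException("Access denied: " + method.getName());
            try { return method.invoke(target, args); }
            catch (InvocationTargetException e) { throw e.getCause(); }
        };
        return (BikeFacade) Proxy.newProxyInstance(BikeFacade.class.getClassLoader(),
                new Class<?>[] { BikeFacade.class }, h);
    }

    public static void main(String[] a) {
        Map<String, Set<String>> users =
                parseUserMap("justin=gehtland,ROLE_USER,ROLE_ADMIN bruce=tate,ROLE_USER");
        Map<String, String> rules = Map.of("getBikes", "ROLE_USER", "deleteBike", "ROLE_ADMIN");
        BikeFacade target = new InMemoryFacade();
        BikeFacade asBruce = secure(target, rules, users.get("bruce"));
        System.out.println(asBruce.getBikes());                 // ROLE_USER may read
        try { asBruce.deleteBike("11111"); }                    // ROLE_USER may not delete
        catch (SecurityException e) { System.out.println(e.getMessage()); }
        secure(target, rules, users.get("justin")).deleteBike("11111"); // ROLE_ADMIN may
        System.out.println(target.getBikes());
    }
}
```

Because the check lives in the wrapper around the façade, a caller holding a direct reference to the unwrapped target bypasses it, which is why the secured proxy, not the raw bean, is what the rest of the application should be handed.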