mule security - authorization using spring security
TRANSCRIPT
![Page 1: Mule security - authorization using spring security](https://reader034.vdocuments.site/reader034/viewer/2022042513/588223c71a28ab52368b4929/html5/thumbnails/1.jpg)
MULE –Component Authorization Using Spring
Security
![Page 2: Mule security - authorization using spring security](https://reader034.vdocuments.site/reader034/viewer/2022042513/588223c71a28ab52368b4929/html5/thumbnails/2.jpg)
2
Component Authorization Using Spring Security
This page describes how you can configure method-level authorization
using Spring Security on your components so that users with different roles
can only invoke certain methods.
![Page 3: Mule security - authorization using spring security](https://reader034.vdocuments.site/reader034/viewer/2022042513/588223c71a28ab52368b4929/html5/thumbnails/3.jpg)
3
Securing Flow Components
To secure MethodInvocations, you must add a properly configured MethodSecurityInterceptor into the application context. The beans requiring security are chained into the interceptor. This chaining is accomplished using Spring’s ProxyFactoryBean or BeanNameAutoProxyCreator. Alternatively, Spring Security provides a MethodDefinitionSourceAdvisor, which you can use with Spring’s DefaultAdvisorAutoProxyCreator to automatically chain the security interceptor in front of any beans defined against the MethodSecurityInterceptor.
![Page 4: Mule security - authorization using spring security](https://reader034.vdocuments.site/reader034/viewer/2022042513/588223c71a28ab52368b4929/html5/thumbnails/4.jpg)
4
In addition to the daoAuthenticationProvider and inMemoryDaoImpl beans (see Configuring Security), the following beans must be configured:
MethodSecurityInterceptor
AuthenticationManager
AccessDecisionManager
AutoProxyCreator
RoleVoter
![Page 5: Mule security - authorization using spring security](https://reader034.vdocuments.site/reader034/viewer/2022042513/588223c71a28ab52368b4929/html5/thumbnails/5.jpg)
5
The MethodSecurityInterceptor
The MethodSecurityInterceptor is configured with a reference to the following:
AuthenticationManager
AccessDecisionManager
![Page 6: Mule security - authorization using spring security](https://reader034.vdocuments.site/reader034/viewer/2022042513/588223c71a28ab52368b4929/html5/thumbnails/6.jpg)
6
Following is a security interceptor for intercepting calls made to the methods of a component myComponent, which defines two methods: delete and writeSomething. Roles are set on these methods as seen below in the property securityMetadataSource.
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:mule="http://www.mulesource.org/schema/mule/core" xmlns:mule-ss="http://www.mulesource.org/schema/mule/spring-security" ...cut... <bean id="myComponentSecurity" class="org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor"> <property name="authenticationManager" ref="authenticationManager"/> <property name="accessDecisionManager" ref="accessDecisionManager"/> <property name="securityMetadataSource"> <value> com.foo.myComponent.delete=ROLE_ADMIN com.foo.myComponent.writeSomething=ROLE_ANONYMOUS </value> </property> </bean>
![Page 7: Mule security - authorization using spring security](https://reader034.vdocuments.site/reader034/viewer/2022042513/588223c71a28ab52368b4929/html5/thumbnails/7.jpg)
7
The AuthenticationManager
This bean is responsible for passing requests through a chain of AuthenticationProvider objects.
<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager"> <property name= "providers"> <list> <ref local="daoAuthenticationProvider"/> </list> </property></bean>
![Page 8: Mule security - authorization using spring security](https://reader034.vdocuments.site/reader034/viewer/2022042513/588223c71a28ab52368b4929/html5/thumbnails/8.jpg)
8
The AccessDecisionManager
This bean specifies that a user can access the protected methods if they have any one of the roles specified in the securityMetadataSource.
<bean id="accessDecisionManager" class='org.springframework.security.access.vote.AffirmativeBased'> <property name="decisionVoters"> <list> <ref bean="roleVoter"/> </list> </property></bean>
![Page 9: Mule security - authorization using spring security](https://reader034.vdocuments.site/reader034/viewer/2022042513/588223c71a28ab52368b4929/html5/thumbnails/9.jpg)
9
The AutoProxyCreator
This bean defines a proxy for the protected bean. When an application asks Spring for a myComponent bean, it will get this proxy instead.
<bean id="autoProxyCreator" class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator"> <property name="interceptorNames"> <list> <value>myComponentSecurity</value> </list> </property> <property name="beanNames"> <list> <value>myComponent</value> </list> </property> <property name='proxyTargetClass' value="true"/></bean>
![Page 10: Mule security - authorization using spring security](https://reader034.vdocuments.site/reader034/viewer/2022042513/588223c71a28ab52368b4929/html5/thumbnails/10.jpg)