-
Notifications
You must be signed in to change notification settings - Fork 88
guide access control schema
With release 3.0.0
the access-control-schema.xml
has been deprecated. You may still use it and find the documentation in this section. However, for new devonfw applications always start with the new approach described in access control config.
The file access-control-schema.xml
is used to define the mapping from groups to permissions (see example from sample app). The general terms discussed above can be mapped to the implementation as follows:
Term | devon4j-security implementation | Comment |
---|---|---|
Permission |
|
|
Group |
|
When considering different levels of groups of different meanings, declare |
Role |
|
With |
Access Control |
|
Super type that represents a tree of |
<?xml version="1.0" encoding="UTF-8"?>
<access-control-schema>
<group id="ReadMasterData" type="group">
<permissions>
<permission id="OfferManagement_GetOffer"/>
<permission id="OfferManagement_GetProduct"/>
<permission id="TableManagement_GetTable"/>
<permission id="StaffManagement_GetStaffMember"/>
</permissions>
</group>
<group id="Waiter" type="role">
<inherits>
<group-ref>Barkeeper</group-ref>
</inherits>
<permissions>
<permission id="TableManagement_ChangeTable"/>
</permissions>
</group>
...
</access-control-schema>
This example access-control-schema.xml
declares
-
a group named
ReadMasterData
, which grants four different permissions, e.g.,OfferManagement_GetOffer
-
a group named
Waiter
, which-
also grants all permissions from the group
Barkeeper
-
in addition grants the permission
TableManagement_ChangeTable
-
is marked to be a
role
for further application needs.
-
The devon4j-security module automatically validates the schema configuration and will throw an exception if invalid.
Unfortunately, Spring Security does not provide differentiated interfaces for authentication and authorization. Thus we have to provide an AuthenticationProvider
, which is provided from Spring Security as an interface for authentication and authorization simultaneously.
To integrate the devon4j-security provided access control schema, you can simply inherit your own implementation from the devon4j-security provided abstract class AbstractAccessControlBasedAuthenticationProvider
and register your ApplicationAuthenticationProvider
as an AuthenticationManager
. Doing so, you also have to declare the two Beans AccessControlProvider
and AccessControlSchemaProvider
, which are precondition for the AbstractAccessControlBasedAuthenticationProvider
.
As state of the art devon4j will focus on role-based authorization to cope with authorization for executing use case of an application.
We will use the JSR250 annotations, mainly @RolesAllowed
, for authorizing method calls against the permissions defined in the annotation body. This has to be done for each use-case method in logic layer. Here is an example:
public class OrdermanagementImpl extends AbstractComponentFacade implements Ordermanagement {
@RolesAllowed(Roles.WAITER)
public PaginatedListTo<OrderCto> findOrdersByPost(OrderSearchCriteriaTo criteria) {
return findOrderCtos(criteria);
}
}
Now this method can only be called if a user is logged-in that has the permission FIND_TABLE
.
This documentation is licensed under the Creative Commons License (Attribution-NoDerivatives 4.0 International).