...
The Fediz-related configuration lives in a configuration file that is independent of the Servlet Container, which is described here.
Spring Security Configuration
The following configuration snippets illustrate the Fediz-related configuration. The complete configuration file can be found in the example springPreAuthWebapp.
```xml
<!-- Builds the user details (granted authorities) for the pre-authenticated Fediz user -->
<bean id="preAuthenticatedUserDetailsService"
      class="org.apache.cxf.fediz.spring.preauth.PreAuthenticatedGrantedAuthoritiesUserDetailsFederationService"/>

<!-- Pre-authentication filter that hands the Fediz security information to Spring Security -->
<bean id="j2eePreAuthFilter" class="org.apache.cxf.fediz.spring.preauth.FederationPreAuthenticatedProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="authenticationDetailsSource">
        <bean class="org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource">
            <!-- Role names are read from web.xml -->
            <property name="mappableRolesRetriever">
                <bean class="org.springframework.security.web.authentication.preauth.j2ee.WebXmlMappableAttributesRetriever" />
            </property>
            <!-- Role names are upper-cased before they become granted authorities -->
            <property name="userRoles2GrantedAuthoritiesMapper">
                <bean class="org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper">
                    <property name="convertAttributeToUpperCase" value="true"/>
                </bean>
            </property>
        </bean>
    </property>
</bean>

<!-- URL-based authorization rules -->
<bean id="fsi" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
    <property name="securityMetadataSource">
        <sec:filter-invocation-definition-source>
            <sec:intercept-url pattern="/secure/manager/**" access="ROLE_MANAGER"/>
            <sec:intercept-url pattern="/secure/admin/**" access="ROLE_ADMIN"/>
            <sec:intercept-url pattern="/secure/user/**" access="ROLE_USER,ROLE_ADMIN,ROLE_MANAGER"/>
            <sec:intercept-url pattern="/secure/fedservlet" access="ROLE_USER,ROLE_ADMIN,ROLE_MANAGER,ROLE_AUTHENTICATED"/>
        </sec:filter-invocation-definition-source>
    </property>
</bean>
```
The beans preAuthenticatedUserDetailsService and j2eePreAuthFilter are required to provide the Fediz-related security information (claims, login token) to the Spring Security Context. The bean fsi defines the authorization for the web requests, which looks similar to the security constraints definition in web.xml.
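The role mapping and URL rules above can be replayed outside the container to see which paths a given set of roles may reach. This is an added example, not code from the Fediz springPreAuthWebapp sample: the class name FsiRuleCheck, the sample role "User", the sample paths, the use of Spring's AntPathMatcher as a stand-in for the filter's request matching, and the "any listed role grants access" decision are assumptions (the httpRequestAccessDecisionManager bean is not shown on this page). It needs spring-security-core and spring-core on the classpath.

```java
import java.util.*;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper;
import org.springframework.util.AntPathMatcher;

/** Added illustration (hypothetical class): replays the mapper and fsi rules shown above. */
public class FsiRuleCheck {
    // Rules copied from the fsi bean, kept in declaration order (first match wins).
    static final Map<String, List<String>> RULES = new LinkedHashMap<>();
    static {
        RULES.put("/secure/manager/**", Arrays.asList("ROLE_MANAGER"));
        RULES.put("/secure/admin/**", Arrays.asList("ROLE_ADMIN"));
        RULES.put("/secure/user/**", Arrays.asList("ROLE_USER", "ROLE_ADMIN", "ROLE_MANAGER"));
        RULES.put("/secure/fedservlet",
                Arrays.asList("ROLE_USER", "ROLE_ADMIN", "ROLE_MANAGER", "ROLE_AUTHENTICATED"));
    }

    // Same settings as the userRoles2GrantedAuthoritiesMapper bean:
    // upper-case conversion plus the mapper's default "ROLE_" prefix.
    static Set<String> authoritiesFor(String... containerRoles) {
        SimpleAttributes2GrantedAuthoritiesMapper mapper = new SimpleAttributes2GrantedAuthoritiesMapper();
        mapper.setConvertAttributeToUpperCase(true);
        Set<String> names = new TreeSet<>();
        for (GrantedAuthority ga : mapper.getGrantedAuthorities(Arrays.asList(containerRoles))) {
            names.add(ga.getAuthority());
        }
        return names;
    }

    /** Returns "ALLOW", "DENY", or "NO RULE" when no intercept-url pattern covers the path. */
    static String decide(String path, Set<String> authorities) {
        AntPathMatcher matcher = new AntPathMatcher(); // stand-in for the filter's matching (assumption)
        for (Map.Entry<String, List<String>> rule : RULES.entrySet()) {
            if (matcher.match(rule.getKey(), path)) {
                // Assumption: access is granted when the user holds any one of the listed roles.
                return Collections.disjoint(rule.getValue(), authorities) ? "DENY" : "ALLOW";
            }
        }
        return "NO RULE";
    }

    public static void main(String[] args) {
        Set<String> auths = authoritiesFor("User"); // constructed sample role
        String[] paths = {"/secure/user/home.jsp", "/secure/admin/x", "/secure/fedservlet", "/secure/other"};
        for (String p : paths) {
            System.out.println(p + " -> " + decide(p, auths));
        }
    }
}
```

A path that matches no pattern, such as the constructed /secure/other, carries no access attributes; FilterSecurityInterceptor treats such a request as a public invocation unless its rejectPublicInvocations property is set to true.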
The following code snippet of the FederationServlet example illustrates how to get access to the Spring Security Context of the current user.
```java
Authentication obj = SecurityContextHolder.getContext().getAuthentication();
```
The Authentication object can be cast to the FederationAuthenticationToken, which provides access to Claims, login token, etc.
Web Application deployment
Federation Metadata document
...