...
Available as of Camel 2.3
Spring Security is a popular security framework that provides authentication and authorization for Spring applications. Together with Camel, it provides authorization support for Camel processing by configuring an authorizationPolicy.
Using SpringSecurityAuthorizationPolicy
The camel-spring-security component can take the authentication token set by Spring Security or another security framework and check it against the access information configured in the SpringSecurityAuthorizationPolicy. If the authentication token is authorized, the Camel exchange is passed to the next processor; otherwise a CamelAuthorizationException is thrown with the exchange.
You can configure the SpringSecurityAuthorizationPolicy as a normal Spring bean, or with the custom authorizationPolicy element.
The authorizationPolicy element has the following attributes:
| Attribute | Type | Description |
|---|---|---|
| | String | The bean id, as commonly used for beans managed by Spring |
| | String | The access policy that you want to use for authorization |
| | String | The id of the authentication manager which is used for reauthentication within the SpringSecurityAuthorizationPolicy. If you don't specify it, SpringSecurityAuthorizationPolicy will set its value to "authenticationManager" |
| | String | The id of the access decision manager which is used for checking the access attribute against the authentication token. If you don't specify it, SpringSecurityAuthorizationPolicy will set its value to "accessDecisionManager" |
| | String | SpringSecurityAuthorizationPolicy will try to get the authentication token from the exchange; if it can't get it and this attribute is true, it will try to get the authentication from SecurityContextHolder (the thread-local context). The default value of this attribute is true. |
| | String | If this attribute is true, SpringSecurityAuthorizationPolicy will always reauthenticate the authentication token. The default value of this attribute is false. |
Using SpringSecurityAuthorizationPolicy in Spring XML
In this example we want to make sure that an exchange sent to mock:end is authenticated with the admin role.
The camel-spring-security component provides role-based authorization for Camel routes. It leverages the authentication and user services provided by Spring Security (formerly Acegi Security) and adds a declarative, role-based policy system to control whether a route can be executed by a given principal.
If you are not familiar with the Spring Security authentication and authorization system, please review the current reference documentation on the SpringSource web site linked above.
Creating authorization policies
Access to a route is controlled by an instance of a SpringSecurityAuthorizationPolicy object. A policy object contains the name of the Spring Security authority (role) required to run a set of endpoints and references to Spring Security AuthenticationManager and AccessDecisionManager objects used to determine whether the current principal has been assigned that role. Policy objects may be configured as Spring beans or by using an <authorizationPolicy> element in Spring XML.
The <authorizationPolicy> element may contain the following attributes:
| Name | Default Value | Description |
|---|---|---|
| | | The unique Spring bean identifier which is used to reference the policy in routes (required) |
| | | The Spring Security authority name that is passed to the access decision manager (required) |
| | | The name of the Spring Security |
| | | The name of the Spring Security |
| | DefaultAuthenticationAdapter | Camel 2.4 The name of a camel-spring-security |
| | | If a |
| | | If set to true, the |
Controlling access to Camel routes
A Spring Security AuthenticationManager and AccessDecisionManager are required to use this component. Here is an example of how to configure these objects in Spring XML using the Spring Security namespace:
...
...
The Spring Security configuration looks like this:
...
Now that the underlying security objects are set up, we can use them to configure an authorization policy and use that policy to control access to a route:
...
Dependencies
To use Spring Security in your Camel routes you need to add a dependency on camel-spring-security.
If you use Maven you could just add the following to your pom.xml, substituting the version number for the latest & greatest release (see the download page for the latest versions).
...
In this example, the endpoint mock:end will not be executed unless a Spring Security Authentication object that has been or can be authenticated and contains the ROLE_ADMIN authority can be located by the admin SpringSecurityAuthorizationPolicy.
Authentication
The process of obtaining security credentials that are used for authorization is not specified by this component. You can write your own processors or components which get authentication information from the exchange depending on your needs. For example, you might create a processor that gets credentials from an HTTP request header originating in the Jetty component. No matter how the credentials are collected, they need to be placed in the In message or the SecurityContextHolder so the Camel Spring Security component can access them:
...
The SpringSecurityAuthorizationPolicy will automatically authenticate the Authentication object if necessary.
There are two issues to be aware of when using the SecurityContextHolder instead of or in addition to the Exchange.AUTHENTICATION header. First, the context holder uses a thread-local variable to hold the Authentication object. Any routes that cross thread boundaries, like seda or jms, will lose the Authentication object. Second, the Spring Security system appears to expect that an Authentication object in the context is already authenticated and has roles (see the Technical Overview section 5.3.1 for more details).
The default behavior of camel-spring-security is to look for a Subject in the Exchange.AUTHENTICATION header. This Subject must contain at least one principal, which must be a subclass of org.springframework.security.core.Authentication. You can customize the mapping of Subject to Authentication object by providing an implementation of the org.apache.camel.component.spring.security.AuthenticationAdapter to your <authorizationPolicy> bean. This can be useful if you are working with components that do not use Spring Security but do provide a Subject. At this time, only the CXF component populates the Exchange.AUTHENTICATION header.
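The following processor is an added example, not the code from the original page or from the Camel project: it shows one way to turn an HTTP Basic `Authorization` header into the `Subject` that the policy looks for in `Exchange.AUTHENTICATION`. The class name is hypothetical, and Java 8 or later is assumed for `java.util.Base64`.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.security.auth.Subject;
import org.apache.camel.CamelAuthorizationException;
import org.apache.camel.Exchange;
import org.apache.camel.Processor;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;

// Hypothetical class name; place it in the route before the policy is applied.
public class BasicAuthHeaderProcessor implements Processor {
    private static final String PREFIX = "Basic ";

    @Override
    public void process(Exchange exchange) throws Exception {
        String header = exchange.getIn().getHeader("Authorization", String.class);
        // Fail closed when the header is absent or uses another scheme.
        if (header == null || !header.regionMatches(true, 0, PREFIX, 0, PREFIX.length())) {
            throw new CamelAuthorizationException("Missing or non-Basic Authorization header", exchange);
        }
        String userpass;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(PREFIX.length()).trim());
            userpass = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            throw new CamelAuthorizationException("Malformed Basic credentials", exchange, e);
        }
        // Split on the first colon only: passwords may contain ':' themselves.
        int colon = userpass.indexOf(':');
        if (colon < 1) {
            throw new CamelAuthorizationException("Malformed Basic credentials", exchange);
        }
        // The two-argument constructor builds an unauthenticated token; the
        // policy authenticates it through the configured AuthenticationManager.
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
                userpass.substring(0, colon), userpass.substring(colon + 1));
        Subject subject = new Subject();
        subject.getPrincipals().add(token);
        exchange.getIn().setHeader(Exchange.AUTHENTICATION, subject);
        // Do not forward the raw credentials to downstream endpoints or logs.
        exchange.getIn().removeHeader("Authorization");
    }
}
```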
Handling authentication and authorization errors
If authentication or authorization fails in the SpringSecurityAuthorizationPolicy, a CamelAuthorizationException will be thrown. This can be handled using Camel's standard exception handling methods, like the Exception Clause. The CamelAuthorizationException will have a reference to the ID of the policy which threw the exception so you can handle errors based on the policy as well as the type of exception:
...
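As an added Java DSL example (not the original page's or the project's own code), the route builder below handles `CamelAuthorizationException` by policy ID and also addresses the thread-boundary caveat described earlier by copying the thread-local `Authentication` into the `Exchange.AUTHENTICATION` header before the exchange crosses a seda queue. The class name and the `direct:start`, `seda:secured` and `mock:denied` endpoints are assumptions; `admin` is the policy bean ID used on this page.

```java
import javax.security.auth.Subject;
import org.apache.camel.CamelAuthorizationException;
import org.apache.camel.Exchange;
import org.apache.camel.builder.RouteBuilder;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical route builder; endpoint names other than mock:end are assumptions.
public class SecuredRoutes extends RouteBuilder {
    @Override
    public void configure() {
        // One handler for every policy; the policy ID says which one rejected the exchange.
        onException(CamelAuthorizationException.class)
            .handled(true)
            .process(exchange -> {
                CamelAuthorizationException e = exchange.getProperty(
                        Exchange.EXCEPTION_CAUGHT, CamelAuthorizationException.class);
                exchange.getIn().setBody("Access denied by policy " + e.getPolicyId());
            })
            .to("mock:denied");

        from("direct:start")
            // The SecurityContextHolder is thread-local, so capture the caller's
            // Authentication in a header before handing off to another thread.
            .process(exchange -> {
                Authentication auth = SecurityContextHolder.getContext().getAuthentication();
                if (auth != null) {
                    Subject subject = new Subject();
                    subject.getPrincipals().add(auth);
                    exchange.getIn().setHeader(Exchange.AUTHENTICATION, subject);
                }
            })
            .to("seda:secured");

        // Runs on the seda consumer thread; the policy reads the header set above.
        from("seda:secured")
            .policy("admin")
            .to("mock:end");
    }
}
```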
Dependencies
Maven users will need to add the following dependency to their pom.xml for this component:
...
This dependency will also pull in org.springframework.security:spring-security-core:3.0.3.RELEASE and org.springframework.security:spring-security-config:3.0.3.RELEASE.
...