...
The security provider varies by runtime. The Standalone, Maven, and Ant runtimes are configured by default to use a basic security provider. The Tomcat runtime is configured with a provider that delegates to Tomcat security realms. There is also a Fabric3 extension that uses Spring Security, which can be installed in any of the Fabric3 runtimes.
Configuring The Basic Security Provider
The Standalone runtime includes a basic security provider that allows users and roles to be statically defined in a configuration file, security.xml, located in the runtime /config directory. An example file is shown below:
...
```xml
<systemConfig>
<![CDATA[
   <config>
      <users>
         <user>
            <username>foo</username>
            <password>bar</password>
         </user>
      </users>
   </config>
]]>
</systemConfig>
```
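Because the basic provider reads credentials from a static file, and the sample above holds the password in clear text, a deployment check on that file is worth having. The following is an added example, not part of the Fabric3 documentation or code base; the function names, the second sample user and the 12-character minimum are assumptions.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample: the page's security.xml example plus one extra user.
SAMPLE = """<systemConfig><![CDATA[
<config>
  <users>
    <user><username>foo</username><password>bar</password></user>
    <user><username>ops</username><password>OPS</password></user>
  </users>
</config>
]]></systemConfig>"""


def load_users(xml_text):
    """Return (username, password) pairs from security.xml content."""
    root = ET.fromstring(xml_text)
    users = root.findall(".//user")
    if not users and (root.text or "").strip():
        # In the page's sample <config> sits inside CDATA, so the parser
        # returns it as character data; parse that text as its own document.
        users = ET.fromstring(root.text.strip()).findall(".//user")
    return [((u.findtext("username") or "").strip(),
             (u.findtext("password") or "").strip()) for u in users]


def audit_passwords(xml_text, min_length=12):  # min_length: assumed local policy
    """Flag empty, username-derived, or short static passwords."""
    findings = []
    for name, password in load_users(xml_text):
        if not password:
            findings.append((name, "empty password"))
        elif password.lower() == name.lower():
            findings.append((name, "password equals username"))
        elif len(password) < min_length:
            findings.append((name, "password shorter than policy minimum"))
    return findings


def audit_file_mode(path):
    """Flag a credentials file that group or other can access (POSIX modes)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    exposed = mode & (stat.S_IRWXG | stat.S_IRWXO)
    return ["%s has mode %o; restrict it to the runtime account" % (path, mode)] if exposed else []


if __name__ == "__main__":
    for user, problem in audit_passwords(SAMPLE):
        print("%s: %s" % (user, problem))
```

Run `audit_file_mode` against the security.xml in the runtime /config directory as part of deployment checks, alongside `audit_passwords` on its contents.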
Using Authentication and Authorization in Application Code
Authentication is typically enabled on a binding configuration. Please refer to the binding chapters for specific examples.
...
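```java
import org.fabric3.api.Fabric3RequestContext;
import org.fabric3.api.Role;
import org.fabric3.api.SecuritySubject;
import org.oasisopen.sca.annotation.Context;

public class SecureRolesServiceImpl implements SecureService {

    // Injected by the runtime; gives access to the current request's security subject
    @Context
    protected Fabric3RequestContext context;

    public void call() {
        // The authenticated subject for the current invocation
        SecuritySubject subject = context.getCurrentSubject();
        String userName = subject.getUsername();
        // iterate roles
        for (Role role : subject.getRoles()) {
            String roleName = role.getName();
        }
    }
}
```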
Simulating Authentication in Integration Tests
In integration test environments, it is often required to simulate authentication credentials. For example, a test client may need to supply credentials to authenticate with the secure service it tests. Fabric3 JUnit test components can be configured with authentication credentials, and those credentials propagated over a remote transport such as Web Services. The following shows how to simulate username/password credentials:
```xml
<component name="SecurityTest">
   <f3:junit class="...">
      <configuration>
         <username>scott</username>
         <password>wombat</password>
      </configuration>
   </f3:junit>
   <reference name="service" target="SCASecureService"/>
</component>
```
Custom Security Providers
The basic provider can be replaced by a more capable (and dynamic) alternative by substituting the fabric3-security-impl.jar in the extensions repository. For details on implementing an alternative provider, see the Javadoc for the org.fabric3.spi.security package in fabric3-spi.