/
Spring Security
Edit

Spring Security

Apr 24, 2011


Fabric3 includes an extensible security framework that supports authentication and authorization. Authentication is typically specified as a policy intent on a binding to perform client, server, or mutual authentication. When a client is authenticated, a security subject is associated with request messages sent by the client. This security subject can then be used to authorize access to service operations based on roles.
The security provider varies by runtime. The Standalone, Maven, and Ant runtimes are configured by default to use a basic security provider. The Tomcat runtime is configured with a provider that delegates to Tomcat security realms. There is also a Fabric3 extension that uses Spring Security, which can be installed in any of the Fabric3 runtimes.

The Basic Security Provider


The Standalone runtime includes a basic security provider that allows users and roles to be statically defined in a configuration file, security.xml, located in the runtime /config directory. An example file is shown below:
<users>
<user>
<username>foo</username>
<password>bar</password>
<roles>
<role>role1</role>
<role>role2</role>
</roles>
</user>
</users>


In the Maven runtime, the same security information is configured using a systemConfig entry:
<systemConfig>
<![CDATA[
<config>
<users>
<user>
<username>foo</username>
<password>bar</password>
</user>
</users>
</config>
]]>
</systemConfig>

The Tomcat Realms Security Provider


Fabric3 integrates with Tomcat security realms in place of the basic Fabric3 provider. When using authentication and authorization policies in applications, Fabric3 will transparently delegate to Tomcat security.

The Spring Security Provider


Fabric3 includes integration with Spring Security that can be used in place of the basic security provider. The Spring Security extension supports LDAP and JDBC-based access control. Since it is dynamic in nature (users and roles can be added at runtime), it is much more powerful than the basic and Tomcat providers.

Installing the Spring Security Profile


The Spring Security provider is included in the Spring profile. When installing the profile in the standalone runtime, it is important to remove the fabric3-security-impl extension that is configured by default.

Enabling LDAP and JDBC Providers


The Spring Security provider is configured as part of the system configuration using the <spring.security> element. Configuration follows the standard Spring Security configuration format. The following illustrates how JDBC security is configured using a Fabric3 JDBC connection pool:
<datasources>
<datasource name="SecurityDS" .../>
</datasources>
<security>
<spring.security>
<authentication-manager>
<authentication-provider>
<jdbc-user-service data-source-ref="SecurityDS"/>
</authentication-provider>
</authentication-manager>
</spring.security>
</security>
The next example demonstrates configuring LDAP-based security:
<security>
<spring.security>
<authentication-manager>
<ldap-server
url="ldap://localhost:1389/dc=example,dc=com"
manager-dn="cn=Directory Manager"
manager-password="password"/>
<ldap-authentication-provider
user-search-base="ou=people"
user-search-filter="uid={0}"
group-search-filter="member={0}"
group-search-base="ou=groups"/>
</authentication-manager>
</spring.security>
</security>