ItEr39S15ArquitecturaServidorItEr38S17: Security added to REST services.

HTTP Basic Autentication is used for securing REST services. Two roles (ROLE_WS_READER and ROLE_WS_WRITER) and two users (wsreader/wsreader [with the first role] and wswriter/wswriter [with the two roles]) have been added for accesing REST services. REST services can be accessed by GET by users with rol ROLE_WS_READER (e.g wsreader and wswriter) and by POST by users with rol ROLE_WS_WRITER (e.g. wswriter).
2009-12-14 20:22:53 +01:00 · 2009-12-14 20:22:53 +01:00 · 1010948160
commit 1010948160
parent 78020a5190
3 changed files with 11 additions and 7 deletions
--- a/navalplanner-business/src/main/java/org/navalplanner/business/users/entities/UserRole.java
+++ b/navalplanner-business/src/main/java/org/navalplanner/business/users/entities/UserRole.java
@ -30,7 +30,9 @@ import static org.navalplanner.business.i18n.I18nHelper._;
 public enum UserRole {

    ROLE_BASIC_USER(_("Basic user")),
-    ROLE_ADMINISTRATION(_("Administration"));
+    ROLE_ADMINISTRATION(_("Administration")),
+    ROLE_WS_READER(_("Web service reader")),
+    ROLE_WS_WRITER(_("Web service writer"));

    private final String displayName;

--- a/navalplanner-webapp/src/main/java/org/navalplanner/web/users/bootstrap/MandatoryUser.java
+++ b/navalplanner-webapp/src/main/java/org/navalplanner/web/users/bootstrap/MandatoryUser.java
@ -36,7 +36,10 @@ public enum MandatoryUser {

    USER(Arrays.asList(UserRole.ROLE_BASIC_USER)),
    ADMIN(Arrays.asList(UserRole.ROLE_BASIC_USER,
-        UserRole.ROLE_ADMINISTRATION));
+        UserRole.ROLE_ADMINISTRATION)),
+    WSREADER(Arrays.asList(UserRole.ROLE_WS_READER)),
+    WSWRITER(Arrays.asList(UserRole.ROLE_WS_READER,
+        UserRole.ROLE_WS_WRITER));

    private Set<UserRole> initialRoles;

--- a/navalplanner-webapp/src/main/resources/navalplanner-webapp-spring-security-config.xml
+++ b/navalplanner-webapp/src/main/resources/navalplanner-webapp-spring-security-config.xml
@ -7,12 +7,11 @@
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">

-    <global-method-security secured-annotations="enabled"/>
-
-    <http auto-config="true" >
+    <http auto-config="true" realm="Naval Planner Web Application" >

        <!-- Web services -->
-        <intercept-url pattern="/ws/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
+        <intercept-url pattern="/ws/rest/**" access="ROLE_WS_READER" method="GET" />
+        <intercept-url pattern="/ws/rest/**" access="ROLE_WS_WRITER" method="POST" />

        <!--  Web application -->
        <intercept-url pattern="/common/img/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
@ -24,7 +23,7 @@
        <intercept-url pattern="/calendars/**" access="ROLE_ADMINISTRATION" />
        <intercept-url pattern="/labels/**" access="ROLE_ADMINISTRATION" />
        <intercept-url pattern="/common/configuration.zul" access="ROLE_ADMINISTRATION" />
-        <intercept-url pattern="/**" access="IS_AUTHENTICATED_REMEMBERED" />
+        <intercept-url pattern="/**" access="ROLE_BASIC_USER" />
        <form-login login-page="/common/layout/login.zul" authentication-failure-url="/common/layout/login.zul?login_error=x"/>

    </http>