Appendix D. Security in Spring Integration

D.1 Introduction

Spring Integration builds upon the Spring Security project to enable role-based security checks to be applied to channel send and receive invocations.

D.2 Securing channels

Spring Integration provides the interceptor ChannelSecurityInterceptor, which extends AbstractSecurityInterceptor and intercepts send and receive calls on the channel. Access decisions are then made with reference to a ChannelSecurityMetadataSource which provides the metadata describing the send and receive access policies for certain channels. The interceptor requires that a valid SecurityContext has been established by authenticating with Spring Security. See the Spring Security reference documentation for details.

Namespace support is provided to allow easy configuration of security constraints. This consists of the secured-channels element, which allows definition of one or more channel name patterns in conjunction with a definition of the security configuration for send and receive. The pattern is a java.util.regex.Pattern.

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:int="http://www.springframework.org/schema/integration"
  xmlns:int-security="http://www.springframework.org/schema/integration/security"
  xmlns:beans="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:security="http://www.springframework.org/schema/security"
  xsi:schemaLocation="http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans.xsd
      http://www.springframework.org/schema/security
      http://www.springframework.org/schema/security/spring-security.xsd
      http://www.springframework.org/schema/integration
      http://www.springframework.org/schema/integration/spring-integration.xsd
      http://www.springframework.org/schema/integration/security
      http://www.springframework.org/schema/integration/security/spring-integration-security.xsd">

<int-security:secured-channels>
    <int-security:access-policy pattern="admin.*" send-access="ROLE_ADMIN"/>
    <int-security:access-policy pattern="user.*" receive-access="ROLE_USER"/>
</int-security:secured-channels>

</beans:beans>
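
The following is an added example, not part of the Spring Integration documentation or code base. It shows how to audit which of the two access policies above cover a given set of channel names, so that channels matched by no pattern, or matched more broadly than intended, are visible before deployment. The class name ChannelPolicyAudit and the channel names are constructed for illustration, and the example assumes a policy applies only when its pattern matches the whole channel name.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Added example: reports which access policies cover which channel names.
public class ChannelPolicyAudit {

    // pattern -> {sendAccess, receiveAccess}; null means no restriction configured.
    static final Map<Pattern, String[]> POLICIES = new LinkedHashMap<>();
    static {
        POLICIES.put(Pattern.compile("admin.*"), new String[] {"ROLE_ADMIN", null});
        POLICIES.put(Pattern.compile("user.*"), new String[] {null, "ROLE_USER"});
    }

    // Assumption: a policy applies when the pattern matches the whole channel name.
    static List<String> audit(String channelName) {
        List<String> findings = new ArrayList<>();
        for (Map.Entry<Pattern, String[]> e : POLICIES.entrySet()) {
            if (e.getKey().matcher(channelName).matches()) {
                findings.add(e.getKey().pattern() + " send=" + e.getValue()[0]
                        + " receive=" + e.getValue()[1]);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed channel names, not taken from the documentation.
        String[] channels = {"adminCommands", "administrators.audit", "userEvents",
                "superadminCommands", "orders"};
        for (String channel : channels) {
            List<String> findings = audit(channel);
            System.out.println(channel + " -> "
                    + (findings.isEmpty() ? "NO MATCHING POLICY" : findings));
        }
    }
}
```

Because the pattern is a regular expression, the "." in "admin.*" matches any character, so the policy covers every name that begins with "admin", including names such as "administrators.audit" that may not have been intended.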
  

By default, the secured-channels namespace element expects a bean named authenticationManager which implements AuthenticationManager and a bean named accessDecisionManager which implements AccessDecisionManager. Where this is not the case, references to the appropriate beans can be configured as attributes of the secured-channels element, as shown below.

<int-security:secured-channels access-decision-manager="customAccessDecisionManager"
                              authentication-manager="customAuthenticationManager">
    <int-security:access-policy pattern="admin.*" send-access="ROLE_ADMIN"/>
    <int-security:access-policy pattern="user.*" receive-access="ROLE_USER"/>
</int-security:secured-channels>
  

Starting with version 4.0, the same configuration is available when using @Configuration classes, by declaring a ChannelSecurityInterceptorFactoryBean. This class exposes all options of the ChannelSecurityInterceptor through a builder pattern:

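import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.integration.config.EnableIntegration;
import org.springframework.integration.security.config.ChannelSecurityInterceptorFactoryBean;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.authentication.AuthenticationManager;

@Configuration
@EnableIntegration
public class ContextConfiguration {

	@Autowired
	private AuthenticationManager authenticationManager;

	@Autowired
	private AccessDecisionManager accessDecisionManager;

	@Bean
	public ChannelSecurityInterceptorFactoryBean channelSecurityInterceptor() {
		return new ChannelSecurityInterceptorFactoryBean()
				.authenticationManager(this.authenticationManager)
				.accessDecisionManager(this.accessDecisionManager)
				// Equivalent of pattern="admin.*" send-access="ROLE_ADMIN"
				.accessPolicy("admin.*", "ROLE_ADMIN")
				// Equivalent of pattern="user.*" receive-access="ROLE_USER" (no send-access)
				.accessPolicy("user.*", null, "ROLE_USER");
	}
}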
Note
The @EnableIntegration annotation is required to provide the Spring Integration infrastructure (including Security) to the Application Context. In addition, this FactoryBean falls back to AuthenticationManager and AccessDecisionManager beans with names authenticationManager and accessDecisionManager respectively, if they aren't provided in the ChannelSecurityInterceptorFactoryBean bean definition.