This document describes how to configure method-level authorization in Spring Security to restrict which users with certain roles can invoke methods on components. It explains that a MethodSecurityInterceptor must be configured and chained to the components needing security via a proxy. The MethodSecurityInterceptor is configured with an AuthenticationManager and AccessDecisionManager, and security roles can be defined for each method.

1. MULE –Component Authorization
Using Spring Security

2. 2
Component Authorization Using Spring Security
This page describes how you can configure method-level authorization
using Spring Security on your components so that users with different roles
can only invoke certain methods.

3. 3
Securing Flow Components
To secure MethodInvocations, you must add a properly configured
MethodSecurityInterceptor into the application context. The beans requiring
security are chained into the interceptor. This chaining is accomplished
using Spring’s ProxyFactoryBean or BeanNameAutoProxyCreator.
Alternatively, Spring Security provides a MethodDefinitionSourceAdvisor,
which you can use with Spring’s DefaultAdvisorAutoProxyCreator to
automatically chain the security interceptor in front of any beans defined
against the MethodSecurityInterceptor.

4. 4
In addition to the daoAuthenticationProvider and inMemoryDaoImpl beans
(see Configuring Security), the following beans must be configured:
MethodSecurityInterceptor
AuthenticationManager
AccessDecisionManager
AutoProxyCreator
RoleVoter

5. 5
The MethodSecurityInterceptor
The MethodSecurityInterceptor is configured with a reference to the
following:
AuthenticationManager
AccessDecisionManager

6. 6
Following is a security interceptor for intercepting calls made to the
methods of a component myComponent, which defines two methods:
delete and writeSomething. Roles are set on these methods as seen below
in the property securityMetadataSource.
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:mule="http://www.mulesource.org/schema/mule/core"
xmlns:mule-ss="http://www.mulesource.org/schema/mule/spring-security"
...cut...
<bean id="myComponentSecurity"
class="org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager" ref="accessDecisionManager"/>
<property name="securityMetadataSource">
<value>
com.foo.myComponent.delete=ROLE_ADMIN
com.foo.myComponent.writeSomething=ROLE_ANONYMOUS
</value>
</property>
</bean>

7. 7
The AuthenticationManager
This bean is responsible for passing requests through a chain of AuthenticationProvider objects.
<bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
<property name= "providers">
<list>
<ref local="daoAuthenticationProvider"/>
</list>
</property>
</bean>

8. 8
The AccessDecisionManager
This bean specifies that a user can access the protected methods if they
have any one of the roles specified in the securityMetadataSource.
<bean id="accessDecisionManager"
class='org.springframework.security.access.vote.AffirmativeBased'>
<property name="decisionVoters">
<list>
<ref bean="roleVoter"/>
</list>
</property>
</bean>

9. 9
The AutoProxyCreator
This bean defines a proxy for the protected bean. When an application
asks Spring for a myComponent bean, it will get this proxy instead.
<bean id="autoProxyCreator"
class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
<property name="interceptorNames">
<list>
<value>myComponentSecurity</value>
</list>
</property>
<property name="beanNames">
<list>
<value>myComponent</value>
</list>
</property>
<property name='proxyTargetClass' value="true"/>
</bean>