Customizing Spring Security

Oracle Self-Service E-Billing uses the Spring Security framework for authentication and user access control. You can customize the Spring Security configuration for your implementation. Spring Security settings are maintained in the spring-security.xml file.

The following code defines the

    <security:http access-decision-manager-ref="accessDecisionManager">
        <security:logout logout-success-url="/nonAuth/logout.action"/>
        <security:access-denied-handler error-page="/accessDenied.action"/>
        <security:form-login login-page="/nonAuth/login.action"
            default-target-url="/reporting/reportStart.action"
            authentication-failure-url="/nonAuth/login.action?login_error=1"/>
    </security:http>

Spring Security maintains a filter chain internally where each filter has a particular responsibility, and filters can be added or removed from the configuration depending on which services are required. The ordering of the filters is important because there are dependencies between them. If you are using namespace configuration, then the filters are configured automatically.

The form-login element invokes the DaoAuthenticationProvider from Spring Security is implemented for authentication. DaoAuthenticationProvider leverages a UserDetailsService in order to look up the username, password and

Customizing Authorization

Authorization in Oracle Self-Service E-Billing is based on roles and permissions. Each user is assigned a role. Authorization to access a particular resource is determined by the permissions for a user's role. These permissions are defined in the azpolicy file. Permission is represented by an object called

User roles are grouped to form high-level roles, called azPolicyRoles, and permissions are assigned to the azPolicyRoles. Role mapping is defined in the

The following examples show how to map azPolicyRoles:

    com.edocs.common.security.rolemappers.secrole.MANAGER=Manager
    com.edocs.common.security.rolemappers.secrole.SUBSCRIBER=Subscriber
    com.edocs.common.security.rolemappers.secrole.CSR=CSR
    com.edocs.common.security.rolemappers.secrole.CSR_ADMIN=CSRAdministrator

Once user roles are mapped to

Example of sample permission code:

    <name>perm_company_tab</name>
    <cpath>com.edocs.common.security.authorize.az.permissions.EBillingPermission</cpath>
    <name>admin</name> <!-- Defines the name of the rule -->
    <type>SecurityRole</type> <!-- Type of the rule -->
    <values>ADMIN</values> <!-- The role(s) which can access this resource, comma separated. Note it can be an alias defined in azcfg.properties -->

A permission called perm_company_tab is defined to control the company UI tab. This permission specifies that the company tab is accessible for the azPolicyRole ADMIN. ADMIN is mapped to a user role administrator, making the company tab accessible for users whose role is administrator.

After permissions are defined, the code or resources that must be authorized are surrounded by a tag called

This example shows how to use this tag:

    <authz:authorize ifAnyGranted="perm_company_tab">
        <li class="sts"><span><a href="companyProfile.action" title="<bean:message key="global.myAccount.subNavTab3"/>"><bean:message key="global.myAccount.subNavTab3"/></a></span></li>
    </authz:authorize>

You can have a list of permissions separated by commas in the The
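
The role-to-permission resolution described above can be reviewed offline. The following is an added example, not code from this guide or from the product: a Python audit that resolves each permission's rule values through the role mapping to the user roles that end up with access, and lists values that have no mapping entry. The ADMIN mapping line, the perm_reports_tab permission, the AUDITOR value, and comma-separated mapping values are assumptions constructed for illustration.

```python
"""Audit which user roles each permission grants (added example)."""
PREFIX = "com.edocs.common.security.rolemappers.secrole."

# Mapping lines from the page plus one constructed ADMIN line: the page gives
# the ADMIN mapping in prose only, so the value's spelling is an assumption.
ROLE_MAPPING = """\
com.edocs.common.security.rolemappers.secrole.MANAGER=Manager
com.edocs.common.security.rolemappers.secrole.SUBSCRIBER=Subscriber
com.edocs.common.security.rolemappers.secrole.CSR=CSR
com.edocs.common.security.rolemappers.secrole.CSR_ADMIN=CSRAdministrator
com.edocs.common.security.rolemappers.secrole.ADMIN=Administrator
"""

# Permission name -> <values> text of its SecurityRole rule.
# perm_company_tab is from the page; perm_reports_tab and AUDITOR are constructed.
PERMISSIONS = {
    "perm_company_tab": "ADMIN",
    "perm_reports_tab": "MANAGER, CSR_ADMIN, AUDITOR",
}

def parse_role_mapping(text):
    """Return {azPolicyRole: [user roles]} from properties-style lines."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith(PREFIX):
            # Assumption: one azPolicyRole may list several user roles.
            roles = [r.strip() for r in value.split(",") if r.strip()]
            mapping[key[len(PREFIX):]] = roles
    return mapping

def audit(permissions, mapping):
    """Return {permission: (sorted user roles, sorted unmapped values)}."""
    report = {}
    for name, values in permissions.items():
        granted, unmapped = set(), set()
        for value in filter(None, (v.strip() for v in values.split(","))):
            if value in mapping:
                granted.update(mapping[value])
            else:
                # No alias: a literal role name or a typo, so flag for review.
                unmapped.add(value)
        report[name] = (sorted(granted), sorted(unmapped))
    return report

if __name__ == "__main__":
    for perm, (roles, odd) in audit(PERMISSIONS, parse_role_mapping(ROLE_MAPPING)).items():
        print(f"{perm}: granted to {roles}; no mapping entry for {odd}")
```
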

Customizing Authentication URLs

You can customize the default URLs for the authentication pages listed in Table 4.

To customize Spring Security default URLs

Authentication Request Processing

The preconfigured

If authentication is successful, Spring Security places the resulting Authentication object into the Security Context Holder and redirects the browser to the

If authentication fails, Spring Security places

Implementation Guide for Oracle Self-Service E-Billing | Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Legal Notices.