The WebLogic Server security system supports and extends Java EE security while providing a rich set of security providers that you can be customize to integrate with different security databases or security policies.
As described at the Spring Security Web site (http://www.acegisecurity.org/), Acegi Security is now Spring Security, the official security project of the Spring Portfolio. The Spring security (acegi) framework provides security to a Spring application and includes a rich set of security providers.
The question then becomes how to integrate the two security frameworks.
For a combined J2EE and Spring application, rather than require authentication with both security frameworks, WLS security and Spring security work together. WLS security handles the authentication via the default Authentication provider for the security realm, and converts WLS principals to Spring GrantedAuthority principals through a mapper class. Once authenticated by WLS security, a user is authenticated for Spring security. You can then decide how to secure the objects in the application. One common practice is to secure Java EE resource with Weblogic security and secure Spring resource with Spring security.
As described in the Spring Security Reference, Container Adapters enable Acegi Security to integrate directly with the containers used to host end user applications, in this case WebLogic Server.
The integration between a container and Acegi Security is achieved through an adapter. The adapter provides a container-compatible user authentication provider, and needs to return a container-compatible user object.
applicationContext-acegi-security.xml is the configuration file for Spring security. For WebLogic Server, WeblogicAuthenticationFilter is added to the list of filters in applicationContext-acegi-security.xml. This filter is responsible for converting the Weblogic principals to Spring GrantedAuthority subjects, based on the mapper. The mapper is configured as a property for the WeblogicAuthenticationFilter, and it is injected at creation time.
The following is an example of the mapper class.
public class MyAuthorityGranter implements AuthorityGranter {
public Set grant(Principal principal) {
Set rtnSet = new HashSet();
if (principal.getName().equals("fred@oracle.com")) {
rtnSet.add("ROLE_SUPERVISOR");
rtnSet.add("IS_AUTHENTICATED_ANONYMOUSLY");
}
return rtnSet;
}
}
In this example, user fred@oracle.com in the WebLogic domain is mapped to ROLE_SUPERVISOR and IS_AUTHENTICATED_ANONYMOUSLY.
The following code is added to web.xml to plug in the applicationContext-acegi-security.xml file:
<filter>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
<init-param>
<param-name>targetClass</param-name>
<param-value>org.acegisecurity.util.FilterChainProxy</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<url-pattern>/main/secure/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext-acegi-security.xml
</param-value>
</context-param>