Configuration File Security

This document provides the details of the security configuration elements.

• enabled
• loginPage
• roleVoter (affirmative vs unanimous)
• Custom roleValidator
• onLoginSucceeded
• onLoginFailed
• onLogout
• loginUrl
• logoutUrl

Requirements
Reference Framework 2.0 runs against Nexaweb Platform 4.5.33 or higher.

Security

An element containing information used to configure reference framework security.

Configuration

 <security>
         <enabled>true</enabled>
         <loginPage>/XAL/Nexaweb/Login.xal</loginPage>
         <roleValidator>test.TestRoleValidator</roleValidator>
 </security>

<enabled>

The <enabled> tag indicates whether or not security is enabled.

Valid values: true | false. The default value is false.
.

<loginPage>

xal file to use as login page.

<roleVoter>

The <roleVoter> tag represents how to validate roles assigned to a UI element (e.g. menus, toolbars, etc.) and component roles against the roles of the logged-in user.

Valid values:

      affirmative – only one assigned role has to match the user roles to be valid

      unanimous – all user roles have to match the assigned roles

The <roleVoter> tag is optional.  The default value is affirmative.

Example:

     For a button:

   <button text="execute" roleVislbe="ROLE_USER;DEPT_ENGINEERING"/>

     with roleVoter="affirmative"

     either ROLE_USER or DEPT_ENGINEERING must be present in the user roles

     with roleVoter="unanimous"

     both ROLE_USER or DEPT_ENGINEERING must be present in the user roles

<roleValidator>

This tag represents the class name for a custom role validator.

The class specified must implement the RoleValidator Interface.
 

<onLoginSucceeded>

This tag contains the mco method to execute to handle the onLoginSucceeded event.

This tag is optional.  The value must resolve to valid mco syntax.
 
The onLoginSucceeded event is fired after the username and password has been validated, and the UserDetails have been set within the security manager. The onLoginSucceeded event is fired before the application interface is loaded and before the onAppStartup event is fired.
 

<onLoginFailed>

This tag contains the mco method to execute to handle the onLoginFailed event.
This tag is optional.  The value must resolve to valid mco syntax.

The onLoginFailed event is fired after a failed validation of the username and password.

The username of the failed login, is passed to the onLoginFailed event as a parameter named “username”.

The method called to handle the onLoginFailed event, can return a Boolean value to control whether or not to continue with default failed login processing.   Returning a value of false, will prevent the default failed login process from executing.   If the method has not return (i.e void), or returns something other than a Boolean, then the default failed login processing will execute.

<onLogout>

This tag contains the mco method to execute to handle the onLoginSucceeded event.
This tag is optional.  The value must resolve to valid mco syntax.

The onLogout method is fired when processing the logout() method of the SecurityManager.

<loginUrl>

This tag specifies the URL to use to validate the username and password. The URL will be called using a POST, with the username and password passed as serialized parameters.
This tag is optional if using Spring 3.0 and the default login URL value is "/j_spring_security_check".

Note:If uisng Spring 2.5, you have to explicitly set the value to be "/j_acegi_security_check".
 

<logoutUrl>

This tag specifies the URL to use to logout.
The logoutUrl is optional if using Spring 3.0 and the default login URL value is "/j_spring_security_logout".

Note:If using Spring 2.5, you have to explicitly set the value to be "/j_acegi_security_logout".