5.7. Secure invoicing: JBoss-preauthenticated security

The invoicing module also illustrates the usage of JBoss-based preauthentication and interaction with Spring Security. Access to the invoicing module is secured using the Java EE security mechanisms, as described in web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>All resources</web-resource-name>
        <description>Protects all resources</description>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>sportsclub-invoicing</realm-name>
</login-config>
<security-role>
    <role-name>ADMINISTRATOR</role-name>
</security-role>
<security-role>
    <role-name>EMPLOYEE</role-name>
</security-role>
In this scenario, the security domain is set up externally (for example, for multiple applications) and linked to the web application by the definition in jboss-web.xml
<jboss-web>
    <security-domain>java:/jaas/employees</security-domain>
</jboss-web>
In the scenario implemented by this application, the concept of an 'employee who can access the application' is external to the application itself (perhaps multiple applications can use the same security domain) and defined globally in the standalone configuration file or domain configuration (deployed in the server setup phase).

<security-domain name="employees">
    <authentication>
        <login-module code="Database" flag="required">
            <module-option name="dsJndiName" value="java:jboss/datasources/ExampleDS"/>
            <module-option name="principalsQuery" value="select passwd from SPORTSCLUB_USERS where username=?"/>
            <module-option name="rolesQuery" value="select userRoles,'Roles' from SPORTSCLUB_ROLES where username=?"/>
        </login-module>
    </authentication>
</security-domain>
Essentially, the login will be performed based on the data contained in the SPORTSCLUB_USERS and SPORTSCLUB_ROLES tables defined during database import (however, it is not the application that accesses the database directly, but the JaaS login module):
INSERT INTO SPORTSCLUB_USERS VALUES ('admin','adminPass')
INSERT INTO SPORTSCLUB_USERS VALUES ('employee','employeePass')
INSERT INTO SPORTSCLUB_ROLES VALUES ('admin','ADMINISTRATOR')
INSERT INTO SPORTSCLUB_ROLES VALUES ('admin','EMPLOYEE')
INSERT INTO SPORTSCLUB_ROLES VALUES ('employee','EMPLOYEE')
The two users, admin and employee are used to illustrate the different authorization levels in the application. The application uses Spring Security for authorizing access to the invoicing application's components (web pages and methods) as described in /WEB-INF/spring-security-context.xml. Of specific interest to this application is the filterSecurityInterceptor bean definition, which contains the access security metadata definitions:

<bean id="fsi" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
    <property name="securityMetadataSource">
        <sec:filter-invocation-definition-source>
            <sec:intercept-url pattern="/generateInvoice.do" access="ROLE_ADMINISTRATOR"/>
            <sec:intercept-url pattern="/**" access="ROLE_EMPLOYEE"/>
        </sec:filter-invocation-definition-source>
    </property>
</bean>
Anyone who is an employee can access any section of the site, but only administrators (the admin user) can generate invoices.
A similar provision is made for payments. Application classes are scanned for security annotations, as requested by the following bean definition:
<sec:global-method-security secured-annotations="enabled"/>