Access Control Lists

Restrict access to services and resources with the ACL feature of Membrane API Gateway. An ACL file allows a fine-grained configuration of permissions.

Features

Installation

Two steps are required to set up access control using Membrane.

1. Write an ACL File

The following sample declares permissions for some resources:

    <!-- Access to resources under /open-source/ is permitted only for clients
    within the IP range from 192.168.2.0 to 192.168.2.255 -->
    <resource uri="/open-source/*">
      <clients>
        <ip>192.168.2.*</ip>
      </clients>
    </resource>
    
    <!-- The resources under /contact/ can only be accessed by localhost. -->
    <resource uri="/contact/*">
      <clients>
        <hostname>localhost</hostname>
      </clients>
    </resource>
  
    <!-- Unrestricted access is granted to all clients for any other resource. -->
    <resource uri="*">
      <clients>
        <any/>
      </clients>
    </resource>
Listing 1: An ACL Sample File

The access control file is processed from top to bottom, so the order of the resource elements matters. Save the document to a file, e.g. conf/acl.xml.
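The ordering rule above, as an added example (not Membrane's code and not part of the original page): a small Python model that evaluates the resources of Listing 1 in file order and flags resources that an earlier pattern makes unreachable. The `<acl>` wrapper element, the function names, and the matching semantics (the first matching resource decides, `*` matches any run of characters, no match denies) are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input: the three resources of Listing 1 in their original order.
# The <acl> wrapper element is hypothetical, added only so the text parses.
LISTING_1 = """<acl>
  <resource uri="/open-source/*"><clients><ip>192.168.2.*</ip></clients></resource>
  <resource uri="/contact/*"><clients><hostname>localhost</hostname></clients></resource>
  <resource uri="*"><clients><any/></clients></resource>
</acl>"""

def glob(pattern):
    # Assumption: '*' matches any run of characters, everything else is literal.
    return re.compile(".*".join(map(re.escape, pattern.split("*"))) + r"\Z")

def load(xml_text):
    # One (uri pattern, [(client tag, client value), ...]) pair per resource, in file order.
    return [(res.get("uri"), [(c.tag, c.text or "") for c in res.find("clients")])
            for res in ET.fromstring(xml_text).iter("resource")]

def allowed(rules, path, ip, hostname):
    # Assumed semantics: the first resource whose uri matches decides the
    # request; a request that matches no resource is denied.
    for uri, clients in rules:
        if glob(uri).match(path):
            return any(tag == "any"
                       or (tag == "ip" and glob(value).match(ip) is not None)
                       or (tag == "hostname" and value == hostname)
                       for tag, value in clients)
    return False

def shadowed(rules):
    # (later uri, earlier uri) pairs where the earlier pattern already matches
    # everything the later one does, so the later resource never decides.
    return [(later, earlier)
            for i, (later, _) in enumerate(rules)
            for earlier, _ in rules[:i]
            if glob(earlier).match(later)]

RULES = load(LISTING_1)
CATCH_ALL_FIRST = [RULES[2]] + RULES[:2]   # same rules, uri="*" moved to the top

if __name__ == "__main__":
    outsider = ("/open-source/tool.zip", "10.0.0.5", "client.example")
    print("listing order  :", allowed(RULES, *outsider), shadowed(RULES))
    print("catch-all first:", allowed(CATCH_ALL_FIRST, *outsider), shadowed(CATCH_ALL_FIRST))
```

Running the shadow check over an ACL file before deployment catches a broad pattern placed above the restrictive resources it overrides.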

2. Engage the ACL Feature

Access control is activated by engaging the AccessControlInterceptor through the accessControl element. Only the aclFilename property pointing to your access control list file must be set; Listing 2 sets it through the file attribute. The interceptor bean definition looks like this:

    <spring:beans xmlns="http://membrane-soa.org/proxies/1/"
      xmlns:spring="http://www.springframework.org/schema/beans"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                          http://membrane-soa.org/proxies/1/ http://membrane-soa.org/schemas/proxies-1.xsd">

      <router>

        <transport>
          <ruleMatching />
          <exchangeStore />
          <dispatching />
          <accessControl file="conf/acl.xml" />
          <userFeature />
          <httpClient />
        </transport>

        <serviceProxy port="8080">
          [...]
        </serviceProxy>

      </router>

    </spring:beans>
Listing 2: Applying global AccessControl

ACL Example

The Membrane Service Proxy distribution contains an ACL sample under the examples/acl directory that shows how to set up ACL. It is preconfigured and uses its own bean and rules configuration files. For a detailed explanation of this example, please consult the README.txt file there.

See also