Firstly, you can protect your controllers at the URL level, as shown below.
Define the URLs to be protected in the ssoContext.xml file, something like the following (the first intercept-url whose pattern matches the request is the one that applies, so order the entries from most specific to least specific):
<http auto-config="false" access-decision-manager-ref="springAccessDecisionManager"
once-per-request="true" create-session="ifRequired" entry-point-ref="MyAppAuthenticationEntryPoint">
<session-management invalid-session-url="/j_spring_security_logout" />
<!-- TODO: Would be cleaner if we didn't have to enumerate every role that can access some URL in the system. Consider hierarchical roles -->
<!-- filters="none" skips the whole security filter chain for these static resources, so nothing sensitive may live under a path matching them -->
<intercept-url pattern="/**/*.css*" filters="none" />
<intercept-url pattern="/**/*.js*" filters="none" />
<intercept-url pattern="/**/*.png*" filters="none" />
<intercept-url pattern="/**/codemapping.rpc" access="ROLE_admin,ROLE_viewer" />
<intercept-url pattern="/**/generalLedgerService.rpc" access="ROLE_admin" />
<intercept-url pattern="/**/MyAppAdjustment.html" access="ROLE_admin,ROLE_viewer" />
<intercept-url pattern="/**/CodeMapping.html" access="ROLE_admin,ROLE_viewer" />
<intercept-url pattern="/**/myapp_test.html" access="ROLE_admin" />
<custom-filter ref="siteminderFilter" position="PRE_AUTH_FILTER" />
<access-denied-handler ref="accessDeniedHandler"/>
</http>
In the Spring MVC controller, you can use the method-security annotation with the roles that are allowed to call the handler, as shown below (the page shows only the role list; the handler body is omitted).
"ROLE_viewer", "ROLE_standard", "ROLE_senior"
@RequestMapping(value = "/portfolio/{portfoliocd}/details.csv", method = RequestMethod.GET, produces = "text/csv")
public void getCashForecastCSV(
@PathVariable(value = "portfoliocd") String portfolioCode,
@RequestParam(value = "valuationDate", required = true) @DateTimeFormat(pattern = "yyyyMMdd") Date valuationDate,
HttpServletResponse response) throws Exception {
// build the CSV for the given portfolio and valuation date and write it to the response
}
The service class methods can be protected by declaring the following in the Spring context file where those service beans are defined.
<!-- comment this line out locally to bypass security access control in development, but don't check it in commented out, as security will be turned off -->
<security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled" jsr250-annotations="enabled"/>
Once declared, you can protect your service class methods as shown below.
"ROLE_viewer", "ROLE_standard", "ROLE_senior"
public ReconciliationResult getReconciliations(ReconciliationCriteria criteria)
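One check worth running against a rule set like the one above: feed the intercept-url entries, in declaration order, to a small first-match evaluator and see which paths are protected, which bypass the filter chain, and which match no rule at all. The script below is an added example and not part of the original post; it assumes the usual Ant pattern semantics (`**` may match zero segments, `*` and `?` stay within one segment) and case-sensitive matching, and treats the controller path from the page as a sample request. Paths that match no intercept-url (such as the details.csv handler) are reported as unmatched, which is exactly why the page adds method-level annotations on top of URL rules.

```python
import re

# The intercept-url rules from the ssoContext.xml fragment above, in
# declaration order. filters="none" is modelled as roles=None.
INTERCEPT_URLS = [
    ("/**/*.css*", None),
    ("/**/*.js*", None),
    ("/**/*.png*", None),
    ("/**/codemapping.rpc", {"ROLE_admin", "ROLE_viewer"}),
    ("/**/generalLedgerService.rpc", {"ROLE_admin"}),
    ("/**/MyAppAdjustment.html", {"ROLE_admin", "ROLE_viewer"}),
    ("/**/CodeMapping.html", {"ROLE_admin", "ROLE_viewer"}),
    ("/**/myapp_test.html", {"ROLE_admin"}),
]


def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate an Ant-style path pattern into a regex (assumption: the
    common semantics, where /**/ may match zero or more whole segments)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**/", i):
            out.append("/(?:.*/)?")      # zero or more directories
            i += 4
        elif pattern.startswith("**", i):
            out.append(".*")             # any remainder, across segments
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")          # within one segment only
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))


def decide(path: str, granted: set) -> str:
    """Return 'bypass' (filters="none"), 'allow', 'deny', or 'unmatched'
    for the first intercept-url whose pattern matches the request path."""
    for pattern, roles in INTERCEPT_URLS:
        if ant_to_regex(pattern).fullmatch(path):
            if roles is None:
                return "bypass"
            return "allow" if granted & roles else "deny"
    return "unmatched"   # no URL rule applies; rely on method security
```

Run `decide` over every path your controllers expose; each "unmatched" result is a handler whose only protection is the annotation on the method.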