Access Control Lists
Restrict access to services and resources with the ACL feature of Membrane API Gateway. An ACL file allows a fine-grained configuration of permissions.
- Fine-grained access control
- XML-based configuration
- Access control based on IP address, hostname or URI
Two steps are required to set up access control using Membrane.
1. Write an ACL File
The following sample declares permissions for some resources:
<!-- Access to resources under /open-source/ is permitted only for clients
     within the IP range from 192.168.2.0 to 192.168.2.255 -->
<resource uri="/open-source/*">
  <clients>
    <ip>192.168.2.*</ip>
  </clients>
</resource>

<!-- The resources under /contact/ can only be accessed by localhost. -->
<resource uri="/contact/*">
  <clients>
    <hostname>localhost</hostname>
  </clients>
</resource>

<!-- Unrestricted access is granted to all clients for any other resource. -->
<resource uri="*">
  <clients>
    <any/>
  </clients>
</resource>
The access control file is processed from top to bottom, so the order of the resource elements is important. Save the document to a file, e.g. conf/acl.xml.
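The ordering rule above can be checked offline before an ACL is deployed. The following Python sketch is an added example, not Membrane's code: it assumes that the first matching resource decides, that `*` matches any run of characters, and that a URI matching no resource is denied. The `<acl>` wrapper element and all function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input: the page's three rules, wrapped in a placeholder root
# element (<acl> is an assumption; the page does not show the real root).
PAGE_ACL = """<acl>
  <resource uri="/open-source/*"><clients><ip>192.168.2.*</ip></clients></resource>
  <resource uri="/contact/*"><clients><hostname>localhost</hostname></clients></resource>
  <resource uri="*"><clients><any/></clients></resource>
</acl>"""

def glob(pattern):
    """Compile a pattern in which '*' matches any run of characters (assumed)."""
    return re.compile(".*".join(map(re.escape, pattern.split("*"))), re.S)

def load_rules(xml_text):
    """Return [(uri_pattern, [(kind, value), ...])] in document order."""
    rules = []
    for res in ET.fromstring(xml_text).iter("resource"):
        clients = [(c.tag, (c.text or "").strip()) for c in res.findall("clients/*")]
        rules.append((res.get("uri"), clients))
    return rules

def is_allowed(rules, uri, ip, hostname):
    """Assumed semantics: first matching resource decides; no match denies."""
    for pattern, clients in rules:
        if glob(pattern).fullmatch(uri):
            return any(
                kind == "any"
                or (kind == "ip" and glob(value).fullmatch(ip) is not None)
                or (kind == "hostname" and value == hostname)
                for kind, value in clients
            )
    return False

def shadowed(rules):
    """Return (later, earlier) URI pattern pairs where the later rule is unreachable."""
    hits = []
    for i, (later, _) in enumerate(rules):
        for earlier, _ in rules[:i]:
            # If the later pattern's own text matches the earlier pattern,
            # every URI it covers is already claimed by the earlier rule.
            if glob(earlier).fullmatch(later):
                hits.append((later, earlier))
                break
    return hits
```

With the page's order `shadowed()` reports nothing; moving the `uri="*"` resource to the top makes both restricted rules unreachable, which is the misordering to look for in review.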
2. Engage the ACL Feature
Access control is activated by engaging the AccessControlInterceptor using the accessControl element. Only the aclFilename property pointing to your access control list file must be set. The interceptor bean definition looks like this:
<spring:beans xmlns="http://membrane-soa.org/proxies/1/"
    xmlns:spring="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://membrane-soa.org/proxies/1/
                        http://membrane-soa.org/schemas/proxies-1.xsd">

  <router>
    <transport>
      <ruleMatching />
      <exchangeStore />
      <dispatching />
      <accessControl file="conf/acl.xml" />
      <userFeature />
      <httpClient />
    </transport>

    <serviceProxy port="8080">
      [...]
    </serviceProxy>
  </router>

</spring:beans>
The Membrane Service Proxy distribution contains an ACL sample in the examples/acl directory that shows how to set up ACL. It is preconfigured and uses its own bean and rules configuration files. For a detailed explanation of this example, consult the README.txt file there.