Security services in Seraph are used to analyse the roles required for any given request.

There are two security services bundled with Seraph - the Path service and the WebWork service.

Security services can use any meta-data associated with the incoming request, so other examples of services could be an IPService (to authenticate users based on IP) or a KeyService (to authenticate users based on their security keys).

The Path Service secures particular URL paths. It allows for extremely flexible path lookups (ie /admin/*, /admin/Setup*, /admin/Setup*Foo etc) and is configured via it's own XML configuration file, named security-paths.xml .

The Path service is configured in security-config.xml as follows:

        <service class="com.atlassian.seraph.service.PathService">
            <init-param>
                <param-name>config.file</param-name>
                <param-value>/security-paths.xml</param-value>
            </init-param>
        </service>

The security-paths.xml file contains the secured paths and the roles required for each. Here is a sample:

<security-paths>
    <!-- You can configure any number of path elements -->
    <path name="admin">
        <url-pattern>/admin/*</url-pattern>
        <!-- You can set multiple roles per path -->
        <role-name>myapp-administrators, myapp-owners</role-name>
    </path>
</security-paths>

The WebWork Service secures WebWork 1 actions. You must use actions.xml to configure your actions, and then just add a "roles-required" attribute to each action or command element.

Here is a snippet of actions.xml showing the roles-required attribute:

<action name="project.AddProject" roles-required="admin">
    <view name="input">/secure/admin/views/addproject.jsp</view>
</action>