Securing the Admin UI
This page applies to sites using the Acegi security provider, but the steps should be easy to adapt for Spring Security.
The Administration GUI can be accessed from the /weave/admin.html URL once the Weave instance is running.

To secure access to the GUI you need to edit the security.xml file and add three entries, one for each of the resources used by the admin UI, to the filterInvocationInterceptor's list of paths that need to be secured.

In a default Weave installation the final entry in this list should be:

/**=IS_AUTHENTICATED_ANONYMOUSLY

To secure the administration GUI, add the three new entries before that one (the first entry whose pattern matches a request is the one that applies, so entries placed after the /** catch-all would never take effect):

/admin.html=ROLE_ADMIN
/admin/**=ROLE_ADMIN
/services/admin/**=ROLE_ADMIN

Note that ROLE_ADMIN may need to change depending upon how you've updated the authentication in the rest of the security.xml file.
The role represents a group that the user must belong to before they can access the Administration GUI. For example, if you're using the default users.properties file then the following entries will grant access to Bob and Ted, but not Alice:

bob=password,ROLE_ADMIN
ted=password,ROLE_ADMIN,ROLE_USER,ROLE_GIS,ROLE_PLANNING
alice=password,ROLE_USER,ROLE_GIS,ROLE_PLANNING

If you're using LDAP, Active Directory or some other authentication mechanism then the role you need to set will be based on the groups those authentication sources grant the user. These roles are the same ones that you would use when creating an ACL within Weave itself.
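As an added illustration (this is not part of the Weave documentation and not Acegi's own code), the following Python script models how an ordered list of secured paths like the one above is evaluated: the first pattern that matches the request path decides which attributes are required, IS_AUTHENTICATED_ANONYMOUSLY is treated as open to everyone, and a user gets through only if one of the roles granted in users.properties appears in that rule's attributes. It runs the three users from this page against the ordering described above and against a list where the /** catch-all comes first, which shows why the three admin entries have to precede it. The Ant-pattern translation, the deny-when-nothing-matches rule and the sample paths under /admin/ and /services/admin/ are simplifications and constructed values, not behaviour or resource names taken from Acegi or Weave.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed objectDefinitionSource fragment in the order the page describes:
# the three admin entries first, the /** catch-all last, one path=ATTRIBUTE per line.
SECURE_PATHS_CORRECT = """
/admin.html=ROLE_ADMIN
/admin/**=ROLE_ADMIN
/services/admin/**=ROLE_ADMIN
/**=IS_AUTHENTICATED_ANONYMOUSLY
"""

# The same four entries with the catch-all placed first (a constructed mistake).
SECURE_PATHS_MISORDERED = """
/**=IS_AUTHENTICATED_ANONYMOUSLY
/admin.html=ROLE_ADMIN
/admin/**=ROLE_ADMIN
/services/admin/**=ROLE_ADMIN
"""

# Constructed users.properties content with the page's three users.
USERS_PROPERTIES = """
bob=password,ROLE_ADMIN
ted=password,ROLE_ADMIN,ROLE_USER,ROLE_GIS,ROLE_PLANNING
alice=password,ROLE_USER,ROLE_GIS,ROLE_PLANNING
"""

ANONYMOUS = "IS_AUTHENTICATED_ANONYMOUSLY"
# Assumed request paths for the audit; not real Weave resource names.
ADMIN_SAMPLE_PATHS = ["/admin.html", "/admin/js/app.js", "/services/admin/users"]
Rule = Tuple[re.Pattern, str, List[str]]  # (compiled pattern, pattern text, attributes)


def ant_to_regex(pattern: str) -> re.Pattern:
    """Simplified Ant pattern to anchored regex: '/**' matches the directory and
    everything below it, '**' spans segments, '*' stays within one segment."""
    parts = []
    for tok in re.split(r"(/\*\*|\*\*|\*)", pattern):
        if tok == "/**":
            parts.append("(?:/.*)?")
        elif tok == "**":
            parts.append(".*")
        elif tok == "*":
            parts.append("[^/]*")
        else:
            parts.append(re.escape(tok))
    return re.compile("^" + "".join(parts) + "$")


def parse_secure_paths(text: str) -> List[Rule]:
    """Ordered 'path=ATTR[,ATTR]' rules; the first pattern matching a request applies."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        path, attrs = line.split("=", 1)
        rules.append((ant_to_regex(path.strip()), path.strip(),
                      [a.strip() for a in attrs.split(",") if a.strip()]))
    return rules


def parse_users(text: str) -> Dict[str, List[str]]:
    """Parse 'user=password,ROLE,...' lines into user -> roles (password dropped)."""
    users: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, rest = line.split("=", 1)
        users[name.strip()] = [f.strip() for f in rest.split(",")][1:]
    return users


def required_attributes(rules: List[Rule], path: str) -> Optional[Tuple[str, List[str]]]:
    """(pattern text, attributes) of the first rule matching path, or None."""
    for regex, pattern, attrs in rules:
        if regex.match(path):
            return pattern, attrs
    return None


def is_allowed(rules: List[Rule], users: Dict[str, List[str]], path: str, user: Optional[str]) -> bool:
    """Role-voter style decision: the anonymous attribute admits everyone, otherwise the
    user needs one listed role. An unmatched path is denied here (a modelling choice)."""
    match = required_attributes(rules, path)
    if match is None:
        return False
    _, attrs = match
    if ANONYMOUS in attrs:
        return True
    return any(role in attrs for role in users.get(user or "", []))


def check(rule_text: str, path: str, user: Optional[str]) -> bool:
    """Evaluate one request (user=None is unauthenticated) against rule text."""
    return is_allowed(parse_secure_paths(rule_text), parse_users(USERS_PROPERTIES), path, user)


def anonymous_admin_paths(rule_text: str) -> List[str]:
    """Admin sample paths an unauthenticated request would be let through to."""
    return [p for p in ADMIN_SAMPLE_PATHS if check(rule_text, p, None)]


if __name__ == "__main__":
    for label, text in (("correct order", SECURE_PATHS_CORRECT), ("catch-all first", SECURE_PATHS_MISORDERED)):
        print(label, "-> anonymous access to:", anonymous_admin_paths(text) or "nothing")
```

With the ordering from this page, anonymous_admin_paths returns an empty list and only bob and ted pass for /admin.html; with the catch-all moved to the top, every admin path is reachable without logging in, even though all three ROLE_ADMIN entries are still present in the file. When reviewing a security.xml change, checking the position of the new entries relative to /** is therefore as important as checking that they exist.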