I want to run authentication/authorization only for the calls that come from HTTP requests.

The method on the controller I want to have authentication/authorization enabled is called from more than one source. In this case, it can be either called by another controller or by a direct HTTP request.

Can I turn off authentication/authorization for the calls that come from other Controllers?

Just read further if you haven't got this clear enough yet.

Let's say I have a method doIt() on a Controller A. I also have a Controller B, in which I inject controller A. At some point on Controller B, I call 'a.doIt()', but I can also call doIt() from an HTTP call to doIt.do. I want to test the call for authentication/authorization if the call comes from an HTTP call, but not if it comes from Controller B.

A: 

You only need to configure the Spring authentication on the URL and not on the method invocation. This will work for you.

Bhushan
This is a problem for me, as our current Voter uses annotations on the method to check for the required authorization level for that method. Changing this to URLs (probably with XML mappings) will probably be a lot of work. Although, if I can't find another solution, this will have to do the trick. Thanks!
Rodrigo Gama
If method-level authorization is used, then there is no way you can get away with that. URL authorization will use the same setup, just some config you need to do, so not much work.
Bhushan
A: 

I don't see any way to do this; my guess is you'll just have to have a second method like doitDirectCall(..) that the actual other controller calls and doit(..) that gets called on an HTTP request.

Gandalf
+1  A: 

You are injecting in B the security proxied bean of A. Can't you inject A without the proxy?
Bean A proxied:

<bean id="beanASecured" class="org.springframework.aop.framework.ProxyFactoryBean">
  <property name="targetName" value="beanA"/>
  <property name="interceptorNames">
    <value>securityInterceptor</value>
  </property>
</bean>

The securityInterceptor:

<bean id="securityInterceptor" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
   ...
</bean>

Bean A not proxied:

<bean id="beanA" class="com.A"/>

Bean B injected with bean 'A not proxied':

<bean id="beanB" class="com.B">
   <constructor-arg ref="beanA"/>
</bean>
rodrigoap
Is there a way to do it? I don't think so. But this would be the best solution for me, actually.
Rodrigo Gama
It all depends on how you are proxying the beans. I edited my post to add an example.
rodrigoap
It happens that I inject them using the @Autowired annotation, along with the '<context:component-scan' tag. Is there a way to refer to the bean unintercepted using this method?
Rodrigo Gama
Yes, use the @Qualifier annotation.
rodrigoap
Just to make sure I got it right: I would have to declare two separate beans (annotated classes, in this case), one with security enabled and another with it disabled (possibly one inheriting from the other), qualify each one with a different qualifier, and be explicit when autowiring, right?
Rodrigo Gama
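
The mechanism the proxied/unproxied answer above relies on, as an added example that is not part of the original thread and not Spring or Acegi code: a JDK dynamic proxy stands in for beanASecured, and the class names, the role string and the thread-local "security context" are all constructed for illustration. It shows that the authorization check lives in the proxy, so any caller holding the raw bean skips it.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;

public class ProxyBypassDemo {
    interface A { String doIt(); }                 // hypothetical interface of controller A

    static class AImpl implements A {              // the raw, unproxied bean ("beanA")
        public String doIt() { return "done"; }
    }

    // Constructed stand-in for the security context: the current caller's role.
    static final ThreadLocal<String> CURRENT_ROLE = new ThreadLocal<>();

    // Stand-in for "beanASecured": every call through the proxy is checked first.
    static A secured(A target, String requiredRole) {
        return (A) Proxy.newProxyInstance(A.class.getClassLoader(), new Class<?>[] {A.class},
            (proxy, method, args) -> {
                if (!requiredRole.equals(CURRENT_ROLE.get())) {
                    throw new SecurityException("access denied: " + method.getName());
                }
                try {
                    return method.invoke(target, args);
                } catch (InvocationTargetException e) {
                    throw e.getCause();            // surface the target's own exception
                }
            });
    }

    static class B {                               // controller B uses whichever reference it is given
        private final A a;
        B(A a) { this.a = a; }
        String run() { return a.doIt(); }
    }

    public static void main(String[] args) {
        A beanA = new AImpl();
        A beanASecured = secured(beanA, "ROLE_ADMIN");   // constructed role name

        CURRENT_ROLE.set(null);                    // no authenticated user on this thread
        System.out.println("B with raw bean:     " + new B(beanA).run());
        try {
            System.out.println("B with secured bean: " + new B(beanASecured).run());
        } catch (SecurityException e) {
            System.out.println("B with secured bean: " + e.getMessage());
        }
        CURRENT_ROLE.set("ROLE_ADMIN");            // simulated authenticated HTTP caller
        System.out.println("HTTP path, admin:    " + beanASecured.doIt());
    }
}
```

Because the raw reference bypasses authorization for every caller that holds it, keep it out of anything mapped to a URL and inject it only where the caller has already been authorized.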
