Question about authentication best practices via spring-security
My goal is to have specific channels secured by spring-security. I realize that the spring-integration-security module provides the namespace integration for spring-security which provides method-level, role based authorizations. But before the authorizations can be used, a principal must have been logged in and a suitable SecurityContext set into the Thread's SecurityContextHolder.
I have two questions.
What's the best way to go about authenticating the principal before the flow of execution arrives at the method-level authorizations? Two ways pop into my head, but I would like feedback:
1) Set up a global channel interceptor which would perform this authentication well before getting to the channel that is secured by the authorizations check?
2) Create a service activator bean and connect the integration flow up to this and do the authentication within the bean
Are there other/better ways?
I could do #1, but then other channels that are unrelated to authorization would be included. There is one channel that I would like to have both authentication and authorization on, and the rest don't matter or don't need to know there is authentication going on.
#2 is possible also, but I'd like to keep cross cutting concerns like this orthogonal to the integration flow.
I can't add a channel interceptor to the channel in question because those actually run AFTER the method-level interception performed by spring-security.