
Thread: Is there a possibility to use Spring Security without its authentication mechanism?

  1. #1
    Join Date
    Jan 2011
    Posts
    27

    Is there a possibility to use Spring Security without its authentication mechanism?

    I only need to secure URLs and methods.

    My application has its own difficult authentication method, and I can simply set the SecurityContext in this method:

    Code:
    SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(user.getUsername(), user.getPassword(), authorities));
    Securing methods, I guess, is possible with a configuration like this:

    Code:
    <b:bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
        <filter-chain-map path-type="ant">
            <filter-chain pattern="/**" filters="securityContextPersistenceFilter"/>
        </filter-chain-map>
    </b:bean>

    <b:bean id="securityContextPersistenceFilter"
            class="org.springframework.security.web.context.SecurityContextPersistenceFilter"/>
    (Without any other filters.)

    But is there a possibility to secure URLs without an AuthenticationManager?

  2. #2
    Join Date
    Sep 2004
    Location
    Manchester, NH
    Posts
    1,236

    Sure, you could do this, but at that point, what value is Spring Security bringing vs just writing your own SecurityContextHolder etc.?

    Are you handling login, logout, redirect, and all the other security stuff yourself also?
    Peter Mularien | Blog
    Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
    SCJP 5, Oracle DBA
    Any postings are my own opinion, and should not be attributed to my employer or clients.


  3. #3
    Join Date
    Jan 2011
    Posts
    27

    Originally posted by pmularien:
    Sure, you could do this, but at that point, what value is Spring Security bringing vs just writing your own SecurityContextHolder etc.?
    As I mentioned earlier, I want only a simple mechanism for securing URLs and methods.

    Are you handling login, logout, redirect, and all the other security stuff yourself also?
    I handle login and logout myself.

    I guess AuthenticationManager is used only for login? Or am I mistaken?
    Last edited by kostepanych; Jan 17th, 2011 at 06:58 AM.

  4. #4
    Join Date
    Jan 2008
    Posts
    1,834

    It sounds like you are already handling all of your authentication needs already and just want to use Spring Security for authorization. If this is the case, you might consider looking at the PreAuthentication Scenarios.
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal
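
    Added example (not posted by anyone in this thread): one way to hand an externally verified user to Spring Security for authorization only, using a pre-authenticated token so the password never enters the SecurityContext. The class name ExternalLoginBridge and its methods are hypothetical, and the code assumes Spring Security 3.1 or later (for SimpleGrantedAuthority) with spring-security-web on the classpath.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

// Hypothetical bridge class. Call signIn() only after the application's own
// login code has verified the user; nothing here checks credentials.
public final class ExternalLoginBridge {

    private ExternalLoginBridge() {
    }

    public static Authentication signIn(String username, Collection<String> roleNames) {
        if (username == null || username.trim().isEmpty()) {
            throw new IllegalArgumentException("username is required");
        }
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : roleNames) {
            // RoleVoter's default prefix is ROLE_, so normalise the names here.
            String name = role.startsWith("ROLE_") ? role : "ROLE_" + role;
            authorities.add(new SimpleGrantedAuthority(name));
        }
        // The three-argument constructor marks the token as authenticated.
        // "N/A" stands in for credentials so the password is not kept in the
        // context (and, via SecurityContextPersistenceFilter, in the session).
        Authentication auth =
                new PreAuthenticatedAuthenticationToken(username, "N/A", authorities);
        SecurityContextHolder.getContext().setAuthentication(auth);
        return auth;
    }

    public static void signOut() {
        // Clears the context bound to the current thread; the application's
        // own logout code should also invalidate the HTTP session.
        SecurityContextHolder.clearContext();
    }
}
```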
