Thread: servlet filter, httpheaders, conditional access settings

  1. #1
    Join Date
    May 2010
    Posts
    12

    servlet filter, httpheaders, conditional access settings

    Hey,

    I hope the title is somewhat clear, I'll clarify.

    I'm developing an application that gets its initial data from a security service like SiteMinder or something similar. It will be in the form of HTTP headers. Depending on the content and type of the headers, I will need to adjust the level of security.

    For example, there is a user data page which does either a create or an update. But of course a create will mean that the user is not in the system and cannot be authenticated. On the other hand, during an update the user is known and needs to update his/her user data in a secure context. Of course I *could* write different pages on a different intercept-url, but that would mean 99.9% redundancy.
    Also, I'm unsure how to simulate the HTTP header input on my local Tomcat app server.

    Any pointers, examples, or advice are surely appreciated.

  2. #2
    Join Date
    Jan 2008
    Posts
    1,826

    You can write a FilterInvocationSecurityMetadataSource that looks like DefaultFilterInvocationSecurityMetadataSource in Spring Security 3.1 (or use Spring Security 3.1). It allows you to use a request matcher to determine what security attributes are required for a request. Take a look at the source for an example.
    Rob Winch - @rob_winch
    Spring Security Lead
    Pivotal
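
The approach described in the answer above, as an added example that is not part of the original thread or Spring Security's own source: a FilterInvocationSecurityMetadataSource written against the Spring Security 3.x interface that requires only anonymous access to the user data page when no identity header is present and ROLE_USER when one is. The header name X-Example-User, the path /userdata and the class name are assumptions.

```java
import java.util.Collection;
import java.util.HashSet;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;

// Added example (not from the thread): one URL, two security levels, chosen per request.
public class HeaderAwareMetadataSource implements FilterInvocationSecurityMetadataSource {
    private static final String USER_HEADER = "X-Example-User"; // assumed header name
    private static final String USER_DATA_PATH = "/userdata";   // assumed page path
    // Create: the caller is unknown, so the anonymous token is sufficient.
    private final Collection<ConfigAttribute> createAttrs =
            SecurityConfig.createList("IS_AUTHENTICATED_ANONYMOUSLY");
    // Update: the caller is known and must hold a real role.
    private final Collection<ConfigAttribute> updateAttrs =
            SecurityConfig.createList("ROLE_USER");
    private final FilterInvocationSecurityMetadataSource delegate; // rules for all other URLs

    public HeaderAwareMetadataSource(FilterInvocationSecurityMetadataSource delegate) {
        this.delegate = delegate;
    }

    public Collection<ConfigAttribute> getAttributes(Object object) {
        HttpServletRequest request = ((FilterInvocation) object).getHttpRequest();
        String info = request.getPathInfo();
        String path = request.getServletPath() + (info == null ? "" : info);
        if (!USER_DATA_PATH.equals(path)) {
            return delegate.getAttributes(object); // other URLs keep their configured rules
        }
        String user = request.getHeader(USER_HEADER);
        boolean known = user != null && user.trim().length() > 0;
        // The header only selects the rule; the Authentication must still come from the
        // authentication filter, and the header is trustworthy only behind the security service.
        return known ? updateAttrs : createAttrs;
    }

    public Collection<ConfigAttribute> getAllConfigAttributes() {
        Collection<ConfigAttribute> all = new HashSet<ConfigAttribute>(createAttrs);
        all.addAll(updateAttrs);
        Collection<ConfigAttribute> rest = delegate.getAllConfigAttributes();
        if (rest != null) all.addAll(rest);
        return all;
    }
    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }
}
```

The wrapped delegate is the metadata source that already holds the application's intercept-url rules, so only the user data page gets the header-dependent decision.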

  3. #3
    Join Date
    May 2010
    Posts
    12

    I am looking at an approach of setting an anonymous user (authenticated anonymously) compared to a real user when no user is found.

    Oh, and I'm trying to simulate HTTP headers using "Modify Headers".

    I cannot use Spring Security 3; I am using an internal architecture. Version choice is out of my hands.

    But thanks!
