Oct 31st, 2011, 07:58 AM
Jersey/REST Authentication/Authorization and ... business logic?
Have an interesting situation that I personally haven't encountered with Spring before. On our team it is a debate as to whether this is Spring Security's job or not.
We are using Basic Authentication to secure Jersey services within our app. That is working fine and without any problems. We pass in a Basic Auth header with a user "testuser" and a password "testpassword". We give them an appropriate response if they aren't logged in. Where the question comes in though is we pass in parameters on the URL: http://localhost:8080/rest/volserve/compAbc/123456
We want to see if compAbc has their account suspended (mind you we are authenticated with a look up username/password already) and if they aren't suspended return order 123456.
This seems to me to be business logic, but others on my team think it is still security. What is your take and if this is a Spring Security role, how would you go about implementing it?
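If the team does decide the suspension check belongs in the security layer, one way to express it in Spring Security is a custom `PermissionEvaluator` driven from `@PreAuthorize` on the Jersey resource method. The code below is an added illustration, not code from the original post; `AccountStatusRepository`, `InMemoryAccountStatus`, `CompanyPermissionEvaluator`, `OrderResource` and `Order` are hypothetical names, and the suspended-company data is constructed for the example. It assumes the resource class is a Spring-managed bean (so the method-security proxy applies), that `<global-method-security pre-post-annotations="enabled">` is enabled with the evaluator registered on a `DefaultMethodSecurityExpressionHandler`, and that the class is compiled with debug info so `#companyId` can be resolved by parameter name.

```java
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;

/** Hypothetical lookup of account state; a real implementation would hit the account store. */
interface AccountStatusRepository {
    boolean isSuspended(String companyId);
}

/** Constructed sample data: compXyz is suspended, compAbc is active. */
class InMemoryAccountStatus implements AccountStatusRepository {
    private final Set<String> suspended = new HashSet<String>(Arrays.asList("compXyz"));

    public boolean isSuspended(String companyId) {
        return suspended.contains(companyId);
    }
}

/**
 * Decides whether the authenticated caller may touch a company's resources.
 * Basic Auth already established WHO the caller is; this adds WHETHER the
 * target company is in a state that permits access at all.
 */
public class CompanyPermissionEvaluator implements PermissionEvaluator {
    private final AccountStatusRepository accounts;

    public CompanyPermissionEvaluator(AccountStatusRepository accounts) {
        this.accounts = accounts;
    }

    public boolean hasPermission(Authentication auth, Object targetDomainObject, Object permission) {
        // The resource passes an id plus type rather than a loaded domain object.
        return false;
    }

    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        if (auth == null || !auth.isAuthenticated()) {
            return false; // deny by default: no identity, no access
        }
        if (!"Company".equals(targetType)) {
            return false; // only company-scoped checks are handled here
        }
        return !accounts.isSuspended(String.valueOf(targetId));
    }
}

/** Placeholder payload type for the example. */
class Order {
    public final String id;
    Order(String id) { this.id = id; }
}

/** Jersey resource for the URL pattern in the post: /rest/volserve/{companyId}/{orderId}. */
@Path("/volserve")
public class OrderResource {

    @GET
    @Path("/{companyId}/{orderId}")
    @Produces("application/json")
    // Evaluated before the method body runs; a suspended company yields
    // AccessDeniedException, which Spring Security turns into a 403.
    @PreAuthorize("hasPermission(#companyId, 'Company', 'read')")
    public Order getOrder(@PathParam("companyId") String companyId,
                          @PathParam("orderId") String orderId) {
        // Business logic proper: fetch the order for an active company.
        return new Order(orderId);
    }
}
```

The split this gives is the one worth keeping whichever side of the debate wins: authentication (who is calling) stays in the Basic Auth filter, the suspension rule lives in one evaluator that every company-scoped method can reuse, and the resource method contains only the order lookup. If the rule stays in business code instead, the same `isSuspended` check simply moves to the top of `getOrder`; what matters is that it is applied consistently on every path that exposes company data, not only the one that happened to be reviewed.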