Dec 5th, 2011, 12:32 AM
spring security without DelegatingFilterProxy
Hi, I am new to spring security. All the examples that I have gone through use DelegatingFilterProxy, so that spring security sits between user and application. Is it possible to let the application decide with what all parameters call spring security. For ex, the controller decides what all actions are associated with the URL and calls security layer to authenticate/authorize and then passes them to business layer.
Dec 5th, 2011, 09:27 PM
A lot of things can be done in your controller, but protecting resources based upon the URL is much better off in a Filter since it can intercept any request. Can I ask what you are trying to accomplish?
Dec 6th, 2011, 02:59 AM
1. Suppose the actions associated with the URL are not explicit. For ex, a URL request creates object A, but it can be created only if its parent exists and user does not have permission to create parent.
2. Also, it makes a dependency on URL naming. If there are two applications, one uses REST and other normal strus type URL. If both are trying to do same actions then a common security service can be used to protect both of them.
3. eventually security would be about allow/deny user from doing some action on protected objects. What if the URL does not give us that information explicitly and we need to do some pre/post processing of URL
Dec 11th, 2011, 06:38 AM
Need urgent help
Can anyone please help me with this question.
Dec 12th, 2011, 08:08 AM
Originally Posted by dineshpathak
This sounds to me like you may want to take a look at global method security.