Nov 5th, 2012, 08:53 AM
Different authorization logic across service methods
I would like to secure my services layer using Spring Security. As explained in the documentation, I need to use a MethodSecurityInterceptor that will check if the method invocation is allowed.
To decide if a service method invocation is allowed for a given user, assigning a required role to the invoked method (using MethodSecurityMetadataSource) is not enough for me since it also depends on the parameters passed to the method. As suggested in the documentation, I can write a custom AccessDecisionManager and access the arguments through the secured object (MethodInvocation in this case).
But, my authorization logic also depends on the invoked method. For example, the arguments may be different between multiple methods and the authorization logic will also be different. I can use conditional logic in the AccessDecisionManager to determine the invoked method and the authorization logic to use, but it seems to be an ugly solution.
What are the alternatives?
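One way to keep per-method, argument-dependent rules out of a single AccessDecisionManager is Spring Security's expression-based method security: each service method carries its own `@PreAuthorize` rule, the rule references the method's own arguments by name, and the object-specific decision is delegated to a custom `PermissionEvaluator` (the `hasPermission(...)` expression function). The following is an added example written for this thread, not code from the original post; `Account`, `AccountService`, `AccountRepository` and `AccountPermissionEvaluator` are constructed names, and the repository lookup is a hypothetical placeholder.

```java
import java.io.Serializable;
import java.math.BigDecimal;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;

// Constructed domain object for the example.
class Account {
    private final Long id;
    private final String ownerName;
    private BigDecimal balance;

    Account(Long id, String ownerName, BigDecimal balance) {
        this.id = id; this.ownerName = ownerName; this.balance = balance;
    }
    Long getId() { return id; }
    String getOwnerName() { return ownerName; }
    BigDecimal getBalance() { return balance; }
    void setBalance(BigDecimal balance) { this.balance = balance; }
}

// Hypothetical lookup used by the id/type overload below.
interface AccountRepository {
    Account findById(Long id);
}

// Each method states its own rule; the rule sees the real arguments (#account, #accountId),
// so there is no switch on the invoked method anywhere in the authorization code.
class AccountService {
    private final AccountRepository repo;
    AccountService(AccountRepository repo) { this.repo = repo; }

    // Domain-object overload: the argument itself is passed to the evaluator.
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#account, 'withdraw')")
    public void withdraw(Account account, BigDecimal amount) {
        account.setBalance(account.getBalance().subtract(amount));
    }

    // Id/type overload: only an identifier is available, so the evaluator loads the object.
    @PreAuthorize("hasPermission(#accountId, 'Account', 'read')")
    public Account load(Long accountId) {
        return repo.findById(accountId);
    }
}

// One evaluator holds the object-level logic for every method; unknown permissions
// and unknown target types deny, so a typo in an annotation fails closed.
class AccountPermissionEvaluator implements PermissionEvaluator {
    private final AccountRepository repo;
    AccountPermissionEvaluator(AccountRepository repo) { this.repo = repo; }

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || !(target instanceof Account)) {
            return false;
        }
        Account account = (Account) target;
        String perm = String.valueOf(permission);
        if ("read".equals(perm) || "withdraw".equals(perm)) {
            // Only the owner may read or withdraw from the account.
            return account.getOwnerName().equals(auth.getName());
        }
        return false;
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        if (!"Account".equals(targetType) || !(targetId instanceof Long)) {
            return false;
        }
        Account account = repo.findById((Long) targetId);
        return account != null && hasPermission(auth, account, permission);
    }
}

// Wiring (Spring Security XML namespace), placed here as a comment so the example is one file:
//
// <global-method-security pre-post-annotations="enabled">
//     <expression-handler ref="expressionHandler"/>
// </global-method-security>
// <bean id="expressionHandler"
//       class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
//     <property name="permissionEvaluator" ref="accountPermissionEvaluator"/>
// </bean>
// <bean id="accountPermissionEvaluator" class="AccountPermissionEvaluator">
//     <constructor-arg ref="accountRepository"/>
// </bean>
```

Two caveats worth checking before relying on this: the `#account` / `#accountId` references resolve parameter names from the compiled class, so the service must be compiled with debug information (`javac -g`) or the names will not be found and the expression will fail; and the annotations are only enforced on calls that pass through the Spring proxy, so a method calling another `@PreAuthorize` method on `this` bypasses the check for the inner call.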
Nov 12th, 2012, 04:19 AM
Any idea? I thought about using AOP but I'm looking for a way to use Spring Security.