Results 1 to 2 of 2

Thread: Different authorization logic across service methods

  1. Nov 5th, 2012, 08:53 AM #1
    Miko95
    Miko95 is offline Member
    Join Date
    Aug 2011
    Posts
    47

    Default Different authorization logic across service methods

    Hi,

    I would like to secure my services layer using Spring Security. As explained in the documentation, I need to use a MethodSecurityInterceptor that will check if the method invocation is allowed.

    To decide if a service method invocation is allowed for a given user, affecting a required role to the invoked method (using MethodSecurityMetadataSource) is not enough for me since it also depends on the parameters passed to the method. As suggested in the documentation, I can write a custom AccessDecisionManager and access the arguments though the secured object (MethodInvocation in this case).

    But, my authorization logic also depends on the invoked method. For example, the arguments may be different between multiple methods and the authorization logic will also be different. I can use conditional logic in the AccessDecisionManager to determine the invoked method and the authorization logic to use, but it seems to be an ugly solution.

    What are the alternatives?

    Thanks,
    Mickael
    Reply With Quote Reply With Quote
  2. Nov 12th, 2012, 04:19 AM #2
    Miko95
    Miko95 is offline Member
    Join Date
    Aug 2011
    Posts
    47

    Default

    Any idea? I thought about using AOP but I'm looking for a way to use Spring Security.
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules