Jun 9th, 2010, 10:07 PM
Bypass Authorization (something akin to sudo)
I have a pretty standard web application that works well with Spring Security. The UI ensures that the security context is set up and calls service methods protected by @PreAuthorize annotations and Spring Security does what it's meant to do. However I have two scenarios that I'm having a little trouble with.
The first scenario is a background (quartz) job that wants to call a service method that has been protected by the @PreAuthorize annotation. The background job obviously doesn't log in as anyone so there isn't a security context available and an exception is thrown.
The second scenario is a service method that's available to anonymous users. The service method performs some logic that includes a call to a service method that's protected by a @PreAuthorize annotation. So it's valid for the secured logic block to be called by anonymous users in this special case.
One solution would be to have two methods on the service; one with the @PreAuthorize annotation and one without but this seems less than ideal. Another solution could be to introduce a special root user that has permissions to do everything and create some code that provides elevation logic (e.g. sudo).
So I was wondering if anyone else has faced this issue and what approach you used to solve it?
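
The elevation ("sudo") idea from the post above, sketched as an added example that is not part of the original post: a scoped helper that installs a narrowly privileged system identity for one call and always restores the previous context. The class name `RunAsSystem` and the role `ROLE_SYSTEM_JOB` are assumptions for illustration; it gives the job a dedicated role that the protected methods must name explicitly, rather than a root user that passes every check.

```java
import java.util.concurrent.Callable;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical helper; the class name and role name are assumptions, not from the post. */
public final class RunAsSystem {

    // Assumed role. A protected method opts in explicitly, for example:
    // @PreAuthorize("hasRole('ROLE_ADMIN') or hasRole('ROLE_SYSTEM_JOB')")
    private static final String SYSTEM_ROLE = "ROLE_SYSTEM_JOB";

    private RunAsSystem() {
    }

    public static <T> T call(String jobName, Callable<T> action) throws Exception {
        // Whatever the thread had before: a user, an anonymous token, or an empty context.
        SecurityContext previous = SecurityContextHolder.getContext();

        // The three-argument constructor yields an already-authenticated token.
        // The principal names the job so audit logs show who acted.
        Authentication system = new UsernamePasswordAuthenticationToken(
                "system:" + jobName, "N/A",
                AuthorityUtils.createAuthorityList(SYSTEM_ROLE));

        // Install a fresh context instead of mutating the existing one: in a web
        // request that object may be the one stored in the HTTP session, and
        // changing it in place would elevate the user's whole session.
        SecurityContext elevated = SecurityContextHolder.createEmptyContext();
        elevated.setAuthentication(system);
        SecurityContextHolder.setContext(elevated);
        try {
            return action.call();
        } finally {
            // Drop the elevation even when the action throws, so a pooled
            // thread never carries it into the next request or job.
            SecurityContextHolder.setContext(previous);
        }
    }
}
```

Both scenarios from the post would wrap only the protected call in `RunAsSystem.call(...)`, keeping the elevated window as small as possible.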