File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Spring and the fly likes Security - authorization without authentication Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Frameworks » Spring
Bookmark "Security - authorization without authentication " Watch "Security - authorization without authentication " New topic

Security - authorization without authentication

Rohit Mehta
Ranch Hand

Joined: Mar 11, 2005
Posts: 79


I need to do authorization only using spring security - authentication is taken care of already.
While there is little inputs on same I found - no clear guidelines I could trace.
Any help is appreciated.


- Rohit
Vijay Tidake
Ranch Hand

Joined: Nov 04, 2008
Posts: 146


The link has a good explanation about spring user security(both Authentication and Authorization)

Although its given with JSF,hope this will help in getting your work done.


The important thing is not to stop questioning.Curiosity has its own reason for existing.
Rohit Mehta
Ranch Hand

Joined: Mar 11, 2005
Posts: 79

Thanks Vijay, this is helpful; but I am looking something closer to Spring MVC - & only for Authorization.
Craig Walls
Ranch Hand

Joined: Sep 19, 2003
Posts: 335

The question I'd have for you is: How is authentication performed for you already?

In a basic Spring Security scenario, Spring Security handles both authentication and authorization. But there are other cases where Spring Security delegates to something else for authentication. OpenID and CAS are a few examples of this. In those cases, Spring Security still participates in authentication (as if it were going to do the authentication itself), but ultimate hands off to something else to do the actual authentication.

Upon return from the actual authentication, Spring Security may be given a token or perhaps some identifying information about the user. It uses that to lookup authorization data for the user which it uses to enforce authorization rules.

I don't know the specifics of how security is already handled in your case. If it's not something that Spring Security already provides support for, I'd bet it's not hard to write an authentication provider implementation to plug your authentication mechanism into Spring Security. But again...I don't know the details of your authentication mechanism. I'd encourage you to look at how Spring Security's OpenID and CAS support is implemented to draw inspiration.

Spring in Action - Unleash POJO power in your applications!
Modular Java - Discover the secret weapon to modularity on the Java platform!
XDoclet in Action - Your complete guide to code generation with XDoclet.
Rohit Mehta
Ranch Hand

Joined: Mar 11, 2005
Posts: 79

Here is something which might interest you, as we are trying to do this with OSGI bundles.. though with blurred lines.

Its a hybrid sort of architecture, the authentication process has been placed within a bundle which returning an authToken (of type -
Now as this is working, we need to place just authorization - which I feel must go outside bundle - within spring MVC.
Thus I need to know how to authorize it & what are my options.
nirmal kc

Joined: Oct 14, 2015
Posts: 1
Why don't you try using pre-authentication filter.
something like this was already posted here:
I agree. Here's the link:
subject: Security - authorization without authentication
It's not a secret anymore!