Security - authorization without authentication

Rohit Mehta
Ranch Hand

Joined: Mar 11, 2005
Posts: 79

Hi,

I need to do authorization only using Spring Security - authentication is taken care of already.
While I found a few inputs on this, there are no clear guidelines I could trace.
Any help is appreciated.

Thanks.


- Rohit
Vijay Tidake
Ranch Hand

Joined: Nov 04, 2008
Posts: 146

Hi,

The link has a good explanation of Spring user security (both authentication and authorization).

Although it's given with JSF, I hope this will help in getting your work done.

Thanks


The important thing is not to stop questioning. Curiosity has its own reason for existing.
Rohit Mehta
Ranch Hand

Joined: Mar 11, 2005
Posts: 79

Thanks Vijay, this is helpful, but I am looking for something closer to Spring MVC, and only for authorization.
Craig Walls
author
Ranch Hand

Joined: Sep 19, 2003
Posts: 301

The question I'd have for you is: How is authentication performed for you already?

In a basic Spring Security scenario, Spring Security handles both authentication and authorization. But there are other cases where Spring Security delegates to something else for authentication. OpenID and CAS are a few examples of this. In those cases, Spring Security still participates in authentication (as if it were going to do the authentication itself), but ultimately hands off to something else to do the actual authentication.

Upon return from the actual authentication, Spring Security may be given a token or perhaps some identifying information about the user. It uses that to look up authorization data for the user, which it uses to enforce authorization rules.

I don't know the specifics of how security is already handled in your case. If it's not something that Spring Security already provides support for, I'd bet it's not hard to write an authentication provider implementation to plug your authentication mechanism into Spring Security. But again...I don't know the details of your authentication mechanism. I'd encourage you to look at how Spring Security's OpenID and CAS support is implemented to draw inspiration.


Spring in Action - Unleash POJO power in your applications!
Modular Java - Discover the secret weapon to modularity on the Java platform!
XDoclet in Action - Your complete guide to code generation with XDoclet.
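The kind of authentication provider the reply above suggests, as an added example that is not part of the original thread or Spring Security's own code: it accepts an identity already established elsewhere and only loads the authorities used for authorization. It assumes Spring Security 3 or later package names (`org.springframework.security.core...`) and Java 11; the class name `ExternalAuthorizationProvider` and the in-memory role map are hypothetical stand-ins for a real role store.

```java
import java.util.Collection;
import java.util.List;
import java.util.Map;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/** Hypothetical provider: trusts an upstream-established identity and only loads authorities. */
public class ExternalAuthorizationProvider implements AuthenticationProvider {

    // Constructed sample data standing in for a real role store (database, LDAP, ...).
    private final Map<String, List<GrantedAuthority>> rolesByUser = Map.of(
            "alice", AuthorityUtils.createAuthorityList("ROLE_USER", "ROLE_ADMIN"),
            "bob", AuthorityUtils.createAuthorityList("ROLE_USER"));

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        Object principal = authentication.getPrincipal();
        if (principal == null || principal.toString().isBlank()) {
            // Fail closed: without an upstream identity there is nothing to authorize.
            throw new BadCredentialsException("No pre-authenticated principal supplied");
        }
        String username = principal.toString();
        Collection<? extends GrantedAuthority> authorities = rolesByUser.get(username);
        if (authorities == null) {
            // Authenticated upstream but unknown to this application: reject, do not default to a role.
            throw new UsernameNotFoundException("No authorization data for " + username);
        }
        // The three-argument constructor marks the returned token as authenticated.
        PreAuthenticatedAuthenticationToken result =
                new PreAuthenticatedAuthenticationToken(username, authentication.getCredentials(), authorities);
        result.setDetails(authentication.getDetails());
        return result;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // Only handle tokens created for identities established outside Spring Security.
        return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Once such a provider is registered with the authentication manager, URL and method authorization rules are evaluated against the authorities it returns.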
Rohit Mehta
Ranch Hand

Joined: Mar 11, 2005
Posts: 79

Here is something which might interest you, as we are trying to do this with OSGi bundles... though with blurred lines.

It's a hybrid sort of architecture; the authentication process has been placed within a bundle which returns an authToken (of type org.springframework.security.Authentication).
Now that this is working, we need to place just the authorization, which I feel must go outside the bundle, within Spring MVC.
Thus I need to know how to authorize it and what my options are.
 