I need to do authorization only using spring security - authentication is taken care of already.
While there is little inputs on same I found - no clear guidelines I could trace.
Any help is appreciated.
The question I'd have for you is: How is authentication performed for you already?
In a basic Spring Security scenario, Spring Security handles both authentication and authorization. But there are other cases where Spring Security delegates to something else for authentication. OpenID and CAS are a few examples of this. In those cases, Spring Security still participates in authentication (as if it were going to do the authentication itself), but ultimate hands off to something else to do the actual authentication.
Upon return from the actual authentication, Spring Security may be given a token or perhaps some identifying information about the user. It uses that to lookup authorization data for the user which it uses to enforce authorization rules.
I don't know the specifics of how security is already handled in your case. If it's not something that Spring Security already provides support for, I'd bet it's not hard to write an authentication provider implementation to plug your authentication mechanism into Spring Security. But again...I don't know the details of your authentication mechanism. I'd encourage you to look at how Spring Security's OpenID and CAS support is implemented to draw inspiration.
Here is something which might interest you, as we are trying to do this with OSGI bundles.. though with blurred lines.
Its a hybrid sort of architecture, the authentication process has been placed within a bundle which returning an authToken (of type - org.springframework.security.Authentication)
Now as this is working, we need to place just authorization - which I feel must go outside bundle - within spring MVC.
Thus I need to know how to authorize it & what are my options.
subject: Security - authorization without authentication