Security - authorization without authentication

 
Rohit Mehta
Ranch Hand
Posts: 79
Hi,

I need to do authorization only using Spring Security - authentication is taken care of already.
While there is little input on the same that I found, there are no clear guidelines I could trace.
Any help is appreciated.

Thanks.
 
Vijay Tidake
Ranch Hand
Posts: 148
Hi,

The link has a good explanation of Spring user security (both authentication and authorization).

Although it's given with JSF, I hope this will help in getting your work done.

Thanks

 
Rohit Mehta
Ranch Hand
Posts: 79
Thanks Vijay, this is helpful, but I am looking for something closer to Spring MVC, and only for authorization.
 
Craig Walls
author
Ranch Hand
Posts: 363

The question I'd have for you is: How is authentication performed for you already?

In a basic Spring Security scenario, Spring Security handles both authentication and authorization. But there are other cases where Spring Security delegates to something else for authentication. OpenID and CAS are a few examples of this. In those cases, Spring Security still participates in authentication (as if it were going to do the authentication itself), but ultimately hands off to something else to do the actual authentication.

Upon return from the actual authentication, Spring Security may be given a token or perhaps some identifying information about the user. It uses that to look up authorization data for the user, which it uses to enforce authorization rules.

I don't know the specifics of how security is already handled in your case. If it's not something that Spring Security already provides support for, I'd bet it's not hard to write an authentication provider implementation to plug your authentication mechanism into Spring Security. But again...I don't know the details of your authentication mechanism. I'd encourage you to look at how Spring Security's OpenID and CAS support is implemented to draw inspiration.
 
Rohit Mehta
Ranch Hand
Posts: 79
Here is something which might interest you, as we are trying to do this with OSGi bundles... though with blurred lines.

It's a hybrid sort of architecture; the authentication process has been placed within a bundle which returns an authToken (of type org.springframework.security.Authentication).
Now as this is working, we need to place just authorization - which I feel must go outside the bundle - within Spring MVC.
Thus I need to know how to authorize it & what are my options.
 
nirmal kc
Greenhorn
Posts: 1
Why don't you try using a pre-authentication filter?
Something like this was already posted here:
http://forum.spring.io/forum/spring-projects/security/89136-need-help-on-spring-security-authorization-without-authentication
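
The pre-authentication approach suggested in this thread, as an added example that is not code from any poster or from the linked forum post. It assumes Spring Security 6 (jakarta servlet API) and that a trusted server-side component has already stored the established `Authentication` in a request attribute; the attribute name `upstream.authentication`, the class names and the user-to-role mapping are hypothetical.

```java
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;

@Configuration
@EnableWebSecurity
public class AuthorizationOnlyConfig {
    // Hypothetical attribute under which the upstream component stores its Authentication.
    static final String UPSTREAM_AUTH = "upstream.authentication";

    /** Reads the identity established upstream; it never checks credentials itself. */
    static class UpstreamAuthFilter extends AbstractPreAuthenticatedProcessingFilter {
        @Override
        protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
            // Request attributes are set server-side; a client-supplied header would be spoofable.
            Object auth = request.getAttribute(UPSTREAM_AUTH);
            return (auth instanceof Authentication a && a.isAuthenticated()) ? a.getName() : null;
        }
        @Override
        protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
            return "N/A"; // credentials were already verified upstream
        }
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        // Authorization data only: map the known user to authorities (constructed sample mapping).
        provider.setPreAuthenticatedUserDetailsService(token -> new User(token.getName(), "",
                AuthorityUtils.createAuthorityList("alice".equals(token.getName()) ? "ROLE_ADMIN" : "ROLE_USER")));
        UpstreamAuthFilter filter = new UpstreamAuthFilter();
        filter.setAuthenticationManager(new ProviderManager(provider));
        http.addFilter(filter)
            .exceptionHandling(e -> e.authenticationEntryPoint(new Http403ForbiddenEntryPoint()))
            .authorizeHttpRequests(a -> a
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated());
        return http.build();
    }
}
```

Requests that arrive without the upstream attribute get no security context and are rejected with 403 by the entry point, so the authorization rules fail closed when the upstream step is skipped.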
 