Question about authentication best practices via spring-security
    My goal is to have specific channels secured by spring-security. I realize that the spring-integration-security module provides the namespace integration for spring-security, which provides method-level, role-based authorizations. But before the authorizations can be used, a principal must have been logged in and a suitable SecurityContext set into the Thread's SecurityContextHolder.

    I have two questions.

    What's the best way to go about authenticating the principal before the flow of execution arrives at the method-level authorizations? Two ways pop into my head, but I would like feedback:

    1) Set up a global channel interceptor which would perform this authentication well before getting to the channel that is secured by the authorizations check?
    2) Create a service activator bean and connect the integration flow up to this and do the authentication within the bean.

    Are there other/better ways?

    I could do #1, but then other channels that are unrelated to authorization would be included. There is one channel that I would like to have both authentication and authorization on, and the rest don't matter or don't need to know there is authentication going on.

    #2 is possible also, but I'd like to keep cross-cutting concerns like this orthogonal to the integration flow.

    I can't add a channel interceptor to the channel in question because those actually run AFTER the method-level interception performed by spring-security.

    Any thoughts?
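
Added example, not part of the original post and not Spring's own code: a sketch of the precondition described above, where the principal is authenticated and a SecurityContext is bound to the sending thread before the message reaches the one secured channel. The class name `AuthenticatedChannelSender` and the `securedChannel` wiring are hypothetical; it assumes the `org.springframework.messaging` types (Spring Integration 4 or later) and Spring Security's default thread-local SecurityContextHolder strategy.

```java
import org.springframework.messaging.Message;
import org.springframework.messaging.MessageChannel;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical helper: authenticate first, then send on the caller's thread. */
public class AuthenticatedChannelSender {

    private final AuthenticationManager authenticationManager;
    private final MessageChannel securedChannel; // the only channel with access rules

    public AuthenticatedChannelSender(AuthenticationManager authenticationManager,
                                      MessageChannel securedChannel) {
        this.authenticationManager = authenticationManager;
        this.securedChannel = securedChannel;
    }

    /**
     * @param credentials unauthenticated token, e.g. a UsernamePasswordAuthenticationToken
     * @return the result of MessageChannel.send
     * @throws AuthenticationException if the credentials are rejected; in that
     *         case nothing is sent and no context is bound to the thread
     */
    public boolean send(Authentication credentials, Message<?> message)
            throws AuthenticationException {
        // Fail closed: authenticate() throws before the channel is touched.
        Authentication authenticated = authenticationManager.authenticate(credentials);

        // Bind a fresh context holding only the verified Authentication.
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(authenticated);
        SecurityContextHolder.setContext(context);
        try {
            // The send-access check runs on this thread, so it sees the context.
            return securedChannel.send(message);
        } finally {
            // Threads are usually pooled: clear the context so the next message
            // handled by this thread does not inherit this principal.
            // Assumes the caller had no context of its own to preserve.
            SecurityContextHolder.clearContext();
        }
    }
}
```

Because the context is thread-bound, it does not follow a message across a queue or executor channel; any authorization check that runs after such a hand-off needs the context re-established on the consuming thread.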