
  • spring security without DelegatingFilterProxy

    Hi, I am new to Spring Security. All the examples that I have gone through use DelegatingFilterProxy, so that Spring Security sits between the user and the application. Is it possible to let the application decide with which parameters to call Spring Security? For example, the controller decides which actions are associated with the URL, calls the security layer to authenticate/authorize, and then passes them to the business layer.

  • #2
    A lot of things can be done in your controller, but protecting resources based upon the URL is much better off in a Filter since it can intercept any request. Can I ask what you are trying to accomplish?

    • #3
      1. Suppose the actions associated with the URL are not explicit. For example, a URL request creates object A, but it can be created only if its parent exists and the user does not have permission to create the parent.
      2. Also, it makes a dependency on URL naming. If there are two applications, one uses REST and the other normal Struts-type URLs. If both are trying to do the same actions, then a common security service can be used to protect both of them.
      3. Eventually security would be about allowing/denying a user from doing some action on protected objects. What if the URL does not give us that information explicitly and we need to do some pre/post processing of the URL?

      • #4
        Need urgent help

        Can anyone please help me with this question?

        • #5
          Originally posted by dineshpathak
          1. Suppose the actions associated with the URL are not explicit. For example, a URL request creates object A, but it can be created only if its parent exists and the user does not have permission to create the parent.
          2. Also, it makes a dependency on URL naming. If there are two applications, one uses REST and the other normal Struts-type URLs. If both are trying to do the same actions, then a common security service can be used to protect both of them.
          3. Eventually security would be about allowing/denying a user from doing some action on protected objects. What if the URL does not give us that information explicitly and we need to do some pre/post processing of the URL?

          This sounds to me like you may want to take a look at global method security.

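
The suggestion in #5, sketched as an added example that is not part of the thread: with global method security the rule sits on the service method, so a REST controller and a Struts action that call the same service are covered by one check that does not depend on URL naming. `ChildService`, the `addChild` permission and the `OWNER_<id>` authority are hypothetical names; the code assumes Spring Security 5.x Java configuration with spring-security-config and spring-context on the classpath.

```java
import java.io.Serializable;
import org.springframework.context.annotation.*;
import org.springframework.security.access.*;
import org.springframework.security.access.expression.method.*;
import org.springframework.security.access.method.P;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.*;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

public class MethodSecurityDemo {
    // Hypothetical service: the rule is attached to the action, not to a URL pattern.
    public static class ChildService {
        @PreAuthorize("hasPermission(#parentId, 'Parent', 'addChild')")
        public String createChild(@P("parentId") long parentId, String name) {
            return "created " + name + " under parent " + parentId;
        }
    }

    @Configuration
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    static class Config extends GlobalMethodSecurityConfiguration {
        @Bean ChildService childService() { return new ChildService(); }
        @Override
        protected MethodSecurityExpressionHandler createExpressionHandler() {
            DefaultMethodSecurityExpressionHandler h = new DefaultMethodSecurityExpressionHandler();
            h.setPermissionEvaluator(new PermissionEvaluator() {
                public boolean hasPermission(Authentication a, Object target, Object perm) { return false; }
                // Constructed rule: only a caller holding OWNER_<parentId> may add children.
                public boolean hasPermission(Authentication a, Serializable id, String type, Object perm) {
                    return "Parent".equals(type) && "addChild".equals(perm)
                        && AuthorityUtils.authorityListToSet(a.getAuthorities()).contains("OWNER_" + id);
                }
            });
            return h;
        }
    }

    public static void main(String[] args) {
        try (AnnotationConfigApplicationContext ctx = new AnnotationConfigApplicationContext(Config.class)) {
            ChildService svc = ctx.getBean(ChildService.class);
            // Constructed caller: alice owns parent 1 only. No filter chain is involved.
            SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("OWNER_1")));
            System.out.println(svc.createChild(1L, "A"));
            try { svc.createChild(2L, "A"); } catch (AccessDeniedException e) { System.out.println("denied"); }
        }
    }
}
```

In a web application the `Authentication` in the `SecurityContextHolder` is normally populated by the filter chain; it is set by hand here only to keep the demo stand-alone.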