Chapter 7. Authorizing user requests

 

This chapter covers

  • Implementing authorization using Spring Security
  • Using authentication levels, roles, and permissions
  • Establishing access control lists

Authorization is the area of security that deals with protecting resources from users or systems—generically, principals—which aren’t allowed to view, modify, or otherwise access them. It generally builds on authentication. Authentication establishes the principal’s identity, and authorization decides what the principal is allowed to do. This chapter continues the treatment of Spring Security we began in chapter 6, this time exploring its authorization features.

Figure 7.1 shows the relationship between the types of authorization in Spring Security 3. On the one hand we have authorization targets, which correspond to what is being protected: methods, views, and web resources. On the other we have authorization styles, or how we’re protecting the targets: via authentication levels, roles, and access control lists (ACLs). Conceptually we’ll break authorization into the grid in table 7.1.

Figure 7.1. Relationship between the types of authorization in Spring Security 3
Table 7.1. Authorization combinations and their corresponding recipes

  Authorization style                          | Authorization target
                                               | Methods      Views        Web resources
  ---------------------------------------------+-----------------------------------------
  Authentication-, role- and permission-based  | Recipe 7.1   Recipe 7.2   Recipe 7.3
  ACL-based                                    | Recipe 7.4   Recipe 7.5   Unsupported

Each recipe addresses one of the cells in the table.
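To make the grid concrete before the recipes, here is an added example (not code from the book or from the Spring project) that applies all three authorization styles of table 7.1 to the "methods" target with Spring Security 3 method-security annotations. The package, class and domain-object names are hypothetical. It assumes `<global-method-security pre-post-annotations="enabled"/>` is declared in the security configuration, and, for the `hasPermission()` expressions, that a `PermissionEvaluator` (the ACL module's `AclPermissionEvaluator`) is wired into the method-security expression handler; without one, Spring Security's default evaluator denies every `hasPermission()` check.

```java
// Added example; not code from the book or from the Spring project.
// Names (example.forum, ForumMessageService, ForumMessage) are hypothetical.
// Assumes <global-method-security pre-post-annotations="enabled"/> and, for
// hasPermission(), a PermissionEvaluator wired into the expression handler.
package example.forum;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

@Service
public class ForumMessageService {

    /** Minimal domain object; an ACL entry for it is keyed by class name and id. */
    public static class ForumMessage {
        private final long id;
        private String text;

        public ForumMessage(long id, String text) {
            this.id = id;
            this.text = text;
        }

        public long getId() { return id; }
        public String getText() { return text; }
        public void setText(String text) { this.text = text; }
    }

    // Constructed in-memory store standing in for a repository.
    private final Map<Long, ForumMessage> messages =
            new ConcurrentHashMap<Long, ForumMessage>();

    // Authentication level: any non-anonymous principal (fully authenticated or
    // remember-me) may read; anonymous callers get an AccessDeniedException
    // before the method body runs.
    @PreAuthorize("isAuthenticated()")
    public ForumMessage getMessage(long id) {
        return messages.get(id);
    }

    // Authentication level combined with a role: a remember-me session is not
    // enough to create content, and the principal must also hold ROLE_USER.
    @PreAuthorize("isFullyAuthenticated() and hasRole('ROLE_USER')")
    public ForumMessage postMessage(long id, String text) {
        ForumMessage m = new ForumMessage(id, text);
        messages.put(id, m);
        return m;
    }

    // Role-based: only a principal holding ROLE_ADMIN may delete.
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    public void deleteMessage(long id) {
        messages.remove(id);
    }

    // Permission-based on one specific domain object: the PermissionEvaluator
    // decides whether this principal has WRITE on this ForumMessage (with the
    // ACL module, by loading the object's ACL and checking its entries).
    // Resolving #message needs the class compiled with parameter debug info.
    @PreAuthorize("hasPermission(#message, 'WRITE')")
    public void updateMessage(ForumMessage message) {
        messages.put(message.getId(), message);
    }

    // ACL-based filtering of results: every element the caller cannot READ is
    // removed from the returned list. @PostFilter needs a mutable collection,
    // hence the defensive copy.
    @PostFilter("hasPermission(filterObject, 'READ')")
    public List<ForumMessage> listMessages() {
        return new ArrayList<ForumMessage>(messages.values());
    }
}
```

The first three annotations correspond to the "Authentication-, role- and permission-based / Methods" cell (recipe 7.1), the last two to the "ACL-based / Methods" cell (recipe 7.4). The point of the split is that role checks are decided from the principal's granted authorities alone, whereas `hasPermission()` checks consult the identity of the specific object being accessed, which is why the ACL recipes need the extra wiring.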

7.1. Authorizing Java methods using authentication levels, roles, and permissions

7.2. Authorizing JSP views using authentication levels, roles, and permissions

7.3. Authorizing web resources using authentication levels, roles, and permissions

7.4. Authorizing method invocations based on ACLs

7.5. Displaying web navigation and content based on ACLs

7.6. Summary