16 Global method security: Pre- and postauthorizations

 

This chapter covers

  • Global method security in Spring applications

  • Preauthorization of methods based on authorities, roles, and permissions

  • Postauthorization of methods based on authorities, roles, and permissions

Up to now, we have discussed various ways of configuring authentication. We started with the most straightforward approach, HTTP Basic, in chapter 2, and then I showed you how to set up form login in chapter 5. We covered OAuth 2 in chapters 12 through 15. But in terms of authorization, we only discussed configuration at the endpoint level. Suppose your app is not a web application--can’t you use Spring Security for authentication and authorization as well? Spring Security is a good fit for scenarios in which your app isn’t used via HTTP endpoints. In this chapter, you’ll learn how to configure authorization at the method level. We’ll use this approach to configure authorization in both web and non-web applications, and we’ll call it global method security (figure 16.1).

Figure 16.1 Global method security enables you to apply authorization rules at any layer of your application. This approach allows you to be more granular and to apply authorization rules at a specifically chosen level.

16.1 Enabling global method security

16.1.1 Understanding call authorization

16.1.2 Enabling global method security in your project

16.2 Applying preauthorization for authorities and roles

16.3 Applying postauthorization

16.4 Implementing permissions for methods

Summary
