16 Global Method Security – Pre/Post Authorization

This chapter covers

  • Enabling global method security in Spring applications.
  • Using pre-authorization on methods based on authorities, roles, and permissions.
  • Using post-authorization on methods based on authorities, roles, and permissions.

Up to now, we have discussed various ways of configuring authentication. We started with the most straightforward approach, HTTP Basic, in chapter 2; then I showed you how to set up form login in chapter 5; and we have, of course, covered OAuth 2 in chapters 12 to 15. In terms of authorization, however, we have only discussed configurations at the endpoint level. Say you don’t have a web application. Would you no longer use Spring Security for authentication and authorization? Spring Security is also a good fit for scenarios in which your app isn’t used via HTTP endpoints.

In this chapter, you’ll learn how to configure authorization at the method level. We use this approach to configure authorization in both web and non-web applications, and we call it Global Method Security.

Figure 16.1 Global Method Security enables you to apply authorization rules at any layer of your application. This approach allows you to be more granular and apply the authorization rules specifically to the subject to which they apply.

16.1 Enabling global method security

16.1.1 Understanding call authorization

16.1.2 Enabling global method security in your project

16.2 Applying pre-authorization for authorities and roles

16.3 Applying post-authorization

16.4 Implementing permissions for methods

16.5 Summary