Java Forum

Ask Question   UnAnswered
Home » Forum » Java       RSS Feeds

Server Side Authorization with Spring & AOP

  Asked By: Diane    Date: Aug 01    Category: Java    Views: 2030

I'm working on an app written using spring & axis web services, now I
want to add server side authorization to the app, but I dont want to
add a line of code at the first of every method, so I decided to use
spring aop, as you know service objects are created outside spring
container, I wanted to know is this possible to intercept an object
that is created outside spring container? (without using aspectj
compiler) I've heared it could be done in spring 2?
We are using spring 1.2.4, have you had compatibility issues with
spring 2?(As you know spring 2 has backward compatibility with 1.x
And the last question, do you know a better way to do server side
authorization ?



5 Answers Found

Answer #1    Answered By: Guadalupe Rogers     Answered On: Aug 01

I think the best way to doing server  side authorization is JAAS (Java Authentication and Authorization Service). The service  support by spring  and you have not any consider about authorization.

Answer #2    Answered By: Gustavo Taylor     Answered On: Aug 01

I think the best way for web  services authentication/authorization is WS Security standardized by W3C. It is distributed with axis  2 but you can add  it to your axis 1.x. just google it for details.

I don’t know how to intercept external objects  into Spring but there is ACGI Security developed for Spring that as I remember has URL based authorization which may help you to some extent.

Answer #3    Answered By: Velma Adams     Answered On: Aug 01

You can use spring  2.0 aspectJ pointcut language without using aspectJ although Spring 2.0 isn't officially released(rc3 at the moment). You can also use Spring 1.2.x BeanNameAutoProxyCreator class to reach for your pointcut. Spring 2.0 is backward compatible to 1.2.x but I remember that I once migrated from 1.2.3 to 2.0-m2 a few month ago and spring MVC upload mechanism couldn't work but as far as I can see, Spring team has worked alot upon this backward compatibility. And I think you must face no major problem. In order not to reinvent the wheel, I suggest that you'd better take a look at Acegi as well...

Answer #4    Answered By: Wilbur Hall     Answered On: Aug 01

Involvement of Spring and AOP aside, I'd like to highlight two patterns that are used for web-tier and business-tier components. In general (as it applies to your application) once there are multiple entry points to an application and once all of them require authentication and authorization, you can centralize AA enforcement and encapsulate security mechanisms using a facade or a controller in order to enforce the AA logic across all components and operation within your application.

encapsulating AA logic behind a common interface will make it lot easier to migrate this to any part of the enterprise.

there are different strategies to implementation of AA enforcement pattern and
I wish I had an electronic version of my catalog but anyway following could highlight some aspects of authentication and authorization enforcement patterns


Note that customized implementation of such mechanisms introduces risks and issues  such not being aligned with J2EE standards while the spec recommends prevention from customized and developed implementation of security control mechanism as much as possible and leave the functionality to the framework. At the same time JAAS is highly recommended due to its alignment with standards.

Also when you define you own security control there is a high chance of leaving the application open to attacks.

if you decided to apply this approach, make sure you review the pattern completely and choose the best of that fulfills your application requirements.

Answer #5    Answered By: Chione Massri     Answered On: Aug 01

I think you can look at acegi-security at following address

Didn't find what you were looking for? Find more on Server Side Authorization with Spring & AOP Or get search suggestion and latest updates.