I’m a reasonably new user of Spring Security.

I previously configured Spring Security to perform form based authentication for my web app.

I’ve used Annotations to indication which Controllers/Methods require ROLE_USER vs anonymous, and implemented my own daoAuthenticationProvider to perform the authentication.

I am now implementing REST services which need to authentication on BasicAuthentication + do an IP verification to my DB.

So I have a new role ROLE_IP_AUTH which I’ve defined on the REST services controller.

I’m just a little overwhelmed at this point. Can someone give me a brief description of what next step I should take?

• Do I need to create a new
  <security:http> element for the new
  role?
• Should I be switching to this
  FilterChainProxy? If so what filters
  should I include?
• Should I just handle this in my existing daoAuthenticationProvider class?

Basically I just need to know what direction I’m going in. I think I know enough to get there, there’s just 5 different ways to get anywhere in Spring it seems.

Additional Information
My current implementation has the element configured as follows:

<security:http auto-config="false"
               entry-point-ref="authenticationEntryPoint" >
    <security:logout logout-url="/logout" />
    <security:anonymous enabled="false"/>
    <security:custom-filter position="FORM_LOGIN_FILTER" ref="usernamePasswordAuthenticationFilter" />
    <security:custom-filter position="ANONYMOUS_FILTER" ref="anonymousAuthFilter" />
</security:http>

My remaining question is how I can implement my own IP validation. I can just add the BasicAuth filter using custom-filter and implement my own basic auth filter which checks the IP. But I’m fuzzy on how I make that filter only applicable for the ROLE_IP_AUTH being used by my REST services?