I’m getting started at building REST APIs with Spring annotated controllers.
My question is very simple: how to perform authentication/authorization in a common place rather than the APIs?
Being an expert C# developer I usually create a custom FilterAttribute for my controllers in order to implement any required authentication code.
I’m not going to use the @Secured attribute because I work on custom REST authorization based on custom HTTP headers. I have understood that @Secured works with predefined roles, or perhaps I didn’t understand its usage well.
Does Spring offer annotations to perform early filtering of Controllers working on the HttpRequest?
There is a filter-based authentication and authorization plugin at the web container level, provided by Spring Security. However, you can also apply security annotations to the controllers... Behind the scenes this uses Aspect-Oriented Programming to modularize the security concern. Take a look at Spring Security and AOP.
Once you understand a little about the AOP side of things you can customize the authorization however you like – role-based, time of day, whatever – and this can be driven by custom annotations.
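The custom-annotation approach the answer describes, written out as an added example (this is not code from the question, the answer, or the Spring project). It assumes Spring 6 / Spring Boot 3 with `spring-boot-starter-aop` on the classpath (or `@EnableAspectJAutoProxy` on a configuration class), so `jakarta.servlet` imports. The header name `X-Api-Key`, the annotation `RequiresApiKey`, the `ApiKeyAspect` class, the scope strings, and the two sample keys in `scopesByKeyHash` are all invented for the illustration; the key store holds SHA-256 digests of keys rather than the keys themselves, and the lookup is done on the digest of the presented value so the map's `equals` comparison never runs on the secret itself.

```java
// File 1: src/main/java/com/example/security/RequiresApiKey.java (hypothetical package)
package com.example.security;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

/** Marks a controller method that requires a valid X-Api-Key header carrying the given scope. */
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
public @interface RequiresApiKey {
    String scope();
}

// File 2: src/main/java/com/example/security/ApiKeyAspect.java
package com.example.security;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.List;
import java.util.Map;
import java.util.Set;

import jakarta.servlet.http.HttpServletRequest;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.server.ResponseStatusException;

/** Spring AOP aspect that enforces @RequiresApiKey before the annotated controller method runs. */
@Aspect
@Component
public class ApiKeyAspect {
    static final String HEADER = "X-Api-Key";

    // Constructed sample store: SHA-256(key) -> granted scopes. In a real deployment this
    // is loaded from a database or secrets manager; keys are never kept in clear text.
    private final Map<String, Set<String>> scopesByKeyHash = Map.of(
        sha256Hex("demo-key-please-rotate"), Set.of("orders:read", "orders:write"),
        sha256Hex("readonly-demo-key"),      Set.of("orders:read"));

    // Binding the annotation as a parameter gives the aspect access to the required scope.
    @Before("@annotation(requiresApiKey)")
    public void enforce(RequiresApiKey requiresApiKey) {
        ServletRequestAttributes attrs =
            (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
        if (attrs == null) {
            // Not a web request (e.g. the method was called from a scheduled job): fail closed.
            throw new IllegalStateException("No servlet request bound to the current thread");
        }
        HttpServletRequest request = attrs.getRequest();
        String presented = request.getHeader(HEADER);
        if (presented == null || presented.isBlank()) {
            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "Missing " + HEADER);
        }
        // Hash the presented value first, then look it up: the map compares digests, not secrets.
        Set<String> scopes = scopesByKeyHash.get(sha256Hex(presented));
        if (scopes == null) {
            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "Invalid API key");
        }
        if (!scopes.contains(requiresApiKey.scope())) {
            // Authenticated but not authorized for this operation.
            throw new ResponseStatusException(HttpStatus.FORBIDDEN,
                "API key lacks scope " + requiresApiKey.scope());
        }
    }

    static String sha256Hex(String value) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            return HexFormat.of().formatHex(md.digest(value.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }
}

/** Sample controller (hypothetical) showing the annotation in use. */
@RestController
@RequestMapping("/orders")
class OrderController {
    @GetMapping
    @RequiresApiKey(scope = "orders:read")
    public List<String> list() {
        return List.of("order-1", "order-2");
    }
}
```

Two caveats worth knowing before relying on this pattern. First, Spring AOP is proxy-based: the check runs only when the controller is invoked through its proxy, which is the case for calls dispatched by `DispatcherServlet`, but not for a controller method calling another method on `this`. Second, the aspect fires after handler mapping and argument resolution, so request-body deserialization has already happened by the time an unauthenticated caller is rejected, and any endpoint that forgets the annotation is open by default. For the authentication step itself, a servlet `Filter` (Spring Security's `OncePerRequestFilter` placed ahead of its authorization filter) rejects bad requests earlier and covers every endpoint; the annotation is then best used for the per-method authorization decision, as the answer suggests.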