I’m trying to get Spring Security to handle authorization via GET variables. All the examples I’ve been able to find focus pretty much entirely on role-based authorization, which doesn’t really work for my application. The way the authentication/authorization process needs to work is as follows:
- User authenticates through external system, gets a session ID.
- User passes two GET parameters to my application, sessionId and objectId.
- Application verifies that session is valid (already figured this part out)
- Application verifies that the object is visible to the user (need help here)
- Application returns object information to the user
All the examples I’ve seen have been demonstrating how powerfully Spring Security can check a granted authority on a URL pattern or a Java method. But I need to implement a custom check on step 4 to make sure that the user has the correct permissions in the backend (users can be granted object-specific rights, so a role approach won’t work here).
I am new to Spring Security, so it could be that my thought process is just all sorts of wrong. If I am, feel free to correct me!
I think you need to look at the Pre-Authentication Scenarios section in the documentation. In particular, you will probably need to implement an AbstractPreAuthenticatedProcessingFilter to pre-authenticate the user based on the GET parameters.
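As an added example (not from the question or the answer above), here is one way to put the two pieces together in Spring Security: an AbstractPreAuthenticatedProcessingFilter that reads sessionId from the query string, an AuthenticationUserDetailsService that turns a valid session into a user (step 4), and a PermissionEvaluator backing hasPermission() so the object-specific check in step 5 can be written as a @PreAuthorize rule instead of a role. The Backend class, its sample session and ACL data, the class names and the "read" permission string are all assumptions made up for this example; the Spring Security types are real. It assumes Spring Security 6 (jakarta.servlet); on 5.x and earlier the servlet import is javax.servlet.

```java
import java.io.Serializable;
import java.util.List;
import java.util.Map;
import java.util.Set;

import jakarta.servlet.http.HttpServletRequest;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/** Hypothetical stand-in for the external system's session store and per-object ACLs (constructed data). */
final class Backend {
    // sessionId -> userId
    static final Map<String, String> SESSIONS = Map.of("s-1a2b", "alice", "s-9z8y", "bob");
    // userId -> objectIds that user may read
    static final Map<String, Set<String>> VISIBLE = Map.of(
            "alice", Set.of("obj-1", "obj-2"),
            "bob", Set.of("obj-2"));
}

/** Step 3: pull the externally issued session ID out of the GET parameters. */
class SessionIdPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {
    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        // null means "no pre-auth identity on this request"; the filter then does nothing
        return request.getParameter("sessionId");
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A"; // the external system already authenticated the user; no password here
    }
}

/** Step 4: a session ID is only accepted if the backend still knows it. */
class SessionUserDetailsService
        implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {
    @Override
    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) {
        String userId = Backend.SESSIONS.get((String) token.getPrincipal());
        if (userId == null) {
            throw new UsernameNotFoundException("unknown or expired session");
        }
        // Roles are irrelevant to the object check; one marker authority keeps User happy
        return new User(userId, "", List.of(new SimpleGrantedAuthority("ROLE_USER")));
    }
}

/** Step 5: object-specific visibility, consulted by hasPermission(#objectId, 'read'). */
class ObjectVisibilityEvaluator implements PermissionEvaluator {
    @Override
    public boolean hasPermission(Authentication auth, Object targetDomainObject, Object permission) {
        if (auth == null || !auth.isAuthenticated() || targetDomainObject == null) {
            return false; // fail closed: anonymous or malformed calls never see anything
        }
        Set<String> visible = Backend.VISIBLE.getOrDefault(auth.getName(), Set.of());
        return "read".equals(permission) && visible.contains(targetDomainObject.toString());
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) {
        return hasPermission(auth, targetId, permission);
    }
}

/** Step 6: the method body only runs when the evaluator said yes for this objectId. */
class ObjectService {
    @PreAuthorize("hasPermission(#objectId, 'read')")
    public String getObject(String objectId) {
        return "object " + objectId;
    }
}

/** Plain-Java wiring; how these are registered with the filter chain depends on your Spring version. */
final class Wiring {
    static SessionIdPreAuthFilter preAuthFilter() {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(new SessionUserDetailsService());
        SessionIdPreAuthFilter filter = new SessionIdPreAuthFilter();
        filter.setAuthenticationManager(new ProviderManager(List.of(provider)));
        // A bad sessionId should be a 403, not a silent fall-through to an anonymous request
        filter.setContinueFilterChainOnUnsuccessfulAuthentication(false);
        return filter;
    }

    static DefaultMethodSecurityExpressionHandler expressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(new ObjectVisibilityEvaluator());
        return handler;
    }
}
```

With the constructed data, `?sessionId=s-9z8y&objectId=obj-1` authenticates as bob but is denied at the @PreAuthorize check, while `obj-2` is allowed; an unknown sessionId is rejected in step 4 before any object lookup. The evaluator is keyed on the authenticated user's name, not on anything else in the request, so a caller cannot widen their own access by tampering with objectId. Two practical notes: `#objectId` in the expression needs parameter names at runtime (compile with `-parameters` or debug info), and a session ID carried in a GET parameter ends up in access logs, browser history and Referer headers, so it is worth weighing a header-based variant of the same filter if you control the client.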