In my current project we have a set of service classes that are secured by method-based security.
Now in some cases the “system” needs to call secured methods on its own (for example: a user leaves a channel and the channel is implicitly closed because it's empty; normally ‘close’ is protected).
How do I provide access to a service class in a secured and an unsecured way at the same time?
EDIT – short example
During authentication the system checks if there is an active ban against the user.
    public User authenticate(String name, String token) throws BadCredentialsException, RuntimeException {
        // Look up the user and verify the supplied token
        User user = get(name);
        if (user == null || !user.getToken().equals(token)) {
            throw new BadCredentialsException("Invalid Project/Username/Password");
        }
        // Reject the login if there is an active ban for this user
        Ban userBan = banService.getBanForUser(user);
        if (userBan != null) {
            throw new UserBannedException("User was baned", userBan);
        }
        return user;
    }
BUT access to any bans is protected by method-based security so not every user can “get” them.
    @PreAuthorize("isAuthenticated()")
    public Ban getBanForUser(User user) {
        return ...
    }
So basically I need two ways to access this method: one that is protected by the spring-security interceptor (for “users”) and one that is not (for the “system”).
Is this possible without wrapper classes, inheritance magic, …
It would be great if I could define two spring beans that have the same class, one with spring-security and one without.
A solution (nothing close to something elegant, of course) would be to simulate the authentication of a super user right before you call the protected methods. Something like this:
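
The approach this answer describes, as an added example that is not the answer author's code: a temporary "system" authentication is placed in the Spring Security context for the duration of one call and the caller's context is restored afterwards. `SystemRunner`, `runAsSystem` and `ROLE_SYSTEM` are hypothetical names; the Spring Security classes are the framework's own.

```java
import java.util.function.Supplier;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical helper: runs one call under a temporary "system" identity. */
public final class SystemRunner {

    // Assumed role name; it should never be grantable to ordinary users.
    private static final String SYSTEM_ROLE = "ROLE_SYSTEM";

    private SystemRunner() {
    }

    public static <T> T runAsSystem(Supplier<T> action) {
        // Remember the caller's context (it may be empty, e.g. during login).
        SecurityContext previous = SecurityContextHolder.getContext();

        // The three-argument constructor produces an already authenticated,
        // non-anonymous token, so @PreAuthorize("isAuthenticated()") passes.
        Authentication system = new UsernamePasswordAuthenticationToken(
                "system", null, AuthorityUtils.createAuthorityList(SYSTEM_ROLE));

        // Use a fresh context instead of mutating the existing one, which
        // may be the instance stored in the user's HTTP session.
        SecurityContext elevated = SecurityContextHolder.createEmptyContext();
        elevated.setAuthentication(system);

        SecurityContextHolder.setContext(elevated);
        try {
            return action.get();
        } finally {
            // Always restore, even when the action throws: the default holder
            // is thread-local and pooled threads are reused across requests,
            // so a leftover system identity would leak to the next caller.
            SecurityContextHolder.setContext(previous);
        }
    }
}
```

In the question's `authenticate` method the ban lookup would then read `Ban userBan = SystemRunner.runAsSystem(() -> banService.getBanForUser(user));`. Keeping the elevated section to the single protected call limits what runs with the system identity.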