Spring Custom MVC Authentication
What I'm looking for is a filter (or similar) that would handle the authentication model for my Spring MVC application. My app is hosted on Google App Engine as well.
Authentication in this application can tend to be very dynamic and permissions are not something that fits perfectly into a predefined role structure. These permissions will be tied to various action methods on my controllers. Ideally, I would like to be able to comment on these permissions, but I am open to other suggestions.
I find there is not much information on how to do this. Ideally I would like to be able to intercept the call to my controller actions and be able to read annotations and process accordingly. I hope someone here has a little more knowledge about Spring MVC and where I can inject some custom code and could point me in the right direction.
source to share
I would still use Spring Security for this. It may not have a class that matches your login scheme 100%, but for this inheritance. Write your own. You can easily get rid of the ROLE based DecisionManager and make it fit your paradigm.
Based on your comments, have you checked out the MethodInterceptor in Spring? It creates a proxy that intercepts calls to any method in the proxy class and lets you trigger or deny the method based on whatever code you want. Spring Security has an AbstractSecurityInterceptor, but I find it very difficult to use and for most access decisions I think it is too much.
So I would use Spring Security to authenticate the user (and populate the SecurityContext) and then use interceptors to access the method access restrictions in your controllers that you want to protect.
source to share