...
1. In a filter, create the caller's Authentication object and put it in Spring Security's SecurityContext (exactly what we have been doing with our own RequestContext, except that we would probably store the caller's permissions there as well).

2. Add authorization annotations to all of our controller methods. Spring has many choices, including annotations that take an expression language and can call security-check methods that we write ourselves. I like that option a lot. We can then do our security checks in these annotations, e.g. @PreAuthorize("permit('developer', #studyId)") permits a developer for the study ID (taken from the method's parameters) to access the controller method. Because we implement the "permit" method ourselves, it can also allow app developers, admins, and superadmins to pass this test, as our checks do now. Another approach is to create custom annotations that bundle complicated expression rules (e.g. @IsDeveloper could do all of the above).

3. Remove our own static method-call checks in AuthUtils. Eventually, consider whether we can remove RequestContext entirely, since 99% of the time it is only being used to do authorization checks.
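The three steps above, sketched end to end as an added example (this is illustrative code written for this page, not code from the project). It assumes Spring Security 6 on the jakarta servlet API, a hypothetical session header and lookup (`Bridge-Session`, `lookupSession`), hypothetical role names, and a bean named `auth` exposing the permit method. One deliberate difference from the text: a bare `permit(...)` in SpEL would need a custom expression root, so the example calls the method through a bean reference, `@auth.permit(...)`, which works without any extra expression-handler wiring.

```java
// Added example for this page; not project code. Assumes Spring Security 6 + jakarta servlet API.
import java.io.IOException;
import java.lang.annotation.*;
import java.util.Set;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.filter.OncePerRequestFilter;

/** Step 1: the caller's Authentication, carrying roles plus the studies the caller may develop. */
final class BridgeAuthentication extends AbstractAuthenticationToken {
    private final String userId;
    private final Set<String> developerStudyIds;

    BridgeAuthentication(String userId, Set<String> roles, Set<String> developerStudyIds) {
        super(AuthorityUtils.createAuthorityList(roles.toArray(new String[0])));
        this.userId = userId;
        this.developerStudyIds = developerStudyIds;
        setAuthenticated(true); // built from an already-validated session, not from a raw credential
    }
    @Override public Object getCredentials() { return null; }
    @Override public Object getPrincipal() { return userId; }
    Set<String> getDeveloperStudyIds() { return developerStudyIds; }
}

/** Step 1: the filter that populates Spring Security's SecurityContext for this request. */
@Component
class SessionAuthFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String token = req.getHeader("Bridge-Session"); // hypothetical header name
        try {
            Authentication auth = lookupSession(token);   // hypothetical: validate token, load roles/studies
            if (auth != null) {
                SecurityContextHolder.getContext().setAuthentication(auth);
            }
            chain.doFilter(req, res);
        } finally {
            SecurityContextHolder.clearContext(); // never let one caller's context leak onto the next request
        }
    }
    private Authentication lookupSession(String token) {
        // Stand-in for a real session store; an unknown token yields no Authentication (anonymous caller).
        if ("dev-token".equals(token)) {
            return new BridgeAuthentication("dev-1", Set.of("STUDY_DEVELOPER"), Set.of("study-a"));
        }
        return null;
    }
}

/** Step 2: the permit method that @PreAuthorize calls; admins/superadmins/app developers pass as today. */
@Component("auth")
class BridgePermissionEvaluator {
    public boolean permit(String role, String studyId) {
        Authentication a = SecurityContextHolder.getContext().getAuthentication();
        if (!(a instanceof BridgeAuthentication b)) return false;   // anonymous or foreign token: deny
        if (hasRole(b, "SUPERADMIN") || hasRole(b, "ADMIN")) return true;
        if ("developer".equals(role)) {
            return hasRole(b, "APP_DEVELOPER")
                || (hasRole(b, "STUDY_DEVELOPER") && b.getDeveloperStudyIds().contains(studyId));
        }
        return false; // unknown role names fail closed
    }
    private static boolean hasRole(Authentication a, String role) {
        return a.getAuthorities().stream().anyMatch(g -> g.getAuthority().equals(role));
    }
}

/** Step 2 (variant): a custom annotation bundling the expression, so controllers just say @IsDeveloper. */
@Target({ElementType.METHOD, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
@PreAuthorize("@auth.permit('developer', #studyId)")
@interface IsDeveloper {}

@Configuration
@EnableMethodSecurity // turns on @PreAuthorize evaluation
class MethodSecurityConfig {}

/** Step 3: the controller carries no AuthUtils call; the annotation is the whole check. */
@RestController
class StudyController {
    // #studyId resolves by parameter name; compile with -parameters (or name it via @P) so SpEL can see it.
    @IsDeveloper
    @GetMapping("/v5/studies/{studyId}")
    public String getStudy(@PathVariable("studyId") String studyId) {
        return "study " + studyId;
    }
}
```

With this in place, a request carrying the constructed `dev-token` reaches `getStudy` for `study-a` but is refused with 403 for `study-b`, and a request with no or an unknown session header is refused for both, since `permit` returns false whenever the context holds no BridgeAuthentication.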
...