Spring Security has nice support for annotation-based authorization constraints. I would suggest we switch to it and secure the system at the controller tier by annotating our controller methods. Spring provides an expression language we can use to declare our constraints, and we can even implement new methods in that constraint language, so that Spring delegates to our own code to answer authorization questions. It would allow new developers to work with a technology that they have seen before, and that is documented.

Using Spring security for authorization (not authentication, at least initially) we would do the following:

  1. In a filter, create a caller's Authentication object and put it in Spring Security's SecurityContext (exactly like what we've been doing with our own RequestContext; we’d store the user’s ID and app ID);

  2. Add authorization annotations to all of our controller methods.
    We can basically do our security checks in these annotations, e.g. @PreAuthorize("permit('developer', #studyId)") - permit a developer for the study ID (taken from the method’s parameters) to access the controller method. Because we can implement the “permit” method, we can carry over our specific business logic. Later we can hook in other authorization systems very cleanly this way.

  3. Remove our own static method call checks in AuthUtils. Eventually consider whether we can remove RequestContext, since 90% of the time it is being used to do authorization checks.
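
A sketch of steps 1 and 2 together, added here as an illustration and not taken from the project's code base. It uses Spring Security's bean-reference form (`@authz.permit(...)`) rather than the bare `permit(...)` shown above, which would additionally need a custom expression root to be registered. The `Caller` record, the `caller` request attribute, the `authz` bean name and the URL are hypothetical, and the filter is assumed not to be overridden by a Spring Security web filter chain.

```java
// Added example; assumes Spring Security 6, Java 17, and @EnableMethodSecurity on a config class.
import jakarta.servlet.*;
import jakarta.servlet.http.*;
import java.io.IOException;
import java.util.*;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.*;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical principal: user ID, app ID, and the caller's roles per study.
record Caller(String userId, String appId, Map<String, Set<String>> rolesByStudy) {}

// Step 1: copy the already-authenticated caller into the SecurityContext.
@Component
class CallerContextFilter extends OncePerRequestFilter {
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res,
            FilterChain chain) throws ServletException, IOException {
        // Assumption: the existing authentication code stored a Caller in this attribute.
        if (req.getAttribute("caller") instanceof Caller caller) {
            SecurityContext ctx = SecurityContextHolder.createEmptyContext();
            ctx.setAuthentication(new PreAuthenticatedAuthenticationToken(caller, "", List.of()));
            SecurityContextHolder.setContext(ctx);
        }
        try {
            chain.doFilter(req, res);
        } finally {
            SecurityContextHolder.clearContext(); // no identity left on a pooled thread
        }
    }
}

// Step 2: the bean the annotation delegates to; it carries the business rule.
@Component("authz")
class StudyAuthorizer {
    public boolean permit(Authentication auth, String role, String studyId) {
        if (auth == null || !(auth.getPrincipal() instanceof Caller caller)) return false; // fail closed
        return caller.rolesByStudy().getOrDefault(studyId, Set.of()).contains(role);
    }
}

@RestController
class StudyController {
    @PreAuthorize("@authz.permit(authentication, 'developer', #studyId)") // needs -parameters
    @GetMapping("/v1/studies/{studyId}")
    public Map<String, String> getStudy(@PathVariable String studyId) { return Map.of("studyId", studyId); }
}
```

A request with no `Caller` leaves the context empty, so the `@PreAuthorize` check rejects it instead of reaching the controller.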
