...
In a filter, create a caller's
Authenticationobject and put it in Spring Security'sSecurityContext(exactly like what we've been doing with our ownRequestContext; we’d store the user’s ID and app ID);Add authorization annotations to all of our controller methods.
We can basically do our security checks in these annotations, e.g.@PreAuthorize("permit('developer', #studyId)")- permit a developer for the study ID (taken from the method’s parameters) to access the controller method. Or@PostAuthorize("returnedObject.ownerId == authentication.orgMembership")to check rules against the object being returned from the method. Because we can implement the “permit” methodcustom functions in the evaluation language, we can carry over our specific business logic. Later we can hook in other authorization systems very cleanly this way.Remove our own static method call checks in
AuthUtils. Eventually consider if we can removeRequestContextsince it is 90% of the time being used to do authorization checks.
...