Spring Security: authorization on controller methods

Spring Security offers three methods of authorization:
  • securing URLs using <intercept-url> or authorizeRequests() in XML/Java config (also called web security or URL security)
  • securing individual method invocations using <global-method-security> or @EnableGlobalMethodSecurity
  • securing domain objects using ACL
The first method is well-suited for securing servlets and controllers.
The second works (with a default configuration) for service layer components, but not for controllers. This is because you usually add Spring Security to the root application context and, since controllers live in the web application context, Spring Security cannot see them. Still, developers very often try to apply global method security to controller methods; the Spring Security FAQ even has an answer to this question. Usually the solution is to move <global-method-security> into the web application context.

I think that many of those developers actually don't need global method security on controller methods. For example, see these four threads: [1], [2], [3] and [4] - they all require a simple "hasRole(XXX)" check. So I think that what they really need is to configure some authorization mechanism using annotations directly on controller methods (because it is more convenient than configuring it using URL patterns). It doesn't matter whether it is web security or global method security. However, they choose global method security because it supports annotations.

In this post I would like to show an alternative approach - something that is between web security and global method security. It will use web security expressions, but will be configured by annotations applied to controller methods. Let's see how this can be implemented.
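One way to realise that idea, as an added example and not the post's own code: a Spring MVC HandlerInterceptor, registered in the web application context, that reads a hypothetical @WebSecured annotation from the controller method and evaluates its web security expression with Spring Security's DefaultWebSecurityExpressionHandler. It assumes Spring Security 3.1 or later and Java 8.

```java
import java.lang.annotation.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.expression.ExpressionUtils;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;
import org.springframework.web.method.HandlerMethod;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

/** Hypothetical annotation (assumed, not part of Spring): a web security expression for one controller method. */
@Target(ElementType.METHOD)
@Retention(RetentionPolicy.RUNTIME)
@interface WebSecured {
    String value(); // e.g. "hasRole('ROLE_ADMIN') and hasIpAddress('10.0.0.0/8')"
}

/** Runs inside the web application context, so it sees the controllers that global method security cannot. */
public class WebSecuredInterceptor extends HandlerInterceptorAdapter {
    private final DefaultWebSecurityExpressionHandler expressionHandler =
            new DefaultWebSecurityExpressionHandler();

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) {
        if (!(handler instanceof HandlerMethod)) {
            return true; // static resources etc.: nothing annotated to check
        }
        WebSecured secured = ((HandlerMethod) handler).getMethodAnnotation(WebSecured.class);
        if (secured == null) {
            return true; // unannotated methods are left to URL security alone
        }
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            throw new AccessDeniedException("no Authentication in SecurityContext");
        }
        // Same expression root as <intercept-url access="..."/>; the empty lambda is a FilterChain
        // that FilterInvocation requires in its constructor but never invokes here.
        FilterInvocation invocation = new FilterInvocation(request, response, (req, res) -> { });
        EvaluationContext ctx = expressionHandler.createEvaluationContext(auth, invocation);
        Expression expr = expressionHandler.getExpressionParser().parseExpression(secured.value());
        if (!ExpressionUtils.evaluateAsBoolean(expr, ctx)) {
            throw new AccessDeniedException("denied by expression: " + secured.value());
        }
        return true;
    }
}
```

Register it with <mvc:interceptors> or addInterceptors() in the web context; an AccessDeniedException thrown here propagates out of the DispatcherServlet to ExceptionTranslationFilter, which unwraps it and produces the usual 403 or login redirect.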


How to create custom form property types in Activiti

The Activiti BPM engine provides support for creating forms for user tasks. Out of the box the following form property types are supported: string, long, enum, date and boolean. In this post I would like to show you how you can add a custom form property type.