combining spring security 3 with jersey rest api

Question

I have a scenario where I am trying to combine spring security with jersey for my REST API.

My need is rather complicated (I think) and it is as follows:

Spring security is being used to intercept urls and forcing basic authentication in order to access a REST resource. This seems to be ok as I am using http client to test this.

However what I want to do is somehow access the User object that is loaded to check some additional permissions that hang off the user (a map object with boolean flags to indicate if object properties are visible or not). The code that does the loading works, but after spring authenticates how do I then access the User object in the actual REST Resource method itself?? Is this possible?

So the steps are:

1) Client makes a REST API call 2) Spring intercepts URL checks username and password supplied in the http header 3) The rest resource method is then accessed if valid credentials are present

But before step 3, I want to somehow pass on the loaded User object to the actual Resource method itself so I can further apply some logic to restrict what the user can see based on the permissions that I have loaded??? Is this possible? I think I have seen some code somewhere that checks for User Roles before a method is accessed using Spring and REST but if anyone has any links or ideas that would be excellent.

Please help if you can. thank you so much.

Answer 1

I solved this by using a request-scoped proxy which was constructed by a bean factory.

This allows you to simply inject your currently authenticated user into any spring managed bean, and in my case my Jersey Resources fell into that category. I injected my user into the tier below the resources, but it's all the same.

Someone else elegantly blogged the full solution here.