spring quartz job - accessing spring-security secured bean methods

Question

I added cronjobs to spring app using quartz.

inside these jobs, I would like to access spring-security secured bean methods from another app.

This is my application structure.

| - core
| - webapp
| - jobs-app

both the webapp and jobsapp use core services. jobsapp is not a web application. It just has quartz jobs in it.

Inside a job if I try to access a bean that is secured using SpringSecurity global-method-security I get an exception {org.springframework.security.AuthenticationCredentialsNotFoundException}"org.springframework.security.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext"

If I set the context using SecurityContextHolder.getContext().setAuthentication to a power user, it works.

But, I have to do this for all the jobs.

Is there a way I can make all the jobs runas a particular user? may be some configuration somewhere?

Answer 1

You have two choices:

• move @Secured annotation up, from service to web layer. If I understand correctly your Quartz jobs access service beans directly (bypassing the web layer) so you'll bypass the security as well

• implement Run-As functionality, just like you described. It doesn't have to be that manual. Try template method pattern or some AOP + annotations. It'll turn out to be rather clean.

We tried both approaches and moving security to web layer worked slightly better. This was possible because service layer was mapping nicely to Spring MVC controller methods.