• All authenticated users should have the appropriate roles/authority to access secure system resources.
• Authentication and authorization mechanisms should be encapsulated as independent components and applied transparently by configuration.
Solution
Implement a pluggable authentication and authorization enforcer to verify a user's identity and allow access to secured resources.
Strategies with the Spring Framework
Spring Security implements the Authentication and Authorization Enforcer pattern as a set of two distinct yet very closely linked components. The authentication and authorization enforcer components work together and transparently apply authentication and authorization support both in the presentation tier of the Java EE web application and in the business tier. These components are highly configurable and extensible, as you will see in subsequent sections.
The authentication enforcer's primary responsibility is validating a user's identity. It also checks for authentication whenever any request reaches the web application. If the user is authenticated, it allows the request to pass on to the authorization enforcer. If the authentication fails, the user will be redirected to the sign-on page.
Authentication enforcers are generally pluggable, which helps to quickly adapt to any new authentication mechanism such as OpenID. The core component sits behind protocol-independent interceptors and uses helpers to delegate the actual authentication process. All user actions must go through these interceptors to apply authentication.
Once the authentication core components are done, the authorization enforcer picks up the request. It checks to see whether the user who has initiated this action has enough privileges to access a particular web page or execute a certain method. If the user is trying to access a resource without validating his identity, the authorization enforcer will force him out to the sign-on page or access-denied page. Figure 6-1 shows the basic architecture of the authentication and authorization enforcer.
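The flow just described, wired up in a Spring Security Java configuration, as an added example that is not from the book: the filter chain is the web-tier interceptor, the `UserDetailsService` is the pluggable helper the authentication enforcer delegates to, and `@PreAuthorize` applies the same role check in the business tier. It assumes Spring Security 6 (Spring Boot 3) on the classpath; the URL paths, role names and in-memory users are constructed placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Configuration
@EnableMethodSecurity // turns on @PreAuthorize checks in the business tier
public class EnforcerConfig {
    // Presentation tier: the filter chain is the interceptor that every HTTP request
    // passes through before it reaches a controller.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/access-denied").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")   // authorization enforcer: role check
                .anyRequest().authenticated())                    // authentication enforcer: identity check
            .formLogin(form -> form.loginPage("/login").permitAll())           // unauthenticated -> sign-on page
            .exceptionHandling(ex -> ex.accessDeniedPage("/access-denied"));  // authenticated but lacking the role
        return http.build();
    }

    // Pluggable identity store (constructed sample users); swap in LDAP, JDBC, OpenID, etc. without touching the chain.
    @Bean
    UserDetailsService users(PasswordEncoder enc) {
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password(enc.encode("alice-pw")).roles("USER").build(),
            User.withUsername("admin").password(enc.encode("admin-pw")).roles("USER", "ADMIN").build());
    }

    @Bean
    PasswordEncoder passwordEncoder() { return PasswordEncoderFactories.createDelegatingPasswordEncoder(); }

    // Business tier: the same role is enforced on the method itself, so a caller reaching
    // it through some other controller (not under /admin/**) is still denied.
    @Service
    public static class ReportService {
        @PreAuthorize("hasRole('ADMIN')")
        public String exportAll() { return "all reports"; }
    }
}
```

With this in place, an anonymous request to `/admin/reports` is redirected to `/login`, while `alice` (authenticated but only `ROLE_USER`) is sent to `/access-denied` both for the URL and for a direct call to `exportAll()`.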