It is my understanding that in Spring Security you are able to have two secured methods. I may only have authorization to one method, but if I enter through a different method for which I DO have authorization, I am good... UNLESS it is to a different service. I would like to know if there is a way (through settings or annotations) to remain authorized even through calls to different services.

Here is the path for user with ROLE_READ:

Controller -> Svc1.getData -> svc2.lookupUser

Here is a different path for a user with ROLE_ADMIN:

ControllerB -> svc2.lookupUser

Code Outline:

@Service
class Svc1 {
    @Resource
    Svc2 svc2
    ....
    @Secured(["ROLE_READ"])
    Iterable<Data> getData() {
        // do stuff here
        User user = svc2.lookupUser()   // call crosses into another bean, so Svc2's check applies
    }
}


@Service
class Svc2 {
    ....
    @Secured(["ROLE_ADMIN"])
    User lookupUser() {
        // do stuff here
        user
    }
}

Again, I understand that if these methods are in the same Service, it is all good. I know that if I create another lookupUserRestricted method with "ROLE_READ", I can delegate to the target method and thus fix the issue. Just curious if there is an alternative.

So something like:

Controller -> Svc1.getData -> ["ROLE_READ"]svc2.lookupUserRestricted -> svc2.lookupUser
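The delegating-method workaround the question describes, written out as an added example (not code from the question or from any project). It assumes plain Spring Security method security on Spring's own `@Secured` annotation (enabled through `@EnableGlobalMethodSecurity(securedEnabled = true)`), and the `User`, `Data` and `MethodSecurityConfig` types are hypothetical. It also shows why the pattern works: `@Secured` is enforced by a Spring AOP proxy around the bean, so a call from `Svc1` into `svc2` passes through the proxy and is checked, while `lookupUserRestricted()` calling `lookupUser()` on `this` inside `Svc2` never touches the proxy and so is not checked again. The trailing test (JUnit 5 with spring-security-test, also an assumption) verifies both sides of that behaviour.

```groovy
import javax.annotation.Resource
import org.springframework.beans.factory.annotation.Autowired
import org.springframework.boot.test.context.SpringBootTest
import org.springframework.context.annotation.Configuration
import org.springframework.security.access.AccessDeniedException
import org.springframework.security.access.annotation.Secured
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity
import org.springframework.security.test.context.support.WithMockUser
import org.springframework.stereotype.Service
import org.junit.jupiter.api.Test
import static org.junit.jupiter.api.Assertions.assertThrows

// Hypothetical domain types; the question does not define them.
class User { String name }
class Data { String value }

// Hypothetical config: turns on @Secured processing (assumed, not from the question).
@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true)
class MethodSecurityConfig {}

@Service
class Svc2 {
    // Unchanged admin entry point: any call that arrives through the bean proxy
    // must carry ROLE_ADMIN.
    @Secured(["ROLE_ADMIN"])
    User lookupUser() {
        new User(name: 'alice')
    }

    // Deliberately narrower entry point for read-only callers. The call to
    // lookupUser() below is a self-invocation on `this`, which bypasses the
    // AOP proxy, so the ROLE_ADMIN check is not re-applied. Return only what
    // the read path needs so this method does not silently widen admin access.
    @Secured(["ROLE_READ"])
    User lookupUserRestricted() {
        User full = lookupUser()
        new User(name: full.name)
    }
}

@Service
class Svc1 {
    @Resource
    Svc2 svc2

    @Secured(["ROLE_READ"])
    Iterable<Data> getData() {
        // This call goes through Svc2's proxy, so the ROLE_READ rule on
        // lookupUserRestricted() is what gets evaluated, not ROLE_ADMIN.
        User user = svc2.lookupUserRestricted()
        [new Data(value: "data for ${user.name}")]
    }
}

// Verification of both behaviours; assumes spring-security-test and JUnit 5 are present.
@SpringBootTest(classes = [MethodSecurityConfig, Svc1, Svc2])
class DelegationSecurityTest {
    @Autowired Svc1 svc1
    @Autowired Svc2 svc2

    // @WithMockUser(roles = 'READ') grants ROLE_READ.
    @Test @WithMockUser(roles = 'READ')
    void readerCanUseTheRestrictedPath() {
        assert svc1.getData().size() == 1
    }

    @Test @WithMockUser(roles = 'READ')
    void readerIsStillDeniedOnTheAdminMethodDirectly() {
        assertThrows(AccessDeniedException) { svc2.lookupUser() }
    }
}
```

The second test is the one worth keeping around: it pins down that adding `lookupUserRestricted()` did not loosen `lookupUser()` itself, which is the risk with any delegate that relies on self-invocation skipping the proxy.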

0 Answers