If you have read previous tutorial about Spring Security and JSF you would have noticed that all this time we have been speaking about securing our web layer. What about business layer ? In this post we will go through few ways of securing our business layer, and then in subsequent post we will see practical examples how do we accomplish our goal.
Before we begin, first question is why do we bother about business layer security ? Multiple answers can be given for this question:
- Business layer can be exposed via webserive
- Any security break on web layer will expose business layer
and like wise. When we speak about security it’s better to be over secured instead of exposing weakness and later trying to secure the application.
With this much of background let’s try to explore what Java EE and Spring has to offer as far as business layer security is concerned.
Java EE provides JSR-250 which provides basic annotation for Java EE application. For security you have :
- RunAs – Given a method this annotation allows you to execute a method as a given user, for e.g run a method as ADMIN, definitely the security realm should have ADMIN configured
- RolesAllowed – A comma delimited value which specifies which all roles have access to a given method
- PermitAll – This allows everyone to run a given method
- DenyAll – No one has access to this method, cannot be executed
Now let’s see what Spring has to offer. Spring allows two versions xml or annotation, alongside Spring also allows JSR-250 annotations.
- intecept-method (XML configuration)- This is very similar to RolesAllowed only difference is that this is xml configuration other one is annotated
- PreAuthorize (Annotation) – This is also similar to RolesAllowed but this also allows us to use Spring’s Expression Language
- PostAuthorize (Annotation) – This seems redundant if you have a PreAuthorize but there can be instances where even after processing you would like to know if caller is still authorize, seems okay when security is concerned.
- Secure (Annotation)- You won’t be finding this in the new code, but in earlier code you can come across this. This is exactly as RolesAllowed
- With use of Spring PostAuthorize you can remove elements from say a Collection( remember this will modify your collection permanently) which may be useful in many cases
This post has just given some ways in which business layer can be secured, in next few weeks we will see how exactly we can accomplish this.