Spring Security being called from different sources

Question

I want to run authentication/authorization only for the calls that come from HTTP requests.

The method on the controller I want to have authentication/authorization enabled is called from more than one source. In this case, it can be either called by another controller or by a direct HTTP request.

Can I turn off authentication/authorization for the calls that come from other Controllers?

Just read further if you haven't got this clear enough yet.

Let's say I have a method doIt() on a Controller A. I also have a Controller B, in which I inject controller A. At some point on Controller B, I call 'a.doIt()', but I can also call doIt() from an HTTP call to doIt.do. I want to test the call for authentication/authorization if the call comes from an HTTP call, but not if it comes from Controller B.

Answer 1

You are injecting in B the security proxied bean of A. Can't you inject A without the proxy?.
Bean A proxied:

<bean id="beanASecured" class="org.springframework.aop.framework.ProxyFactoryBean">
  <property name="targetName" value="beanA"/>
  <property name="interceptorNames">
    <value>securityInterceptor</value>
  </property>
</bean>

The secutiryInterceptor:

<bean id="securityInterceptor" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
   ...
</bean>

Bean A not proxied:

<bean id="beanA" class="com.A"/>

Bean B injected with bean 'A not proxied':

<bean id="beanB" class="com.B">
   <constructor-arg ref="beanA"/>
</bean>

Answer 2

I don't see any way to do this, my guess is you'll just have to have a second method like doitDirectCall(..) that the actual other controller calls and doit(..) that get's called on an HTTP request.

Answer 3

You need to only configure the spring authentication on URL and not on the method invocation. This will work for you.