4

I added cronjobs to spring app using quartz.

inside these jobs, I would like to access spring-security secured bean methods from another app.

This is my application structure.

| - core
| - webapp
| - jobs-app

both the webapp and jobsapp use core services. jobsapp is not a web application. It just has quartz jobs in it.

Inside a job if I try to access a bean that is secured using SpringSecurity global-method-security I get an exception {org.springframework.security.AuthenticationCredentialsNotFoundException}"org.springframework.security.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext"

If I set the context using SecurityContextHolder.getContext().setAuthentication to a power user, it works.

But, I have to do this for all the jobs.

Is there a way I can make all the jobs runas a particular user? may be some configuration somewhere?

Rajani Karuturi
  • 3,450
  • 3
  • 27
  • 40

1 Answers1

2

You have two choices:

  • move @Secured annotation up, from service to web layer. If I understand correctly your Quartz jobs access service beans directly (bypassing the web layer) so you'll bypass the security as well

  • implement Run-As functionality, just like you described. It doesn't have to be that manual. Try template method pattern or some AOP + annotations. It'll turn out to be rather clean.

We tried both approaches and moving security to web layer worked slightly better. This was possible because service layer was mapping nicely to Spring MVC controller methods.

Tomasz Nurkiewicz
  • 334,321
  • 69
  • 703
  • 674
  • yeah my jobs access the service beans directly. But, I cannot move them to web layer because I use osgi and annotations dont work if they are in different bundle. http://stackoverflow.com/questions/12158403 Will try the second approach. Thanks for the response. – Rajani Karuturi Sep 10 '12 at 12:52