
We have a complex Maven dependency hierarchy whereby our individual web modules are held by a parent web module. The parent web module depends upon a service module, which itself depends upon a dao module.

I want my users to authenticate from the web. I have therefore placed a spring security configuration file in the web module.

The issue I have is that the jdbc-user-service needs a datasource and I can't just import the spring config file from the dao module from my web.xml: it is not clean nor even feasible as I would need for the web module to depend directly upon the dao module...

What is the best course of action?

Can I create a separate and independent spring security module with Maven? I have not found any documentation or clue about that on the web.

Do I need to split the web-related spring security config from the authentication provider/manager/user service config?

Any clue or pointer welcome...

balteo
  • Normally if you have spring-datasource.xml in the dao module and security-context.xml in the web module you can import spring-datasource.xml without problems ('') even if there is an indirect dependency between the modules – Maksym Demidas Jun 03 '13 at 09:29
  • Good point... However, the architect responsible for the app has named all spring config files in all modules with the same name, i.e. "spring-config.xml". Therefore the solution you kindly suggest would import all files from all modules, which is not what I want... – balteo Jun 03 '13 at 09:49
  • Maybe you can rename them and apply some more suitable naming convention? I suppose that even finding the right file to make a change is not trivial when you have multiple files with the same name... – Maksym Demidas Jun 03 '13 at 09:58
  • Even if I could rename the config files, it is still creating a direct dependency of the web layer upon the dao layer which should be avoided. Rather, do you (or someone else) have any clue as to how to create a separate spring security module or doing the split referred to in my question above? – balteo Jun 03 '13 at 10:52

1 Answer


Ok, so I have read through your question a few times now and think I got the problem right. (Correct me if I am wrong). The main goal is to keep the layering intact and not introduce a direct dependency from the web to the dao layer?

Depending on what is in the service layer, you could implement an API there that either

  • authenticates the user based on the credentials handed from spring security
  • get the user details you need for authentication from the service layer and process them in your spring security

In both cases you would probably be best off implementing your own Authentication Provider.

Let me know if that is what you need or if I am entirely misguided. Also ask if you need more pointers for a concrete implementation.

Carsten
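A sketch of the first option from the answer above, added here as an illustration and not code from either poster: a Spring Security `AuthenticationProvider` in the web module that delegates the credential check to the service layer. The `UserAuthenticationService` interface and the class name `ServiceBackedAuthenticationProvider` are hypothetical; the service module is assumed to verify the password (against its stored hash) behind that interface.

```java
import java.util.List;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

// Hypothetical API owned by the service module; the web module compiles
// against this interface only and never sees the dao module or its DataSource.
interface UserAuthenticationService {
    // Returns the role names for a valid username/password pair, or null when
    // the pair is not valid (unknown user and wrong password look the same).
    String[] authenticate(String username, String rawPassword);
}

// Lives in the web module next to the Spring Security configuration.
public class ServiceBackedAuthenticationProvider implements AuthenticationProvider {

    private final UserAuthenticationService userAuthenticationService;

    public ServiceBackedAuthenticationProvider(UserAuthenticationService service) {
        this.userAuthenticationService = service;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        Object credentials = authentication.getCredentials();
        if (username == null || username.isEmpty() || credentials == null) {
            throw new BadCredentialsException("Bad credentials");
        }
        String[] roles = userAuthenticationService.authenticate(username, credentials.toString());
        if (roles == null) {
            // One generic message, so the response does not reveal whether the account exists.
            throw new BadCredentialsException("Bad credentials");
        }
        List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList(roles);
        // The three-argument constructor marks the token as authenticated; the password is not kept in it.
        return new UsernamePasswordAuthenticationToken(username, null, authorities);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Declared as a bean and referenced with `<authentication-provider ref="..."/>` in place of `jdbc-user-service`, this leaves the web module's security configuration with no datasource to import.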