
Spring security: Adding a new ROLE which supports authentication by IP

I'm a reasonably new user of Spring Security.

I previously configured Spring Security to perform form based authentication for my web app.

I've used annotations to indicate which controllers/methods require ROLE_USER vs. anonymous, and implemented my own daoAuthenticationProvider to perform the authentication.

I am now implementing REST services which need to authenticate using Basic Authentication and do an IP verification against my DB.

So I have a new role ROLE_IP_AUTH which I've defined on the REST services controller.

I'm just a little overwhelmed at this point. Can someone give me a brief description of what next step I should take?

  • Do I need to create a new <security:http> element for the new role?
  • Should I be switching to this FilterChainProxy? If so what filters should I include?
  • Should I just handle this in my existing daoAuthenticationProvider class?

Basically I just need to know what direction I'm going in. I think I know enough to get there, there's just 5 different ways to get anywhere in Spring it seems.


Additional information: my current implementation has the <security:http> element configured as follows:

<security:http auto-config="false"
               entry-point-ref="authenticationEntryPoint" >
    <security:logout logout-url="/logout" />
    <security:anonymous enabled="false"/>
    <security:custom-filter position="FORM_LOGIN_FILTER" ref="usernamePasswordAuthenticationFilter" />
    <security:custom-filter position="ANONYMOUS_FILTER" ref="anonymousAuthFilter" />
</security:http>

My remaining question is how I can implement my own IP validation. I can just add the Basic auth filter using custom-filter and implement my own Basic auth filter which checks the IP, but I'm fuzzy on how I make that filter only applicable for the ROLE_IP_AUTH being used by my REST services.


The answer by @Ritesh has been very helpful in re-framing this question in a different way. Another great post that addresses this question is here:

Spring security - how to mention both form based and basic authentication

Ultimately my understanding is: do it via voters as @Ritesh suggests in 3.0.x, or use multiple <http ... /> elements as is now available in 3.1.0.RC1 (the current version as of 17 Mar 2011), as discussed in the link above.


You can just add http-basic to your element.

<sec:http-basic/>

Also add create-session="never" because you do not create a session for a REST service. Mapping your services to a special URL pattern will also help.

<sec:intercept-url pattern="/service/**" access="ROLE_IP_AUTH" />
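As an added example (not code from the question or the answer above), here is one way to implement the IP check the asker wants and, at the same time, scope it to the REST services as the answer suggests: an AuthenticationProvider that wraps the existing DAO provider and grants ROLE_IP_AUTH only when the caller's source address is on that user's allow-list. Because the /service/** URLs are the only ones mapped with access="ROLE_IP_AUTH", the address check is enforced exactly there. It assumes Spring Security 3.1 (SimpleGrantedAuthority and the multiple-<http> syntax in the wiring comment); the package name, the AllowedAddressRepository interface and the bean names are hypothetical.

```java
package example.security; // hypothetical package name

import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

/**
 * Wraps an existing provider (e.g. the daoAuthenticationProvider from the
 * question) and adds ROLE_IP_AUTH only when the caller's source address is
 * on the allow-list stored in the DB for that user.
 */
public class IpRestrictedAuthenticationProvider implements AuthenticationProvider {

    /** Hypothetical DAO over the per-user address allow-list kept in the DB. */
    public interface AllowedAddressRepository {
        Set<String> allowedAddressesFor(String username);
    }

    public static final GrantedAuthority ROLE_IP_AUTH = new SimpleGrantedAuthority("ROLE_IP_AUTH");

    private final AuthenticationProvider delegate;
    private final AllowedAddressRepository repository;

    public IpRestrictedAuthenticationProvider(AuthenticationProvider delegate,
                                              AllowedAddressRepository repository) {
        this.delegate = delegate;
        this.repository = repository;
    }

    @Override
    public Authentication authenticate(Authentication request) throws AuthenticationException {
        // 1. Password check first, by the provider that already exists.
        Authentication authenticated = delegate.authenticate(request);
        if (authenticated == null) {
            return null; // delegate could not handle it; let the next provider try
        }

        // 2. Source-address check. The filters attach WebAuthenticationDetails,
        //    whose remoteAddress is HttpServletRequest.getRemoteAddr(): the TCP
        //    peer, i.e. the reverse proxy if one sits in front of the container.
        String remoteAddress = remoteAddressOf(request);
        Set<String> allowed = repository.allowedAddressesFor(authenticated.getName());
        if (remoteAddress == null || allowed == null || !allowed.contains(remoteAddress)) {
            // Same exception as a wrong password, so the 401 response does not
            // reveal which of the two factors failed.
            throw new BadCredentialsException("Bad credentials");
        }

        // 3. Password and address both verified: add ROLE_IP_AUTH to the
        //    authorities the DAO provider already granted (e.g. ROLE_USER).
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(authenticated.getAuthorities());
        authorities.add(ROLE_IP_AUTH);
        UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(
                authenticated.getPrincipal(), authenticated.getCredentials(), authorities);
        result.setDetails(authenticated.getDetails());
        return result;
    }

    static String remoteAddressOf(Authentication request) {
        Object details = request.getDetails();
        if (details instanceof WebAuthenticationDetails) {
            return ((WebAuthenticationDetails) details).getRemoteAddress();
        }
        return null;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        // Basic auth produces a UsernamePasswordAuthenticationToken, which the
        // DAO provider already supports.
        return delegate.supports(authentication);
    }
}

/*
 * Wiring, assuming the 3.1 multiple-<http> syntax (bean names hypothetical).
 * This element goes before the existing pattern-less <http> from the question:
 *
 *   <security:http pattern="/service/**" create-session="stateless"
 *                  authentication-manager-ref="restAuthenticationManager">
 *       <security:http-basic />
 *       <security:intercept-url pattern="/service/**" access="ROLE_IP_AUTH" />
 *   </security:http>
 *
 *   <security:authentication-manager id="restAuthenticationManager">
 *       <security:authentication-provider ref="ipRestrictedProvider" />
 *   </security:authentication-manager>
 */
```

With no session for the REST chain, every call re-sends the Basic credentials and therefore re-runs the address check, so a client whose IP is removed from the allow-list is cut off on its next request rather than at session expiry. Two caveats: Basic credentials are only base64-encoded, so the /service/** chain should be reachable over TLS only; and behind a reverse proxy or load balancer getRemoteAddr() is the proxy's address, so the check must then be done against an X-Forwarded-For value that the proxy itself sets and that the application trusts only from that proxy.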
