Security and Interceptors

Hi folks,

I have handlers which need to be security by two different security schemes.

Handler one is currently secured by a Security interceptor which does some validation then executes appropriately. Handler two needs to be locked down to requests coming from a specific host name. What would be the best approach for this? Add logic to the current security interceptor to detect the incoming hostname and force the requests to Handler 2 (after authentication) or would it better to create another interceptor to handle those requests independently?

thanks in advance.


I handle that kind of stuff with within the Event Handler in the preProcess() event. I try and use interceptors for situations or dependencies of “many” areas of the application. Since the Event Handler has discrete and unique needs, it makes sense to me to keep the security within the Event Handler.

You may however, want to make a custom interception point for “failedSecurityCheck” that the handler and the Security Interceptor can throw since they have a common bound with that need.

Just one man’s opinion.


Hi Aaron,

Thanks, that makes sense. My issue then becomes that currently my Security interceptor preProcess runs for all handlers. In this case I want to bypass that security check and let the request go down to the handler where I can run the security check in the PreHandler(). To bypass security check one would I just do a check for the current Route/event and if it matches “hostname X” bypass and let the request funnel down to the the other handler?



In similar situations, I setup a list/array of events (per environment) that I want to evaluate access for. Then, if the current event is in the list, the security interceptor continues to validate; otherwise, the request is passed through.