Need to implement Spring Security for a project.
Option 1:
Structure: User table, Permission table, Module table and PermissionGroup table
User will have only one permission group.
Permission table will have read/write/update etc.
Module will be product/sales/order
Permission group table will be product - read/write, sales - read/write/update
Option 2:
Structure: User table, Roles table, Permission table
User can have 1 role
Permission table will have product_read, product_write, sales_read, sales_write
Comments on Option 2:
We can use Spring's hasRole() kind of configuration for each method and associate a role with it.
Drawback: We cannot have dynamic roles as we can in Option 1.
Comments on Option 1:
We can have dynamic groups; however, we cannot use Spring's hasRole(). Instead we need to make the decisions manually, based on the HTTP request method (PUT/GET/POST), checking the configured permissions and deciding in the interceptor whether to allow the URL or not.
This may not be a standard practice.
Which of these two would be the best approach, and the preferable one?
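The decision that Option 1 places in the interceptor can be sketched in plain Java, as an added example that is not part of the original post. The class, the group name, the `/<module>/...` URL layout and the GET/POST/PUT to read/write/update mapping are all assumptions made for illustration; anything not explicitly granted is denied.

```java
import java.util.Map;
import java.util.Set;

// Added example: decision logic for Option 1. All names are hypothetical.
public class PermissionGroupCheck {

    // Assumed mapping from HTTP method to the permission it requires.
    static final Map<String, String> REQUIRED = Map.of(
            "GET", "read", "POST", "write", "PUT", "update");

    // Constructed sample data standing in for the PermissionGroup table:
    // group -> module -> granted permissions.
    static final Map<String, Map<String, Set<String>>> GROUPS = Map.of(
            "clerk", Map.of(
                    "product", Set.of("read", "write"),
                    "sales", Set.of("read", "write", "update")));

    // Returns true only when the group explicitly grants the permission.
    // Unknown methods, modules or groups are denied by default.
    static boolean isAllowed(String group, String httpMethod, String path) {
        if (group == null || httpMethod == null || path == null) {
            return false;
        }
        String required = REQUIRED.get(httpMethod);
        if (required == null) {
            return false; // e.g. DELETE has no mapping here, so it is refused
        }
        // Assumed URL layout: /<module>/...
        String[] parts = path.split("/");
        if (parts.length < 2 || parts[1].isEmpty()) {
            return false;
        }
        Set<String> granted = GROUPS.getOrDefault(group, Map.of())
                                    .getOrDefault(parts[1], Set.of());
        return granted.contains(required);
    }

    public static void main(String[] args) {
        // Constructed requests exercising grant, missing grant and defaults.
        System.out.println(isAllowed("clerk", "GET", "/product/42"));
        System.out.println(isAllowed("clerk", "PUT", "/product/42"));
        System.out.println(isAllowed("clerk", "PUT", "/sales/7"));
        System.out.println(isAllowed("clerk", "DELETE", "/sales/7"));
        System.out.println(isAllowed("guest", "GET", "/order/1"));
    }
}
```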