Software Programmer
asked on
Which one do we need to choose from the following options for Spring Security?
Need to implement Spring Security for a project.
Option1:
Structure: User table, Permission table, Module table and PermissionGroup table
User will have only one permission group.
Permission table will have read/write/update, etc.
Module will be product/sales/order
Permission group table will be product - read/write, sales - read/write/update
Option2:
Structure: User table, Roles table, Permission table
User can have 1 role
Permission table will have product_read, product_write, sales_read, sales_write
Comments on Option2:
We are able to use Spring hasRole()-style configuration for each method and can associate a role with it.
Drawback: We cannot have dynamic roles as we are able to in Option1
Comments on Option1:
We can have dynamic groups; however, we cannot use Spring hasRole(). Instead we need to make manual decisions based on the HTTP request method - PUT/GET/POST - check the permissions configured, and decide in the interceptor whether to allow the URL or not.
Drawback:
This may not be a standard practice
Which would be the best and preferable approach out of these two?
Thanks.
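The Option1 decision described in the question, sketched as an added example (not code from the asker or from any answer): the user's single permission group is flattened into Option2-style names such as product_read, and the HTTP method and first URL segment are mapped to one of those names, denying by default. The group names, users, the method-to-permission mapping and the "/module/..." URL layout are all assumptions made for illustration.

```java
import java.util.*;

public class PermissionGroupCheck {
    // Constructed sample data standing in for the PermissionGroup table:
    // group name -> module -> permissions granted on that module.
    static final Map<String, Map<String, Set<String>>> GROUPS = Map.of(
        "sales_staff", Map.of("product", Set.of("read"),
                              "sales", Set.of("read", "write", "update")),
        "catalog_admin", Map.of("product", Set.of("read", "write")));

    // Constructed User table: each user has exactly one permission group.
    static final Map<String, String> USER_GROUP = Map.of(
        "alice", "sales_staff", "bob", "catalog_admin");

    // Assumed HTTP method -> permission mapping; adjust to the API's semantics.
    static final Map<String, String> METHOD_PERMISSION = Map.of(
        "GET", "read", "POST", "write", "PUT", "update");

    // Flatten the user's group into Option2-style names such as "product_read".
    static Set<String> authoritiesFor(String user) {
        Set<String> out = new TreeSet<>();
        String group = USER_GROUP.get(user);
        if (group == null) return out;              // unknown user: no authorities
        GROUPS.getOrDefault(group, Map.of()).forEach((module, perms) ->
            perms.forEach(p -> out.add(module + "_" + p)));
        return out;
    }

    // Deny by default: unmapped methods, unknown modules and unknown users all fail.
    // Assumes paths of the form "/module/...", so the module is the first segment.
    static boolean isAllowed(String user, String httpMethod, String path) {
        String permission = METHOD_PERMISSION.get(httpMethod.toUpperCase(Locale.ROOT));
        String[] segments = path.split("/");
        if (permission == null || segments.length < 2 || segments[1].isEmpty()) return false;
        return authoritiesFor(user).contains(segments[1] + "_" + permission);
    }

    public static void main(String[] args) {
        System.out.println(authoritiesFor("alice"));
        System.out.println(isAllowed("alice", "PUT", "/sales/42"));
        System.out.println(isAllowed("alice", "POST", "/product"));
        System.out.println(isAllowed("bob", "DELETE", "/product/7"));
        System.out.println(isAllowed("mallory", "GET", "/sales"));
    }
}
```

If the flattened names are loaded as the user's granted authorities at login, Spring Security expressions such as hasAuthority('product_read') can be used on methods while the groups themselves stay editable in the database.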
Sorry I cannot. The code we have is proprietary.
ASKER
Please help me with a relevant sample code snippet or any template for reference.
This is a valid answer.
ASKER