asked on
Which one we need to choose on the following options for Spring Security
Need to implement Spring Security for a project.
Option1:
Structure: User table, Permission table, Module table and PermissionGroup table
User will have only one permission group.
Permission table will have read/write/update etc.,
Module will be product/sales/order
Permission group table will be product - read/write, sales - read/write/update
Option2:
Structure: User table, Roles table, Permission table,
User can have 1 role
Permission table will have as product_read, product_write, sales_read, sales_write
Comments on Option2:
We can able to use Spring hasRole() kind of configuration for each method and can associate a role to it.
Drawback: We cannot have dynamic roles as we can able to do it option1
Comments on Option1:
We can have dynamic groups however we cannot use spring hasRole(). Instead we need to get the manual decisions based on the http request - PUT/GET/POST and check for the permissions configured and decide whether to allow the URL or not in the interceptor.
Drawback:
This may not be a standard practice
What would be the best approach out of this two as well as preferable one?
Thanks.
Option1:
Structure: User table, Permission table, Module table and PermissionGroup table
User will have only one permission group.
Permission table will have read/write/update etc.,
Module will be product/sales/order
Permission group table will be product - read/write, sales - read/write/update
Option2:
Structure: User table, Roles table, Permission table,
User can have 1 role
Permission table will have as product_read, product_write, sales_read, sales_write
Comments on Option2:
We can able to use Spring hasRole() kind of configuration for each method and can associate a role to it.
Drawback: We cannot have dynamic roles as we can able to do it option1
Comments on Option1:
We can have dynamic groups however we cannot use spring hasRole(). Instead we need to get the manual decisions based on the http request - PUT/GET/POST and check for the permissions configured and decide whether to allow the URL or not in the interceptor.
Drawback:
This may not be a standard practice
What would be the best approach out of this two as well as preferable one?
Thanks.
JavaProgrammingProgramming Languages-OtherProgramming Theory
Last Comment
girionis
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Can u share some code snippet ideas to achieve option 1 ?
Sorry I cannot. The code we have is proprietary.
ASKER
Please help me with a relevant sample code snippet or any template for reference.
This is a valid answer.