Spring security group based authorization [closed]

I intend to make a group-based permission scheme but I am confused about the following.

I have some questions:

  1. What is the best approach: User > Group > Roles > Permissions, or User > Roles > Permissions?
  2. How do I implement the security (login/remember me) in this case (I need a link to a good tutorial)?
  3. Will the method-level security use the annotation @PreAuthorize with hasPermission(#, ''), or hasRole, or what?
  4. How will I hide components (administration for non-admins) in the UI depending on the permissions (the UI is JSF)?
  5. If I hide components in the view, what will the importance of the method-level security be then?
Mahmoud Saleh asked Oct 20 '25 05:10


1 Answer

Designing a security model is not a simple task in itself, and without detailed knowledge of the domain you're trying to secure, it's close to impossible. Having said that, any advice you can get here will be as general as your question is.

1) In most applications User -> Roles is enough. In more complex ones User -> Roles -> Permissions could be used, but it all depends on how you'll define the scope of each. Often fine-grained roles and assigning a couple of them to the user is just what you'll need. I'd say putting in another level by adding Groups in the middle is a bit too much. Imagine it as a file system: flat file systems exist and are way less complicated than it may seem. Take your time while deciding this, as it is one of the most important decisions and will have many implications that are not always easy to predict.

2) The authentication and remember-me mechanisms are already implemented in Spring Security; all you need to do is choose the implementation that best suits you and configure it using the security namespace support. Do take a look at the Petclinic example app, if you haven't already.

3) If you decide on using permissions, you should always check for permissions. Keep the grain level you chose. Be consistent. Always.

4) Depending on the view technology you use, the JSP taglib may come in handy (as mentioned by Ralph). There is no such thing for JSF, but it's relatively simple to write something similar.

5) As Ralph said, if you hide something it doesn't mean it doesn't exist any more; it can still be called by an unprivileged user.

Roadrunner answered Oct 22 '25 23:10
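The following is an added example, not code from the question or the answer above, showing how points 1, 3, 4 and 5 fit together in Spring Security: a User -> Roles -> Permissions model expanded into granted authorities at login, `@PreAuthorize` checks on the service layer that hold regardless of what the view shows, and a small helper bean that JSF pages can use in a `rendered` attribute to hide components. It assumes Spring Security 6.x (the `@EnableMethodSecurity` annotation; 5.x uses `@EnableGlobalMethodSecurity(prePostEnabled = true)`) and that JSF is wired to resolve Spring beans in EL via `SpringBeanFacesELResolver`. The package, class names, role/permission names and the two sample users are constructed for illustration.

```java
// Added example (not the question's or answer's code). Assumes Spring Security 6.x.
package com.example.security; // hypothetical package

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;

/** Role -> Permissions table (constructed sample; a real app loads this from its database). */
final class RolePermissions {
    static final Map<String, Set<String>> TABLE = Map.of(
        "ADMIN", Set.of("ORDER_READ", "ORDER_DELETE", "USER_MANAGE"),
        "CLERK", Set.of("ORDER_READ"));

    /** Expand roles into authorities: ROLE_x so hasRole() works, plus each permission so hasAuthority() works. */
    static List<GrantedAuthority> authoritiesFor(Collection<String> roles) {
        List<GrantedAuthority> out = new ArrayList<>();
        for (String role : roles) {
            out.add(new SimpleGrantedAuthority("ROLE_" + role));
            for (String perm : TABLE.getOrDefault(role, Set.of())) {
                out.add(new SimpleGrantedAuthority(perm));
            }
        }
        return out;
    }
}

@Configuration
@EnableMethodSecurity // enables @PreAuthorize evaluation on Spring beans
class MethodSecurityConfig {
    @Bean
    PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    /** Two constructed sample users; replace with a JDBC/JPA-backed UserDetailsService. */
    @Bean
    UserDetailsService users(PasswordEncoder enc) {
        UserDetails alice = User.withUsername("alice").password(enc.encode("alice-pw"))
            .authorities(RolePermissions.authoritiesFor(List.of("ADMIN"))).build();
        UserDetails bob = User.withUsername("bob").password(enc.encode("bob-pw"))
            .authorities(RolePermissions.authoritiesFor(List.of("CLERK"))).build();
        return new InMemoryUserDetailsManager(alice, bob);
    }
}

@Service
class OrderService {
    /** The check lives on the method, not in the view: a CLERK calling this gets AccessDeniedException
     *  even if a delete button were somehow rendered or the request were crafted by hand. */
    @PreAuthorize("hasAuthority('ORDER_DELETE')")
    public void deleteOrder(long orderId) {
        // delete the order ...
    }

    @PreAuthorize("hasAuthority('ORDER_READ')")
    public String viewOrder(long orderId) {
        return "order " + orderId;
    }
}

/** JSF helper: rendered="#{sec.has('ORDER_DELETE')}" hides the delete button for users without that
 *  permission. This is a usability measure only; the @PreAuthorize checks above remain the enforcement. */
@Component("sec")
class SecurityHelper {
    public boolean has(String authority) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            return false;
        }
        return auth.getAuthorities().stream()
            .map(GrantedAuthority::getAuthority)
            .anyMatch(authority::equals);
    }
}
```

The helper bean answers question 4 the way the answer suggests (something equivalent to the JSP taglib, hand-written for JSF), while the `@PreAuthorize` annotations answer questions 3 and 5: the UI decides what to show, but only the method-level check decides what is allowed, so the two are consistent because both read the same authority names produced by `RolePermissions.authoritiesFor`.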