I am building an application that displays information from a database on a website. The application is secured using Spring Security and my users can have different roles. The records shall be displayed depending on the roles of the current user. For example I want to display books from a database. Role X can see only some books and role Y, too. But role ADMIN can see all books.
Now I wonder where and how the authorization happens. I thought the service layer would be a good place, but how can I query for the books that the roles of the current user have access to?
My tables look like this:
book (id, name)
role (id, name)
role_book (id, role_id, book_id)
Thus a query for the books would be SELECT b.id, b.name FROM book b, role r, role_book rb WHERE b.id = rb.book_id AND r.id = rb.role_id AND r.name IN (<roles of the current user>). When the current user has the ADMIN role I would simply select all books in the database.
But how do I execute these queries in a Spring service method? I think that this is a common authorization task. Are there any Spring mechanisms to do this?
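One way to do this in a Spring service method, as an added example that is not part of the original post: read the caller's authorities from the SecurityContext, short-circuit to "all books" for ROLE_ADMIN, and otherwise bind the role names as a parameter collection to the IN clause so they never become part of the SQL string. Assumptions not stated in the question: a NamedParameterJdbcTemplate bean is configured, role.name stores the same string that the GrantedAuthority carries (e.g. "ROLE_X"), method security is enabled (@EnableMethodSecurity), and the code runs on Java 16+ (for the record). The Book record is a hypothetical value object for a row of the book table.

```java
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.jdbc.core.RowMapper;
import org.springframework.jdbc.core.namedparam.MapSqlParameterSource;
import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service
public class BookService {

    /** Hypothetical value object for one row of the book table (assumption, not from the post). */
    public record Book(long id, String name) {}

    // Assumption: role.name holds exactly the authority string Spring Security sees.
    private static final String ADMIN_AUTHORITY = "ROLE_ADMIN";

    // Admins see every row, so no join with role_book is needed.
    private static final String ALL_BOOKS =
            "SELECT b.id, b.name FROM book b ORDER BY b.id";

    // Everyone else sees only rows mapped to one of their roles. DISTINCT, because a
    // book granted to two of the caller's roles would otherwise be returned twice.
    private static final String BOOKS_FOR_ROLES =
            "SELECT DISTINCT b.id, b.name "
          + "FROM book b "
          + "JOIN role_book rb ON rb.book_id = b.id "
          + "JOIN role r ON r.id = rb.role_id "
          + "WHERE r.name IN (:roles) "
          + "ORDER BY b.id";

    private static final RowMapper<Book> BOOK_ROW =
            (rs, rowNum) -> new Book(rs.getLong("id"), rs.getString("name"));

    private final NamedParameterJdbcTemplate jdbc;

    public BookService(NamedParameterJdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    // Reject unauthenticated callers before any query runs (needs @EnableMethodSecurity).
    @PreAuthorize("isAuthenticated()")
    @Transactional(readOnly = true)
    public List<Book> findVisibleBooks() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            // Defensive: with method security on this should not happen; fail closed.
            return List.of();
        }

        // The role set comes from the authenticated principal, never from a request parameter.
        Set<String> roles = auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toSet());

        if (roles.contains(ADMIN_AUTHORITY)) {
            return jdbc.query(ALL_BOOKS, BOOK_ROW);
        }
        if (roles.isEmpty()) {
            // "IN ()" is invalid SQL on most databases; a user without roles sees nothing.
            return List.of();
        }

        // Spring expands the collection into "?, ?, ?" and binds each role as a parameter,
        // so the role names never get concatenated into the statement.
        MapSqlParameterSource params = new MapSqlParameterSource("roles", roles);
        return jdbc.query(BOOKS_FOR_ROLES, params, BOOK_ROW);
    }
}
```

Doing the filtering inside the query is the important part: Spring Security's @PostFilter annotation would also work, but it loads every book into memory and then drops the ones the caller may not see, which scales badly and means the unfiltered result set exists in the JVM at all. Keeping the admin branch and the role branch as two separate statements also makes it easy to see, in review, which code path can ever return the full table.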