We have implemented a web application and use Spring's pre/post annotations to secure access to some rights.
At the moment it is quite simple. We have companies. You can have read/write/admin permission on a company.
```java
import javax.persistence.Entity;
import javax.persistence.Id;

@Entity
public class Company {
    @Id
    private Long id;
    private String name;
}
```
So we have the database tables user, company and of course the Spring Security tables acl_class, acl_entry, acl_object_identity and acl_sid.
Now there are special entities underlying a company, let's say this is the employee.
```java
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.ManyToOne;

@Entity
public class Employee {
    @Id
    private Long id;
    private String name;
    @ManyToOne
    private Company company;
}
```
One company can have many employees and an employee can only be employed at one company.
Now not every user may have read/write access to an employee. The user must have a read/write/admin right to a company AND has to have a special right to read/write/admin the employee. So it is possible that a user has write permission on company X but not even read access to company X's employees. A user may have only read access to company Y and write access to all employees of company Y.
There shall be no further limitations on specific employees. Just all employees of one company.
I actually don't want to manage all ACL objects dynamically for every employee but be a little more dynamic. I'm thinking of something like a "permission flag", extending a base permission on a company permission. Do you have an idea how I could solve this most elegantly and easily?
I didn't find a good example in the spring security documentation. Is this a bad practice?
Thanks a lot for help :-)
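One way to implement the "permission flag" idea from the question, as an added example that is not code from the question, from an answer, or from Spring Security itself: the employee rights become extra mask bits on the company's own ACL entries (so no acl_object_identity row per employee), and a custom PermissionEvaluator grants `hasPermission(#employee, 'write')` only when the caller has some right on the employee's company AND the matching employee flag on that same company. It assumes the Company and Employee classes from the question with an added `getCompany()` getter, that Spring Security's ACL module (`AclPermissionEvaluator`, `BasePermission`, `DefaultPermissionFactory`) is on the classpath, and that the `EmployeePermission` and `EmployeePermissionEvaluator` names are free to use.

```java
// EmployeePermission.java
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.model.Permission;

/**
 * Extra mask bits stored on the COMPANY's ACL entries. Bits 0-4 are taken by
 * BasePermission (READ=1, WRITE=2, CREATE=4, DELETE=8, ADMINISTRATION=16), so
 * the employee flags start at bit 5. Extending BasePermission keeps its public
 * fields visible to DefaultPermissionFactory, which registers inherited fields too.
 */
public class EmployeePermission extends BasePermission {
    public static final Permission EMPLOYEE_READ  = new EmployeePermission(1 << 5, 'r'); // 32
    public static final Permission EMPLOYEE_WRITE = new EmployeePermission(1 << 6, 'w'); // 64
    public static final Permission EMPLOYEE_ADMIN = new EmployeePermission(1 << 7, 'a'); // 128

    protected EmployeePermission(int mask, char code) {
        super(mask, code);
    }
}

// EmployeePermissionEvaluator.java
import java.io.Serializable;
import java.util.Locale;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.acls.AclPermissionEvaluator;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.DefaultPermissionFactory;
import org.springframework.security.acls.model.AclService;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.core.Authentication;

/**
 * For Employee targets: (company right) AND (employee flag on that company).
 * For every other target the check is delegated unchanged to Spring's ACL evaluator.
 */
public class EmployeePermissionEvaluator implements PermissionEvaluator {

    // Any of these on the company satisfies the "has a right to the company" half.
    // AclPermissionEvaluator treats a Permission[] as "granted if any one is granted".
    private static final Permission[] ANY_COMPANY_RIGHT = {
        BasePermission.READ, BasePermission.WRITE, BasePermission.ADMINISTRATION
    };

    private final AclPermissionEvaluator acl;

    public EmployeePermissionEvaluator(AclService aclService) {
        this.acl = new AclPermissionEvaluator(aclService);
        // Registers READ/WRITE/... plus the EMPLOYEE_* flags, so the 'read' / 'write'
        // strings used in @PreAuthorize expressions keep resolving.
        this.acl.setPermissionFactory(new DefaultPermissionFactory(EmployeePermission.class));
    }

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (!(target instanceof Employee)) {
            return acl.hasPermission(auth, target, permission); // companies etc.: plain ACL
        }
        Company company = ((Employee) target).getCompany();     // getter assumed to exist
        Permission flag = employeeFlag(permission);
        // Both checks run against the company's ACL; nothing is looked up per employee.
        return acl.hasPermission(auth, company, ANY_COMPANY_RIGHT)
            && acl.hasPermission(auth, company, flag);
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        // An id-based check on an employee would first have to load the entity to find
        // its company. This example does not do that, so it denies instead of falling
        // through to a per-employee ACL lookup that would never find an entry.
        if (Employee.class.getName().equals(targetType) || "Employee".equals(targetType)) {
            return false;
        }
        return acl.hasPermission(auth, targetId, targetType, permission);
    }

    /** Maps the 'read' / 'write' / 'admin' string from the expression to the company-level flag. */
    static Permission employeeFlag(Object permission) {
        String name = String.valueOf(permission).toLowerCase(Locale.ROOT);
        switch (name) {
            case "read":
                return EmployeePermission.EMPLOYEE_READ;
            case "write":
                return EmployeePermission.EMPLOYEE_WRITE;
            case "admin":
            case "administration":
                return EmployeePermission.EMPLOYEE_ADMIN;
            default:
                throw new IllegalArgumentException("Unknown employee permission: " + permission);
        }
    }
}
```

Wire it in by calling `setPermissionEvaluator(new EmployeePermissionEvaluator(aclService))` on the `DefaultMethodSecurityExpressionHandler` used for method security; service methods then carry `@PreAuthorize("hasPermission(#employee, 'write')")` exactly as they would for a company. Granting "read on company Y plus write on all its employees" is a single ACE on company Y's object identity whose mask is a `CumulativePermission` of `READ` and `EMPLOYEE_WRITE`; a user who has write on company X but no `EMPLOYEE_*` bit fails the second check, which is the deny-by-default behaviour the question asks for.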