I am applying Spring Security to a web application where I need to do the following:

  • Limit access to certain pages for certain roles/authorities

  • Limit access to certain data based on user access and user role (for
    example admin can see all data, a user can see only data on which the admin granted access for the user)

  • Allow actions on data based on the access right the user has (read,
    manage, etc)

So, I was thinking:

  • Limit access to certain pages for certain roles/authorities -> use hasRole
  • Limit access to certain data -> filter directly in the queries getting the principal from the security context
  • Allow actions on data based on the access right the user has -> use my custom PermissionEvaluator's hasPermission method

Now this is a setup I came up with, but I would like to know if this makes sense and if it is in keeping with good use of the Spring Security framework, or am I simply twisting it too much.

1 Answer

Spring Security provides all these features and makes implementing them simple. Yes, your approach is right. You can add the cases below.

  • security none: allow unauthenticated users access to certain pages (login, public pages)
  • authenticated: allow access to authenticated users (general access to all registered users)
  • restrict based on role: readonly, editor/manager
  • based on permissionEvaluator: on the data the user has access to

You can also use Spring Security to protect your web application against malicious users with features like:

  • CSRF protection (enabled by default)
  • XSS protection

For further detail read the Spring Security manual.
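The three layers from the question (page-level hasRole, object-level hasPermission through a custom PermissionEvaluator) and the answer's permitAll/authenticated/role cases, put together in one configuration. This is an added example, not code from the question or the answer: it assumes Spring Security 6 (lambda DSL, @EnableMethodSecurity) and a hypothetical Document record whose grants map stores a per-user access level; the principal-based query filtering from the question is not shown.

```java
// Added example, not from the thread. Assumes Spring Security 6 and a hypothetical Document record.
import java.io.Serializable;
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.SecurityFilterChain;

record Document(long id, Map<String, String> grants) {} // hypothetical: username -> "read" | "manage"

// Custom evaluator behind hasPermission(): admins pass, others need an explicit grant; "manage" implies "read".
class DocumentPermissionEvaluator implements PermissionEvaluator {
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || !(target instanceof Document doc)) return false;
        if (auth.getAuthorities().stream().anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()))) return true;
        String granted = doc.grants().get(auth.getName());
        return "manage".equals(granted)
                || ("read".equals(granted) && "read".equals(String.valueOf(permission)));
    }
    // Id-based form is unused here, so deny rather than silently allow.
    public boolean hasPermission(Authentication auth, Serializable id, String type, Object p) { return false; }
}

@Configuration
@EnableMethodSecurity // enables @PreAuthorize evaluation on beans
class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/public/**").permitAll()   // "security none" pages
                .requestMatchers("/admin/**").hasRole("ADMIN")          // page-level role check
                .anyRequest().authenticated());                          // all registered users
        return http.build(); // CSRF protection is left at its default (enabled)
    }
    @Bean
    static MethodSecurityExpressionHandler expressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(new DocumentPermissionEvaluator()); // wires hasPermission()
        return handler;
    }
}

class DocumentService {
    @PreAuthorize("hasPermission(#doc, 'manage')") // object-level check on the action, not the page
    public void rename(Document doc, String newName) { /* ... */ }
}
```

With this wiring a non-admin user whose grant on the document is only "read" gets an AccessDeniedException from rename(), while an ADMIN passes without any grant.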