Login/Register
Spring Security / Java EE solutions for hierarchy tree roles
Asked Answered
Solved javaspringjakarta-eespring-securitysecurity-roles
L

2

15

I know Spring Security is good for standard role and permission based authorisation. What I'm not sure is this scenario:

There are 10,000 employees managed in the system, employees organised into an org chart (a tree of who reports to who across departments). Some of these employees are users. These users are only permitted to access employees in their line of responsibility (their branch in the tree / a descendant of their employee).

So I am wondering how do modern Java EE (or other) systems manage these checks? Can Spring Security (ACL) do this and How can it be modelled?

Our old implementation (many years ago) is when a user accesses an employee we can check whether the requested employee is a descendant by recursing up the tree. But this is not the ideal solution and we want to use a new solution.

Lakendra answered 10/7, 2012 at 0:7 Comment(4)
Can you add roles to users and Spring security can work based of roles??Cycle
yes we can, but the problem is how can we organize the roles as a hierarchy tree?Lakendra
In fact, that's exactly what I'm working on!Caput
Not sure if Spring Security can do much. But you can check out apache's Shiro, more information @ shiro.apache.org. CheersCycle
C
6

As I've been working on this subject like for a month now, I can give you my answer to this question, however there might be a better answer.
There is something as Role Hierarchy in Spring Security and if you use ROLE_A > ROLE_B then ROLE_A will have all authorizations that ROLE_B has.
So there are two options here:

1. For every user and its descendants have a pair of roles like . ROLE_USERi for the user and ROLE_USERiDESC for its descendants. You will have
ROLE_USERi > ROLE_USERiDESC
But (as I don't know your org chart) this may be insufficient because there may be a lot of these pairs! It's, somehow, suitable if your tree has two or three levels (ROLE_USER has at most one or two ascendants) because the higher the role is, the more authorities it will have.

2. In my project (which by accident is so much similar) I did the other alternative. I have some basic roles for some basic actions. And I have a "caring group" in which a carer can observe its descendants data.
Why would I do that? Because I have to have roles for some action (like edit, delete, accessing to some sensitive data and ...) and caring groups to observe.
If A is a carer of B, it can observe B's data, but A cannot do anything beyond its authorities.

BTW, It's not yet completely tested and you may come to another possible solution.

See Also:

Caput answered 10/7, 2012 at 5:8 Comment(3)
Hi Matin, thanks for your answer. Role Hierarchy is really good for this situation. Just wondering how is the performance if there are many levels of the trees? Also the project is a SaaS, the hierarchy must be configurable for each client.Lakendra
As roles can be managed dynamically, there would be no problem using Spring Security for your project. If your tree has many levels, there may be a time consuming task to assign roles. But once you did it, you will have no worry about the performance. (just wondering, are you from Austria? ;-) )Caput
Australia, how about you? nice to meet youLakendra
S
1

When we talk about Spring Security there are two things that Spring provides. 1) Role management 2) ACL (Domain level permissions) I think what you need here is domain level permissions.

If you plan to use the Role management, by creating a corresponding role for every user, the data might grow. The second option is using domain level permissions(spring ACL) which is a good framework for runtime authorization. You can use this for annotation based authorization but the management APIs are very limited (BasicLookupStrategy) so go through the documentations before using it.

Snapback answered 22/4, 2015 at 10:36 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.