How to implement permission control in java?

Question

We developed a application, and need to implement permission control, which means someone can only search specific records in database:

1. staff can only search their own records.
2. supervisor can search records of his subordinate.
3. supervisor can see the "approve" button to approve the application
4. while staff can only submit application.

I know spring security, but actually how can we use the spring security to implement the function above?

We can implement the permission control with SQL, which means select his role first, and then select all his subordinate's records like this:

select * from table where staffid in (.......)   

But this method seems just too raw, and hard to maintain. So my question is: is there any framework and practice that we can use to implement a decent permission control mechanism? How do you implement permission control in your application?

Answer 1

1) staff can only search their own records. 2) supervisor can search records of his subordinate.

These seem like rules you'd have to implement at the DAO layer

3) supervisor can see the "approve" button to approve the application

--This can be accomplished through UI Role-based rendering in JSF

4) while staff can only submit application.

Spring Security Method Interceptors can be used here: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/secure-object-impls.html