Subscription design pattern : Spring

Question

I am building a cloud based applications using spring, spring security, hibernate and Oauth.

• It has different products and each product has multiple modules. Modules also have multiple functionality.
• Clients has to subscribe to each product independently to use them

• Each client can have multiple user and client will have to provide access their user to product.

• Client have to select packages(silver, gold, ..) while subscribing for each product

• Package will have modules details and No of users allowed for each product and client user will be able to access only to the modules(selected package) which client is subscribed to and user have access to.

I have to create Rest Api's for each functionality.

Problem : I am using Spring Oauth2 to secure my API's so only registered clients and their users can access them but they can access all the API's .I should allow clients to access only those API's which it has access to/subscribed to. How can I achieve that in Spring?

Currently I am planning to use inteceptors but it highly depends on URL pattern. So for each product and module i will be having different Interceptor

URL pattern : http://abc/rest/PRODUCT/MODULE/..

Is there a better way to implement it?

Answer 1

You can choose another way, which might be better as you don't have to write custom URL interceptors.

You can use Spring Security with it's @Secured({"ROLE"}) or @PreAuthorize annotations for which you can create roles for each product and you give the clients the roles for which they subscribed. You can find more information about this annotation and how it works here.

For @Secured and @PreAuthorize to work, you need to have the annotation @EnableGlobalMethodSecurity on the Spring Boot context class.

Hope it helps.