Read only access to certain logged in customer | Spring-MVC

Question

I know this seems to be a weird requirement, but when customer want it means we are left with no other choice. I am working on a web application (E-Commerce), and need to register a new customer, till now everything is working perfectly. However there is requirement with following cases

1. If customer register with certain email-id they will be approved instantly and will be allowed to browse, see everything and will be allowed to perform any transactions.
2. For other set of customers, they are allowed to log in, but they have read only access to there profile section as well can not see prices (discounted one) for products as well not allowed to do any transactions.

Since these use cases does not apply to certain category, but to entire web application, I am not sure how best we can achieve this. Few options coming to my mind

1. Add a new role under spring security, and for those who have read only access should have this new role.
2. create some kind of HandlerInterceptor which will check for customer role before executing actual request.

But not sure if I am thinking in right direction and how exactly we should enforce read only access to such type of customers.Since We have to stop such customer from

1. Update his/ her profile
2. Update password.
3. Any other updation in there profile
4. Not allow customer to checkout
5. Actual discounted prices should not be visible

Answer 1

The best approach is to employ a simple role-based access control mechanism (RBAC). This is well supported by Spring Security and easy to use.

You should create a new role (e.g. "FULL_ACCESS") and assign it to the correct users based on their email address. The role should cover users with full access, not those with read-only rights as your question suggested.

You typically determine roles for the current user in your implementation of UserDetailsService. You can use org.springframework.security.core.authority.SimpleGrantedAuthority as your GrantedAuthority implementation (in your context GrantedAuthority is the same thing as Role). The GrantedAuthorities returned from your UserDetailsService are stored inside the Authentication object of your user and available throughout user's session validity.

This approach also allows you to easily change user from read-only-mode to full-mode (e.g. after approval of the registration), by adding the "FULL_ACCESS" role during user's next login after the approval.

Once you've populated your GrantedAuthorities you can use both declarative and programmatic means of authorization. For programmatic authorization (authorization done directly in your code) use e.g.:

 if (request.isUserInRole("FULL_ACCESS")) {
      // Only for users with full acccess
 }

For declarative authorization (authorization declared in your configuration files or as annotations to code) you can use securing of method calls with aspects or annotations.

You could also declaratively secure URLs using expression-based access control, but the previous two approaches are more suitable. The same URL can be accessed by users with both full and read-only access rights, which makes this technique hard to use for your use-case.

Spring Security also provides a set of aurhorization JSP tags which might help you correctly render your UI for the different types of users.

You can use a combination of the above techniques to enforce all 5 business logic points mentioned in your question.