Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Spring Security / Java EE solutions for hierarchy tree roles

I know Spring Security is good for standard role and permission based authorisation. What I'm not sure is this scenario:

There are 10,000 employees managed in the system, employees organised into an org chart (a tree of who reports to who across departments). Some of these employees are users. These users are only permitted to access employees in their line of responsibility (their branch in the tree / a descendant of their employee).

So I am wondering how do modern Java EE (or other) systems manage these checks? Can Spring Security (ACL) do this and How can it be modelled?

Our old implementation (many years ago) is when a user accesses an employee we can check whether the requested employee is a descendant by recursing up the tree. But this is not the ideal solution and we want to use a new solution.

like image 995
qtach Avatar asked Jul 10 '12 00:07

qtach


People also ask

What are roles in Spring Security?

The Role represents the high-level roles of the user in the system. Each role will have a set of low-level privileges. The Privilege represents a low-level, granular privilege/authority in the system.

Why is WebSecurityConfigurerAdapter deprecated?

0-M2 we deprecated the WebSecurityConfigurerAdapter , as we encourage users to move towards a component-based security configuration. To assist with the transition to this new style of configuration, we have compiled a list of common use-cases and the suggested alternatives going forward.

What is the use of WebSecurityConfigurerAdapter?

WebSecurityConfigurerAdapter is a convenience class that allows customization to both WebSecurity and HttpSecurity. We can extend WebSecurityConfigurerAdapter multiple times (in distinct objects) to replicate the behavior of having multiple http elements.


2 Answers

As I've been working on this subject like for a month now, I can give you my answer to this question, however there might be a better answer.
There is something as Role Hierarchy in Spring Security and if you use ROLE_A > ROLE_B then ROLE_A will have all authorizations that ROLE_B has.
So there are two options here:

1. For every user and its descendants have a pair of roles like . ROLE_USERi for the user and ROLE_USERiDESC for its descendants. You will have
ROLE_USERi > ROLE_USERiDESC
But (as I don't know your org chart) this may be insufficient because there may be a lot of these pairs! It's, somehow, suitable if your tree has two or three levels (ROLE_USER has at most one or two ascendants) because the higher the role is, the more authorities it will have.

2. In my project (which by accident is so much similar) I did the other alternative. I have some basic roles for some basic actions. And I have a "caring group" in which a carer can observe its descendants data.
Why would I do that? Because I have to have roles for some action (like edit, delete, accessing to some sensitive data and ...) and caring groups to observe.
If A is a carer of B, it can observe B's data, but A cannot do anything beyond its authorities.

BTW, It's not yet completely tested and you may come to another possible solution.

See Also:

  • Spring Security 3.1.x Documentation
like image 142
Matin Kh Avatar answered Oct 01 '22 17:10

Matin Kh


When we talk about Spring Security there are two things that Spring provides. 1) Role management 2) ACL (Domain level permissions) I think what you need here is domain level permissions.

If you plan to use the Role management, by creating a corresponding role for every user, the data might grow. The second option is using domain level permissions(spring ACL) which is a good framework for runtime authorization. You can use this for annotation based authorization but the management APIs are very limited (BasicLookupStrategy) so go through the documentations before using it.

like image 23
Taher Avatar answered Oct 01 '22 16:10

Taher