What is the best approach to create a role based web application?

I need to create a web application for a School and I need to have different roles such as:

  • Student
  • Professor
  • Admin

I need to have a login at the beginning and then after entering the credentials the application needs to redirect to the home page.

The question here is: how should I handle the roles? Should I have a namespace for each role, i.e. students/index.jsp, professors/index.jsp, admin/index.jsp, or have a common namespace for all roles, something like home/index.jsp, and then use the decorator/composite pattern so that the menus show different options based on the role?

For this question I know that I must store the users and the roles, each one in its own table; this question is more about handling presentation/navigation/permission roles and how to create the webapp structure, i.e. having a directory under the webapp folder called students, another folder admin, and another one students, and about the point I mentioned above (decorator or composite pattern).

Of course I am not making an app this small but I wanted to simplify the issues I am facing in order to create a big role web based application, and I believe these are the main principles.

Thank you for your time and help.

Diego Ramos Avatar asked Jan 26 '18 19:01

1 Answer

You definitely do NOT want to have separate pages ("namespaces") for different roles as that would almost inevitably lead to code duplication.

You should have a page for each function and restrict access based on the roles of the users. (e.g. some menu items are not visible for a Student, but shown for Professors and Admins.)

You absolutely should not try re-inventing the wheel for managing role-based permissions, as there are battle-proven frameworks for that purpose: as others have pointed out already, in the Java world Spring and Spring Security are the way to go.

I think JSP as a technology is getting aged, so you should probably start learning Angular instead.

Since getting a working Spring / Angular project set up is not trivial, I would recommend using the JHipster application generator, which guides you through the whole process with a wizard (you just have to answer some questions; when asked about the type, select monolithic web application): it then creates a working project configuration with role-based security in place, following modern recommendations.

If you want to learn about proper role-based access control in a modern web application, looking at the solutions used in a JHipster-generated application is, I believe, the best and fastest way:

  • it uses Spring Security features to restrict calls in the Java backend: look for the usages of the org.springframework.security.access.annotation.Secured annotation in the generated project
  • it shows some custom frontend tricks to show/hide certain UI parts based on roles, like this: <h1 *jhiHasAnyAuthority="'ROLE_ADMIN'">Hello, admin user</h1>, which you could easily adapt to your own use case
  • you can have a working project in about 2 minutes: ideal for learning (go for the most simple monolithic web application!)
Peter G. Horvath Avatar answered Oct 21 '22 10:10

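As an added illustration of the backend side of this answer (example code, not from the answer or from a JHipster-generated project), here is one controller that serves all three roles, with each function gated by Spring Security's @Secured annotation. It assumes a Spring Boot project with Spring Security 5.6 or later and role names ROLE_STUDENT, ROLE_PROFESSOR and ROLE_ADMIN; the package and class names are hypothetical.

```java
// Added example: one set of pages/endpoints for every role, access restricted
// per function rather than per role-specific namespace. Package, class and
// role names are assumptions chosen for the school scenario in the question.
package example.school;

import java.util.List;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// securedEnabled = true activates @Secured (Spring Security 5.6+);
// older projects use @EnableGlobalMethodSecurity(securedEnabled = true).
@Configuration
@EnableMethodSecurity(securedEnabled = true)
class MethodSecurityConfig {}

@RestController
@RequestMapping("/api/grades")
class GradeController {

    // Any authenticated student, professor or admin may read grades.
    @Secured({"ROLE_STUDENT", "ROLE_PROFESSOR", "ROLE_ADMIN"})
    @GetMapping
    public List<String> listGrades() {
        return List.of("Math: A", "History: B"); // constructed sample data
    }

    // Only professors and admins may record a grade. Hiding the button in
    // the Angular UI is cosmetic; a student who calls this endpoint directly
    // is rejected here with HTTP 403 before the method body runs.
    @Secured({"ROLE_PROFESSOR", "ROLE_ADMIN"})
    @PostMapping
    public String recordGrade() {
        return "recorded";
    }

    // Admin-only maintenance: the check lives on the function, not in the menu.
    @Secured("ROLE_ADMIN")
    @PostMapping("/recompute")
    public String recomputeAll() {
        return "recomputed";
    }
}
```

The frontend directive shown in the answer (*jhiHasAnyAuthority) only decides what is rendered; the @Secured annotations are what actually enforce the roles.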