Search code examples
javaspringbankingrole-basedrole-base-authorization

Roles/Priviledges in a Spring/Hibernate application


In a banking or similar application there are usually several roles defined and associated privileges required (for example a normal user could only do transactions but not post it while a supervisor can verify and post them, sort of maker/checker). We also need to add new roles and privileges in the system (not sure about the latter).

How do you achieve this Role Based access in a Spring/Hibernate application? Especially in terms of scaling up to add new roles/privileges. Can Acegi (I never used it) help? Any other idea would be appreciated that can help me achieve the above.

Thanks,


Solution

  • As duffymo mentioned, Acegi has been renamed to "Spring Security" and it's what I would recommend if you're already working with Spring.

    There's more documentation online for Acegi than Spring Security, so if in doubt you can find useful information in the Acegi docs/tutorials as well as the more recent Spring stuff.

    If you can design your user table to fit with Spring Security's concept (user name, password, roles, each with certain specified types and names) then you can use Spring Security's DAO classes right out of the box; if not, you build a tiny adapter class to hook up Spring Security to your database for the user query.

    You can specify required roles per servlet/URL or even at the method level. It took me a day or two to wrap my head around the concepts involved, but after that configuring it was reasonably easy, and I was happy that they've already solved most of the kinds of problems that arise in connection with Web security.