We're building a Java web application. We're using EJB containers and JPA with Wildfly 9.2.
Now we want to integrate a permission system in which a user has a certain role, but this role is only granted in combination with a certain entity. I'll name this access resource Department.
So we would have a list of permission for the user stored in such a table:
| User ID | Department | Role |
| ------- | ---------- | ------- |
| 1 | A | MANAGER |
| 1 | B | ADMIN |
| 2 | B | MANAGER |
In addition we have global roles. A user has a set of global roles that will be applied should there not be an entry in the table above with the deparment in question.
| User ID | Role |
| ------- | ------- |
| 1 | VIEWER |
| 3 | MANAGER |
How can we easily check if a user is in a certain role, given a department?
By just using the annotation @RolesAllowed we can check for a certain role, but not restricted to a department.
Turns out EJB does not have the features we wanted. We migrated to Apache Shiro Security and are super happy with it.
Resource based permissions always have to be checked programmatically. Static role and permission based checks can be annotations.