I am building a web application, and some of its operations are protected and only available to identified people.
I use Spring Security for access control, but I have no idea how to control access once it goes down to the data level.
For example, there are two operations: list and edit.
Both the administrator of the company and the administrator of one department can access these operations, but the data they can 'list' or 'edit' are not the same.
The administrator of the company can get access to all the data of the company, while the administrator of one department can only get access to the data of his/her department.
So I wonder what is the best practice to implement these requirements?
The easiest method is to use the PostFilter annotation on the service layer.
// Read: load the rows, then drop every element the caller has no 'edit' permission on.
@Transactional(readOnly = true)
@PostFilter("hasPermission(filterObject, 'edit')")
List<DepartamentData> getDepartamenData();
// Write: the check runs before the method body, against the passed-in object.
@Transactional
@PreAuthorize("hasPermission(#data, 'edit')")
List<DepartamentData> editDepartamenData(DepartamentData data);
Or another example:
// Same rule written inline in SpEL instead of in a PermissionEvaluator.
@Transactional(readOnly = true)
@PostFilter("hasRole('company_admin')"
        + " || (hasRole('departament_admin') && filterObject.departament.equals(principal.departament))")
List<DepartamentData> getDepartamenData();
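A complete, wired-up version of the answer's approach, added here as an example and not part of the original post. It assumes Spring Security 6 (`@EnableMethodSecurity`), and every class in it is hypothetical: a `DepartamentUser` principal that carries the admin's department, a `DepartamentData` row, a minimal `DepartamentDataRepository` interface standing in for a real repository, and a `DepartamentPermissionEvaluator` that implements `hasPermission`. The edit check deliberately resolves the row by id from the repository rather than trusting the department field in the client-supplied object.

```java
package example.security; // hypothetical package

import java.io.Serializable;
import java.util.Collection;
import java.util.List;
import java.util.Objects;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

/** Hypothetical principal: Spring's User plus the department the admin belongs to. */
class DepartamentUser extends User {
    private final String departament;
    DepartamentUser(String username, String password, String departament,
                    Collection<? extends GrantedAuthority> authorities) {
        super(username, password, authorities);
        this.departament = departament;
    }
    public String getDepartament() { return departament; }
}

/** Hypothetical entity: one row of department data, tagged with its owning department. */
class DepartamentData {
    private final Long id;
    private final String departament;
    DepartamentData(Long id, String departament) { this.id = id; this.departament = departament; }
    public Long getId() { return id; }
    public String getDepartament() { return departament; }
}

/** Hypothetical repository; a Spring Data repository would provide the same two methods. */
interface DepartamentDataRepository {
    List<DepartamentData> findAll();           // must return a mutable list: @PostFilter removes elements in place
    DepartamentData findById(Long id);         // null when the row does not exist
    DepartamentData save(DepartamentData data);
}

/** Central data-level rule: company admin sees everything, department admin only his/her department. */
class DepartamentPermissionEvaluator implements PermissionEvaluator {
    private final DepartamentDataRepository repo;
    DepartamentPermissionEvaluator(DepartamentDataRepository repo) { this.repo = repo; }

    /** Used by @PostFilter: the object is a row already loaded from the database. */
    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || !(target instanceof DepartamentData)) {
            return false;                      // deny by default for unknown target types
        }
        return allowed(auth, (DepartamentData) target);
    }

    /** Used by @PreAuthorize: resolve the persisted row by id so the client cannot relabel its department. */
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) {
        if (auth == null || !"DepartamentData".equals(targetType) || !(targetId instanceof Long)) {
            return false;
        }
        DepartamentData stored = repo.findById((Long) targetId);
        return stored != null && allowed(auth, stored);
    }

    private static boolean allowed(Authentication auth, DepartamentData data) {
        if (hasRole(auth, "ROLE_company_admin")) {
            return true;                       // company admin: every row of the company
        }
        if (hasRole(auth, "ROLE_departament_admin") && auth.getPrincipal() instanceof DepartamentUser) {
            String own = ((DepartamentUser) auth.getPrincipal()).getDepartament();
            return Objects.equals(own, data.getDepartament());   // department admin: own department only
        }
        return false;
    }

    /** hasRole('x') in SpEL matches the authority "ROLE_x", so compare against the prefixed form. */
    private static boolean hasRole(Authentication auth, String role) {
        for (GrantedAuthority a : auth.getAuthorities()) {
            if (role.equals(a.getAuthority())) return true;
        }
        return false;
    }
}

@Service
class DepartamentDataService {
    private final DepartamentDataRepository repo;
    DepartamentDataService(DepartamentDataRepository repo) { this.repo = repo; }

    @Transactional(readOnly = true)
    @PostFilter("hasPermission(filterObject, 'read')")
    public List<DepartamentData> getDepartamenData() {
        return repo.findAll();                 // all rows are loaded, then filtered in memory
    }

    @Transactional
    @PreAuthorize("hasPermission(#data.id, 'DepartamentData', 'edit')")
    public DepartamentData editDepartamenData(DepartamentData data) {
        return repo.save(data);                // only reached when the stored row belongs to the caller
    }
}

@Configuration
@EnableMethodSecurity                         // prePostEnabled is true by default in Spring Security 6
class MethodSecurityConfig {
    @Bean
    static MethodSecurityExpressionHandler expressionHandler(DepartamentDataRepository repo) {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(new DepartamentPermissionEvaluator(repo));
        return handler;
    }
}
```

Two caveats worth keeping in mind with this pattern. `@PostFilter` only runs for calls that pass through the Spring proxy, so a method calling `getDepartamenData()` on `this` bypasses the filter, and it filters after the full result set has been loaded, so on large tables you still want the department constraint in the query itself and treat the annotation as a safety net. For the edit path, checking the id against the stored row (rather than `#data` as the answer's first snippet does) matters because the department in a client-submitted object is attacker-controlled.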