Hello everyone,
It has been a long time, but it is time for a new application.
I learned a lot in the past projects, and I want to start the new business application from scratch.
I am planning to integrate Spring Boot and JPA, and I am thinking a lot about security, because other third parties, like customers, should have access to the application.
My main question/concern is data security.
For example:
I have set up a new project with Spring and JPA for login and automatic “database management”. Now I have set up roles like Admin, User, Customer, etc.
The main security control in all the tutorials and pages I read is to control which views are accessible by which roles.
For example, have a role for UserManagement which is only accessible by the Admin role. So far that's OK and I am fine with it.
More complex would be information based on the user, who is, for example, linked to a customer, which could have many users.
Then this user should only see entities for this customer, like an order of other users of the customer.
Then I cannot simply restrict access to the view. Instead I have to restrict the data.
For example, on an EditorForm with a Binder I would not show edit buttons if you don't have the rights to edit the item. But to me this feels like only disabling the button, not the logic behind it, which could somehow be triggered by the user, even by accident, because the form could just show the button because the UI designer has forgotten about a new role.
For something like a list to show to the user I have some more problems, which I solved like this in the past:
My traditional way of doing something like that would be:
class SomeSecuredController {
    ....
    public List<Order> getOrders() throws SQLException {
        // Only orders of customers for which the current user has a customerPermissions row.
        PreparedStatement stmt = getConnection().prepareStatement(
              "SELECT orders.* FROM orders "
            + "JOIN customerPermissions ON orders.fk_customerid = customerPermissions.fk_customerid "
            + "WHERE customerPermissions.fk_userid = ?");
        stmt.setInt(1, User.getID());
        return executeQueryAndBuildOrders(stmt);
    }
    ....
}
With JPA I could set up the repository with a “global” where clause on the entity with Hibernate:
@Entity
// "global" where clause: Hibernate appends it to every query that loads Order
@Where(clause = "1 = (SELECT COUNT(id) FROM customerPermissions WHERE fk_customerid = id AND fk_userid = " + User.getID() + ")")
class Order {
    ...
}
But I don't think that's a good idea; it looks awful and sounds stupid.
I am just wondering if this is the best approach or if there is something better that I just can't find.
I am thinking of some “simple” way to get “security” on all my data with simple use.
My goal would be to have a simple-to-use backend which only gives me the items the user has access to and only lets me write and save the items the user has access to.
Could you give me a little example of how you would do this in your application, or if there is some good API/framework to use? I found, for example, ILAY in the Vaadin tutorials, but there the restriction is to Views/Routes only, as far as I found in the docs.
Thanks for your time.
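Since the post asks for a small example, here is one added by the editor; it is not code from the original post, from Vaadin, from ILAY or from any other project mentioned. It shows the two halves of the goal stated at the end of the post: a read side where the repository query itself joins customerPermissions against the logged-in user, so a list view cannot forget the rule, and a write side where save() is guarded by a hasPermission check that runs in the backend no matter which button the UI showed or hid. Assumptions not given in the post: Spring Boot 3 / Spring Security 6 on Java 17 with the spring-security-data module on the classpath, a principal type AppUser that exposes getId(), the table and column names orders, customerPermissions, fk_customerid and fk_userid taken from the JDBC query in the post, and the entity name CustomerOrder (chosen because ORDER is a reserved word in JPQL).

```java
// Added example (not from the original post); several files in one block, split by "// --- file ---" lines.
// --- AppUser.java ---
package com.example.orders;
import org.springframework.security.core.userdetails.UserDetails;
public interface AppUser extends UserDetails { Long getId(); }  // assumed: the login principal carries the user id
// --- CustomerOrder.java ---  (not named "Order" because ORDER is a reserved word in JPQL)
package com.example.orders;
import jakarta.persistence.*;
@Entity @Table(name = "orders") public class CustomerOrder {  // table/column names assumed from the post's query
    @Id @GeneratedValue private Long id;
    @Column(name = "fk_customerid", nullable = false) private Long customerId;
    public Long getId() { return id; }
    public Long getCustomerId() { return customerId; }
}
// --- CustomerPermission.java ---  (which users may act for which customer)
package com.example.orders;
import jakarta.persistence.*;
@Entity @Table(name = "customerPermissions") public class CustomerPermission {
    @Id @GeneratedValue private Long id;
    @Column(name = "fk_userid", nullable = false) private Long userId;
    @Column(name = "fk_customerid", nullable = false) private Long customerId;
}
// --- CustomerPermissionRepository.java ---
package com.example.orders;
import org.springframework.data.jpa.repository.JpaRepository;
public interface CustomerPermissionRepository extends JpaRepository<CustomerPermission, Long> {
    boolean existsByUserIdAndCustomerId(Long userId, Long customerId);  // derived query, no SQL to write
}
// --- OrderRepository.java ---
package com.example.orders;
import java.util.List;
import org.springframework.data.jpa.repository.*;
public interface OrderRepository extends JpaRepository<CustomerOrder, Long> {
    // Read side: the visibility rule is part of the query, so no caller can forget it. ?#{principal.id}
    // is resolved from the SecurityContext by the SecurityEvaluationContextExtension bean below.
    @Query("select o from CustomerOrder o where o.customerId in "
         + "(select p.customerId from CustomerPermission p where p.userId = ?#{principal.id})")
    List<CustomerOrder> findAllVisibleToCurrentUser();
}
// --- OrderService.java ---
package com.example.orders;
import java.util.List;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;
@Service public class OrderService {
    private final OrderRepository orders;
    public OrderService(OrderRepository orders) { this.orders = orders; }
    public List<CustomerOrder> visibleOrders() { return orders.findAllVisibleToCurrentUser(); }
    // Write side: the check runs before the body, whichever button (or forgotten button) in the
    // UI called it. A denied call throws AccessDeniedException instead of saving.
    @PreAuthorize("hasPermission(#order, 'WRITE')")
    public CustomerOrder save(CustomerOrder order) { return orders.save(order); }
}
// --- CustomerPermissionEvaluator.java ---
package com.example.orders;
import java.io.Serializable;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
@Component public class CustomerPermissionEvaluator implements PermissionEvaluator {
    private final CustomerPermissionRepository permissions;
    private final OrderRepository orders;
    public CustomerPermissionEvaluator(CustomerPermissionRepository permissions, OrderRepository orders) {
        this.permissions = permissions; this.orders = orders;
    }
    @Override public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (!(target instanceof CustomerOrder order) || !(auth.getPrincipal() instanceof AppUser user)) return false;
        // Existing order: authorize against the customer stored in the database, not the customerId the
        // client submitted; otherwise a user could "move" someone else's order into their own customer
        // by editing the foreign key. New order (no id yet): check the submitted customer.
        Long customerId = order.getId() == null ? order.getCustomerId()
                : orders.findById(order.getId()).map(CustomerOrder::getCustomerId).orElse(null);
        return customerId != null && permissions.existsByUserIdAndCustomerId(user.getId(), customerId);
    }
    @Override  // id-based form, e.g. hasPermission(#id, 'CustomerOrder', 'WRITE'); delegates to the one above
    public boolean hasPermission(Authentication auth, Serializable id, String type, Object permission) {
        return "CustomerOrder".equals(type) && id instanceof Long orderId
            && orders.findById(orderId).map(o -> hasPermission(auth, o, permission)).orElse(false);
    }
}
// --- MethodSecurityConfig.java ---
package com.example.orders;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.*;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.data.repository.query.SecurityEvaluationContextExtension;
@Configuration @EnableMethodSecurity public class MethodSecurityConfig {  // turns on @PreAuthorize for beans
    @Bean static MethodSecurityExpressionHandler methodSecurityExpressionHandler(PermissionEvaluator evaluator) {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(evaluator);  // hasPermission(...) in @PreAuthorize now calls our evaluator
        return handler;  // declared static, as the Spring Security reference recommends for this bean
    }
    @Bean SecurityEvaluationContextExtension securityEvaluationContextExtension() {
        return new SecurityEvaluationContextExtension();  // enables ?#{principal.*} inside @Query strings
    }
}
```

Two caveats a practitioner would want. First, the inherited JpaRepository methods (findAll, findById and friends) are still unfiltered, so the UI should only ever see the filtered finder or go through the service; if you want the "global where clause" the post sketches with @Where, Hibernate's @FilterDef/@Filter, enabled per session with the user id as a parameter, is the supported way to do it without concatenating a user id into an annotation. Second, keep hiding the buttons in the Vaadin form for usability, but treat the AccessDeniedException from save() as the real decision and show it as an error; that way a button the UI designer forgot to hide cannot write anything.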