
Spring MVC + Hibernate list object and check permissions

I'm using Spring MVC and Hibernate.

Let's say we have a controller action:

```java
@GetMapping("/user/remove")
public String removeAction(@ModelAttribute(value = "user_id") User user, RedirectAttributes redirectAttributes) {
    ...
}
```

Is it possible to apply some rules that check whether the current user can delete that user? For example, a user with role ROLE_ADMIN can delete all users, and a user with role ROLE_USER can delete the users that were created by themselves.

And the second question: when a user with role ROLE_USER is listing all users, is it possible to filter that list at the Hibernate level, without iterating over all users and checking who created each user?

Last question. To removeAction I'm passing user_id. Is it possible to retrieve that User from the DB without calling UserService, and, if all permissions are OK, have that User object available in removeAction?

Spring has an annotation-based security facility that could be used for your first question, provided that you have your users set up with roles; see the link for the @Secured("ROLE_ADMIN") method: Annotation Type Secured.

You might need to add some additional logic to your database entries to record who created the users (you may have done this already); this would allow you to separate out the list depending on who created it. Maybe username and roles could be an option; this might help with question 2. For question 3 you could use JSTL to connect to your database, or even jQuery. Tell us a little bit more about your environment setup; hopefully this gives you some direction to proceed. Happy coding.

One option would be to use the @RolesAllowed or the @Secured annotations. Both essentially do the same thing, according to this post.

They can be applied either at the class level or the method level.
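Both answers point at role annotations, but neither @Secured nor @RolesAllowed can express the ownership rule in the question ("ROLE_USER may only delete users it created"), because they compare roles only. The following is an added example, not code from either answer or from the asker, showing how all three questions map onto Spring Security method security with a @PreAuthorize expression instead. It assumes Spring Boot 3 / Spring Security 6 and Spring Data JPA, a hypothetical User entity whose created_by column stores the creator's username, and a hypothetical UserRepository; every class and column name here is an assumption.

```java
import java.util.List;

import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import jakarta.persistence.Table;

import org.springframework.context.annotation.Configuration;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;

// Turns on @PreAuthorize; securedEnabled = true additionally honours @Secured,
// which the answers mention, for plain role-only rules.
@Configuration
@EnableMethodSecurity(securedEnabled = true)
class MethodSecurityConfig {
}

// Hypothetical entity (assumption): created_by holds the username of the account
// that inserted the row. Both ownership checks below depend on this column.
@Entity
@Table(name = "users")
class User {
    @Id
    private Long id;
    private String username;
    private String createdBy;

    public Long getId() { return id; }
    public String getUsername() { return username; }
    public String getCreatedBy() { return createdBy; }   // read by SpEL as #user.createdBy
}

// Question 2: Spring Data derives "WHERE created_by = ?" from the method name,
// so the filtering happens in the database, not in a Java loop over all users.
interface UserRepository extends JpaRepository<User, Long> {
    List<User> findByCreatedBy(String createdBy);
}

@Service
class UserService {
    private final UserRepository repo;

    UserService(UserRepository repo) { this.repo = repo; }

    // Question 1: ROLE_ADMIN may delete anyone; ROLE_USER only rows it created.
    // `authentication` is the caller's token, `#user` the method argument.
    // hasRole('ADMIN') matches the authority "ROLE_ADMIN" (the prefix is added by Spring).
    @PreAuthorize("hasRole('ADMIN') or #user.createdBy == authentication.name")
    public void remove(User user) {
        repo.delete(user);
    }

    // Admins see the whole table; everyone else gets the filtered query.
    public List<User> listVisible() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        boolean admin = auth.getAuthorities().stream()
                .anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));
        return admin ? repo.findAll() : repo.findByCreatedBy(auth.getName());
    }
}

// Question 3: Spring Data's DomainClassConverter (registered by Spring Boot's
// web support auto-configuration) converts the user_id request parameter into a
// User loaded through UserRepository, so the controller never calls UserService
// to fetch it. The @PreAuthorize expression is evaluated before the body runs,
// and the null guard keeps SpEL from dereferencing a user that was not found.
@Controller
class UserController {
    private final UserService users;

    UserController(UserService users) { this.users = users; }

    // POST rather than the question's GET: Spring Security's CSRF filter only
    // protects non-safe methods, and a state-changing GET can be triggered by
    // any page that embeds the URL in an <img src>.
    @PostMapping("/user/remove")
    @PreAuthorize("#user != null and (hasRole('ADMIN') or #user.createdBy == authentication.name)")
    public String removeAction(@RequestParam("user_id") User user) {
        users.remove(user);
        return "redirect:/user/list";
    }
}
```

Two caveats when adapting this. The `#user` reference in the expressions needs the parameter name to be available at runtime, either through `javac -parameters` (Spring Boot's build plugins set it) or by annotating the argument with Spring Security's `@P("user")`. On Spring Security 5.x the configuration annotation is `@EnableGlobalMethodSecurity(prePostEnabled = true)` and the entity imports come from `javax.persistence`; the expressions themselves are unchanged.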
