如何在java中实现权限控制？

Question

We developed a application, and need to implement permission control, which means someone can only search specific records in database:

1. staff can only search their own records.
2. supervisor can search records of his subordinate.
3. supervisor can see the "approve" button to approve the application
4. while staff can only submit application.

I know spring security, but actually how can we use the spring security to implement the function above?

We can implement the permission control with SQL, which means select his role first, and then select all his subordinate's records like this:

select * from table where staffid in (.......)   

But this method seems just too raw, and hard to maintain. So my question is: is there any framework and practice that we can use to implement a decent permission control mechanism? How do you implement permission control in your application?

Answer 1

1) staff can only search their own records. 2) supervisor can search records of his subordinate.

These seem like rules you'd have to implement at the DAO layer

3) supervisor can see the "approve" button to approve the application

--This can be accomplished through UI Role-based rendering in JSF

4) while staff can only submit application.

Spring Security Method Interceptors can be used here: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/secure-object-impls.html

Answer 2

Using postgres databases, you can inherit tables from tables. ie:

CREATE TABLE access{
  admin bool default false,
  supervisor bool default false,
  staff_user_id bigint default null,
   ...
}
CREATE TABLE flower(
  flower_id serial,
  name varchar(24)
)inherits (access)

And then you can create an update/delete trigger, and differend connection-users.

This may be an solution.

Answer 3

正如您所说，实体“角色”和“业务数据”必须在数据库中保持独立 - 您可以加入角色表并仅选择适当的数据，而不是多次调用数据库。

Answer 4

如果您尚未确定它太复杂，您应该查看Spring Security ACL 。