I'm not sure if Spring Security / Spring Cloud can be useful for my authorization needs. This is my use-case:
- I have a CMS-like application.
- A content can be assigned to one or more 'groups'
- A content can be viewed by a user if this user belongs to at least one of the groups.
- Important note: these groups are not hardcoded! Through the web application, the users can create (at run-time) new custom defined groups, so the groups and the users are inside DB tables.
Example: a content is assigned to the groups: 'Germany', 'Sweden', 'Programmers', 'Managers'.
- a Manager from Germany can read that content
- a Manager from France can read that content (he is at least a Manager)
- a UX Designer from France cannot read that content.
In order to manage permission to access a single content, the check is quite simple!
My biggest issue is about listing contents that a user is allowed to see. Currently I manage this through SQL queries. I join the contents with their assigned groups, then I use this kind of SQL to filter the contents:
... WHERE ... group IN [[list of groups associated to the authenticated user]]
In order to prevent performance issues, these query results are cached.
The problem seems worse when I add 'data' to these contents; let's imagine these contents can be commented. I want to list just the comments a user is authorized to see.
The rule is quite simple, you can read a comment if you are allowed to see its parent content.
Again, if I want to check the user permissions to see a single comment, the check is very simple, but things are more difficult if I want to list comments.
And... finally, if I want to adopt a microservice based architecture, the comments will be managed by a different service (no?). But in order to list the comments a user is allowed to see I'd need again all the "users & groups" information, so a micro-service based architecture doesn't seem so appropriate.
Am I totally wrong in my design approach?
Thank you very much.
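As an added illustration of the filtering described in the question (not code from the original post), the following self-contained script keeps groups in tables and lists the contents, and then the comments, a user may see. It uses an EXISTS predicate shared by both queries instead of a join plus IN, so each row comes back once even when several groups match; the schema, user ids and sample rows are constructed for the example.

```python
import sqlite3

# Constructed schema mirroring the question: groups are table rows, contents map to
# groups, and comments inherit visibility from their parent content.
SCHEMA = """
CREATE TABLE groups(id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE user_groups(user_id INTEGER, group_id INTEGER);
CREATE TABLE contents(id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE content_groups(content_id INTEGER, group_id INTEGER);
CREATE TABLE comments(id INTEGER PRIMARY KEY, content_id INTEGER, body TEXT);
"""

# Shared predicate: the user and content "c" have at least one group in common.
# EXISTS returns each content once even when several groups match (no DISTINCT).
SHARES_GROUP = """EXISTS (
    SELECT 1 FROM content_groups cg
    JOIN user_groups ug ON ug.group_id = cg.group_id
    WHERE cg.content_id = c.id AND ug.user_id = ?)"""

VISIBLE_CONTENTS = f"SELECT c.id FROM contents c WHERE {SHARES_GROUP} ORDER BY c.id"
# A comment is visible iff its parent content is: reuse the same predicate.
VISIBLE_COMMENTS = f"""SELECT m.id FROM comments m JOIN contents c ON c.id = m.content_id
    WHERE {SHARES_GROUP} ORDER BY m.id"""

def build_db():
    """Constructed sample data: users 1-3, contents 1-2, one comment per content."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    groups = ["Germany", "Sweden", "France", "Programmers", "Managers", "UX"]
    conn.executemany("INSERT INTO groups VALUES (?, ?)", enumerate(groups, 1))
    # user 1: Manager from Germany; user 2: Manager from France; user 3: UX from France
    conn.executemany("INSERT INTO user_groups VALUES (?, ?)",
                     [(1, 1), (1, 5), (2, 3), (2, 5), (3, 3), (3, 6)])
    conn.executemany("INSERT INTO contents VALUES (?, ?)", [(1, "Report"), (2, "French memo")])
    conn.executemany("INSERT INTO content_groups VALUES (?, ?)",  # Report: DE, SE, Prog, Mgr
                     [(1, 1), (1, 2), (1, 4), (1, 5), (2, 3)])
    conn.executemany("INSERT INTO comments VALUES (?, ?, ?)",
                     [(1, 1, "on the report"), (2, 2, "on the memo")])
    return conn

def visible_content_ids(conn, user_id):
    return [row[0] for row in conn.execute(VISIBLE_CONTENTS, (user_id,))]

def visible_comment_ids(conn, user_id):
    return [row[0] for row in conn.execute(VISIBLE_COMMENTS, (user_id,))]

if __name__ == "__main__":
    db = build_db()
    for uid in (1, 2, 3):
        print(uid, visible_content_ids(db, uid), visible_comment_ids(db, uid))
```

The French UX designer (user 3) gets neither the report nor its comment, while both managers see it, matching the three cases in the question.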