As we know, one way of controlling access to objects is the Spring Security ACL method. In this method, after performing a set of settings and storing the needed data, we check the user's access to do something in the method using the following method. Consider a project with the structure shown in the figure below. In this graph, each user has access to a single department, so if information is created in the system, it should be based on this access. For example, the user should not be able to register a job for a worker who is not in his or her authorized department.
import java.util.List;

public class Department {
    Long id; // referenced as department.id in the hasPermission expression below
    String departmentName;
    List<Employee> employeeList;
}

public class Employee {
    Long id; // the only field the client sends for the employee (see the JSON below)
    Department department;
    List<Job> jobList;
}

public class Job {
    String jobTitle;
    Employee employee;
}

public class User {
    String username;
    List<Department> departmentList;
}
@Transactional
@PreAuthorize("hasPermission(#job.employee.department.id, 'Department', 'write')")
public void save(Job job) {
    super.save(job);
    //TODO
}
Consider that the information sent to the UI layer is sent as JSON. In this case, for the job insert, the JSON needs to be as follows.
{
    "jobTitle": "CTO",
    "employee": {
        "id": 1
    }
}
This information is converted to the Job object in the controller layer, and then the save method is called in the service layer. In this case, the access check does not work, as job.employee.department.id is null. To determine what this should be, do I need to load this object in the controller based on id? Is there a way other than ACL?
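One way to make the check independent of what the client chose to send, shown here as an added example that is not part of the original question: a custom Spring Security PermissionEvaluator that receives the Job object itself, looks the employee up server-side by the id from the JSON, derives the department from the stored record, and compares it against the departments the authenticated user is allowed to write. The EmployeeRepository (Spring Data style findById), the DepartmentAccessService, the getters on the domain classes, and the method names are assumptions made for the example; the PermissionEvaluator interface and Authentication are real Spring Security types.

```java
import java.io.Serializable;
import java.util.Set;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;

// Added example, not code from the original post. Wired into method security with
// DefaultMethodSecurityExpressionHandler.setPermissionEvaluator(...), and used as
//   @PreAuthorize("hasPermission(#job, 'write')")
// on the save(Job) method instead of the id-based expression.
@Component
public class JobPermissionEvaluator implements PermissionEvaluator {

    // Assumed: Spring Data style repository with findById(Long) -> Optional<Employee>
    private final EmployeeRepository employeeRepository;
    // Assumed: returns the ids of the departments the given user may write
    private final DepartmentAccessService departmentAccess;

    public JobPermissionEvaluator(EmployeeRepository employeeRepository,
                                  DepartmentAccessService departmentAccess) {
        this.employeeRepository = employeeRepository;
        this.departmentAccess = departmentAccess;
    }

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || !auth.isAuthenticated()
                || !(target instanceof Job) || !"write".equals(permission)) {
            return false;
        }
        Job job = (Job) target;

        // The request only carries employee.id. Any department the client might also
        // include in the payload is untrusted, so it is never read from the Job object.
        if (job.getEmployee() == null || job.getEmployee().getId() == null) {
            return false;
        }
        Long employeeId = job.getEmployee().getId();

        Set<Long> writableDepartments = departmentAccess.departmentIdsFor(auth.getName());

        // Resolve the department from the persisted employee record, not the request.
        // An unknown employee id is denied like any other failure, so the response
        // does not reveal whether the id exists.
        return employeeRepository.findById(employeeId)
                .map(Employee::getDepartment)
                .map(Department::getId)
                .map(writableDepartments::contains)
                .orElse(false);
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        // The id/type form is not used by this check; deny by default.
        return false;
    }
}
```

Because the evaluator loads the employee itself, the controller can keep converting the JSON straight into a Job with only employee.id populated. The service should still attach the employee it loads (or have the repository resolve the reference) rather than persisting the client stub as-is, so the saved job points at the same record the permission check inspected.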