So I'm currently using the WebSecurityConfig proposed in ch4mpy's repository - or just the package spring-addons-webmvc-jwt-resource-server.
A controller therefore can be annotated via a classical RBAC pattern approach such as the following small snippet:
@GetMapping("/admin")
@PreAuthorize("hasAuthority('ROOT')")
public MessageDto isAdmin() {
return new MessageDto("You are an admin!");
}
Now I'm looking to implement a mixed approach between RBAC and ABAC - sort of a hybrid as in some situations an employee on the same level in a system might have access to one or two endpoints more than another employee (same job e.g.)! Splitting the roles up hierarchically might be a choice if the hybrid solution turns out to be too complex.
I wasn't able to find anything from real significance to this issue (besides some outdated or over-complex solutions).
Can anyone help me implement this sort of hybrid using KeyCloak as an authorization server?