Java webapp API id-based security filter

49 Views Asked by At

We're building our API and looking for an organized way to grant users access based on what role and permission they have.

From the starting point, we have 3 roles

  • Admin: can get and edit everything in his organization
  • Team Admin: can get and edit only his team info and users' info
  • User: can get any edit his own information

Entity

  • Team
  • User

For Security Filters:

  1. We're using JAX-RS with Security Roles and @RoleAllowed to filter access to resources
  2. Id-based filter by if / then / else function. Example with a team admin access to a user.

    function isAllowAccess(teamAdminId, userId) {
        allowedUserIdsList = queryfor(teamAdminId);
        if (userId in allowedUserIdsList) then ... else BAD_REQUEST 
    }

This code is growing with the increase complexity of multiple roles and many entities. So my questions:

  1. What will be the best way to have an organized id-based filter, is there reputable library for this?

  2. Should we maintain a separate table containing accessible ids of each entity for each team_admin_id? Then every row updated or inserted will trigger the update of this table.

  3. Is there a formal or widely acceptable method to reduce database call overhead in each call just to check if the team_admin is allowed to access a particular user?

0

There are 0 best solutions below