I’m building a web application in Java, with Spring (and Spring Security), Struts2 and Hibernate.
Every “User” belongs to a “Client”, and I need to design it so that when a User is logged in, he will only have access to the resources of his “Client”.
Originally the web-app was built without “Clients”. Just Users with Roles that had ROLE-based access to certain modules of the web-app.
These Roles shall continue on. The only difference is that Users are to be limited to the Client’s resources only. Within the Client they have ROLE-based access that describes what they can and cannot do.
Architecture-wise I have a pretty standard web app, with Managers and DAOs.
So what is the best architecture approach to this?
Thanks for any input!
I have something similar working. You can add an extra attribute, for example “clientId”, to the default UserDetails (if you do not have a customized one yet), so once a user is logged in, the application knows which client the user belongs to.
When the user wants to perform an action, the application should get the “clientId” from the UserDetails and perform the action according to this id. Probably, many of your DAO methods (and tables) should have the clientId as a parameter.
This solution doesn’t affect the Roles.
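As an added example of the approach in the answer above (this is not code from the question or the answer, and not from any project mentioned on the page): a principal that carries the clientId, a helper that reads it from the Spring Security context, and a Hibernate DAO that always filters by it. The class names ClientAwareUser, Invoice and InvoiceDao, the column name client_id, and the use of Spring Security 3.x (org.springframework.security.core.userdetails.User) with Hibernate and JPA annotations are assumptions made for the illustration.

```java
import java.util.Collection;
import java.util.List;

import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.Id;

import org.hibernate.Session;
import org.hibernate.SessionFactory;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;

/**
 * Principal that carries the user's client. It extends Spring Security's own
 * User class, so the existing roles (authorities) keep working unchanged.
 * Class and field names are assumptions for this example.
 */
public class ClientAwareUser extends User {
    private final long clientId;

    public ClientAwareUser(String username, String password,
                           Collection<? extends GrantedAuthority> authorities,
                           long clientId) {
        super(username, password, authorities);
        this.clientId = clientId;
    }

    public long getClientId() {
        return clientId;
    }

    /**
     * The client of the currently logged-in user, read from the security context.
     * Fails closed: a request without a client-bound principal gets no data.
     */
    public static long currentClientId() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !(auth.getPrincipal() instanceof ClientAwareUser)) {
            throw new AccessDeniedException("No client-bound user is authenticated");
        }
        return ((ClientAwareUser) auth.getPrincipal()).getClientId();
    }
}

/** Example entity (assumed): every row carries the client that owns it. */
@Entity
class Invoice {
    @Id
    private Long id;

    @Column(name = "client_id", nullable = false)
    private long clientId;

    private String number;

    public Long getId() { return id; }
    public long getClientId() { return clientId; }
    public String getNumber() { return number; }
}

/**
 * DAO that never takes the clientId from the caller (a request parameter can be
 * tampered with) but always from the authenticated principal.
 */
class InvoiceDao {
    private final SessionFactory sessionFactory;

    InvoiceDao(SessionFactory sessionFactory) {
        this.sessionFactory = sessionFactory;
    }

    /** Lists only the current client's invoices; the filter is part of the query itself. */
    @SuppressWarnings("unchecked")
    public List<Invoice> findAllForCurrentClient() {
        Session session = sessionFactory.getCurrentSession();
        return session.createQuery("from Invoice i where i.clientId = :clientId")
                .setParameter("clientId", ClientAwareUser.currentClientId())
                .list();
    }

    /**
     * Loads one invoice by primary key and re-checks ownership. A row that exists
     * but belongs to another client is reported exactly like a missing row, so a
     * user cannot probe which ids exist outside his own client.
     */
    public Invoice findForCurrentClient(Long id) {
        Session session = sessionFactory.getCurrentSession();
        Invoice invoice = (Invoice) session.get(Invoice.class, id);
        if (invoice == null || invoice.getClientId() != ClientAwareUser.currentClientId()) {
            return null;
        }
        return invoice;
    }
}
```

The UserDetailsService that loads users at login has to construct a ClientAwareUser (with the clientId from the user's row) instead of the default User; everything else in Spring Security, including the role checks, stays as it is. Reading the clientId inside the DAO rather than passing it in from the Struts2 action means an action cannot forget the filter or be tricked into supplying a different client's id.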