Feb 21st, 2013, 08:57 AM
Question Regarding: Limiting Data Visibility by User
Hey everyone, I'm new to Spring, coming from the .NET world.
I have a table where I would like each user to see only the data that that user had entered. It seems that Spring Security is primarily concerned with authorization at the controller level, so who has access to which CRUD operations for each controller. Can someone give me a high-level strategy for controlling access at the row level? I have a table where I would like an admin to see all rows, and a non-admin can see only the rows that he/she created.
What's a good strategy here? I was thinking that I would save the user login for each record, and then modify the controller on the table to query for only rows where the current user matches the login saved on those rows. That would work, but I'm not sure it's the best approach for Spring.
Is there a better approach that leverages the Spring Security paradigm?
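The owner-column approach described in the question, as an added example that is not part of the original post: the current login is read from Spring Security's `SecurityContextHolder`, and one ownership rule is applied both to the list view and to single-row reads. The `Note` type, the in-memory `TABLE`, the `ROLE_ADMIN` role name and the helper names are assumptions for illustration; with a real table the same rule would go into the query's WHERE clause.

```java
import java.util.List;
import java.util.stream.Collectors;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

public class RowLevelDemo {
    // Hypothetical row type: createdBy holds the login saved when the row was inserted.
    record Note(long id, String createdBy, String text) {}
    // Constructed sample rows standing in for the table.
    static final List<Note> TABLE = List.of(
        new Note(1, "alice", "alice's row"), new Note(2, "bob", "bob's row"),
        new Note(3, "alice", "another row by alice"));

    static Authentication current() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) throw new AccessDeniedException("not logged in");
        return auth;
    }
    // The single row-level rule: admins see everything, others only rows they created.
    static boolean canSee(Authentication auth, Note n) {
        boolean admin = auth.getAuthorities().stream().anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));
        return admin || n.createdBy().equals(auth.getName());
    }
    // List view, filtered by the rule above.
    static List<Note> visibleNotes() {
        Authentication auth = current();
        return TABLE.stream().filter(n -> canSee(auth, n)).collect(Collectors.toList());
    }
    // Single-row read: without the same check, a guessed id bypasses the list filter.
    static Note getNote(long id) {
        Authentication auth = current();
        return TABLE.stream().filter(n -> n.id() == id && canSee(auth, n)).findFirst()
            .orElseThrow(() -> new AccessDeniedException("no such row for this user"));
    }
    // Demo helper: puts a constructed, already-authenticated user into the security context.
    static void loginAs(String user, String... roles) {
        SecurityContextHolder.getContext().setAuthentication(
            new UsernamePasswordAuthenticationToken(user, "n/a", AuthorityUtils.createAuthorityList(roles)));
    }
    public static void main(String[] args) {
        loginAs("bob", "ROLE_USER");
        System.out.println("bob sees: " + visibleNotes());
        loginAs("root", "ROLE_ADMIN");
        System.out.println("admin sees: " + visibleNotes());
    }
}
```

Update and delete paths need the same `canSee` check as `getNote`, since the filtered list alone does not stop a request that names another user's row id directly.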