Tell me where to start. Task: there is a list of users with roles (admin, operator, customer). The administrator has access to the user editor, Admin and Operator can edit products, and the user can place an order. At this stage I still have one authorization implementation for everyone:
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userRepository.findByUsername(username);
        if (user == null) {
            // LOGGER.error("No user found with username: " + username);
            throw new UsernameNotFoundException("No user found with username: " + username);
        }
        // Every user currently gets the same hard-coded authority
        Set<GrantedAuthority> roles = new HashSet<>();
        roles.add(new SimpleGrantedAuthority("USER"));
        UserDetails userDetails = new org.springframework.security.core.userdetails.User(
                user.getUsername(), user.getPassword(), roles);
        return userDetails;
    }

I.e., it’s still static for everyone, but I’ll read the roles from the database. On the front end there is one HTML page with sections () in which the pages are implemented; using jQuery I show certain sections if the user is authorized.
    function loginUser(event) {
        event.preventDefault();
        let userData = {
            username : $('#formLogin input[name=username]').val(),
            password : $('#formLogin input[name=passwd]').val()
        };
        $.ajax({
            method : "POST",
            url : "/login",
            data : userData,
            success : loginSuccess,
            error : handleAjaxError
        });
    }

    function loginSuccess(userData) {
        saveAuthInSession(userData);
        showHideMenuLinks();
        showHomeView();
        showInfo(LOGIN_SUCCESS);
    }

    function showHideMenuLinks() {
        $("#linkHome").show();
        if (sessionStorage.getItem('authToken')) {
            // We have a logged-in user
            $("#linkLogin").hide();
            $("#linkLogout").show();
        } else {
            // No logged-in user
            $("#linkLogin").show();
            $("#linkLogout").hide();
        }
    }

Tell me, when we create different roles for different views, roughly how is this implemented by role? Should I send the role ID on successful authorization, then process it and show what the user needs depending on the role? If ADMIN -> showHomeView(); showUserView(); and so on? Can you give an example implementation, or are there certain rules?
Modified a bit:
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userRepository.findByUsername(username);
        if (user == null) {
            throw new UsernameNotFoundException("No user found with username: " + username);
        }
        List<GrantedAuthority> authorities = buildUserAuthority(user.getRole());
        UserDetails userDetails = new org.springframework.security.core.userdetails.User(
                user.getUsername(), user.getPassword(), authorities);
        return userDetails;
    }

    private List<GrantedAuthority> buildUserAuthority(RoleEnum roleEnum) {
        // Grant only the role stored for this user; iterating over RoleEnum.values()
        // here would hand every user every role
        Set<GrantedAuthority> setAuths = new HashSet<>();
        setAuths.add(new SimpleGrantedAuthority(roleEnum.toString()));
        List<GrantedAuthority> result = new ArrayList<>(setAuths);
        return result;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/index.html", "/home.html", "/login.html", "/", "/css/**", "/js/**")
                .permitAll()
                .anyRequest().fullyAuthenticated();
        // Turns off CSRF protection for every endpoint, so state-changing
        // requests are accepted without a token
        http.csrf().disable();
        http.formLogin().usernameParameter("username").passwordParameter("password");
        http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);
        http.formLogin().successHandler(authenticationSuccessHandler);
        http.formLogin().failureHandler(authenticationFailureHandler);
    }

    @Autowired
    public void registerGlobalAuthentication(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService);
    }

Now tell me, how do I return the role to the client?
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication) throws IOException, ServletException {
        // Only clears the saved authentication exception attributes;
        // nothing about the user or role is written to the response yet
        clearAuthenticationAttributes(request);
    }
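An added example (not code from the question) of the two halves the question asks about: a success handler that returns the authenticated user's roles to the jQuery front end as JSON, and server-side URL rules that enforce the same roles. The class name, the /api/** paths and the authority names ADMIN, OPERATOR and CUSTOMER are assumptions; the handler extends SimpleUrlAuthenticationSuccessHandler so that clearAuthenticationAttributes is available as in the question.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

// Success handler that answers the AJAX /login POST with the user's roles as JSON (assumed class name)
public class RoleAwareSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    private final ObjectMapper mapper = new ObjectMapper();

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication) throws IOException, ServletException {
        clearAuthenticationAttributes(request);
        // The authorities are the ones loadUserByUsername built from the user's database row
        List<String> roles = authentication.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toList());
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("username", authentication.getName());
        body.put("roles", roles);
        response.setStatus(HttpServletResponse.SC_OK);
        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
        // Jackson escapes the values, so a username containing quotes cannot break the JSON
        mapper.writeValue(response.getWriter(), body);
    }

    // Showing or hiding a section with jQuery is cosmetic; the endpoints behind each section
    // must require the same authority, or any logged-in user can call them directly.
    // Paths and authority names (ADMIN, OPERATOR, CUSTOMER) are assumptions.
    static void configureRoleRules(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/", "/index.html", "/css/**", "/js/**").permitAll()
            .antMatchers("/api/users/**").hasAuthority("ADMIN")
            .antMatchers("/api/products/**").hasAnyAuthority("ADMIN", "OPERATOR")
            .antMatchers("/api/orders/**").hasAuthority("CUSTOMER")
            .anyRequest().fullyAuthenticated();
    }
}
```

On the client, loginSuccess then stores the `roles` array from the response and showHideMenuLinks decides which sections to show from it, while the server rules above remain the actual access check.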