Announcement Announcement Module
Collapse
No announcement yet.
Authorization: Best Layer/Tier to specify logged in user Page Title Module
Move Remove Collapse
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • Authorization: Best Layer/Tier to specify logged in user

    Hello- My question is rather basic:

    Company A is divided into three Divisions. Each Division has two or more Departments. Each Department has 'n' number of employees.

    When Company A's President logs in he needs to see the total employees under him (All Employees in all Departments in all Divisions).
    When a Divisional Head logs in he should see all employees under him (All Employees in all Departments under his Division).
    When a Department Head logs in he should see all employees under him (All Employees in his Department)

    The application follows a three layered design and I have the following method chain:

    Code:
    @Controller
    class EmployeeController  {
    	@RequestMapping("Blah")
    	public List<Employee> getEmployees() {
    		return employeeService.getEmployees();
    		
    	}
    }
    
    
    @Service
    class EmployeeServiceImpl implements EmployeeService {
    	public List<Employee> getEmployees() {
    		return employeeDao.getEmployees();
    	}
    }
    
    @Repository
    class EmployeeDAO {
    	public List<Employee> getEmployee() {
    	
    	}
    }
    Let's say There is a class Util:

    Code:
    class Util {
    	public User getCurrentUser() {
    		return SecurityContextHolder.getContext()
    				.getAuthentication().getPrincipal();
    	}
    }
    My Question is:

    What is right place to specify the currently logged in user? Which of the following is preferable?

    EmployeeController.getEmployee() should acquire the current user (through the Util.getCurrentUser()) and pass it as an argument to the Service? The Service and Repository's signatures now include a reference to the currently logged in user:

    Code:
    EmployeeService.getEmployee(User user) 
    EmployeeRepository.getEmployee(User user)
    Or

    The Service should acquire the currently logged in user (using Util) and pass it to the Repository. The repository's signature now becomes:

    Code:
    EmployeeDAO.getEmployee(User user)
    Or the DAO itself should acquire (using Util) the currently logged in user and implicitly filter the SQL based on it?

    Code:
    @Repository
    class EmployeeDAO {
    	public List<Employee> getEmployee() {
    		User user = Utils.getCurrentUser();
    	}
    }

    Are there any established best practices/patterns around this general authorization problem?
    Thank you.
Working...
X