Roles vs. Permissions
Explore the distinctions between roles, permissions, and groups within Java Enterprise security. Understand their practical implications for application authorization and how frameworks like Apache Shiro enhance permission management. This lesson helps you grasp why permissions offer finer control than roles and introduces common security frameworks related to authorization.
Overview
Roles, groups, and permissions have been part of the Java Enterprise world for a long time. Let’s examine these concepts more closely and see which of them is best suited to authorization. Roles are probably familiar to most people, but they aren’t the best choice when it comes to authorization decisions.
To demonstrate the problem with roles, consider the following example:
An example of role limitations and permissions
Our code is in production, and everything seems to be going well until we receive the message that some parts of the application are now available to employees and no longer to managers. In this case, we have to go into the code and replace the role checks with a version that verifies whether the current user is an employee. Another option may be to remove the checks entirely if we want everyone to be able to perform a certain action. Either way, we must rebuild our application and put it back into production.
Do we risk ...
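The following is an added illustration of the problem described above; it is not code from this lesson or from Apache Shiro. It contrasts a hard-coded role check (the business rule "managers may approve" lives in code) with a permission check (code asks for the capability `order:approve`, and which roles carry it is data). The role names, the permission string and the role-to-permission mapping are constructed for the example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added example (not the lesson's own code). Demonstrates why a hard-coded
// role check forces a rebuild when the business rule changes, while a
// permission check only needs its role->permission mapping (data) to change.
public class RolesVsPermissions {

    // Role-based: the rule "managers may approve" is baked into the code.
    // When employees should approve instead, this method must be edited,
    // rebuilt and redeployed.
    static boolean canApproveByRole(Set<String> rolesOfUser) {
        return rolesOfUser.contains("manager");
    }

    // Permission-based: the code asks for a capability, not a role.
    // (Constructed permission string in the "domain:action" style that
    // frameworks such as Apache Shiro use.)
    static final String APPROVE_ORDER = "order:approve";

    // The role->permission mapping is passed in as data; in a real system it
    // would be loaded from a database or configuration file, not compiled in.
    static boolean canApproveByPermission(Set<String> rolesOfUser,
                                          Map<String, Set<String>> roleToPermissions) {
        return rolesOfUser.stream()
                .map(role -> roleToPermissions.getOrDefault(role, Set.of()))
                .anyMatch(perms -> perms.contains(APPROVE_ORDER));
    }

    public static void main(String[] args) {
        Set<String> manager  = Set.of("manager");
        Set<String> employee = Set.of("employee");

        // Day 1: managers approve orders, employees do not (constructed mapping).
        Map<String, Set<String>> mapping = new HashMap<>();
        mapping.put("manager",  Set.of(APPROVE_ORDER));
        mapping.put("employee", Set.of());

        System.out.println("Day 1, role check, manager approves:  " + canApproveByRole(manager));
        System.out.println("Day 1, perm check, manager approves:  " + canApproveByPermission(manager, mapping));
        System.out.println("Day 1, perm check, employee approves: " + canApproveByPermission(employee, mapping));

        // Day 2: the rule flips. Employees approve, managers no longer do.
        // Role-based code still answers "manager" until someone edits
        // canApproveByRole() and redeploys. Permission-based code needs only
        // the mapping updated.
        mapping.put("manager",  Set.of());
        mapping.put("employee", Set.of(APPROVE_ORDER));

        System.out.println("Day 2, role check, manager approves:  " + canApproveByRole(manager) + " (stale)");
        System.out.println("Day 2, perm check, manager approves:  " + canApproveByPermission(manager, mapping));
        System.out.println("Day 2, perm check, employee approves: " + canApproveByPermission(employee, mapping));
    }
}
```

Compile and run with `javac RolesVsPermissions.java && java RolesVsPermissions`. The Day 2 lines show the point of the lesson: the role check still says a manager may approve because that rule is compiled in, while the permission check follows the updated mapping with no rebuild. In Apache Shiro the equivalent of `canApproveByPermission` is `SecurityUtils.getSubject().isPermitted("order:approve")`, with the role-to-permission mapping held by the configured Realm rather than in application code.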