Ask questions and see you on April 4th, 8 PM CET: youtube.com/c/bienadam
Please keep the questions Jakarta EE-stic, meaning: as short and as concise as possible. Feel free to ask several, shorter questions. Upcoming airhacks.tv events are also going to be announced at meetup.com/airhacks
Hi Adam,
Another question ;) is about security in an application with a REST architecture and a web frontend.
The initial approach is to use the groups of a JWT token and the @RolesAllowed annotation in the backend, but if I want to make it dynamic I have chosen to have a database table to configure the permissions and a RequestFilter where to perform the validations.
The first problem is maintenance: it would have to hold the allowed groups/roles for each endpoint.
The second is that, due to functional requirements, the possibility of a menu option being read-only is requested. The problem is the navigation between screens, since it has to be inherited between screens, but with a REST architecture (stateless) I do not see how to do it without compromising security. I don't know if I explained myself well.
In the end, the goal is that a user, even if authenticated, cannot call all the endpoints, only those for which they have permissions, but without the management being so complicated. The only way I can think of is to put security per endpoint, although it is difficult to maintain. Is there any other approach?
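One way to keep the per-endpoint table small and still stateless, shown here as an added example that is not code from the question or from airhacks.tv: a JAX-RS ContainerRequestFilter keyed on the resource class's @Path template rather than on each concrete URI, with "read-only" expressed as a GET-only permission for a role carried in the JWT, so no screen state has to be inherited on the server. It assumes MicroProfile JWT maps the token's groups claim to roles for SecurityContext.isUserInRole, and the in-memory PERMISSIONS map stands in for the database table the question mentions.

```java
import jakarta.annotation.Priority;
import jakarta.ws.rs.HttpMethod;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Priorities;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.container.ResourceInfo;
import jakarta.ws.rs.core.Context;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.SecurityContext;
import jakarta.ws.rs.ext.Provider;
import java.util.Map;
import java.util.Set;

@Provider
@Priority(Priorities.AUTHORIZATION)
public class PermissionFilter implements ContainerRequestFilter {

    // Permission table: resource path template -> role -> allowed HTTP methods.
    // Constructed sample data; in practice this is loaded from the DB table.
    // A read-only role simply gets GET, so "read-only screen" needs no session.
    static final Map<String, Map<String, Set<String>>> PERMISSIONS = Map.of(
        "/orders", Map.of(
            "sales",   Set.of(HttpMethod.GET, HttpMethod.POST, HttpMethod.PUT),
            "auditor", Set.of(HttpMethod.GET)));

    @Context ResourceInfo resourceInfo;

    @Override
    public void filter(ContainerRequestContext ctx) {
        SecurityContext sc = ctx.getSecurityContext();
        if (sc.getUserPrincipal() == null) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            return;
        }
        // Key on the class-level @Path template, not the concrete URI, so that
        // /orders/42 and /orders/43 share one table row (one row per resource).
        Path classPath = resourceInfo.getResourceClass().getAnnotation(Path.class);
        String template = classPath == null ? "/" : classPath.value();
        if (!template.startsWith("/")) template = "/" + template;
        Map<String, Set<String>> byRole = PERMISSIONS.get(template);
        String method = ctx.getMethod();
        // Deny by default: a resource missing from the table is not callable,
        // and a role is only good for the HTTP methods granted to it.
        boolean allowed = byRole != null && byRole.entrySet().stream()
            .anyMatch(e -> sc.isUserInRole(e.getKey()) && e.getValue().contains(method));
        if (!allowed) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN).build());
        }
    }
}
```

Because the lookup runs on every request, cache the table in an application-scoped bean and invalidate it when the permissions are edited rather than querying the database per call.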