I am currently building a Java financial application that I need to add entitlements to, and was wondering what approaches people have taken to solve this problem, and whether there are any third party Java libraries that people would recommend.
Currently I have a number of users that can be broadly categorised into roles (e.g. "trader"). Each role can have zero or more permissions associated with it (e.g. "create trade").
Design Decisions:
Is it better to have more general permissions (e.g. "trade") plus accompanying actions ("create", "update", "delete") or more descriptive permissions ("e.g. "create trade")?
What's a good way to model the fact that some permissions are parameterised (e.g. User X has permission "create trade" but only for stocks traded on the LSE)? I've seen this done as name-value pairs before, but that seems fairly ugly. My only thought idea here is to implement Permission as a visitor (see example code below) but am concerned the interface could become unwieldy (as the #business objects increases).
public interface Permission {
void checkPermission(Trade trade) throws SecurityPermission;
void checkPermission(AnotherBusinessObject obj) throws SecurityPermission;
}
public class ExchangePermission implements Permission {
private final Exchange exchange;
public void checkPermission(Trade trade) {
if (!exchange.equals(trade.getExchange())) {
throw new SecurityException();
}
}
}
Any ideas / suggestions are more than welcome. Thanks in advance.