What is the best approach to create a role based web application?

Diego Ramos · Jan 26, 2018 · Viewed 14.7k times

I need to create a web application for a School and I need to have different roles such as:

  • Student
  • Professor
  • Admin

I need to have a login at the beginning and then after entering the credentials the application needs to redirect to the home page.

The question here is: how should I handle the roles? Should I have a namespace for each role, i.e. students/index.jsp, professors/index.jsp, admin/index.jsp, or have a common namespace for all roles, something like home/index.jsp, and then use the decorator/composite pattern so the menus have different options based on the role?

For this question I know that I must store the users and the roles, each one in its own table; this question is more related to handling presentation/navigation/permission roles and how to create the webapp structure, i.e. having a directory under the webapp folder called students, another folder admin, and another one students, and to the point I mentioned above (decorator or composite pattern).

Of course I am not making an app this small, but I wanted to simplify the issues I am facing in order to create a big role-based web application, and I believe these are the main principles.

Thank you for your time and help.

Answer

Peter G. Horvath · Feb 5, 2018

You definitely do NOT want to have separate pages ("namespaces") for different roles as that would almost inevitably lead to code duplication.

You should have a page for each function and restrict access based on the roles of the users. (e.g. some menu items are not visible for a Student, but shown for Professors and Admins.)

You absolutely should not try re-inventing the wheel for managing role-based permissions, as there are battle-proven frameworks for that purpose: as others pointed out already, in the Java world, Spring and Spring Security is the way to go.

I think JSP as technology is getting aged, so you should probably start learning Angular instead.

Since getting a working Spring / Angular project setup is not trivial, I would recommend you use the JHipster application generator, which guides you through the whole process with a wizard (you just have to answer some questions -- when asked about the type, select monolithic web application): it then creates a working project configuration with role-based security in place, following modern recommendations.

If you want to learn about proper role-based access control in a modern web application, looking at the solutions used in a JHipster-generated application is, I believe, the best and fastest solution:

  • it uses Spring Security features to restrict calls in the Java backend: look for the usages of the org.springframework.security.access.annotation.Secured annotation in the generated project
  • it shows some custom frontend tricks to show/hide certain UI parts based on roles, like this: <h1 *jhiHasAnyAuthority="'ROLE_ADMIN'">Hello, admin user</h1>, which you could easily adapt to your own use case.
  • you can have a working project in about 2 minutes: ideal for learning (go for the most simple monolithic web application!)
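The following is an added example of what the answer describes, not code from the post or from a JHipster-generated project: one set of pages shared by every role, with access decided by Spring Security at the URL layer and again with `@Secured` at the service layer. It assumes Spring Boot 3 / Spring Security 6 (`authorizeHttpRequests`, `requestMatchers`, `@EnableMethodSecurity`); the package name, the URLs (`/home`, `/grades/**`, `/users/**`), the `GradeService` class and the three sample users are hypothetical values constructed for the example.

```java
package example.school.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.annotation.Secured;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

/**
 * Hypothetical security configuration for the school app in the question.
 * There is one home page and one page per function; which of them a user may
 * reach is decided by role here, not by separate per-role directories.
 */
@Configuration
@EnableWebSecurity
@EnableMethodSecurity(securedEnabled = true)   // turns on @Secured checks on beans
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/css/**").permitAll()
                // user management is an admin function
                .requestMatchers("/users/**").hasRole("ADMIN")
                // publishing grades is a professor function; admins may do it too
                .requestMatchers("/grades/publish/**").hasAnyRole("PROFESSOR", "ADMIN")
                // /home, /grades/mine and everything else: any logged-in role
                .anyRequest().authenticated())
            .formLogin(form -> form
                .loginPage("/login")
                .defaultSuccessUrl("/home", true));   // the same home page for every role
        return http.build();
    }

    /** Constructed sample users; a real deployment backs this with the users/roles tables. */
    @Bean
    public UserDetailsService userDetailsService(PasswordEncoder encoder) {
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password(encoder.encode("student-pw")).roles("STUDENT").build(),
            User.withUsername("bob").password(encoder.encode("prof-pw")).roles("PROFESSOR").build(),
            User.withUsername("carol").password(encoder.encode("admin-pw")).roles("ADMIN").build());
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

/**
 * Service-layer check (hypothetical class). Even if a new controller later exposes
 * this method under a URL the filter chain does not list, the role is still enforced.
 */
@Service
class GradeService {

    // roles("PROFESSOR") above becomes the authority "ROLE_PROFESSOR"
    @Secured({"ROLE_PROFESSOR", "ROLE_ADMIN"})
    public void publishGrades(long courseId) {
        // persist the grades for courseId ...
    }

    // Any authenticated user may read grades, but only their own:
    // the ownership check belongs in the method, not in the menu.
    public String myGrades(String username) {
        return "grades for " + username;
    }
}
```

With this in place the menu for a Student simply omits the "Publish grades" and "Manage users" entries; in a JSP view the Spring Security tag library does that with `<sec:authorize access="hasRole('PROFESSOR')">...</sec:authorize>` (taglib URI `http://www.springframework.org/security/tags`). Hiding the menu item is a convenience for the user, not the protection: the `SecurityFilterChain` rules and the `@Secured` annotation are what reject a Student who types the URL by hand, which is why the check is placed in both layers.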