4

I'm working with spring in java and I'm trying to create a rest-API for my program. I have 3 entities to manage so I also have 3 DAO classes. my problem is that I have 2 types of users (player and admin). every one of them has different operations he can do on each of the entities/tables. My question is what is the best way to implement these requirements. should I have 3 services and 3 controllers for (one for each of my entities/tables) or should I create 2 services and 2 controllers (one for each type of users) Or maybe there is a better way than what I suggested?

EDIT: Another thing that may be important is that I need to verify the data in the service, the verification process checks for connections in tables so in each service, I will also need to have Dao objects for different entities (For Example checking if a new action has an element on which the action occurred.

Sean Goldfarb
  • 329
  • 6
  • 22
  • related: [Why use service layer?](https://stackoverflow.com/q/3688664/217324) – Nathan Hughes Apr 18 '19 at 17:33
  • Perhaps, you can use _Spring Security_! That would give you an advantage of the authorization principle associated with any specific role according to the requirement. You may wish to have a look here: https://www.baeldung.com/security-spring – Abhinav Apr 18 '19 at 17:38

2 Answers2

1

You can look into method level security with Spring Security. Baeldung has quite a nice guide about that topic. You basically annotate certain controller methods and then access to them is denied for users that do not fulfil the conditions of the annotation. E. g. Thymeleaf offers integration with Spring Security too, so you can make buttons unavailable in your HTML when the user does not have a certain privilege

tronski
  • 90
  • 1
  • 8
1

It sounds like you are probably going to have different functionality for the different types of user. It's kind of the point that admins can do things that players can't do. So there are going to be separate admin-specific service methods, the controllers used by the players don't need to have admin services wired into them.

Also it's the nature of transactions that they usually are not specific to an entity, usually you have different entities you want to deal with in the same transaction. If so then having a different service for each entity probably doesn't make sense.

On the controller level, use Spring Security to enforce who can call what endpoint. I would organize the controller endpoints into classes depending on what shared enough things in common, but how you break it up is not a huge deal.

For services, I would have one service implementing logic for normal players, and one service implementing administrator functionality. If there is a lot of code for either of these then I would think about breaking it up into separate services, keeping the distinction between services containing methods for normal players vs. for admins.

Nathan Hughes
  • 94,330
  • 19
  • 181
  • 276