I am new to Spring Security. I am trying to implement ACL and have created the required tables. Now, I have to put READ permission on a method which returns a Page. The method fetches a list of candidates and their details from the DB and displays them in the front end. In this scenario, which one should be used - @PreAuthorize(hasPermission) or @PreAuthorize(hasRole)?

I am not sure how to set permission for a Page (containing details of candidates); I am only able to put permission on the individual candidate. The permission of the user must be modifiable in the future - for example, two users under the same role might be granted different permissions on the same object. Will hasRole work in this scenario? The requirement seems straightforward, but I am not sure of the solution. What am I missing here?
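
An added example, not part of the original post, showing the two checks the question contrasts used together: hasRole as a coarse gate on the method, and a per-object ACL READ check applied to each candidate in the returned Page. `Candidate`, `CandidateRepository`, the `RECRUITER` role and the injected `PermissionEvaluator` bean (assumed to be the application's configured `AclPermissionEvaluator`) are assumptions made for illustration.

```java
import java.util.List;
import java.util.stream.Collectors;
import org.springframework.data.domain.Page;
import org.springframework.data.domain.PageImpl;
import org.springframework.data.domain.Pageable;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;

@Service
public class CandidateService {

    // Hypothetical domain type; the ACL module reads getId() to build the object identity.
    public interface Candidate { Long getId(); }

    // Hypothetical repository, e.g. a Spring Data repository in a real project.
    public interface CandidateRepository { Page<Candidate> findAll(Pageable pageable); }

    private final CandidateRepository repository;
    // Assumption: the AclPermissionEvaluator is exposed as a bean of this type.
    private final PermissionEvaluator permissionEvaluator;

    public CandidateService(CandidateRepository repository, PermissionEvaluator permissionEvaluator) {
        this.repository = repository;
        this.permissionEvaluator = permissionEvaluator;
    }

    // Coarse gate: the role only decides who may call the listing at all.
    // It cannot tell two users with the same role apart on a given candidate.
    @PreAuthorize("hasRole('RECRUITER')")
    public Page<Candidate> listReadable(Pageable pageable) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        Page<Candidate> page = repository.findAll(pageable);
        // Fine-grained check: keep only rows whose ACL grants READ to this user.
        List<Candidate> readable = page.getContent().stream()
                .filter(c -> permissionEvaluator.hasPermission(auth, c, "READ"))
                .collect(Collectors.toList());
        // Reusing page.getTotalElements() here would reveal how many rows exist that
        // the caller may not read, so the total is based on the filtered rows only.
        return new PageImpl<>(readable, pageable, readable.size());
    }
}
```

Filtering after the query can return pages shorter than the requested size; keeping page sizes stable requires applying the ACL condition inside the database query instead.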

0 Answers