Enumeration-based authority mapping
Enumeration-based authority mapping is a software design pattern that binds specific permission strings or authorities directly to values within an enum type^[001-TODO__code-getway.md]. This approach centralizes access control logic by treating the enumeration as the single source of truth for mapping functional resources or actions to their required security privileges^[001-TODO__code-getway.md].
Implementation
In a typical implementation, an enumeration class defines a field (often named authority) that holds the corresponding permission string required to access the resource represented by the enum value^[001-TODO__code-getway.md]. For example, a ReportType enum might define entries like PROXY and PROXY_DOMAIN, explicitly assigning specific authority strings (e.g., proxy:domain:edit) to each code constant^[001-TODO__code-getway.md].
This mapping is then utilized by security validators or method security expressions to check user permissions^[001-TODO__code-getway.md]. By passing the enum instance directly into a validation method (such as hasAuthority(ReportType reportType)), the system retrieves the specific authority string required for that operation and compares it against the user's granted authorities^[001-TODO__code-getway.md].
Benefits
- Single Source of Truth: The mapping between business logic (report types) and security rules (authorities) is defined in one place, reducing the risk of discrepancy^[001-TODO__code-getway.md].
- Type Safety: Using enums prevents typos and invalid values that might occur if raw strings were used throughout the codebase^[001-TODO__code-getway.md].
- Maintainability: Adding new permissions involves simply adding a new value to the enum, rather than updating hardcoded strings in multiple controller methods^[001-TODO__code-getway.md].
Example Usage
In the provided source, ReportType is used to parameterize controller methods^[001-TODO__code-getway.md]. The @PreAuthorize annotation delegates the check to a validator bean, which uses the enum's authority field to verify if the authenticated user has the necessary permission^[001-TODO__code-getway.md].
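The pattern described above, as an added, dependency-free Java sketch (not code from the cited source): it shows the enum carrying its authority and a validator that denies by default. The class names, the bean name in the comment, the `proxy:edit` string and the pairing of constants to authority strings are assumptions made for illustration.

```java
import java.util.Set;

public class ReportAuthorityDemo {
    // The enum is the single source of truth: each constant carries its required authority.
    // The constant-to-string pairings below are assumed for illustration.
    enum ReportType {
        PROXY("proxy:edit"),
        PROXY_DOMAIN("proxy:domain:edit");

        private final String authority;

        ReportType(String authority) {
            // Fail fast at class load if a constant is declared without an authority.
            if (authority == null || authority.isBlank()) {
                throw new IllegalArgumentException("authority must not be blank");
            }
            this.authority = authority;
        }

        String getAuthority() { return authority; }
    }

    // Stand-in for the validator bean. With Spring Security it could be invoked as
    // @PreAuthorize("@reportAuthValidator.hasAuthority(#reportType)") (bean name hypothetical),
    // with the granted set read from the current Authentication instead of the constructor.
    static final class ReportAuthValidator {
        private final Set<String> granted;

        ReportAuthValidator(Set<String> granted) { this.granted = Set.copyOf(granted); }

        // Deny by default: a null (unbound) enum parameter never authorizes.
        boolean hasAuthority(ReportType reportType) {
            return reportType != null && granted.contains(reportType.getAuthority());
        }
    }

    public static void main(String[] args) {
        // Constructed sample user holding a single authority.
        ReportAuthValidator validator = new ReportAuthValidator(Set.of("proxy:domain:edit"));
        for (ReportType type : ReportType.values()) {
            System.out.printf("%-12s requires %-18s -> %s%n", type, type.getAuthority(),
                    validator.hasAuthority(type) ? "ALLOW" : "DENY");
        }
        System.out.println("null -> " + (validator.hasAuthority(null) ? "ALLOW" : "DENY"));
    }
}
```

Run it with `java ReportAuthorityDemo.java` (Java 11 or later). The blank-authority check in the constructor turns a forgotten mapping into a startup failure rather than an endpoint that no authority string can sensibly guard.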
Sources
001-TODO__code-getway.md
Related
- [[Access control list]]
- [[Enum type]]
- Spring Security