I am working on a web application (which happens to have a Java+Spring+postgres backend) and I am adding permission validation to my services to filter data access.
First, I was thinking about implementing my validations in Java and then annotate my services with something like org.springframework.security.access.prepost.PreAuthorize to have my validations invoked.
My main concert is about maintainability. As the project grows in size I have no guarantee that in the future all developers will remember or even care about permission enforcement when they add new features.
I turned to row level security but I have the following architectural problem:
Although RLS solves my maintainability problem, some of my services trigger asynchronous processes that write to the database but do not yield any session, which in turn yields the user permissions. This takes me back to preauthorisation and its maintainability problem.
Therefore I was wondering if there are other options besides these ones that I haven't considered yet?
Thank you for your time.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
