Where to implement RBAC and ABAC in a dynamic web project in Java
posted 7 months ago
A doubt in handling RBAC and ABAC, in the context of a banking application.
Consider the endpoint /api/customers, POST method.
It is accessible to both employee and manager (for adding customers), handled via an authorization filter.
But an employee can add a customer only if both branches are the same (the employee's existing branch id and the branch id of the customer to be added), which can be inferred from the request body, whereas the manager can add customers to any branch.
Where should this type of splitting be handled: inside the filters, or can the filter be bypassed and this handled somewhere else?
Welcome to the Ranch, Arockiya!
Role-based access control doesn't require a given user to be limited to only one role. A user can participate in multiple roles.
Some example roles and uses:
manager - can do anything
clerk - can enter data and view it
auditor - can only view data and not change it
In this case, I can define a servlet that displays a report and allows all 3 roles and another servlet that is used for data entry and allows only the manager and clerk roles.
Another thing that you can do is temporarily "promote" a clerk by adding the manager role to their role set while the actual manager is out of the office or something, then "demote" them when the actual manager returns, all without having to make a program change.
Experience keeps a dear School, but Fools will learn in no other.
---
Benjamin Franklin - Postal official and Weather observer
Arockiya Belcy VS
Greenhorn
Posts: 2
posted 6 months ago
Thank you, Tim Holloway.
As you mentioned — "I can define a servlet that displays a report and allows all 3 roles, and another servlet that is used for data entry and allows only the manager and clerk roles" — I have implemented a similar setup.
In my case, I’ve written a separate layer to handle the Attribute-Based Access Control (ABAC) checks, distinct from the Role-Based Access Control (RBAC) logic handled in the authorization filter. This ABAC layer evaluates conditions like whether an employee can add a customer only to their own branch, while a manager can add customers to any branch, based on request body data.
posted 6 months ago
Yes, the container-based security provided by JEE is not very fine-grained, and it's common to supplement it with finer-grained restrictions.
You can use the "isUserInRole()" method to restrict logic in a servlet so that, for example, the same servlet could display data for auditors but also allow editing for clerks.
When it comes to things like matching clerks to branches and stuff like that, there's no JEE support and you have to do that as part of your business logic, but the container security system's virtue is that unauthorized users cannot access application logic at all and thus cannot exploit possible weaknesses in the application logic.
Think of RBAC as the guard at the front gate of a military base and your logic-based access rules as the front-desk persons at individual offices on the base.
Experience keeps a dear School, but Fools will learn in no other.
---
Benjamin Franklin - Postal official and Weather observer
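How the two layers discussed in this thread (the coarse role gate in the filter, the branch rule in business logic) can sit side by side, as an added example that is not code posted by anyone here. Caller and NewCustomerRequest are hypothetical stand-ins; in a real servlet, Caller would be built from request.getUserPrincipal(), request.isUserInRole() and a server-side lookup of the employee's branch.

```java
import java.util.Set;

// Added example for this thread, not code posted by anyone in it. Caller and
// NewCustomerRequest are hypothetical stand-ins for the application's own user
// model and for the parsed JSON body of POST /api/customers.
public class CustomerAccessDemo {
    // Facts about the caller established server-side (container principal, roles,
    // and the branch looked up from the employee record), never taken from the body.
    record Caller(String name, Set<String> roles, String branchId) {
        boolean isUserInRole(String role) { return roles.contains(role); }
    }

    // The fields of the request body that the ABAC rule needs.
    record NewCustomerRequest(String customerName, String branchId) {}

    // Gate 1, RBAC: the coarse check the authorization filter makes before any
    // application code runs. Only employees and managers reach the servlet.
    static boolean allowedByRole(Caller c) {
        return c.isUserInRole("manager") || c.isUserInRole("employee");
    }

    // Gate 2, ABAC: needs the request body, so it belongs in business logic
    // behind the filter. Managers may add to any branch, employees only to theirs.
    static boolean allowedByBranch(Caller c, NewCustomerRequest req) {
        if (c.isUserInRole("manager")) return true;
        // Null-safe: a body with no branchId must be rejected, not treated as a match.
        return req.branchId() != null && req.branchId().equals(c.branchId());
    }

    // What the servlet's doPost would call before persisting; both gates must pass.
    static boolean mayAddCustomer(Caller c, NewCustomerRequest req) {
        return allowedByRole(c) && allowedByBranch(c, req);
    }

    public static void main(String[] args) {
        // Constructed sample callers and request bodies.
        Caller clerk = new Caller("alice", Set.of("employee"), "BR-100");
        Caller boss  = new Caller("bob",   Set.of("manager"),  "BR-200");
        Caller audit = new Caller("carol", Set.of("auditor"),  "BR-100");
        NewCustomerRequest own   = new NewCustomerRequest("Dana",  "BR-100");
        NewCustomerRequest other = new NewCustomerRequest("Eve",   "BR-300");
        NewCustomerRequest none  = new NewCustomerRequest("Frank", null);
        System.out.println("employee, own branch:   " + mayAddCustomer(clerk, own));
        System.out.println("employee, other branch: " + mayAddCustomer(clerk, other));
        System.out.println("employee, no branch:    " + mayAddCustomer(clerk, none));
        System.out.println("manager, other branch:  " + mayAddCustomer(boss, other));
        System.out.println("auditor, own branch:    " + mayAddCustomer(audit, own));
    }
}
```

The branch comparison reads the employee's branch from the server-side record rather than from the request, so the rule cannot be satisfied by what the client chooses to put in the body.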