As you may have noticed, when it comes to generated code, JHipster doesn't provide much in terms of role-based security, authorization management, and so on. This is intentional, as these depend heavily on the use case and are most often tied to the business logic of the application. So, it is better if this is hand-coded by the developers as part of the business code.
Normal users have ROLE_USER and admin users have ROLE_ADMIN assigned in user management. For our use case, there are a few security holes that we need to take care of:
- Normal users should only have access to view the product listing, product order, order item, invoice, and shipment
- Normal users should not have access to create/edit/delete entities via the CRUD API
- Normal users should not be able to access the product order, order item, invoice, and shipment of other users
We could overcome these issues using features provided by Spring Security.
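One way to enforce these rules on a generated REST resource, as an added example that is not taken from the book or from JHipster's generated code: it assumes a hypothetical ProductOrder entity whose owner is reachable through getCustomer().getUser().getLogin(), a Spring Data JPA 2.x repository (findById/deleteById), and the plain Spring Security API rather than JHipster's SecurityUtils helper.

```java
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.*;

// Assumed (hypothetical) types: ProductOrder exposes its owner via
// getCustomer().getUser().getLogin(); ProductOrderRepository is a Spring Data JPA 2.x repository.
@RestController
@RequestMapping("/api")
public class ProductOrderResource {
    private final ProductOrderRepository productOrderRepository;
    public ProductOrderResource(ProductOrderRepository productOrderRepository) {
        this.productOrderRepository = productOrderRepository;
    }

    // Rule 2: only ROLE_ADMIN may create, edit or delete via the CRUD API (same annotation on
    // POST/PUT). @PreAuthorize needs prePostEnabled = true, which JHipster's SecurityConfiguration sets.
    @DeleteMapping("/product-orders/{id}")
    @PreAuthorize("hasAuthority('ROLE_ADMIN')")
    public ResponseEntity<Void> deleteProductOrder(@PathVariable Long id) {
        productOrderRepository.deleteById(id);
        return ResponseEntity.noContent().build();
    }

    // Rule 3: a ROLE_USER caller may read an order only if it is their own; admins may read any.
    // A listing endpoint (rule 1) applies the same test through a repository query on the login.
    @GetMapping("/product-orders/{id}")
    public ResponseEntity<ProductOrder> getProductOrder(@PathVariable Long id) {
        ProductOrder order = productOrderRepository.findById(id).orElse(null);
        if (order == null) {
            return ResponseEntity.notFound().build();
        }
        String owner = order.getCustomer().getUser().getLogin();
        if (!isAdmin() && !owner.equals(currentLogin())) {
            // Spring Security turns this into an HTTP 403 for an authenticated caller.
            throw new AccessDeniedException("Product order " + id + " belongs to another user");
        }
        return ResponseEntity.ok(order);
    }
    private static String currentLogin() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth == null ? "" : auth.getName();
    }
    private static boolean isAdmin() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth != null && auth.getAuthorities().stream()
            .anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));
    }
}
```

The ownership check is done on the server side in the resource, so it holds even when the Angular client hides the buttons; the 404 branch runs first so a forbidden response cannot be used to confirm that an order id exists.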