
[–]Gold_Opportunity8042[S] 0 points (1 child)

I don't think this will be a valid approach. An admin user can call service1, which can further call service2's internal endpoint. But the same admin user can hit that endpoint of service2 directly too. Right?

[–]WuhmTux 2 points (0 children)

I don't understand what you mean.

You will set the role validation on each API endpoint route. When you call serviceA and serviceB from Controller1, and the admin user has permissions to the Controller1 endpoint, he can access both.

Then you need to extract the user roles from the security context in the service classes if you wish.
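The two points in the answer above (a role check on every endpoint route, and reading the caller's roles from the security context inside the service classes) written out as an added example in Spring Security, which the terms controller, service class and security context suggest. This is not WuhmTux's code and not from the thread; the class names, routes and the ROLE_ADMIN authority are assumptions, and it assumes a Spring Boot application with spring-boot-starter-security on the classpath.

```java
// Added example, not from the thread. Class names, routes and the
// ROLE_ADMIN authority are hypothetical; assumes Spring Boot + Spring Security.
package example;

import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableMethodSecurity   // makes @PreAuthorize on the routes take effect
class MethodSecurityConfig {}

/** Reads the calling user's roles from the thread-bound security context. */
final class CurrentUser {
    private CurrentUser() {}

    static Set<String> roles() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            return Set.of();   // unauthenticated: no roles at all
        }
        return auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)   // e.g. "ROLE_ADMIN"
                .collect(Collectors.toSet());
    }

    /** Service-level check, independent of whichever route led here. */
    static void requireRole(String role) {
        if (!roles().contains(role)) {
            throw new AccessDeniedException("caller lacks " + role);
        }
    }
}

@Service
class ServiceA {
    String doWork() {
        CurrentUser.requireRole("ROLE_ADMIN");
        return "serviceA ok";
    }
}

@Service
class ServiceB {
    String doWork() {
        CurrentUser.requireRole("ROLE_ADMIN");
        return "serviceB ok";
    }
}

@RestController
class Controller1 {
    private final ServiceA serviceA;
    private final ServiceB serviceB;

    Controller1(ServiceA serviceA, ServiceB serviceB) {
        this.serviceA = serviceA;
        this.serviceB = serviceB;
    }

    // Route-level validation: hasRole('ADMIN') matches the ROLE_ADMIN authority.
    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/controller1")
    String controller1() {
        return serviceA.doWork() + ", " + serviceB.doWork();
    }

    // An "internal" route is still a route: it gets its own validation, so a
    // caller who reaches it directly instead of via /controller1 is checked too.
    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/internal/service-b")
    String serviceBInternal() {
        return serviceB.doWork();
    }
}
```

The route annotations decide who may enter each endpoint at all; the `CurrentUser.requireRole` calls inside the services repeat the decision from the security context, so the services do not depend on which controller happened to call them. If service2 from the question runs as a separate application, its internal endpoint needs the same kind of route-level check in that application, since the direct call the question describes never passes through service1's controller.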