Java –高效的数据库感知实例级授权? [英] Java – efficient, database-aware instance-level authorization?
问题描述
在JPA应用程序中,我有一个要应用程序的场景
列出给定用户有权提取的所有帐户
我有一个Account实体和一个多对多表,该表列出了每个用户对每个帐户具有的授权–为实现上述方案,该应用程序目前仅内部联接了这两个表–相当快. /p>
现在,我正计划添加一个显式的授权层(基于apache shiro/spring security/other),以将与授权相关的逻辑与其余代码隔离开来,但是...
数据库中有大约1万个帐户,普通"用户被授予存款",其中一半拥有查看"权限,仅有少数拥有"withraw"权限.
任何安全框架都可以有效地实施此方案吗?
即:他们中的任何一个都能够修饰"类型为从帐户a选择一个"的JPA查询(或等效的SQL),从而获得帐户列表,而无需从帐户中加载所有用户授权数据库,并且通过任何方式无需检索所有帐户?)
看看 Apache Shiro
它允许您一次提取用户授权并在会话持续时间内对其进行缓存.此外,如果所有用户都可以查看所有帐户,则无需显式定义此设置,这将显着减少开销.
如果您的解决方案需要实时访问处理程序,Shiro也可以在运行时动态重置权限.
Shiro允许您实现典型的RBAC并定义如下权限:
domain:action:instance
因此,在您的情况下,用户的权限可能看起来像这样:
account:deposit:* // deposit all accounts
account:view:1111
account:view:2222
account:view:3333 // view on these accounts
account:withdraw:5555
account:withdraw:6666 // withdraw on these accounts
然后,您可以在代码中执行以下操作:
if (SecurityUtils.getSubject().isPermitted("account:withdraw:"+account.getAccountNumber() ) {
// handle withdraw
}
Shiro还具有注释驱动的权限,可以进行其他抽象.
编辑
Shiro权限是最终结果,而不是您从哪里开始.我使用了一组表,这些表代表用户到角色和角色到权限的映射以及其他到实例的映射.在AuthN之后,通常是由用户PK索引的一组简单查询,以建立呈现权限所需的数据结构.
In a JPA app I have a scenario in which the app is to
list all accounts the given user is authorized to withdraw from
I have the Account entity and a many-to-many table that lists what authorizations each user has on each account – to implement the above scenario, the app currently just inner-joins the two tables – which is quite quick.
Now, I was planning to add an explicit authorization layer (based on apache shiro / spring security / other) to insulate authorization-related logic from the rest of the code, but...
There are some 10k Accounts in the database and the "average" user is granted "deposit" on all of them, "view" on one half of them and "withraw" on just a few.
Does any security framework allow to implement this scenario efficiently?
Ie: is any of them able to "decorate" a JPA query of the type "select a from Account a" (or the equivalent SQL) and thus get the list of accounts without loading all user grants from the database, and by all means, without having to retrieve all accounts?)
Have a look at Apache Shiro.
It allows you to pull in the User authorization once and cache it for the duration of the session. In addition, if all users can VIEW all ACCOUNTS then you wouldn't need to explicitly define this which would significantly reduce the overhead.
If your solution requires realtime access handlers Shiro has a way to reset the Permissions dynamically during runtime too.
Shiro allows you to implement a typical RBAC and define permissions like this:
domain:action:instance
So in your case permissions might look like this for a user:
account:deposit:* // deposit all accounts
account:view:1111
account:view:2222
account:view:3333 // view on these accounts
account:withdraw:5555
account:withdraw:6666 // withdraw on these accounts
In code you can then do something like this:
if (SecurityUtils.getSubject().isPermitted("account:withdraw:"+account.getAccountNumber() ) {
// handle withdraw
}
Shiro also has annotation driven permissions for additional abstraction.
EDIT
The Shiro permissions is the end result, not where you start. I used a set of tables representing mappings of the user-to-role and role-to-permission along with other mappings to instance. After AuthN its usually a simple set of queries indexed by the User PK to build up the data structures needed to render the permissions.
这篇关于Java –高效的数据库感知实例级授权?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
