How to prevent users from accessing other users' data with dotnet core and RESTful APIs?


Problem description


I'm trying to find the best solution to a simple problem that is not largely discussed around.

My application has lots of users that can create and edit data. A user should only see and edit his own data, not others'.

Think about Alice, who has a Restaurant A with a Menu MenuA, and Bob, who has a Restaurant B and a Menu MenuB.

I have APIs to CRUD restaurants and menus, and I can easily authorize only logged-in users with the correct claims and roles. What I want to do now is prevent Bob from accessing Alice's restaurant or menu, and vice versa. For instance, Bob should be authorized to PUT /api/restaurants/B but should be unauthorized to PUT /api/restaurants/A or even PUT /api/restaurants/A/menus/x.

A possible solution is the one provided here: ASP.NET MVC Attribute to only let user edit his/her own content. This solution requires creating a custom Authorize attribute that actively checks whether the logged-in user is the proprietor of the accessed entity. The entities have a userId field to check whether the user making the request is the owner of the data. This solution is nice and clean but lacks some features. Every entity in the model should have a userId field and can only be accessed by the owner, OR for each entity I need to navigate to the root entity of the authorization model (e.g. when accessing a Menu I need to query for the parent Restaurant entity to check whether MenuB is inside a Restaurant owned by the user). To support multiple owners (e.g. the restaurant managers) the logic will be a lot more complex. I am also worried about the overhead here, since basically every call requires some queries to check data access, but it will probably not be an issue.

Is there a best practice?
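As an added example (not part of the question or the linked answer), the following ASP.NET Core code shows the ownership check the question describes done with the framework's resource-based authorization instead of a custom Authorize attribute: one handler decides for a Restaurant, a second handler decides for a Menu by walking to its parent Restaurant, and the controller asks IAuthorizationService for the decision. The domain types, the IRestaurantRepository interface and the route names are assumptions made for the example.

```csharp
// Added example: ASP.NET Core resource-based authorization for owner-only access.
// Restaurant, Menu and IRestaurantRepository are hypothetical types for this example.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;
using Microsoft.AspNetCore.Mvc;

public class Restaurant { public string Id { get; set; } = ""; public string OwnerUserId { get; set; } = ""; }
public class Menu { public string Id { get; set; } = ""; public string RestaurantId { get; set; } = ""; }

// Hypothetical data access abstraction; a real one would query the database.
public interface IRestaurantRepository
{
    Task<Restaurant?> FindRestaurantAsync(string id);
    Task<Menu?> FindMenuAsync(string id);
}

public static class Operations
{
    public static readonly OperationAuthorizationRequirement Update =
        new OperationAuthorizationRequirement { Name = "Update" };
}

// Restaurant resources: the caller must be the owner.
public class RestaurantOwnerHandler : AuthorizationHandler<OperationAuthorizationRequirement, Restaurant>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        OperationAuthorizationRequirement requirement, Restaurant resource)
    {
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        // Only Succeed here; calling Fail would veto other handlers (e.g. an admin handler).
        if (userId != null && userId == resource.OwnerUserId)
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

// Menu resources: ownership is decided by the parent Restaurant, so the handler
// navigates to it once and the controller does not repeat that logic per action.
public class MenuOwnerHandler : AuthorizationHandler<OperationAuthorizationRequirement, Menu>
{
    private readonly IRestaurantRepository _repo;
    public MenuOwnerHandler(IRestaurantRepository repo) => _repo = repo;

    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
        OperationAuthorizationRequirement requirement, Menu resource)
    {
        var restaurant = await _repo.FindRestaurantAsync(resource.RestaurantId);
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (restaurant != null && userId != null && userId == restaurant.OwnerUserId)
            context.Succeed(requirement);
    }
}

[ApiController]
[Route("api/restaurants")]
[Authorize]                       // authentication is still required for every action
public class RestaurantsController : ControllerBase
{
    private readonly IRestaurantRepository _repo;
    private readonly IAuthorizationService _auth;
    public RestaurantsController(IRestaurantRepository repo, IAuthorizationService auth)
    { _repo = repo; _auth = auth; }

    // PUT /api/restaurants/{id}/menus/{menuId}
    [HttpPut("{id}/menus/{menuId}")]
    public async Task<IActionResult> UpdateMenu(string id, string menuId, [FromBody] Menu update)
    {
        var menu = await _repo.FindMenuAsync(menuId);
        // 404 for both "does not exist" and "not under this restaurant", so the URL
        // space does not reveal which ids exist under other owners.
        if (menu == null || menu.RestaurantId != id) return NotFound();

        var result = await _auth.AuthorizeAsync(User, menu, Operations.Update);
        if (!result.Succeeded) return Forbid();   // authenticated but not the owner

        // ... apply the update ...
        return NoContent();
    }
}

// Registration (e.g. in Program.cs):
// builder.Services.AddAuthorization();
// builder.Services.AddScoped<IAuthorizationHandler, RestaurantOwnerHandler>();
// builder.Services.AddScoped<IAuthorizationHandler, MenuOwnerHandler>();
```

Adding a second owner type (the restaurant managers the question mentions) means adding another handler that calls Succeed for a manager claim; because handlers only succeed and never fail, the existing owner handler does not need to change.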

Solution

What you want to do is implement attribute-based access control or .

In the ABAC architecture, you have the notion of a policy enforcement point (PEP) which intercepts the API call and determines whether the call should go through. The PEP converts the API call into an authorization request and sends it off to a central Policy Decision Point (PDP).

The following architecture summarizes the flow.

The PDP is configured with a set of policies that determine what is allowed and what is denied. For instance, you can write policies such as:

  • The owner of a restaurant can view the restaurant page
  • The owner of a restaurant can edit that restaurant's menu.
  • A customer can view any restaurant's menu if it is public.

There are two languages you can write policies in: or .

For instance, in ALFA, a policy would look like:

// Standard attributes such as actionId come from the ALFA standard library.
import Attributes.*

namespace restaurant{
    // Subject attribute: the id of the user making the request.
    attribute userId{
        category = subjectCat
        id = "restaurant.userId"
        type = string
    }
    // Resource attribute: the owner of the restaurant being accessed.
    attribute owner{
        category = resourceCat
        id = "restaurant.owner"
        type = string
    }
    // Resource attribute: the kind of object being accessed.
    attribute objectType{
        category = resourceCat
        id = "restaurant.objectType"
        type = string
    }
    policy restaurant{
        target clause objectType == "restaurant"
        apply firstApplicable
        // The owner of a restaurant can view it.
        rule ownerCanView{
            target clause actionId == "view"
            permit
            condition userId == restaurant.owner
        }
    }
}

All you need is a XACML 3.0 Policy Decision Point. There are Java and .NET implementations as well as commercial ones. Have a look at this blog post on .Net authorization.
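To make the PEP/PDP flow described in this answer concrete, here is an added example (not from the answer and not any XACML product's code) of a small in-memory Policy Decision Point in C#. It evaluates the restaurant policy above, extended to the three policy statements listed in the answer, with the firstApplicable combining algorithm, and a PEP that maps an HTTP verb to an action and denies unless the decision is an explicit Permit. The attribute names "owner" and "public", the action vocabulary and the sample users are assumptions for the example.

```csharp
// Added example: a minimal PEP + PDP evaluating attribute-based policies in memory.
// Attribute names, actions and sample data are constructed for this example.
using System;
using System.Collections.Generic;

public enum Decision { Permit, Deny, NotApplicable }

// The authorization request the PEP builds from an API call.
public record AuthzRequest(
    string UserId,
    string ObjectType,
    string ActionId,
    IReadOnlyDictionary<string, string> Resource);

public record Rule(string Name, Func<AuthzRequest, bool> Target,
                   Func<AuthzRequest, bool> Condition, Decision Effect);

public record Policy(string Name, Func<AuthzRequest, bool> Target, IReadOnlyList<Rule> Rules);

public static class Pdp
{
    // firstApplicable: the first rule whose target and condition both match decides.
    public static Decision Evaluate(Policy policy, AuthzRequest req)
    {
        if (!policy.Target(req)) return Decision.NotApplicable;
        foreach (var rule in policy.Rules)
            if (rule.Target(req) && rule.Condition(req)) return rule.Effect;
        return Decision.NotApplicable;
    }

    private static bool IsOwner(AuthzRequest req) =>
        req.Resource.TryGetValue("owner", out var owner) && owner == req.UserId;

    // The three statements from the answer, expressed as rules on objectType == "restaurant".
    public static readonly Policy RestaurantPolicy = new Policy(
        "restaurant",
        req => req.ObjectType == "restaurant",
        new List<Rule>
        {
            new Rule("ownerCanView", req => req.ActionId == "view", IsOwner, Decision.Permit),
            new Rule("ownerCanEdit", req => req.ActionId == "edit", IsOwner, Decision.Permit),
            new Rule("publicCanBeViewed",
                     req => req.ActionId == "view",
                     req => req.Resource.TryGetValue("public", out var p) && p == "true",
                     Decision.Permit),
        });
}

public static class Pep
{
    // Translate the HTTP verb into the policy's action vocabulary.
    private static string ActionFor(string verb) =>
        verb.ToUpperInvariant() == "GET" ? "view" : "edit";

    // Deny by default: both Deny and NotApplicable block the call.
    public static bool Authorize(string userId, string verb, string objectType,
                                 IReadOnlyDictionary<string, string> resource)
    {
        var req = new AuthzRequest(userId, objectType, ActionFor(verb), resource);
        return Pdp.Evaluate(Pdp.RestaurantPolicy, req) == Decision.Permit;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: Alice owns private restaurant A, Bob owns public restaurant B.
        var restaurantA = new Dictionary<string, string> { ["owner"] = "alice", ["public"] = "false" };
        var restaurantB = new Dictionary<string, string> { ["owner"] = "bob", ["public"] = "true" };

        Console.WriteLine("alice PUT A: " + Pep.Authorize("alice", "PUT", "restaurant", restaurantA));
        Console.WriteLine("bob PUT A:   " + Pep.Authorize("bob", "PUT", "restaurant", restaurantA));
        Console.WriteLine("bob GET A:   " + Pep.Authorize("bob", "GET", "restaurant", restaurantA));
        Console.WriteLine("alice GET B: " + Pep.Authorize("alice", "GET", "restaurant", restaurantB));
    }
}
```

In the demo, Alice editing her own restaurant A is permitted by ownerCanEdit, Bob editing or viewing A falls through every rule and is denied by the PEP's default, and Alice viewing Bob's public restaurant B is permitted by publicCanBeViewed. The resource attributes are fetched by the PEP before it asks the PDP, which is where the per-request lookups the question worries about happen; they are the same lookups the ownership check needs in any design, just done in one place.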
