How to get a List of Objects that a user can access using ACLs related tables

Problem description

I'm designing a system that has a lot of requirements around user management/permissions, so I decided to use Spring Security ACL to manage the permissions at the Domain Objects level.

Although, using ACLs to maintain the relations between Users and Entities forces us to rely on that to present the data on the UI.

The PostFilter solution that is provided by Spring Security does a good job filtering the objects that a User can/cannot see but it has a big performance issue when we're dealing with an entity that has hundreds/thousands of entries, because we need to load everything from the database and then discard the objects that user isn't allowed to "see".

That problem is described here - SEC-2409 - but it'll take some time until the feature is available. So, I'm trying to find a workaround to use Spring Security ACL but avoid the performance issue.

I thought about implementing some code to retrieve the Objects that a User can access (after the authentication process) and keep that information available to be used on every request to allow the developers to use that info to perform the queries and not relying on the PostFilter.

In order to implement that, I'm trying to find a way to retrieve the list of permissions for a given principal/granted authority but I'm not able to find a way to do that with the available AclService implementations.

Example: aclService.getObjectIdentityList(<sid>, <acl_class>)

Note: The method should use the inheritance structure and include all the ObjectIdentities that are inherited from a parent entry

Any suggestion to get the data or another approach to solve this problem?

Update

I already found a way to retrieve the List of objects that a User can access.

List<ObjectIdentity> childObjects = aclService.findChildren(objectIdentity);
Map<ObjectIdentity, Acl> result = aclService.readAclsById(childObjects, sids);

And this approach works for us, because we just have a few entities for which the access is controlled by ACLs, so we can construct the list of ObjectIdentities that a User has access to.

Although, the Map that is being returned is returning all the ACLs for the ObjectIdentities that are being passed, and then I need to check if the user has access to each ObjectIdentity that is being returned.

Do you have an easy way to do this or to simplify all of this logic?
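
The per-object check described in the update can be written as below. This is an added example, not part of the original post or of Spring Security itself; the class name ReadableChildrenResolver and the choice of BasePermission.READ are assumptions. It denies by default: a missing ACL or an ACL with no matching entry yields no access.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.SidRetrievalStrategyImpl;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.AclService;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.Sid;
import org.springframework.security.core.Authentication;

// Hypothetical helper: name and shape are assumptions, not Spring API.
public class ReadableChildrenResolver {
    private final AclService aclService;

    public ReadableChildrenResolver(AclService aclService) {
        this.aclService = aclService;
    }

    /** Returns the children of {@code parent} on which the user holds READ. */
    public List<ObjectIdentity> readableChildren(ObjectIdentity parent, Authentication auth) {
        // Principal SID plus one SID per granted authority.
        List<Sid> sids = new SidRetrievalStrategyImpl().getSids(auth);
        List<Permission> required = List.of(BasePermission.READ);
        List<ObjectIdentity> readable = new ArrayList<>();
        List<ObjectIdentity> children = aclService.findChildren(parent);
        if (children == null || children.isEmpty()) {
            return readable; // findChildren may return null when there are none
        }
        Map<ObjectIdentity, Acl> acls;
        try {
            acls = aclService.readAclsById(children, sids);
        } catch (NotFoundException e) {
            return readable; // fail closed: no ACL means no access
        }
        for (Map.Entry<ObjectIdentity, Acl> entry : acls.entrySet()) {
            try {
                // isGranted also consults parent ACLs when entries are inheriting.
                if (entry.getValue().isGranted(required, sids, false)) {
                    readable.add(entry.getKey());
                }
            } catch (NotFoundException e) {
                // No ACE applies to these SIDs: treat as deny.
            }
        }
        return readable;
    }
}
```

The returned identifiers can then be passed to a query as an IN list, so the filtering happens in the database rather than in a PostFilter.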

Recommended answer

The current approach to handling larger data sets is to update your query to include the currently logged in user within your query. For example, you can use Spring Security and Spring Data integration to update your query to refer to the current user:

@Query("select d from MyDomain d where d.owner = ?#{principal.name}")

Obviously this is not ideal because you need to manage the permissions manually. Once we resolve SEC-2409 Spring can do a lot of the heavy lifting for you automatically.
