数据库级ACL过滤 [英] db level ACL filtering
问题描述
我正在为此寻找Spring-security 3.0,Spring的ACL过滤是在post(api call)操作时发生的.有两个问题:-
I am looking at Spring-security 3.0 for this, spring's ACL filtering happens as post(api call) operation. There are 2 issues with that :-
- 它将中断分页查询
- 即使我在api获取结果上方的层上进行分页(我在这里使用spring-hibernate),每次db查询也是浪费的,因为它获取并填充所有结果,即使大多数结果注定要被过滤在Java级别
我见过这样的解决方案,其中每个查询都附加了acl查询,该查询在db级进行过滤,但是由于它污染了与授权相关的业务逻辑,因此看起来很丑陋,是否有任何方法/框架可以执行db级acl透明过滤?我喜欢通过配置/注释以声明方式强制执行安全性的spring-securitys总体方法,因此可以直接从安全性相关的逻辑中节省代码,但是我认为在性能方面,它会因此而失败
I have seen solutions where each query is appended with the acl queries which does the filtering at the db level , but that looks ugly as it pollutes business logic with authorization concern, are there any ways/frameworks that does db-level acl filtering transparently ? I like spring-securities overall approach of enforcing security declaratively through config/annotations thus sparing the code from security related logic directly, but i think it loses out on this on performance concerns
推荐答案
对于您提到的问题,对我而言,只有#1是真正的问题.
For the issues that you mentioned , only the #1 one is the real issue to me .
对于第二个问题,如果我理解正确,则该查询将返回没有分页行为的结果列表.因此,应该假定结果的大小是有限的,并且不会增长到返回结果变得非常慢的程度.否则,您需要使此查询成为可分页的查询,并返回到第一问题.给定有限的结果列表,我怀疑使用@PostFilter在应用程序级别的筛选是否会比在数据库级别的筛选明显变慢.
For the #2 issue if I understand correctly , it is the query that return a result list without any pagination behaviour. Because of that , it is supposed to assume that size of the result is finite and will not grow to the point that it will become very slow to return the result . Otherwise you need to make this query to be pageable and go back to the #1 issue. Given the finite result list , I doubt that filtering at the application level using @PostFilter will become noticeably slower than filtering at the database level.
我已经看到了将每个查询附加到acl的解决方案 查询在db级别进行过滤的查询,但是看起来很丑 因为它会污染与授权相关的业务逻辑, 数据库级acl透明地进行过滤的任何方式/框架?一世 像春季安全性执行安全性的整体方法 通过配置/注释进行声明,从而节省了代码 与安全性直接相关的逻辑,
I have seen solutions where each query is appended with the acl queries which does the filtering at the db level , but that looks ugly as it pollutes business logic with authorization concern, are there any ways/frameworks that does db-level acl filtering transparently ? I like spring-securities overall approach of enforcing security declaratively through config/annotations thus sparing the code from security related logic directly,
因此对于#1问题,如果您使用的是Hibernate,则可以签出
So for the #1 issue , if you are using Hibernate , you can check out @Filter which allows you to declaratively define a where clause that will be appended to the select SQL when querying certain entity. The filter is by default turned off and required to be enabled per transaction .The where clause can also be parameterised .
这意味着您可以简单地使用Spring AOP定义注释来注释您要启用授权的查询方法.然后在此注释支持的建议中,打开此过滤器并为where子句配置参数基于当前用户信息(如有必要).对于未使用此注释注释的查询方法,过滤器将关闭并且不知道授权问题.
That means you can simply use Spring AOP to define an annotation to annotate the query method that you want to enable the authorization .Then in the advice that backed by this annotation , turn on this filter and configure the parameters for the where clause based on the current user information if necessary. For the query method that is not annotated with this annotation , the filter is turned off and not aware of the authorization concern.
基本上,与将授权逻辑添加到查询中相同,但是借助AOP和@Filter的性质,业务逻辑不知道任何授权逻辑.
Basically it is the same as appending the authorization logic to the query , but with the help of AOP and the nature of the @Filter , the business logic is not aware of any authorization logic.
如果Hibernate过滤器不适合您的要求,则可以查看哪些数据访问技术可通过向其添加授权逻辑来轻松修改查询.例如,也可以使用JPA Criteria API,因为它提供了表示查询的对象模型,因此向查询添加授权逻辑等同于调整查询对象.
If Hibernate filter is not suitable for your requirements, you can then look into which data access technologies allow you to modify the query easily by adding the authorization logic to it. For example , using JPA Criteria API is also possible as it provides the object model to represent a query ,and hence adding the authorization logic to the query is just equivalent to tweaking the query object.
这个想法是,您需要对数据访问层进行适当的设计,以便可以使用AOP来配置基础技术,以轻松,一致地应用授权问题.并使用AOP将授权逻辑与业务逻辑分开.
The idea is that you need to have a proper design of the data access layer such that you can use AOP to configure the underlying technology to apply the authorization concern easily and in a consistent way. And use AOP to separate the authorization logic from the business logic.
这篇关于数据库级ACL过滤的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
