How to prevent users from accessing other users' data with dotnet core and RESTful APIs?


Question

I'm trying to find the best solution to a simple problem that is not widely discussed.

My application has lots of users that can create and edit data. A user should only see and edit his own data, not others'.

Think about Alice, who has a Restaurant A with a Menu MenuA, and Bob, who has a Restaurant B and a Menu MenuB.

I have APIs to CRUD restaurants and menus, and I can easily authorize only logged-in users with the correct claims and roles. What I want to do now is prevent Bob from accessing Alice's restaurant or menu, and vice versa. For instance, Bob should be authorized to PUT /api/restaurants/B but should be unauthorized to PUT /api/restaurants/A or even PUT /api/restaurants/A/menus/x.

A possible solution is the one provided here: ASP.NET MVC Attribute to only let user edit his/her own content. This solution requires creating a custom Authorize attribute that actively checks whether the logged-in user is the proprietor of the accessed entity. The entities have a userId field to check if the user making the request is the owner of the data. This solution is nice and clean but lacks some features. Every entity in the model should have a userId field and can only be accessed by the owner, OR for each entity I need to navigate to the root entity of the authorization model (e.g. when accessing a Menu I need to query for the parent entity Restaurant to check if MenuB is inside a Restaurant owned by the user). To achieve multiple owners (e.g. the restaurant managers) the logic will be a lot more complex. I am also worried about the overhead here, since basically every call requires running some queries to check data access, but it will probably not be an issue.

Is there a best practice?

Answer

What you want to do is implement attribute-based access control, or ABAC.

In the ABAC architecture, you have the notion of a policy enforcement point (PEP) which intercepts the API call and determines whether the call should go through. The PEP converts the API call into an authorization request and sends it off to a central Policy Decision Point (PDP).

The following architecture diagram summarizes the flow.

The PDP is configured with a set of policies that determine what is allowed and what is denied. For instance you can write policies such as:

  • A restaurant owner can view the restaurant page.
  • A restaurant owner can edit that restaurant's menu.
  • A customer can view any restaurant's menu if the restaurant is public.

There are two languages you can write policies in: XACML or ALFA.

For instance, in ALFA, a policy would look like:

namespace restaurant{
    // Subject attribute: the id of the user making the request
    attribute userId{
        category = subjectCat
        id = "restaurant.userId"
        type = string
    }
    // Resource attribute: the id of the restaurant's owner
    attribute owner{
        category = resourceCat
        id = "restaurant.owner"
        type = string
    }
    policy restaurant{
        target clause objectType == "restaurant"
        apply firstApplicable
        // "A restaurant owner can view the restaurant page"
        rule ownerCanView{
            target clause actionId == "view"
            permit
            condition userId == restaurant.owner
        }
    }
}

All you need is to use a XACML 3.0 Policy Decision Point. There are Java and .NET implementations as well as commercial ones. Have a look at this blog post on .NET authorization.
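The PEP/PDP split described in the answer can also be implemented in-process in ASP.NET Core, without a XACML product. The following is an added example (not code from the question, the answer, or any library the answer mentions): a small attribute-based PDP holding the three policies listed above plus one extra rule letting an owner edit the restaurant itself (so that PUT /api/restaurants/B works), and resource-based authorization handlers acting as the PEP. The entity shapes, the IRestaurantRepository interface, the "sub" claim as user id, and the Ops names are assumptions made for the example; the ASP.NET Core types used (AuthorizationHandler<TRequirement, TResource>, OperationAuthorizationRequirement, IAuthorizationService.AuthorizeAsync) are the framework's real resource-based authorization API.

```csharp
// Added example: in-process ABAC for the restaurant/menu API.
// Assumptions: entity shapes below, a "sub" (or NameIdentifier) claim holding the user id,
// an IRestaurantRepository, and handlers registered with
//   services.AddSingleton<IAuthorizationHandler, RestaurantPep>();
//   services.AddSingleton<IAuthorizationHandler, MenuPep>();
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;
using Microsoft.AspNetCore.Mvc;

// Domain (assumed shape). Several owners per restaurant (e.g. managers) are allowed.
public class Restaurant
{
    public string Id { get; set; } = "";
    public HashSet<string> OwnerIds { get; set; } = new();
    public bool IsPublic { get; set; }
}
public class Menu
{
    public string Id { get; set; } = "";
    public Restaurant Restaurant { get; set; } = null!; // parent = root of the authorization model
}

// The authorization request the PEP sends to the PDP: only subject, action and resource attributes.
public record AuthzRequest(string SubjectId, string Action, string ObjectType, Restaurant Restaurant);
public enum Decision { Permit, Deny, NotApplicable }

// PDP: ordered rules, first applicable rule wins, default Deny (mirrors "apply firstApplicable").
public static class RestaurantPdp
{
    private static bool IsOwner(AuthzRequest r) => r.Restaurant.OwnerIds.Contains(r.SubjectId);

    private static readonly Func<AuthzRequest, Decision>[] Rules =
    {
        // A restaurant owner can view the restaurant page, and (added here) edit the restaurant.
        r => r.ObjectType == "restaurant" && IsOwner(r) ? Decision.Permit : Decision.NotApplicable,
        // A restaurant owner can edit that restaurant's menu.
        r => r.ObjectType == "menu" && r.Action == "edit" && IsOwner(r) ? Decision.Permit : Decision.NotApplicable,
        // A customer can view any restaurant's menu if the restaurant is public.
        r => r.ObjectType == "menu" && r.Action == "view" && r.Restaurant.IsPublic ? Decision.Permit : Decision.NotApplicable,
    };

    public static Decision Decide(AuthzRequest request)
    {
        foreach (var rule in Rules)
        {
            var d = rule(request);
            if (d != Decision.NotApplicable) return d;
        }
        return Decision.Deny; // nothing matched: deny by default
    }
}

// Operations the controllers ask about; Name becomes the PDP's action attribute.
public static class Ops
{
    public static readonly OperationAuthorizationRequirement View = new() { Name = "view" };
    public static readonly OperationAuthorizationRequirement Edit = new() { Name = "edit" };
}

// PEPs: translate (user, requirement, resource) into an AuthzRequest and enforce the decision.
public static class Pep
{
    public static string? SubjectOf(ClaimsPrincipal user) =>
        user.FindFirst("sub")?.Value ?? user.FindFirst(ClaimTypes.NameIdentifier)?.Value;

    public static void Enforce(AuthorizationHandlerContext ctx, OperationAuthorizationRequirement req,
                               string objectType, Restaurant root)
    {
        var subject = SubjectOf(ctx.User);
        if (subject != null &&
            RestaurantPdp.Decide(new AuthzRequest(subject, req.Name, objectType, root)) == Decision.Permit)
            ctx.Succeed(req); // not calling Succeed leaves the requirement unmet, i.e. access is refused
    }
}
public class RestaurantPep : AuthorizationHandler<OperationAuthorizationRequirement, Restaurant>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext ctx,
        OperationAuthorizationRequirement req, Restaurant restaurant)
    { Pep.Enforce(ctx, req, "restaurant", restaurant); return Task.CompletedTask; }
}
public class MenuPep : AuthorizationHandler<OperationAuthorizationRequirement, Menu>
{
    // The menu's parent Restaurant carries the owner attributes: the one extra navigation the
    // question worried about is done once here instead of in every controller action.
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext ctx,
        OperationAuthorizationRequirement req, Menu menu)
    { Pep.Enforce(ctx, req, "menu", menu.Restaurant); return Task.CompletedTask; }
}

public interface IRestaurantRepository // assumed; the lookup is scoped by BOTH ids, so
{                                      // /restaurants/A/menus/x cannot reach a menu that belongs to B
    Task<Menu?> FindMenuAsync(string restaurantId, string menuId);
}

[ApiController, Route("api/restaurants")]
public class RestaurantsController : ControllerBase
{
    private readonly IAuthorizationService _authz;
    private readonly IRestaurantRepository _repo;
    public RestaurantsController(IAuthorizationService authz, IRestaurantRepository repo)
    { _authz = authz; _repo = repo; }

    [HttpPut("{restaurantId}/menus/{menuId}")]
    public async Task<IActionResult> UpdateMenu(string restaurantId, string menuId)
    {
        var menu = await _repo.FindMenuAsync(restaurantId, menuId);
        if (menu is null) return NotFound();
        var result = await _authz.AuthorizeAsync(User, menu, Ops.Edit);
        // 404 rather than 403 for a denied request keeps Bob from learning that Alice's menu x exists.
        if (!result.Succeeded) return NotFound();
        // ... apply the update ...
        return NoContent();
    }
}
```

With this layout the controllers never reason about ownership: they load the resource (scoped by every id in the route) and ask IAuthorizationService. Adding the "restaurant managers" case is one more entry in OwnerIds, and a new policy (for example, a public restaurant page) is one more rule in RestaurantPdp rather than another custom attribute. Swapping RestaurantPdp for a call to an external XACML PDP later changes only Pep.Enforce.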
