Should authorization logic be centralized or decentralized?


Question

We have an SSO system for authenticating users.

We have a debate between these 2 options:

  1. Should we centralize the authorization of each application to one database (or any other single solution) and retrieve the information within the SSO request?

  2. Each web application client should manage its own authorization logic in its local database / schema.

Answer

You should strive to decouple your business logic from non-functional requirements such as authentication, logging, and of course authorization.

You already implemented SSO, and surely you use a user directory as the backend for the SSO to store user identities. This shows you've successfully externalized authentication from the applications you protect. Would you ever consider having a username/password database per app? Would you ever consider writing logic to manage passwords, hashes, etc...? Of course not! The same applies to authorization.

Gartner, the analyst firm, defines the area you are considering as Externalized Authorization Management. You can find more here if you are a Gartner customer.

There are 2 main models to achieve externalized authorization: either you use a role-based access control model (RBAC) or you strive for attribute-based access control (ABAC). NIST provides definitions and more for both:

Many application frameworks provide some form of externalization. Take Java Spring: it comes with Spring Security and Access Decision Managers (more on the Spring architecture here). PHP, Ruby, Python, and .NET, to name but a few, all have their own ways too.

So, if you can, do not implement authorization logic within the app but rather leverage the frameworks you are being given.

Going further, you can even consider standardizing your externalized authorization. Much like SSO has its standard (SAML), externalized authorization has XACML (eXtensible Access Control Markup Language), a standard defined by OASIS, much like SAML, and backed by the likes of IBM, Oracle, and Axiomatics - which is where I work.

XACML gives you a policy-based approach to externalized, fine-grained authorization. You can write policies and apply them to any number of applications. And of course you can extend your SSO layer with XACML.

The benefits of using externalized authorization - and in particular standardizing on XACML - are:

  • Consolidation of authorization logic: easier and cheaper to maintain.
  • Better security: XACML is more expressive, and you now have one place to go to check that security is implemented correctly.
  • Ability to expose new business: some customers I deal with want to expose applications to the web / 3rd parties. Fine-grained authorization lets them control who can do what and under which circumstances.
  • Compliance: look at the world we live in today. Depending on the field we work in (banking, insurance, healthcare...), we have to comply with many regulations. Those regulations are hard to implement in code but easy to express as policies, and that is exactly what XACML provides.

If you want to know some more, I delivered a presentation on Java and XACML at JavaZone 2013. The slides are here.

What SSO solution do you use? SiteMinder gives you an authorization API (ActivePolicy) to implement finer-grained authorization. Have a look at that.

I hope this helps!
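As an added example that is not part of the original answer (and not code from Axiomatics or any XACML product), the following Python sketches the shape of externalized, policy-based authorization the answer argues for: one policy decision point (PDP) holding attribute-based policies with a deny-overrides combining algorithm, and two separate applications acting as thin policy enforcement points (PEPs) that contain no role or department logic of their own and fail closed on anything other than an explicit Permit. The policy structure, attribute names, sample users, records and invoices are all constructed for illustration; the policies are plain Python callables, not XACML syntax.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

Attributes = Dict[str, Any]


@dataclass
class Request:
    """What a PEP hands to the PDP: XACML's subject/resource/action/environment."""
    subject: Attributes
    resource: Attributes
    action: str
    environment: Attributes = field(default_factory=dict)


Condition = Callable[[Request], bool]


@dataclass
class Rule:
    effect: str           # "Permit" or "Deny"
    condition: Condition
    description: str


@dataclass
class Policy:
    description: str
    target: Condition     # which requests this policy applies to at all
    rules: List[Rule]


class PDP:
    """Policy decision point: evaluates every applicable policy, deny-overrides."""

    def __init__(self, policies: List[Policy]) -> None:
        self.policies = policies

    def decide(self, req: Request) -> str:
        decision = "NotApplicable"
        for policy in self.policies:
            if not policy.target(req):
                continue
            for rule in policy.rules:
                if rule.condition(req):
                    if rule.effect == "Deny":
                        return "Deny"        # any matching Deny wins, whatever the order
                    decision = "Permit"
        return decision


def business_hours(req: Request) -> bool:
    return 8 <= req.environment.get("hour", 0) < 18


# Constructed sample policies. In a real deployment these live in the PDP,
# outside every application, so a change is made once and applies everywhere.
POLICIES = [
    Policy("Suspended accounts may do nothing",
           target=lambda r: True,
           rules=[Rule("Deny", lambda r: r.subject.get("status") == "suspended",
                       "suspended users are denied in every application")]),
    Policy("Medical records",
           target=lambda r: r.resource.get("type") == "medical_record",
           rules=[
               Rule("Permit", lambda r: r.subject.get("role") == "doctor"
                    and r.subject.get("department") == r.resource.get("department")
                    and r.action in ("view", "edit", "export"),
                    "doctors work on records of their own department"),
               Rule("Permit", lambda r: r.subject.get("id") == r.resource.get("patient_id")
                    and r.action == "view",
                    "patients may view their own record"),
               Rule("Deny", lambda r: r.action == "export" and not business_hours(r),
                    "no export outside business hours, even for doctors"),
           ]),
    Policy("Invoices",
           target=lambda r: r.resource.get("type") == "invoice",
           rules=[
               Rule("Permit", lambda r: r.subject.get("role") == "accountant"
                    and r.action in ("view", "approve"),
                    "accountants view and approve invoices"),
               Rule("Deny", lambda r: r.action == "approve"
                    and r.resource.get("amount", 0) > r.subject.get("approval_limit", 0),
                    "approval above the user's limit is refused"),
           ]),
]

SHARED_PDP = PDP(POLICIES)


# Two different applications, each a thin PEP. Neither knows what a doctor,
# patient or approval limit is; both only ask the shared PDP and fail closed.
def records_app_allows(user: Attributes, record: Attributes, action: str, hour: int = 10) -> bool:
    req = Request(subject=user, resource=dict(record, type="medical_record"),
                  action=action, environment={"hour": hour})
    return SHARED_PDP.decide(req) == "Permit"


def billing_app_allows(user: Attributes, invoice: Attributes, action: str) -> bool:
    req = Request(subject=user, resource=dict(invoice, type="invoice"), action=action)
    return SHARED_PDP.decide(req) == "Permit"
```

The point to notice is the asymmetry: the "suspended" rule and the business-hours rule were each written once and bind both applications without either codebase changing, while an app that kept its own role table would need the same fix applied in every place. Treating `NotApplicable` as a denial at the PEP is what keeps the system fail-closed when a new resource type appears before anyone has written a policy for it.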
