用于层次结构树角色的Spring Security / Java EE解决方案 [英] Spring Security / Java EE solutions for hierarchy tree roles
问题描述
我知道Spring Security适用于标准角色和基于权限的授权。我不确定的是这种情况:
I know Spring Security is good for standard role and permission based authorisation. What I'm not sure is this scenario:
系统中管理着10,000名员工,员工组织成一个组织结构图(一个向各部门报告的人员树) )。其中一些员工是用户。这些用户只被允许访问其职责范围内的员工(他们在树中的分支/员工的后代)。
There are 10,000 employees managed in the system, employees organised into an org chart (a tree of who reports to who across departments). Some of these employees are users. These users are only permitted to access employees in their line of responsibility (their branch in the tree / a descendant of their employee).
所以我想知道现代Java如何做EE(或其他)系统管理这些检查? Spring Security(ACL)可以做到这一点吗?如何建模?
So I am wondering how do modern Java EE (or other) systems manage these checks? Can Spring Security (ACL) do this and How can it be modelled?
我们的旧实现(多年前)是用户访问员工时我们可以检查是否请求的员工是递归树的后代。但这不是理想的解决方案,我们希望使用新的解决方案。
Our old implementation (many years ago) is when a user accesses an employee we can check whether the requested employee is a descendant by recursing up the tree. But this is not the ideal solution and we want to use a new solution.
推荐答案
因为我一直在研究这个问题就像现在一个月一样,我可以给你这个问题的答案,但是可能会有更好的答案。
Spring Security中有一些角色层次结构,如果你使用ROLE_A> ROLE_B那么ROLE_A会拥有ROLE_B拥有的所有授权。
所以这里有两个选项:
1。对于每个用户及其后代都有一对像。用户的ROLE_USERi和后代的ROLE_USERiDESC。您将拥有
ROLE_USERi> ROLE_USERIDESC
但是(因为我不知道您的组织结构图)这可能是不够的,因为可能有很多这些对!不知何故,如果你的树有两个或三个级别(ROLE_USER最多只有一个或两个优先级),那么它是合适的,因为角色越高,它拥有的权限就越大。
2.在我的项目中(偶然相似)我做了另一种选择。我有一些基本行为的基本角色。我有一个关心小组,护理人员可以在其中观察其后代数据。
为什么我会这样做?因为我必须有某些动作的角色(比如编辑) ,删除,访问一些敏感数据和......)以及关心群体观察。
如果A是B的看护者,它可以观察B的数据,但A不能做任何超出其权限的事情。 br>
BTW,尚未完全测试,您可能会找到另一种可能的解决方案。
As I've been working on this subject like for a month now, I can give you my answer to this question, however there might be a better answer.
There is something as Role Hierarchy in Spring Security and if you use ROLE_A > ROLE_B then ROLE_A will have all authorizations that ROLE_B has.
So there are two options here:
1. For every user and its descendants have a pair of roles like . ROLE_USERi for the user and ROLE_USERiDESC for its descendants. You will have
ROLE_USERi > ROLE_USERiDESC
But (as I don't know your org chart) this may be insufficient because there may be a lot of these pairs! It's, somehow, suitable if your tree has two or three levels (ROLE_USER has at most one or two ascendants) because the higher the role is, the more authorities it will have.
2. In my project (which by accident is so much similar) I did the other alternative. I have some basic roles for some basic actions. And I have a "caring group" in which a carer can observe its descendants data.
Why would I do that? Because I have to have roles for some action (like edit, delete, accessing to some sensitive data and ...) and caring groups to observe.
If A is a carer of B, it can observe B's data, but A cannot do anything beyond its authorities.
BTW, It's not yet completely tested and you may come to another possible solution.
参见:
- Spring Security 3.1.x Documentation
这篇关于用于层次结构树角色的Spring Security / Java EE解决方案的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
