dis*_*ame  5  tags: java, hibernate, access-control, spring-security
I'm not sure whether I'm using Spring Security's features correctly.
My problem is that I want to prevent a logged-in user from sending an arbitrary ID to my server and thereby accessing data that doesn't belong to him. But every tutorial I can find is about a simple login procedure. How can I use it to get rid of
// Long ids are objects: compare them with equals(), not ==
if (Objects.equals(item.getStore().getId(), store.getId())) { /* .. */ }
in this example:
// StoreService.java
import java.util.Objects;

@Transactional
public ItemDTO deleteItem(String sessionId, Long storeId, ItemDTO itemDto) {
    // sessionId is the cookie I have placed in my database.
    // This way I want to ensure that I am only accessing a store
    // that is associated with the logged-in store owner (the user, basically).
    Store store = this.storeOwnerRepository.getStore(sessionId, storeId);
    Item item = ConvertDTO.convertItem(store, itemDto);
    // THIS CHECK IS WHAT I WANT TO GET RID OF:
    // Check whether the store ID I got via the cookie is the same ID
    // as the store ID of the item that should be deleted.
    // (Long must be compared with equals(); == compares references and only
    // happens to work for small values the JVM caches.)
    if (Objects.equals(item.getStore().getId(), store.getId())) {
        item = this.storeOwnerRepository.deleteItem(item);
    } else {
        // If this didn't work we have a potentially hostile user:
        throw new RuntimeException("Is somebody trying to delete items from a store he doesn't own?");
    }
    itemDto = ConvertEntity.convertItem(item);
    return itemDto;
}
using Spring annotations? Is this possible with Spring Security?
Another thing that might be useful is Hibernate Filters, but I'm not sure I want my database to know about the security aspects of my data.
So I'm pretty confused about how to do this properly. Any ideas?
We have implemented this kind of security on domain objects using Spring's ACL API. This consists of:
- An implementation of the org.springframework.security.acls.model.AclService interface that knows how to return a given principal's permissions on a given domain object. For example, if the principal has relationship foo with this domain object, grant READ and WRITE permissions; if relationship bar, grant READ, WRITE and DELETE permissions.
- org.springframework.security.access.prepost.PreAuthorize and org.springframework.security.access.prepost.PostAuthorize annotations that define the access-control assertions to enforce. For example, this method requires the currently authenticated user to have "WRITE" permission on the parameter of type X, or that method requires the currently authenticated user to have "READ" permission on the return object. If either assertion fails, an AccessDeniedException is thrown.
- The global-method-security element from Spring Security's XML namespace.
There are a lot of details to consider, but we have used this approach in several web applications to good effect. It lets you separate the who-gets-what-permissions-on-which-objects logic from the what-permissions-are-needed-to-perform-this-action logic, and keeps both out of your database queries.
Of course, in some cases you need to enforce access control in the query itself rather than querying first and then filtering the results. I've seen the term "early binding" used for enforcing access control in the database query, and "late binding" for enforcing it on the query results. The Spring Security ACL API is a very good, powerful late-binding solution.
You end up with business service methods like the following:
// Checked after the call: the caller must hold READ on the object returned
@PostAuthorize("hasPermission(returnObject, 'READ')")
public MyItem getMyItem(Long id) {
    return dao.getMyItem(id);
}

// Checked before the call: the caller must hold DELETE on the argument
@PreAuthorize("hasPermission(#toDelete, 'DELETE')")
public void deleteMyItem(MyItem toDelete) {
    dao.delete(toDelete);
}
and an AclService with a method like:
public Acl readAclById(ObjectIdentity objectIdentity, List<Sid> sids) throws NotFoundException {
    /*
     * Examines objectIdentity, which identifies the domain object in question,
     * and sids, which identify the principal(s) who want permissions on the
     * domain object, then returns an ACL instance with permission grants on
     * that domain object for that/those principal(s).
     */
    return new AclImpl(...);
}
and the following in your applicationContext-security.xml:
<beans:bean id="permissionEvaluator"
            class="org.springframework.security.acls.AclPermissionEvaluator">
    <beans:constructor-arg ref="aclServiceImpl" />
</beans:bean>

<beans:bean id="expressionHandler"
            class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <beans:property name="permissionEvaluator" ref="permissionEvaluator" />
</beans:bean>

<global-method-security pre-post-annotations="enabled">
    <expression-handler ref="expressionHandler" />
</global-method-security>
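The answer above wires hasPermission() to the full ACL API. For the asker's concrete case (one store owner per store, and a client-supplied ID that must not be trusted) the same annotation can be backed by a plain PermissionEvaluator, and the "early binding" alternative the answer mentions can be shown side by side. The following is an added example written for this page; it is not code from the question, the answer, or Spring. It assumes the page's Item and ItemDTO types, that Store exposes the owner's login name as getOwnerUsername() (a hypothetical accessor), that the store owner is the authenticated Spring Security principal rather than a home-grown session cookie, and Spring Data JPA plus Spring Security 4/5-era Java configuration.

```java
import java.io.Serializable;
import java.util.Objects;

import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Lazy;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Modifying;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

// Assumed Spring Data repository over the page's Item entity. The JPQL path
// i.store.ownerUsername is an assumption about the Store mapping.
interface ItemRepository extends JpaRepository<Item, Long> {

    // "Early binding": ownership is part of the WHERE clause, so a delete by a
    // non-owner matches zero rows instead of needing a check afterwards.
    @Modifying
    @Query("delete from Item i where i.id = :id and i.store.ownerUsername = :owner")
    int deleteOwnedItem(@Param("id") Long id, @Param("owner") String owner);
}

// "Late binding": the evaluator behind hasPermission(...) in the SpEL expression.
class ItemPermissionEvaluator implements PermissionEvaluator {

    private final ItemRepository items;

    ItemPermissionEvaluator(ItemRepository items) {
        this.items = items;
    }

    // Used by hasPermission(#itemDto, 'DELETE'). The DTO came from the client,
    // so any store id inside it is ignored; ownership is resolved from what the
    // database records for the item id.
    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || !(target instanceof ItemDTO)) {
            return false;
        }
        return ownsItem(auth, ((ItemDTO) target).getId(), permission);
    }

    // Used by hasPermission(#id, 'Item', 'DELETE').
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        if (auth == null || !"Item".equals(targetType) || !(targetId instanceof Long)) {
            return false;
        }
        return ownsItem(auth, (Long) targetId, permission);
    }

    private boolean ownsItem(Authentication auth, Long itemId, Object permission) {
        if (itemId == null || !"DELETE".equals(permission)) {
            return false;
        }
        // Deny by default: an unknown id produces the same AccessDeniedException as a
        // foreign one, so probing ids does not reveal which items exist.
        return items.findById(itemId)
                .map(item -> Objects.equals(item.getStore().getOwnerUsername(), auth.getName()))
                .orElse(false);
    }
}

@Service
class StoreService {

    private final ItemRepository items;

    StoreService(ItemRepository items) {
        this.items = items;
    }

    // Replaces the hand-written id comparison from the question: the evaluator
    // runs before the body, and a failed check throws AccessDeniedException.
    @PreAuthorize("hasPermission(#itemDto, 'DELETE')")
    @Transactional
    public void deleteItem(ItemDTO itemDto) {
        items.deleteById(itemDto.getId());
    }

    // Same guarantee with early binding only: no annotation, the query decides.
    @Transactional
    public boolean deleteItemOfCurrentOwner(Long itemId, Authentication auth) {
        return items.deleteOwnedItem(itemId, auth.getName()) == 1;
    }
}

// Java-config equivalent of the expressionHandler / global-method-security XML above.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

    private final ItemRepository items;

    MethodSecurityConfig(@Lazy ItemRepository items) {
        this.items = items;
    }

    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(new ItemPermissionEvaluator(items));
        return handler;
    }
}
```

Two points to check in a real deployment: `#itemDto` in the SpEL expression needs parameter names at runtime (compile with `-parameters` or annotate the argument with Spring Security's `@P("itemDto")`), and the annotation only fires when the service is called through its Spring proxy, so a call from another method inside StoreService bypasses it. The early-binding method is the stronger of the two when the same rule must also apply to list and search queries, because the filter then lives in one place, the query, rather than in a post-check that can be forgotten.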
Views: 4015