堆栈内存溢出
  简体   繁体   English

JAX-RS和资源所有权限制

[英]JAX-RS and resource ownership restrictions

 原文  2015-11-13 11:01:22       java/ web-services/ rest/ jax-rs

问题描述

There are many good resources and literature on how to set up aa JAX-RS API. 关于如何设置JAX-RS API,有很多好的资源和文献。 However, I have yet to find any resource that properly describes how to do security restrictions towards specific resources and methods. 但是,我尚未找到任何能正确描述如何对特定资源和方法进行安全限制的资源。 For example, given a resource PictureResource , only the uploader of the picture (and an admin) should be able to delete or change properties related to the picture, while anyone should be able to view the picture. 例如,给定资源PictureResource ,只有图片的上传者(和管理员)应该能够删除或更改与图片相关的属性,而任何人都可以查看图片。 The admin restriction is fine as it can be solved by roles , however the uploader would depend on the context of the call. 管理员限制很好,因为可以通过角色解决,但是上载者将取决于调用的上下文。 A token identifying the user would then describe who is making the call. 然后,标识用户的令牌将描述谁在拨打电话。 This can be solved through a ContainerRequestFilter . 这可以通过ContainerRequestFilter解决。 

@Path("pictures/{pictureId}")
public class PictureResource {

    @GET
    public Response getPicture(@PathParam("pictureId") final int pictureId) {
        // Get the picture, available for all users.
    }

    @DELETE
    public Response deletePicture(@PathParam("pictureId") final int pictureId) {
        // Delete the picture, only available for the uploader of the picture and admins.
    }

    // ...
}

What would be the JAX-RS way of solving this issue? 解决此问题的JAX-RS方法是什么? I'm assuming this can be solved by annotations, but is is rather vague to me how to do this. 我假设这可以通过注释来解决,但是对我来说却很模糊。 Would another approach be to dynamically assign the user a pictureOwnerRole depending on the context of the call? 另一种方法是根据调用的上下文为用户动态分配一个pictureOwnerRole吗?

1 个解决方案

解决方案1
 2  2016-09-13 17:53:26

The problem is discrete resource access control. 问题是离散资源访问控制。 You need a standard way to describe the resource being accessed in terms of ownership. 您需要一种标准的方式来按照所有权描述正在访问的资源。 Who owns the resource, and who has been granted scoped authority over it. 谁拥有资源,以及谁被授予对该资源的范围内的权限。

The problem is that this is very domain specific. 问题在于这是非常特定于域的。 Resource grouping and ownership requires the ability to lookup a resource instance or associated metadata and determine ownership/access requirements. 资源分组和所有权要求具有查找资源实例或关联的元数据并确定所有权/访问要求的能力。

I don't know of any security frameworks that provide a standard framework or annotation for this. 我不知道有任何安全框架为此提供标准框架或注释。

You could place pictures into a directory structure and use directory access control to determine what users have what access to the resources. 您可以将图片放入目录结构中,并使用目录访问控制来确定哪些用户可以对资源进行什么访问。

Something like @Secured("ownerDecider=PictureInspector.class") would be how I would approach it. @Secured("ownerDecider=PictureInspector.class")这样的东西将是我的处理方式。 The AccessDecisionVoter or AfterInvocationProvider in spring security could then use the provided strategy for discerning ownership, and restrict access accordingly. 然后, AfterInvocationProvider中的AccessDecisionVoterAfterInvocationProvider可以使用提供的策略来识别所有权,并相应地限制访问。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 什么是 JAX-RS 资源? - What is a JAX-RS resource? JAX-RS:服务资源顺序 - JAX-RS: Service Resource order JAX-RS:每个资源的选项 - JAX-RS: OPTIONS for every Resource 如何在JAX-RS资源中注入ConnectionFactory? - How to inject a ConnectionFactory in a JAX-RS resource? JAX-RS资源方法签名 - JAX-RS resource method signatures Jax-RS过滤器将对象传递给资源 - Jax-RS Filter pass object to resource JAX-RS资源生命周期性能影响 - JAX-RS Resource Lifecycle Performance Impact Jax-RS没有使用@provider注释注册资源 - Jax-RS not registering resource with @provider annotation 请求的资源不可用 jax-rs 服务 - Requested resource not available jax-rs service 在JAX-RS资源中结合@Context和@RolesAllowed? - Combining @Context and @RolesAllowed in a JAX-RS resource?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM