
Spring ABAC data filtering vs Spring @PostFilter

I am using the ABAC model for securing access to some entities in a project. According to https://dzone.com/articles/simple-attribute-based-access-control-with-spring , I can easily define some policy rules for updating/deleting entities in the project. After many hours of searching, I came across the only normally documented way to filter the data available to the user: using Spring Security `@PostFilter`. The problem is the performance of this approach. What are the available ways to shift the responsibility for filtering data to the database, while not mixing business logic with the logic of the role model?

So far I have tried only coding up the JPA Specification: the module responsible for the role model takes into account the user's parameters (id, group_id / organization_id) to compose logical expressions, and all the parameters by which the business needs to filter are added to a composition of such Specification expressions. But this solution forces the use of only Specifications for data retrieval. Moreover, it is not very clear how to store these expressions in the policy store.

You're hitting an aspect that has to do with types of authorization. I like to break it down into 3 types:

  • functional authorization (can I print?)
  • transactional authorization (can I print doc #123?)
  • data-centric authorization (list the docs I can print)

The first 2 types are binary yes/no questions and they scale well, i.e., you ask about one item / record and you get one answer.

The third type is trickier because it's about filtering more so than authorization. Imagine you have a million records. You're not going to iteratively ask whether you can view / edit / print the given record. It wouldn't scale. What you need to do is reverse the process and use what's known as a partial evaluation or a reverse query.

Some database vendors (Informatica...) and authorization vendors (Axiomatics...) provide the ability to dynamically filter data to achieve scalable authorization. I would look down that path.
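As an added example (not code from the question, the answer, or the DZone article), the sketch below shows the answer's "partial evaluation / reverse query" idea applied to the questioner's setup: the role-model module binds the known subject attributes of a policy rule and emits only the resource-side predicate as SQL, which is then composed with an independent business filter in one database query, so the policy never has to be evaluated row by row. It is written in Python over SQLite so it runs stand-alone; the policy AST shape, the `doc` table and the column whitelist are assumptions, and the same structure maps onto composing JPA Specifications.

```python
import sqlite3

# Assumed policy AST: ("and"/"or", l, r) | ("eq", a, b) | ("in", a, [values]).
# Terms are "subject.<attr>" (known at query time), "resource.<column>"
# (unknown, stays symbolic) or a literal constant.
COLUMNS = {"owner_id", "org_id", "status"}   # whitelist of resource columns

def _term(ref, subject):
    """Subject values become bound parameters; resource refs become columns."""
    if isinstance(ref, str) and ref.startswith("subject."):
        return "?", [subject[ref[len("subject."):]]]
    if isinstance(ref, str) and ref.startswith("resource."):
        col = ref[len("resource."):]
        if col not in COLUMNS:            # never splice unknown names into SQL
            raise ValueError(f"unknown resource column {col!r}")
        return col, []
    return "?", [ref]                       # literal constant

def partial_eval(rule, subject):
    """Reverse query: return (where_sql, params) with subject attrs bound."""
    op = rule[0]
    if op in ("and", "or"):
        l_sql, l_par = partial_eval(rule[1], subject)
        r_sql, r_par = partial_eval(rule[2], subject)
        return f"({l_sql} {op.upper()} {r_sql})", l_par + r_par
    if op == "eq":
        a, a_par = _term(rule[1], subject)
        b, b_par = _term(rule[2], subject)
        return f"{a} = {b}", a_par + b_par
    if op == "in":
        a, a_par = _term(rule[1], subject)
        return f"{a} IN ({', '.join('?' for _ in rule[2])})", a_par + list(rule[2])
    raise ValueError(f"unknown operator {op!r}")

# Constructed policy: owner sees own docs; org members see published org docs.
POLICY = ("or",
          ("eq", "resource.owner_id", "subject.id"),
          ("and", ("eq", "resource.org_id", "subject.org_id"),
                  ("in", "resource.status", ["published"])))

def visible_docs(conn, subject, business_filter=("1 = 1", [])):
    """Compose the policy predicate with a separate business filter in one query."""
    pol_sql, pol_par = partial_eval(POLICY, subject)
    biz_sql, biz_par = business_filter
    sql = f"SELECT id FROM doc WHERE {pol_sql} AND ({biz_sql}) ORDER BY id"
    return [row[0] for row in conn.execute(sql, pol_par + biz_par)]

def demo_db():
    """Constructed sample data: (id, owner_id, org_id, status)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE doc(id INTEGER, owner_id INTEGER, org_id INTEGER, status TEXT)")
    conn.executemany("INSERT INTO doc VALUES (?,?,?,?)", [
        (1, 10, 1, "draft"), (2, 11, 1, "published"), (3, 11, 1, "draft"), (4, 12, 2, "published")])
    return conn
```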
