
Spring Security user based permission? (not role based)

Assume I have a database composed of users and projects. A user has a one-to-many relationship with projects. The user can do operations using REST endpoints.

The problem is: how can I verify that this user owns this resource?

I don't want a malicious user to change an id and then suddenly view another person's project details/images/etc. Think of it like social media (my app is not social media, but I'm trying to illustrate the issue): where you can view only your images but not another person's images despite having the same "status".

Most spring-security blogs online are using a role-based approach. I have no idea what to even search for in this case (I tried multiple search queries to no avail).

One option is to run some sort of multi-join query on every resource request/operation until I reach that resource id and check its owning user to see if it is the logged-in user. However, I am not sure if this way is efficient, since there are multiple tables in a chain in the real app (it could have a lot of joins if I go this way manually; example: user -> project -> tasklist -> ... -> Note; deleting a note would trigger a large chain), or how to make the "authorizer" use it.

What are my options?

In case it matters: I am using spring-boot + hibernate/JPA + spring-security.

Spring Security has the following concepts:

Authentication:

Proving that an actor is who it vouches to be. Authentication is done using credentials, where credentials can take any number of forms - username/password, token, hardware key, etc.

You can set up Spring Security with a set of acceptable authentication providers.

Authorization:

Given an authenticated user, deciding if that user has access to a given resource. Where the resource can be:

  • An HTTP endpoint.
  • A Java method.
  • A property of an object.

What you want to do here is provide a custom authorization scheme.

You can read about Spring Security's authorization architecture here, including how to set up custom authorization. Once you're ready you might ask specific questions as you go.
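One concrete way to implement the ownership check the question asks about, as an example added here rather than code from the answer or the asker: a Spring bean referenced from `@PreAuthorize` delegates to a Spring Data JPA query, so the persistence layer generates the join chain (user -> project -> tasklist -> note) and the check runs before the handler body. Entity, field and bean names (`Note`, `TaskList`, `Project`, `owner.username`, `@ownership`) are assumptions; method security must be switched on with `@EnableMethodSecurity` (or `@EnableGlobalMethodSecurity(prePostEnabled = true)` on older Spring Security versions).

```java
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.*;

// Assumed entities from the question: Note -> TaskList -> Project -> User (owner),
// with User having a "username" field that matches Authentication.getName().
interface NoteRepository extends JpaRepository<Note, Long> {
    // JPQL walks the association chain; Hibernate generates the joins, so the
    // ownership check is a single query and no entity graph is loaded.
    @Query("select count(n) > 0 from Note n"
         + " where n.id = :id and n.taskList.project.owner.username = :user")
    boolean existsByIdAndOwner(@Param("id") Long id, @Param("user") String user);
}

// Bean referenced from SpEL in @PreAuthorize as "@ownership" (assumed name).
@Component("ownership")
class OwnershipChecker {
    private final NoteRepository notes;
    OwnershipChecker(NoteRepository notes) { this.notes = notes; }

    // Fail closed: missing/anonymous callers and missing ids are denied.
    // Nothing here trusts the id from the URL; the database decides who owns it.
    public boolean ownsNote(Authentication auth, Long id) {
        return auth != null && !(auth instanceof AnonymousAuthenticationToken)
            && id != null && notes.existsByIdAndOwner(id, auth.getName());
    }
}

@RestController
class NoteController {
    private final NoteRepository notes;
    NoteController(NoteRepository notes) { this.notes = notes; }

    // Evaluated before the method body runs; a non-owner gets
    // AccessDeniedException -> HTTP 403, so changing the id in the URL
    // cannot reach another user's note.
    @PreAuthorize("@ownership.ownsNote(authentication, #id)")
    @DeleteMapping("/notes/{id}")
    public void deleteNote(@PathVariable Long id) {
        notes.deleteById(id);
    }
}
```

Each entity type needs its own ownership query (a direct child of the user can use a derived method such as `existsByIdAndOwnerUsername`), and the `@PreAuthorize` expression is the single place that ties the endpoint to that query.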
