简体繁体 English

如何管理大量权限？

[英]How to manage a large number of permissions?

原文 2011-04-21 14:35:47 4 2 java/ security/ java-ee/ acl

I am working on a large Java EE web-app with CRM functionalit and we are looking for a security approach/library/solution/anything. 我正在开发一个具有CRM功能的大型Java EE Web应用程序，我们正在寻找安全方法/库/解决方案/任何东西。 Basic role-based security won't work since access control must be based on both role and hierarchy, but must be optionally customisable per document. 基本的基于角色的安全性将不起作用，因为访问控制必须基于角色和层次结构，但必须可选择根据文档进行自定义。 Because there will be confidential and proprietary information stored, it is a requirement that the security works properly. 由于存储了机密和专有信息，因此要求安全性正常运行。

Example: To use department store, shelf ~~stalkers~~ stockers can create reports that other stockers can read only if they are in the same department. 示例：要使用百货商店，货架~~追踪者~~可以创建其他储料商只有在同一部门才能阅读的报告。 Now their department manager can read/write/update/delete all reports written by stockers and write reports that all others department managers can read but not see reports of store managers, etc, whom the district managers can r/w/u/d etc. Now, the complications: people at higher levels can make things visible to people at lower levels, either to individuals (department writes document to several specific stockers) users or everyone below them (store manager writes a memo to the entire store) or any permutation you can imagine. 现在，他们的部门经理可以读/写/更新/删除由储存者撰写的所有报告，并编写所有其他部门经理可以阅读的报告，但不会看到商店经理等的报告，地区经理可以使用他/她/她/等等现在，复杂性：较高层次的人可以让较低级别的人看到事物（个人（部门写入文件给几个特定的储存者）用户或他们下面的每个人（商店经理给整个商店写一份备忘录）或任何你可以想象的排列。 Also, individuals can create reports that their peers cannot see or they can choose grant access to store stockers in other districts etc. 此外，个人可以创建他们的同事看不到的报告，或者他们可以选择授权访问其他地区的商店储存者等。

We are considering an ACL with one permission per entity, but are worried about the large number of records that would create. 我们正在考虑一个ACL，每个实体有一个权限，但是担心会创建大量记录。 Even if only a report was readable to everyone else in a department of 30 and every person above them [in the chain of command], creating a single report would require ~40 records! 即使只有一个报告对30个部门的每个人以及他们之上的每个人[在命令链]中都是可读的，创建一个报告就需要大约40个记录！ With 1 report per week per user that is 2000 permissions per user per year. 每个用户每周有1个报告，即每个用户每年2000个权限。 1,500 users means over 3,000,000 permissions per year. 1,500名用户意味着每年超过3,000,000个权限。

It seems like a rule-engine based approach would be nice, but I have not seen any blogs or articles mentioning that approach so we're hesitant to that approach. 看起来像基于规则引擎的方法会很好，但我没有看到任何博客或文章提到这种方法，所以我们对这种方法犹豫不决。

We are also considering some ACL/rule home-brew hybrid where you could grant permission to a department id with a discriminator of "manager" or "stockers" etc to subselect, but are worried that checking for all possible permissions (you could be granted permission specifically by another user, you have permission as a memeber of your department, you could have permission as a member of a store, or of district) sounds like an error-prone tedious nightmare. 我们也正在考虑一些ACL /规则家酿混合，你可以授权部门ID与“经理”或“储存器”等鉴别器进行subselect，但担心检查所有可能的权限（你可以被授予特别是其他用户的许可，你有权作为你所在部门的成员，你可以作为商店或地区的成员获得许可，听起来像是一个容易出错的繁琐噩梦。

What is the best approach for our application? 我们的应用程序的最佳方法是什么？

2 个解决方案

You could look at using Spring Security and ACL's - the nice thing about Springs ACL implementation is it is implemented with AoP it should be easier to integrate. 你可以看看使用Spring Security和ACL - 关于Springs ACL实现的好处是它是用AoP实现的，它应该更容易集成。

It sounds like your security requirements are quite complicated - off the top of my head I dont know how you'd implement this.. but you can reduce the number of records required by creating ACL's against your object hierarchy and having objects 'inherit' permissions from parent objects. 这听起来像你的安全要求非常复杂 - 我不知道你是如何实现这个...但你可以减少创建ACL对你的对象层次结构和对象'继承'权限所需的记录数来自父对象。 You grant a user read permissions to the parent Department of a Report - so they would inherit read access to the child reports of that department. 您授予用户对报告的父部门的读取权限 - 因此他们将继承对该部门的子报告的读取权限。 Alternatively a Manager might have read and update permissions on the Department. 或者，Manager可能具有对部门的读取和更新权限。 The key to all this is how your java object model has been structured. 这一切的关键是你的java对象模型是如何构建的。

I have had a similar situation in a system where there were thousands of articles in an object hierarchy of Business Unit -- Publication -- Issue -- Article . 我在一个系统中遇到了类似的情况，其中在业务部门 - 出版物 - 问题 -文章的对象层次结构中有数千篇文章。 You can have hierarchys of ACL's - so in my system - users that had C/R/W permissions to a particular business unit, inherited permissions on all child objects in the hierarchy. 您可以拥有ACL的层次结构 - 在我的系统中 - 对特定业务单位具有C / R / W权限的用户，对层次结构中所有子对象的继承权限。