
Java, dealing with Objects permissions

A few days ago I got an assignment to make an (amateur) model of my university's course and student management system (just the core program, no GUI). I was successful in creating almost everything, except one part: permissions. I have no idea where to even start with this. So class Course has tons of methods, but each of them should work differently. For example, if a student wants to enroll in a course whose enrollment deadline has passed, he can only enroll if the Professor adds him manually. I set up the method, which checks dates and returns an error if a student tries to enroll too late. But if a Professor object were to call that method, he could 'override the rules'. My professor told me to think about using interfaces, but I've been banging my head against the wall for a while now, and I still have no idea how to use interfaces to set permissions.
EDIT: my apologies, I forgot the question. What is the best way in Java to create and control permissions? If it happens to be an interface, how exactly could I use an interface to do this?

What if you had an interface with the method

public void studentEnroll(Student s);

and another interface only the professors can access, which is

public void professorEnroll(Student s);

There are so many ways you could do this. I suggest you try thinking about what the simplest solution would be.
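
An added example (not part of the answer above) of how two narrow interfaces can act as permissions: each caller is handed only the view it is entitled to. Everything except the method names studentEnroll and professorEnroll is assumed for illustration (the Student record, the view methods, the sample dates), and Course deliberately implements neither interface, so a reference given to student code cannot be cast to the professor one. Requires Java 16+ for the record.

```java
import java.time.LocalDate;
import java.util.LinkedHashSet;
import java.util.Set;

record Student(String name) {}                       // hypothetical minimal Student

interface StudentEnrollment   { void studentEnroll(Student s); }
interface ProfessorEnrollment { void professorEnroll(Student s); }

final class Course {
    private final Set<Student> roster = new LinkedHashSet<>();
    private final LocalDate deadline;
    private final int capacity;

    Course(LocalDate deadline, int capacity) {
        this.deadline = deadline;
        this.capacity = capacity;
    }

    // View handed to student-facing code: every rule is enforced.
    StudentEnrollment studentView(LocalDate today) {
        return s -> {
            if (today.isAfter(deadline)) throw new IllegalStateException("Enrollment date has passed.");
            if (roster.size() >= capacity) throw new IllegalStateException("Course is full");
            roster.add(s);
        };
    }

    // View handed only to code acting for a professor: manual add, no rule checks.
    ProfessorEnrollment professorView() {
        return roster::add;
    }

    Set<Student> roster() { return Set.copyOf(roster); }
}

public class InterfaceViews {
    public static void main(String[] args) {
        Course course = new Course(LocalDate.of(2024, 9, 1), 30);          // constructed sample data
        StudentEnrollment forStudents = course.studentView(LocalDate.of(2024, 9, 15));
        ProfessorEnrollment forProfessors = course.professorView();
        Student late = new Student("alice");

        try { forStudents.studentEnroll(late); }
        catch (IllegalStateException e) { System.out.println("student view: " + e.getMessage()); }

        forProfessors.professorEnroll(late);
        System.out.println("roster: " + course.roster());
        System.out.println("student view castable to professor view: "
                + (forStudents instanceof ProfessorEnrollment));
    }
}
```

If Course implemented both interfaces directly, any holder of the student-typed reference could downcast it and reach professorEnroll; separate view objects are what keep the interface split meaningful as an access control.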

You might need to provide more information for how the system knows who is executing each method in your system. I'll assume you pass the User object that represents who is calling a method (there are other ways, but this illustrates the point without talking about a lot of architecture you might or might not use/need).

public class Course {

    public void enroll( User user, Student student ) {
       if( user.hasPermission( Permission.OVERRIDE_COURSE_RULES ) ) {
           add( student );
       } else if( hasEnrollmentDatePassed() ) {
           throw new CourseException( "Enrollment date has passed." );
       } else if( isClassFull() ) {
           throw new CourseException( "Course is full" );
       } else {
           add( student );
       }
    }
}

A few things to note: User doesn't depend on Professor, Student, etc. User could be a concrete class or an interface that Professor, Student, etc. implement. You don't want to tie your permission system to Professor and Student because your permission mappings cannot change if you do that. That means if you later want to allow, say, a TA or Grad Student to override the rules for adding students, you can't change those permission mappings without modifying code. So always use 'verbs' or actions for permissions. Map a set of permissions to a User, then don't check User types; use those verbs to enable functionality.
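
An added, self-contained version of the verb-based check described above (example code, not the answerer's): the role-to-permission mapping is plain data, so giving a TA the override needs no change to Course. The ROLES map, login helper, ENROLL_SELF permission and the "only enroll yourself" check are assumptions added for illustration; sample users are constructed.

```java
import java.util.*;

enum Permission { ENROLL_SELF, OVERRIDE_COURSE_RULES }

class CourseException extends RuntimeException {
    CourseException(String message) { super(message); }
}

final class User {
    final String name;
    private final Set<Permission> granted;
    User(String name, Set<Permission> granted) { this.name = name; this.granted = Set.copyOf(granted); }
    boolean hasPermission(Permission p) { return granted.contains(p); }
}

final class Course {
    private final List<String> roster = new ArrayList<>();
    private final boolean enrollmentDatePassed;
    private final int capacity;
    Course(boolean enrollmentDatePassed, int capacity) {
        this.enrollmentDatePassed = enrollmentDatePassed;
        this.capacity = capacity;
    }
    void enroll(User user, String student) {
        if (user.hasPermission(Permission.OVERRIDE_COURSE_RULES)) { roster.add(student); return; }
        // Assumed extra check, not in the answer: without override, callers may enroll only themselves.
        if (!user.hasPermission(Permission.ENROLL_SELF) || !user.name.equals(student))
            throw new CourseException("Not permitted to enroll " + student);
        if (enrollmentDatePassed) throw new CourseException("Enrollment date has passed.");
        if (roster.size() >= capacity) throw new CourseException("Course is full");
        roster.add(student);
    }
}

public class PermissionDemo {
    // Role-to-permission mapping is data: granting the TA an override is a one-line change here.
    static final Map<String, Set<Permission>> ROLES = Map.of(
        "student", EnumSet.of(Permission.ENROLL_SELF),
        "professor", EnumSet.of(Permission.OVERRIDE_COURSE_RULES),
        "ta", EnumSet.of(Permission.OVERRIDE_COURSE_RULES));

    static User login(String name, String role) {
        return new User(name, ROLES.getOrDefault(role, Set.of()));   // unknown role: no permissions
    }
    public static void main(String[] args) {
        Course course = new Course(true, 30);                        // constructed: deadline already passed
        for (User u : List.of(login("alice", "student"), login("bob", "ta"), login("eve", "guest"))) {
            try { course.enroll(u, "alice"); System.out.println(u.name + ": enrolled alice"); }
            catch (CourseException e) { System.out.println(u.name + ": " + e.getMessage()); }
        }
    }
}
```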

You could have a design like:

class Course
{
   public void enroll(Person actionGenerator, Student student) 
   {
      if ( actionGenerator instanceof Professor )
      {
          //bypass verification
      }
      else
      {
      }
   }
}

interface Person
{
   /*....*/
}

class Student implements Person
{
   public void registerStudent(Course c)
   {
      c.enroll(this,this);
   }
}

class Professor implements Person
{
   public void registerStudent(Course c, Student s)
   {
      c.enroll(this,s);
   } 
}

I find that people often confuse the classes/actors inside the system with the people/actors outside the system: They'll say that "We can't trust the Student class to hold the student's cash balance because we can't trust (human) students with that; they could lie!" Remember: You control the code you put in the Student class, and what it does. The actual students do not program the instances that represent them. Same for the Professor class.

So, generally speaking, you impose security and permissions based on the process you design. I.e.: How you define and use the methods of your classes.

Your system needs to know if a student is enrolling in a class directly, or if the class' professor is enrolling them. This would generally imply that the system must know if the person currently logged into the system is a student or a professor. It might make sense to provide professors with different screens which call different methods.

In production code, I would probably use Thread Local Storage to track the current user's permissions. But that's probably a bit much for a student assignment.

Honestly, I don't see how introducing Java interfaces would help. Thinking carefully about the interfaces (methods) that you use and when you use them would probably help.
