Securing a Multi tenant SaaS application

I'm building a multi-tenant SaaS web-application in Java, Spring, Struts2 and Hibernate. After a bit of research, I chose to implement multi-tenancy in a shared db, shared schema, shared table approach. And tagging each db-line with a tenantId.

I have rewritten my application, so Managers and Daos will take the tenantId as a parameter to only serve the correct db-resources.

This works perfectly for all views when getting information. And also for creating new stuff (using the logged in user's tenantId to store the info).

However, for updating and deleting stuff I am not sure how to secure my application. For example: When a user wants to edit an object, the url will be: /edit?objectId=x And this is mapped to an action that will retrieve this object by Id. Meaning any logged in user can by url-modification view any object. This I can solve by adding the tenantId to the Dao so if the User tries to view an object outside his tenancy he will get nothing.

Ok, that's ok then, but what about when sending in the edit-form? What if the user modifies the request, messing with the hidden field objectId so the action will receive a request to alter an object not belonging to the user's tenancy.

Or if the user url-modifies a delete action /delete?objectId=x

Basically I need some way to assure that the logged in user has access to whatever he is trying to do. For all gets it's easy. Just putting the tenantId in the where clause. But for updates and deletes I'm not sure what direction to go.

I could query the db for every update and delete to see if the user has access to the object, but I'm trying to keep db-interaction to the minimum. So I find it impractical to make an extra db-call for every such action.

Does anyone have any hints or tips for my issues?

The same for reading applies to writing/updating: user can only see/access/change what they own. Your question is more about database than about anything else. The same constraints you apply to viewing data must also apply to writing data.

In this case, you don't want to wear the performance of a query first then an update. That's fine, since you can update the database with conditions. Since this seems likely to be database-level in your case you need to know what your database is capable of (to do it in one go). For example, Oracle has the merge statement.
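The conditional update described in this answer, as an added example that is not part of the original post: the tenant check sits in the WHERE clause of the UPDATE or DELETE itself, and the affected-row count tells the action whether the object belonged to the caller's tenant, so no extra SELECT is needed. It uses Python with an in-memory SQLite database to stay self-contained; the `item` table, its columns and all function names are assumptions, and the same SQL applies through Hibernate or JDBC.

```python
import sqlite3


class NotFoundOrForbidden(Exception):
    """No row matched both the object id and the caller's tenant."""


def make_db():
    # Constructed sample data: two tenants sharing one table.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE item (id INTEGER PRIMARY KEY,"
        " tenant_id INTEGER NOT NULL, name TEXT NOT NULL)"
    )
    db.executemany(
        "INSERT INTO item VALUES (?, ?, ?)",
        [(1, 10, "tenant 10 doc"), (2, 20, "tenant 20 doc")],
    )
    db.commit()
    return db


def _guarded_write(db, sql, params, object_id):
    # One round trip: the write only matches rows owned by the tenant.
    cur = db.execute(sql, params)
    if cur.rowcount != 1:
        # Same answer for "does not exist" and "belongs to another tenant",
        # so the response does not reveal which ids exist elsewhere.
        db.rollback()
        raise NotFoundOrForbidden(object_id)
    db.commit()


def update_item(db, session_tenant_id, object_id, new_name):
    # session_tenant_id comes from the authenticated session, never from
    # the request; object_id is the untrusted hidden field / URL parameter.
    _guarded_write(
        db,
        "UPDATE item SET name = ? WHERE id = ? AND tenant_id = ?",
        (new_name, object_id, session_tenant_id),
        object_id,
    )


def delete_item(db, session_tenant_id, object_id):
    _guarded_write(
        db,
        "DELETE FROM item WHERE id = ? AND tenant_id = ?",
        (object_id, session_tenant_id),
        object_id,
    )


def names(db):
    return dict(db.execute("SELECT id, name FROM item ORDER BY id"))
```
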

I am quite late to this thread and maybe you have already built the solution you were asking here about. Anyway, I have implemented a database-per-tenant multitenant web application using Spring Boot 2 and secured the web access using Spring Security 5. The data access is via Spring JPA (with Hibernate 5 as the JPA provider). Do take a look here.
