I have a bunch of objects in my application (Organisations, Individuals, Orders, etc.) and I need a nice clean way to decide which users can and can't view/edit these objects. Users have a range of permissions such as 'Can edit own contacts' and 'Can view team's contacts' and can also be members of groups such as 'Account Manager', so various things need to be checked (Is this user an account manager? Is this contact managed by this user's team? Can this user edit his team's contacts?) before it can be decided if they have access to the object.
Previously most of the logic was inline, but as it becomes more complex I've decided that it's best to move it out to new classes such as OrganisationSecurity, OrderSecurity, etc., and create methods such as CanEdit on them.
Is this the correct way to go? Any gotchas I should be careful of? How do you handle this?
Thanks
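An added example, not code from the question or any of the answers, of the per-object security class the question describes: one ContactSecurity class that is the single place answering "may this user view/edit this contact?", combining the permission, group-membership, ownership and team checks named above, and denying anything it does not explicitly grant. The User/Contact shapes, the permission and group names and the grant rules are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed permission and group names, modelled on the ones named in the question.
EDIT_OWN = "Can edit own contacts"
VIEW_TEAM = "Can view team's contacts"
EDIT_TEAM = "Can edit team's contacts"
ACCOUNT_MANAGER = "Account Manager"


@dataclass(frozen=True)
class User:
    name: str
    team: str
    permissions: frozenset = frozenset()
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Contact:
    owner: str   # user who owns the contact
    team: str    # team that manages the contact


class ContactSecurity:
    """Single place that decides access to Contact objects.

    Every rule is an explicit grant; a request matching no rule is denied,
    so adding a new object type or permission never widens access by accident.
    """

    def can_edit(self, user: User, contact: Contact) -> bool:
        # Assumed rule: the Account Manager group may edit every contact.
        if ACCOUNT_MANAGER in user.groups:
            return True
        # Permission plus ownership.
        if EDIT_OWN in user.permissions and contact.owner == user.name:
            return True
        # Permission plus team relationship.
        if EDIT_TEAM in user.permissions and contact.team == user.team:
            return True
        return False  # deny by default

    def can_view(self, user: User, contact: Contact) -> bool:
        if self.can_edit(user, contact):
            return True  # edit implies view
        if VIEW_TEAM in user.permissions and contact.team == user.team:
            return True
        return False  # deny by default
```

Because callers only ever ask `can_view`/`can_edit`, the rules can be unit-tested in isolation and reviewed in one file rather than hunted down across inline checks.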
3 Answers
#1
2
Check out Security Patterns, especially in the areas about authentication and authorization.
#2
1
Make sure it is not "overdesigned", and carefully consider why you need to block access and how much you trust the user of your objects.
You can consider writing an aspect to block/allow access to certain methods: http://en.wikipedia.org/wiki/Aspect-oriented_programming
At my company we tried Acegi (on a Java project) but found it to be too heavyweight/overdesigned for our needs. Maybe it's a better fit for your case: http://www.javaworld.com/javaworld/jw-10-2007/jw-10-acegi2.html
#3
0
Google for the terms "entitlements management" and XACML. This will get you pointed in a better direction.