Java security framework with object granularity

Published 2024-08-10 00:24:57 | Words: 362 | Views: 6 | Comments: 0

I am looking for a security framework for Java web application with Object granularity.

What it means is that I don't just want to filter by urls or by roles, but by specific user ownership of domain objects inside the system.

For example, if there is a Message object that has a Sender user and a Receiver user I would like to be able to configure it so that every Message can be RW by its sender and RO by its receiver.

Or for example, all user profiles are viewable by all users but editable only by the owner.

These rules, of course, I would like to define with meta data (annotations, xml files, whatever) and not embedded in my business logic.

Is there such a beast out there? Preferably open source.

飘落散花 2024-08-17 00:24:57

You're looking for access control lists (ACLs). Like the other respondents I think Spring Security is worth checking out here--Acegi is just what Spring Security used to be called before they renamed it. Spring Security does have explicit support for ACLs (in addition to URL-based, role-based and group-based access controls). It supports both XML and annotation-based configuration. And you can apply ACL filtering to the view (using taglibs to decide what to render or suppress in the JSP), to methods that return a single domain object (decide whether to allow the method call to succeed), and to methods that return a collection (decide which objects to filter out of the collection before returning it).

You might be able to get away with rolling your own ACL code for simple requirements, but in my opinion ACLs can get tricky pretty quickly. Especially if you have lots of domain objects and you have to start taking performance management seriously.
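To make the answer concrete, here is an added example (not part of the original answer or of Spring Security itself) of the asker's two rules expressed as metadata with Spring Security's method security: a custom `PermissionEvaluator` holds the ownership logic, and `@PreAuthorize` / `@PostFilter` annotations enforce it on the service methods. The `Message`, `Profile`, `OwnershipPermissionEvaluator` and `MessageService` names are assumptions; it assumes Java 16+ (records, pattern matching), `@EnableMethodSecurity` (or `prePostEnabled`) and this evaluator registered on the method-security expression handler.

```java
import java.io.Serializable;
import java.util.List;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.prepost.PostFilter;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;

// Assumed domain shape: a Message carries its sender and receiver usernames,
// a Profile carries its owner's username.
record Message(long id, String sender, String receiver, String body) {}
record Profile(String owner, String bio) {}

// All ownership rules live here, outside the business logic. Once registered
// with the method-security expression handler it backs hasPermission() in SpEL.
public class OwnershipPermissionEvaluator implements PermissionEvaluator {
    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || target == null) return false;   // fail closed
        String user = auth.getName();
        boolean write = "WRITE".equals(permission);
        if (target instanceof Message m) {
            // sender: READ and WRITE; receiver: READ only; anyone else: denied
            if (user.equals(m.sender())) return true;
            return !write && user.equals(m.receiver());
        }
        if (target instanceof Profile p) {
            // any authenticated user may READ a profile; only its owner may WRITE
            return !write || user.equals(p.owner());
        }
        return false;   // unknown object types are denied by default
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable id, String type, Object permission) {
        return false;   // id-based checks are not used in this example; deny
    }
}

// The business logic stays rule-free; the annotations carry the ACL metadata.
// (#message / #profile need parameter names retained, e.g. javac -parameters.)
class MessageService {
    @PreAuthorize("hasPermission(#message, 'WRITE')")
    public void edit(Message message, String newBody) { /* persist the change */ }

    // filterObject is each element of the returned list; it must be mutable,
    // because entries the caller may not READ are removed before it is returned.
    @PostFilter("hasPermission(filterObject, 'READ')")
    public List<Message> inbox(List<Message> candidates) { return candidates; }

    @PreAuthorize("hasPermission(#profile, 'WRITE')")
    public void updateProfile(Profile profile, String bio) { /* persist the change */ }
}
```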

逆光飞翔i 2024-08-17 00:24:57

Check out this link Acegi Security Fundamentals - it's slightly outdated but still gives you the main concepts of Spring Security's object level authorization mechanisms.
