JAAS / JAAC, DROOLS or custom

Posted 2024-09-06 20:27:53, 271 words, 6 views, 0 comments


I have been using my own internal custom authorization model which evaluates whether a user has permission to view, edit, delete, or create an item. For instance, one place I use this is to determine if a user has permission to view a resource. I have some restrictions such as whether the item is published, whether the user belongs to the necessary group / role, etc.

I store all of that information in a database where I audit the permissions and who changed them for a given entity. To evaluate whether a user has permission, I have a Hibernate Event Listener that takes the current user and other contextual information and evaluates that against the entity.

Is this a good security model, would JAAS / JAAC or DROOLS work better here?
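The model the question describes, written out as an added example (not the asker's code): a deny-by-default view check kept separate from Hibernate so it can be unit-tested, invoked from a Hibernate `PostLoadEventListener`. `Protected`, `Caller`, the audit hook and the `currentCaller` supplier are hypothetical names; the registration call in the trailing comment assumes the Hibernate 5.x `EventListenerRegistry` API and Java 17 syntax.

```java
import java.util.Set;
import java.util.function.BiConsumer;
import java.util.function.Supplier;
import org.hibernate.event.spi.PostLoadEvent;
import org.hibernate.event.spi.PostLoadEventListener;

/** Hypothetical: entities carrying the constraints from the question (published flag, groups/roles, owner). */
interface Protected {
    boolean isPublished();
    Set<String> requiredGroups();   // groups/roles allowed to view an unpublished item
    String ownerId();
}

/** Hypothetical request-scoped caller context (user id plus resolved group/role memberships). */
record Caller(String userId, Set<String> groups) {}

/** Pure policy: no Hibernate dependency, so every branch can be unit-tested. */
final class ViewPolicy {
    static boolean canView(Caller caller, Protected item) {
        if (caller == null) return false;                         // anonymous: deny
        if (item.isPublished()) return true;                      // published: any authenticated user
        if (caller.userId().equals(item.ownerId())) return true;  // owner may see a draft
        for (String g : item.requiredGroups()) {
            if (caller.groups().contains(g)) return true;         // group/role membership
        }
        return false;                                             // default deny
    }
}

/** Runs after Hibernate materialises an entity and refuses to hand back a forbidden one. */
final class AuthorizingLoadListener implements PostLoadEventListener {
    private final Supplier<Caller> currentCaller;          // e.g. backed by a ThreadLocal set per request
    private final BiConsumer<Caller, Object> auditDeny;    // records the denial next to the permission audit

    AuthorizingLoadListener(Supplier<Caller> currentCaller, BiConsumer<Caller, Object> auditDeny) {
        this.currentCaller = currentCaller;
        this.auditDeny = auditDeny;
    }

    @Override
    public void onPostLoad(PostLoadEvent event) {
        Object entity = event.getEntity();
        if (!(entity instanceof Protected p)) return;      // not an access-controlled entity
        Caller caller = currentCaller.get();
        if (!ViewPolicy.canView(caller, p)) {
            auditDeny.accept(caller, entity);
            throw new SecurityException("view denied for " + entity.getClass().getSimpleName());
        }
    }
}
// Registration (assumed Hibernate 5.x API), typically done once at startup:
// sessionFactory.unwrap(SessionFactoryImplementor.class).getServiceRegistry()
//     .getService(EventListenerRegistry.class)
//     .appendListeners(EventType.POST_LOAD, new AuthorizingLoadListener(ctx::get, audit::record));
```

A post-load check only guards single-entity reads: a forbidden row inside a list query aborts the whole query rather than filtering it out, so list endpoints still need the same policy applied as a query predicate.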


Comments (3)

很酷又爱笑 2024-09-13 20:27:53


Spring Security and Shiro are probably the most widely used security frameworks and I would probably use them for a project right now. However, it seems a shame to have a layer on top of an application server when an app server has fully tested and integrated security built in (JAAS). I am looking forward to seeing what PicketBox has to offer; Seam Security 3.0 is built on it, and it seems to more naturally fit with what an app server already offers, just with some nice features such as OpenID support.

摘星┃星的人 2024-09-13 20:27:53


Instead of JAAS or a rule engine based solution, I'd consider Apache Shiro (formerly JSecurity) for pluggable and flexible Authentication and Authorization. Have a look at "What is Shiro?".

But if you have a working solution, why not stick with it if it gets the job done?

木格 2024-09-13 20:27:53


I realize I'm a little late to the party, but Spring Security is a pretty robust option as well; specifically, its ACL module can do a lot of what you're looking for.
