MVC 框架、API 层和身份验证/权限
我之前问了一个问题,但它可能太模糊或广泛以保证答案。从那时起,我重新考虑了我的方法和我的问题。
我正在开发一个考虑到特定应用程序的框架,但显然我将可重用性放在首位。该框架的关键要素是公开 API 层,用于 JSON 驱动的远程交互。
我在计划这个问题时遇到的问题是身份验证/权限。 如果我在设计时考虑了 MVC 风格的架构,但又想允许通过 API 层使用,那么身份验证/权限检查应该在哪里进行?
Web 访问层本质上与 API 相同层,唯一的区别是输出方法(HTML 与 JSON),因此我认为两者的通用业务逻辑层是有意义的。请求将被标准化为数据结构,并发送到业务逻辑。业务逻辑最终会产生一个结果数据结构(查询结果、失败、成功等),该结构要么馈送到模板引擎,要么序列化为 JSON。
在我看来,权限检查需要在公共业务逻辑层中执行,但是是否有更好的地方将其合并到 MVC/API 框架中?
我现在不知道还能在哪里详细说明,所以请随时询问更多详细信息,我会在想到后提供。
I asked a question earlier, however it may have been too vague or broad to warrant an answer. I've since reconsidered my approach and my question.
I'm working on a framework with specific application in mind, but obviously am keeping re-usability at the forefront. The key element of this framework is exposing an API layer, for JSON driven remote interaction.
My issue in planning this out comes with authentication/permissions. If I'm designing with an MVC style architecture in mind, yet want to permit usage via the API layer, where should the authentication/permissions check take place?
The web access layer is essentially the same as API layer, the only difference being the output method (HTML vs. JSON), so I figured a common business logic layer for the two would make sense. Requests would be normalized to a data structure, and sent to the business logic. The business logic ultimately kicks out a result data structure (query results, failure, success, etc.) that is either fed to the Template engine, or serialized to JSON.
It appears to me that the permissions check needs to be performed in the common business logic layer, but is there a better place to incorporate this into an MVC/API framework?
I don't know where else to elaborate at the moment, so feel free to ask for more details and I'll provide as I come up with them.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您打算如何允许用户访问 API?
以下是我如何进行基于角色的授权:
函数action_get($id)函数action_delete($id)before()方法在执行操作之前被触发。它根据 $access 列表进行授权检查。该系统可以轻松扩展以允许 API 调用。要么扩展该方法的输出部分,检测它是否是 API 请求,要么只是专门为 API 调用创建另一个操作。如果您选择后一种方法并希望保持代码干燥,请将数据结构的业务逻辑移至辅助方法(例如
受保护的函数_get())。可能还有更好的方法来提供对 API 的访问和处理 API。这实际上取决于您希望如何允许访问以及您希望使其变得多么灵活/干燥。How do you plan on allowing users to access the API?
Here's how I do role-based authorization:
function action_get($id)function action_delete($id)before()method is fired before executing an action. It does the authorization check based on the $access list.That system could easily be expanded to allow for API calls. Either expand on the output portion of the method, detecting if its an API request, or simply create another action specifically for the API call. If you choose the latter method and wish to keep your code DRY, move the business logic for the data structure to a helper method (e.g.
protected function _get()). There may be better ways of providing access to and handling the API as well.. it really depends on how you want to allow access and how flexible/dry you want to make it.一般来说,身份验证是在控制器级别执行的(通常在控制器类的构造函数中,因此该控制器中的每个方法都会调用它)。当然,模型中会有一些用户/角色数据,但控制器会将请求与权限等进行比较,并允许或不允许该方法(然后该方法将决定输出 html、json、或其他)。
In general, authentication is performed at the controller level (usually in a constructor of the controller class so it's called for every method in that controller). You would of course have some of the user/role data in models, but the controller is what would compare the request to the permissions, etc. and either allow the method or not (and then the method would decide to output html, json, or whatever).