是否可以使用注释实现方法级访问检查？

发布于 2024-11-19 03:40:05 字数 1201 浏览 2 评论 0原文

考虑一些带有User和Group的基本授权框架，其中对方法的访问应该通过检查来保护，以确保用户或组具有必要的PrivilegeLevel 执行该方法，否则失败。

我的想象是这样的：

@AccessCheck(PriviledgeLevel.ADMINISTRATOR)
public static void secureMethod(){ ... }

代码检查基本上是这样的吗？

if(currentUser.getPriviledgeLevel >= PriviledgeLevel.ADMINISTRATOR ||
   currentUser.getGroup.priviledgeLevel >= PriviledgeLevel.ADMINISTRATOR)
  // Allow access
else
  // Deny access

可以这样实现吗？

我做了一些研究，指出了一些基于 AspectJ 的现有内容，主要是在安全注释框架 (SAF) 和春天安全。

我有点担心，因为 SAF 似乎不再很活跃，而且文档也不是那么好。

我不确定 Spring Security，但它似乎更关注与 Web 相关主题的安全问题。

Java 身份验证和授权服务似乎相关，但不使用注释方法。

尝试使用这种声明性方法定义这些安全要求是否有意义？

是否有另一个我缺少的库/框架，它已经实现了我想要的或一些与这里相关的技术？

或者是否有一个完全不同的解决方案（例如实现我自己的ClassLoader，...），它优于我的想象（就库用户的简洁性和可读性而言）？

原文

Consider some basic authorization framework with Users and Groups where access to methods should be guarded by checks which make sure that the user or the group have the necessary PriviledgeLevel to execute the method and fails otherwise.

What I imagine is something like this:

@AccessCheck(PriviledgeLevel.ADMINISTRATOR)
public static void secureMethod(){ ... }

Where the code checking basically does

if(currentUser.getPriviledgeLevel >= PriviledgeLevel.ADMINISTRATOR ||
   currentUser.getGroup.priviledgeLevel >= PriviledgeLevel.ADMINISTRATOR)
  // Allow access
else
  // Deny access

Would it be possible to implement it this way?

I did a bit of research which points to some existing things based on AspectJ, mostly on the Security Annotation Framework (SAF) and on Spring Security.

I'm a bit concerned because SAF doesn't seem very active anymore and the documentation isn't that great.

I'm not sure about Spring Security but it seems to be more focused on security problems in web-related topics.

The Java Authentication and Authorization Service seems to be related, but doesn't use the annotation approach.

Does it make sense trying to define these security requirements with this declarative approach?

Is there another library/framework I'm missing, which already implements what I want or some techonology which would be relevant here?

Or is there a completely different solution (like implementing my own ClassLoader, ...) which is superior to what I imagine (in terms of conciseness and readability for the library user)?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

深府石板幽径 2024-11-26 03:40:06

我认为 AspectJ 会做你想做的事。我们有一大堆方法，您需要某些访问权限，并且我们创建了一个 AspectJ 方面，它将检查并在用户没有这些权限时出错。

另外，由于 AspectJ 在编译时“编织”到类中，因此无法通过配置禁用它。

我们也使用Spring Security，两者可以和谐使用！

回复收藏 0 原文

失与倦＂ 2024-11-26 03:40:06

您可以通过使用动态代理自己轻松地完成此操作。

public interface MyInterface {
           @AccessCheck(Privilege.ADMIN)
           public void doSomething();
}

代理将在实现您的接口的类上创建，并且您将使用自定义注释来注释您的接口。

 MyInterface aInterface = (MyInterface) java.lang.reflect.Proxy.newProxyInstance(obj.getClass()
                .getClassLoader(), obj.getClass().getInterfaces(),
                new YourProxy(new Implementation());

在代理的 invoke() 方法中，您可以检查您的方法是否具有注释，如果不满足权限则抛出 SecurityException。

public YourProxy implements InvocationHandler {
         ....
         public Object invoke(Object proxy, Method method, Object[] args)
        throws Throwable {

              if ( method.isAnnotationPresent(AccessCheck.class) {
                    ....// do access check here and throw SecurityException()
         }
 }

You could do this fairly trivially yourself by using dynamic proxies.

public interface MyInterface {
           @AccessCheck(Privilege.ADMIN)
           public void doSomething();
}

The proxy would be created on the class that implements your interface and you would annotate your interface with your custom annotation.

 MyInterface aInterface = (MyInterface) java.lang.reflect.Proxy.newProxyInstance(obj.getClass()
                .getClassLoader(), obj.getClass().getInterfaces(),
                new YourProxy(new Implementation());

In the invoke() method of your proxy, you can check if your method has the annotation and throw a SecurityException if the privileges are not met.

public YourProxy implements InvocationHandler {
         ....
         public Object invoke(Object proxy, Method method, Object[] args)
        throws Throwable {

              if ( method.isAnnotationPresent(AccessCheck.class) {
                    ....// do access check here and throw SecurityException()
         }
 }

回复收藏 0 原文

风吹雨成花 2024-11-26 03:40:06

使用 Spring Security，您只需添加：

@Secured("ADMINISTRATOR")
public static void secureMethod(){ ... }

并正确配置它，方法是：

使用 < code>JdbcDaoImpl 作为您的 UserDetailsService< /一>
<一href="http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/core/userdetails/jdbc/JdbcDaoImpl.html#setEnableGroups%28boolean%29" rel ="nofollow">启用组支持
自定义查询（如果您正在使用数据库凭据存储）

如果您没有使用数据库凭据存储，只需配置您的首选UserDetailsService< /a> 将用户和组凭据添加到生成的 用户详细信息。

当然，如果不检查文档，但是 Spring Security 完全可以实现方法级别的访问检查，这是我最喜欢的技术。

With Spring Security, you just have to add:

@Secured("ADMINISTRATOR")
public static void secureMethod(){ ... }

And configure it properly, by:

use JdbcDaoImpl as your UserDetailsService
enable group support
customize the queries (if you are using database credential storage)

If you are not using database credential storage, just configure your preferred UserDetailsService to add both user and group credentials to the authorities of the generated UserDetails.

Of couse, it is hard to understand it without checking the concepts at the documentation, but method level access checks is perfectly possible with spring security and it's my prefered technology for it.

回复收藏 0 原文