对 Flex 中现有应用程序实施基于角色的授权的建议
我有一个应用程序,它在 UI 端使用 Flex 3 进行编码,在服务层使用 java @ 以及 BlazeDS 进行编码。现在我们需要根据数据库中为用户定义的角色来授权用户访问系统,例如:假设具有 guest 角色的用户不应该能够访问 ui 上的“管理”选项卡,也不应该能够执行任何操作除了查看仪表板上显示的数据之外,还可以进行其他操作。这里还需要注意的是,超级用户可以从 UI 动态创建角色。
我发现这个链接描述了如何执行 基于角色的身份验证和身份验证授权
使用这种方法,我需要在 service-config.xml 中定义角色,但由于我的角色没有预先定义,所以我不能这样做。
有没有人遇到过类似的情况。任何指示都会有很大帮助。
I have an application that is coded using Flex 3 on UI side and java @ the service layer, along with BlazeDS. Now we need to authorize the users accessing the system based on the roles that are defined for them in the database, eg : say a user with role guest should not be able to access Admin tab on ui and also should not be able to do any operations other than viewing the data displayed on dashboard.Also the point to note here is that roles can be created dynamically by Super users from UI.
I came across this link which describes how to perform Role Based Authentication & Authorization
With this approach i need to define the roles in service-config.xml but since my roles are not pre-defined i cannot go with this.
Has anybody encountered a similar situation. Any pointers will be of great help.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
是的,我也不喜欢服务配置的想法,不要怪你。
就弹性方面而言,您需要担心的只是定义权限,当然不是角色或用户。
良好的基于角色的安全性涉及定义用户、角色和权限。你可能知道这一点,但无论如何,带着问题大声说出来是件好事。
因此,在您的应用程序中,您定义特定的权限 - 依赖于安全性的应用程序的各个部分 - 可见/不可见/可以或不能执行等。我通常这样做的方法是使用字符串常量。因此,在订单管理情况下,我可能有
CanCreateOrder、CanViewOrder、CanCancelOrder、CanFlagOrder。在服务器端,角色将与这些权限绑定。可以这样说:
因此,在服务器端,作为管理员的用户 A 获取与分配给他们的角色相关的所有权限的列表,因此服务器发送返回像这样的字符串
CanCreateOrder,CanViewOrder,CanCancelOrder,CanFlagOrder在您的应用程序中,当用户通过身份验证并获取该列表时,它会存储到某处的静态全局变量中(或者您 .split()将其放入数组等)。
然后,在检查单个项目的可见性或访问权限时,您只需检查该数组或值字符串即可。
这提供了很大的灵活性,因为您正在定义的项目,最重要的是,您基本上是硬编码的权限 - 特定于它们所在的功能代码。因此,不需要来调整它们。
因此,如果您想让客户服务代表能够稍后取消订单,您只需将该权限与该角色绑定即可。完毕。不需要更改任何代码,因为它的权限只是与该功能相关联,而不是与用户或角色相关联。
我已经在许多应用程序中做到了这一点,这是一个可靠的设计。如果您需要与其他密钥绑定的权限,那就是一个稍微不同的故事,但无论如何这是一个很好的起点。
有道理吗?
**当然,您可以加密安全交换并通过 SSL 发送,确保交易安全不在讨论范围内;)
Yes, I don't like the service-config idea either, don't blame you.
As far as the flex side, all you need to worry about is defining permissions, not roles or users of course.
Good form roles based security involves defining users, roles and permissions. You probably know this, but good to say it out loud anyway with the question.
So, in your application, you define specific permissions - pieces of the app that are dependent on security - visible / invisible / can or cant execute, etc. The way I normally do this is with a string constant. So, in an order management situation, I might have
CanCreateOrder,CanViewOrder,CanCancelOrder,CanFlagOrder.On the server side, a role will be tied to those permissions. Lets say:
So on your server side, user A who is an admin, gets a list of all the permissions tied to the roles they are assigned, so the server sends back a string like this
CanCreateOrder,CanViewOrder,CanCancelOrder,CanFlagOrderInside your application, when the user is authenticated and gets that list, its stored into a static global variable somewhere (or you .split() it into an array etc).
Then, when checking visibility or access to individual items, you simply check that array or string of values.
This offers a lot of flexibility as the items you are defining, most importantly, the permissions you're basically hard coding - are specific to the functional code they exist in. Therefore, there isn't a need to adjust them.
So, if you want to make customer service reps the ability to cancel orders later, you simply tie that permission to that role. Done. No code needs to be changed because the permission it simply tied to that functionality, not users, not roles.
I've done this in numerous applications, its a solid design. If you need permissions tied off other keys, that's a mildly different story, but this is a good starting point regardless.
Make sense?
**Naturally you may encrypt the security exchange and send over SSL, securing that transaction is out of scope of the discussion ;)