Apex“安全模块”?
我的经理一直在谈论我将如何“开发”Application Express“安全模块”,但是从她告诉我我们需要的内容来看,我不知道需要开发什么,因为 Apex 已经获得了授权/允许不同群体的人看到不同内容的群组。
我有什么遗漏的吗?她所说的“模块”是什么意思,或者只是一般性的措辞?
My manager keeps talking about how I will be "developing" an Application Express "security module", however from what she told me we need to have, I don't see what there would be to develop, seeing as Apex already has authorization/groups which allow for various groups of people to see various content.
Is there something that I am missing? What does she mean by a "module", or is it just general wording?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
APEX 提供了多种不同的方式来验证用户身份。一种方法是使用“Application Express”身份验证方案并仅创建 APEX 用户。另一种方法是使用“数据库帐户”身份验证方案并创建 Oracle 用户。第三个选项是创建自定义身份验证方案并实现您自己的用户管理功能。
对于小型应用程序来说,Application Express 身份验证往往是最容易部署的,但随着时间的推移往往会变得笨拙。例如,很难赋予应用程序管理员创建 APEX 帐户的能力。您无法将 APEX 帐户绑定到单点登录解决方案。与其他应用程序使用的权限管理系统集成并不容易。如果您在一家大公司中部署应用程序,安全部门最不需要的就是多一个地方来创建用户帐户、管理权限、在某人离开或更改角色时停用帐户等。
数据库身份验证往往比 APEX 身份验证更具可扩展性,因为 Oracle 数据库帐户配置可能已经是您组织的身份验证和授权基础架构的一部分。另一方面,这仍然意味着您要为要在应用程序中创建的每个用户创建一个 Oracle 数据库用户,这可能涉及对 DBA 的调用(从技术上讲,您可以从应用程序创建数据库用户,但大多数 DBA将会担心其安全影响)。如果您打算创建一个拥有数万用户的面向互联网的应用程序,数据库帐户可能会变得笨重。
我敢打赌,绝大多数中型到大型 APEX 应用程序都使用自定义身份验证方案。这可能涉及创建一个
USER表,您可以在其中存储用户名和密码。密码的哈希值或针对 LDAP/AD 存储库的查询。这种方法提供了最大的灵活性,因为您可以将任何您想要的内容编码到身份验证系统中。您可以连接到组织使用的任何自定义身份验证/单点登录解决方案。它可能使得在应用程序内创建新用户变得更加容易(显然取决于身份验证系统的设计方式)。我的假设是,您的经理希望您为 APEX 应用程序编写自定义身份验证方案。
APEX provides several different ways to authenticate users. One approach is to use the "Application Express" authentication scheme and just to create APEX users. Another approach is to use the "Database Account" authentication scheme and to create Oracle users. A third option is to create a custom authentication scheme and to implement your own user management functionality.
Application Express authentication tends to be the easiest to deploy for a small application but tends to get unwieldy over time. It's hard, for example, to give an application administrator the ability to create APEX accounts. You can't tie an APEX account in to a single sign-on solution. It's not easy to integrate with the permission management systems that other applications use. If you're deploying an application in a large company, the last thing the security department needs is one more place where they need to create user accounts, manage privileges, de-activate accounts when someone leaves or changes roles, etc.
Database authentication tends to be more scalable than APEX authentication since Oracle database account provisioning is likely already part of your organization's authentication and authorization infrastructure. On the other hand, that still means that you're creating an Oracle database user for every user you want to create in your application which probably involves a call to a DBA (technically, you could create database users from your application, but most DBAs are going to be concerned about the security implications of that). If you intend to create an internet-facing application with tens of thousands of users, database accounts may get unwieldy.
I'd wager that the vast majority of medium to large-scale APEX applications use a custom authentication scheme. That may involve creating a
USERtable where you store the username & the hash of the password or a query against an LDAP/ AD repository. That sort of approach provides the most flexibility since you can code whatever you'd like into the authentication system. You can hook into whatever custom authentication/ single sign-on solution the organization happens to use. It probably makes creating new users from within the application much easier (obviously depending on how the authentication system is designed).My assumption is that your manager is expecting that you'll be writing a custom authentication scheme for your APEX applications.