ExtJS and page authorization (server side)
I'm looking for information on how to implement secure pages using ExtJS 4. By secure pages I mean the user will log into our website using Siteminder (SSO) and so we will have the user's identity. Then we would determine what roles the user has by making a database/LDAP call and only render those views/components that the user has access to.
Several questions come to mind:
1.) Of course I would expect we would do the authorization check prior to rendering the pages on the server side, so how do you do this prior to firing Ext.onReady()? Do I need to have ExtJS wait for the response from the server?
2.) What is the best way to organize a page's components where one person could see a particular component and another person cannot?
3.) How do I deliver the resulting page (i.e., the pieces the user has access to) to the client?
TIA!
Comments (4)
If you're working from a Java background and are comfortable using Spring, I wrote up an approach using Spring Security here. This will allow you to plug in any authentication mechanism you want. The main difference is that instead of using an index.html to bootstrap the application, I have a JSP so that the Spring Servlet Filter will fire for authentication. The Ext JS app blocks until the user is authenticated and the user's roles/permissions are provided.

Use a server-side technology to pre-process authorization by putting your JS app launch script into a JSP/GSP. What this does is force server-side components to kick off first and then render the HTML/JS/CSS to the client. For a full RIA app use index.gsp (or jsp) and your URL stays "domain/contextroot".
You can interrogate access privs to content via an Ajax request to the server, or alternatively you could set JS variables, again via JSP technology that is processed first, before the rest of the client response is returned.
Both of these are not 100% safe as client-side code can be altered. The real security enforcement must be handled on the server side when data is submitted for processing.
3. The easy way would be to hide/show views etc. based on 2. above. There is also some experimentation out there with modularizing the client-side MVC application by lazily (manually) initializing controllers that may or may not be needed.
Hope this helps.
DB :)
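The two answers above describe the same shape: the server-rendered bootstrap page (JSP/GSP) puts the authenticated user's roles on the page before Ext starts, and the client then only builds the components that user may see. Below is an added example of that client-side step; it is not code from either answer. It assumes the bootstrap page has set a global `APP_ROLES` array and that component configs carry a custom `requiredRoles` property (both are assumptions for this example, not Ext JS or Spring Security features). The pruning is a UI convenience only; as the answer says, the server still has to enforce access on every request.

```javascript
// Added example: prune an Ext JS component config tree by role before it
// reaches Ext, so a user never gets components they are not entitled to.
// `requiredRoles` is an assumed custom property on config objects and
// `window.APP_ROLES` is assumed to be written by the server-rendered page.

// Read the roles the server placed on the page; no roles when absent.
function currentRoles(globalObj) {
  var roles = globalObj && globalObj.APP_ROLES;
  return Array.isArray(roles) ? roles.slice() : [];
}

// A config with no requiredRoles is visible to everyone; otherwise the user
// must hold at least one of the listed roles.
function isPermitted(cfg, roles) {
  if (!cfg.requiredRoles || cfg.requiredRoles.length === 0) {
    return true;
  }
  return cfg.requiredRoles.some(function (r) { return roles.indexOf(r) !== -1; });
}

// Recursively filter `items` and `dockedItems`, and strip the custom
// property so the config handed to Ext contains only real Ext options.
function filterChildren(list, roles) {
  return list
    .map(function (child) { return filterByRoles(child, roles); })
    .filter(function (child) { return child !== null; });
}

function filterByRoles(cfg, roles) {
  if (!isPermitted(cfg, roles)) {
    return null; // caller drops this component and everything under it
  }
  var out = {};
  Object.keys(cfg).forEach(function (k) {
    if (k !== 'requiredRoles') { out[k] = cfg[k]; }
  });
  if (Array.isArray(cfg.items)) { out.items = filterChildren(cfg.items, roles); }
  if (Array.isArray(cfg.dockedItems)) { out.dockedItems = filterChildren(cfg.dockedItems, roles); }
  return out;
}

// Constructed sample layout: the east panel and the Edit button are admin-only.
var SAMPLE_LAYOUT = {
  xtype: 'viewport',
  layout: 'border',
  items: [
    { xtype: 'panel', region: 'west', title: 'Navigation', width: 200 },
    { xtype: 'grid', region: 'center', title: 'Orders',
      dockedItems: [{ xtype: 'toolbar', dock: 'top', items: [
        { text: 'Refresh' },
        { text: 'Edit', requiredRoles: ['admin'] }
      ] }]
    },
    { xtype: 'panel', region: 'east', title: 'User admin', width: 250, requiredRoles: ['admin'] }
  ]
};

// Build the viewport config for the logged-in user. When Ext is loaded
// (i.e. inside Ext.onReady), instantiate it via Ext.widget; in other
// environments just return the filtered config.
function buildViewport(globalObj) {
  var cfg = filterByRoles(SAMPLE_LAYOUT, currentRoles(globalObj));
  if (typeof Ext !== 'undefined' && typeof Ext.widget === 'function') {
    Ext.widget(cfg.xtype, cfg);
  }
  return cfg;
}
```

In the real page, `buildViewport(window)` runs inside `Ext.onReady`, after the JSP has emitted `window.APP_ROLES`, so no extra round trip is needed before the first render. Because the roles came from the server, a user who edits `APP_ROLES` in the browser only changes what the UI draws; the server's checks on the actual requests are unaffected.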
I am currently experimenting with the following solution. Although it will only work for apps with a rather simple set of users, it could be of some help to you.
To begin with, user authentication is done without ExtJS, using a simple HTML/CSS page. Once the user logs in, their details (user id, role) are saved into the PHP session. Then the page redirects to one of two ExtJS apps.
One app is for normal users (I'll call them clients); these are people whose client-side JS does not include any admin functionality. The other app is for admins.
Both apps have their classes inherit from base classes. So we have, for example, base.mainMenu, from which both admin.mainMenu and clients.mainMenu inherit. The only difference in the app.js script is the controllers loaded, and per the ExtJS 4 dynamic loading module, only the related views are loaded (i.e., seen on the client side). In my case, all pages load dynamically anyway, so my users can only dynamically load pages in their mainMenu.
The admin app blocks certain features using a global JS variable that includes the user's role. So for example, the hiding of an 'edit' button from moderators (an admin group with fewer rights) is done once the view is loaded (in practice this is actually done by not loading a plugin that allows editing on the view).
To wrap it all up, any call to the server checks whether the session user has rights for the requested operation, so regardless of client-side scripts, server operations can only be performed by people with the appropriate rights.
To summarise, you have 3 different strategies that you can mix-and-match:
Check out role-based access control. I use Yii's database-based RBAC, and have a PHP script that returns the RBAC rules in JSON format when Ext starts up.
On the client, the best bet is to simply hide or disable functionality that is not allowed.
On the server, you should throw a 403 HTTP error if the user is not allowed to perform a function. Handle Ajax exceptions in Ext and check for 403s.