Problem description
I am currently evaluating authentication / authorization frameworks.
Apache Shiro seems to be very nice but I am missing row-level security features.
E.g. there might be special rows in a database which should only be visible and accessible by users with special privileges. To avoid unnecessary round-trips, we currently modify the SQL queries to join with our authorization data to get only the visible rows for the current user.
But this concept doesn't feel 'right' to me, because we mix business code with security-related code, which should be orthogonal and independent from each other.
- What solutions are available/possible?
- How do you implement row-level security (especially in combination with JPA)?
Update:
Target database is mostly Oracle 10g/11g
- but a database-independent solution would be preferred if there are no big drawbacks
Recommended answer
Row level security is really best done in the database itself. The database has to be told what your user context is when you grab a connection. That user is associated with one or more security groups. The database then automatically appends filters to user supplied queries to filter out what can't be seen from the security groups. This of course means that this is a per database-type solution.
Oracle has pretty good Row Level Security support, see http://www.orafusion.com/art_fgac.htm as an example.
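To illustrate the approach the answer describes (tell the database who the caller is when the connection is taken, then let the database append the filter itself), here is an added example of Oracle's fine-grained access control (VPD) that is not part of the original answer. The schema `APP`, the tables `DOCUMENTS` (with a `security_group_id` column) and `USER_GROUPS`, and the context/package names are assumptions chosen for the example.

```sql
-- Assumed application context that carries the caller's identity per session
CREATE OR REPLACE CONTEXT app_sec_ctx USING app_sec_pkg;

CREATE OR REPLACE PACKAGE app_sec_pkg AS
  PROCEDURE set_user(p_user_id IN NUMBER);
END app_sec_pkg;
/
CREATE OR REPLACE PACKAGE BODY app_sec_pkg AS
  -- Called once per connection before any JPA query is issued
  PROCEDURE set_user(p_user_id IN NUMBER) IS
  BEGIN
    DBMS_SESSION.SET_CONTEXT('app_sec_ctx', 'user_id', TO_CHAR(p_user_id));
  END set_user;
END app_sec_pkg;
/
-- Policy function: returns the predicate Oracle appends to every
-- statement on the protected table. Fails closed when no user is set.
CREATE OR REPLACE FUNCTION doc_row_filter(p_schema IN VARCHAR2,
                                          p_object IN VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  IF SYS_CONTEXT('app_sec_ctx', 'user_id') IS NULL THEN
    RETURN '1 = 0';
  END IF;
  RETURN 'security_group_id IN (SELECT group_id FROM app.user_groups '
      || 'WHERE user_id = SYS_CONTEXT(''app_sec_ctx'', ''user_id''))';
END doc_row_filter;
/
-- Register the policy; update_check also blocks writes that would
-- create rows the caller could not read back.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'DOCUMENTS',
    policy_name     => 'DOC_ROW_POLICY',
    function_schema => 'APP',
    policy_function => 'DOC_ROW_FILTER',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);
END;
/
-- From the application, on each pooled connection before use (assumed user id):
-- CALL app_sec_pkg.set_user(42);
-- Afterwards a plain "SELECT * FROM app.documents" from JPA is already filtered.
```

The business queries stay unchanged; the only security-specific code left in the application is the `set_user` call on connection checkout, and a connection returned to the pool should have its context cleared (`DBMS_SESSION.CLEAR_CONTEXT`) so the next borrower does not inherit it.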