
As part of a JSF/JPA web application project, I need to implement a complete user authorization module. I am using Apache Shiro for authentication and, if it fits the requirements, may use it for authorization as well. Right now, however, I am designing the database schema model and have come up with the tables below. I am not sure whether this is the best approach and would like some feedback.

Requirements

Authorize users based on their roles and group memberships. Roles can be assigned to groups or to individual users. The data is spread across multiple tables, but here I will give only the example of one table that stores project details.

List of authorization tables

Table: APP_USER: This table stores the user details along with the hashed password
Columns: ID/Username/Password

Table: APP_ROLES: This table stores the role definitions
Columns: ID/Rolename/Desc

Table: APP_PRIVILEGES: This table stores the actual privileges that are assigned to roles
Columns: ID/Privilege Name/Privilege Type/Role ID

Table: APP_GROUPS: This table stores the group definitions
Columns: ID/GroupName

Table: APP_USER_GROUPS_MAPPING: This table stores the mapping of users to groups and has references to the APP_USERS & APP_Groups tables
Columns: USER_ID/Group ID

Table: APP_GROUP_ROLES_MAPPING: This table stores the mapping of groups to roles and has references to APP_ROLES and APP_GROUPS
Columns: Group_ID/Role_ID

Table: APP_USER_ROLE_MAPPING: This table stores the mapping of users to roles in case a role is directly assigned to users, and has references to the APP_USERS and APP_ROLES tables
Columns: USER_ID/ROLE_ID

Table: APP_PROJECTS_DETAILS: This is one of the many tables that store the data. This specific table holds project details
Columns: ID/PROJECT_NAME/DESC etc.

Table: APP_GROUP_PROJECTS_MAPPING: This table stores the permission mapping of which groups have access to which projects.

Authorization example: a user tries to delete project Test1

  1. Retrieve the project/group mapping for project Test1 from APP_GROUP_PROJECTS_MAPPING
  2. Retrieve the user's groups from APP_USER_GROUPS_MAPPING
  3. Check whether any of the user's groups has access to project Test1
  4. Assuming the user has access, check whether the user has the DELETE_PROJECT privilege, directly or through a group, by querying APP_USER_ROLE_MAPPING and APP_GROUP_ROLES_MAPPING respectively
  5. Delete project Test1

Personally I feel this is a bit complicated, but I am not sure how to improve it.
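The schema and the five-step delete check above, worked through end to end as an added example (not code from the question or from Apache Shiro). It builds the question's tables in an in-memory SQLite database, seeds constructed sample users, groups, roles and projects, and implements steps 1-3 (group-based project access) and step 4 (privilege held directly or through a group) as two queries that must both pass before step 5 runs. Column names the post leaves loose (`DESCR`, `PRIVILEGE_NAME`, `GROUP_ID`) and the sample rows are assumptions.

```python
import sqlite3

# Schema following the question's table list. Column names the post leaves loose
# (Desc, Privilege Name, Group ID) are assumptions spelled DESCR, PRIVILEGE_NAME, GROUP_ID.
SCHEMA = """
CREATE TABLE APP_USER (ID INTEGER PRIMARY KEY, USERNAME TEXT UNIQUE NOT NULL, PASSWORD TEXT NOT NULL);
CREATE TABLE APP_ROLES (ID INTEGER PRIMARY KEY, ROLENAME TEXT UNIQUE NOT NULL, DESCR TEXT);
CREATE TABLE APP_PRIVILEGES (ID INTEGER PRIMARY KEY, PRIVILEGE_NAME TEXT NOT NULL, PRIVILEGE_TYPE TEXT,
    ROLE_ID INTEGER NOT NULL REFERENCES APP_ROLES(ID));
CREATE TABLE APP_GROUPS (ID INTEGER PRIMARY KEY, GROUPNAME TEXT UNIQUE NOT NULL);
CREATE TABLE APP_USER_GROUPS_MAPPING (USER_ID INTEGER NOT NULL REFERENCES APP_USER(ID),
    GROUP_ID INTEGER NOT NULL REFERENCES APP_GROUPS(ID), PRIMARY KEY (USER_ID, GROUP_ID));
CREATE TABLE APP_GROUP_ROLES_MAPPING (GROUP_ID INTEGER NOT NULL REFERENCES APP_GROUPS(ID),
    ROLE_ID INTEGER NOT NULL REFERENCES APP_ROLES(ID), PRIMARY KEY (GROUP_ID, ROLE_ID));
CREATE TABLE APP_USER_ROLE_MAPPING (USER_ID INTEGER NOT NULL REFERENCES APP_USER(ID),
    ROLE_ID INTEGER NOT NULL REFERENCES APP_ROLES(ID), PRIMARY KEY (USER_ID, ROLE_ID));
CREATE TABLE APP_PROJECTS_DETAILS (ID INTEGER PRIMARY KEY, PROJECT_NAME TEXT UNIQUE NOT NULL, DESCR TEXT);
CREATE TABLE APP_GROUP_PROJECTS_MAPPING (GROUP_ID INTEGER NOT NULL REFERENCES APP_GROUPS(ID),
    PROJECT_ID INTEGER NOT NULL REFERENCES APP_PROJECTS_DETAILS(ID), PRIMARY KEY (GROUP_ID, PROJECT_ID));
"""

# Constructed sample data (not from the post). alice holds "editor" directly; group dev only
# grants "viewer"; group qa grants "editor" but is mapped to Test2 only. '<hash>' stands in
# for a real password hash.
SEED = """
INSERT INTO APP_USER VALUES (1, 'alice', '<hash>'), (2, 'bob', '<hash>'), (3, 'carol', '<hash>');
INSERT INTO APP_ROLES VALUES (1, 'editor', 'may change projects'), (2, 'viewer', 'read only');
INSERT INTO APP_PRIVILEGES VALUES (1, 'VIEW_PROJECT', 'PROJECT', 1), (2, 'DELETE_PROJECT', 'PROJECT', 1),
    (3, 'VIEW_PROJECT', 'PROJECT', 2);
INSERT INTO APP_GROUPS VALUES (1, 'dev'), (2, 'qa');
INSERT INTO APP_USER_GROUPS_MAPPING VALUES (1, 1), (2, 1), (3, 2);
INSERT INTO APP_GROUP_ROLES_MAPPING VALUES (1, 2), (2, 1);
INSERT INTO APP_USER_ROLE_MAPPING VALUES (1, 1);
INSERT INTO APP_PROJECTS_DETAILS VALUES (1, 'Test1', 'first'), (2, 'Test2', 'second');
INSERT INTO APP_GROUP_PROJECTS_MAPPING VALUES (1, 1), (2, 2);
"""


def build_demo_db():
    """Create the schema and seed data in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA + SEED)
    return conn


def user_can_access_project(cur, user_id, project_name):
    """Steps 1-3: is the project mapped to at least one of the user's groups?"""
    row = cur.execute("""
        SELECT 1
        FROM APP_PROJECTS_DETAILS p
        JOIN APP_GROUP_PROJECTS_MAPPING gp ON gp.PROJECT_ID = p.ID
        JOIN APP_USER_GROUPS_MAPPING ug ON ug.GROUP_ID = gp.GROUP_ID
        WHERE p.PROJECT_NAME = ? AND ug.USER_ID = ?
        LIMIT 1""", (project_name, user_id)).fetchone()
    return row is not None


def user_has_privilege(cur, user_id, privilege):
    """Step 4: privilege granted by a directly assigned role OR by a role of one of the user's groups."""
    row = cur.execute("""
        SELECT 1 FROM APP_PRIVILEGES pr
        WHERE pr.PRIVILEGE_NAME = ?
          AND pr.ROLE_ID IN (
              SELECT ROLE_ID FROM APP_USER_ROLE_MAPPING WHERE USER_ID = ?
              UNION
              SELECT gr.ROLE_ID FROM APP_GROUP_ROLES_MAPPING gr
              JOIN APP_USER_GROUPS_MAPPING ug ON ug.GROUP_ID = gr.GROUP_ID
              WHERE ug.USER_ID = ?)
        LIMIT 1""", (privilege, user_id, user_id)).fetchone()
    return row is not None


def authorize_delete(conn, username, project_name):
    """True only when both the project-access check and the DELETE_PROJECT privilege check pass."""
    cur = conn.cursor()
    row = cur.execute("SELECT ID FROM APP_USER WHERE USERNAME = ?", (username,)).fetchone()
    if row is None:
        return False  # unknown user: deny by default
    user_id = row[0]
    return user_can_access_project(cur, user_id, project_name) and user_has_privilege(cur, user_id, "DELETE_PROJECT")


def delete_project(conn, username, project_name):
    """Step 5: delete only after authorization; returns the number of project rows deleted (0 if denied)."""
    if not authorize_delete(conn, username, project_name):
        return 0
    with conn:  # one transaction: drop the group mappings first so no dangling rows remain
        conn.execute("""DELETE FROM APP_GROUP_PROJECTS_MAPPING WHERE PROJECT_ID IN
                        (SELECT ID FROM APP_PROJECTS_DETAILS WHERE PROJECT_NAME = ?)""", (project_name,))
        cur = conn.execute("DELETE FROM APP_PROJECTS_DETAILS WHERE PROJECT_NAME = ?", (project_name,))
    return cur.rowcount


if __name__ == "__main__":
    db = build_demo_db()
    for who, proj in (("alice", "Test1"), ("bob", "Test1"), ("carol", "Test1"), ("carol", "Test2")):
        print(who, proj, "->", "allowed" if authorize_delete(db, who, proj) else "denied")
```

The two checks are deliberately kept separate: carol holds DELETE_PROJECT through her group's role, yet she is denied on Test1 because her group is not mapped to that project, which is exactly the distinction the question's step 3 and step 4 draw. Keeping the decision in the data layer (two queries with the user id bound as a parameter) also means the JSF page never decides on its own whether a button press is allowed.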


2 Answers


It sounds like a decent design, but you may be reinventing the wheel. Java EE already provides declarative and programmatic security facilities that are similar to what you are trying to implement.

Answered 2013-07-29T05:02:49.647
## Prepare your database relation like this  ##

User

```java
import java.io.Serializable;
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.JoinColumn;
import javax.persistence.ManyToOne;
import javax.persistence.OneToMany;
import javax.xml.bind.annotation.XmlTransient;

// User: one role assigned directly (roleId) plus a list of group memberships.
// Class skeleton, @Id, the roleId column and the imports are added; the answer posted only the fields.
@Entity
public class User implements Serializable {
    private static final long serialVersionUID = 5667633010066722654L;

    @Id
    private Integer id;
    private Integer roleId; // FK column; the association below is mapped read-only

    // mappedBy must name the owning field, GroupPermissions.user (the post had "User")
    @OneToMany(mappedBy = "user")
    @XmlTransient
    private List<GroupPermissions> groupPermissionsList;

    @ManyToOne
    @JoinColumn(name = "roleId", referencedColumnName = "id", insertable = false, updatable = false)
    @XmlTransient
    private Role role;
}
```

GroupPermissions

```java
// GroupPermissions: user <-> group membership row (owning side of User.groupPermissionsList).
// @Id and the class skeleton are added.
@Entity
public class GroupPermissions implements Serializable {
    @Id
    private Integer id;
    private int userId;
    private int groupId;

    @ManyToOne
    @JoinColumn(name = "userId", referencedColumnName = "id", insertable = false, updatable = false)
    @XmlTransient
    private User user;

    @ManyToOne
    @JoinColumn(name = "groupId", referencedColumnName = "id", insertable = false, updatable = false)
    @XmlTransient
    private ProjectGroup group;
}
```

ProjectGroupPermissions

```java
// ProjectGroupPermissions: group <-> project access row. @Id and the class skeleton are added.
@Entity
public class ProjectGroupPermissions implements Serializable {
    @Id
    private Integer id;
    private int groupId;
    private int projectId;

    @ManyToOne
    @JoinColumn(name = "groupId", referencedColumnName = "id", insertable = false, updatable = false)
    @XmlTransient
    private ProjectGroup projectGroup;

    @ManyToOne
    @JoinColumn(name = "projectId", referencedColumnName = "id", insertable = false, updatable = false)
    @XmlTransient
    private Project project;
}
```

Role

  Define your fields in the Role table

Follow these steps

Check the project page in its load method:

1. If the user has a role (step 1), retrieve the user's assigned roles, e.g. (delete, modify, view), instead of checking the second step; otherwise redirect on unauthorized access.
2. First retrieve the user's assigned groups ---> projects

Answered 2013-07-29T06:00:49.497