Java permission Design Discussion-releasing user privileges (Part 1)

Source: Internet
Author: User
Permission design is a resource defense system for the system to avoid unauthorized use of different user types. I have read some permission design designs over the past few days, but I still feel that they are still a little lacking. First of all, I pay more attention to RBAC, which provides three permission design modes.
First, let's take a look at the first rbac0. rbac0 defines the smallest element set that can constitute an RBAC control system. This mode is a very common model in the early industry that allows users to associate roles, A role combines multiple permission resources. However, the current business is becoming more and more humane, and the design is more reasonable. To add users, they need to expand other permissions beyond their own roles, it will bring about a lot of difficult expansion.
Rbac1 and rbac1 introduce the inheritance relationship between roles. This Breakthrough Leads to the inheritance relationship between roles, so that a user can assume multiple roles. It can be said that this is a trend in the history of permission development.
But in general, RBAC does not allow users to integrate roles and permissions. Most of them are still stuck here. Imagine that if a role owned by a user can actually act as a medium license, A user can have multiple licenses. This is a matter of course. Can I use a special license for a specified resource? This means that the user in my opinion can have a role, but can also have some specified permissions. In this way, the assigned permissions can be the privileges of this user (note that they are not roles, because the extended role privilege is granted to other users who own this role at the same time, this is not the extension I will discuss ). Well, if such a relationship is formed, the strong binding between users and roles can be released.
However, I still think it is reasonable to do this. One module and multiple operations form a resource, which is protected. If a module is added, it is necessary to configure these resources, however, the added module may not have all the actions in the operation table name. In this way, you need to add the operation type. During permission verification, you need to check in the relational database. In fact, I think the operations corresponding to a module should not be determined by the module table and the operation type table configuration, because they may be unique to a module, which may include the permission inheritance relationship, for example, a user module has the read, add, modify, delete, query, and all permissions. Note that once this all permission is used, it will include all of its operations. If it is deleted, it will read data, in this way, when we grant the delete permission, the read permission is actually included. Now there is an administrator management module with the permission to read, add, modify, delete, query, reset_password, modify_password, all, these operations should be designed for administrator-related operations. We can see that this module has two more permissions than the user module, and these special permissions The limit should be configuration. This permission inheritance relationship should also be customized. A set composed of N Integers of 2 published on the Internet, and prime number decomposition are all good permission inheritance methods. Is it possible for us to extend these classes to columns in the system? Yes, the benefits of doing so are: 1. avoid permission verification errors caused by background resource configuration errors; 2. obtain all administrator permissions and then verify the permissions on the web layer. 3. you can design your own permission inheritance algorithms.
Speaking of this, why is this problem? Because my topic is Java permission, Java has provided the sucrity package. Don't forget there is annotation. It can help us determine which custom permission class to use for verification in the specified method. In this way, the permission problem can be flexibly expanded. It may not be complete at the moment, but I have already begun to design this Java permission design, after the design, we hope to continue with the discussion.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.