Application Layer Security Architecture Design: Access Control

Permission control, or access control, is used widely in all kinds of systems. Abstractly, there is a subject that needs to perform some operation on some object, and the restriction the system places on that operation is permission control.

On the network, in order to protect network resources, access control based on IP addresses and ports is generally implemented by routing equipment or firewalls.

In the operating system, access to files must also be controlled. In Linux, for example, the operations that can be performed on a file are divided into three kinds: "read", "write" and "execute". These three operations are granted to three kinds of subject: the file owner, the group the file belongs to, and other users. The correspondence between subject, object and operation constitutes the access control list.

In web applications, depending on the object being accessed, common access control boils down to answering the following three questions:

  • Who is he?

  • He can only access the interfaces for which he has been granted permission!

  • He cannot view other people's data!

Let's take our earlier front-end/back-end separation project as an example to explain how each of these questions is addressed:

Who is he?

In a front-end/back-end separation project, the back-end service issues a token to the user after login, such as the well-known JWT (JSON Web Token), and the front-end carries this token on every request to a back-end interface. Since the JWT carries user information, what we have to do at this point is verify that the user this token corresponds to is a legitimate user of the system.

He can only access the interface for which he has been granted permission!

Knowing that he is a legitimate user of the system is not enough. The web application must also ensure that the current user can only access the interfaces he has permission for.

For example, suppose there is a salary query interface which, by business rule, only department leaders may access. If the system does not enforce this and Zhang San learns of the salary query interface, he can call it with his own token and learn the salary of every employee. This problem is called "unauthorized access".

One widely used method for dealing with this problem is Role-Based Access Control (RBAC), also known as "vertical permission management".

RBAC defines the roles in the system in advance, and different roles have different permissions: a role is really a collection of permissions. Every user of the system is assigned to roles, and a user may hold several roles.

When a user brings a token to request a back-end service, we look up the current user's roles through the token and then query all the permissions the user has through those roles. Permission frameworks such as Spring Security and Shiro have very good support for RBAC.

He cannot view other people's data!

Zhang San and Li Si are both department leaders, and both have the permission to query employee salaries. But each is only allowed to view the salaries of employees in his own department. Once Zhang San knows the interface's calling convention, he can obtain the salaries of employees in Li Si's department simply by modifying the call parameters. Of course, this must not be allowed.

Under the RBAC model, the system only verifies whether user A belongs to role RoleX; it does not judge whether user A may access data DataB that belongs only to user B, so unauthorized access still occurs. We call this kind of problem the "horizontal permission management problem".

At present there is no universal solution for data-level permission management; it is generally solved case by case for the specific problem.

A simple method is to attach a secret to the interface request: the interface parameters together with the currently logged-in user are encrypted and sent to the back-end service. After the back-end receives the request, it decrypts the content, parses out the user information according to the agreed rules, and matches it against the logged-in user: if it matches, access proceeds normally; if the match fails, access is denied.
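As an added example (not code from the original post), the three questions are put together in Python: a constructed HS256 JWT is verified to answer "who is he?", a role lookup answers the vertical question, and, in place of the encrypted-parameter scheme described above, the horizontal check derives the caller's department from the verified token instead of trusting a request parameter. The signing key, users, roles, departments and salary table are constructed demo data.

```python
import base64, hashlib, hmac, json, time

SECRET = b"demo-signing-key-not-for-production"  # assumption: server-side HMAC key
# Constructed demo data; a real system reads these from its user and role store.
ROLE_PERMS = {"leader": {"salary:query"}, "employee": set()}
USER_ROLES = {"zhangsan": {"leader"}, "lisi": {"leader"}, "wangwu": {"employee"}}
USER_DEPT = {"zhangsan": "dept-A", "lisi": "dept-B", "wangwu": "dept-A"}
SALARIES = {"dept-A": {"wangwu": 8000}, "dept-B": {"zhaoliu": 9000}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user: str, ttl: int = 3600) -> str:
    # Login step: an HS256 JWT carrying the user name and an expiry.
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_token(token: str):
    # "Who is he?": the user, or None unless well-formed, signed by us, unexpired and known.
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64(header_b64))
        claims = json.loads(_unb64(payload_b64))
        sig = _unb64(sig_b64)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # the token must not choose the algorithm
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig) or claims.get("exp", 0) < time.time():
        return None
    return claims.get("sub") if claims.get("sub") in USER_ROLES else None

def has_permission(user: str, perm: str) -> bool:
    # Vertical (RBAC) check: the user holds the permission through one of its roles.
    return any(perm in ROLE_PERMS.get(r, set()) for r in USER_ROLES.get(user, set()))

def query_salary(token: str, dept: str):
    # The salary interface: identity, then role, then data ownership.
    user = verify_token(token)
    if user is None:
        return "401: not a legitimate user"
    if not has_permission(user, "salary:query"):
        return "403 vertical: this role may not call the interface"
    if USER_DEPT[user] != dept:  # horizontal: department taken from the verified user, not the request
        return "403 horizontal: not your department's data"
    return SALARIES[dept]
```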

That's all, I hope it helps!

Origin blog.csdn.net/jianzhang11/article/details/112504839