Original article: The service side guide | Data-based access control
Blog: blog.720uenterprise
Role-based access control checks only the role of the user who accesses the data; it does not distinguish between individual users holding the same role. For example, if user A and user B have the same role and only role-based access control is in place, user A can manipulate user B's data at will, which is an unauthorized access. In business scenarios it is therefore not enough to rely on role-based access control; data-based access control must also be introduced. If role-based access control is thought of as vertical access control, then data-based access control is horizontal access control.

In business scenarios, data-based access control is often overlooked. Take the comment function, which is very common: users can create, reply to, view, and delete comments from the client, and normally a user may delete only their own comments. If data-based access control is not enforced on the server side, user A can bypass the client, guess a comment ID, and change the comment ID in the request to delete other users' comments. This is in fact a very serious unauthorized access. In addition, there is often private data belonging to individual users, and such data should normally be accessible only to the user who owns it.
Data-based access control has to be implemented at the business level, and it is also the security point most often left out, so it deserves attention. Here we again use the comment-deletion case, written in Java. The core of the snippet is to check whether the current user is the creator of the comment: if so, the request is allowed; if not, an error code indicating no permission is returned. This is an effective way to prevent unauthorized manipulation of data.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping(value = {"/v1/c/apps"})
public class AppCommentController {

    @Autowired
    private AppCommentService appCommentService;

    @RequestMapping(value = "/{appId:\\d+}/comments/{commentId:\\d+}", method = RequestMethod.DELETE)
    public void deleteAppCommentInfo(@PathVariable Long appId,
                                     @PathVariable Long commentId,
                                     @AuthenticationPrincipal UserInfo userInfo) {
        // Look up the comment by its ID.
        AppComment appComment = this.appCommentService.checkCommentInfo(commentId);
        // Determine whether the current user is the creator of the comment:
        // if so, continue; if not, return the "no permission" error code.
        if (!appComment.getUserId().equals(Long.valueOf(userInfo.getUserId()))) {
            throw new BusinessException(ErrorCode.ACCESS_DENIED);
        }
        this.appCommentService.delete(commentId);
    }
}
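As an added example (not code from the original post), here is how the same ownership check can be pushed into the service layer so that no endpoint can skip it, with the database lookup itself scoped to the owner. The AppCommentRepository interface, its findByIdAndUserId query method, the loadOwnedComment and deleteOwned methods and ErrorCode.NOT_FOUND are assumptions; the remaining names reuse those from the post.

```java
import java.util.Optional;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.web.bind.annotation.*;

// Assumed Spring Data JPA repository for the post's AppComment entity. Spring Data derives
// "WHERE id = ? AND user_id = ?" from the method name, so the owner is part of the lookup itself.
interface AppCommentRepository extends JpaRepository<AppComment, Long> {
    Optional<AppComment> findByIdAndUserId(Long id, Long userId);
}

// Assumed service implementation; the post only shows checkCommentInfo() and delete() being called.
@Service
class AppCommentService {
    @Autowired
    private AppCommentRepository repository;

    // Returns the comment only if it belongs to userId. A comment ID guessed by another user is
    // simply "not found", so the response does not even confirm that the ID exists.
    // ErrorCode.NOT_FOUND is assumed; the post itself only shows ErrorCode.ACCESS_DENIED.
    public AppComment loadOwnedComment(Long commentId, Long userId) {
        return repository.findByIdAndUserId(commentId, userId)
                .orElseThrow(() -> new BusinessException(ErrorCode.NOT_FOUND));
    }

    // The ownership check lives here, so every caller (REST endpoint, batch job, admin tool)
    // goes through it and no individual endpoint can forget it.
    @Transactional
    public void deleteOwned(Long commentId, Long userId) {
        repository.delete(loadOwnedComment(commentId, userId));
    }
}

// The post's controller, reduced to passing the authenticated identity through.
@RestController
@RequestMapping("/v1/c/apps")
class AppCommentController {
    @Autowired
    private AppCommentService appCommentService;
    @DeleteMapping("/{appId:\\d+}/comments/{commentId:\\d+}")
    public void deleteAppCommentInfo(@PathVariable Long appId, @PathVariable Long commentId,
                                     @AuthenticationPrincipal UserInfo userInfo) {
        // The user ID comes from the authenticated principal, never from the request path or body.
        appCommentService.deleteOwned(commentId, Long.valueOf(userInfo.getUserId()));
    }
}
```

Returning the same "not found" result for another user's comment and for a nonexistent one means a guessed comment ID reveals nothing; if the product must distinguish the two cases, keep the post's ACCESS_DENIED but note that it confirms the ID exists.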
In summary, role-based access control is a form of vertical permission control: by establishing the mapping between users and roles, roles are distinguished from one another, and users perform operations and access resources according to their roles. Data-based access control is a form of horizontal permission control: it further subdivides the users within a role to ensure that a user's data cannot be manipulated by others beyond their rights. Data-based access control has to be implemented at the business level, and it is also the security point most often left out, so it deserves attention.
Read more:
The service side guide | role based access control
The service side guide | authorization and authentication of actual combat
More wonderful articles, all in the “server-side thinking” wechat public account!