How to implement network permission control

Coarse-grained URL level permission control

Permission control is mainly divided into coarse-grained URL level permission control and fine-grained Method level permission control. (Recommended learning: web front-end video tutorial)

Our operations in the background system, whether we click a button or click a menu item, are accessing a server-side resource, and what identifies the server resource is the URL. How to control users' operating permissions on server resources? There will be two tables in our database:

User table and permission control table. The users in the user table are associated with the relevant permissions in the permission control table. Filter is used to determine whether the current user has the permission corresponding to the URL address. If the user's corresponding permission list does not have the currently accessed URL address, it will prompt that the permissions are insufficient. If the user's corresponding permission list contains the URL address, the user is allowed to access.

Simply put, coarse-grained permission control based on URL is to store the corresponding relationship between users, permissions, and access URLs in the database. When the current user accesses a URL address, the database is queried to determine the user's current status. The permissions you have, whether it contains this URL, if it does, access is allowed, if it does not, it prompts that you have insufficient permissions.

Fine-grained method-level permission control

Fine-grained method-level permission control is more granular than coarse-grained permission control. Similarly, when you click a button or a menu item in the background system, you are accessing a URL resource on the server side, and this URL address will involve methods in the presentation layer, business layer, and DAO data layer. The coarse-grained one is to query the relevant permissions of the current user in the data table and compare them to determine whether to release the user. The difference is that the fine-grained permission control is implemented based on custom annotations.

For example: add an annotation @Permission ("custom permission name") to a method in the business layer. This annotation contains the permission information required to access the method, and is also created in the database. Two tables: user table and permission table. The permission name in the permission table must be consistent with the custom name in the annotation just added to the method. To put it bluntly, the permission information is described in the permission table, and then By adding annotations to the method, the purpose of permission control on the method is achieved. The permissions in the permission table corresponding to the user in the user table are also associated in the data table. Which methods and resources can the user access? It is controlled through data tables combined with annotations.

The underlying implementation principle is: spring manages the objects corresponding to the beans configured in applicationContext.xml. When the user accesses a URL address, spring can return the proxy object of the real object being accessed. When accessing each method of the real object, the proxy object will query the database to determine whether the current user has the permissions defined in the annotation. Because it is the proxy object of the real object, it can implement this series of operations, and finally determine whether Result with permissions to control user access.

Simply put, fine-grained permission control is achieved through proxy objects combined with custom annotations. When the user accesses the method of the target object, permission annotation information is added to the method, and a proxy object is created for the target object. , access the proxy object before accessing the real object, and the proxy object goes to the database to query the permission data to determine whether the user has the required permissions described in the annotation. If you have access rights, access will be allowed. If you don't have access rights, access will be blocked and a message indicating insufficient rights will be displayed.

The above is the detailed content of How to implement network permission control. For more information, please follow other related articles on the PHP Chinese website!