java - How to do object (resource) level permission control in a Spring RESTful API
伊谢尔伦 2017-04-18 10:19:31

For example, "/api/v1/orders/{orderID}/action/cancel" is an API address that cancels an order. Obviously the only users who may perform this operation are the two parties to the order transaction, i.e. a user may only operate on orders whose orderID belongs to them.

1. Security frameworks such as Spring Security and Shiro do access control based on roles and are not precise down to the object level. Although they do have object-level permission control, it is very complex and inelegant. How do you all handle this?
2. Is it acceptable to do it in the Spring service layer? The service itself checks whether the user has permission before the business logic runs, but that requires every service-layer method to take the current user's ID among its parameters.
3. Is it feasible to add a separate layer in the controller, before the service is called, dedicated to permission checks?

In summary: how do you handle permissions when developing RESTful APIs? Thanks.


reply all(4)
迷茫

Yours is a data-level permission, which cannot be solved by general authc and authz frameworks such as Spring Security and Shiro.

So the control is still up to you. You can write it in the controller or the service. However, it is recommended to write it in the service, because it is part of the business logic.

大家讲道理

No permissions framework is required. When this API is called, just check directly whether the user owns the order ID that was passed in... You also said that this operation must be performed by one of the two users of the order transaction, and a third party cannot have this order ID.

小葫芦

Wrap an interceptor yourself and check permissions based on parameters and roles. For example, get the userId from the user session, then fetch the order by orderId to determine whether it belongs to that user.

伊谢尔伦

You should write a Validator, usually as an annotation on the controller, because a controller in a RESTful API is a complete piece of business and may call many services, and a service may in turn trigger other distributed requests, such as JMS messages, etc. In fact it is not the same as the controller of the old back-end JSP or FreeMarker days. The old controller had functions such as parameter validation, formatting parameters, executing the business, assembling the response parameters and jumping to the next page, etc., but the RESTful one is missing that last step, so the check should be added to the controller.
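Putting the answers above together (the service-layer check 迷茫 recommends, the "get the order by orderId and compare it to the user" rule 小葫芦 describes, and the annotation-on-the-controller approach 伊谢尔伦 describes), here is an added example in Java. It is not code from the question or from any of the answerers. It shows one way to do the object-level check with Spring Security's method security: the ownership rule lives in one Spring bean, the controller method guards itself with @PreAuthorize referring to that bean by name, and the service re-checks ownership with the same bean so that callers that never pass through HTTP are covered too. The names Order, OrderRepository, OrderAccessPolicy, the bean name orderAccess, the fields buyerId/sellerId, and the assumption that the authenticated principal's name is the numeric user id are all illustrative assumptions, not anything from the original page.

```java
// Added example, not code from the question or its answers. Domain names (Order,
// OrderRepository, OrderAccessPolicy) and the buyerId/sellerId fields are assumed.
import java.util.Optional;

import org.springframework.context.annotation.Configuration;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Assumed domain object: an order records the two parties to the trade.
class Order {
    final long id;
    final long buyerId;
    final long sellerId;
    boolean cancelled;

    Order(long id, long buyerId, long sellerId) { this.id = id; this.buyerId = buyerId; this.sellerId = sellerId; }
}

// Assumed persistence abstraction (a Spring Data repository in a real project).
interface OrderRepository {
    Optional<Order> findById(long id);
    Order save(Order order);
}

// Turns on @PreAuthorize evaluation for Spring beans.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig {}

// The one place where the "is this user a party to this order?" rule is written.
@Component("orderAccess")
class OrderAccessPolicy {
    private final OrderRepository orders;

    OrderAccessPolicy(OrderRepository orders) { this.orders = orders; }

    // Core rule, reusable from any layer.
    public boolean isParty(Order order, long userId) {
        return order.buyerId == userId || order.sellerId == userId;
    }

    // Entry point for the @PreAuthorize expression on the controller.
    // Assumption: the principal name is the numeric user id (set by your UserDetailsService).
    public boolean isParty(long orderId, Authentication auth) {
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        long userId = Long.parseLong(auth.getName());
        // An unknown order is treated like someone else's order: the caller gets the same
        // 403 either way, so existing order ids cannot be enumerated through this endpoint.
        return orders.findById(orderId).map(o -> isParty(o, userId)).orElse(false);
    }
}

@Service
class OrderService {
    private final OrderRepository orders;
    private final OrderAccessPolicy policy;

    OrderService(OrderRepository orders, OrderAccessPolicy policy) { this.orders = orders; this.policy = policy; }

    // Option 2 from the question: the service takes the acting user's id and checks
    // ownership itself, so callers that bypass HTTP (a JMS listener, a scheduled job,
    // another service) are covered as well. AccessDeniedException becomes a 403 when
    // it reaches Spring Security's ExceptionTranslationFilter.
    public void cancel(long orderId, long actingUserId) {
        Order order = orders.findById(orderId)
                .orElseThrow(() -> new AccessDeniedException("order " + orderId + " is not accessible"));
        if (!policy.isParty(order, actingUserId)) {
            throw new AccessDeniedException("user " + actingUserId + " is not a party to order " + orderId);
        }
        order.cancelled = true;
        orders.save(order);
    }
}

@RestController
@RequestMapping("/api/v1/orders")
class OrderController {
    private final OrderService service;

    OrderController(OrderService service) { this.service = service; }

    // Option 3 from the question, done with method security instead of a hand-written
    // interceptor: the check runs before the body, and the body has no permission code.
    // "#orderId" needs the parameter name at runtime, so compile with -parameters (or
    // debug info), or annotate the parameter with Spring Security's @P("orderId").
    @PostMapping("/{orderId}/action/cancel")
    @PreAuthorize("@orderAccess.isParty(#orderId, authentication)")
    public ResponseEntity<Void> cancel(@PathVariable("orderId") long orderId) {
        long actingUserId = Long.parseLong(SecurityContextHolder.getContext().getAuthentication().getName());
        service.cancel(orderId, actingUserId);
        return ResponseEntity.noContent().build();
    }
}
```

The rule is written once (OrderAccessPolicy.isParty) and enforced twice on purpose: the @PreAuthorize at the controller gives the "annotation, not code in the method" style the last answer asks for, and the check inside the service is the defence that still holds when the same service method is reached from a message listener or another service. The policy denies a missing order with the same 403 it uses for a foreign order; if the API must return 404 for unknown ids, do that lookup only after ownership has been confirmed, otherwise the endpoint becomes an oracle for which order ids exist.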
