Database model for authorization

Date: 2013-07-29 01:12:31

Tags: java database-design jpa jsf-2 authorization

As part of a JSF / JPA web application project I need to implement a complete user authorization module. I am using Apache Shiro for authentication, and may also use it for authorization if it fits the requirements. For now, however, I am designing the database schema model and have come up with the tables below. I am not sure whether this is the best approach and would like some feedback.

Requirements

Users are authorized based on their roles and their group memberships. Roles can be assigned to groups or to individual users. The data is spread across multiple tables, but here I only give one example of a table that stores project details.

List of authorization tables

Table: APP_USER: This table will store the user details along with the hashed password
Columns: ID / Username / Password

Table: APP_ROLES: This table stores the role definitions
Columns: ID / Rolename / Desc

Table: APP_PRIVILEGES: This table stores the actual privileges that are assigned to roles
Columns: ID / Privilege Name / Privilege Type / Role ID

Table: APP_GROUPS: This table stores the group definitions
Columns: ID / GroupName

Table: APP_USER_GROUPS_MAPPING: This table stores the mapping of users to groups and has references to the APP_USER and APP_GROUPS tables
Columns: USER_ID / GROUP_ID

Table: APP_GROUP_ROLES_MAPPING: This table stores the mapping of groups to roles and has references to the APP_ROLES and APP_GROUPS tables
Columns: GROUP_ID / ROLE_ID

Table: APP_USER_ROLE_MAPPING: This table stores the mapping of users to roles in case a role is directly assigned to a user, and has references to the APP_USER and APP_ROLES tables
Columns: USER_ID / ROLE_ID

Table: APP_PROJECTS_DETAILS: This is one of the many tables that store the data. This specific table holds the project details
Columns: ID / PROJECT_NAME / DESC etc.

Table: APP_GROUP_PROJECTS_MAPPING: This table stores the permission mapping of which groups have access to which projects.

Authorization example: a user tries to delete project Test1


  1. Retrieve the project/group mappings for project Test1 from APP_GROUP_PROJECTS_MAPPING.
  2. Retrieve the user's groups from APP_USER_GROUPS_MAPPING.
  3. Check whether any of the user's groups has access to project Test1.
  4. Assuming the user has access, check whether the user has the DELETE_PROJECT privilege, either directly or through a group, by querying APP_USER_ROLE_MAPPING and APP_GROUP_ROLES_MAPPING respectively.
  5. Delete project Test1.

Personally I think this is a bit complicated, but I am not sure how to improve it.
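The numbered check above, as an added example that is not part of the original question or the asker's code: the question's tables are created in an in-memory SQLite database, populated with constructed sample data, and steps 1 to 4 are collapsed into a single query so that the decision is made in one round trip and denies by default whenever the user, the project or a mapping row does not exist. The column names GROUP_ID / PROJECT_ID on APP_GROUP_PROJECTS_MAPPING, the column name DESCRIPTION standing in for the question's Desc, and the privilege name DELETE_PROJECT are assumptions.

```python
import sqlite3

# Added example, not code from the original question. Table and column names
# follow the question; GROUP_ID/PROJECT_ID on APP_GROUP_PROJECTS_MAPPING,
# DESCRIPTION for the question's "Desc", and the privilege name DELETE_PROJECT
# are assumptions.
SCHEMA = """
CREATE TABLE APP_USER (ID INTEGER PRIMARY KEY, USERNAME TEXT UNIQUE NOT NULL,
                       PASSWORD TEXT NOT NULL);  -- holds the password hash
CREATE TABLE APP_ROLES (ID INTEGER PRIMARY KEY, ROLENAME TEXT UNIQUE NOT NULL,
                        DESCRIPTION TEXT);
CREATE TABLE APP_PRIVILEGES (ID INTEGER PRIMARY KEY, PRIVILEGE_NAME TEXT NOT NULL,
                             PRIVILEGE_TYPE TEXT,
                             ROLE_ID INTEGER NOT NULL REFERENCES APP_ROLES(ID));
CREATE TABLE APP_GROUPS (ID INTEGER PRIMARY KEY, GROUPNAME TEXT UNIQUE NOT NULL);
CREATE TABLE APP_USER_GROUPS_MAPPING (USER_ID INTEGER REFERENCES APP_USER(ID),
    GROUP_ID INTEGER REFERENCES APP_GROUPS(ID), PRIMARY KEY (USER_ID, GROUP_ID));
CREATE TABLE APP_GROUP_ROLES_MAPPING (GROUP_ID INTEGER REFERENCES APP_GROUPS(ID),
    ROLE_ID INTEGER REFERENCES APP_ROLES(ID), PRIMARY KEY (GROUP_ID, ROLE_ID));
CREATE TABLE APP_USER_ROLE_MAPPING (USER_ID INTEGER REFERENCES APP_USER(ID),
    ROLE_ID INTEGER REFERENCES APP_ROLES(ID), PRIMARY KEY (USER_ID, ROLE_ID));
CREATE TABLE APP_PROJECTS_DETAILS (ID INTEGER PRIMARY KEY,
    PROJECT_NAME TEXT UNIQUE NOT NULL, DESCRIPTION TEXT);
CREATE TABLE APP_GROUP_PROJECTS_MAPPING (GROUP_ID INTEGER REFERENCES APP_GROUPS(ID),
    PROJECT_ID INTEGER REFERENCES APP_PROJECTS_DETAILS(ID),
    PRIMARY KEY (GROUP_ID, PROJECT_ID));
"""

# Constructed sample data: alice is in "devs" and holds project_admin directly;
# bob is in "devs" and only gets "viewer" through the group; carol is in "ops",
# which carries project_admin as a group role. Test1 belongs to devs, Test2 to ops.
SEED = """
INSERT INTO APP_USER VALUES (1,'alice','$hash$'),(2,'bob','$hash$'),(3,'carol','$hash$');
INSERT INTO APP_ROLES VALUES (1,'project_admin','manages projects'),(2,'viewer','read only');
INSERT INTO APP_PRIVILEGES VALUES (1,'DELETE_PROJECT','PROJECT',1),
    (2,'EDIT_PROJECT','PROJECT',1),(3,'VIEW_PROJECT','PROJECT',2);
INSERT INTO APP_GROUPS VALUES (1,'devs'),(2,'ops');
INSERT INTO APP_USER_GROUPS_MAPPING VALUES (1,1),(2,1),(3,2);
INSERT INTO APP_GROUP_ROLES_MAPPING VALUES (1,2),(2,1);
INSERT INTO APP_USER_ROLE_MAPPING VALUES (1,1);
INSERT INTO APP_PROJECTS_DETAILS VALUES (1,'Test1','dev project'),(2,'Test2','ops project');
INSERT INTO APP_GROUP_PROJECTS_MAPPING VALUES (1,1),(2,2);
"""

# Steps 1-4 of the question in one query: the user needs BOTH a group mapped to
# the project AND the privilege, reached through a direct role or a group role.
# Unknown users, unknown projects and unmapped projects return no row, i.e. deny.
AUTHZ_SQL = """
SELECT 1
FROM APP_USER u, APP_PROJECTS_DETAILS p
WHERE u.USERNAME = :username AND p.PROJECT_NAME = :project
  AND EXISTS (SELECT 1 FROM APP_USER_GROUPS_MAPPING ug
              JOIN APP_GROUP_PROJECTS_MAPPING gp ON gp.GROUP_ID = ug.GROUP_ID
              WHERE ug.USER_ID = u.ID AND gp.PROJECT_ID = p.ID)
  AND EXISTS (SELECT 1 FROM APP_PRIVILEGES pr
              WHERE pr.PRIVILEGE_NAME = :privilege
                AND (pr.ROLE_ID IN (SELECT ROLE_ID FROM APP_USER_ROLE_MAPPING
                                    WHERE USER_ID = u.ID)
                  OR pr.ROLE_ID IN (SELECT gr.ROLE_ID FROM APP_GROUP_ROLES_MAPPING gr
                                    JOIN APP_USER_GROUPS_MAPPING ug
                                      ON ug.GROUP_ID = gr.GROUP_ID
                                    WHERE ug.USER_ID = u.ID)))
"""


def build_db():
    """In-memory database populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA + SEED)
    return conn


def is_authorized(conn, username, project, privilege):
    """True only if the user has project access via a group AND the named privilege."""
    row = conn.execute(AUTHZ_SQL, {"username": username, "project": project,
                                   "privilege": privilege}).fetchone()
    return row is not None


def delete_project(conn, username, project):
    """Step 5: authorize first, then delete the project and its group mapping together."""
    if not is_authorized(conn, username, project, "DELETE_PROJECT"):
        raise PermissionError(f"{username} may not delete {project}")
    with conn:  # one transaction: commits on success, rolls back on error
        conn.execute("DELETE FROM APP_GROUP_PROJECTS_MAPPING WHERE PROJECT_ID = "
                     "(SELECT ID FROM APP_PROJECTS_DETAILS WHERE PROJECT_NAME = ?)", (project,))
        cur = conn.execute("DELETE FROM APP_PROJECTS_DETAILS WHERE PROJECT_NAME = ?", (project,))
    return cur.rowcount


if __name__ == "__main__":
    db = build_db()
    for who, proj in [("alice", "Test1"), ("bob", "Test1"), ("carol", "Test1"), ("alice", "Test2")]:
        print(who, proj, is_authorized(db, who, proj, "DELETE_PROJECT"))
    print("deleted rows:", delete_project(db, "alice", "Test1"))
```

Two things the sample data is arranged to show: alice cannot delete Test2 even though she holds DELETE_PROJECT, because the privilege is only honored on projects that one of her groups is mapped to, and bob cannot delete Test1 even though his group is mapped to it, because neither his direct roles nor his group roles carry the privilege. The check runs before any write, and the delete plus the cleanup of the project's mapping rows commit as one transaction.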

2 answers:

Answer 0 (score: 0)

Sounds like a good design, except that you may be reinventing the wheel. Java EE already provides both declarative and programmatic security facilities similar to what you are trying to implement.

Answer 1 (score: 0)

Prepare your database relations like this:

User

```java
// User entity (fragment): the user's group memberships and the single role assigned to it
@OneToMany(mappedBy = "user")   // must name the "user" field of GroupPermissions, not the class
@XmlTransient
private List<GroupPermissions> groupPermissionsList;

// role is read through the roleId column; the column itself is not written via this association
@ManyToOne
@JoinColumn(name = "roleId", referencedColumnName = "id", insertable = false, updatable = false)
@XmlTransient
private Role role;

private static final long serialVersionUID = 5667633010066722654L;
```

GroupPermissions

```java
// GroupPermissions entity (fragment): one row per (user, group) membership
private int userId;
private int groupId;

// read-only associations backed by the two foreign-key columns above
@ManyToOne
@JoinColumn(name = "userId", referencedColumnName = "id", insertable = false, updatable = false)
@XmlTransient
private User user;

@ManyToOne
@JoinColumn(name = "groupId", referencedColumnName = "id", insertable = false, updatable = false)
@XmlTransient
private ProjectGroup group;
```

ProjectGroupPermissions

```java
// ProjectGroupPermissions entity (fragment): one row per (group, project) grant
private int groupId;
private int projectId;

// read-only associations backed by the two foreign-key columns above
@ManyToOne
@JoinColumn(name = "groupId", referencedColumnName = "id", insertable = false, updatable = false)
@XmlTransient
private ProjectGroup projectGroup;

@ManyToOne
@JoinColumn(name = "projectId", referencedColumnName = "id", insertable = false, updatable = false)
@XmlTransient
private Project project;
```

Role

  Define your fields in the Role table.

Perform the following steps

In the load method of the project page, check:

1. If the user has a role, get the user's assigned role, e.g. (delete, modify, view) (step 1); then check the second step, otherwise redirect to unauthorized access.
2. First check the user's assigned group ---> project.