Proper way to secure domain objects?_问答_开发者

开发者 https://www.devze.com 2023-01-25 07:14 出处：网络

If I have an entity Entity and a service EntityService and EntityServiceFacade with the following interfaces:

interface EntityService {

 Entity getEntity(Long id);

}

interface EntityServiceFacade {

 EntityDTO getEntity(Long id);

}

I can easily secure the read access to an entity by controlling access to the getEntity method at the service level. But once the facade has a reference to an entity, how can I control write access to it? If I have a saveEntity method and control access at the service (not facade) level like this (with Spring security annotations here):

class EntityServiceImpl implements EntityService {

 ...

 @PreAuthorize("hasPermission(#entity, 'write')")
 public void saveEntity(Entity entity) {

  repository.store(entity);
 }

}

class EntityServiceFacadeImpl implements EntityServiceFacade {

 ...

 @Transactional
 public void saveEntity(EntityDTO dto) {

  Entity entity = service.getEntity(dto.id);
  entity.setName(dto.name);
  service.save(entity);
 }

}

The problem here is that the access control check happens already after I have changed the name of the entity, so that does not suffice.

How do you guys do it? Do you secure the domain object methods instead?

Thanks

Edit:

If you secure your domain objects, fo开发者_开发知识库r example with annotations like:

@PreAuthorize("hasPermission(this, 'write')")
public void setName(String name) { this.name = name; }

Am I then breaking the domain model (according to DDD?)

Edit2

I found a thesis on the subject. The conclusion of that thesis says that a good way IS to annotate the domain object methods to secure them. Any thoughts on this?

I wouldn't worry about securing individual entity methods or properties from being modified.

Preventing a user from changing an entity in memory is not always necessary if you can control persistence.

The big gotcha here is UX, you want to inform a user as early as possible that she will probably be unable to persist changes made to that entity. The decision you will need to make is whether it is acceptable to delay the security check until persistence time or if you need to inform a user before (e.g. by deactivating UI elements).

If Entity is an interface, can't you just membrane it?

So if Entity looks like this:

interface Entity {
  int getFoo();
  void setFoo(int newFoo);
}

create a membrane like

final class ReadOnlyEntity implements Entity {
  private final Entity underlying;

  ReadOnlyEntity(Entity underlying) { this.underlying = underlying; }

  public int getFoo() { return underlying.getFoo(); }  // Read methods work

  // But deny mutators.
  public void setFoo(int newFoo) { throw new UnsupportedOperationException(); }
}

If you annotate read methods, you can use Proxy classes to automatically create membranes that cross multiple classes (so that a get method on a readonly Entity that returns an EntityPart returns a readonly EntityPart).

See deep attenuation in http://en.wikipedia.org/wiki/Object-capability_model for more details on this approach.