Open jasonjoo2010 opened 5 years ago
@jasonjoo2010 , I think creating custom annotation based security is the best approach and spring security provide an way include our annotation. You can refer my implementation here. https://github.com/thiyagu06/auth-manager/blob/master/src/main/java/com/izettle/authmanagement/controller/LoginAttemptsController.java#L44
I would like to contribute on this one.
@thiyagu06 Right.
@sczyh30 And what do you think about this issue, should this design go further?
Brief:
@thiyagu06 Right.
@sczyh30 And what do you think about this issue, should this design go further?
Brief:
- Action/Controller level annotations to declare permission requirements.
- More simple way to get the user authorized.
+1 for the idea of annotations of auth control. It's more elegant and convenient than function integrating. Contributions are welcomed.
For the design of authTarget
, what do you think of it? @CarpenterLee
So any updated?
What's the conclusion?
And kindly @thiyagu06 Thiyagugk are you working on it?
But i don't think it's a good idea throwing an exception because we have a boolean value returned already to mark it success or fail.
I agree with this. Using the return value is enough. And it's better to have controller/handler level annotations to declare permission restrictions.
@thiyagu06 Any progress on this?
But i don't think it's a good idea throwing an exception because we have a boolean value returned already to mark it success or fail.
I agree with this. Using the return value is enough. And it's better to have controller/handler level annotations to declare permission restrictions.
@thiyagu06 Any progress on this?
@sczyh30 , I have started to work on it.. Will let you the progress in few days.
But i don't think it's a good idea throwing an exception because we have a boolean value returned already to mark it success or fail.
I agree with this. Using the return value is enough. And it's better to have controller/handler level annotations to declare permission restrictions. @thiyagu06 Any progress on this?
@sczyh30 , I have started to work on it.. Will let you the progress in few days.
@AuthAuction(PrivilegeType.READ)
During each call to the service an filter will intercept the requests and create AuthUser. AuthUser Object will have the app the user has access i.e priviligeTypes.
Before Will executing the each method, will verify the access and thrown an error if the user has access to the method?
correct me if i'm wrong.
But i don't think it's a good idea throwing an exception because we have a boolean value returned already to mark it success or fail.
I agree with this. Using the return value is enough. And it's better to have controller/handler level annotations to declare permission restrictions. @thiyagu06 Any progress on this?
@sczyh30 , I have started to work on it.. Will let you the progress in few days.
- We will have custom Auth annotation on the method/class level
@AuthAuction(PrivilegeType.READ)
- During each call to the service an filter will intercept the requests and create AuthUser. AuthUser Object will have the app the user has access i.e priviligeTypes.
- Before Will executing the each method, will verify the access and thrown an error if the user has access to the method?
correct me if i'm wrong.
Things sounds correctly and i suggest we can mainly restructure logic by introducing new annotations based on current implementations. We mainly make it easy to use/read.
And more don't forget we should make it easy to understand for action level AuthUser fetching.
@sczyh30 Any suggestion?
@thiyagu06 Any progress on this? :)
@thiyagu06 Friendly ping :)
authTarget 返回值居然没有用作权限判断?那返回值的意义是啥?而且接口的文档上也不注明必须抛异常,或者抛哪个异常,前端页面接收到异常也只会显示【失败】,而不是我写的message。
This will be improved in #1042. Further contributions are welcomed!
Issue Description
Version 1.6.0 introduces authorization and it's an awesome feature. That helps
dashboard
to be more complete.My discussion here is focused on the actual authorizing design.
Interface Design
First i think here is a little fuzzy on
AuthUser. authTarget
.If throwing an exception is an option it's better to include in declaration like:
But i don't think it's a good idea throwing an exception because we have
a boolean value returned
already to mark it success or fail.Integrating
For function integrating we can find following lines everywhere:
It includes two intents:
But it's a little inconvenient. I have a proposal on it like:
or
or even a parent privilege like
When you want user information we can inject it by
Spring Argument Resolver
like:I think we can make more discussions.