CN115168836A - Data permission isolation method based on ORM framework - Google Patents

Publication number
CN115168836A
Authority
CN
China
Prior art keywords
data
user
authority
orm
owner field
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210664890.0A
Other languages
Chinese (zh)
Inventor
王刚
崔乐乐
李仰允
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianyuan Big Data Credit Management Co Ltd
Original Assignee
Tianyuan Big Data Credit Management Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tianyuan Big Data Credit Management Co Ltd
Priority to CN202210664890.0A
Publication of CN115168836A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/25 Integrating or interfacing systems involving database management systems
    • G06F16/252 Integrating or interfacing systems involving database management systems between a Database Management System and a front-end application
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/30 Creation or generation of source code
    • G06F8/31 Programming languages or programming paradigms
    • G06F8/315 Object-oriented languages
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2145 Inheriting rights or properties, e.g., propagation of permissions or restrictions within a hierarchy

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Computer Hardware Design (AREA)
  • Data Mining & Analysis (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a data permission isolation method based on an ORM framework and relates to the technical field of data security. The data permissions of a user are configured on the basis of a Java database persistence-layer framework, and the data owner field is marked with a custom annotation in the mapping class through the ORM framework. When the user issues a data query request, a custom interceptor of the ORM framework obtains the user's data permissions and the data owner field of the main data table, modifies the SQL statement to be executed by the database according to those data permissions and that data owner field, and executes the modified SQL statement, completing data permission control.

Description

Data permission isolation method based on ORM framework
Technical Field
The invention relates to the technical field of data security, and in particular to a data permission isolation method based on an ORM framework.
Background
When a service platform is built, the control and isolation of various permissions, such as page permissions, interface permissions and data permissions, generally has to be considered. The general RBAC permission model usually supports page permissions and interface permissions well. Data permissions are different: in scenarios where, for example, certain data may be viewed only by its owner, or only by people in the same department as its owner, the implementation is usually hard-coded. Hard-coded logic is complicated to modify and not friendly enough, because every change involves the whole process of recoding, testing and releasing, which costs time and effort.
Disclosure of Invention
To address the problems in the prior art, the invention provides a data permission isolation method based on an ORM framework. The method is highly general and simple to implement, and has broad application prospects.
The specific scheme provided by the invention is as follows:
The invention provides a data permission isolation method based on an ORM framework, in which the data permissions of a user are configured on the basis of a Java database persistence-layer framework and the data owner field is marked with a custom annotation in the mapping class through the ORM framework;
according to the user's data query request, a custom interceptor of the ORM framework obtains the user's data permissions and the data owner field of the main data table, modifies the SQL statement to be executed by the database according to the user's data permissions and the data owner field, and executes the modified SQL statement to complete data permission control.
Further, in the data permission isolation method based on the ORM framework, the data permissions of the user are configured on the basis of Mybatis and the data owner field is marked with a custom annotation in the mapping class through the ORM framework;
according to the user's data query request, a custom interceptor of the ORM framework obtains the user's data permissions and the data owner field of the main data table, modifies the SQL statement to be executed by the database according to the user's data permissions and the data owner field, and executes the modified SQL statement to complete data permission control.
Further, in the data permission isolation method based on the ORM framework, Mybatis assembles and outputs the SQL statement to be executed by the database according to the user's data query request, and the custom interceptor obtains the user's data permissions and the data owner field of the main data table according to that request and modifies the SQL statement to be executed by the database.
Further, in the data permission isolation method based on the ORM framework, modifying the SQL statement to be executed by the database according to the user's data permissions and the data owner field comprises:
adding a WHERE condition to the SQL statement to filter its output.
The invention also provides a data permission isolation system based on an ORM framework, comprising a persistence layer module and a mapping module.
The persistence layer module configures the data permissions of a user on the basis of a Java database persistence-layer framework, and the mapping module marks the data owner field with a custom annotation in the mapping class through the ORM framework;
according to the user's data query request, the mapping module obtains the user's data permissions and the data owner field of the main data table through a custom interceptor of the ORM framework, modifies the SQL statement to be executed by the database according to the user's data permissions and the data owner field, and executes the modified SQL statement to complete data permission control.
Further, in the data permission isolation system based on the ORM framework, the persistence layer module configures the data permissions of the user on the basis of Mybatis, and the mapping module marks the data owner field with a custom annotation in the mapping class through the ORM framework;
according to the user's data query request, the mapping module obtains the user's data permissions and the data owner field of the main data table through a custom interceptor of the ORM framework, modifies the SQL statement to be executed by the database according to the user's data permissions and the data owner field, and executes the modified SQL statement to complete data permission control.
Further, in the data permission isolation system based on the ORM framework, the persistence layer module assembles and outputs the SQL statement to be executed by the database through Mybatis according to the user's data query request, and the mapping module obtains the user's data permissions and the data owner field of the main data table through the custom interceptor according to that request and modifies the SQL statement to be executed by the database.
Further, in the data permission isolation system based on the ORM framework, the mapping module's modification of the SQL statement to be executed by the database according to the user's data permissions and the data owner field comprises:
adding a WHERE condition to the SQL statement to filter its output.
The advantages of the invention are as follows:
The invention provides a data permission isolation method based on an ORM framework that realizes data permission isolation for general business scenarios. Data permissions are controlled without intruding into business code and without hard coding. A user's data permissions can be changed through configuration, and the change takes effect in real time in the interceptor, which modifies and executes the SQL statements. This improves the efficiency of implementing business logic in code and reduces its cost.
Drawings
To illustrate the embodiments of the invention and the technical solutions of the prior art more clearly, the drawings used in describing them are briefly introduced below. The drawings described below show some embodiments of the invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic diagram of a prior-art data permission isolation process.
FIG. 2 is a schematic diagram of the data permission isolation process of the present invention.
FIG. 3 is a schematic diagram of the application of the method of the present invention.
Detailed Description
The present invention is further described below with reference to the drawings and specific examples so that those skilled in the art can better understand and practice it; the examples are not intended to limit the invention.
The invention provides a data permission isolation method based on an ORM framework, in which the data permissions of a user are configured on the basis of a Java database persistence-layer framework and the data owner field is marked with a custom annotation in the mapping class through the ORM framework;
according to the user's data query request, a custom interceptor of the ORM framework obtains the user's data permissions and the data owner field of the main data table, modifies the SQL statement to be executed by the database according to the user's data permissions and the data owner field, and executes the modified SQL statement to complete data permission control.
The data permission isolation technique, based on Object Relational Mapping (ORM), solves the problem of data permission isolation in general business scenarios.
With the method of the invention, data permission management is done through configuration and does not intrude into business code, which gives a better practical result.
In some embodiments of the method, Mybatis is taken as the example to describe a specific implementation.
Permission control is implemented with Mybatis and configuration. In the mapping class for a database table, the data owner fields, such as the data creator, are marked with a custom annotation through the ORM framework. The user's data permissions are then configured on a configuration page through the Mybatis framework; for example, a data owner can be configured to view the department's data. Once this preparatory work is finished, users can initiate business operations.
When a user initiates a data query request, the Mybatis framework assembles and outputs the SQL statement that the database needs to execute. During this process, a custom Mybatis interceptor of the ORM framework reads the current user's data permission configuration and the data owner field of the main data table being read, which is marked in the code by the annotation. The interceptor modifies the SQL statement according to the data permission configuration and the data owner field, adding an extra WHERE condition that filters the output, and in this way achieves data permission control.
For example, suppose the database holds a piece of data a whose owner is determined by the creator field and whose owning department is determined by the department field, and suppose the data may be viewed by people in the same department. Taking the data permission "view data created by oneself" as an example: in the prior art, a check such as "is the viewer's department the same as the target data's department" is usually hard-coded, and changing the check means modifying code, which is complicated and not friendly enough.
For example, under the check "is the viewer's department the same as the target data's department", the SQL may be "SELECT * FROM TABLE WHERE depth = viewer department;". If the check is changed to "view data created by oneself", the SQL has to be changed to "SELECT * FROM TABLE WHERE createUser = viewer;", which requires the whole process of recoding, testing and releasing and is time-consuming and laborious.
The SQL generated by Mybatis in the method of the invention is as follows:
SELECT * FROM TABLE;
The administrator configures the data permission of user A as "view data created by oneself".
The data owner field of the TABLE data in the code is "createUser", as shown in the following code:
[Figure BDA0003692581670000051: code image of the mapping class with the annotated data owner field; not reproduced in the text]
After user A initiates a viewing request for the TABLE data, the SQL received by the custom interceptor of the ORM framework is "SELECT * FROM TABLE;". The interceptor reads that user A's data permission is "view data created by oneself" and that the data owner field is "createUser", so the SQL finally executed is changed from "SELECT * FROM TABLE;" to "SELECT * FROM TABLE WHERE createUser = A;", and the result of executing it is returned.
Through this process, data permissions are controlled without intruding into business code and without hard coding. If a user's data permissions need to be modified, they can be changed through configuration, and the configuration takes effect in real time in the interceptor. If other data permission types need to be added, the method can be extended in the same way; the principle is the same.
The above takes Mybatis as the example for implementing a specific data permission management model; the implementation principle for other ORM frameworks is the same.
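The interceptor's rewrite step described above, as an added Java example (not the patent's code, and without the Mybatis plugin wiring). Instead of appending `WHERE createUser = A` as literal text, it wraps the received statement as a derived table and binds the value as a parameter. The `@DataOwner` annotation, the `Scope` names, `TableRecord`, `CONFIG` and the user and department values are hypothetical; Java 16 or later is assumed.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class DataScopeDemo {

    /** Permission types an administrator can assign (names are assumptions). */
    enum Scope { SELF, DEPARTMENT, ALL }

    /** Hypothetical marker for owner fields; the patent's annotation survives only as an image. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.FIELD)
    @interface DataOwner { Scope value(); }

    /** Constructed mapping class standing in for the patent's TABLE. */
    static class TableRecord {
        Long id;
        @DataOwner(Scope.SELF) String createUser;
        @DataOwner(Scope.DEPARTMENT) String department;
    }

    record User(String name, String department) {}
    record ScopedSql(String sql, List<Object> params) {}

    /** Constructed per-user configuration; changing an entry takes effect on the next query. */
    static final Map<String, Scope> CONFIG = new HashMap<>();

    /** Finds the column annotated for the given scope and checks it is a plain identifier. */
    static String ownerColumn(Class<?> mapping, Scope scope) {
        for (Field f : mapping.getDeclaredFields()) {
            DataOwner mark = f.getAnnotation(DataOwner.class);
            if (mark != null && mark.value() == scope) {
                if (!f.getName().matches("[A-Za-z_][A-Za-z0-9_]*")) {
                    throw new IllegalStateException("unsafe column name: " + f.getName());
                }
                return f.getName();
            }
        }
        throw new IllegalStateException(
                "no @DataOwner(" + scope + ") field on " + mapping.getSimpleName());
    }

    /** What the interceptor does with the SQL it receives before the database sees it. */
    static ScopedSql applyScope(String sql, Class<?> mapping, User user) {
        Scope scope = CONFIG.get(user.name());
        if (scope == null) {
            // Fail closed: an unconfigured user must not fall through to the unfiltered query.
            throw new SecurityException("no data permission configured for " + user.name());
        }
        if (scope == Scope.ALL) {
            return new ScopedSql(sql, List.of());
        }
        String column = ownerColumn(mapping, scope);
        Object value = (scope == Scope.SELF) ? user.name() : user.department();
        // Wrapping keeps the filter correct when the original already has WHERE/ORDER BY/LIMIT;
        // it requires the owner column to be in the original select list.
        String inner = sql.strip().replaceAll(";\\s*$", "");
        String scoped = "SELECT * FROM (" + inner + ") scoped WHERE scoped." + column + " = ?";
        return new ScopedSql(scoped, List.of(value)); // value is bound, never concatenated
    }

    public static void main(String[] args) {
        User a = new User("A", "risk");           // constructed user and department
        String original = "SELECT * FROM TABLE;"; // statement from the patent's example

        CONFIG.put("A", Scope.SELF);
        System.out.println(applyScope(original, TableRecord.class, a));

        CONFIG.put("A", Scope.DEPARTMENT);        // reconfigured, no business code touched
        System.out.println(applyScope(original, TableRecord.class, a));

        try {
            applyScope(original, TableRecord.class, new User("B", "risk"));
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

Statements that bypass the ORM (raw JDBC, reporting jobs, other services on the same database) never pass through the interceptor, so the filter applies only to queries issued through the intercepted path.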
The invention also provides a data permission isolation system based on an ORM framework, comprising a persistence layer module and a mapping module.
The persistence layer module configures the data permissions of a user on the basis of a Java database persistence-layer framework, and the mapping module marks the data owner field with a custom annotation in the mapping class through the ORM framework;
according to the user's data query request, the mapping module obtains the user's data permissions and the data owner field of the main data table through a custom interceptor of the ORM framework, modifies the SQL statement to be executed by the database according to the user's data permissions and the data owner field, and executes the modified SQL statement to complete data permission control.
The information exchange between the modules of the system, their execution process and related details are based on the same concept as the method embodiment of the invention; for specifics, refer to the description of the method embodiment, which is not repeated here.
Likewise, the system of the invention realizes data permission isolation for general business scenarios on the basis of an ORM framework. Data permissions are controlled without intruding into business code and without hard coding. A user's data permissions can be changed through configuration, and the change takes effect in real time in the interceptor, which modifies and executes the SQL statements. This improves the efficiency of implementing business logic in code and reduces its cost.
It should be noted that not all steps and modules in the above flows and system structures are necessary, and some steps or modules may be omitted according to actual needs. The execution sequence of the steps is not fixed and can be adjusted according to the needs. The system structures described in the above embodiments may be physical structures or logical structures, that is, some modules may be implemented by the same physical entity, or some modules may be implemented by a plurality of physical entities separately, or some components may be implemented together in a plurality of independent devices.
The above-mentioned embodiments are merely preferred embodiments for fully illustrating the present invention, and the scope of the present invention is not limited thereto. The equivalent substitutions or changes made by the person skilled in the art on the basis of the present invention are all within the protection scope of the present invention. The protection scope of the invention is subject to the claims.

Claims (8)

1. A data permission isolation method based on an ORM framework, characterized in that the data permissions of a user are configured on the basis of a Java database persistence-layer framework, and the data owner field is marked with a custom annotation in the mapping class through the ORM framework;
according to the user's data query request, a custom interceptor of the ORM framework obtains the user's data permissions and the data owner field of the main data table, modifies the SQL statement to be executed by the database according to the user's data permissions and the data owner field, and executes the modified SQL statement to complete data permission control.
2. The ORM framework-based data permission isolation method according to claim 1, wherein the data permissions of the user are configured on the basis of Mybatis, and the data owner field is marked with a custom annotation in the mapping class through the ORM framework;
according to the user's data query request, a custom interceptor of the ORM framework obtains the user's data permissions and the data owner field of the main data table, modifies the SQL statement to be executed by the database according to the user's data permissions and the data owner field, and executes the modified SQL statement to complete data permission control.
3. The ORM framework-based data permission isolation method according to claim 2, wherein Mybatis assembles and outputs the SQL statement to be executed by the database according to the user's data query request, and the custom interceptor obtains the user's data permissions and the data owner field of the main data table according to that request and modifies the SQL statement to be executed by the database.
4. The ORM framework-based data permission isolation method according to any one of claims 1-3, wherein modifying the SQL statement to be executed by the database according to the user's data permissions and the data owner field comprises:
adding a WHERE condition to the SQL statement to filter its output.
5. A data permission isolation system based on an ORM framework, characterized by comprising a persistence layer module and a mapping module,
wherein the persistence layer module configures the data permissions of a user on the basis of a Java database persistence-layer framework, and the mapping module marks the data owner field with a custom annotation in the mapping class through the ORM framework;
according to the user's data query request, the mapping module obtains the user's data permissions and the data owner field of the main data table through a custom interceptor of the ORM framework, modifies the SQL statement to be executed by the database according to the user's data permissions and the data owner field, and executes the modified SQL statement to complete data permission control.
6. The ORM framework-based data permission isolation system according to claim 5, wherein the persistence layer module configures the data permissions of the user on the basis of Mybatis, and the mapping module marks the data owner field with a custom annotation in the mapping class through the ORM framework;
according to the user's data query request, the mapping module obtains the user's data permissions and the data owner field of the main data table through a custom interceptor of the ORM framework, modifies the SQL statement to be executed by the database according to the user's data permissions and the data owner field, and executes the modified SQL statement to complete data permission control.
7. The ORM framework-based data permission isolation system according to claim 6, wherein the persistence layer module assembles and outputs the SQL statement to be executed by the database through Mybatis according to the user's data query request, and the mapping module obtains the user's data permissions and the data owner field of the main data table through the custom interceptor according to that request and modifies the SQL statement to be executed by the database.
8. The ORM framework-based data permission isolation system according to any one of claims 5-7, wherein the mapping module's modification of the SQL statement to be executed by the database according to the user's data permissions and the data owner field comprises:
adding a WHERE condition to the SQL statement to filter its output.
CN202210664890.0A 2022-06-14 2022-06-14 Data permission isolation method based on ORM framework Pending CN115168836A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210664890.0A CN115168836A (en) 2022-06-14 2022-06-14 Data permission isolation method based on ORM framework

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210664890.0A CN115168836A (en) 2022-06-14 2022-06-14 Data permission isolation method based on ORM framework

Publications (1)

Publication Number Publication Date
CN115168836A true CN115168836A (en) 2022-10-11

Family

ID=83484644

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210664890.0A Pending CN115168836A (en) 2022-06-14 2022-06-14 Data permission isolation method based on ORM framework

Country Status (1)

Country Link
CN (1) CN115168836A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024098858A1 (en) * 2022-11-08 2024-05-16 杭州趣链科技有限公司 Database access system and method, computer device, and storage medium

Similar Documents

Publication Publication Date Title
US20200356688A1 (en) Data access authority management method, apparatus, terminal device and storage medium
US9390395B2 (en) Methods and apparatus for defining a collaborative workspace
US8954479B2 (en) End-to-end interoperability and workflows from building architecture design to one or more simulations
AU2014201599B2 (en) Mobile reports
US20140129457A1 (en) An interactive organizational decision-making and compliance facilitation portal
EP3850504A1 (en) Private and public media data in a decentralized system
US10089371B2 (en) Extensible extract, transform and load (ETL) framework
US9613067B2 (en) Defining and transforming entity relationship-XML hybrid data models
CN109299074A (en) A kind of data verification method and system based on templating data base view
CN103198141A (en) Data record access control method and device in hierarchical relationship
CN104573041A (en) Generating method and device of electronic license template and electronic license generation method
CN115168836A (en) Data permission isolation method based on ORM framework
CN102469083A (en) User authentication method and apparatus thereof, and enterprise system
US7519570B2 (en) Localization of generic electronic registration system
Chellappan et al. MongoDB Recipes: With Data Modeling and Query Building Strategies
Matheus Declaration and enforcement of fine-grained access restrictions for a service-based geospatial data infrastructure
CN101000618A (en) Method and device for set-up disconnection data programmed model and its application
CN112596711A (en) Personalized authority management setting method and system based on Web system
CN114124977B (en) Cross-tenant data sharing method and device and electronic equipment
CN107426137A (en) Right management method and system
CN101976381A (en) Method and system for managing application assets
CN102193947B (en) Data access processing method and system
Cadenhead et al. Design and implementation of a cloud-based assured information sharing system
CN105844403A (en) Enterprise management system information global searching and tracing method
CN113656724B (en) Method and system for dynamically configuring webpage function based on web page

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination