[go: up one dir, main page]

CN115168836A - Data permission isolation method based on ORM framework - Google Patents

Data permission isolation method based on ORM framework Download PDF

Info

Publication number
CN115168836A
CN115168836A CN202210664890.0A CN202210664890A CN115168836A CN 115168836 A CN115168836 A CN 115168836A CN 202210664890 A CN202210664890 A CN 202210664890A CN 115168836 A CN115168836 A CN 115168836A
Authority
CN
China
Prior art keywords
data
user
authority
owner field
orm framework
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210664890.0A
Other languages
Chinese (zh)
Inventor
王刚
崔乐乐
李仰允
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianyuan Big Data Credit Management Co Ltd
Original Assignee
Tianyuan Big Data Credit Management Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tianyuan Big Data Credit Management Co Ltd filed Critical Tianyuan Big Data Credit Management Co Ltd
Priority to CN202210664890.0A priority Critical patent/CN115168836A/en
Publication of CN115168836A publication Critical patent/CN115168836A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/25Integrating or interfacing systems involving database management systems
    • G06F16/252Integrating or interfacing systems involving database management systems between a Database Management System and a front-end application
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/30Creation or generation of source code
    • G06F8/31Programming languages or programming paradigms
    • G06F8/315Object-oriented languages
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2145Inheriting rights or properties, e.g., propagation of permissions or restrictions within a hierarchy

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Computer Hardware Design (AREA)
  • Data Mining & Analysis (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)

Abstract

本发明公开一种基于ORM框架的数据权限隔离方法,涉及数据安全技术领域;基于java的数据库持久层框架,配置用户的数据权限,通过ORM框架在映射类中使用自定义注解标记数据拥有方字段,通过ORM框架自定义拦截器根据用户的数据查询请求,获取用户的数据权限及数据主表的数据拥有方字段,修改所述用户的数据权限和数据拥有方字段对应的数据库需要执行的SQL语句,执行修改后SQL语句,完成数据权限控制。

Figure 202210664890

The invention discloses a data authority isolation method based on an ORM framework, and relates to the technical field of data security; a Java-based database persistence layer framework configures a user's data authority, and uses a custom annotation to mark a data owner field in a mapping class through the ORM framework , through the ORM framework custom interceptor, according to the user's data query request, to obtain the user's data authority and the data owner field of the data master table, and modify the user's data authority and data The SQL statement corresponding to the owner field of the database needs to be executed , execute the modified SQL statement to complete the data permission control.

Figure 202210664890

Description

一种基于ORM框架的数据权限隔离方法A Data Privilege Isolation Method Based on ORM Framework

技术领域technical field

本发明公开一种方法,涉及数据安全技术领域,具体地说是一种基于ORM框架的数据权限隔离方法。The invention discloses a method, which relates to the technical field of data security, in particular to a data authority isolation method based on an ORM framework.

背景技术Background technique

在业务平台建设中,通常需要考虑各项权限的管控和隔离,例如页面权限、接口权限、数据权限等,在通用的RBAC权限模型中,对于页面权限和接口权限具有通用较好的支持,但是对于数据权限,例如对于某种数据,只有数据拥有者才能查看,或者与数据拥有者同部门的人员才能查看等场景,此场景实现过程通常使用硬编码方式,但修改硬编码较为复杂,且不够友好,又涉及重新编码、测试、发布等整个流程,费事费力。In the construction of the business platform, it is usually necessary to consider the control and isolation of various permissions, such as page permissions, interface permissions, data permissions, etc. In the general RBAC permission model, there is general and better support for page permissions and interface permissions, but For data permissions, for example, for a certain kind of data, only the data owner can view it, or people in the same department as the data owner can view it. The implementation process of this scenario usually uses hard coding, but modifying the hard coding is more complicated and insufficient. Friendly, and involves the entire process of recoding, testing, publishing, etc., which is time-consuming and labor-intensive.

发明内容SUMMARY OF THE INVENTION

本发明针对现有技术的问题,提供一种基于ORM框架的数据权限隔离方法,具有通用性强、实施简便等特点,具有广阔的应用前景。Aiming at the problems of the prior art, the present invention provides a data authority isolation method based on an ORM framework, which has the characteristics of strong versatility, easy implementation and the like, and has broad application prospects.

本发明提出的具体方案是:The concrete scheme proposed by the present invention is:

本发明提供一种基于ORM框架的数据权限隔离方法,基于java的数据库持久层框架,配置用户的数据权限,通过ORM框架在映射类中使用自定义注解标记数据拥有方字段,The invention provides a data authority isolation method based on an ORM framework, a database persistence layer framework based on java, configures a user's data authority, and uses a custom annotation to mark the data owner field in the mapping class through the ORM framework,

通过ORM框架自定义拦截器根据用户的数据查询请求,获取用户的数据权限及数据主表的数据拥有方字段,修改所述用户的数据权限和数据拥有方字段对应的数据库需要执行的SQL语句,执行修改后SQL语句,完成数据权限控制。Through the ORM framework custom interceptor, according to the user's data query request, the user's data authority and the data owner field of the data master table are obtained, and the SQL statement to be executed by the database corresponding to the user's data authority and the data owner field is modified, Execute the modified SQL statement to complete data permission control.

进一步,所述的一种基于ORM框架的数据权限隔离方法中基于Mybatis,配置用户的数据权限,通过ORM框架在映射类中使用自定义注解标记数据拥有方字段,Further, in the described ORM framework-based data authority isolation method, based on Mybatis, the user's data authority is configured, and the data owner field is marked with a custom annotation in the mapping class through the ORM framework,

通过ORM框架自定义拦截器根据用户的数据查询请求,获取用户的数据权限及数据主表的数据拥有方字段,修改所述用户的数据权限和数据拥有方字段对应的数据库需要执行的SQL语句,执行修改后SQL语句,完成数据权限控制。Through the ORM framework custom interceptor, according to the user's data query request, the user's data authority and the data owner field of the data master table are obtained, and the SQL statement to be executed by the database corresponding to the user's data authority and the data owner field is modified, Execute the modified SQL statement to complete data permission control.

进一步,所述的一种基于ORM框架的数据权限隔离方法中根据用户的数据查询请求,通过Mybatis组装并输出数据库需要执行的SQL语句,通过自定义拦截器根据所述用户的数据查询请求获取用户的数据权限及数据主表的数据拥有方字段,修改所述的数据库需要执行的SQL语句。Further, according to the data query request of the user, in the described data authority isolation method based on the ORM framework, the SQL statement that needs to be executed by the database is assembled and output by Mybatis, and the user is obtained according to the data query request of the user through the custom interceptor. The data authority and the data owner field of the data master table, modify the SQL statement that the database needs to execute.

进一步,所述的一种基于ORM框架的数据权限隔离方法中所述修改所述用户的数据权限和数据拥有方字段对应的数据库需要执行的SQL语句,包括:Further, in the described data authority isolation method based on ORM framework, the SQL statement that the database corresponding to the data authority of the user and the data owner field needs to be executed, including:

增加WHERE条件筛选输出的SQL语句。Added WHERE condition to filter the output SQL statement.

本发明还提供一种基于ORM框架的数据权限隔离系统,包括持久层模块和映射模块,The present invention also provides a data authority isolation system based on the ORM framework, comprising a persistence layer module and a mapping module,

持久层模块基于java的数据库持久层框架,配置用户的数据权限,映射模块通过ORM框架在映射类中使用自定义注解标记数据拥有方字段,The persistence layer module is based on the Java database persistence layer framework to configure the user's data permissions. The mapping module uses the ORM framework to mark the data owner field with custom annotations in the mapping class.

映射模块通过ORM框架自定义拦截器根据用户的数据查询请求,获取用户的数据权限及数据主表的数据拥有方字段,修改所述用户的数据权限和数据拥有方字段对应的数据库需要执行的SQL语句,执行修改后SQL语句,完成数据权限控制。The mapping module obtains the user's data authority and the data owner field of the data master table according to the user's data query request through the ORM framework custom interceptor, and modifies the SQL that the database corresponding to the user's data authority and the data owner field needs to execute statement, execute the modified SQL statement to complete data permission control.

进一步,所述的一种基于ORM框架的数据权限隔离系统中持久层模块基于Mybatis,配置用户的数据权限,映射模块通过ORM框架在映射类中使用自定义注解标记数据拥有方字段,Further, the persistent layer module in the described ORM framework-based data authority isolation system is based on Mybatis, configures the user's data authority, and the mapping module uses the ORM framework to use custom annotations in the mapping class to mark the data owner field,

映射模块通过ORM框架自定义拦截器根据用户的数据查询请求,获取用户的数据权限及数据主表的数据拥有方字段,修改所述用户的数据权限和数据拥有方字段对应的数据库需要执行的SQL语句,执行修改后SQL语句,完成数据权限控制。The mapping module obtains the user's data authority and the data owner field of the data master table according to the user's data query request through the ORM framework custom interceptor, and modifies the SQL that the database corresponding to the user's data authority and the data owner field needs to execute statement, execute the modified SQL statement to complete data permission control.

进一步,所述的一种基于ORM框架的数据权限隔离系统中持久层模块根据用户的数据查询请求,通过Mybatis组装并输出数据库需要执行的SQL语句,映射模块通过自定义拦截器根据所述用户的数据查询请求获取用户的数据权限及数据主表的数据拥有方字段,修改所述的数据库需要执行的SQL语句。Further, in the described data authority isolation system based on the ORM framework, the persistent layer module assembles and outputs the SQL statement that the database needs to execute according to the user's data query request, and the mapping module uses the custom interceptor according to the user's data query request. The data query request obtains the user's data authority and the data owner field of the data master table, and modifies the SQL statement to be executed by the database.

进一步,所述的一种基于ORM框架的数据权限隔离系统中所述映射模块修改所述用户的数据权限和数据拥有方字段对应的数据库需要执行的SQL语句,包括:Further, in the described data authority isolation system based on the ORM framework, the mapping module modifies the SQL statement that the database corresponding to the data authority of the user and the data owner field needs to execute, including:

增加WHERE条件筛选输出的SQL语句。Added WHERE condition to filter the output SQL statement.

本发明的有益之处是:The benefits of the present invention are:

本发明提供一种基于ORM框架的数据权限隔离方法,基于ORM框架实现通用业务场景下的数据权限隔离,可实现不侵入业务代码和硬编码来对数据权限的管控,可通过配置的方式改变用户的数据权限,并通过拦截器实时生效,修改执行sql语句,提高了编码和实现业务的效率,降低了业务编码实现的成本。The invention provides a data authority isolation method based on the ORM framework. Based on the ORM framework, the data authority isolation in a general business scenario can be realized, and the data authority can be controlled without invading business codes and hard codes, and users can be changed through configuration. The data authority can be implemented in real time through the interceptor, and the SQL statement can be modified and executed, which improves the efficiency of coding and business implementation, and reduces the cost of business coding implementation.

附图说明Description of drawings

为了更清楚地说明本发明实施例或现有技术中的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图是本发明的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the following briefly introduces the accompanying drawings that need to be used in the description of the embodiments or the prior art. Obviously, the drawings in the following description are For some embodiments of the present invention, for those of ordinary skill in the art, other drawings can also be obtained according to these drawings without any creative effort.

图1是现有技术数据权限隔离流程示意图。FIG. 1 is a schematic diagram of a data rights isolation process in the prior art.

图2是本发明数据权限隔离流程示意图。FIG. 2 is a schematic diagram of the data rights isolation flow of the present invention.

图3是本发明方法应用示意图。3 is a schematic diagram of the application of the method of the present invention.

具体实施方式Detailed ways

下面结合附图和具体实施例对本发明作进一步说明,以使本领域的技术人员可以更好地理解本发明并能予以实施,但所举实施例不作为对本发明的限定。The present invention will be further described below with reference to the accompanying drawings and specific embodiments, so that those skilled in the art can better understand the present invention and implement it, but the embodiments are not intended to limit the present invention.

本发明提供一种基于ORM框架的数据权限隔离方法,基于java的数据库持久层框架,配置用户的数据权限,通过ORM框架在映射类中使用自定义注解标记数据拥有方字段,The invention provides a data authority isolation method based on an ORM framework, a database persistence layer framework based on java, configures a user's data authority, and uses a custom annotation to mark the data owner field in the mapping class through the ORM framework,

通过ORM框架自定义拦截器根据用户的数据查询请求,获取用户的数据权限及数据主表的数据拥有方字段,修改所述用户的数据权限和数据拥有方字段对应的数据库需要执行的SQL语句,执行修改后SQL语句,完成数据权限控制。Through the ORM framework custom interceptor, according to the user's data query request, the user's data authority and the data owner field of the data master table are obtained, and the SQL statement to be executed by the database corresponding to the user's data authority and the data owner field is modified, Execute the modified SQL statement to complete data permission control.

基于ORM框架(Object Relational Mapping,对象关系映射,简称ORM)的数据权限隔离技术,用于解决通用业务场景下的数据权限隔离问题。The data permission isolation technology based on the ORM framework (Object Relational Mapping, ORM for short) is used to solve the problem of data permission isolation in general business scenarios.

本发明方法数据权限管理方式可以通过配置化完成,不侵入业务代码,具有比较好的实用效果。The data authority management mode of the method of the present invention can be completed through configuration, does not invade business codes, and has relatively good practical effects.

具体应用中,在本发明方法的一些实施例中,以Mybatis为例描述了具体实现过程。In specific applications, in some embodiments of the method of the present invention, the specific implementation process is described by taking Mybatis as an example.

基于Mybatis和配置的方式来实现上述权限控制,通过ORM框架在与数据库表的映射类中,使用自定义注解标记数据拥有方的字段,例如数据创建人等,其次通过Mybatis框架在可配置化的页面中配置用户的数据权限,例如可配置为查看本部门,至此前置准备工作准备完毕,用户即可发起业务操作。The above permission control is implemented based on Mybatis and configuration. In the mapping class with the database table through the ORM framework, the fields of the data owner, such as the data creator, are marked with custom annotations. Secondly, the Mybatis framework is used in the configurable The user's data permission is configured on the page, for example, it can be configured to view the department. At this point, the preparatory work is completed, and the user can initiate business operations.

当用户发起数据查询请求后,Mybatis框架组装并输出数据库需要执行的SQL语句,在此过程中会经过ORM框架自定义的Mybatis拦截器,读取当前用户的数据权限配置,并读取当前读取数据主表的数据拥有方字段,数据拥有方字段已通过注解在代码中标记,根据数据权限配置和数据拥有方字段对SQL语句进行修改,增加额外的WHERE条件筛选输出的语句,从而达到数据权限控制的目的。When the user initiates a data query request, the Mybatis framework assembles and outputs the SQL statements that the database needs to execute. During this process, the Mybatis interceptor customized by the ORM framework reads the data permission configuration of the current user, and reads the current read The data owner field of the main data table, the data owner field has been marked in the code through annotations, the SQL statement is modified according to the data permission configuration and the data owner field, and additional WHERE conditions are added to filter the output statement, so as to achieve data permission purpose of control.

进一步地,例如数据库中有一条数据A,数据的拥有者通过创建人字段确定,数据的拥有部门通过部门字段确定,假定本条数据可以由部门相同的人员查看,即以“查看本人创建的数据”的数据权限为例,现有技术中确定“查看人部门与目标数据部门是否相同”一般通过硬编码来确定,如果判定方式发生改变,则需要通过修改代码来实现,较为复杂,且不够友好。Further, for example, there is a piece of data A in the database, the owner of the data is determined by the creator field, and the department that owns the data is determined by the department field. It is assumed that this piece of data can be viewed by people in the same department, that is, "View data created by me". For example, in the prior art, the determination of “whether the viewer department is the same as the target data department” is generally determined by hard coding. If the determination method changes, it needs to be implemented by modifying the code, which is complicated and not friendly enough.

例如在“查看人部门与目标数据部门是否相同”判定方式下,SQL代码可能为“SELECT*FROM TABLE WHERE dept=查看人部门;”,如果判定方式改为“查看本人创建的数据”,则需要修改SQL为“SELECT*FROM TABLE WHERE createUser=查看人;”,需要涉及到重新编码、测试、发布等整个流程,费事费力。For example, in the judgment method of "whether the viewing department is the same as the target data department", the SQL code may be "SELECT*FROM TABLE WHERE dept=viewing person department;", if the judgment method is changed to "view the data created by me", you need to Modifying the SQL to "SELECT*FROM TABLE WHERE createUser=Viewer;" involves the entire process of recoding, testing, and publishing, which is time-consuming and labor-intensive.

而本发明方法中Mybatis初步生成的SQL示意如下:And the SQL that Mybatis initially generates in the method of the present invention is shown as follows:

SELECT*FROM TABLE;SELECT*FROM TABLE;

管理员对用户A配置的数据权限为“查看本人创建的数据”;The data permission configured by the administrator for user A is "view data created by me";

代码中TABLE数据的数据拥有方字段为“createUser”,代码示意如下:The data owner field of TABLE data in the code is "createUser", and the code is as follows:

Figure BDA0003692581670000051
Figure BDA0003692581670000051

用户A发起对TABLE数据的查看请求后,ORM框架自定义拦截器接收到的SQL为“SELECT*FROM TABLE;”,读取用户A的数据权限为“查看本人创建的数据”,数据拥有方字段为“createUser”,则可修改最终执行的SQL“SELECT*FROM TABLE;”为“SELECT*FROM TABLEWHERE createUser=A;”,并进行执行返回结果。After user A initiates a viewing request for TABLE data, the SQL received by the ORM framework custom interceptor is "SELECT*FROM TABLE;", the data permission for reading user A is "view data created by me", and the data owner field If it is "createUser", you can modify the final executed SQL "SELECT*FROM TABLE;" to "SELECT*FROM TABLEWHERE createUser=A;", and execute it to return the result.

经过上述流程,即可实现不侵入业务代码和硬编码来实现对数据权限的管控,且如果需要修改用户的数据权限,可通过配置的方式改变,本配置可在拦截器中实时生效。如果需要增加其他数据权限类型可按照上述方式扩展,原理相同。After the above process, it is possible to realize the control of data permissions without invading business code and hard coding, and if you need to modify the user's data permissions, you can change it through configuration. This configuration can take effect in real time in the interceptor. If you need to add other data permission types, you can expand it in the above way, and the principle is the same.

上述以Mybatis为例实现了一个具体的数据权限管理模型,其余ORM框架实现原理相同。The above takes Mybatis as an example to implement a specific data rights management model, and the implementation principles of other ORM frameworks are the same.

本发明还提供一种基于ORM框架的数据权限隔离系统,包括持久层模块和映射模块,The present invention also provides a data authority isolation system based on the ORM framework, comprising a persistence layer module and a mapping module,

持久层模块基于java的数据库持久层框架,配置用户的数据权限,映射模块通过ORM框架在映射类中使用自定义注解标记数据拥有方字段,The persistence layer module is based on the Java database persistence layer framework to configure the user's data permissions. The mapping module uses the ORM framework to mark the data owner field with custom annotations in the mapping class.

映射模块通过ORM框架自定义拦截器根据用户的数据查询请求,获取用户的数据权限及数据主表的数据拥有方字段,修改所述用户的数据权限和数据拥有方字段对应的数据库需要执行的SQL语句,执行修改后SQL语句,完成数据权限控制。The mapping module obtains the user's data authority and the data owner field of the data master table according to the user's data query request through the ORM framework custom interceptor, and modifies the SQL that the database corresponding to the user's data authority and the data owner field needs to execute statement, execute the modified SQL statement to complete data permission control.

上述系统内的各模块之间的信息交互、执行过程等内容,由于与本发明方法实施例基于同一构思,具体内容可参见本发明方法实施例中的叙述,此处不再赘述。Since the information exchange and execution process among the modules in the above system are based on the same concept as the method embodiment of the present invention, the specific content can be found in the description in the method embodiment of the present invention, which will not be repeated here.

同样地,本发明系统基于ORM框架实现通用业务场景下的数据权限隔离,可实现不侵入业务代码和硬编码来对数据权限的管控,可通过配置的方式改变用户的数据权限,并通过拦截器实时生效,修改执行sql语句,提高了编码和实现业务的效率,降低了业务编码实现的成本。Similarly, based on the ORM framework, the system of the present invention realizes the isolation of data rights in general business scenarios, can realize the control of data rights without invading business codes and hard codes, and can change the user's data rights through configuration, and through the interceptor Effective in real time, modify and execute SQL statements, improve the efficiency of coding and business implementation, and reduce the cost of business coding implementation.

需要说明的是,上述各流程和各系统结构中不是所有的步骤和模块都是必须的,可以根据实际的需要忽略某些步骤或模块。各步骤的执行顺序不是固定的,可以根据需要进行调整。上述各实施例中描述的系统结构可以是物理结构,也可以是逻辑结构,即,有些模块可能由同一物理实体实现,或者,有些模块可能分由多个物理实体实现,或者,可以由多个独立设备中的某些部件共同实现。It should be noted that not all steps and modules in the above processes and system structures are necessary, and some steps or modules may be omitted according to actual needs. The execution order of each step is not fixed and can be adjusted as required. The system structure described in the above embodiments may be a physical structure or a logical structure, that is, some modules may be implemented by the same physical entity, or some modules may be implemented by multiple physical entities, or may be implemented by multiple physical entities. Some components in separate devices are implemented together.

以上所述实施例仅是为充分说明本发明而所举的较佳的实施例,本发明的保护范围不限于此。本技术领域的技术人员在本发明基础上所作的等同替代或变换,均在本发明的保护范围之内。本发明的保护范围以权利要求书为准。The above-mentioned embodiments are only preferred embodiments for fully illustrating the present invention, and the protection scope of the present invention is not limited thereto. Equivalent substitutions or transformations made by those skilled in the art on the basis of the present invention are all within the protection scope of the present invention. The protection scope of the present invention is subject to the claims.

Claims (8)

1.一种基于ORM框架的数据权限隔离方法,其特征是基于java的数据库持久层框架,配置用户的数据权限,通过ORM框架在映射类中使用自定义注解标记数据拥有方字段,1. A data authority isolation method based on an ORM framework, characterized in that a database persistence layer framework based on java, configures a user's data authority, and uses a custom annotation to mark the data owner field in the mapping class through the ORM framework, 通过ORM框架自定义拦截器根据用户的数据查询请求,获取用户的数据权限及数据主表的数据拥有方字段,修改所述用户的数据权限和数据拥有方字段对应的数据库需要执行的SQL语句,执行修改后SQL语句,完成数据权限控制。Through the ORM framework custom interceptor, according to the user's data query request, the user's data authority and the data owner field of the data master table are obtained, and the SQL statement to be executed by the database corresponding to the user's data authority and the data owner field is modified, Execute the modified SQL statement to complete data permission control. 2.根据权利要求1所述的一种基于ORM框架的数据权限隔离方法,其特征是基于Mybatis,配置用户的数据权限,通过ORM框架在映射类中使用自定义注解标记数据拥有方字段,2. a kind of data authority isolation method based on ORM framework according to claim 1, it is characterized in that based on Mybatis, configure the data authority of user, use self-defined annotation mark data owner field in mapping class by ORM framework, 通过ORM框架自定义拦截器根据用户的数据查询请求,获取用户的数据权限及数据主表的数据拥有方字段,修改所述用户的数据权限和数据拥有方字段对应的数据库需要执行的SQL语句,执行修改后SQL语句,完成数据权限控制。Through the ORM framework custom interceptor, according to the user's data query request, the user's data authority and the data owner field of the data master table are obtained, and the SQL statement to be executed by the database corresponding to the user's data authority and the data owner field is modified, Execute the modified SQL statement to complete data permission control. 3.根据权利要求2所述的一种基于ORM框架的数据权限隔离方法,其特征是根据用户的数据查询请求,通过Mybatis组装并输出数据库需要执行的SQL语句,通过自定义拦截器根据所述用户的数据查询请求获取用户的数据权限及数据主表的数据拥有方字段,修改所述的数据库需要执行的SQL语句。3. a kind of data authority isolation method based on ORM framework according to claim 2, it is characterized in that according to the data query request of user, by Mybatis assemble and output the SQL statement that database needs to execute, by self-defined interceptor according to described The user's data query request obtains the user's data authority and the data owner field of the data master table, and modifies the SQL statement to be executed by the database. 4.根据权利要求1-3任一项所述的一种基于ORM框架的数据权限隔离方法,其特征是所述修改所述用户的数据权限和数据拥有方字段对应的数据库需要执行的SQL语句,包括:4. a kind of data authority isolation method based on ORM framework according to any one of claim 1-3, it is characterized in that the SQL statement that the database corresponding to the data authority of described modification described user and data owner field needs to execute ,include: 增加WHERE条件筛选输出的SQL语句。Added WHERE condition to filter the output SQL statement. 5.一种基于ORM框架的数据权限隔离系统,其特征是包括持久层模块和映射模块,5. a data authority isolation system based on ORM framework, is characterized in that comprising persistence layer module and mapping module, 持久层模块基于java的数据库持久层框架,配置用户的数据权限,映射模块通过ORM框架在映射类中使用自定义注解标记数据拥有方字段,The persistence layer module is based on the Java database persistence layer framework to configure the user's data permissions. The mapping module uses the ORM framework to mark the data owner field with custom annotations in the mapping class. 映射模块通过ORM框架自定义拦截器根据用户的数据查询请求,获取用户的数据权限及数据主表的数据拥有方字段,修改所述用户的数据权限和数据拥有方字段对应的数据库需要执行的SQL语句,执行修改后SQL语句,完成数据权限控制。The mapping module obtains the user's data authority and the data owner field of the data master table according to the user's data query request through the ORM framework custom interceptor, and modifies the SQL that the database corresponding to the user's data authority and the data owner field needs to execute statement, execute the modified SQL statement to complete data permission control. 6.根据权利要求5所述的一种基于ORM框架的数据权限隔离系统,其特征是持久层模块基于Mybatis,配置用户的数据权限,映射模块通过ORM框架在映射类中使用自定义注解标记数据拥有方字段,6. a kind of data authority isolation system based on ORM framework according to claim 5, it is characterized in that persistence layer module is based on Mybatis, configures user's data authority, and mapping module uses self-defined annotation mark data in mapping class by ORM framework owning field, 映射模块通过ORM框架自定义拦截器根据用户的数据查询请求,获取用户的数据权限及数据主表的数据拥有方字段,修改所述用户的数据权限和数据拥有方字段对应的数据库需要执行的SQL语句,执行修改后SQL语句,完成数据权限控制。The mapping module obtains the user's data authority and the data owner field of the data master table according to the user's data query request through the ORM framework custom interceptor, and modifies the SQL that the database corresponding to the user's data authority and the data owner field needs to execute statement, execute the modified SQL statement to complete data permission control. 7.根据权利要求6所述的一种基于ORM框架的数据权限隔离系统,其特征是持久层模块根据用户的数据查询请求,通过Mybatis组装并输出数据库需要执行的SQL语句,映射模块通过自定义拦截器根据所述用户的数据查询请求获取用户的数据权限及数据主表的数据拥有方字段,修改所述的数据库需要执行的SQL语句。7. a kind of data authority isolation system based on ORM framework according to claim 6, it is characterized in that persistence layer module according to user's data query request, is assembled by Mybatis and outputs the SQL statement that database needs to execute, the mapping module is through self-defining The interceptor obtains the user's data authority and the data owner field of the data master table according to the user's data query request, and modifies the SQL statement to be executed by the database. 8.根据权利要求5-7任一项所述的一种基于ORM框架的数据权限隔离系统,其特征是所述映射模块修改所述用户的数据权限和数据拥有方字段对应的数据库需要执行的SQL语句,包括:8. a kind of data authority isolation system based on ORM framework according to any one of claim 5-7, it is characterized in that described mapping module revises described user's data authority and the database corresponding to data owner field needs to perform. SQL statements, including: 增加WHERE条件筛选输出的SQL语句。Added WHERE condition to filter the output SQL statement.
CN202210664890.0A 2022-06-14 2022-06-14 Data permission isolation method based on ORM framework Pending CN115168836A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210664890.0A CN115168836A (en) 2022-06-14 2022-06-14 Data permission isolation method based on ORM framework

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210664890.0A CN115168836A (en) 2022-06-14 2022-06-14 Data permission isolation method based on ORM framework

Publications (1)

Publication Number Publication Date
CN115168836A true CN115168836A (en) 2022-10-11

Family

ID=83484644

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210664890.0A Pending CN115168836A (en) 2022-06-14 2022-06-14 Data permission isolation method based on ORM framework

Country Status (1)

Country Link
CN (1) CN115168836A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024098858A1 (en) * 2022-11-08 2024-05-16 杭州趣链科技有限公司 Database access system and method, computer device, and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160085779A1 (en) * 2014-09-19 2016-03-24 Benefitfocus.Com, Inc. Systems and methods for dynamically intercepting and adjusting persistence behaviors via runtime configuration
US20180137184A1 (en) * 2016-11-15 2018-05-17 Spirent Communications, Inc. Sql interceptor for use with third party data analytics packages
CN109815284A (en) * 2019-01-04 2019-05-28 平安科技(深圳)有限公司 A kind of method and apparatus of data processing
CN110941628A (en) * 2019-08-09 2020-03-31 四川邦辰信息科技有限公司 Data isolation implementation method based on SQL statement interception and analysis technology
CN113486326A (en) * 2021-07-02 2021-10-08 重庆沄析工业互联网有限公司 Method for realizing data line permission based on Mybatis interceptor
CN114461610A (en) * 2022-01-29 2022-05-10 中国建设银行股份有限公司 Data authority control method and device, electronic equipment and storage medium

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160085779A1 (en) * 2014-09-19 2016-03-24 Benefitfocus.Com, Inc. Systems and methods for dynamically intercepting and adjusting persistence behaviors via runtime configuration
US20180137184A1 (en) * 2016-11-15 2018-05-17 Spirent Communications, Inc. Sql interceptor for use with third party data analytics packages
CN109815284A (en) * 2019-01-04 2019-05-28 平安科技(深圳)有限公司 A kind of method and apparatus of data processing
CN110941628A (en) * 2019-08-09 2020-03-31 四川邦辰信息科技有限公司 Data isolation implementation method based on SQL statement interception and analysis technology
CN113486326A (en) * 2021-07-02 2021-10-08 重庆沄析工业互联网有限公司 Method for realizing data line permission based on Mybatis interceptor
CN114461610A (en) * 2022-01-29 2022-05-10 中国建设银行股份有限公司 Data authority control method and device, electronic equipment and storage medium

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
刘利静;燕鹏飞;: "基于Spring MVC的灵活查询技术在水路运政业务中的研究与应用", 数字通信世界, no. 09, 1 September 2016 (2016-09-01) *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2024098858A1 (en) * 2022-11-08 2024-05-16 杭州趣链科技有限公司 Database access system and method, computer device, and storage medium

Similar Documents

Publication Publication Date Title
CN110443059B (en) Data protection method and device
US11308072B2 (en) Declarative and unified data transition
US10841094B2 (en) Private and public media data in a decentralized system
CN112889040A (en) Database management
US20170185661A1 (en) Extensible extract, transform and load (etl) framework
CN101004683A (en) Method and device for accessing database
CN104252454B (en) A kind of data permission control method and system towards cloud computing multi-tenant pattern
CN106570406A (en) Data level permission configuration method and device
EP3516549A1 (en) Systems and methods for accessing a database management system
EP3051440A1 (en) Keyvalue database data table updating method and data table updating device
CN113220762A (en) Method, device, processor and storage medium for realizing general record processing of key service field change in big data application
EP1217547A2 (en) Object integrated management system
CN110992005B (en) Method and system for realizing data authority control processing in big data application
CN114443015A (en) Method for generating adding, deleting, modifying and checking service interface based on database metadata
CN110647564A (en) Hive table establishing method, electronic device and computer readable storage medium
US11281700B2 (en) Graph-based operations on an entity-relationship database
WO2017136867A1 (en) Systems and methods for securing an entity-relationship system
CN113918149A (en) Interface development method and device, computer equipment and storage medium
CN115168836A (en) Data permission isolation method based on ORM framework
CN102567372A (en) Student information management system
CN108804078A (en) A kind of software design pattern reconstructing method based on template
CN117407893A (en) Data rights management method, device, equipment and media based on API configuration
CN111444543A (en) Data authority management method and system
CN108111495A (en) A kind of authority control method and device
CN106778341A (en) data right management system and method

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination