dromara / sureness

A simple and efficient security framework that focuses on the protection of APIs.

Home Page: https://usthe.com/sureness

How can the sureness library be used in a GraphQL implementation based on graphql-java?

ShellWen opened this issue · comments

How can I use the sureness library in a GraphQL implementation based on graphql-java?
The server framework is Ktor; it seems that sureness can only protect RESTful APIs.

@GoFly233 hi, it can protect the GraphQL API, but it cannot do permission control on the request data inside GraphQL. If you need permission control on that request data, the GraphQL official site recommends putting it in the business logic layer, i.e. the concrete back-end API - https://graphql.cn/learn/authorization/ . I have one idea, not sure whether it works, for reference:

  1. Authenticate and authorize the back-end microservice APIs that GraphQL calls - usually a unified gateway is used here
  2. In each dataFetcher that implements a GraphQL request data object, check whether the back-end microservice API it calls returned "no permission" (i.e. a 403 status code), and then set the corresponding GraphQL response data to null or handle it in some other way

@GoFly233 hi, it can protect the GraphQL API, but it cannot do permission control on the request data inside GraphQL. If you need permission control on that request data, the GraphQL official site recommends putting it in the business logic layer, i.e. the concrete back-end API - https://graphql.cn/learn/authorization/ . I have one idea, not sure whether it works, for reference:

  1. Authenticate and authorize the back-end microservice APIs that GraphQL calls - usually a unified gateway is used here
  2. In each dataFetcher that implements a GraphQL request data object, check whether the back-end microservice API it calls returned "no permission" (i.e. a 403 status code), and then set the corresponding GraphQL response data to null or handle it in some other way

We don't plan to do microservices for now, but thanks anyway for giving me an idea.
My current thinking is to do the authorization check in the Service layer; if it fails, throw an exception right there and let the upper layer handle it (i.e. the GraphQL resolvers, the view layer).
How reliable do you think this is? I'm new to back-end development, so if I've misunderstood something, please correct me.

@GoFly233 you can give it a try; I see the GraphQL official site also recommends putting it in the business logic layer.

Then

@GoFly233 you can give it a try; I see the GraphQL official site also recommends putting it in the business logic layer.

Do you mean manual authorization in the business logic layer? Does that mean a global interceptor is no longer needed?

No. As I understand it, the business logic layer the official site refers to is the concrete service implementation behind GraphQL (i.e. not the GraphQL layer). You can try what you said: throw from the service and handle the permission exception in a global interceptor.

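As an added example (not code from the sureness project or from anyone in this thread), here is the approach agreed above written against graphql-java: the service layer performs the data-level permission check and throws, and a global DataFetcherExceptionHandler (the "global interceptor" of the thread) turns that exception into a GraphQL error with a null field instead of letting it surface as an unhandled internal error. It assumes graphql-java 19 or later (the asynchronous handleException signature), Java 16 or later (records), and that authentication of the HTTP request to the GraphQL endpoint has already been done by sureness at the framework layer; the Subject record, the SalaryService and its data are constructed stand-ins, not sureness or graphql-java types.

```java
import graphql.ErrorType;
import graphql.ExecutionInput;
import graphql.ExecutionResult;
import graphql.GraphQL;
import graphql.GraphQLError;
import graphql.GraphqlErrorBuilder;
import graphql.execution.DataFetcherExceptionHandler;
import graphql.execution.DataFetcherExceptionHandlerParameters;
import graphql.execution.DataFetcherExceptionHandlerResult;
import graphql.schema.DataFetcher;
import graphql.schema.GraphQLSchema;
import graphql.schema.idl.RuntimeWiring;
import graphql.schema.idl.SchemaGenerator;
import graphql.schema.idl.SchemaParser;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.CompletableFuture;

public class GraphqlServiceAuthzExample {
    // Stand-in for the authenticated subject. Assumption: sureness has already
    // authenticated the HTTP request at the framework layer, and the principal and
    // roles it established are copied into the GraphQL context under "subject".
    record Subject(String principal, Set<String> roles) {}

    // Thrown by the business logic layer when the caller may not see the data.
    static class ForbiddenException extends RuntimeException {
        ForbiddenException(String message) { super(message); }
    }

    // Business logic layer: the permission check lives here, so it holds no
    // matter which GraphQL field (or non-GraphQL caller) reaches the service.
    static class SalaryService {
        private static final Map<String, Integer> SALARIES = Map.of("alice", 100, "bob", 90); // constructed data

        int salaryOf(String employee, Subject caller) {
            boolean self = employee.equals(caller.principal());
            boolean hr = caller.roles().contains("hr");
            if (!self && !hr) {
                throw new ForbiddenException("not allowed to read the salary of " + employee);
            }
            Integer salary = SALARIES.get(employee);
            if (salary == null) throw new IllegalArgumentException("unknown employee " + employee);
            return salary;
        }
    }

    // Global handler: a ForbiddenException becomes a GraphQL error carrying a 403
    // code and the field resolves to null; any other exception is reported
    // generically so that internal details do not leak to the client.
    static class AuthzExceptionHandler implements DataFetcherExceptionHandler {
        @Override
        public CompletableFuture<DataFetcherExceptionHandlerResult> handleException(
                DataFetcherExceptionHandlerParameters params) {
            Throwable cause = params.getException();
            boolean forbidden = cause instanceof ForbiddenException;
            GraphQLError error = GraphqlErrorBuilder.newError()
                    .message(forbidden ? cause.getMessage() : "internal error")
                    .path(params.getPath())
                    .location(params.getSourceLocation())
                    .errorType(ErrorType.DataFetchingException)
                    .extensions(Map.of("code", forbidden ? 403 : 500))
                    .build();
            return CompletableFuture.completedFuture(
                    DataFetcherExceptionHandlerResult.newResult().error(error).build());
        }
    }

    static GraphQL buildGraphQL(SalaryService service) {
        String sdl = "type Query { salary(employee: String!): Int }";
        // The fetcher only forwards to the service; it contains no permission logic itself.
        DataFetcher<Integer> salaryFetcher = env -> {
            Subject caller = env.getGraphQlContext().get("subject");
            return service.salaryOf(env.getArgument("employee"), caller);
        };
        RuntimeWiring wiring = RuntimeWiring.newRuntimeWiring()
                .type("Query", builder -> builder.dataFetcher("salary", salaryFetcher))
                .build();
        GraphQLSchema schema = new SchemaGenerator()
                .makeExecutableSchema(new SchemaParser().parse(sdl), wiring);
        return GraphQL.newGraphQL(schema)
                .defaultDataFetcherExceptionHandler(new AuthzExceptionHandler())
                .build();
    }

    public static void main(String[] args) {
        GraphQL graphQL = buildGraphQL(new SalaryService());
        Subject bob = new Subject("bob", Set.of("employee")); // constructed caller without the "hr" role
        for (String target : List.of("bob", "alice")) {
            ExecutionInput input = ExecutionInput.newExecutionInput()
                    .query("{ salary(employee: \"" + target + "\") }")
                    .graphQLContext(Map.of("subject", bob))
                    .build();
            ExecutionResult result = graphQL.execute(input);
            // bob's own salary resolves; alice's resolves to null with a 403-coded error
            System.out.println(target + ": data=" + result.getData() + " errors=" + result.getErrors());
        }
    }
}
```

Because the handler is registered once on the GraphQL instance, every field that reaches a service which throws ForbiddenException is handled the same way, which is what makes the check "global" without a per-resolver interceptor. Errors are attached per result path, so a query that mixes permitted and forbidden fields returns partial data plus an errors list rather than failing as a whole; a client or log pipeline can key on the `code` extension to tell a 403 apart from a genuine server error. The microservice variant from the first reply fits the same shape: the fetcher would map a downstream 403 to ForbiddenException and let the handler do the rest.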

Hello, is there anything else on this issue? If not, I'll close it.

Hello, is there anything else on this issue? If not, I'll close it.

I'll close it myself, thanks.
