Freigegebene Casbin APIs
Einführung
Gehen wir davon aus, dass die Frontend-Anwendung Ihres Anwendungssystems das access_token des eingeloggten Benutzers erhalten hat und nun den Benutzer für einen Zugriff authentifizieren möchte. Sie können das access_token nicht einfach in den HTTP-Anfrageheader einfügen, um diese APIs zu nutzen, da Casdoor das Feld Authorization verwendet, um die Zugriffsberechtigung zu prüfen. Wie bei anderen APIs, die von Casdoor bereitgestellt werden, besteht das Feld Authorization aus der Anwendungskunden-ID und dem Geheimnis, unter Verwendung des Basic HTTP Authentication Scheme. Es sieht aus wie Authorization: Basic <Ihre_Anwendungs_ClientId> <Ihr_Anwendungs_ClientSecret>. Aus diesem Grund sollten Casbin APIs vom Anwendungsserver im Backend aufgerufen werden. Hier sind die Schritte, wie man es macht.
Nehmen Sie zum Beispiel die Anwendung app-vue-python-example auf der Demoseite, der Autorisierungsheader sollte sein: Authorization: Basic 294b09fbc17f95daf2fe dd8982f7046ccba1bbd7851d5c1ece4e52bf039d.
- Das Frontend übergibt das
access_tokenüber den HTTP-Anfrageheader an den Backend-Server. - Der Backend-Server ruft die Benutzer-ID aus dem
access_tokenab.
Als Vorabinformation, diese Schnittstellen sind auch (vorerst) für das (sub, obj, act) Modell konzipiert. Der Body ist das von dem Casbin-Modell der Berechtigung definierte Anfrageformat, das üblicherweise sub, obj und act repräsentiert.
Neben der API-Schnittstelle zur Anforderung der Durchsetzung von Berechtigungskontrollen bietet Casdoor auch andere Schnittstellen, die externen Anwendungen helfen, Informationen über Berechtigungspolitiken zu erhalten, die hier ebenfalls aufgeführt sind.
Durchsetzen
The Enforce API supports multiple query parameters to specify which permission(s) to enforce against. Only one parameter should be provided at a time:
permissionId: The identity of a specific permission policy (format:organization name/permission name)modelId: The identity of a permission model (format:organization name/model name) - enforces against all permissions using this modelresourceId: The identity of a resource - enforces against all permissions for this resourceenforcerId: The identity of a specific enforcerowner: The organization name - enforces against all permissions in this organization
Request using permissionId:
curl --location --request POST 'http://localhost:8000/api/enforce?permissionId=example-org/example-permission' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>' \
--data-raw '["example-org/example-user", "example-resource", "example-action"]'
Request using modelId:
curl --location --request POST 'http://localhost:8000/api/enforce?modelId=example-org/example-model' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>' \
--data-raw '["example-org/example-user", "example-resource", "example-action"]'
Request using resourceId:
curl --location --request POST 'http://localhost:8000/api/enforce?resourceId=example-org/example-resource' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>' \
--data-raw '["example-org/example-user", "example-resource", "example-action"]'
Response:
{
"status": "ok",
"msg": "",
"sub": "",
"name": "",
"data": [
true
],
"data2": [
"example-org/example-model/example-adapter"
]
}
Note: When using modelId, resourceId, enforcerId, or owner parameters, the response data array may contain multiple boolean values (one for each permission that was checked), and data2 contains the corresponding model and adapter identifiers.
BatchEnforce
The BatchEnforce API supports multiple query parameters to specify which permission(s) to enforce against. Only one parameter should be provided at a time:
permissionId: The identity of a specific permission policy (format:organization name/permission name)modelId: The identity of a permission model (format:organization name/model name) - enforces against all permissions using this modelenforcerId: The identity of a specific enforcerowner: The organization name - enforces against all permissions in this organization
Request using permissionId:
curl --location --request POST 'http://localhost:8000/api/batch-enforce?permissionId=example-org/example-permission' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>' \
--data-raw '[["example-org/example-user", "example-resource", "example-action"], ["example-org/example-user2", "example-resource", "example-action"], ["example-org/example-user3", "example-resource", "example-action"]]'
Request using modelId:
curl --location --request POST 'http://localhost:8000/api/batch-enforce?modelId=example-org/example-model' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>' \
--data-raw '[["example-org/example-user", "example-resource", "example-action"], ["example-org/example-user2", "example-resource", "example-action"]]'
Antwort:
{
"status": "ok",
"msg": "",
"sub": "",
"name": "",
"data": [
[
true,
true,
false
]
],
"data2": [
"example-org/example-model/example-adapter"
]
}
Note: When using modelId, enforcerId, or owner parameters, the response data array may contain multiple arrays of boolean values (one array for each permission that was checked), and data2 contains the corresponding model and adapter identifiers.
GetAllObjects
This API retrieves all objects (resources) that a user has access to. It accepts an optional userId parameter. If not provided, it uses the logged-in user's session.
Request with userId parameter:
curl --location --request GET 'http://localhost:8000/api/get-all-objects?userId=example-org/example-user' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'
Request using session (userId determined from session):
curl --location --request GET 'http://localhost:8000/api/get-all-objects' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'
Antwort:
{
"status": "ok",
"msg": "",
"data": [
"app-built-in",
"example-resource"
]
}
GetAllActions
This API retrieves all actions that a user can perform. It accepts an optional userId parameter. If not provided, it uses the logged-in user's session.
Request with userId parameter:
curl --location --request GET 'http://localhost:8000/api/get-all-actions?userId=example-org/example-user' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'
Request using session (userId determined from session):
curl --location --request GET 'http://localhost:8000/api/get-all-actions' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'
Antwort:
{
"status": "ok",
"msg": "",
"data": [
"read",
"write",
"admin"
]
}
GetAllRoles
This API retrieves all roles assigned to a user. It accepts an optional userId parameter. If not provided, it uses the logged-in user's session.
Request with userId parameter:
curl --location --request GET 'http://localhost:8000/api/get-all-roles?userId=example-org/example-user' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'
Request using session (userId determined from session):
curl --location --request GET 'http://localhost:8000/api/get-all-roles' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'
Antwort:
{
"status": "ok",
"msg": "",
"data": [
"role_kcx66l"
]
}
RunCasbinCommand
This API executes Casbin CLI commands and returns their output. It's designed for running language-specific Casbin command-line tools through Casdoor's backend, supporting languages like Java, Go, Node.js, Python, and others.
The API includes an in-memory cache that stores command results for 5 minutes. When the same command is executed with identical parameters, the cached result is returned immediately without re-executing the command, improving response times and reducing server load.
Request:
curl --location --request GET 'http://localhost:8000/api/run-casbin-command?language=go&args=["-v"]' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'
Parameters:
language: The programming language for the Casbin CLI (e.g.,go,java,node,python)args: A JSON-encoded array of command-line arguments (e.g.,["-v"]for version,["new"]for creating new files). Note: URL-encode the JSON array when using it as a query parameter
Response:
{
"status": "ok",
"msg": "",
"data": "casbin version 2.x.x"
}
The cache key is generated from the language and arguments, so different commands are cached independently. Expired entries are automatically cleaned up to prevent memory growth.