Spring Security ACL

ACL is the abbreviation of Access-Control List; access control itself is described as follows:
It’s generally considered good security practice to adopt a "deny-by-default" policy where you explicitly specify what is allowed and disallow everything else. Defining what is accessible to unauthenticated users is a similar situation, particularly for web applications. Many sites require that users must be authenticated for anything other than a few URLs (for example the home and login pages). In this case it is easiest to define access configuration attributes for these specific URLs rather than for every secured resource. Put differently, sometimes it is nice to say `ROLE_SOMETHING` is required by default and only allow certain exceptions to this rule, such as for the login, logout and home pages of an application. You could also omit these pages from the filter chain entirely, thus bypassing the access control checks, but this may be undesirable for other reasons, particularly if the pages behave differently for authenticated users.

This is what we mean by anonymous authentication. Note that there is no real conceptual difference between a user who is "anonymously authenticated" and an unauthenticated user. Spring Security’s anonymous authentication just gives you a more convenient way to configure your access-control attributes. Calls to servlet API methods such as `getCallerPrincipal`, for example, will still return null even though there is actually an anonymous authentication object in the `SecurityContextHolder`.

There are other situations where anonymous authentication is useful, such as when an auditing interceptor queries the `SecurityContextHolder` to identify which principal was responsible for a given operation. Classes can be authored more robustly if they know the `SecurityContextHolder` always contains an `Authentication` object, and never `null`.

Anonymous authentication support is provided automatically when using the HTTP configuration in Spring Security 3.0 and can be customized (or disabled) using the `<anonymous>` element. You don’t need to configure the beans described here unless you are using traditional bean configuration.

Three classes together provide the anonymous authentication feature. `AnonymousAuthenticationToken` is an implementation of `Authentication`, and stores the `GrantedAuthority`s which apply to the anonymous principal. There is a corresponding `AnonymousAuthenticationProvider`, which is chained into the `ProviderManager` so that `AnonymousAuthenticationToken`s are accepted. Finally, there is an `AnonymousAuthenticationFilter`, which is chained after the normal authentication mechanisms and automatically adds an `AnonymousAuthenticationToken` to the `SecurityContextHolder` if there is no existing `Authentication` held there. The definition of the filter and authentication provider appears as follows:

The `key` is shared between the filter and authentication provider, so that tokens created by the former are accepted by the latter [6]. The `userAttribute` is expressed in the form `usernameInTheAuthenticationToken,grantedAuthority[,grantedAuthority]`. This is the same syntax as used after the equals sign for the `userMap` property of `InMemoryDaoImpl`.

As explained earlier, the benefit of anonymous authentication is that all URI patterns can have security applied to them. For example:

Rounding out the anonymous authentication discussion is the `AuthenticationTrustResolver` interface, with its corresponding `AuthenticationTrustResolverImpl` implementation. This interface provides an `isAnonymous(Authentication)` method, which allows interested classes to take into account this special type of authentication status. The `ExceptionTranslationFilter` uses this interface in processing `AccessDeniedException`s. If an `AccessDeniedException` is thrown, and the authentication is of an anonymous type, instead of returning a 403 (forbidden) response, the filter will commence the `AuthenticationEntryPoint` so the principal can authenticate properly. This is a necessary distinction; otherwise principals would always be deemed "authenticated" and never be given an opportunity to log in via form, basic, digest or some other normal authentication mechanism.

You will often see the `ROLE_ANONYMOUS` attribute in the above interceptor configuration replaced with `IS_AUTHENTICATED_ANONYMOUSLY`, which is effectively the same thing when defining access controls. This is an example of the use of the `AuthenticatedVoter`, which we will see in the authorization chapter. It uses an `AuthenticationTrustResolver` to process this particular configuration attribute and grant access to anonymous users. The `AuthenticatedVoter` approach is more powerful, since it allows you to differentiate between anonymous, remember-me and fully-authenticated users. If you don’t need this functionality though, then you can stick with `ROLE_ANONYMOUS`, which will be processed by Spring Security’s standard `RoleVoter`.
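The quoted text describes the 3.0 XML namespace; as an added example (not code from the page or from the Spring project), here is the same deny-by-default idea in Spring Security 6 Java configuration, together with an audit helper that relies on the anonymous filter never leaving the `SecurityContextHolder` empty. The paths `/`, `/login`, `/logout` and the class names are assumptions for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class DenyByDefaultConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Deny by default: only the listed pages are reachable without logging in.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/logout").permitAll()
                .anyRequest().authenticated())
            // Anonymous support is enabled by default; we only name the principal and
            // authority so anonymous actors are recognisable in audit logs.
            .anonymous(anon -> anon
                .principal("anonymousUser")
                .authorities("ROLE_ANONYMOUS"))
            // An anonymous user hitting a protected URL is sent here (entry point),
            // not given a 403, because ExceptionTranslationFilter sees isAnonymous().
            .formLogin(form -> form.loginPage("/login").permitAll())
            .logout(logout -> logout.logoutUrl("/logout"));
        return http.build();
    }
}

/** Audit helper (hypothetical): the context always holds an Authentication, never null. */
class AuditPrincipalResolver {
    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    /** Returns a label for the actor responsible for the current operation. */
    public String currentActor() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || trustResolver.isAnonymous(auth)) {
            return "anonymous";                      // AnonymousAuthenticationToken
        }
        if (trustResolver.isRememberMe(auth)) {
            return auth.getName() + " (remember-me)"; // weaker than a fresh login
        }
        return auth.getName();                       // fully authenticated
    }
}
```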
Spring official documentation

* A user, an application, or a role, for example the "identity or entity" that logs in through an application such as Facebook or LINE.
* `String getAuthority();`: `getAuthority` is used to obtain the user's authorities, e.g. `ROLE_ADMINISTRATOR` or `ROLE_HR_SUPERVISOR`.
* `AuthenticationManager` sets up the `Authentication`, to represent the principal in a Spring Security-specific manner.
* `UsernamePasswordAuthenticationToken`: an instance of the `Authentication` interface we saw earlier.
* It is validated by an instance of `AuthenticationManager`.
* The `AuthenticationManager` returns a fully populated `Authentication` instance.
* Call `SecurityContextHolder.getContext().setAuthentication(…)` with the returned authentication object to establish the security context.

Spring official documentation
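The steps above, carried out in code, as an added example that is not part of the original notes. It assumes Spring Security 5.7 or later (for the `unauthenticated(...)` factory) and an `AuthenticationManager` bean supplied by the application; the class name `ManualLoginService` is an assumption.

```java
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

public class ManualLoginService {
    private final AuthenticationManager authenticationManager;

    public ManualLoginService(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    /**
     * Authenticates the supplied credentials and installs the result in the security context.
     * Returns the fully populated Authentication; an AuthenticationException propagates
     * when the credentials are rejected, so nothing is stored in that case.
     */
    public Authentication login(String username, String password) throws AuthenticationException {
        // Step 1: an *unauthenticated* request token (isAuthenticated() == false).
        Authentication request =
                UsernamePasswordAuthenticationToken.unauthenticated(username, password);

        // Step 2: the AuthenticationManager (e.g. ProviderManager) validates it and returns
        // a populated token carrying the principal and its GrantedAuthority list.
        Authentication result = authenticationManager.authenticate(request);

        // Step 3: store it in a fresh context rather than mutating the shared one, which
        // avoids leaking the new Authentication into another thread's context.
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(result);
        SecurityContextHolder.setContext(context);
        return result;
    }
}
```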
Wikipedia
docs.spring.io

A subclass of `PermissionCollection`; `add()` can be used to add a permission object to the `PermissionCollection` that the permission belongs to. Use the `BasePermission` class to obtain all available permissions; it provides the READ, WRITE, CREATE, DELETE and ADMINISTRATION permissions.

Introduction to Spring ACL
docs.oracle.com
Wikipedia
Apple developer documentation
* About Authentication, Authorization, and Permissions
* About Software Security
* Authentication and Identification In Depth
* Understanding Permissions
acl_sid (SID / permission table)

Identifier | Data Type | Nullable | Default | Uniqueness | Comment |
---|---|---|---|---|---|
id | serial8 | | | PRIMARY KEY | Primary key |
sid | varchar | NOT NULL | | | Authority name or account |
principal | boolean | NOT NULL | | | Whether this is an account |
acl_class (the protected class)

Identifier | Data Type | Nullable | Default | Uniqueness | Comment |
---|---|---|---|---|---|
id | serial8 | | | PRIMARY KEY | Primary key |
class | varchar | NOT NULL | | | FQN of the domain object class |
acl_object_identity (permission identity)

Identifier | Definition | Comment |
---|---|---|
id | serial8 PRIMARY KEY | Primary key |
object_id_class | int8 NOT NULL | Persistence-layer class |
object_id_identity | varchar NOT NULL | Persistence-layer primary key |
parent_object | int8 | Parent |
owner_sid | int8 | Foreign key: acl_sid |
entries_inheriting | boolean NOT NULL DEFAULT '0' | Whether to inherit the parent's permissions |
acl_entry (authorization information)

Identifier | Definition | Comment |
---|---|---|
id | serial8 PRIMARY KEY | Primary key |
acl_object_identity | int8 NOT NULL | acl_object_identity primary key |
ace_order | int4 NOT NULL | ACL entry order |
sid | int8 NOT NULL | Foreign key: acl_sid |
mask | int8 NOT NULL | Permission mask (corresponds to acl_object_identity.owner_sid) |
granting | BOOLEAN NOT NULL | Whether the entry grants |
audit_success | BOOLEAN NOT NULL | Whether to audit successful checks |
audit_failure | BOOLEAN NOT NULL | Whether to audit failed checks |
{package}/AclMethodSecurityConfiguration
Expression | Description |
---|---|
hasRole([role]) | Allows the specified role; the ROLE_ prefix is not needed. |
hasAnyRole([role1, role2]) | Allows several roles (holding any one of them is enough). |
hasAuthority([authority]) | Allows the specified authority; the ROLE_ prefix is needed. |
hasAnyAuthority([authority1, authority2]) | Allows several authorities (holding any one of them is enough). |
principal | Allows direct access to the principal object representing the current user. |
authentication | Allows direct access to the current authentication object obtained from the SecurityContext. |
permitAll | Allows everyone. |
denyAll | Denies everyone. |
isAnonymous() | Anonymous user. |
isRememberMe() | "Remember me" user. |
isAuthenticated() | Non-anonymous user. |
isFullyAuthenticated() | User who is neither anonymous nor "remember me". |
hasPermission(Object target, Object permission) | Whether the user has the specified permission on the specified target, e.g. hasPermission(domainObject, 'read'). |
hasPermission(Object targetId, String targetType, Object permission) | Whether the user has the specified permission on the specified target, e.g. hasPermission(1, 'com.example.domain.Message', 'read'). |
* `acl.getEntries().size()`: gets the current ACL length (number of entries).
* `BasePermission`:
  * `ADMINISTRATION`: permission access using the account
  * `DELETE`: delete permission
  * `CREATE`: create permission
  * `READ`: read permission
  * `WRITE`: write permission
* `PrincipalSid()`: sets the ROLE to grant; the `ROLE_` prefix must be added.
* `GrantedAuthoritySid()`: sets the USERNAME to grant.

Official documentation
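An added example (not code from the notes or from the Spring project) tying the `BasePermission`, `Sid` and `acl.getEntries().size()` notes above to the four ACL tables: each call is commented with the rows it writes. In Spring's ACL API `PrincipalSid` is constructed from a username and `GrantedAuthoritySid` from an authority string such as `ROLE_EDITOR`, and the example uses them that way. It assumes a configured `MutableAclService` (typically `JdbcMutableAclService`), an authenticated caller, and the `com.example.domain.Message` class from the expression table; `alice`, `ROLE_EDITOR` and `MessageAclManager` are constructed names.

```java
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.GrantedAuthoritySid;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.MutableAclService;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.acls.model.Permission;
import org.springframework.security.acls.model.Sid;
import org.springframework.transaction.annotation.Transactional;

/** Grants ACL entries on rows of com.example.domain.Message (hypothetical domain class). */
public class MessageAclManager {
    private final MutableAclService aclService;

    public MessageAclManager(MutableAclService aclService) {
        this.aclService = aclService;
    }

    /**
     * Appends one access control entry and returns the new entry count.
     * createAcl() inserts into acl_class and acl_object_identity (owner_sid = the caller's
     * acl_sid row, so the caller must be authenticated); insertAce() inserts into acl_entry
     * with mask = permission.getMask() (READ=1, WRITE=2, CREATE=4, DELETE=8,
     * ADMINISTRATION=16), sid -> acl_sid, granting = true.
     */
    @Transactional
    public int grant(long messageId, Sid sid, Permission permission) {
        ObjectIdentity oid = new ObjectIdentityImpl("com.example.domain.Message", messageId);
        MutableAcl acl;
        try {
            acl = (MutableAcl) aclService.readAclById(oid); // ACL already exists: reuse it
        } catch (NotFoundException e) {
            acl = aclService.createAcl(oid);                // first grant for this row
        }
        // Append at index size(): ace_order increases, and evaluation stops at the first
        // ACE matching both sid and permission, so earlier entries take precedence.
        acl.insertAce(acl.getEntries().size(), permission, sid, true);
        aclService.updateAcl(acl);
        return acl.getEntries().size();
    }

    /** Example: READ for the user alice, WRITE for anyone holding ROLE_EDITOR. */
    public void grantDefaults(long messageId) {
        grant(messageId, new PrincipalSid("alice"), BasePermission.READ);
        grant(messageId, new GrantedAuthoritySid("ROLE_EDITOR"), BasePermission.WRITE);
    }
}
```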
Spring Security ACL Plugin
Difference between Role and GrantedAuthority in Spring Security
ACL in Spring Security
Introduction to Spring Security ACL
Spring Security – Roles and Privileges
Spring Security – @PreFilter and @PostFilter
Granted Authority Versus Role in Spring Security
The difference between Authority and Role in Spring Security