"White Hat Talks Web Security" study notes, Chapter 10: Access Control

Source: Internet
Author: User
Tags: oauth

Chapter 10 Access Control

10.1 What can I do?

Permission control: a subject (a principal, i.e. an identity) needs to perform some operation on an object, and the restrictions the system places on that operation are the permission control.

In a security system, identifying the subject is the problem of "authentication"; the object is the resource, that is, the target of the request the subject initiates. While the subject operates on the object, the system controls the subject so that it cannot operate on the object "without restriction"; that process is "access control".

In web applications, common access controls can be categorized by the object being accessed as "URL-based access control", "method-based access control" and "data-based access control".

In a web system, permission checks for the user should be performed in a filter, before the request reaches the business logic.

10.2 Vertical Permission Management

The essence of vertical permission management is role-based access control (RBAC).

Spring Security provides two ways to manage permissions: "URL-based access control" and "method-based access control". In other words, Spring Security checks the role the user belongs to in order to decide whether to authorize the request.

10.3 Horizontal Permission Management

Horizontal permissions refer to permission control among different users who hold the same role. In contrast to vertical permission management, the horizontal permission problem arises within a single role: the system generally verifies only the role, does not distinguish between the users within that role, and does not subdivide the data, so it lacks a correspondence between each user and the data that user is entitled to.

Because horizontal permission problems are caused by the lack of data-level access control, horizontal permission management can also be called "data-based access control".

Why horizontal permission management is difficult:

(1). Data access control is tightly coupled with the business logic and is not easy to separate out;

(2). Data access control may involve many aspects, such as cross-table and cross-database queries, which affect performance.
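The difference between the role check of 10.2 and the data-level check of 10.3, as an added example (not from the book): a minimal request filter that first applies the vertical RBAC check and then the horizontal ownership check. All users, roles and orders are constructed sample data, and the admin override is an assumption of this example.

```python
from dataclasses import dataclass

# Constructed sample data: users with their role, and orders with their owner.
USERS = {"alice": {"role": "user"}, "bob": {"role": "user"}, "carol": {"role": "admin"}}
ORDERS = {101: {"owner": "alice", "total": 30}, 102: {"owner": "bob", "total": 55}}

# Vertical control (RBAC): which roles may call which method.
METHOD_ROLES = {"view_order": {"user", "admin"}, "delete_order": {"admin"}}


@dataclass
class Request:
    user: str
    method: str
    order_id: int


class Forbidden(Exception):
    pass


def check_role(req: Request) -> None:
    """Vertical check: the caller's role must be allowed to call the method."""
    role = USERS[req.user]["role"]
    if role not in METHOD_ROLES.get(req.method, set()):
        raise Forbidden(f"role {role!r} may not call {req.method}")


def check_owner(req: Request) -> None:
    """Horizontal check: within the same role a user may only touch their own data.
    Assumption of this example: the admin role may reach every order."""
    order = ORDERS.get(req.order_id)
    if order is None:
        raise Forbidden("no such order")  # same response as a denied access
    if USERS[req.user]["role"] != "admin" and order["owner"] != req.user:
        raise Forbidden(f"{req.user} does not own order {req.order_id}")


def role_only_filter(req: Request) -> dict:
    """The filter many systems stop at: role is verified, data is not."""
    check_role(req)
    return ORDERS.get(req.order_id, {})


def full_filter(req: Request) -> dict:
    """Vertical check followed by the data-based (horizontal) check."""
    check_role(req)
    check_owner(req)
    return ORDERS[req.order_id]


def allowed(filter_fn, req: Request) -> bool:
    """Return True when the filter lets the request through, False when it denies."""
    try:
        filter_fn(req)
        return True
    except Forbidden:
        return False
```

With only the role check, bob (role "user") can read alice's order 101; the full filter denies it while still letting alice read her own order and the admin delete any order.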

10.4 OAuth Introduction

The OAuth protocol provides a secure, open and simple standard for authorizing access to user resources. Unlike earlier authorization methods, OAuth's authorization does not let the third party touch the user's account information (such as the username and password): the third party can request authorization for the user's resources without using the user's username and password, which is what makes OAuth secure.

Features:

(1). Simple: both OAuth service providers and application developers find it easy to understand and use;

(2). Secure: it does not involve the user's secret credentials, so it is more secure and more flexible;

(3). Open: any service provider can implement OAuth, and any software developer can use OAuth.

See:

spring-security-oauth2.0 authentication

http://oauth.net/code/
