Any system that has users generally needs rights management. Rights management controls how users access the system: according to the security rules or security policy, a user can access only the resources they have been authorized for. Rights management consists of two parts: user authentication and user authorization.
User authentication
1. Concept
User authentication means that when a user accesses the system, the system verifies that the user's identity is legitimate. The most common authentication methods are: 1. user name and password; 2. fingerprint scanning; 3. certificate-based authentication. Once the system has verified that the user's identity is legitimate, the user can access the system's resources.
2. User authentication process
3. Key objects
Subject: the entity requesting access. It is usually understood as the user, but it may also be a program. Anything that accesses the system's resources is a subject, and the system must authenticate the subject's identity.
Principal: identity information, usually unique. A subject can have more than one principal, but one of them is the primary identity (the primary principal).
Credential: proof of identity, such as a password, a certificate or a fingerprint.
Summary: when being authenticated, the subject must provide both identity information (a principal) and credential information.
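The subject, principal and credential objects described above, as an added example using Apache Shiro's API (not code from the original post); it assumes shiro-core on the classpath and uses a constructed in-memory account, so it runs without a database.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

public class AuthenticationDemo {
    public static void main(String[] args) {
        // Constructed account store: the realm holds each account's principal
        // (user name), credential (password) and roles. Demo values only.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "s3cret-demo", "department manager");

        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);
        SecurityUtils.setSecurityManager(securityManager);

        // The subject is the caller; before login it is anonymous.
        Subject subject = SecurityUtils.getSubject();
        System.out.println("authenticated before login: " + subject.isAuthenticated());

        // Wrong credential: the realm rejects the token and the subject stays anonymous.
        tryLogin(subject, "alice", "wrong-password");
        // Matching principal and credential: the subject becomes authenticated.
        tryLogin(subject, "alice", "s3cret-demo");

        System.out.println("primary principal: " + subject.getPrincipal());
        System.out.println("has role 'department manager': " + subject.hasRole("department manager"));
        subject.logout();
    }

    // A login attempt bundles the principal and credential into an authentication token.
    static void tryLogin(Subject subject, String principal, String credential) {
        UsernamePasswordToken token = new UsernamePasswordToken(principal, credential);
        try {
            subject.login(token);
            System.out.println("login ok for " + principal);
        } catch (AuthenticationException e) {
            // Do not echo the credential; the exception type is enough for a log line.
            System.out.println("login failed for " + principal + ": " + e.getClass().getSimpleName());
        }
    }
}
```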
User authorization
1. Concept
User authorization is, simply put, access control: after the user has passed authentication, the system controls the user's access to resources, and the user can access only the resources they have been granted access to.
2. Authorization process
3. Key objects
The authorization process can be understood as: Who does How on What (Which)?
Who: the subject. After passing authentication, the subject is placed under the system's access control.
What (Which): the resource. The subject must hold access to a resource in order to access it. Examples of resources: the system user list page, the product modification menu, the product information of commodity ID 001.
Resources are categorized as resource types and resource instances:
The system's user information is a resource type, equivalent to a Java class.
The user with ID 001 in the system is a resource instance, equivalent to an object created from that Java class.
How: the permission. A permission is an authorization to operate on a resource. A subject that holds a permission may access the resource, and how it may access or operate on the resource is what the permission defines. Examples of permissions: user add, user modify, product delete.
4. Permission model
Subject (account number, password)
Resource (resource name, access address)
Permissions (permission name, resource ID)
Role (role name)
Roles and permission relationships (role ID, permission ID)
Principal and role relationships (principal ID, role ID)
For example:
In enterprise development the resource and permission tables are typically merged into a single permission table, as follows:
Resource (resource name, access address)
Permissions (permission name, resource ID)
Merge to:
Permissions (permission name, resource name, resource access address)
This is often called the general model of rights management. In practice each enterprise modifies it according to the characteristics of its own system, but the user, role, permission, user-role relationship and role-permission relationship tables must be understood.
3. Assigning permissions
A user must be assigned the appropriate permissions in order to access the corresponding resources. A permission is an authorization to operate on a resource. Assigning permissions to a user typically requires persisting the permission information, for example in a relational database: user information, rights management data and the permissions assigned to users are written to the database according to the permission data model.
4. Permission control
1. Role-based access control
RBAC (role-based access control).
For example:
System roles include: department manager, general manager. (Roles are defined around users.)
Implemented in system code:
If the user is a department manager, the code inside the if block can be accessed:
    if (user.hasRole("department manager")) {
        // system resource content
        // user report view
    }
Problem:
Roles are defined for people, and people, as the users of the system, are the part that changes. If the set of resources a role may access changes, the code has to be modified. For example, if both the department manager and the general manager must be able to view user reports, the code must be changed to:
    if (user.hasRole("department manager") || user.hasRole("general manager")) {
        // system resource content
        // user report view
    }
Role-based access control is therefore not conducive to system maintenance (its scalability is poor).
2. Resource-based access control
RBAC (resource-based access control).
Resources are relatively immutable in the system, for example: methods in a class, buttons on a page.
Accessing a resource requires the corresponding permission, and the code can be written as:
    if (user.hasPermission("user report view")) {   // the argument is the permission identifier
        // system resource content
        // user report view
    }
With this approach, changes to which users hold which roles do not require modifying the permission control code.
If permissions need to change, only the permission assignment module is used: add or remove permissions for the department manager or general manager role.
Resource-based access control is the recommended way to implement rights management.
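The permission model and the two control styles above, as an added example in plain Java (not code from the original post). The tables are constructed in memory; the point it shows is that under resource-based control, letting a second role view the user report is a data change, while the role-based guard still needs its code edited. It assumes Java 16 or later for records.

```java
import java.util.*;

public class PermissionModelDemo {
    // Merged permission table: (permission name, resource name, resource access address)
    record Permission(String name, String resourceName, String accessAddress) {}

    // Constructed permission table; identifiers and addresses are demo values.
    static final Map<String, Permission> PERMISSIONS = Map.of(
        "user:report:view", new Permission("user:report:view", "user report", "/user/report"),
        "product:delete",   new Permission("product:delete", "product", "/product/delete"));
    // Role-permission relationship table (role ID, permission ID); mutable so it can be reassigned.
    static final Map<String, Set<String>> ROLE_PERMISSIONS = new HashMap<>(Map.of(
        "department manager", new HashSet<>(Set.of("user:report:view")),
        "general manager",    new HashSet<>(Set.of("product:delete"))));
    // Principal-role relationship table (principal ID, role ID)
    static final Map<String, Set<String>> USER_ROLES = Map.of(
        "alice", Set.of("department manager"),
        "bob",   Set.of("general manager"));

    static boolean hasRole(String user, String role) {
        return USER_ROLES.getOrDefault(user, Set.of()).contains(role);
    }

    // Resource-based check: resolve user -> roles -> permissions through the relationship tables.
    static boolean hasPermission(String user, String permission) {
        if (!PERMISSIONS.containsKey(permission)) return false;   // unknown identifier never grants access
        for (String role : USER_ROLES.getOrDefault(user, Set.of())) {
            if (ROLE_PERMISSIONS.getOrDefault(role, Set.of()).contains(permission)) return true;
        }
        return false;
    }

    // Role-based guard: the code itself names which roles may see the report.
    static boolean canViewReportByRole(String user) {
        return hasRole(user, "department manager");   // admitting another role means editing this line
    }

    // Resource-based guard: the code names only the permission, never the roles.
    static boolean canViewReportByPermission(String user) {
        return hasPermission(user, "user:report:view");
    }

    public static void main(String[] args) {
        System.out.println("bob by role: " + canViewReportByRole("bob"));
        System.out.println("bob by permission: " + canViewReportByPermission("bob"));
        // Permission assignment module at work: grant the general manager role the report permission.
        ROLE_PERMISSIONS.get("general manager").add("user:report:view");
        System.out.println("bob by role after assignment: " + canViewReportByRole("bob"));
        System.out.println("bob by permission after assignment: " + canViewReportByPermission("bob"));
    }
}
```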
Summary:
To understand Shiro well, this basic knowledge must be understood first. The next blog post will explain the rights management solution. If you like this post, click "Top" at the end.
http://blog.csdn.net/chenxiaochan/article/details/72880772
"URL-based rights management with Shiro (1)" -- basics