To solve the application permissions. Seam Security provides a scalable framework. The following class diagram provides an overview of the main components of the permission framework:
The related classes will be explained in detail in the following sections.
15.6.8.1. PermissionResolverThis is actually an interface that provides a solution to the permissions of individual objects. Seam provides the following built-inPermissionResolverImplementation:
RuleBasedPermissionResolver-This permission parser uses Drools to handle rule-based permission checks.
PersistentPermissionResolver-This permission parser stores object permissions in a persistent storage, such as relational databases.
Implementing your own permission parser is very simple.PermissionResolverThe interface only defines two methods that must be implemented, as shown in the following table. Publish your own Seam projectPermissionResolverDuring deployment, it will be scanned by itself and the defaultResolverChainRegister.
Table 15.7. PermissionResolver Interface
Return type |
Method |
Description |
|---|---|---|
|
|
This method must resolve the currently authenticated user (by calling |
|
|
This method removes any objects from the specified set. If |
Note:
Since they are cached in user sessions, any custom PermissionResolver implementation must comply with several restrictions. First, they may not contain any State that is more fine-grained than the call back scope (and the scope of the component itself should be application and call back ). Second, they cannot use dependency injection because they may be accessed from multiple threads at the same time. In fact, we recommend that you use@BypassInterceptorsAnnotation to completely bypass the Seam interceptor stack.
OneResolverChainContains an ordered object permission for a special object class or permission target.PermissionResolver.
DefaultResolverChainIt consists of all the permission Resolvers found during application deployment. When the defaultResolverChainWill triggerorg.jboss.seam.security.defaultResolverChainCreatedEvent (PassResolverChainInstance ). It also allows you to add a parser that is not found during release for some reason, or sort the parser in the list again and remove a parser.
The following sequence diagram shows the interaction between components in the permission framework during the license check process. A license check may come from several sources, such as security interceptor,s:hasPermissionEL function, or call through APIIdentity.checkPermission:
1. Start a license to check some places (code or through an EL expression) resulting in callingIdentity.hasPermission().
1.1.IdentityCallPermissionMapper.resolvePermission(), Pass the parsed permission as the parameter.
1.1.1.PermissionMapperContainsResolverChainInstance, with the class as the key valueMap. It uses this ing to locate the target object of the permission correctly.ResolverChain. Once it has a correctResolverChainBy callingResolverChain.getResolvers()RetrievePermissionResolverList.
1.1.2. TraversalResolverChainInPermissionResolver,PermissionMapperThehasPermission()Method, pass the checked permission instance as the parameter, and then pass the permission check successfully,PermissionMapperReturntrueToIdentity. IfPermissionResolverIf the returned value is not true, the license check fails.
One of the built-in permission Resolvers provided by Seam,RuleBasedPermissionResolverPermission evaluation is allowed based on a set of Drools security rules. Rules Engine has the following advantages: 1) centralized location of the business logic used to evaluate user permissions; 2) quick── Drools uses very effective algorithms to evaluate a large number of complex rules including multiple conditions.
If you use the rule-based permission feature provided by Seam security, release the following jar packages required by Drools as needed:
Drools-compiler.jar
Drools-core.jar
Janino. jar
Antlr-runtime.jar
Mvel14.jar
RuleBasedPermissionResolverFirst, you mustcomponents.xmlConfigure a Drools rule repository. By default, the rule repository name issecurityRulesFor example:
<Drools: rule-base name = "securityRules">
<Drools: rule-files>
<Value>/META-INF/security. drl </value>
</Drools: rule-files>
</Drools: rule-base>
</Components>
The default rule repository name can be specifiedRuleBasedPermissionResolverOfsecurity-rulesAttribute to overload:
Once the rule repository is configured (RuleBase) To write security rules.
The first step in writing security rules is in the jar file of your application./META-INFDirectory to create a new rule file. Normally, this file is likesecurity.drlIn this way, however, you can use any name you like as longcomponents.xmlCorresponding configuration.
What should the security rule file contain? In this case, it is a good idea to look at the Drools document at least. In any case, start with a very simple example:
Package MyApplicationPermissions;Let's take a look. The first thing we see is the package declaration. In Drools, a rule set is essentially used. You can use this package name arbitrarily -- it does not involve anything outside the rule base range.
Next, we noticed somePermissionCheckAndRoleClass Import Statement. These import information tells the rule engine to reference these classes in our Rules.
Finally, I complete the rule code. Each rule in the package should have a unique name (usually a description of the purpose of the rule ). In this example, our rule isCanUserDeleteCustomersIt is used to check whether a user is allowed to delete a customer record.
From the perspective of the subject defined by the rule, we can see two completely different parts. The rule consists of two parts: the left-hand side (LHS) and the right-hand side (RHS. The LHS consists of the condition parts of the rule. For example, a column must meet the conditions for activating the rule. LHSwhenPerformance. RHS is the action part of the rule that is the result or that only meets all the conditions in the LHS. RHSthenPerformance. Rule endingend.
If we look at the LHS section of the rule, we can see that two conditions are listed. Let's first look at the first condition:
C: PermissionCheck (target = "customer", action = "delete ")This condition indicates that there must betargetThe property is equal to "customer", andactionAttribute equal to "delete"PermissionCheckObject.
So what is working memory )? Drools is also called stateful session. The working memory is an object that stores context information sessions, the context information is required when the rules engine makes a license check. Each timehasPermission()Method is called, a temporaryPermissionCheckObject, orFact, Inserted into the working memory.PermissionCheckThe permission is exactly the same as the permission to be checked, so if you callhasPermission("account", "create")Then onetargetEqual to "account ",actionEqual to "create"PermissionCheckThe object will be inserted into the working memory.
BesidesPermissionCheckFacts also has a role that verifies that the user is one of the members.org.jboss.seam.security.RoleFact. TheseRoleFacts is synchronized with the user's verified role at the beginning of each license check. The result is that if a verified user is not a member of the role, anyRoleObjects will be deleted before the next license check. BesidesPermissionCheckAndRoleFacts, working memory also savesjava.security.PrincipalObject.
By callingRuleBasedPermissionResolver.instance().getSecurityContext().insert()Method, passing an object as a parameter, you can also insert this object into the working memory as an additional long-term fact. Synchronization that has been discussed at the beginning of each license checkRoleThe object is an exception.
Back to our simple example, we will notice that the first line of LHS hasc:Prefix. This is a variable binding used to reference matching conditions (in this examplePermissionCheck. Looking at the second line of LHS, we can see:
This condition indicates that there must be a "admin" in the working memory.RoleObject. As mentioned above, a user role is inserted into the working memory at the beginning of each license check. Therefore, these two conditions are essentially "if you are checkingcustomer:deleteAnd the user is a member of the "admin" role. The rule is activated ".
So what is the result of activating the rule? Let's look at the rule RHS:
C. grant ()RHS is composed of Java code and called in this examplecObjectgrant()Method,cThe object is already inPermissionCheckVariable binding of the object is mentioned in. BesidesPermissionCheckObjectnameAndactionAttribute.grantedThe property is initializedfalse. CallPermissionCheckOfgrant()Method settingsgrantedThe property istrueThis means that the license check is successful and allows the user to run any action to perform the license check.
So far, we have only checked the string permission target. You can also write security rules for more complex types of permission targets. For example, suppose you want to write a security rule to allow your users to create blog comments. The following rules demonstrate how to expressMemberBlogAs the target of the license check, and the verified user isuserRule syntax for a role member:
Ignore it in your sub-rulePermissionCheckOfactionRestriction. It is also possible to implement a wildcard permit check (allow all actions for a given permission target. Like this:
This rule allowsadminThe Role user executes anycustomerLicense checkAnyAction.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
