15.6.8. Permission Authorization Model
To solve the application permissions. Seam Security provides a scalable framework. The following class diagram provides an overview of the main components of the permission framework:
The related classes will be explained in detail in the following sections.
15.6.8.1. PermissionResolver
This is actually an interface that provides a solution to the permissions of individual objects. Seam provides the following built-inPermissionResolver
Implementation:
RuleBasedPermissionResolver
-This permission parser uses Drools to handle rule-based permission checks.
PersistentPermissionResolver
-This permission parser stores object permissions in a persistent storage, such as relational databases.
15.6.8.1.1. compile your own PermissionResolver
Implementing your own permission parser is very simple.PermissionResolver
The interface only defines two methods that must be implemented, as shown in the following table. Publish your own Seam projectPermissionResolver
During deployment, it will be scanned by itself and the defaultResolverChain
Register.
Table 15.7. PermissionResolver Interface
Return type |
Method |
Description |
boolean |
hasPermission(Object target, String action) |
This method must resolve the currently authenticated user (by callingIdentity.getPrincipal() Obtained) Is there a pass?target Andaction The permission specified by the parameter. If the user has this permissiontrue Otherwise, returnfalse . |
void |
filterSetByAction(Set<Object> targets, String action) |
This method removes any objects from the specified set. IfhasPermission() The method has the sameaction Parameter value.true |
Note:
Since they are cached in user sessions, any custom PermissionResolver implementation must comply with several restrictions. First, they may not contain any State that is more fine-grained than the call back scope (and the scope of the component itself should be application and call back ). Second, they cannot use dependency injection because they may be accessed from multiple threads at the same time. In fact, we recommend that you use@BypassInterceptors
Annotation to completely bypass the Seam interceptor stack.
15.6.8.2. ResolverChain
OneResolverChain
Contains an ordered object permission for a special object class or permission target.PermissionResolver
.
DefaultResolverChain
It consists of all the permission Resolvers found during application deployment. When the defaultResolverChain
Will triggerorg.jboss.seam.security.defaultResolverChainCreated
Event (PassResolverChain
Instance ). It also allows you to add a parser that is not found during release for some reason, or sort the parser in the list again and remove a parser.
The following sequence diagram shows the interaction between components in the permission framework during the license check process. A license check may come from several sources, such as security interceptor,s:hasPermission
EL function, or call through APIIdentity.checkPermission
:
1. Start a license to check some places (code or through an EL expression) resulting in callingIdentity.hasPermission()
.
1.1.Identity
CallPermissionMapper.resolvePermission()
, Pass the parsed permission as the parameter.
1.1.1.PermissionMapper
ContainsResolverChain
Instance, with the class as the key valueMap
. It uses this ing to locate the target object of the permission correctly.ResolverChain
. Once it has a correctResolverChain
By callingResolverChain.getResolvers()
RetrievePermissionResolver
List.
1.1.2. TraversalResolverChain
InPermissionResolver
,PermissionMapper
ThehasPermission()
Method, pass the checked permission instance as the parameter, and then pass the permission check successfully,PermissionMapper
Returntrue
ToIdentity
. IfPermissionResolver
If the returned value is not true, the license check fails.
15.6.9. RuleBasedPermissionResolver
One of the built-in permission Resolvers provided by Seam,RuleBasedPermissionResolver
Permission evaluation is allowed based on a set of Drools security rules. Rules Engine has the following advantages: 1) centralized location of the business logic used to evaluate user permissions; 2) quick── Drools uses very effective algorithms to evaluate a large number of complex rules including multiple conditions.
15.6.9.1. dependent package
If you use the rule-based permission feature provided by Seam security, release the following jar packages required by Drools as needed:
Drools-compiler.jar
Drools-core.jar
Janino. jar
Antlr-runtime.jar
Mvel14.jar
15.6.9.2. Configuration
RuleBasedPermissionResolver
First, you mustcomponents.xml
Configure a Drools rule repository. By default, the rule repository name issecurityRules
For example:
<Components xmlns = "http://jboss.com/products/seam/components"
Xmlns: core = "http://jboss.com/products/seam/core"
Xmlns: security = "http://jboss.com/products/seam/security"
Xmlns: drools = "http://jboss.com/products/seam/drools"
Xmlns: xsi = "http://www.w3.org/2001/XMLSchema-instance"
Xsi: schemaLocation =
Http://jboss.com/products/seam/core http://jboss.com/products/seam/core-2.1.xsd
Http://jboss.com/products/seam/components http://jboss.com/products/seam/components-2.1.xsd
Http://jboss.com/products/seam/drools http://jboss.com/products/seam/drools-2.1.xsd"
Http://jboss.com/products/seam/security http://jboss.com/products/seam/security-2.1.xsd ">
<Drools: rule-base name = "securityRules">
<Drools: rule-files>
<Value>/META-INF/security. drl </value>
</Drools: rule-files>
</Drools: rule-base>
</Components>
The default rule repository name can be specifiedRuleBasedPermissionResolver
Ofsecurity-rules
Attribute to overload:
<Security: rule-based-permission-resolver security-rules = "# {prodSecurityRules}"/>
Once the rule repository is configured (RuleBase
) To write security rules.
15.6.9.3. Write security rules
The first step in writing security rules is in the jar file of your application./META-INF
Directory to create a new rule file. Normally, this file is likesecurity.drl
In this way, however, you can use any name you like as longcomponents.xml
Corresponding configuration.
What should the security rule file contain? In this case, it is a good idea to look at the Drools document at least. In any case, start with a very simple example:
Package MyApplicationPermissions;
Import org. jboss. seam. security. permission. PermissionCheck;
Import org. jboss. seam. security. Role;
Rule CanUserDeleteCustomers
When
C: PermissionCheck (target = "customer", action = "delete ")
Role (name = "admin ")
Then
C. grant ();
End
Let's take a look. The first thing we see is the package declaration. In Drools, a rule set is essentially used. You can use this package name arbitrarily -- it does not involve anything outside the rule base range.
Next, we noticed somePermissionCheck
AndRole
Class Import Statement. These import information tells the rule engine to reference these classes in our Rules.
Finally, I complete the rule code. Each rule in the package should have a unique name (usually a description of the purpose of the rule ). In this example, our rule isCanUserDeleteCustomers
It is used to check whether a user is allowed to delete a customer record.
From the perspective of the subject defined by the rule, we can see two completely different parts. The rule consists of two parts: the left-hand side (LHS) and the right-hand side (RHS. The LHS consists of the condition parts of the rule. For example, a column must meet the conditions for activating the rule. LHSwhen
Performance. RHS is the action part of the rule that is the result or that only meets all the conditions in the LHS. RHSthen
Performance. Rule endingend
.
If we look at the LHS section of the rule, we can see that two conditions are listed. Let's first look at the first condition:
C: PermissionCheck (target = "customer", action = "delete ")
This condition indicates that there must betarget
The property is equal to "customer", andaction
Attribute equal to "delete"PermissionCheck
Object.
So what is working memory )? Drools is also called stateful session. The working memory is an object that stores context information sessions, the context information is required when the rules engine makes a license check. Each timehasPermission()
Method is called, a temporaryPermissionCheck
Object, orFact, Inserted into the working memory.PermissionCheck
The permission is exactly the same as the permission to be checked, so if you callhasPermission("account", "create")
Then onetarget
Equal to "account ",action
Equal to "create"PermissionCheck
The object will be inserted into the working memory.
BesidesPermissionCheck
Facts also has a role that verifies that the user is one of the members.org.jboss.seam.security.Role
Fact. TheseRole
Facts is synchronized with the user's verified role at the beginning of each license check. The result is that if a verified user is not a member of the role, anyRole
Objects will be deleted before the next license check. BesidesPermissionCheck
AndRole
Facts, working memory also savesjava.security.Principal
Object.
By callingRuleBasedPermissionResolver.instance().getSecurityContext().insert()
Method, passing an object as a parameter, you can also insert this object into the working memory as an additional long-term fact. Synchronization that has been discussed at the beginning of each license checkRole
The object is an exception.
Back to our simple example, we will notice that the first line of LHS hasc:
Prefix. This is a variable binding used to reference matching conditions (in this examplePermissionCheck
. Looking at the second line of LHS, we can see:
Role (name = "admin ")
This condition indicates that there must be a "admin" in the working memory.Role
Object. As mentioned above, a user role is inserted into the working memory at the beginning of each license check. Therefore, these two conditions are essentially "if you are checkingcustomer:delete
And the user is a member of the "admin" role. The rule is activated ".
So what is the result of activating the rule? Let's look at the rule RHS:
C. grant ()
RHS is composed of Java code and called in this examplec
Objectgrant()
Method,c
The object is already inPermissionCheck
Variable binding of the object is mentioned in. BesidesPermissionCheck
Objectname
Andaction
Attribute.granted
The property is initializedfalse
. CallPermissionCheck
Ofgrant()
Method settingsgranted
The property istrue
This means that the license check is successful and allows the user to run any action to perform the license check.
15.6.9.4. Non-character permission target
So far, we have only checked the string permission target. You can also write security rules for more complex types of permission targets. For example, suppose you want to write a security rule to allow your users to create blog comments. The following rules demonstrate how to expressMemberBlog
As the target of the license check, and the verified user isuser
Rule syntax for a role member:
Rule CanCreateBlogComment
No-loop
Activation-group "permissions"
When
Blog: MemberBlog ()
Check: PermissionCheck (target = blog, action = "create", granted = false)
Role (name = "user ")
Then
Check. grant ();
End15.6.9.5. wildcard permit check
Ignore it in your sub-rulePermissionCheck
Ofaction
Restriction. It is also possible to implement a wildcard permit check (allow all actions for a given permission target. Like this:
Rule CanDoAnythingToCustomersIfYouAreAnAdmin
When
C: PermissionCheck (target = "customer ")
Role (name = "admin ")
Then
C. grant ();
End;
This rule allowsadmin
The Role user executes anycustomer
License checkAnyAction.