Spring security system: acegi security --

Source: Internet
Author: User
Http://starrynight.blogdriver.com/starrynight/204036.html


Acegi Introduction

Acegi Security is a security framework for the Spring Framework that integrates seamlessly with popular web containers. It builds on Spring facilities such as the bean context, interceptors and interface-oriented programming to provide authentication and authorization services, so the Acegi security system can meet complex security requirements with little effort.

Security involves two distinct concepts: authentication and authorization. Authentication verifies that users really are who they claim to be; authorization checks whether a user is allowed to perform a specific operation.

In the Acegi security system, the user, system or agent being authenticated is called a "principal". Unlike other security systems, Acegi does not have roles or user groups.

Key components of acegi System Design

The Acegi security system includes the following seven key functional components:

1. The Authentication object, which contains the principal, the credentials and the principal's authorization information. It can also carry other details about the client that initiated the authentication request, such as its IP address.

2. The ContextHolder object, which stores the Authentication object in a ThreadLocal.

3. The AuthenticationManager, which authenticates the Authentication object held in the ContextHolder.

4. The AccessDecisionManager, which authorizes a specific operation.

5. The RunAsManager, which optionally replaces the Authentication object while a specific operation is executed.

6. The secure object interceptor, which coordinates the AuthenticationManager, the AccessDecisionManager, the RunAsManager and the execution of the operation itself.

7. The ObjectDefinitionSource, which holds the authorization definitions for specific operations.

The relationships between these seven components are shown in the figure (the gray parts of the figure are the key components):


Security management objects

The Acegi security system currently supports two types of secure object (security management object).

The first type is the AOP Alliance MethodInvocation. Developers can use it to protect business objects held in the Spring container. To let Spring-managed beans be secured as MethodInvocations, the beans are proxied through ProxyFactoryBean or BeanNameAutoProxyCreator, just as they are for Spring transaction management.

The second type is FilterInvocation. It is created by a filter and simply wraps the HTTP ServletRequest, ServletResponse and FilterChain. FilterInvocation can be used to protect HTTP resources. Developers usually do not need to understand its inner workings: they only need to add the filter to web.xml, and the Acegi security system does the rest.

Security configuration parameters

Each type of secure object can describe an unlimited variety of requests that need securing. For example, a MethodInvocation can describe any method call with any parameters, while a FilterInvocation can describe any HTTP URL.

The Acegi security system must record the security configuration parameters that apply to each such request. For example, the BankManager.getBalance(int accountNumber) method and the BankManager.approveLoan(int applicationNumber) method have different security configurations.

To store the security configuration of different requests, configuration parameters are used. In the implementation, a configuration parameter is represented by the ConfigAttribute interface. The Acegi security system provides one implementation of ConfigAttribute, SecurityConfig, which stores the parameter as a String.

The ConfigAttributeDefinition class is a simple container for ConfigAttribute objects: it holds the set of ConfigAttributes that apply to a specific request.

When the security interceptor receives a request to secure, it must decide which configuration parameters apply; in other words, it must find the ConfigAttributeDefinition for that request. This lookup is the job of the ObjectDefinitionSource interface, whose main method is public ConfigAttributeDefinition getAttributes(Object object). The object parameter is the secure object. Because the secure object carries the full details of the request, an implementation of ObjectDefinitionSource can extract whatever it needs to locate the relevant ConfigAttributeDefinition.

How acegi works

To illustrate how the Acegi security system works, consider a typical application that uses it. In general, a security system must do the following:

1. First, obtain the principal and credentials from the client request;

2. Then authenticate the principal and credentials;

3. If authentication succeeds, retrieve the principal's authorization information;

4. The client initiates an operation request;

5. The system checks the principal's authorization for this operation against the pre-configured parameters;

6. If the authorization check succeeds, the operation is executed; otherwise it is rejected.

So how does the Acegi security system complete these tasks? First, look at the class diagram for Acegi authentication and authorization:

In the figure, the green part is the abstract base class of the security interceptor. It holds two managers: the AuthenticationManager and the AccessDecisionManager. The AuthenticationManager authenticates the Authentication object (principal, credentials and the principal's authorization information) held in the ContextHolder; the AccessDecisionManager authorizes a specific operation.

Here is an example of a MethodSecurityInterceptor definition:

<bean id="bankManagerSecurity"
      class="net.sf.acegisecurity.intercept.method.MethodSecurityInterceptor">
  <property name="validateConfigAttributes">
    <value>true</value>
  </property>
  <property name="authenticationManager">
    <ref bean="authenticationManager"/>
  </property>
  <property name="accessDecisionManager">
    <ref bean="accessDecisionManager"/>
  </property>
  <property name="objectDefinitionSource">
    <value>
      net.sf.acegisecurity.context.BankManager.delete*=ROLE_SUPERVISOR,RUN_AS_SERVER
      net.sf.acegisecurity.context.BankManager.getBalance=ROLE_TELLER,ROLE_SUPERVISOR,BANKSECURITY_CUSTOMER,RUN_AS_SERVER
    </value>
  </property>
</bean>

In the preceding configuration, MethodSecurityInterceptor is an implementation of AbstractSecurityInterceptor. It references two managers, authenticationManager and accessDecisionManager, which are configured as follows:

<bean id="authenticationDao" class="net.sf.acegisecurity.providers.dao.jdbc.JdbcDaoImpl">
  <property name="dataSource"><ref bean="dataSource"/></property>
</bean>

<bean id="daoAuthenticationProvider"
      class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
  <property name="authenticationDao"><ref bean="authenticationDao"/></property>
</bean>

<bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
  <property name="providers">
    <list><ref bean="daoAuthenticationProvider"/></list>
  </property>
</bean>

The accessDecisionManager is an AffirmativeBased manager with a single RoleVoter, and its allowIfAllAbstainDecisions property is set to false:

<bean id="roleVoter" class="net.sf.acegisecurity.vote.RoleVoter"/>

<bean id="accessDecisionManager" class="net.sf.acegisecurity.vote.AffirmativeBased">
  <property name="allowIfAllAbstainDecisions"><value>false</value></property>
  <property name="decisionVoters">
    <list><ref bean="roleVoter"/></list>
  </property>
</bean>

With the configuration in place, here is how the Acegi security system carries out authentication and authorization. Take an application that uses HTTP Basic authentication as an example; the steps are:

1. The user logs on. A security interceptor from Acegi Security's UI subsystem (such as BasicProcessingFilter) obtains the user's login information (principal and credentials), places it in an Authentication object and stores that object in the ContextHolder;

2. The interceptor passes the Authentication object to the AuthenticationManager for identity authentication. If authentication succeeds, an Authentication object populated with the principal's authorization information is returned, so the Authentication object in the ContextHolder now carries the principal's full details;

3. The logged-on user proceeds with business operations;

4. On receiving a client operation request, the security interceptor (bankManagerSecurity) wraps the request in a secure object (a FilterInvocation or MethodInvocation);

5. It then reads the relevant security configuration, a ConfigAttributeDefinition, from the ObjectDefinitionSource;

6. Next, the interceptor retrieves the Authentication object from the ContextHolder, passes it to the AuthenticationManager for authentication, and updates the ContextHolder's Authentication object with the returned value;

7. It submits the Authentication object, the ConfigAttributeDefinition and the secure object to the AccessDecisionManager to check the principal's authorization for the operation;

8. If the authorization check succeeds, the client request is executed; otherwise it is rejected.

Accessdecisionvoter

Note that the accessDecisionManager in the previous section is an AffirmativeBased instance. Its policy grants access as soon as any single voter votes to grant. Its allowIfAllAbstainDecisions property is false, which means that if every voter abstains, the authorization check fails.

The Acegi security system ships several voting-based AccessDecisionManagers. The RoleVoter in the previous section is one implementation of the AccessDecisionVoter interface. Concrete AccessDecisionVoter implementations make authorization decisions by voting, and the AccessDecisionManager decides from the votes whether the check passes or an AccessDeniedException is thrown.

The AccessDecisionVoter interface has three methods:

public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config);

public boolean supports(ConfigAttribute attribute);

public boolean supports(Class clazz);

The vote method returns one of three static constants of AccessDecisionVoter: ACCESS_ABSTAIN, ACCESS_DENIED and ACCESS_GRANTED, meaning abstain, deny and grant respectively.

The Acegi security system provides three voting-based AccessDecisionManager implementations: AffirmativeBased, ConsensusBased and UnanimousBased. AffirmativeBased grants access if at least one voter votes to grant; ConsensusBased requires a majority of the votes to grant; UnanimousBased requires all votes to grant.

The RoleVoter class is Acegi's AccessDecisionVoter implementation for roles. RoleVoter votes only on ConfigAttributes that start with ROLE_. If the string returned by getAuthority() on one of the principal's GrantedAuthority objects matches one or more of the ConfigAttributes starting with ROLE_, the request passes the vote; otherwise it is denied. If no ConfigAttribute starts with ROLE_, RoleVoter abstains.
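As an added illustration (example code, not part of the original article and not the Acegi classes themselves), the following Java models RoleVoter and the three voting policies described above and runs them against the BankManager attributes from the configuration; ties in ConsensusBased are assumed to grant, which is Acegi's default.

```java
import java.util.Arrays;
import java.util.List;

// Added illustration of the voting model described above. It is a simplified re-implementation
// of RoleVoter and the three voting-policy AccessDecisionManagers, not the Acegi classes themselves.
public class VotingDemo {
    static final int ACCESS_GRANTED = 1, ACCESS_ABSTAIN = 0, ACCESS_DENIED = -1;

    // RoleVoter: only ROLE_ attributes count; grant on the first one the principal holds,
    // deny if it holds none of them, abstain if the method has no ROLE_ attribute at all.
    static int roleVote(List<String> grantedAuthorities, List<String> configAttributes) {
        boolean sawRoleAttribute = false;
        for (String attr : configAttributes) {
            if (!attr.startsWith("ROLE_")) continue;          // e.g. RUN_AS_SERVER is not RoleVoter's business
            sawRoleAttribute = true;
            if (grantedAuthorities.contains(attr)) return ACCESS_GRANTED;
        }
        return sawRoleAttribute ? ACCESS_DENIED : ACCESS_ABSTAIN;
    }

    // The three policies differ only in how they combine the voters' results.
    static boolean decide(String policy, int[] votes, boolean allowIfAllAbstain) {
        int grants = 0, denies = 0;
        for (int v : votes) { if (v == ACCESS_GRANTED) grants++; else if (v == ACCESS_DENIED) denies++; }
        if (grants == 0 && denies == 0) return allowIfAllAbstain;  // everyone abstained
        switch (policy) {
            case "AffirmativeBased": return grants > 0;            // a single grant is enough
            case "ConsensusBased":   return grants >= denies;      // majority (ties assumed to grant)
            case "UnanimousBased":   return denies == 0;           // any deny rejects
            default: throw new IllegalArgumentException("unknown policy " + policy);
        }
    }

    public static void main(String[] args) {
        List<String> teller = Arrays.asList("ROLE_TELLER");   // a principal's GrantedAuthority strings
        // Attribute lists copied from the objectDefinitionSource for BankManager above.
        List<String> getBalance = Arrays.asList("ROLE_TELLER", "ROLE_SUPERVISOR", "BANKSECURITY_CUSTOMER", "RUN_AS_SERVER");
        List<String> delete = Arrays.asList("ROLE_SUPERVISOR", "RUN_AS_SERVER");
        System.out.println("teller getBalance: " + decide("AffirmativeBased", new int[]{ roleVote(teller, getBalance) }, false));
        System.out.println("teller delete*:    " + decide("AffirmativeBased", new int[]{ roleVote(teller, delete) }, false));
        // A method with no ROLE_ attribute makes RoleVoter abstain, so allowIfAllAbstainDecisions decides the outcome.
        int[] abstained = { roleVote(teller, Arrays.asList("RUN_AS_SERVER")) };
        System.out.println("all abstain, flag=false/true: " + decide("AffirmativeBased", abstained, false)
            + " / " + decide("AffirmativeBased", abstained, true));
        // A constructed split vote (one grant, one deny) shows where the three policies diverge.
        int[] split = { ACCESS_GRANTED, ACCESS_DENIED };
        System.out.println("split vote affirmative/consensus/unanimous: " + decide("AffirmativeBased", split, false)
            + " / " + decide("ConsensusBased", split, false) + " / " + decide("UnanimousBased", split, false));
    }
}
```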

Figure: how the security interceptor works (labels in the figure: MethodInvocation interceptor, FilterInvocation interceptor, authentication request, AuthenticationManager, AuthenticationProvider, AccessDecisionManager, voting, ContextHolder, user interface, HTTP session authentication, HTTP Basic authentication).
