Spring Security (14)--authority Authentication Basics

Source: Internet
Author: User

Directory

1.1 Spring Security's AOP advice idea

1.2 AbstractSecurityInterceptor

1.2.1 ConfigAttribute

1.2.2 RunAsManager

1.2.3 AfterInvocationManager

Authorization in Spring Security is the responsibility of the AccessDecisionManager interface, specifically its decide() method, which is defined as follows.

void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes)
        throws AccessDeniedException, InsufficientAuthenticationException;

As you can see, the method receives three parameters. The first is the Authentication object containing the current user's information. The second represents the protected object currently being requested; it is normally one of three types: MethodInvocation (when using AOP), JoinPoint (when using AspectJ) or FilterInvocation (for a web request). The third represents the configuration attributes of the protected object being accessed, such as a list of roles.

1.1 Spring Security's AOP advice idea

When using AOP, several different types of advice are available: before, after, throws and around. Around advice is the most useful: it lets us control whether the method is executed at all, whether its return value is modified, and whether an exception is thrown. Spring Security also relies on around advice for both method invocations and web requests. For a method invocation, standard Spring AOP is used to achieve the effect of around advice; for a web request, a standard servlet Filter achieves the same effect.

Most people prefer to apply permission control to the service layer's method calls, because the main business logic is implemented at the service level. If you only want to protect the service layer, Spring AOP is sufficient. If you need to protect domain objects directly, consider using AspectJ.

You can choose AspectJ or Spring AOP to authorize a method invocation, or a Filter to authorize a web request; of course, you can also use any combination of these three. Common practice is to use a Filter for coarse-grained authorization of web requests, supplemented by finer-grained authorization of the service layer's methods using Spring AOP.

1.2 AbstractSecurityInterceptor

AbstractSecurityInterceptor is an abstract class that implements the interception of access to protected objects, and it has several important methods. beforeInvocation() performs the permission check for access to the protected object, using the injected AccessDecisionManager and AuthenticationManager internally. finallyInvocation() performs cleanup after the protected object has been invoked: if the SecurityContext was changed in beforeInvocation(), finallyInvocation() restores the original SecurityContext, so a subclass must place the call to it in a finally block around its invocation of the protected resource. afterInvocation() processes the returned result; by default it calls the decide() method of the injected AfterInvocationManager, if one is present. AbstractSecurityInterceptor only provides these methods and their default implementations; how and when they are called is the responsibility of the subclass. Each kind of protected object has an interceptor class that inherits from AbstractSecurityInterceptor: MethodSecurityInterceptor handles protected method invocations, and FilterSecurityInterceptor handles protected web requests. They share the same logic for handling a request for a protected object, namely:

1. Pass the protected object that is about to be invoked to beforeInvocation() for permission authorization.

2. If the permission check fails, an exception is thrown directly.

3. If the check succeeds, the protected object is invoked; finallyInvocation() is executed after the call completes, whether the call returned normally or threw an exception.

4. If the protected object did not throw an exception, afterInvocation() is called.

The following is the core code of MethodSecurityInterceptor for a method call.

// Excerpt from MethodSecurityInterceptor: the around-advice pattern described above.
public Object invoke(MethodInvocation mi) throws Throwable {
    // Step 1/2: authorize, or let AccessDeniedException propagate.
    InterceptorStatusToken token = super.beforeInvocation(mi);

    Object result;
    try {
        // Step 3: invoke the protected method.
        result = mi.proceed();
    } finally {
        // Always restore the original SecurityContext, even if proceed() threw.
        super.finallyInvocation(token);
    }

    // Step 4: post-invocation processing of the return value.
    return super.afterInvocation(token, result);
}

1.2.1 ConfigAttribute

The beforeInvocation() method of AbstractSecurityInterceptor internally uses the decide() method of the injected AccessDecisionManager for authorization. As mentioned earlier, decide() must receive the collection of ConfigAttribute objects corresponding to the protected object. A ConfigAttribute may be just a simple role name; how it is interpreted depends on the AccessDecisionManager implementation. AbstractSecurityInterceptor uses a SecurityMetadataSource object to obtain the ConfigAttribute collection associated with the protected object; the specific SecurityMetadataSource is provided by the subclass implementation. ConfigAttributes are defined as annotations on protected methods, or through the access property on protected URLs. For example, the common <intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN"/> means that the ConfigAttributes ROLE_USER and ROLE_ADMIN apply to all URL requests. For the default AccessDecisionManager implementation, this configuration means that access is allowed as long as one of the user's GrantedAuthority values matches one of the two ConfigAttributes. Strictly speaking, of course, a ConfigAttribute is just a simple configuration attribute; its interpretation is decided by the AccessDecisionManager.
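As an added example (not code from the article or from Spring Security itself), the following minimal AccessDecisionManager implements the decide() contract shown at the start of this article together with the "any matching role grants access" rule just described. It assumes Spring Security 3.1.x on the classpath; the class name AnyRoleAccessDecisionManager and the sample principals in main() are constructed for this example. Note that it fails closed: a missing or unauthenticated Authentication, an empty rule set, or no matching role all end in an exception rather than a silent pass.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

// Added example (hypothetical class, not part of Spring Security):
// grants access when at least one granted authority equals one ConfigAttribute.
public class AnyRoleAccessDecisionManager implements AccessDecisionManager {

    public void decide(Authentication authentication, Object object,
                       Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException, InsufficientAuthenticationException {

        // Fail closed: an unauthenticated caller never reaches the protected object.
        if (authentication == null || !authentication.isAuthenticated()) {
            throw new InsufficientAuthenticationException("Caller is not authenticated");
        }
        // The interceptor normally skips decide() when there are no attributes;
        // if we are called with none anyway, deny rather than guess.
        if (configAttributes == null || configAttributes.isEmpty()) {
            throw new AccessDeniedException("No access rules configured for " + object);
        }
        for (ConfigAttribute attribute : configAttributes) {
            String required = attribute.getAttribute();   // e.g. "ROLE_ADMIN"
            if (required == null) {
                continue;                                 // not a plain role name
            }
            for (GrantedAuthority granted : authentication.getAuthorities()) {
                if (required.equals(granted.getAuthority())) {
                    return;                               // one match is enough
                }
            }
        }
        throw new AccessDeniedException("Access is denied");
    }

    // This manager only understands plain role-name attributes such as ROLE_USER.
    public boolean supports(ConfigAttribute attribute) {
        return attribute.getAttribute() != null;
    }

    // It never inspects the secured object, so it works for methods and URLs alike.
    public boolean supports(Class<?> clazz) {
        return true;
    }

    // Constructed demonstration: the same rules as access="ROLE_USER,ROLE_ADMIN".
    public static void main(String[] args) {
        AccessDecisionManager manager = new AnyRoleAccessDecisionManager();
        List<ConfigAttribute> rules = new ArrayList<ConfigAttribute>();
        rules.add(new SecurityConfig("ROLE_USER"));
        rules.add(new SecurityConfig("ROLE_ADMIN"));

        // Sample principals constructed for this example.
        Authentication alice = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));
        manager.decide(alice, "/reports", rules);         // passes: ROLE_USER matches

        Authentication guest = new UsernamePasswordAuthenticationToken(
                "guest", "n/a", AuthorityUtils.createAuthorityList("ROLE_GUEST"));
        try {
            manager.decide(guest, "/reports", rules);     // no match: AccessDeniedException
        } catch (AccessDeniedException expected) {
            System.out.println("guest denied: " + expected.getMessage());
        }
    }
}
```

The same behaviour is what the default AffirmativeBased manager with a RoleVoter gives you; writing it out makes visible that the decision is purely a string comparison between GrantedAuthority values and ConfigAttribute values, which is why role names must be spelled consistently (including the ROLE_ prefix) in both places.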

1.2.2 RunAsManager

In some cases you may want to replace the Authentication saved in the SecurityContext. This can be achieved with a RunAsManager. In the body of AbstractSecurityInterceptor's beforeInvocation() method, after the AccessDecisionManager check succeeds, a new Authentication is built from the existing one using the RunAsManager; if the new Authentication is not null, a new SecurityContext is created and the newly built Authentication is stored in it. The Authentication obtained from the SecurityContext while the protected resource is being invoked is then the newly built one. After the invocation completes, finallyInvocation() resets the original SecurityContext in the SecurityContextHolder. The default RunAsManager of AbstractSecurityInterceptor is NullRunAsManager, an empty implementation of RunAsManager. Spring Security also provides a non-empty implementation, RunAsManagerImpl, whose logic for constructing a new Authentication is as follows: for each ConfigAttribute of the protected object that starts with "RUN_AS_", prefix the attribute with "ROLE_" and add it as a GrantedAuthority to the Authentication about to be created (for example, a ConfigAttribute of "RUN_AS_ADMIN" yields a GrantedAuthority of "ROLE_RUN_AS_ADMIN"); then use the principal, authorities and other information of the original Authentication to build the new Authentication and return it. If no ConfigAttribute starts with "RUN_AS_", null is returned directly. The core code of RunAsManagerImpl for building the new Authentication is shown below.

// Excerpt from RunAsManagerImpl.
public Authentication buildRunAs(Authentication authentication, Object object,
        Collection<ConfigAttribute> attributes) {
    List<GrantedAuthority> newAuthorities = new ArrayList<GrantedAuthority>();

    for (ConfigAttribute attribute : attributes) {
        // supports() is true only for attributes that start with "RUN_AS_".
        if (this.supports(attribute)) {
            GrantedAuthority extraAuthority =
                    new SimpleGrantedAuthority(getRolePrefix() + attribute.getAttribute());
            newAuthorities.add(extraAuthority);
        }
    }

    if (newAuthorities.size() == 0) {
        return null;   // no RUN_AS_ attribute: the interceptor keeps the original Authentication
    }

    // Add existing authorities
    newAuthorities.addAll(authentication.getAuthorities());

    // The key lets RunAsImplAuthenticationProvider later verify the token was issued here.
    return new RunAsUserToken(this.key, authentication.getPrincipal(), authentication.getCredentials(),
            newAuthorities, authentication.getClass());
}
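To see what this produces for a concrete secured method, here is an added example (not from the article or from Spring Security) that calls RunAsManagerImpl.buildRunAs() directly with the attributes a method annotated @Secured({"ROLE_USER", "RUN_AS_REPORTING"}) would carry. It assumes Spring Security 3.1.x; the principal "alice", the attribute name RUN_AS_REPORTING and the key value are constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.intercept.RunAsManagerImpl;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

// Added example (hypothetical class): what RunAsManagerImpl builds for a RUN_AS_ attribute.
public class RunAsDemo {

    public static void main(String[] args) throws Exception {
        RunAsManagerImpl runAsManager = new RunAsManagerImpl();
        // Placeholder key: a RunAsImplAuthenticationProvider must be configured with the
        // same value, otherwise it will reject the RunAsUserToken as not issued by us.
        runAsManager.setKey("replace-with-a-long-random-secret");
        runAsManager.afterPropertiesSet();   // validates that the key has been set

        // Sample principal constructed for this example (3-arg constructor marks it authenticated).
        Authentication original = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));

        // Attributes as a SecurityMetadataSource would produce for
        // @Secured({"ROLE_USER", "RUN_AS_REPORTING"}).
        List<ConfigAttribute> attributes = new ArrayList<ConfigAttribute>();
        attributes.add(new SecurityConfig("ROLE_USER"));
        attributes.add(new SecurityConfig("RUN_AS_REPORTING"));

        Authentication runAs = runAsManager.buildRunAs(original, new Object(), attributes);
        // runAs is a RunAsUserToken carrying ROLE_RUN_AS_REPORTING plus the original ROLE_USER;
        // this is the Authentication the protected method sees in the SecurityContext.
        System.out.println(runAs.getClass().getSimpleName() + " " + runAs.getAuthorities());

        // With no RUN_AS_ attribute, buildRunAs returns null and the interceptor
        // leaves the original Authentication in place.
        List<ConfigAttribute> plain = new ArrayList<ConfigAttribute>();
        plain.add(new SecurityConfig("ROLE_USER"));
        Authentication unchanged = runAsManager.buildRunAs(original, new Object(), plain);
        System.out.println("no RUN_AS_ attribute -> " + unchanged);
    }
}
```

Two points worth keeping in mind when reviewing a configuration that uses run-as: the elevated token exists only for the duration of the invocation (finallyInvocation() restores the caller's original SecurityContext), and the elevated authorities are added to, not substituted for, the caller's own, so the protected method runs with the union of both.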

1.2.3 AfterInvocationManager

After the invocation of the protected object finishes, its return value can be modified by the afterInvocation() method. AbstractSecurityInterceptor hands control over the return value to the AfterInvocationManager it holds. The AfterInvocationManager can choose to modify the return value, leave it unchanged, or throw an exception (for example, when a post-invocation permission check does not pass).

The following is a diagram of the relationships around AbstractSecurityInterceptor, taken from the official Spring Security documentation.
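The following is an added example (not code from the article or from Spring Security) of an AfterInvocationProvider, the per-attribute unit that AfterInvocationProviderManager delegates to. It enforces a post-invocation rule that the returned object must belong to the calling user. The attribute name AFTER_OWNER_ONLY, the Owned interface and the class name are assumptions made for this example; Spring Security 3.1.x is assumed.

```java
import java.util.Collection;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.AfterInvocationProvider;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;

// Added example (hypothetical class): a post-invocation check on the returned object.
public class OwnerOnlyAfterInvocationProvider implements AfterInvocationProvider {

    // Assumed attribute name, e.g. @Secured({"ROLE_USER", "AFTER_OWNER_ONLY"}).
    private static final String ATTRIBUTE = "AFTER_OWNER_ONLY";

    // Hypothetical contract for domain objects that record their owner.
    public interface Owned {
        String getOwner();
    }

    public Object decide(Authentication authentication, Object object,
                         Collection<ConfigAttribute> attributes, Object returnedObject)
            throws AccessDeniedException {
        // Nothing to judge, or this provider was not asked for: pass the value through.
        if (returnedObject == null || !hasAttribute(attributes)) {
            return returnedObject;
        }
        // The attribute was applied to a method whose result we cannot judge: fail closed
        // rather than silently returning data the rule was meant to protect.
        if (!(returnedObject instanceof Owned)) {
            throw new AccessDeniedException(ATTRIBUTE + " applied to a result that is not Owned");
        }
        String owner = ((Owned) returnedObject).getOwner();
        if (owner == null || !owner.equals(authentication.getName())) {
            throw new AccessDeniedException("Result belongs to another user");
        }
        return returnedObject;   // unchanged: the caller owns it
    }

    private boolean hasAttribute(Collection<ConfigAttribute> attributes) {
        if (attributes == null) {
            return false;
        }
        for (ConfigAttribute attribute : attributes) {
            if (supports(attribute)) {
                return true;
            }
        }
        return false;
    }

    // Only react to our own attribute; everything else is left to other providers.
    public boolean supports(ConfigAttribute attribute) {
        return ATTRIBUTE.equals(attribute.getAttribute());
    }

    public boolean supports(Class<?> clazz) {
        return true;
    }
}
```

Wire it by registering the provider with an AfterInvocationProviderManager that is set as the interceptor's AfterInvocationManager. Because the same attribute list is also handed to the AccessDecisionManager before the call, pair AFTER_OWNER_ONLY with a normal ROLE_ attribute on the method so that the pre-invocation vote has something to grant on; a RoleVoter simply abstains on the attribute it does not recognise.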



(Note: this article is based on Spring Security 3.1.6.)
