1.1.1. Secure Object
A secure object (also called a securable object) is anything that Spring Security applies access control to. In practice this is either a method invocation (method security, wrapped as a MethodInvocation) or a URL resource (web security, wrapped as a FilterInvocation).
1.1.2. GrantedAuthority
A GrantedAuthority expresses a permission held by the authenticated principal; in the simplest and most common case it is a role name such as ROLE_ADMIN. The Authentication object carries the collection of authorities granted to the principal, and the voters described below compare them against the secure object's ConfigAttributes.

```java
public interface GrantedAuthority extends Serializable {
    // Returns the authority as a String (for example "ROLE_ADMIN").
    // Returns null if the authority cannot be expressed precisely as a String;
    // in that case the AccessDecisionManager has to understand the concrete
    // GrantedAuthority implementation itself.
    String getAuthority();
}
```
1.1.3. AccessDecisionManager
AccessDecisionManager is the access decision interface provided by Spring Security. The security interceptor placed in front of a secure object (FilterSecurityInterceptor for URLs, MethodSecurityInterceptor for methods) asks it whether the current Authentication may access that object, given the object's ConfigAttributes.

```java
public interface AccessDecisionManager {
    // Runs the decision. Returning normally means access is granted.
    // A denial is signalled by throwing AccessDeniedException; a request that
    // needs (stronger) authentication first is signalled by throwing
    // InsufficientAuthenticationException.
    void decide(Authentication authentication, Object object,
                Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException, InsufficientAuthenticationException;

    // Whether this manager can process the given ConfigAttribute.
    boolean supports(ConfigAttribute attribute);

    // Whether this manager can make decisions for secure objects of this type.
    boolean supports(Class<?> clazz);
}
```
In Spring Security's access decision model, an AccessDecisionManager is configured with one or more voters (AccessDecisionVoter). For the same access request, different voters may vote differently, so a strategy is needed to turn the individual votes into one final decision. Spring Security ships three built-in strategies, all subclasses of AbstractAccessDecisionManager:
AffirmativeBased
Access is granted as soon as any voter votes to grant. If no voter grants and one or more voters deny, access is denied.
UnanimousBased
A single deny vote denies access. If no voter denies and at least one voter grants, access is granted. UnanimousBased polls the voters one ConfigAttribute at a time, so a voter that abstains on one attribute but denies on another still causes a denial.
ConsensusBased
If grant votes outnumber deny votes, access is granted; if deny votes outnumber grant votes, access is denied. A tie is resolved by the allowIfEqualGrantedDeniedDecisions property, which defaults to true, that is, a tie grants access.
In all three strategies, if no voter grants and no voter denies (every voter abstained), the outcome is controlled by the allowIfAllAbstainDecisions property, which defaults to false, so an all-abstain result is a denial. Leaving that default in place is the safe choice: an attribute that no configured voter understands should fail closed rather than silently grant access.
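The following runnable class is an added example (not code from the original page or from Spring Security) that feeds one access request to all three strategies so the tallying rules above can be compared side by side. It assumes the Spring Security 5.x line on the classpath (AccessDecisionManager and the voters were deprecated in 5.8 in favour of AuthorizationManager) and Java 11 or later; the principal name "alice", the roles and the "SCOPE_read" attribute are invented for the demonstration, and the outcome() helper is not part of Spring Security.

```java
import java.util.Collection;
import java.util.List;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.ConsensusBased;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

/**
 * Runs the same access request through the three built-in decision
 * strategies. Added example, not Spring Security's own code.
 */
public class DecisionStrategyDemo {

    // Helper (assumption: not part of Spring Security) that turns the
    // exception-based contract of decide() into a printable result.
    static String outcome(AccessDecisionManager manager, Authentication auth,
                          Collection<ConfigAttribute> attrs) {
        try {
            manager.decide(auth, new Object(), attrs); // the secure object itself is not inspected by these voters
            return "GRANTED";
        } catch (AccessDeniedException e) {
            return "DENIED (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Two voters that look at different attributes: RoleVoter only
        // understands "ROLE_*", AuthenticatedVoter only "IS_AUTHENTICATED_*".
        List<AccessDecisionVoter<?>> voters = List.of(new RoleVoter(), new AuthenticatedVoter());

        // A fully authenticated principal (constructed for the example) holding only ROLE_USER.
        Authentication alice = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));

        // The secure object demands ROLE_ADMIN and full authentication, so the
        // RoleVoter will deny (no ROLE_ADMIN) while the AuthenticatedVoter grants.
        Collection<ConfigAttribute> adminOnly =
                SecurityConfig.createList("ROLE_ADMIN", AuthenticatedVoter.IS_AUTHENTICATED_FULLY);

        AffirmativeBased affirmative = new AffirmativeBased(voters);
        UnanimousBased unanimous = new UnanimousBased(voters);
        ConsensusBased consensus = new ConsensusBased(voters);

        System.out.println("one grant vote, one deny vote:");
        System.out.println("  AffirmativeBased: " + outcome(affirmative, alice, adminOnly));
        System.out.println("  UnanimousBased:   " + outcome(unanimous, alice, adminOnly));
        System.out.println("  ConsensusBased:   " + outcome(consensus, alice, adminOnly));

        // Tie-break property of ConsensusBased (default true).
        consensus.setAllowIfEqualGrantedDeniedDecisions(false);
        System.out.println("  ConsensusBased, ties deny: " + outcome(consensus, alice, adminOnly));

        // An attribute no configured voter understands: every voter abstains.
        Collection<ConfigAttribute> unknown = SecurityConfig.createList("SCOPE_read");
        System.out.println("all voters abstain:");
        System.out.println("  AffirmativeBased, default: " + outcome(affirmative, alice, unknown));

        // Flipping allowIfAllAbstainDecisions turns an unrecognised attribute
        // into an allow. Do not do this in production.
        affirmative.setAllowIfAllAbstainDecisions(true);
        System.out.println("  AffirmativeBased, allowIfAllAbstainDecisions=true: "
                + outcome(affirmative, alice, unknown));
    }
}
```

Applying the rules from the text: the first request (one grant, one deny) is granted by AffirmativeBased, denied by UnanimousBased, and granted by ConsensusBased until its tie-break is set to false; the "SCOPE_read" request is denied by every strategy at the defaults and only becomes a grant after allowIfAllAbstainDecisions is switched on, which is exactly the misconfiguration to watch for in a review.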
1.1.4. Voter
AccessDecisionVoter is the voting interface provided by Spring Security. A decision manager holds a list of voters, passes each access request to every one of them, and combines their votes with one of the strategies above. Spring Security ships the built-in voters listed below.

```java
public interface AccessDecisionVoter<S> {
    int ACCESS_GRANTED = 1;   // vote to grant access
    int ACCESS_ABSTAIN = 0;   // abstain: the voter has no opinion on these attributes
    int ACCESS_DENIED = -1;   // vote to deny access (a veto)

    boolean supports(ConfigAttribute attribute);
    boolean supports(Class<?> clazz);

    // S is the secure object type, e.g. FilterInvocation or MethodInvocation.
    int vote(Authentication authentication, S object, Collection<ConfigAttribute> attributes);
}
```
RoleVoter: role-based voter.
Here the secure object's attributes are the roles allowed to access it. RoleVoter only recognises attributes that start with its role prefix, which defaults to ROLE_.
If any of the user's granted authorities matches one of the supported attributes, the voter grants. If the attribute collection is empty, or none of the attributes carries the prefix, the voter abstains. If at least one attribute is supported but none of them matches the user's authorities, the voter denies.
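A custom voter, as an added example that is not part of Spring Security or of the original page, shows the contract RoleVoter follows: supports() declares which attributes the voter understands, and vote() abstains whenever none of the request's attributes is one of them, so other voters can decide. The attribute name BUSINESS_HOURS_ONLY, the 09:00 to 17:00 window, the class name and the principal are all invented for the demonstration; the clock is injected so the decision is deterministic and testable.

```java
import java.time.Clock;
import java.time.Instant;
import java.time.LocalTime;
import java.time.ZoneOffset;
import java.util.Collection;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

/**
 * Hypothetical voter (added example, not a Spring Security class) that has an
 * opinion about exactly one attribute, BUSINESS_HOURS_ONLY, and grants or
 * denies based on the time of day. Like RoleVoter it abstains when none of
 * the attributes is one it understands.
 */
public class BusinessHoursVoter implements AccessDecisionVoter<Object> {

    public static final String ATTRIBUTE = "BUSINESS_HOURS_ONLY"; // invented attribute name
    private static final LocalTime OPEN = LocalTime.of(9, 0);
    private static final LocalTime CLOSE = LocalTime.of(17, 0);

    private final Clock clock; // injected so tests can pin the time

    public BusinessHoursVoter(Clock clock) {
        this.clock = clock;
    }

    @Override
    public boolean supports(ConfigAttribute attribute) {
        return attribute != null && ATTRIBUTE.equals(attribute.getAttribute());
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return true; // the decision does not depend on the secure object type
    }

    @Override
    public int vote(Authentication authentication, Object object,
                    Collection<ConfigAttribute> attributes) {
        boolean asked = false;
        for (ConfigAttribute attribute : attributes) {
            if (supports(attribute)) {
                asked = true;
                break;
            }
        }
        if (!asked) {
            return ACCESS_ABSTAIN; // not our concern; leave it to the other voters
        }
        LocalTime now = LocalTime.now(clock);
        boolean open = !now.isBefore(OPEN) && now.isBefore(CLOSE);
        return open ? ACCESS_GRANTED : ACCESS_DENIED;
    }

    public static void main(String[] args) {
        // Constructed principal for the demo.
        Authentication user = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));

        // Fixed clocks: 10:30 UTC (inside the window) and 22:00 UTC (outside).
        Clock tenThirty = Clock.fixed(Instant.parse("2024-01-15T10:30:00Z"), ZoneOffset.UTC);
        Clock tenPm = Clock.fixed(Instant.parse("2024-01-15T22:00:00Z"), ZoneOffset.UTC);

        Collection<ConfigAttribute> restricted = SecurityConfig.createList(ATTRIBUTE, "ROLE_USER");
        Collection<ConfigAttribute> rolesOnly = SecurityConfig.createList("ROLE_USER");

        // Votes print as ints: 1 = ACCESS_GRANTED, 0 = ACCESS_ABSTAIN, -1 = ACCESS_DENIED.
        System.out.println("10:30, BUSINESS_HOURS_ONLY present: "
                + new BusinessHoursVoter(tenThirty).vote(user, new Object(), restricted));
        System.out.println("22:00, BUSINESS_HOURS_ONLY present: "
                + new BusinessHoursVoter(tenPm).vote(user, new Object(), restricted));
        System.out.println("22:00, only ROLE_USER requested:    "
                + new BusinessHoursVoter(tenPm).vote(user, new Object(), rolesOnly));
    }
}
```

Because the third request carries no attribute this voter supports, it abstains rather than denies, and the ROLE_USER attribute is left to the RoleVoter configured alongside it; under UnanimousBased the after-hours deny vote blocks the request on its own, under AffirmativeBased it can still be outvoted by another voter's grant.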
AuthenticatedVoter: authentication-level-based voter.
It distinguishes three levels of authentication:
IS_AUTHENTICATED_FULLY: full authentication.
The highest level, with the most privilege. The user proved their identity in this session, for example by entering a username and password.
IS_AUTHENTICATED_REMEMBERED: remember-me authentication.
The middle level. The user ticked "Remember me" when logging in, closed the browser, and on the next visit was authenticated from the remember-me cookie without entering a password again.
IS_AUTHENTICATED_ANONYMOUSLY: anonymous authentication.
The lowest level, with the least privilege, for example pages that can be viewed without logging in.
The voter decides as follows:
If an attribute requires IS_AUTHENTICATED_FULLY and the current Authentication is fully authenticated, it grants.
If an attribute requires IS_AUTHENTICATED_REMEMBERED and the current Authentication is a remember-me or a fully authenticated one, it grants.
If an attribute requires IS_AUTHENTICATED_ANONYMOUSLY and the current Authentication is anonymous, remember-me or fully authenticated, it grants.
If the voter supports at least one of the attributes and the current authentication level satisfies none of them, it denies.
If the attribute collection is empty or contains no attribute the voter supports, it abstains.
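The class below is an added example (not from the original page or from Spring Security) that puts one Authentication of each level in front of AuthenticatedVoter for each of the three attributes, so the ordering described above can be read off the output. The voter classifies by token type through AuthenticationTrustResolverImpl: an AnonymousAuthenticationToken is anonymous, a RememberMeAuthenticationToken is remember-me, and any other authenticated token counts as fully authenticated. The key "demo-key", the principals and the authorities are constructed for the demonstration.

```java
import java.util.List;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

/**
 * Shows how AuthenticatedVoter votes for each authentication level against
 * each IS_AUTHENTICATED_* attribute. Added example; tokens are constructed.
 */
public class AuthenticationLevelDemo {

    // Maps the int vote back to the constant's name (helper for this demo only).
    static String name(int vote) {
        switch (vote) {
            case AccessDecisionVoter.ACCESS_GRANTED: return "GRANTED";
            case AccessDecisionVoter.ACCESS_DENIED:  return "DENIED";
            default:                                 return "ABSTAIN";
        }
    }

    public static void main(String[] args) {
        AuthenticatedVoter voter = new AuthenticatedVoter();

        // One token per level (constructed; the key would normally come from the filter config).
        Authentication anonymous = new AnonymousAuthenticationToken(
                "demo-key", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        Authentication rememberMe = new RememberMeAuthenticationToken(
                "demo-key", "bob", AuthorityUtils.createAuthorityList("ROLE_USER"));
        Authentication fully = new UsernamePasswordAuthenticationToken(
                "carol", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));

        List<String> requirements = List.of(
                AuthenticatedVoter.IS_AUTHENTICATED_ANONYMOUSLY,
                AuthenticatedVoter.IS_AUTHENTICATED_REMEMBERED,
                AuthenticatedVoter.IS_AUTHENTICATED_FULLY);

        // One row per required level, one column per kind of Authentication.
        for (String requirement : requirements) {
            List<ConfigAttribute> attrs = SecurityConfig.createList(requirement);
            System.out.printf("%-28s anonymous=%-8s rememberMe=%-8s fully=%s%n", requirement,
                    name(voter.vote(anonymous, new Object(), attrs)),
                    name(voter.vote(rememberMe, new Object(), attrs)),
                    name(voter.vote(fully, new Object(), attrs)));
        }

        // An attribute this voter does not recognise: it abstains, it does not deny.
        System.out.println("ROLE_USER -> "
                + name(voter.vote(fully, new Object(), SecurityConfig.createList("ROLE_USER"))));
    }
}
```

The practical consequence of the ordering: a request protected only by IS_AUTHENTICATED_REMEMBERED is satisfied by a remember-me cookie alone. Operations where that is not acceptable (changing a password or e-mail address, payments, viewing secrets) should require IS_AUTHENTICATED_FULLY so that a stolen remember-me cookie cannot perform them without the user re-entering credentials.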
RoleHierarchyVoter: hierarchical role-based voter.
This class extends RoleVoter. It is still a role-based voter, but adds support for a tree-structured role hierarchy supplied as a RoleHierarchy: before matching, the user's authorities are expanded to every role reachable in the hierarchy.
The hierarchy can express, for instance, that role A includes all permissions of roles A1 and A2, while A1 in turn includes all permissions of roles A11 and A12.
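As an added example (not from the original page or from Spring Security), the class below runs the same request through a plain RoleVoter and a RoleHierarchyVoter backed by a RoleHierarchyImpl, to show where the expansion step makes a difference. The hierarchy ROLE_ADMIN > ROLE_STAFF > ROLE_USER, the principal "root" and the class name are invented for the demonstration; setHierarchy(String) is the configuration method of the 5.x line (newer versions also offer RoleHierarchyImpl.fromHierarchy).

```java
import java.util.Collection;

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.access.vote.RoleHierarchyVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

/**
 * Compares RoleVoter with RoleHierarchyVoter on the same request.
 * Added example; the role names and the hierarchy are invented for it.
 */
public class RoleHierarchyDemo {

    public static void main(String[] args) {
        // ROLE_ADMIN implies ROLE_STAFF, which implies ROLE_USER (one edge per line).
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy("ROLE_ADMIN > ROLE_STAFF\nROLE_STAFF > ROLE_USER");

        RoleVoter flat = new RoleVoter();
        RoleHierarchyVoter hierarchical = new RoleHierarchyVoter(hierarchy);

        // Constructed principal that was granted only ROLE_ADMIN.
        Authentication admin = new UsernamePasswordAuthenticationToken(
                "root", "n/a", AuthorityUtils.createAuthorityList("ROLE_ADMIN"));

        // The secure object is open to ROLE_USER.
        Collection<ConfigAttribute> userArea = SecurityConfig.createList("ROLE_USER");

        // Votes print as ints: 1 = ACCESS_GRANTED, 0 = ACCESS_ABSTAIN, -1 = ACCESS_DENIED.
        // RoleVoter compares the literal authorities: ROLE_ADMIN is not ROLE_USER.
        System.out.println("RoleVoter:          " + flat.vote(admin, new Object(), userArea));
        // RoleHierarchyVoter first expands ROLE_ADMIN to every role reachable
        // from it in the hierarchy, then compares.
        System.out.println("RoleHierarchyVoter: " + hierarchical.vote(admin, new Object(), userArea));

        // The expansion the hierarchical voter works with.
        System.out.println("reachable from ROLE_ADMIN: "
                + hierarchy.getReachableGrantedAuthorities(admin.getAuthorities()));
    }
}
```

Note that the hierarchy only takes effect where it is wired in: the RoleHierarchyVoter sees it, but an expression such as hasRole('USER') evaluated by a WebExpressionVoter does not unless the same RoleHierarchy is also set on the expression handler (DefaultWebSecurityExpressionHandler.setRoleHierarchy). Mixing the two without doing so yields inconsistent decisions for the same user.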
The Spring Security web module additionally provides the following voter:
WebExpressionVoter: a voter based on web security expressions.
A web expression is the kind of expression found in the access attribute of an <intercept-url> element, for example:

```xml
<http use-expressions="true">
    <intercept-url pattern="/admin*" access="hasRole('ADMIN') and hasIpAddress('192.168.1.0/24')"/>
</http>
```

The secure object attribute in this case is a WebExpressionConfigAttribute holding the parsed expression. The voter evaluates it against the current Authentication and the FilterInvocation, which is how hasIpAddress can see the client address; that address is the request's remote address, so behind a reverse proxy it is the proxy's address unless forwarded headers are deliberately trusted.
Spring Security Application Development (14): key concepts of authorization