
How to implement Custom access Policy in Spring Security

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article mainly explains how to implement a custom access policy in Spring Security. Interested readers may wish to have a look. The method introduced here is simple, fast and practical; let the editor take you through how to implement a custom access policy in Spring Security.

Foreword:

We will explore a system in which users share spreadsheets, with the access to each spreadsheet stored separately. We have deliberately modeled the permission store as simply as possible; imagine that it calls out to a system of record elsewhere. Note that in this simplified implementation the access decision is binary: you either have access or you don't. Read and write access are not distinguished.

1. Security annotation

Opening SpreadsheetService shows a method annotated with @Secured.

    @Secured("com.jdriven.model.Spreadsheet")
    public void read(Spreadsheet spreadsheet) {
        log.info("Reading {}", spreadsheet);
    }

The value of the @Secured annotation is the fully qualified class name of the domain object whose access we want to restrict. The method takes a parameter of that same type: the specific instance we will protect.

Conveniently, the @Secured annotation does not need to refer to the parameter by name; our AccessDecisionVoter can retrieve it separately by type.

2. Voting mechanism

The access decision is made by an AccessDecisionManager, which consults its configured list of AccessDecisionVoters. Each voter can choose to grant or deny a specific method call based on its own application logic. If a voter cannot decide on a particular method call, it can abstain and leave the decision to the other voters. By default you get an affirmative-based access decision manager, which allows a method call as soon as a single voter votes to grant access, regardless of whether any other voter votes to deny.

For our purposes we need a custom voter that verifies the user's access to the spreadsheet against the stored access records. We do this by extending AbstractAclVoter, which, once configured with the domain object class to handle, can locate the domain object instance among the arguments of the method call. We implement the vote method, which is passed the authenticated user, the secured method invocation and a collection of ConfigAttributes.

    @Override
    public int vote(Authentication authentication, MethodInvocation methodInvocation,
                    Collection<ConfigAttribute> attributes) {
        for (ConfigAttribute configAttribute : attributes) {
            if (supports(configAttribute)) {
                User principal = (User) authentication.getPrincipal();
                Spreadsheet domainObjectInstance = (Spreadsheet) getDomainObjectInstance(methodInvocation);
                return hasSpreadsheetAccess(principal, domainObjectInstance) ? ACCESS_GRANTED : ACCESS_DENIED;
            }
        }
        return ACCESS_ABSTAIN;
    }

Our voter is passed one or more ConfigAttributes, derived from the @Secured annotation itself, which we check by calling boolean supports(ConfigAttribute):

    @Override
    public boolean supports(ConfigAttribute attribute) {
        return getProcessDomainObjectClass().getName().equals(attribute.getAttribute());
    }

With these implementations, the voter abstains only if the ConfigAttribute does not match the configured processDomainObjectClass. In all other cases the voter votes to grant or deny access according to the stored access records.

3. Configuration

We need to configure two parts of the application to trigger custom access decision voter logic.

First, we need to activate the @Secured annotation with @EnableGlobalMethodSecurity(securedEnabled = true), which is done in AccessDecisionConfiguration.

Second, we need to add the SpreadsheetAccessDecisionVoter to the list of decision voters considered by the AccessDecisionManager. To do this we extend GlobalMethodSecurityConfiguration and override AccessDecisionManager accessDecisionManager(). There we call super.accessDecisionManager() to obtain the default affirmative-based access decision manager and append our own voter to the end of its list.

If you need to protect multiple domain object types, you can easily add more voters to the list.
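The voter from section 2 and the configuration from section 3 in one piece, as an added example that is not the original post's code: it assumes a Spreadsheet domain class with a getId() method, stands in for the access-record store with a constructed in-memory map, and matches users by authentication.getName() rather than casting the principal to User. Note that the GlobalMethodSecurityConfiguration and AccessDecisionManager API used here is deprecated since Spring Security 5.6 in favor of AuthorizationManager.

```java
import java.util.Collection;
import java.util.Map;
import java.util.Set;
import org.aopalliance.intercept.MethodInvocation;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.vote.AbstractAccessDecisionManager;
import org.springframework.security.access.vote.AbstractAclVoter;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.Authentication;

// Votes per Spreadsheet instance; abstains on attributes that are not ours.
class SpreadsheetAccessDecisionVoter extends AbstractAclVoter {
    // Constructed stand-in for the access-record store: spreadsheet id -> allowed user names.
    private final Map<String, Set<String>> accessRecords;
    SpreadsheetAccessDecisionVoter(Map<String, Set<String>> accessRecords) {
        this.accessRecords = accessRecords;
        setProcessDomainObjectClass(Spreadsheet.class); // assumed domain class
    }
    @Override
    public boolean supports(ConfigAttribute attribute) {
        // Matches only @Secured("<fully qualified Spreadsheet class name>")
        return getProcessDomainObjectClass().getName().equals(attribute.getAttribute());
    }
    @Override
    public int vote(Authentication authentication, MethodInvocation invocation,
                    Collection<ConfigAttribute> attributes) {
        for (ConfigAttribute attribute : attributes) {
            if (supports(attribute)) {
                // AbstractAclVoter finds the Spreadsheet argument by type
                Spreadsheet sheet = (Spreadsheet) getDomainObjectInstance(invocation);
                if (sheet == null) return ACCESS_DENIED; // fail closed on a null argument
                Set<String> allowed = accessRecords.getOrDefault(sheet.getId(), Set.of());
                return allowed.contains(authentication.getName()) ? ACCESS_GRANTED : ACCESS_DENIED;
            }
        }
        return ACCESS_ABSTAIN; // not our domain object: leave it to the other voters
    }
}

@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true)
class AccessDecisionConfiguration extends GlobalMethodSecurityConfiguration {
    @Override
    protected AccessDecisionManager accessDecisionManager() {
        AbstractAccessDecisionManager manager = (AbstractAccessDecisionManager) super.accessDecisionManager();
        // Constructed sample records: only alice and bob may access spreadsheet "s1"
        manager.getDecisionVoters().add(new SpreadsheetAccessDecisionVoter(Map.of("s1", Set.of("alice", "bob"))));
        return manager; // default AffirmativeBased manager with our voter appended
    }
}
```

Because the attribute is a class name rather than a ROLE_-prefixed value, the default RoleVoter and AuthenticatedVoter abstain, and AffirmativeBased denies when every voter abstains, so a misconfigured attribute fails closed.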

4. Test

Our SpreadsheetAccessDecisionVoter test uses mock users Alice and Bob, as well as a malicious third user, Eve, who all try to access a single spreadsheet.

We can see that access to the spreadsheet follows the access rules stored at the beginning of each test:

Alice can access the spreadsheet.

Bob can also access the spreadsheet.

Eve cannot access the spreadsheet and receives an AccessDeniedException.

At this point, I believe you have a deeper understanding of how to implement a custom access policy in Spring Security. You might as well try it in practice. More related content is available through the relevant channels on this website; follow us and continue to learn!
