三 Acegi安全系統(tǒng)擴(kuò)展
相信side對Acegi的擴(kuò)展會(huì)給你耳目一新的感覺,提供完整的擴(kuò)展功能,管理界面,中文注釋和靠近企業(yè)的安全策略�����。side只對Acegi不符合企業(yè)應(yīng)用需要的功能進(jìn)行擴(kuò)展,盡量不改動(dòng)其余部分來實(shí)現(xiàn)全套權(quán)限管理功能,以求能更好地適應(yīng)Acegi升級�����。
3.1 基于角色的權(quán)限控制(RBAC)
Acegi 自帶的 sample 表設(shè)計(jì)很簡單: users表{username,password,enabled} authorities表{username,authority},這樣簡單的設(shè)計(jì)無法適應(yīng)復(fù)雜的權(quán)限需求,故SpringSide選用RBAC模型對權(quán)限控制數(shù)據(jù)庫表進(jìn)行擴(kuò)展��。 RBAC引入了ROLE的概念,使User(用戶)和Permission(權(quán)限)分離,一個(gè)用戶擁有多個(gè)角色,一個(gè)角色擁有有多個(gè)相應(yīng)的權(quán)限,從而減少了權(quán)限管理的復(fù)雜度,可更靈活地支持安全策略。
同時(shí),我們也引入了resource(資源)的概念,一個(gè)資源對應(yīng)多個(gè)權(quán)限,資源分為ACL,URL,和FUNTION三種�。注意,URL和FUNTION的權(quán)限命名需要以AUTH_開頭才會(huì)有資格參加投票, 同樣的ACL權(quán)限命名需要ACL_開頭��。
3.2 管理和使用EhCache
3.2.1 設(shè)立緩存
在SpringSide里的 Acegi 擴(kuò)展使用 EhCache 就作為一種緩存解決方案,以緩存用戶和資源的信息和相對應(yīng)的權(quán)限信息。
首先需要一個(gè)在classpath的 ehcache.xml 文件,用于配置 EhCache。
<ehcache>
<defaultCache
maxElementsInMemory="10000"
eternal="false"
overflowToDisk="true"
timeToIdleSeconds="0"
timeToLiveSeconds="0"
diskPersistent="false"
diskExpiryThreadIntervalSeconds= "120"/>
<!-- acegi cache-->
<cache name="userCache"
maxElementsInMemory="10000"
eternal="true"
overflowToDisk= "true"/>
<!-- acegi cache-->
<cache name="resourceCache"
maxElementsInMemory="10000"
eternal="true"
overflowToDisk="true"/>
</ehcache>
maxElementsInMemory設(shè)定了允許在Cache中存放的數(shù)據(jù)數(shù)目��,eternal設(shè)定Cache是否會(huì)過期,overflowToDisk設(shè)定內(nèi)存不足的時(shí)候緩存到硬盤��,timeToIdleSeconds和timeToLiveSeconds設(shè)定緩存游離時(shí)間和生存時(shí)間�����,diskExpiryThreadIntervalSeconds設(shè)定緩存在硬盤上的生存時(shí)間��,注意當(dāng)eternal="true"時(shí),timeToIdleSeconds�,timeToLiveSeconds和diskExpiryThreadIntervalSeconds都是無效的�����。
<defaultCache>是除制定的Cache外其余所有Cache的設(shè)置�����,針對Acegi 的情況, 專門設(shè)置了userCache和resourceCache,都設(shè)為永不過期�����。在applicationContext-acegi-security.xml中相應(yīng)的調(diào)用是
<bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
<property name="cacheManager" ref="cacheManager"/>
<property name="cacheName" value=" userCache"/>
</bean>
<bean id="userCache" class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache" autowire="byName">
<property name="cache" ref="userCacheBackend"/>
</bean>
<bean id="resourceCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
<property name="cacheManager" ref="cacheManager"/>
<property name="cacheName" value=" resourceCache"/>
</bean>
<bean id="resourceCache" class="org.springside.modules.security.service.acegi.cache.ResourceCache" autowire="byName">
<property name="cache" ref="resourceCacheBackend"/>
</bean>
<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>
"cacheName" 就是設(shè)定在ehcache.xml 中相應(yīng)Cache的名稱。
userCache使用的是Acegi 的EhCacheBasedUserCache(實(shí)現(xiàn)了UserCache接口), resourceCache是SpringSide的擴(kuò)展類
public interface UserCache {
public UserDetails getUserFromCache (String username);
public void putUserInCache (UserDetails user);
public void removeUserFromCache (String username);
}
public class ResourceCache {
public ResourceDetails getAuthorityFromCache (String resString) {... }
public void putAuthorityInCache (ResourceDetails resourceDetails) {... }
public void removeAuthorityFromCache (String resString) {... }
public List getUrlResStrings() {... }
public List getFunctions() {.. }
}
UserCache 就是通過EhCache對UserDetails 進(jìn)行緩存管理, 而ResourceCache 是對ResourceDetails 類進(jìn)行緩存管理
public interface UserDetails extends Serializable {
public boolean isAccountNonExpired();
public boolean isAccountNonLocked();
public GrantedAuthority[] getAuthorities();
public boolean isCredentialsNonExpired();
public boolean isEnabled();
public String getPassword();
public String getUsername();
}
public interface ResourceDetails extends Serializable {
public String getResString();
public String getResType();
public GrantedAuthority[] getAuthorities();
}
UserDetails 包含用戶信息和相應(yīng)的權(quán)限��,ResourceDetails 包含資源信息和相應(yīng)的權(quán)限。
public interface GrantedAuthority {
public String getAuthority ();
}
GrantedAuthority 就是權(quán)限信息,在Acegi 的 sample 里GrantedAuthority 的信息如ROLE_USER, ROLE_SUPERVISOR, ACL_CONTACT_DELETE, ACL_CONTACT_ADMIN等等��,網(wǎng)上也有很多例子把角色作為GrantedAuthority ��,但事實(shí)上看看ACL 就知道, Acegi本身根本就沒有角色這個(gè)概念�,GrantedAuthority 包含的信息應(yīng)該是權(quán)限,對于非ACL的權(quán)限用 AUTH_ 開頭更為合理, 如SpringSide里的 AUTH_ADMIN_LOGIN, AUTH_BOOK_MANAGE 等等��。
3.2.2 管理緩存
使用AcegiCacheManager對userCache和resourceCache進(jìn)行統(tǒng)一緩存管理��。當(dāng)在后臺對用戶信息進(jìn)行修改或賦權(quán)的時(shí)候, 在更新數(shù)據(jù)庫同時(shí)就會(huì)調(diào)用acegiCacheManager相應(yīng)方法, 從數(shù)據(jù)庫中讀取數(shù)據(jù)并替換cache中相應(yīng)部分,使cache與數(shù)據(jù)庫同步��。
public class AcegiCacheManager extends BaseService {
private ResourceCache resourceCache ;
private UserCache userCache ;
/**
* 修改User時(shí)更改userCache
*/
public void modifyUserInCache (User user, String orgUsername) {... }
/**
* 修改Resource時(shí)更改resourceCache
*/
public void modifyResourceInCache (Resource resource, String orgResourcename) {... }
/**
* 修改權(quán)限時(shí)同時(shí)修改userCache和resourceCache
*/
public void modifyPermiInCache (Permission permi, String orgPerminame) {... }
/**
* User授予角色時(shí)更改userCache
*/
public void authRoleInCache (User user) {... }
/**
* Role授予權(quán)限時(shí)更改userCache和resourceCache
*/
public void authPermissionInCache (Role role) {... }
/**
* Permissioni授予資源時(shí)更改resourceCache
*/
public void authResourceInCache (Permission permi) {... }
/**
* 初始化userCache
*/
public void initUserCache () {... }
/**
* 初始化resourceCache
*/
public void initResourceCache () {... }
/**
* 獲取所有的url資源
*/
public List getUrlResStrings () {... }
/**
* 獲取所有的Funtion資源
*/
public List getFunctions () {... }
/**
* 根據(jù)資源串獲取資源
*/
public ResourceDetails getAuthorityFromCache (String resString) {... }
......
}
3.3 資源權(quán)限定義擴(kuò)展
Acegi給出的sample里,資源權(quán)限對照關(guān)系是配置在xml中的,試想一下如果你的企業(yè)安全應(yīng)用有500個(gè)用戶,100個(gè)角色權(quán)限的時(shí)候,維護(hù)這個(gè)xml將是個(gè)繁重?zé)o比的工作,如何動(dòng)態(tài)更改用戶權(quán)限更是個(gè)頭痛的問題。
<bean id="contactManagerSecurity" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="businessAccessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
<property name="objectDefinitionSource">
<value>
sample.contact.ContactManager.create=ROLE_USER
sample.contact.ContactManager.getAllRecipients=ROLE_USER
sample.contact.ContactManager.getAll=ROLE_USER,AFTER_ACL_COLLECTION_READ
sample.contact.ContactManager.getById=ROLE_USER,AFTER_ACL_READ
sample.contact.ContactManager.delete=ACL_CONTACT_DELETE
sample.contact.ContactManager.deletePermission=ACL_CONTACT_ADMIN
sample.contact.ContactManager.addPermission=ACL_CONTACT_ADMIN
</value>
</property>
</bean>
<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
<property name="objectDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/index.jsp=ROLE_ANONYMOUS,ROLE_USER
/hello.htm=ROLE_ANONYMOUS,ROLE_USER
/logoff.jsp=ROLE_ANONYMOUS,ROLE_USER
/switchuser.jsp=ROLE_SUPERVISOR
/j_acegi_switch_user=ROLE_SUPERVISOR
/acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_USER
/**=ROLE_USER
</value>
</property>
</bean>
對如此不Pragmatic的做法,SpringSide進(jìn)行了擴(kuò)展, 讓Acegi 能動(dòng)態(tài)讀取數(shù)據(jù)庫中的權(quán)限資源關(guān)系�。
3.3.1 Aop Invocation Authorization
<bean id="methodSecurityInterceptor" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
<property name="objectDefinitionSource" ref="methodDefinitionSource"/>
</bean>
<bean id="methodDefinitionSource" class="org.springside.security.service.acegi.DBMethodDefinitionSource">
<property name="acegiCacheManager" ref="acegiCacheManager"/>
</bean>
研究下Aceig的源碼,ObjectDefinitionSource的實(shí)際作用是返回一個(gè)ConfigAttributeDefinition對象,而Acegi Sample 的方式是用MethodDefinitionSourceEditor把xml中的文本Function資源權(quán)限對應(yīng)關(guān)系信息加載到MethodDefinitionMap ( MethodDefinitionSource 的實(shí)現(xiàn)類 )中, 再組成ConfigAttributeDefinition�����,而我們的擴(kuò)展目標(biāo)是從緩存中讀取信息來組成ConfigAttributeDefinition�。
MethodSecurityInterceptor是通過調(diào)用AbstractMethodDefinitionSource的lookupAttributes(method)方法獲取ConfigAttributeDefinition��。所以我們需要實(shí)現(xiàn)自己的ObjectDefinitionSource�����,繼承AbstractMethodDefinitionSource并實(shí)現(xiàn)其lookupAttributes方法,從緩存中讀取資源權(quán)限對應(yīng)關(guān)系組成并返回ConfigAttributeDefinition即可�����。SpringSide中的DBMethodDefinitionSource類的部分實(shí)現(xiàn)如下 :
public class DBMethodDefinitionSource extends AbstractMethodDefinitionSource {
......
protected ConfigAttributeDefinition lookupAttributes(Method mi) {
Assert.notNull(mi, "lookupAttrubutes in the DBMethodDefinitionSource is null");
String methodString = mi.getDeclaringClass().getName() + "." + mi.getName();
if (!acegiCacheManager.isCacheInitialized()) {
//初始化Cache
acegiCacheManager.initResourceCache();
}
//獲取所有的function
List methodStrings = acegiCacheManager.getFunctions();
Set auths = new HashSet();
//取權(quán)限的合集
for (Iterator iter = methodStrings.iterator(); iter.hasNext();) {
String mappedName = (String) iter.next();
if (methodString.equals(mappedName)
|| isMatch(methodString, mappedName)) {
ResourceDetails resourceDetails = acegiCacheManager.getAuthorityFromCache(mappedName);
if (resourceDetails == null) {
break;
}
GrantedAuthority[] authorities = resourceDetails.getAuthorities();
if (authorities == null || authorities.length == 0) {
break;
}
auths.addAll(Arrays.asList(authorities));
}
}
if (auths.size() == 0)
return null;
ConfigAttributeEditor configAttrEditor = new ConfigAttributeEditor();
String authoritiesStr = " ";
for (Iterator iter = auths.iterator(); iter.hasNext();) {
GrantedAuthority authority = (GrantedAuthority) iter.next();
authoritiesStr += authority.getAuthority() + ",";
}
String authStr = authoritiesStr.substring(0, authoritiesStr.length() - 1);
configAttrEditor.setAsText(authStr);
//組裝并返回ConfigAttributeDefinition
return (ConfigAttributeDefinition) configAttrEditor.getValue();
}
......
}
要注意幾點(diǎn)的是:
1) 初始化Cache是比較浪費(fèi)資源的��,所以SpringSide中除第一次訪問外的Cache的更新是針對性更新��。
2) 因?yàn)閙ethod采用了匹配方式(詳見 isMatch() 方法) , 即對于*Book和save*這兩個(gè)資源來說�����,只要當(dāng)前訪問方法是Book結(jié)尾或以save開頭都算匹配得上,所以應(yīng)該取這些能匹配上的資源的相對應(yīng)的權(quán)限的合集。
3) 使用ConfigAttributeEditor 能更方便地組裝ConfigAttributeDefinition。
3.3.2 Filter Invocation Authorization
<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
<property name="objectDefinitionSource" ref="filterDefinitionSource"/>
</bean>
<bean id="filterDefinitionSource" class="org.springside.security.service.acegi.DBFilterInvocationDefinitionSource">
<property name="convertUrlToLowercaseBeforeComparison" value="true"/>
<property name="useAntPath" value="true"/>
<property name="acegiCacheManager" ref="acegiCacheManager"/>
</bean>
PathBasedFilterInvocationDefinitionMap和RegExpBasedFilterInvocationDefinitionMap都是 FilterInvocationDefinitionSource的實(shí)現(xiàn)類,當(dāng)PATTERN_TYPE_APACHE_ANT字符串匹配上時(shí)時(shí),FilterInvocationDefinitionSourceEditor 選用PathBasedFilterInvocationDefinitionMap 把xml中的文本URL資源權(quán)限對應(yīng)關(guān)系信息加載�����。
FilterSecurityInterceptor通過FilterInvocationDefinitionSource的lookupAttributes(url)方法獲取ConfigAttributeDefinition�����。 所以,我們可以通過繼承FilterInvocationDefinitionSource的抽象類AbstractFilterInvocationDefinitionSource��,并實(shí)現(xiàn)其lookupAttributes方法,從緩存中讀取URL資源權(quán)限對應(yīng)關(guān)系即可。SpringSide的DBFilterInvocationDefinitionSource類部分實(shí)現(xiàn)如下:
public class DBFilterInvocationDefinitionSource extends AbstractFilterInvocationDefinitionSource {
......
public ConfigAttributeDefinition lookupAttributes(String url) {
if (!acegiCacheManager.isCacheInitialized()) {
acegiCacheManager.initResourceCache();
}
if (isUseAntPath()) {
// Strip anything after a question mark symbol, as per SEC-161.
int firstQuestionMarkIndex = url.lastIndexOf("?");
if (firstQuestionMarkIndex != -1) {
url = url.substring(0, firstQuestionMarkIndex);
}
}
List urls = acegiCacheManager.getUrlResStrings();
//URL資源倒敘排序
Collections.sort(urls);
Collections.reverse(urls);
//是否先全部轉(zhuǎn)為小寫再比較
if (convertUrlToLowercaseBeforeComparison) {
url = url.toLowerCase();
}
GrantedAuthority[] authorities = new GrantedAuthority[0];
for (Iterator iterator = urls.iterator(); iterator.hasNext();) {
String resString = (String) iterator.next();
boolean matched = false;
//可選擇使用AntPath和Perl5兩種不同匹配模式
if (isUseAntPath()) {
matched = pathMatcher.match(resString, url);
} else {
Pattern compiledPattern;
Perl5Compiler compiler = new Perl5Compiler();
try {
compiledPattern = compiler.compile(resString,
Perl5Compiler.READ_ONLY_MASK);
} catch (MalformedPatternException mpe) {
throw new IllegalArgumentException(
"Malformed regular expression: " + resString);
}
matched = matcher.matches(url, compiledPattern);
}
if (matched) {
ResourceDetails rd = acegiCacheManager.getAuthorityFromCache(resString);
authorities = rd.getAuthorities();
break;
}
}
if (authorities.length > 0) {
String authoritiesStr = " ";
for (int i = 0; i < authorities.length; i++) {
authoritiesStr += authorities[i].getAuthority() + ",";
}
String authStr = authoritiesStr.substring(0, authoritiesStr
.length() - 1);
ConfigAttributeEditor configAttrEditor = new ConfigAttributeEditor();
configAttrEditor.setAsText(authStr);
return (ConfigAttributeDefinition) configAttrEditor.getValue();
}
return null;
}
......
}
繼承AbstractFilterInvocationDefinitionSource注意幾點(diǎn):
1) 需要先把獲取回來的URL資源按倒序派序��,以達(dá)到 a/b/c/d.* 在 a/.* 之前的效果(詳見 Acegi sample 的applicationContext-acegi-security.xml 中的filterInvocationInterceptor的注釋)��,為的是更具體的URL可以先匹配上��,而獲取具體URL的權(quán)限,如a/b/c/d.*權(quán)限AUTH_a, AUTH_b 才可查看, a/.* 需要權(quán)限AUTH_a 才可查看,則如果當(dāng)前用戶只擁有權(quán)限AUTH_b,則他只可以查看a/b/c/d.jsp 而不能察看a/d.jsp�����。
2) 基于上面的原因,故第一次匹配上的就是當(dāng)前所需權(quán)限�����,而不是取權(quán)限的合集��。
3) 可以選用AntPath 或 Perl5 的資源匹配方式,感覺AntPath匹配方式基本足夠�����。
4) Filter 權(quán)限控制比較適合于較粗顆粒度的權(quán)限��,如設(shè)定某個(gè)模塊下的頁面是否能訪問等,對于具體某個(gè)操作如增刪修改�����,是否能執(zhí)行��,用Method Invocation 會(huì)更佳些��,所以注意兩個(gè)方面一起控制效果更好
3.4 授權(quán)操作
RBAC模型中有不少多對多的關(guān)系�����,這些關(guān)系都能以一個(gè)中間表的形式來存放�����,而Hibernate中可以不建這中間表對應(yīng)的hbm.xml , 以資源與權(quán)限的配置為例,如下:
<hibernate-mapping package="org.springside.modules.security.domain">
<class name="Permission" table="PERMISSIONS" dynamic-insert="true" dynamic-update="true">
<cache usage="nonstrict-read-write"/>
<id name="id" column="ID">
<generator class="native"/>
</id>
<property name="name" column="NAME" not-null="true"/>
<property name="descn" column="DESCN"/>
<property name="operation" column="OPERATION"/>
<property name="status" column="STATUS"/>
<set name="roles" table="ROLE_PERMIS" lazy="true" inverse="true" cascade="save-update" batch-size="5">
<key>
<column name="PERMIS_ID" not-null="true"/>
</key>
<many-to-many class="Role" column="ROLE_ID" outer-join="auto"/>
</set>
<set name="resources" table="PERMIS_RESC" lazy="true" inverse="false" cascade="save-update" batch-size="5">
<key>
<column name="PERMIS_ID" not-null="true"/>
</key>
<many-to-many class="Resource" column="RESC_ID"/>
</set>
</class>
</hibernate-mapping>
<hibernate-mapping package="org.springside.modules.security.domain">
<class name="Resource" table="RESOURCES" dynamic-insert="true" dynamic-update="true">
<cache usage="nonstrict-read-write"/>
<id name="id" column="ID">
<generator class="native"/>
</id>
<property name="name" column="NAME" not-null="true"/>
<property name="resType" column="RES_TYPE" not-null="true"/>
<property name="resString" column="RES_STRING" not-null="true"/>
<property name="descn" column="DESCN"/>
<set name="permissions" table="PERMIS_RESC" lazy="true" inverse="true" cascade="save-update" batch-size="5">
<key>
<column name="RESC_ID" not-null="true"/>
</key>
<many-to-many class="Permission" column="PERMIS_ID" outer-join="auto"/>
</set>
</class>
</hibernate-mapping>
配置時(shí)注意幾點(diǎn):
1) 因?yàn)槭欠峙淠硞€(gè)權(quán)限的資源,所以權(quán)限是主控方,把inverse設(shè)為false�,資源是被控方inverse設(shè)為true
2) cascade是"save-update"��,千萬別配成delete
3) 只需要 permission.getResources().add(resource), permission.getResources()..remove(resource) 即可很方便地完成授權(quán)和取消授權(quán)操作
|
