8 Archietcture and Implementation
8.1 Technical Overview
8.1.1 Runtime Environment
there is no need to place any special configuration files into your java Runtive Environment.
8.1.2 Core Components (spring-security-core)
SecurityContextHolder, SecurityContext, Authentication
SecuritycontextHolder.MODE_GLOBAL
SecuritycontextHolder.MODE_INHERITABLETHREADLOCAL
SecuritycontextHolder.MODE_THREADLOCAL(这个是默认的)
Obtaining information about the current user
Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
一般情况下,principal可以转换成UserDetails
The UserDetailsService
它负责返回一个UserDetails, 这个UserDetails会自动放入SecurityContextHolder
GrantedAuthority
an authority that is granted to a principal. 相当于通常说的roles
Authentication有一个getAuthorities(), 返回 GrantedAuthority数组
它通常是由UserDetailsService加载
总结:主要的building block
.SecurityContextHolder
.SecurityContext
.Authentication
.GrantedAuthority: principal的权限
.UserDetails
.UserDetailsService
8.1.3 Authentication
可用于许多不同的认证环境,推荐不要和容器认证集成
What is authentication in Srping Security?
标准认证情境:
1. 提示用户输入用户名和密码 ---
2. 系统验证当前用户的密码是正确的 -----> 这三步构成认证的过程
3. 获取用户环境信息(角色列表等) ---
4. 为用户建立security context
5. 用户操作有权限的功能
how these take place within spring security:
1. username and password => UsernamePasswordAuthenticationToken (Authentication接口的一个实现)
2. 这个token传给AuthenticationManager验证
3. 验证成功,AuthenticationManager返回一个populated Authentication实例
4. 调用SecurityCotnextHolder.getContext().setAuthentication(...), 把3返回的authentication
作为参数, 建立security context
至此,此用户被认为 be authenticated
一个例子:
...
Setting the SecurityContextHolder Contents Directly
spring security不管Authentication怎么放进SecurityContextHolder, 唯一的要求就是在AbstractSecurityInterceptor
授权用户操作前,SecurityContextHolder已经包含了一个Authentication.
8.1.4 Authentication in a web application
consider a typical web application's authentication process:
1. you visit the home page, and click on a link.
2. request -> server, server认为你访问受保护资源
3. 因为你没认证,server返回respone,indicating 你必须先认证。
返回一个http response code,或是一个web page.
4. 或者在form提交用户名和密码,或者想法子获取你的identity(cookie, x.509证书。。。)
5. 浏览器发给server响应,或者post一个form(用户名和密码),或者放在http header里的认证信息
6. server看信息是否有效,有效,继续,无效,要求重试.
7. 引起认证的请求(就是1步的请求)被重试。 如果有权限,请求成功,否则,返回403 => "forbidden"
spring security有不同的类负责上面的各步骤, 主要是(按出现顺序):
ExceptionTranslationFilter, AuthenticationEntryPoint, "authentication mechanism"
"authentication mechanism"负责调用前面讲的AuthenticationManager
ExceptionTranslationFilter:
主要检测 AbstractSecurityInterceptor(这是授权服务的主要提供者) throw的异常.
处理结果: 1. 403 认证但权限不够 第七步
2. 调用AuthenticationEntryPoint 没认证 第三步
AuthenticationEntryPoint:
负责第三步,每一种认证方式都有自己的AuthenticationEntryPoint.
"authentication mechanism"
收集用户authentication details从a user agent(usually a web browser),在spring security里叫
"authentication mechanism", 比如form方式的login, 或Basic authentication.
收集后,建立一个Authentication "request" object,然后把它传给AuthenticationManager.
在"authentication mechanish"收到一个 fully-populated Authentication对象后,它会认为请求有效,
把这个Authentication放进SecurityContextHolder, 然后使用原始请求重试(第七步)
如果AuthenticationManager认为request无效,"authentication mechainsh"就会让user agent重试
Storing the SecurityContoext between requests
在各请求间保存SecurityContext,由SecurityContextPersistenceFilter来完成,默认把context保存为HttpSession的属性
它为每个请求restore the context到SecurityContextHolder,请求完成后,再从SecurithContextHolder清除
为了安全,不要直接和HttpSession交互.
不使用Http session的应用,比如restful service, 对于每个请求都要re-authenticate. 然而,把
SecurityContextPersistenceFilter仍然放在这个chain,来确保每个请求后SecurityContextHolder能被清除,也是很重要的。
8.1.5 Access-Control(Authentication) in spring security
spring security里, make access-control decisions的类是AccessDecisionManager. 它有一个decide().
对于方法调用,可以使用一个around advice, 对于一个web request, 可以使用standard filter来获得一个around advice.
secure method invcation in the services layer, spring's standard AOP will be adequate.
secure domain objects, you will likely find that AspectJ is worth considering.
Secure Objects and the AbstractSecurityInterceptor
what is a "secure object"? -- any object that can have security(such as an authorization decision) applied to it.
the most common examples are method invocations and web requests.
** each supported security object type has its own interceptor class, which is a subclass of AbstractSecurityIntercptor.
** 如果principal已经认证成功,在调用AbstractSecurityInterceptor时,SecurityContextHolder就会有一个有效的Authentication
AbstractSecurityInterceptor处理secure object requests的流程:
1. 查找当前请求相关的configuration attributes
2. 把secure object, current Authentication, 和configuration attributes传成AccessDecisionManager,
做authorization decision
3. 调用发生时,可选的可以修改Authentication
4. 允许secure object调用继续(假设访问被granted)
5. 如果调用成功, call the AfterInvocationManager if configured
如果出现异常,AfterInvocationManager不会被调用
What are Configuration Attributes?
可以认为configuration attributes是对于AbstractSecurityInterceptor使用的类,有特殊意义的字符串
由ConfigAttribue接口表示.
AbstractSecurityInterceptor有一个SecurityMetadataSource, 它用来查找secure object的 configuration attributes
ROLE_XXX,应当交给RoleVoter来处理
RunAsManager
当AccessDecisionManager决定允许这个request, AbstractSecurityInterceptor通常继续这个request.
前面提到,如果想替换SecurityContext里的Authentication with a different Authentication,
这可以通过AccessDecisionManager调用RunAsManager实现
AfterInvocationManager
AfterInvocationManager is interested in 修改返回的对象,
它只在调用成功的情况下才会被执行.如果有异常,额外的检测会被skipped.
Extending the Secure Object Model
** FiterInvocation.