学习acegi-security - OMG,到底在寻找什么..................

原帖地址：http://bulain.javaeye.com/blog/24000

学习acegi-security
这几天对acegi研究了一下，现对这几天的研究做个总结。

网上资料对于acegi在web上的应用非常多，所以特意不从web入手，而从一般的java方法入手。

acegi的基本原理就是利用拦截器，对请求进行拦截，在拦截前和拦截后做些安全验证，以达到安全目的。所谓安全，一般包括两个部分，一为认证(authentication),二为授权(authorization)。

1，拦截器体系
acegi中拦截器为分为三类：
(1)filter拦截器(FilterSecurityInterceptor),主要对web应用进行拦截，即利用servlet的filter进行拦截。
(2)method拦截器，分为spring的method拦截器(MethodSecurityInterceptor)和aspectj的method拦截器(AspectJSecurityInterceptor)。

代码

public abstract class AbstractSecurityInterceptor implements InitializingBean, ApplicationEventPublisherAware,
MessageSourceAware {
private AccessDecisionManager accessDecisionManager;
private AfterInvocationManager afterInvocationManager;
private ApplicationEventPublisher eventPublisher;
private AuthenticationManager authenticationManager;
protected MessageSourceAccessor messages = AcegiMessageSource.getAccessor();
private RunAsManager runAsManager = new NullRunAsManager();
private boolean alwaysReauthenticate = false ;
private boolean rejectPublicInvocations = false ;
private boolean validateConfigAttributes = true ;
.........
protected Object afterInvocation(InterceptorStatusToken token, Object returnedObject) {
............
SecurityContextHolder.getContext().setAuthentication(token.getAuthentication());
............
if (afterInvocationManager != null ) {
returnedObject = afterInvocationManager.decide(token.getAuthentication(), token.getSecureObject(),token.getAttr(), returnedObject);
}
............
}
protected InterceptorStatusToken beforeInvocation(Object object) {
............
authenticated = this .authenticationManager.authenticate(SecurityContextHolder.getContext().getAuthentication());
............
this .accessDecisionManager.decide(authenticated, object, attr);
............
Authentication runAs = this .runAsManager.buildRunAs(authenticated, object, attr);
if (runAs == null ) {
............
return new InterceptorStatusToken(authenticated, false , attr, object);
} else {
............
SecurityContextHolder.getContext().setAuthentication(runAs);
return new InterceptorStatusToken(authenticated, true , attr, object);
}
............
}
}
public class FilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {
public void invoke(FilterInvocation fi) throws IOException, ServletException {
if ((fi.getRequest() != null ) && (fi.getRequest().getAttribute(FILTER_APPLIED) != null )
&& observeOncePerRequest) {
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
} else {
if (fi.getRequest() != null ) {
fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);
}
InterceptorStatusToken token = super .beforeInvocation(fi);
try {
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
} finally {
super .afterInvocation(token, null );
}
}
}
............
}
public class MethodSecurityInterceptor extends AbstractSecurityInterceptor implements MethodInterceptor {
public Object invoke(MethodInvocation mi) throws Throwable {
Object result = null ;
InterceptorStatusToken token = super .beforeInvocation(mi);
try {
result = mi.proceed();
} finally {
result = super .afterInvocation(token, result);
}
return result;
}
............
}
public class AspectJSecurityInterceptor extends AbstractSecurityInterceptor {
public Object invoke(JoinPoint jp, AspectJCallback advisorProceed) {
Object result = null ;
InterceptorStatusToken token = super .beforeInvocation(jp);
try {
result = advisorProceed.proceedWithObject();
} finally {
result = super .afterInvocation(token, result);
}
return result;
}
............
}

上面的代码片断已经显示,所有的真正参与验证的代码都在父类AbstractSecurityInterceptor.beforeInvocation()之中进行，而对于拦截器都只是做些委托罢了。这样可以把具体的验证代码同拦截器分开，也有利于扩展，用其他的aop技术或拦截器进行扩展，可以很轻松。

认证体系由AuthenticationManager负责，授权体系由AccessDecisionManager负责，RunAsManager 是作为用户身份转换的手段。AfterInvocationManager留下了一个接口，可以扩展默认的授权体系，可以做一些其他额外的工作。

在AbstractSecurityInterceptor.beforeInvocation()中，
首先进行认证，authenticated = this.authenticationManager.authenticate(SecurityContextHolder.getContext().getAuthentication());
其次进行授权，this.accessDecisionManager.decide(authenticated, object, attr);

AbstractSecurityInterceptor.afterInvocation()中，
做其他扩展，returnedObject = afterInvocationManager.decide(token.getAuthentication(), token.getSecureObject(),token.getAttr(), returnedObject);

2，认证体系
2.1认证管理器
认证体系的核心为AuthenticationManager，他的方法authenticate(Authentication authentication)负责所有的认证。在acegi中，由具体类ProviderManager来进行认证过程。

代码

public interface AuthenticationManager {
public Authentication authenticate(Authentication authentication)
throws AuthenticationException;
}
public abstract class AbstractAuthenticationManager
implements AuthenticationManager{
public final Authentication authenticate(Authentication authRequest)
throws AuthenticationException {
try {
Authentication authResult = doAuthentication(authRequest);
copyDetails(authRequest, authResult);
return authResult;
} catch (AuthenticationException e) {
e.setAuthentication(authRequest);
throw e;
}
}
private void copyDetails(Authentication source, Authentication dest) {
if ((dest instanceof AbstractAuthenticationToken) && (dest.getDetails() == null )) {
AbstractAuthenticationToken token = (AbstractAuthenticationToken) dest;
token.setDetails(source.getDetails());
}
}
protected abstract Authentication doAuthentication(Authentication authentication)
throws AuthenticationException;
.........
}
public class ProviderManager extends AbstractAuthenticationManager implements InitializingBean,
ApplicationEventPublisherAware, MessageSourceAware {
private List providers;
............
public Authentication doAuthentication(Authentication authentication)
throws AuthenticationException {
.........
Iterator iter = providers.iterator();
............
while (iter.hasNext()) {
.............
AuthenticationProvider provider = (AuthenticationProvider) iter.next();
.........
result = provider.authenticate(authentication);
............
}
............
}
.........
}

从上面代码片断可以看出，真正的认证过程是在ProviderManager.doAuthentication()中进行的。而ProviderManager并不是具体的认证者，他只是个管理器，它要将具体的认证过程委托给具体的认证器提供者AuthenticationProvider去做。

2.2认证提供者
认证提供者就有很多了，可以提供各种各样的认证。如dao,ldap,anonymous,authbyadapter，cas,jaas,remeberme,remote,runnasimpl,testing,x509等。

代码

public interface AuthenticationProvider {
public Authentication authenticate(Authentication authentication) throws AuthenticationException;
public boolean supports(Class authentication);
}

具体的认证提供者类就不详细分析了，只提个名字：DaoAuthenticationProvider,LdapAuthenticationProvider，AnonymousAuthenticationProvider，AuthByAdapterProvider，CasAuthenticationProvider，JaasAuthenticationProvider，RememberMeAuthenticationProvider，RemoteAuthenticationProvider，RunAsImplAuthenticationProvider，TestingAuthenticationProvider，X509AuthenticationProvider。

3，授权体系
3.1授权管理器
授权体系的核心为授权管理器(AccessDecisionManager)，它的方法decide(Authentication authentication, Object object, ConfigAttributeDefinition config)进行具体的授权动作。

代码

public interface AccessDecisionManager {
public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
throws AccessDeniedException, InsufficientAuthenticationException;
public boolean supports(ConfigAttribute attribute);
public boolean supports(Class clazz);
}
public abstract class AbstractAccessDecisionManager implements AccessDecisionManager, InitializingBean,
MessageSourceAware {
private List decisionVoters;
protected MessageSourceAccessor messages = AcegiMessageSource.getAccessor();
private boolean allowIfAllAbstainDecisions = false ;
public boolean supports(ConfigAttribute attribute) {
Iterator iter = this .decisionVoters.iterator();
while (iter.hasNext()) {
AccessDecisionVoter voter = (AccessDecisionVoter) iter.next();
if (voter.supports(attribute)) {
return true ;
}
}
return false ;
}
public boolean supports(Class clazz) {
Iterator iter = this .decisionVoters.iterator();
while (iter.hasNext()) {
AccessDecisionVoter voter = (AccessDecisionVoter) iter.next();
if (!voter.supports(clazz)) {
return false ;
}
}
return true ;
}
..............
}
public class AffirmativeBased extends AbstractAccessDecisionManager {
public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
throws AccessDeniedException {
Iterator iter = this .getDecisionVoters().iterator();
int deny = 0 ;
while (iter.hasNext()) {
AccessDecisionVoter voter = (AccessDecisionVoter) iter.next();
int result = voter.vote(authentication, object, config);
switch (result) {
case AccessDecisionVoter.ACCESS_GRANTED:
return ;
case AccessDecisionVoter.ACCESS_DENIED:
deny++;
break ;
default :
break ;
}
}
if (deny > 0 ) {
throw new AccessDeniedException(messages.getMessage( "AbstractAccessDecisionManager.accessDenied" ,
"Access is denied" ));
}
// To get this far, every AccessDecisionVoter abstained
checkAllowIfAllAbstainDecisions();
}
..............
}
public class ConsensusBased extends AbstractAccessDecisionManager {
public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
throws AccessDeniedException {
Iterator iter = this .getDecisionVoters().iterator();
int grant = 0 ;
int deny = 0 ;
int abstain = 0 ;
while (iter.hasNext()) {
AccessDecisionVoter voter = (AccessDecisionVoter) iter.next();
int result = voter.vote(authentication, object, config);
switch (result) {
case AccessDecisionVoter.ACCESS_GRANTED:
grant++;
break ;
case AccessDecisionVoter.ACCESS_DENIED:
deny++;
break ;
default :
abstain++;
break ;
}
}
if (grant > deny) {
return ;
}
if (deny > grant) {
throw new AccessDeniedException(messages.getMessage( "AbstractAccessDecisionManager.accessDenied" ,
"Access is denied" ));
}
if ((grant == deny) && (grant != 0 )) {
if ( this .allowIfEqualGrantedDeniedDecisions) {
return ;
} else {
throw new AccessDeniedException(messages.getMessage( "AbstractAccessDecisionManager.accessDenied" ,
"Access is denied" ));
}
}
// To get this far, every AccessDecisionVoter abstained
checkAllowIfAllAbstainDecisions();
}
..............
}
public class UnanimousBased extends AbstractAccessDecisionManager {
public void decide(Authentication authentication, Object object, ConfigAttributeDefinition config)
throws AccessDeniedException {
int grant = 0 ;
int abstain = 0 ;
Iterator configIter = config.getConfigAttributes();
while (configIter.hasNext()) {
ConfigAttributeDefinition thisDef = new ConfigAttributeDefinition();
thisDef.addConfigAttribute((ConfigAttribute) configIter.next());
Iterator voters = this .getDecisionVoters().iterator();
while (voters.hasNext()) {
AccessDecisionVoter voter = (AccessDecisionVoter) voters.next();
int result = voter.vote(authentication, object, thisDef);
switch (result) {
case AccessDecisionVoter.ACCESS_GRANTED:
grant++;
break ;
case AccessDecisionVoter.ACCESS_DENIED:
throw new AccessDeniedException(messages.getMessage( "AbstractAccessDecisionManager.accessDenied" ,
"Access is denied" ));
default :
abstain++;
break ;
}
}
}
// To get this far, there were no deny votes
if (grant > 0 ) {
return ;
}
// To get this far, every AccessDecisionVoter abstained
checkAllowIfAllAbstainDecisions();
}
..............
}

授权管理器AccessDecisionManager默认有三个实现，具体为AffirmativeBased，ConsensusBased，UnanimousBased。三个具体实现都大同小异，主要在具有角色是否应该授权上。
而具体能否单个角色是否授权，是委派给AccessDecisionVoter去做的。

3.2授权投票者
授权投票责的核心是接口AccessDecisionVoter。他有几个具体实现类：BasicAclEntryVoter，AuthenticatedVoter，RoleVoter。

代码

public interface AccessDecisionVoter {
public static final int ACCESS_GRANTED = 1 ;
public static final int ACCESS_ABSTAIN = 0 ;
public static final int ACCESS_DENIED = - 1 ;
public boolean supports(ConfigAttribute attribute);
public boolean supports(Class clazz);
public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config);
}
public abstract class AbstractAclVoter implements AccessDecisionVoter {
public boolean supports(Class clazz) {
if (MethodInvocation. class .isAssignableFrom(clazz)) {
return true ;
} else if (JoinPoint. class .isAssignableFrom(clazz)) {
return true ;
} else {
return false ;
}
}
............
}
public class BasicAclEntryVoter extends AbstractAclVoter implements InitializingBean {
private AclManager aclManager;
private String internalMethod;
private String processConfigAttribute;
private int [] requirePermission;
public boolean supports(ConfigAttribute attribute) {
if ((attribute.getAttribute() != null ) && attribute.getAttribute().startsWith(getProcessConfigAttribute())) {
return true ;
} else {
return false ;
}
}
public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
Iterator iter = config.getConfigAttributes();
while (iter.hasNext()) {
ConfigAttribute attr = (ConfigAttribute) iter.next();
if ( this .supports(attr)) {
// Need to make an access decision on this invocation
// Attempt to locate the domain object instance to process
Object domainObject = getDomainObjectInstance(object);
// If domain object is null, vote to abstain
if (domainObject == null ) {
if (logger.isDebugEnabled()) {
logger.debug( "Voting to abstain - domainObject is null" );
}
return AccessDecisionVoter.ACCESS_ABSTAIN;
}
// Evaluate if we are required to use an inner domain object
if ((internalMethod != null ) && ! "" .equals(internalMethod)) {
try {
Class clazz = domainObject.getClass();
Method method = clazz.getMethod(internalMethod, new Class[] {});
domainObject = method.invoke(domainObject, new Object[] {});
} catch (NoSuchMethodException nsme) {
throw new AuthorizationServiceException( "Object of class '" + domainObject.getClass()
+ "' does not provide the requested internalMethod: " + internalMethod);
} catch (IllegalAccessException iae) {
if (logger.isDebugEnabled()) {
logger.debug( "IllegalAccessException" , iae);
if (iae.getCause() != null ) {
logger.debug( "Cause: " + iae.getCause().getMessage(), iae.getCause());
}
}
throw new AuthorizationServiceException( "Problem invoking internalMethod: " + internalMethod
+ " for object: " + domainObject);
} catch (InvocationTargetException ite) {
if (logger.isDebugEnabled()) {
logger.debug( "InvocationTargetException" , ite);
if (ite.getCause() != null ) {
logger.debug( "Cause: " + ite.getCause().getMessage(), ite.getCause());
}
}
throw new AuthorizationServiceException( "Problem invoking internalMethod: " + internalMethod
+ " for object: " + domainObject);
}
}
// Obtain the ACLs applicable to the domain object
AclEntry[] acls = aclManager.getAcls(domainObject, authentication);
// If principal has no permissions for domain object, deny
if ((acls == null ) || (acls.length == 0 )) {
if (logger.isDebugEnabled()) {
logger.debug( "Voting to deny access - no ACLs returned for this principal" );
}
return AccessDecisionVoter.ACCESS_DENIED;
}
// Principal has some permissions for domain object, check them
for ( int i = 0 ; i < acls.length; i++) {
// Locate processable AclEntrys
if (acls[i] instanceof BasicAclEntry) {
BasicAclEntry processableAcl = (BasicAclEntry) acls[i];
// See if principal has any of the required permissions
for ( int y = 0 ; y < requirePermission.length; y++) {
if (processableAcl.isPermitted(requirePermission[y])) {
if (logger.isDebugEnabled()) {
logger.debug( "Voting to grant access" );
}
return AccessDecisionVoter.ACCESS_GRANTED;
}
}
}
}
// No permissions match
if (logger.isDebugEnabled()) {
logger.debug(
"Voting to deny access - ACLs returned, but insufficient permissions for this principal" );
}
return AccessDecisionVoter.ACCESS_DENIED;
}
}
return AccessDecisionVoter.ACCESS_ABSTAIN;
}
...............
}
public class AuthenticatedVoter implements AccessDecisionVoter {
public static final String IS_AUTHENTICATED_FULLY = "IS_AUTHENTICATED_FULLY" ;
public static final String IS_AUTHENTICATED_REMEMBERED = "IS_AUTHENTICATED_REMEMBERED" ;
public static final String IS_AUTHENTICATED_ANONYMOUSLY = "IS_AUTHENTICATED_ANONYMOUSLY" ;
private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
private boolean isFullyAuthenticated(Authentication authentication) {
return (!authenticationTrustResolver.isAnonymous(authentication)
&& !authenticationTrustResolver.isRememberMe(authentication));
}
public void setAuthenticationTrustResolver(AuthenticationTrustResolver authenticationTrustResolver) {
Assert.notNull(authenticationTrustResolver, "AuthenticationTrustResolver cannot be set to null" );
this .authenticationTrustResolver = authenticationTrustResolver;
}
public boolean supports(ConfigAttribute attribute) {
if ((attribute.getAttribute() != null )
&& (IS_AUTHENTICATED_FULLY.equals(attribute.getAttribute())
|| IS_AUTHENTICATED_REMEMBERED.equals(attribute.getAttribute())
|| IS_AUTHENTICATED_ANONYMOUSLY.equals(attribute.getAttribute()))) {
return true ;
} else {
return false ;
}
}
public boolean supports(Class clazz) {
return true ;
}
public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
int result = ACCESS_ABSTAIN;
Iterator iter = config.getConfigAttributes();
while (iter.hasNext()) {
ConfigAttribute attribute = (ConfigAttribute) iter.next();
if ( this .supports(attribute)) {
result = ACCESS_DENIED;
if (IS_AUTHENTICATED_FULLY.equals(attribute.getAttribute())) {
if (isFullyAuthenticated(authentication)) {
return ACCESS_GRANTED;
}
}
if (IS_AUTHENTICATED_REMEMBERED.equals(attribute.getAttribute())) {
if (authenticationTrustResolver.isRememberMe(authentication)
|| isFullyAuthenticated(authentication)) {
return ACCESS_GRANTED;
}
}
if (IS_AUTHENTICATED_ANONYMOUSLY.equals(attribute.getAttribute())) {
if (authenticationTrustResolver.isAnonymous(authentication) || isFullyAuthenticated(authentication)
|| authenticationTrustResolver.isRememberMe(authentication)) {
return ACCESS_GRANTED;
}
}
}
}
return result;
}
}
public class RoleVoter implements AccessDecisionVoter {
private String rolePrefix = "ROLE_" ;
public boolean supports(ConfigAttribute attribute) {
if ((attribute.getAttribute() != null ) && attribute.getAttribute().startsWith(getRolePrefix())) {
return true ;
} else {
return false ;
}
}
public boolean supports(Class clazz) {
return true ;
}
public int vote(Authentication authentication, Object object, ConfigAttributeDefinition config) {
int result = ACCESS_ABSTAIN;
Iterator iter = config.getConfigAttributes();
while (iter.hasNext()) {
ConfigAttribute attribute = (ConfigAttribute) iter.next();
if ( this .supports(attribute)) {
result = ACCESS_DENIED;
for ( int i = 0 ; i < authentication.getAuthorities().length; i++) {
if (attribute.getAttribute().equals(authentication.getAuthorities()[i].getAuthority())) {
return ACCESS_GRANTED;
}
}
}
}
return result;
}
}

这三个授权投票实现类中 acl 又最复杂。他会委托给acl管理器(AclManager)来做具体的授权工作。

3.3acl授权体系
AclManager只有一个实现类AclProviderManager ,负责提供acl授权实体。

代码

public interface AclManager {
public AclEntry[] getAcls(Object domainInstance);
public AclEntry[] getAcls(Object domainInstance, Authentication authentication);
}
public class AclProviderManager implements AclManager, InitializingBean {
public AclEntry[] getAcls(Object domainInstance) {
Assert.notNull(domainInstance, "domainInstance is null - violating interface contract" );
Iterator iter = providers.iterator();
while (iter.hasNext()) {
AclProvider provider = (AclProvider) iter.next();
if (provider.supports(domainInstance)) {
if (logger.isDebugEnabled()) {
logger.debug( "ACL lookup using " + provider.getClass().getName());
}
return provider.getAcls(domainInstance);
}
}
if (logger.isDebugEnabled()) {
logger.debug( "No AclProvider found for " + domainInstance.toString());
}
return null ;
}
public AclEntry[] getAcls(Object domainInstance, Authentication authentication) {
Assert.notNull(domainInstance, "domainInstance is null - violating interface contract" );
Assert.notNull(authentication, "authentication is null - violating interface contract" );
Iterator iter = providers.iterator();
while (iter.hasNext()) {
AclProvider provider = (AclProvider) iter.next();
if (provider.supports(domainInstance)) {
if (logger.isDebugEnabled()) {
logger.debug( "ACL lookup using " + provider.getClass().getName());
}
return provider.getAcls(domainInstance, authentication);
} else {
if (logger.isDebugEnabled()) {
logger.debug( "Provider " + provider.toString() + " does not support " + domainInstance);
}
}
}
if (logger.isDebugEnabled()) {
logger.debug( "No AclProvider found for " + domainInstance.toString());
}
return null ;
}
.........
}

posted on 2006-12-28 23:52 OMG 阅读(1317) 评论(0) 编辑收藏所属分类: Auth/acegi

常用链接

留言簿(1)

随笔分类

随笔档案

IT风云人物

文档

朋友

相册

经典网站

搜索

最新评论

阅读排行榜

评论排行榜


只有注册用户登录后才能发表评论。




网站导航: 博客园 IT新闻知识库 C++博客博问管理
相关文章: 学习acegi-security JAAS 与 ACL Spring安全系统：Acegi Security- - [Acegi]acegi-security-sample-contacts-filter例子学习