
I. Authorization process

Spring Security provides authorization protection for Web requests through http.authorizeRequests(). It uses standard servlet Filters to intercept Web requests and, at the end of the chain, decides whether access to the requested resource is authorized.

The authorization process for Spring Security is as follows:

Analyze the authorization process:

  1. Intercept the request. An authenticated user's access to a protected Web resource is intercepted by FilterSecurityInterceptor, a filter in the Spring Security filter chain.

  2. Get the resource access policy. FilterSecurityInterceptor obtains the permissions required to access the resource, a Collection<ConfigAttribute>, from DefaultFilterInvocationSecurityMetadataSource, a subclass of SecurityMetadataSource.

SecurityMetadataSource is the abstraction through which the access policy is read; the policy itself is whatever was configured, for example:

```java
http
    .authorizeRequests()
        .antMatchers("/r/r1").hasAuthority("p1")
        .antMatchers("/r/r2").hasAuthority("p2")
        ...
```
  3. FilterSecurityInterceptor calls AccessDecisionManager to make the authorization decision. If the decision passes, access to the resource is allowed; otherwise access is denied.

1.1 AccessDecisionManager

AccessDecisionManager interface definition:

```java
public interface AccessDecisionManager {
    // Decides whether var1 (the Authentication) may access var2 (the secured
    // object) given var3 (the ConfigAttributes that apply to it).
    void decide(Authentication var1, Object var2, Collection<ConfigAttribute> var3)
            throws AccessDeniedException, InsufficientAuthenticationException;

    boolean supports(ConfigAttribute var1);

    boolean supports(Class<?> var1);
}
```

The decide() method is the core of AccessDecisionManager; it determines whether the current user may access the corresponding protected resource. Its parameters are:

var1: the Authentication of the principal accessing the resource.

var2: the protected object being accessed; for a Web request this is a FilterInvocation.

var3: the access policy (the ConfigAttributes) for the protected resource, obtained via SecurityMetadataSource.

1.2 Authorization Decision

AccessDecisionManager determines whether a protected resource may be accessed by taking a vote. As the figure above shows, an AccessDecisionManager contains a series of AccessDecisionVoters, each of which votes on whether the Authentication may access the protected object; the AccessDecisionManager makes the final decision based on the voting results.

The AccessDecisionVoter interface is defined as follows:

```java
public interface AccessDecisionVoter<S> {
    int ACCESS_GRANTED = 1;
    int ACCESS_ABSTAIN = 0;
    int ACCESS_DENIED = -1;

    boolean supports(ConfigAttribute var1);

    boolean supports(Class<?> var1);

    // Votes on whether var1 (the Authentication) may access var2 (the secured
    // object of type S) given var3 (its ConfigAttributes).
    int vote(Authentication var1, S var2, Collection<ConfigAttribute> var3);
}
```

The return value of vote() is one of the three constants defined in AccessDecisionVoter: ACCESS_GRANTED (grant), ACCESS_DENIED (deny) and ACCESS_ABSTAIN (abstain). If an AccessDecisionVoter cannot determine whether the current Authentication may access the protected object, vote() returns ACCESS_ABSTAIN.

Spring Security has three built-in vote-based implementations of AccessDecisionManager: AffirmativeBased, ConsensusBased and UnanimousBased. AffirmativeBased is used by default.

1. AffirmativeBased:

① As long as any AccessDecisionVoter votes ACCESS_GRANTED, the user is allowed access.

② If all voters abstain, access is granted.

③ If nobody votes yes but somebody votes no, an AccessDeniedException is thrown.

2. ConsensusBased:

① If there are more affirmative votes than negative votes, access is granted.

② If there are more negative votes than affirmative votes, an AccessDeniedException is thrown.

③ If the numbers of affirmative and negative votes are equal and not zero, the result depends on the attribute allowIfEqualGrantedDeniedDecisions: true grants access, otherwise an AccessDeniedException is thrown. allowIfEqualGrantedDeniedDecisions defaults to true.

④ If all AccessDecisionVoters abstain, the result depends on the parameter allowIfAllAbstainDecisions: true grants access, otherwise an AccessDeniedException is thrown. allowIfAllAbstainDecisions defaults to false.

3. UnanimousBased:

UnanimousBased differs somewhat from the other two implementations. AffirmativeBased and ConsensusBased pass all the configuration attributes of a protected object to each AccessDecisionVoter at once, whereas UnanimousBased passes only one ConfigAttribute at a time to each AccessDecisionVoter. This means that an AccessDecisionVoter whose logic is to vote yes as long as any one of the ConfigAttributes passed in matches will not necessarily vote yes under UnanimousBased. In detail, UnanimousBased works as follows:

① If any ConfigAttribute configured on the protected object is rejected by any AccessDecisionVoter, an AccessDeniedException is thrown.

② If there are no negative votes but at least one affirmative vote, access is granted.

③ If all voters abstain, the result depends on the parameter allowIfAllAbstainDecisions: true grants access, false throws an AccessDeniedException.
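As an added example (not Spring Security's own code), the following Python models the three tallying strategies described above with two toy voters, so that the same request can be fed to each manager: the any-match voter grants when the principal holds any listed authority, the all-match voter only when it holds all of them. The all-abstain fallback is modelled as the allowIfAllAbstainDecisions flag on every manager, which is where Spring's AbstractAccessDecisionManager keeps it (default false).

```python
ACCESS_GRANTED, ACCESS_ABSTAIN, ACCESS_DENIED = 1, 0, -1  # AccessDecisionVoter constants

def any_match_voter(authorities, attributes):
    # Toy voter for "p..." attributes: GRANTED if the principal holds ANY of them.
    supported = [a for a in attributes if a.startswith("p")]
    if not supported:
        return ACCESS_ABSTAIN  # nothing it understands, e.g. ROLE_ attributes
    return ACCESS_GRANTED if any(a in authorities for a in supported) else ACCESS_DENIED

def all_match_voter(authorities, attributes):
    # Stricter toy voter: GRANTED only if the principal holds ALL supported attributes.
    supported = [a for a in attributes if a.startswith("p")]
    if not supported:
        return ACCESS_ABSTAIN
    return ACCESS_GRANTED if all(a in authorities for a in supported) else ACCESS_DENIED

def affirmative_based(voters, authorities, attributes, allow_if_all_abstain=False):
    # Rules 1-3: one GRANTED wins; a DENIED without any GRANTED loses;
    # all-abstain falls back to allowIfAllAbstainDecisions (Spring default: false).
    votes = [v(authorities, attributes) for v in voters]  # all attributes at once
    if ACCESS_GRANTED in votes:
        return True
    if ACCESS_DENIED in votes:
        return False
    return allow_if_all_abstain

def consensus_based(voters, authorities, attributes,
                    allow_if_equal=True, allow_if_all_abstain=False):
    # Rules 1-4: the majority decides; a non-zero tie is settled by
    # allowIfEqualGrantedDeniedDecisions, an all-abstain by allowIfAllAbstainDecisions.
    votes = [v(authorities, attributes) for v in voters]
    granted, denied = votes.count(ACCESS_GRANTED), votes.count(ACCESS_DENIED)
    if granted != denied:
        return granted > denied
    return allow_if_equal if granted else allow_if_all_abstain

def unanimous_based(voters, authorities, attributes, allow_if_all_abstain=False):
    # Rules 1-3, but each ConfigAttribute is put to the voters separately,
    # so one DENIED on any single attribute rejects the whole request.
    granted = 0
    for attr in attributes:
        for v in voters:
            vote = v(authorities, [attr])
            if vote == ACCESS_DENIED:
                return False
            if vote == ACCESS_GRANTED:
                granted += 1
    return granted > 0 or allow_if_all_abstain

# Constructed sample voter list: principal {"p1"} with attributes ["p1", "p2"] is
# granted by AffirmativeBased and ConsensusBased but denied by UnanimousBased.
VOTERS = [any_match_voter, all_match_voter]
```

Note that under UnanimousBased the any-match voter is asked about "p2" on its own and denies it, which is exactly why a voter that is lenient under the other two managers becomes strict here.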

Spring Security also has built-in voter implementation classes such as RoleVoter, AuthenticatedVoter, and WebExpressionVoter.