1. Introduction
Welcome to the Spring Security hands-on series. So far we have covered configuration-based and annotation-based role access control, which is enough for small projects. However, if an operations manager is expected to configure and assign permissions dynamically, neither of those two methods meets the requirement. Let's work through the idea together.
2. Dynamic permission control also relies on the RBAC model
We should still build dynamic permission control on top of RBAC or one of its variants. Everything that is accessed, whether an API or a static resource, is associated with roles; collectively we call these resources. We need to build the relationship between roles and resources.
2.1 Resource Mapping to Roles
Here is a resource-to-role mapping diagram:
The model is roughly as shown above: each resource corresponds to a set of roles (a Set<Role>) with no duplicates. Note that Role 1 points to both Resource 1 and Resource 2; that is fine, since access to the same resource may be spread across multiple roles, or roles may be mutually exclusive, depending on your business. We chose to map resources to roles because, at request time, the resource is unique while the roles can be many; parsing is less efficient the other way around.
3. The request authorization flow
There are many ways to do this, but the general idea is that a request must carry two things (the minimum needed to reach an access decision):
- URI. Resources are located by URI, and we match the URI against the resource entries. Ant-style matching is best, because /user/1 and /user/2 may access the same resource interface. If you want to avoid this situation, either ban this URL style in the development specification, which has the advantage that the configurator does not have to be familiar with Ant style, or the configuration staff must master Ant style.
- Principal. In Spring Security this is the Authentication principal, which, as I mentioned earlier, is a tricky concept. There are two kinds of user identities in Spring Security: the authenticated user and the anonymous user; both carry roles. Extract the roles into a role set for matching.
Then I drew the following diagram to show the flow more clearly:
4. How to integrate the security framework
Although this article is part of the Spring Security series, the same ideas apply if you use another security framework or develop your own. Put in programming terms, we need two interfaces working together:
- The interface that obtains the resource-to-role metadata is the cornerstone of dynamic permission control; only by exposing the mapping between roles and resources through an interface can permissions be controlled dynamically. There is no single standard; design it according to your business.
- The interface that parses the request and matches it against the extracted metadata is the final logical implementation of our dynamic permission control. There is no single rule here either.
With these two points in mind, it becomes clear that we can implement a Filter that performs both functions and inject it at the appropriate position in the security framework's filter chain. You can either build your own or reuse an existing one. So are there ready-made implementations? I generally recommend checking whether the security framework you chose already provides one before building your own; when one exists and fits your needs, it is usually far more effective. If none exists, build one!
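The following is an added example that is not code from the original article: it puts the resource-to-role model of section 2.1, the URI and principal extraction of section 3, and the single Filter of section 4 into one class. It assumes Spring Security 6 with the Jakarta Servlet API; the interface name ResourceRoleMetadataSource, the in-memory table, the URI patterns and the role names are all constructed for illustration. The decision logic is kept apart from the servlet plumbing so it can be unit tested.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

public class DynamicRbacExample {

    /** Interface 1 (hypothetical name): resource -> role metadata, keyed by an Ant-style URI pattern. */
    public interface ResourceRoleMetadataSource {
        Map<String, Set<String>> loadResourceRoles();
    }

    /** Constructed in-memory metadata; a real system would load this from a database and refresh it. */
    public static class InMemoryResourceRoleMetadataSource implements ResourceRoleMetadataSource {
        private final Map<String, Set<String>> table = new LinkedHashMap<>();

        public InMemoryResourceRoleMetadataSource() {
            // ROLE_USER is granted on two resources; the first resource is shared by two roles.
            table.put("/user/**", Set.of("ROLE_USER", "ROLE_ADMIN"));
            table.put("/user/*/orders", Set.of("ROLE_USER"));
            table.put("/admin/**", Set.of("ROLE_ADMIN"));
        }

        @Override
        public Map<String, Set<String>> loadResourceRoles() {
            return Collections.unmodifiableMap(table);
        }
    }

    /** Interface 2: resolve the request URI to one resource, then match it against the principal's roles. */
    public static class DynamicAuthorizationFilter extends OncePerRequestFilter {
        private final AntPathMatcher matcher = new AntPathMatcher();
        private final ResourceRoleMetadataSource metadataSource;

        public DynamicAuthorizationFilter(ResourceRoleMetadataSource metadataSource) {
            this.metadataSource = metadataSource;
        }

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            if (isAllowed(request.getRequestURI(), rolesOf(auth))) {
                chain.doFilter(request, response);
            } else {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
            }
        }

        /** Both the authenticated and the anonymous principal carry authorities; a missing context carries none. */
        static Set<String> rolesOf(Authentication auth) {
            Set<String> roles = new HashSet<>();
            if (auth != null) {
                for (GrantedAuthority ga : auth.getAuthorities()) {
                    roles.add(ga.getAuthority());
                }
            }
            return roles;
        }

        /** Pure decision: allowed when the resolved resource's role set intersects the principal's roles. */
        boolean isAllowed(String uri, Set<String> roles) {
            Optional<String> resource = resolveResource(uri);
            if (resource.isEmpty()) {
                return false; // design choice in this example: a URI with no mapping is denied (default deny)
            }
            Set<String> required = metadataSource.loadResourceRoles().get(resource.get());
            return required.stream().anyMatch(roles::contains);
        }

        /** Several patterns may match one URI; pick the most specific so /user/1/orders is not swallowed by /user/**. */
        Optional<String> resolveResource(String uri) {
            Comparator<String> mostSpecificFirst = matcher.getPatternComparator(uri);
            return metadataSource.loadResourceRoles().keySet().stream()
                    .filter(pattern -> matcher.match(pattern, uri))
                    .min(mostSpecificFirst);
        }
    }
}
```

To put the filter at the position section 4 describes, register it in the SecurityFilterChain before Spring Security's own AuthorizationFilter (for example with http.addFilterBefore(new DynamicAuthorizationFilter(source), AuthorizationFilter.class)), so that the Authentication has already been populated when it runs. Because resolveResource chooses the most specific matching pattern, a request to /user/1/orders is decided by the /user/*/orders entry (ROLE_USER only), while /user/1 falls under /user/** (ROLE_USER or ROLE_ADMIN); an anonymous principal, which carries only ROLE_ANONYMOUS, is refused on every entry in the constructed table.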
5. To summarize
This article mainly clarifies the key points needed for dynamic permissions and analyzes the request authorization flow, and finally offers some personal opinions on combining this with security framework customization. Most of the implementation is also written, but it is split into two parts: theory and implementation together would be too long, so the theory comes first and the practice follows in the next part.
Follow our public account: Felordcn for more information
Personal blog: https://felord.cn