三?Acegi安全系統擴展?

????? 相信side對Acegi的擴展會給你耳目一新的感覺,提供完整的擴展功能,管理界面,中文注釋和靠近企業的安全策略。side只對Acegi不符合企業應用需要的功能進行擴展,盡量不改動其余部分來實現全套權限管理功能,以求能更好地適應Acegi升級。

3.1 基于角色的權限控制(RBAC)

??? Acegi 自帶的 sample 表設計很簡單: users表{username,password,enabled} authorities表{username,authority},這樣簡單的設計無法適應復雜的權限需求,故SpringSide選用RBAC模型對權限控制數據庫表進行擴展。?RBAC引入了ROLE的概念,使User(用戶)和Permission(權限)分離,一個用戶擁有多個角色,一個角色擁有有多個相應的權限,從而減少了權限管理的復雜度,可更靈活地支持安全策略。

??? 同時,我們也引入了resource(資源)的概念,一個資源對應多個權限，資源分為ACL,URL,和FUNTION三種。注意，URL和FUNTION的權限命名需要以AUTH_開頭才會有資格參加投票, 同樣的ACL權限命名需要ACL_開頭。

3.2?管理和使用EhCache

3.2.1 設立緩存

在SpringSide里的 Acegi 擴展使用 EhCache?就作為一種緩存解決方案,以緩存用戶和資源的信息和相對應的權限信息。

首先需要一個在classpath的ehcache.xml 文件，用于配置EhCache。

				
						
								<ehcache>

						
				
				
						
								???
						
				
				
						
								??? <defaultCache
??????????? maxElementsInMemory="10000"
??????????? eternal="false"
??????????? overflowToDisk="true"
??????????? timeToIdleSeconds="0"
??????????? timeToLiveSeconds="0"
??????????? diskPersistent="false"
 ???????????diskExpiryThreadIntervalSeconds= "120"/> 
??? <!-- acegi cache-->
??? <cache name="userCache"
?????????? maxElementsInMemory="10000"
?????????? eternal="true"
 ??????????overflowToDisk= "true"/>
??? <!-- acegi cache-->   
??? <cache name="resourceCache"
?????????? maxElementsInMemory="10000"
?????????? eternal="true"
?????????? overflowToDisk="true"/>
</ehcache>
						
				
		

???? maxElementsInMemory設定了允許在Cache中存放的數據數目，eternal設定Cache是否會過期，overflowToDisk設定內存不足的時候緩存到硬盤，timeToIdleSeconds和timeToLiveSeconds設定緩存游離時間和生存時間，diskExpiryThreadIntervalSeconds設定緩存在硬盤上的生存時間，注意當eternal="true"時，timeToIdleSeconds，timeToLiveSeconds和diskExpiryThreadIntervalSeconds都是無效的。

<defaultCache>是除制定的Cache外其余所有Cache的設置，針對Acegi 的情況, 專門設置了userCache和resourceCache，都設為永不過期。在applicationContext-acegi-security.xml中相應的調用是

				
				
				<bean id="userCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
??????? <property name="cacheManager" ref="cacheManager"/>
??????? <property name="cacheName" value="  userCache"/>
??? </bean>
??? <bean id="userCache" class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache" autowire="byName">
??????? <property name="cache" ref="userCacheBackend"/>
??? </bean>
??? <bean id="resourceCacheBackend" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
??????? <property name="cacheManager" ref="cacheManager"/>
??????? <property name="cacheName" value="  resourceCache"/>
??? </bean>
??? <bean id="resourceCache" class="org.springside.modules.security.service.acegi.cache.ResourceCache" autowire="byName">
??????? <property name="cache" ref="resourceCacheBackend"/>
??? </bean>
<bean id="cacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/>

		

"cacheName" 就是設定在ehcache.xml 中相應Cache的名稱。

userCache使用的是Acegi 的EhCacheBasedUserCache(實現了UserCache接口), resourceCache是SpringSide的擴展類

				public interface UserCache   {
				
						
??? public UserDetails getUserFromCache   (String username);
				
						
??? public void putUserInCache   (UserDetails user);
				
						
??? public void removeUserFromCache   (String username);
}
		

				public class ResourceCache   {

				??? public ResourceDetails getAuthorityFromCache   (String resString) {...
				?? }

				??? public void putAuthorityInCache   (ResourceDetails resourceDetails) {...? }
?
				?? public void removeAuthorityFromCache   (String resString) {... }

				??? public List getUrlResStrings() {... }

				??? public List getFunctions() {.. }
				
						
}
				
				
		

UserCache 就是通過EhCache對UserDetails 進行緩存管理, 而ResourceCache 是對ResourceDetails 類進行緩存管理

				public interface UserDetails   extends Serializable {

				??? public boolean isAccountNonExpired();
				
						
??? public boolean isAccountNonLocked();
				
						
??? public GrantedAuthority[] getAuthorities();
				
						
??? public boolean isCredentialsNonExpired();
				
						
??? public boolean isEnabled();
				
						
??? public String getPassword();
				
						
??? public String getUsername();
}
		

				public interface ResourceDetails   extends Serializable {
				
						
??? public String getResString();
				
						
??? public String getResType();
				
						
??? public GrantedAuthority[] getAuthorities();

				}
		

UserDetails 包含用戶信息和相應的權限，ResourceDetails 包含資源信息和相應的權限。

				public interface GrantedAuthority     {
??? public String getAuthority   ();
}
		

???? GrantedAuthority 就是權限信息，在Acegi 的 sample 里GrantedAuthority 的信息如ROLE_USER, ROLE_SUPERVISOR, ACL_CONTACT_DELETE, ACL_CONTACT_ADMIN等等，網上也有很多例子把角色作為GrantedAuthority ，但事實上看看ACL 就知道， Acegi本身根本就沒有角色這個概念，GrantedAuthority 包含的信息應該是權限，對于非ACL的權限用 AUTH_ 開頭更為合理, 如SpringSide里的 AUTH_ADMIN_LOGIN, AUTH_BOOK_MANAGE 等等。

3.2.2 管理緩存

???? 使用AcegiCacheManager對userCache和resourceCache進行統一緩存管理。當在后臺對用戶信息進行修改或賦權的時候, 在更新數據庫同時就會調用acegiCacheManager相應方法, 從數據庫中讀取數據并替換cache中相應部分,使cache與數據庫同步。

				public class AcegiCacheManager extends BaseService {

				??? private ResourceCache resourceCache   ;

				??? private UserCache userCache   ;
				
						

						??? /**
???? * 修改User時更改userCache  
???? */
						
??? public void modifyUserInCache   (User user, String orgUsername) {...??? }
??? /**
???? * 修改Resource時更改resourceCache  
???? */
??? public void modifyResourceInCache   (Resource resource, String orgResourcename) {...??? }
??? /**
???? *   修改權限時同時修改userCache和resourceCache
???? */
??? public void modifyPermiInCache   (Permission permi, String orgPerminame) {...? }
??? /**
???? * User授予角色時更改userCache
???? */
??? public void authRoleInCache   (User user) {...??? }
??? /**
???? * Role授予權限時更改userCache和resourceCache  
???? */
??? public void authPermissionInCache   (Role role) {...? }
??? /**
???? * Permissioni授予資源時更改resourceCache  
???? */
??? public void authResourceInCache   (Permission permi) {...? }
??? /**
???? *   初始化userCache
???? */
??? public void initUserCache   () {...? }
??? /**
???? *   初始化resourceCache
???? */
??? public void initResourceCache   () {... }
??? /**
???? *  獲取所有的url資源
???? */
??? public List getUrlResStrings   () {... ?}
??? /**
???? * 獲取所有的Funtion資源  
???? */
??? public List getFunctions   () {...? }
??? /**
???? * 根據資源串獲取資源  
???? */
??? public ResourceDetails getAuthorityFromCache   (String resString) {...? }
  ??
?......


}
		

?

3.3 資源權限定義擴展

???? Acegi給出的sample里,資源權限對照關系是配置在xml中的,試想一下如果你的企業安全應用有500個用戶,100個角色權限的時候,維護這個xml將是個繁重無比的工作,如何動態更改用戶權限更是個頭痛的問題。

?? <bean id="contactManagerSecurity" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
????? <property name="authenticationManager"><ref bean="authenticationManager"/></property>
????? <property name="accessDecisionManager"><ref local="businessAccessDecisionManager"/></property>
????? <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
????? <property name="objectDefinitionSource">
???????? <value>
??????????? sample.contact.ContactManager.create=ROLE_USER
??????????? sample.contact.ContactManager.getAllRecipients=ROLE_USER
??????????? sample.contact.ContactManager.getAll=ROLE_USER,AFTER_ACL_COLLECTION_READ
??????????? sample.contact.ContactManager.getById=ROLE_USER,AFTER_ACL_READ
??????????? sample.contact.ContactManager.delete=ACL_CONTACT_DELETE
??????????? sample.contact.ContactManager.deletePermission=ACL_CONTACT_ADMIN
??????????? sample.contact.ContactManager.addPermission=ACL_CONTACT_ADMIN
???????? </value>
????? </property>
?? </bean>

??<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
????? <property name="authenticationManager"><ref bean="authenticationManager"/></property>
????? <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
????? <property name="objectDefinitionSource">
???????? <value>
?????? CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
?????? PATTERN_TYPE_APACHE_ANT
?????? /index.jsp=ROLE_ANONYMOUS,ROLE_USER
?????? /hello.htm=ROLE_ANONYMOUS,ROLE_USER
?????? /logoff.jsp=ROLE_ANONYMOUS,ROLE_USER
?????? /switchuser.jsp=ROLE_SUPERVISOR
?????? /j_acegi_switch_user=ROLE_SUPERVISOR
?????? /acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_USER
????   /**=ROLE_USER
???????? </value>
????? </property>
?? </bean>

?對如此不Pragmatic的做法,SpringSide進行了擴展, 讓Acegi 能動態讀取數據庫中的權限資源關系。

3.3.1 Aop Invocation Authorization

??? <bean id="methodSecurityInterceptor" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
??????? <property name="authenticationManager" ref="authenticationManager"/>
??????? <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
??????? <property name="objectDefinitionSource" ref="methodDefinitionSource"/>
??? </bean>
??? <bean id="methodDefinitionSource" class="org.springside.security.service.acegi.DBMethodDefinitionSource">
??????? <property name="acegiCacheManager" ref="acegiCacheManager"/>
??? </bean>

???? 研究下Aceig的源碼,ObjectDefinitionSource的實際作用是返回一個ConfigAttributeDefinition對象，而Acegi Sample 的方式是用MethodDefinitionSourceEditor把xml中的文本Function資源權限對應關系信息加載到MethodDefinitionMap ( MethodDefinitionSource?的實現類 )中, 再組成ConfigAttributeDefinition，而我們的擴展目標是從緩存中讀取信息來組成ConfigAttributeDefinition。

???? MethodSecurityInterceptor是通過調用AbstractMethodDefinitionSource的lookupAttributes(method)方法獲取ConfigAttributeDefinition。所以我們需要實現自己的ObjectDefinitionSource，繼承AbstractMethodDefinitionSource并實現其lookupAttributes方法,從緩存中讀取資源權限對應關系組成并返回ConfigAttributeDefinition即可。SpringSide中的DBMethodDefinitionSource類的部分實現如下 :

public class DBMethodDefinitionSource extendsAbstractMethodDefinitionSource {
......
??? protected ConfigAttributeDefinitionlookupAttributes(Method mi) {
??????? Assert.notNull(mi, "lookupAttrubutes in the DBMethodDefinitionSource is null");
??????? String methodString = mi.getDeclaringClass().getName() + "." + mi.getName();
??????? if (!acegiCacheManager.isCacheInitialized()) {
??????????? //初始化Cache
??????????? acegiCacheManager.initResourceCache();
??????? }
??????? //獲取所有的function
??????? List methodStrings = acegiCacheManager.getFunctions();
??????? Set auths = new HashSet();
??????? //取權限的合集
??????? for (Iterator iter = methodStrings.iterator(); iter.hasNext();) {
??????????? String mappedName = (String) iter.next();
??????????? if (methodString.equals(mappedName)
??????????????????? || isMatch(methodString, mappedName)) {
??????????????? ResourceDetails resourceDetails = acegiCacheManager.getAuthorityFromCache(mappedName);
??????????????? if (resourceDetails == null) {
??????????????????? break;
??????????????? }
??????????????? GrantedAuthority[] authorities = resourceDetails.getAuthorities();
??????????????? if (authorities == null || authorities.length == 0) {
??????????????????? break;
??????????????? }
??????????????? auths.addAll(Arrays.asList(authorities));
??????????? }
??????? }
??????? if (auths.size() == 0)
??????????? return null;
??????? ConfigAttributeEditor configAttrEditor = new ConfigAttributeEditor();
??????? String authoritiesStr = " ";
??????? for (Iterator iter = auths.iterator(); iter.hasNext();) {
??????????? GrantedAuthority authority = (GrantedAuthority) iter.next();
??????????? authoritiesStr += authority.getAuthority() + ",";
??????? }
??????? String authStr = authoritiesStr.substring(0, authoritiesStr.length() - 1);
??????? configAttrEditor.setAsText(authStr);
?????? //組裝并返回ConfigAttributeDefinition
??????? return (ConfigAttributeDefinition) configAttrEditor.getValue();
??? }
??? ......
}

要注意幾點的是:
1) 初始化Cache是比較浪費資源的，所以SpringSide中除第一次訪問外的Cache的更新是針對性更新。

2) 因為method采用了匹配方式(詳見 isMatch() 方法) , 即對于*Book和save*這兩個資源來說，只要當前訪問方法是Book結尾或以save開頭都算匹配得上，所以應該取這些能匹配上的資源的相對應的權限的合集。

3) 使用ConfigAttributeEditor 能更方便地組裝ConfigAttributeDefinition。

3.3.2 Filter Invocation Authorization

??? <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
??????? <property name="authenticationManager" ref="authenticationManager"/>
??????? <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager"/>
??????? <property name="objectDefinitionSource" ref="filterDefinitionSource"/>
??? </bean>

??? <bean id="filterDefinitionSource" class="org.springside.security.service.acegi.DBFilterInvocationDefinitionSource">
??????? <property name="convertUrlToLowercaseBeforeComparison" value="true"/>
??????? <property name="useAntPath" value="true"/>
??????? <property name="acegiCacheManager" ref="acegiCacheManager"/>
??? </bean>

???? PathBasedFilterInvocationDefinitionMap和RegExpBasedFilterInvocationDefinitionMap都是 FilterInvocationDefinitionSource的實現類,當PATTERN_TYPE_APACHE_ANT字符串匹配上時時,FilterInvocationDefinitionSourceEditor 選用PathBasedFilterInvocationDefinitionMap 把xml中的文本URL資源權限對應關系信息加載。

???? FilterSecurityInterceptor通過FilterInvocationDefinitionSource的lookupAttributes(url)方法獲取ConfigAttributeDefinition。 所以，我們可以通過繼承FilterInvocationDefinitionSource的抽象類AbstractFilterInvocationDefinitionSource，并實現其lookupAttributes方法,從緩存中讀取URL資源權限對應關系即可。SpringSide的DBFilterInvocationDefinitionSource類部分實現如下:

public class DBFilterInvocationDefinitionSource extends?AbstractFilterInvocationDefinitionSource {

......
??? public ConfigAttributeDefinition lookupAttributes(String url) {
??????? if (!acegiCacheManager.isCacheInitialized()) {
??????????? acegiCacheManager.initResourceCache();
??????? }

??????? if (isUseAntPath()) {
??????????? // Strip anything after a question mark symbol, as per SEC-161.
??????????? int firstQuestionMarkIndex = url.lastIndexOf("?");
??????????? if (firstQuestionMarkIndex != -1) {
??????????????? url = url.substring(0, firstQuestionMarkIndex);
??????????? }
??????? }
??????? List urls = acegiCacheManager.getUrlResStrings();
??????? //URL資源倒敘排序
??????? Collections.sort(urls);
??????? Collections.reverse(urls);
//是否先全部轉為小寫再比較
??????? if (convertUrlToLowercaseBeforeComparison) {
??????????? url = url.toLowerCase();
??????? }
??????? GrantedAuthority[] authorities = new GrantedAuthority[0];
??????? for (Iterator iterator = urls.iterator(); iterator.hasNext();) {
??????????? String resString = (String) iterator.next();
??????????? boolean matched = false;
              //可選擇使用AntPath和Perl5兩種不同匹配模式  
??????????? if (isUseAntPath()) {
??????????????? matched = pathMatcher.match(resString, url);
??????????? } else {
??????????????? Pattern compiledPattern;
??????????????? Perl5Compiler compiler = new Perl5Compiler();
??????????????? try {
??????????????????? compiledPattern = compiler.compile(resString,
??????????????????????????? Perl5Compiler.READ_ONLY_MASK);
??????????????? } catch (MalformedPatternException mpe) {
??????????????????? throw new IllegalArgumentException(
??????????????????????????? "Malformed regular expression: " + resString);
??????????????? }
??????????????? matched = matcher.matches(url, compiledPattern);
??????????? }
??????????? if (matched) {
??????????????? ResourceDetails rd = acegiCacheManager.getAuthorityFromCache(resString);
??????????????? authorities = rd.getAuthorities();
??????????????? break;
??????????? }
??????? }
??????? if (authorities.length > 0) {
??????????? String authoritiesStr = " ";
??????????? for (int i = 0; i < authorities.length; i++) {
??????????????? authoritiesStr += authorities[i].getAuthority() + ",";
??????????? }
??????????? String authStr = authoritiesStr.substring(0, authoritiesStr
??????????????????? .length() - 1);
??????????? ConfigAttributeEditor configAttrEditor = new ConfigAttributeEditor();
??????????? configAttrEditor.setAsText(authStr);
??????????? return (ConfigAttributeDefinition) configAttrEditor.getValue();
??????? }
??????? return null;
??? }

......
?}

繼承AbstractFilterInvocationDefinitionSource注意幾點：
1)? 需要先把獲取回來的URL資源按倒序派序，以達到 a/b/c/d.* 在 a/.* 之前的效果(詳見 Acegi sample 的applicationContext-acegi-security.xml 中的filterInvocationInterceptor的注釋)，為的是更具體的URL可以先匹配上，而獲取具體URL的權限，如a/b/c/d.*權限AUTH_a, AUTH_b 才可查看,? a/.* 需要權限AUTH_a 才可查看，則如果當前用戶只擁有權限AUTH_b,則他只可以查看a/b/c/d.jsp 而不能察看a/d.jsp。

2)?基于上面的原因，故第一次匹配上的就是當前所需權限，而不是取權限的合集。

3) 可以選用AntPath 或 Perl5 的資源匹配方式，感覺AntPath匹配方式基本足夠。

4) Filter 權限控制比較適合于較粗顆粒度的權限，如設定某個模塊下的頁面是否能訪問等，對于具體某個操作如增刪修改，是否能執行，用Method??Invocation 會更佳些，所以注意兩個方面一起控制效果更好

?

3.4 授權操作

???? RBAC模型中有不少多對多的關系，這些關系都能以一個中間表的形式來存放，而Hibernate中可以不建這中間表對應的hbm.xml , 以資源與權限的配置為例，如下:

<hibernate-mapping package="org.springside.modules.security.domain">
??? <class name="Permission" table="PERMISSIONS" dynamic-insert="true" dynamic-update="true">
??????? <cache usage="nonstrict-read-write"/>
??????? <id name="id" column="ID">
??????????? <generator class="native"/>
??????? </id>
??????? <property name="name" column="NAME" not-null="true"/>
??????? <property name="descn" column="DESCN"/>
??????? <property name="operation" column="OPERATION"/>
??????? <property name="status" column="STATUS"/>
??????? <set name="roles" table="ROLE_PERMIS" lazy="true" inverse="true" cascade="save-update" batch-size="5">
??????????? <key>
??????????????? <column name="PERMIS_ID" not-null="true"/>
??????????? </key>
??????????? <many-to-many class="Role" column="ROLE_ID" outer-join="auto"/>
??????? </set>
??????? <set name="resources" table="PERMIS_RESC" lazy="true" inverse="false" cascade="save-update" batch-size="5">
??????????? <key>
??????????????? <column name="PERMIS_ID" not-null="true"/>
??????????? </key>
??????????? <many-to-many class="Resource" column="RESC_ID"/>
??????? </set>
??? </class>
</hibernate-mapping>

<hibernate-mapping package="org.springside.modules.security.domain">
??? <class name="Resource" table="RESOURCES" dynamic-insert="true" dynamic-update="true">
??????? <cache usage="nonstrict-read-write"/>
??????? <id name="id" column="ID">
??????????? <generator class="native"/>
??????? </id>
??????? <property name="name" column="NAME" not-null="true"/>
??????? <property name="resType" column="RES_TYPE" not-null="true"/>
??????? <property name="resString" column="RES_STRING" not-null="true"/>
??????? <property name="descn" column="DESCN"/>
??????? <set name="permissions" table="PERMIS_RESC" lazy="true" inverse="true" cascade="save-update" batch-size="5">
??????????? <key>
??????????????? <column name="RESC_ID" not-null="true"/>
??????????? </key>
??????????? <many-to-many class="Permission" column="PERMIS_ID" outer-join="auto"/>
??????? </set>
??? </class>
</hibernate-mapping>

配置時注意幾點:

1) 因為是分配某個權限的資源，所以權限是主控方，把inverse設為false，資源是被控方inverse設為true

2) cascade是"save-update"，千萬別配成delete

3) 只需要 permission.getResources().add(resource)， permission.getResources()..remove(resource) 即可很方便地完成授權和取消授權操作

大盤預測 國富論