Access Control
RBAC(role-based access control) to ABAC(Attribute-based access control):
https://en.wikipedia.org/wiki/Attribute-based_access_control引用
Historically, access control models have included mandatory access control (MAC), discretionary access control (DAC), and more recently role-based access control (RBAC). These access control models are user-centric and do not take into account additional parameters such as resource information, relationship between the user (the requesting entity) and the resource, and dynamic information e.g. time of the day or user IP. ABAC tries to address this by defining access control based on attributes which describe the requesting entity (the user), the targeted object or resource, the desired action (view, edit, delete...), and environmental or contextual information. This is why access control is said to be attribute-based.
http://www.webfarmr.eu/2010/09/xacml-101-a-quick-intro-to-attribute-based-access-control-with-xacml/
Key words of ABAC:
引用
Subject: user
Resource: course, attribute: privacy(private or public)
Action: CRUD
Policy:
Rule:
某种意义上,i可以将 RBAC 看成是 ABAC 的子集,since a role is just one attribute.
OAuth 2.0
OAuth 2 Simplified
https://aaronparecki.com/2012/07/29/2/oauth2-simplified
The OAuth 2.0 Specification –
http://tools.ietf.org/html/rfc6749引用
OAuth defines four roles:
resource owner
An entity capable of granting access to a protected resource.
When the resource owner is a person, it is referred to as an
end-user.
resource server
The server hosting the protected resources, capable of accepting
and responding to protected resource requests using access tokens.
client
An application making protected resource requests on behalf of the
resource owner and with its authorization. The term "client" does
not imply any particular implementation characteristics (e.g.,
whether the application executes on a server, a desktop, or other
devices).
authorization server
The server issuing access tokens to the client after successfully
authenticating the resource owner and obtaining authorization.
The interaction between the authorization server and resource server
is beyond the scope of this specification. The authorization server
may be the same server as the resource server or a separate entity.
A single authorization server may issue access tokens accepted by
multiple resource servers.
https://www.forgerock.com/blog/oauth2/引用
In addition to these four roles, two different types of tokens are defined by the standard:
Access Token :
Access tokens are credentials provided by the client to access protected resources. An access token is a string that represents an authorization issued to the client. Tokens represent specific scopes and durations of access, granted by the resource owner, and enforced by the resource server and authorization server. The access token provides an abstraction layer, replacing different authorization constructs such as traditional credentials (username/password) with a single token that is understood by the resource server.
Refresh Token :
Although not mandated by the specification, access tokens ideally have an expiration time that can last anywhere from a few minutes to several hours. Refresh tokens are credentials that are used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires.
OpenID Connect:
Why Not Just Use OAuth 2.0?
http://stackoverflow.com/questions/33934920/what-openid-connect-adds-to-oauth-2-0-why-is-oauth-2-0-not-sufficient-for-authe
http://oauth.net/articles/authentication/
https://developer.salesforce.com/page/Inside_OpenID_Connect_on_Force.com#Why_Not_Just_Use_OAuth_2.0.3F
Control Flags of PAM (pluggable authentication module):
http://docs.oracle.com/javase/6/docs/api/javax/security/auth/login/Configuration.html引用
The Flag value controls the overall behavior as authentication proceeds down the stack. The following represents a description of the valid values for Flag and their respective semantics:
1) Required - The LoginModule is required to succeed.
If it succeeds or fails, authentication still continues
to proceed down the LoginModule list.
2) Requisite - The LoginModule is required to succeed.
If it succeeds, authentication continues down the
LoginModule list. If it fails,
control immediately returns to the application
(authentication does not proceed down the
LoginModule list).
3) Sufficient - The LoginModule is not required to
succeed. If it does succeed, control immediately
returns to the application (authentication does not
proceed down the LoginModule list).
If it fails, authentication continues down the
LoginModule list.
4) Optional - The LoginModule is not required to
succeed. If it succeeds or fails,
authentication still continues to proceed down the
LoginModule list.
The overall authentication succeeds only if all Required and Requisite LoginModules succeed. If a Sufficient LoginModule is configured and succeeds, then only the Required and Requisite LoginModules prior to that Sufficient LoginModule need to have succeeded for the overall authentication to succeed. If no Required or Requisite LoginModules are configured for an application, then at least one Sufficient or Optional LoginModule must succeed.
分享到:
相关推荐
ARAAS支持基于角色的访问控制(Role-Based Access Control, RBAC)、基于策略的访问控制(Policy-Based Access Control, PBAC)和基于属性的访问控制(Attribute-Based Access Control, ABAC)。这些模型允许管理员...
3. **基于属性的授权(Attribute-Based Access Control, ABAC)**:在ABAC中,授权决策基于用户、资源、操作和环境的属性。例如,只有当用户位于公司网络内时,才允许他们访问敏感数据。 4. **强制访问控制...
【标题】"hi3a: 提供OAuth2,ABAC和日志记录的AAA服务器" 涉及到的关键技术主要包括认证(Authentication)、授权(Authorization)和审计(Auditing),通常简称为AAA服务。OAuth2是其中的一个核心协议,用于处理...
权限控制主要关注三个方面:认证(Authentication)、授权(Authorization)和审计(Auditing)。认证是指确认用户身份的过程,如登录时输入用户名和密码;授权则是确定已认证的用户可以执行哪些操作;审计则记录了...
Spring Security提供ABAC(属性基访问控制)和RBAC(角色基访问控制)两种模型。你可以使用`@Secured`、`@PreAuthorize`、`@PostAuthorize`等注解进行方法级别的权限控制。同时,还可以通过配置XML或Java配置来定义...
Spring Security的核心概念包括认证(Authentication)和授权(Authorization),支持RBAC(Role-Based Access Control)角色权限模型。 3. **JAAS(Java Authentication and Authorization Service)**: Java...
权限管理模型有多种,如基于角色的访问控制(Role-Based Access Control, RBAC)、基于策略的访问控制(Policy-Based Access Control, PBAC)和基于属性的访问控制(Attribute-Based Access Control, ABAC)等。...
2. ABAC(Attribute-Based Access Control,基于属性的访问控制):根据用户、资源和环境的属性来决定访问权限。 3. RBAC(Role-Based Access Control,基于角色的访问控制):已提及,是最常见的一种模型。 4. PBAC...
- ABAC(Attribute-Based Access Control):基于属性的访问控制,更灵活,可以根据用户属性、资源属性、环境属性等进行权限判断。 - 授权请求处理:接收来自其他服务或组件的授权请求,进行权限检查,并返回结果...
授权则决定允许用户访问哪些资源或执行哪些操作,这通常涉及到权限管理,比如角色基础的访问控制(Role-Based Access Control, RBAC)、策略语言(如 Apache ABAC 或者 Open Policy Agent(OPA))等。 在这个实战...
5. **授权机制**:Spring Security的授权机制包括表达式式访问控制(Expression-Based Access Control,简称ABAC)和角色基于的访问控制(Role-Based Access Control,简称RBAC)。使用访问决策管理器(Access ...
2. **授权(Authorization)**:提供细粒度的权限控制,可以根据角色、资源、操作等进行授权决策,支持RBAC(Role-Based Access Control)和ABAC(Attribute-Based Access Control)模型。 3. **会话管理(Session ...
权限控制通常涉及Role-Based Access Control (RBAC) 或 Attribute-Based Access Control (ABAC)。 6. **错误处理(Error Handling)**:良好的错误处理机制能提供清晰的反馈,帮助调用者理解问题所在。在RESTful ...
- **定义**:Spring Security是Spring框架的一个扩展模块,用于为基于Spring的应用程序提供认证(Authentication)和授权(Authorization)服务。 - **历史背景**:Spring Security最初被称为“Acegi Security ...
- **认证 (Authentication)** 和 **授权 (Authorization)**: - 认证:验证用户的身份,确保用户提供的凭证(如用户名和密码)有效。 - 授权:基于用户的认证结果来决定用户能够访问哪些资源或执行哪些操作。 - *...
常见的认证机制有OAuth2.0、OpenID Connect和JWT(JSON Web Tokens)。这些协议提供了标准化的方法来颁发和验证访问令牌,确保只有经过验证的用户或服务才能进行操作。 其次,**授权(Authorization)**决定了验证...
常见的授权策略有Role-Based Access Control (RBAC)、Attribute-Based Access Control (ABAC)等。我们可以通过注解如@Secured、@PreAuthorize、@PostAuthorize等方式来控制方法级别的访问权限。 五、会话管理 ...
5. **AuthorizationServer**: 对于OAuth2认证和授权,Spring Security提供了AuthorizationServer来处理客户端请求和令牌管理。 三、基本配置 在Spring Security的配置中,你需要创建一个`...
4. **权限表达式(Expression-Based Access Control)**:Spring Security提供了一种表达式语言,允许在访问控制规则中使用逻辑表达式。例如,`@PreAuthorize("hasRole('ROLE_ADMIN')"`或`@PostAuthorize("return...
Spring Security通过访问决策管理器和权限表达式语言实现细粒度的授权,如基于角色的访问控制(RBAC)和基于权限的访问控制(ABAC)。 二、主要组件 1. Filter Security Interceptor(过滤器安全拦截器):这是...