github
/
spring-security
同期ミラー https://github.com/spring-projects/spring-security


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246
							<?xml version="1.0" encoding="UTF-8"?>
<chapter xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="el-access"
    xmlns:xlink="http://www.w3.org/1999/xlink">
    <title>Expression-Based Access Control</title>
    <para> Spring Security 3.0 introduced the ability to use Spring EL expressions as an
        authorization mechanism in addition to the simple use of configuration attributes and
        access-decision voters which have seen before. Expression-based access control is built on
        the same architecture but allows complicated boolean logic to be encapsulated in a single
        expression.</para>
    <section>
        <title>Overview</title>
        <para>Spring Security uses Spring EL for expression support and you should look at how that
            works if you are interested in understanding the topic in more depth. Expressions are
            evaluated with a <quote>root object</quote> as part of the evaluation context. Spring
            Security uses specific classes for web and method security as the root object, in order
            to provide built-in expressions and access to values such as the current
            principal.</para>
        <section xml:id="el-common-built-in">
            <title>Common Built-In Expressions</title>
            <para>The base class for expression root objects is
                <classname>SecurityExpressionRoot</classname>. This provides some common expressions
                which are available in both web and method security.</para>
            <table frame="none">
                <title>Common built-in expressions</title>
                <tgroup cols="2">
                    <colspec colname="c1" colnum="1" colwidth="1.0*"/>
                    <colspec colname="c2" colnum="2" colwidth="2.0*"/>
                    <thead>
                        <row>
                            <entry>Expression</entry>
                            <entry>Description</entry>
                        </row>
                    </thead>
                    <tbody>
                        <row>
                            <entry><literal>hasRole([role])</literal></entry>
                            <entry>Returns <literal>true</literal> if the current principal has the
                                specified role.</entry>
                        </row>
                        <row>
                            <entry><literal>hasAnyRole([role1,role2])</literal></entry>
                            <entry>Returns <literal>true</literal> if the current principal has any
                                of the supplied roles (given as a comma-separated list of
                                strings)</entry>
                        </row>
                        <row>
                            <entry><literal>principal</literal></entry>
                            <entry>Allows direct access to the principal object representing the
                                current user</entry>
                        </row>
                        <row>
                            <entry><literal>authentication</literal></entry>
                            <entry>Allows direct access to the current
                                <interfacename>Authentication</interfacename> object obtained from
                                the <interfacename>SecurityContext</interfacename></entry>
                        </row>
                        <row>
                            <entry><literal>permitAll</literal></entry>
                            <entry>Always evaluates to <literal>true</literal></entry>
                        </row>
                        <row>
                            <entry><literal>denyAll</literal></entry>
                            <entry>Always evaluates to <literal>false</literal></entry>
                        </row>
                        <row>
                            <entry><literal>isAnonymous()</literal></entry>
                            <entry>Returns <literal>true</literal> if the current principal is an
                                anonymous user</entry>
                        </row>
                        <row>
                            <entry><literal>isRememberMe()</literal></entry>
                            <entry>Returns <literal>true</literal> if the current principal is a
                                remember-me user</entry>
                        </row>
                        <row>
                            <entry><literal>isAuthenticated()</literal></entry>
                            <entry>Returns <literal>true</literal> if the user is not
                                anonymous</entry>
                        </row>
                        <row>
                            <entry><literal>isFullyAuthenticated()</literal></entry>
                            <entry>Returns <literal>true</literal> if the user is not an anonymous
                                or a remember-me user</entry>
                        </row>
                    </tbody>
                </tgroup>
            </table>
        </section>
    </section>
    <section xml:id="el-access-web">
        <title>Web Security Expressions</title>
        <para> To use expressions to secure individual URLs, you would first need to set the
            <literal>use-expressions</literal> attribute in the <literal>&lt;http></literal> element
            to <literal>true</literal>. Spring Security will then expect the
            <literal>access</literal> attributes of the <literal>&lt;intercept-url></literal>
            elements to contain Spring EL expressions. The expressions should evaluate to a boolean,
            defining whether access should be allowed or not. For example:<programlisting><![CDATA[
  <http use-expressions="true">
    <intercept-url pattern="/admin*"
        access="hasRole('admin') and hasIpAddress('192.168.1.0/24')"/>
    ...
  </http>
]]></programlisting>Here we have defined that the <quote>admin</quote> area of an application
            (defined by the URL pattern) should only be available to users who have the granted
            authority <quote>admin</quote> and whose IP address matches a local subnet. We've
            already seen the built-in <literal>hasRole</literal> expression in the previous section.
            The expression <literal>hasIpAddress</literal> is an additional built-in expression
            which is specific to web security. It is defined by the
            <classname>WebSecurityExpressionRoot</classname> class, an instance of which is used as
            the expression root object when evaluation web-access expressions. This object also
            directly exposed the <interfacename>HttpServletRequest</interfacename> object under the
            name <literal>request</literal> so you can invoke the request directly in an
            expression.</para>
        <para>If expressions are being used, a <classname>WebExpressionVoter</classname> will be
            added to the <interfacename>AccessDecisionManager</interfacename> which is used by the
            namespace. So if you aren't using the namespace and want to use expressions, you will
            have to add one of these to your configuration.</para>
    </section>
    <section>
        <title>Method Security Expressions</title>
        <para>Method security is a bit more complicated than a simple allow or deny rule. Spring
            Security 3.0 introduced some new annotations in order to allow comprehensive support for
            the use of expressions.</para>
        <section xml:id="el-pre-post-annotations">
            <title><literal>@Pre</literal> and <literal>@Post</literal> Annotations</title>
            <para>There are four annotations which support expression attributes to allow pre and
                post-invocation authorization checks and also to support filtering of submitted
                collection arguments or return values. They are <literal>@PreAuthorize</literal>,
                <literal>@PreFilter</literal>, <literal>@PostAuthorize</literal> and
                <literal>@PostFilter</literal>. Their use is enabled through the
                <literal>global-method-security</literal> namespace
                element:<programlisting><![CDATA[<global-method-security pre-post-annotations="enabled"/>]]></programlisting></para>
            <section>
                <title>Access Control using <literal>@PreAuthorize</literal> and
                    <literal>@PostAuthorize</literal></title>
                <para>The most obviously useful annotation is <literal>@PreAuthorize</literal> which
                    decides whether a method can actually be invoked or not. For example (from the
                    <quote>Contacts</quote> sample
                    application)<programlisting>
 @PreAuthorize("hasRole('ROLE_USER')")
 public void create(Contact contact);</programlisting>which
                    means that access will only be allowed for users with the role "ROLE_USER".
                    Obviously the same thing could easily be achieved using a traditional
                    configuration and a simple configuration attribute for the required role. But
                    what
                    about:<programlisting>
 @PreAuthorize("hasPermission(#contact, 'admin')")
 public void deletePermission(Contact contact, Sid recipient, Permission permission);</programlisting>Here
                    we're actually using a method argument as part of the expression to decide
                    whether the current user has the <quote>admin</quote>permission for the given
                    contact. The built-in <literal>hasPermission()</literal> expression is linked
                    into the Spring Security ACL module through the application context, as we'll
                    <link xlink:href="#el-permission-evaluator">see below</link>. You can access any
                    of the method arguments by name as expression variables, provided your code has
                    debug information compiled in. Any Spring-EL functionality is available within
                    the expression, so you can also access properties on the arguments. For example,
                    if you wanted a particular method to only allow access to a user whose username
                    matched that of the contact, you could write</para>
                <programlisting>
 @PreAuthorize("#contact.name == principal.name)")
 public void doSomething(Contact contact);</programlisting>
                <para>Here we are accessing another built–in expression, which is the
                    <literal>principal</literal> of the current Spring Security
                    <interfacename>Authentication</interfacename> object obtained from the security
                    context. You can also access the <interfacename>Authentication</interfacename>
                    object itself directly using the expression name
                    <literal>authentication</literal>.</para>
                <para>Less commonly, you may wish to perform an access-control check after the
                    method has been invoked. This can be achieved using the
                    <literal>@PostAuthorize</literal> annotation. To access the return value from a
                    method, use the built–in name <literal>returnObject</literal> in the
                    expression.</para>
            </section>
            <section>
                <title>Filtering using <literal>@PreFilter</literal> and
                    <literal>@PostFilter</literal></title>
                <para>As you may already be aware, Spring Security supports filtering of collections
                    and arrays and this can now be achieved using expressions. This is most commonly
                    performed on the return value of a method. For
                    example:<programlisting>  @PreAuthorize("hasRole('ROLE_USER')")
  @PostFilter("hasPermission(filterObject, 'read') or hasPermission(filterObject, 'admin')")
  public List&lt;Contact> getAll();</programlisting>When
                    using the <literal>@PostFilter</literal> annotation, Spring Security iterates
                    through the returned collection and removes any elements for which the supplied
                    expression is false. The name <literal>filterObject</literal> refers to the
                    current object in the collection. You can also filter before the method call,
                    using <literal>@PreFilter</literal>, though this is a less common requirement.
                    The syntax is just the same, but if there is more than one argument which is a
                    collection type then you have to select one by name using the
                    <literal>filterTarget</literal> property of this annotation.</para>
                <para>Note that filtering is obviously not a substitute for tuning your data
                    retrieval queries. If you are filtering large collections and removing many of
                    the entries then this is likely to be inefficient.</para>
            </section>
        </section>
        <section xml:id="el-method-built-in">
            <title>Built-In Expressions</title>
            <para>There are some built-in expressions which are specific to method security, which
                we have already seen in use above. The <literal>filterTarget</literal> and
                <literal>returnValue</literal> values are simple enough, but the use of the
                <literal>hasPermission()</literal> expression warrants a closer look.</para>
            <section xml:id="el-permission-evaluator">
                <title>The <interfacename>PermissionEvaluator</interfacename> interface</title>
                <para><literal>hasPermission()</literal> expressions are delegated to an instance of
                    <interfacename>PermissionEvaluator</interfacename>. It is intended to bridge
                    between the expression system and Spring Security's ACL system, allowing you to
                    specify authorization constraints on domain objects, based on abstract
                    permissions. It has no explicit dependencies on the ACL module, so you could
                    swap that out for an alternative implementation if required. The interface has
                    two methods:
                    <programlisting language="java">
 boolean hasPermission(Authentication authentication, Object targetDomainObject,
                             Object permission);

 boolean hasPermission(Authentication authentication, Serializable targetId,
                              String targetType, Object permission);
</programlisting>which
                    map directly to the available versions of the expression, with the exception
                    that the first argument (the <interfacename>Authentication</interfacename>
                    object) is not supplied. The first is used in situations where the domain
                    object, to which access is being controlled, is already loaded. Then expression
                    will return true if the current user has the given permission for that object.
                    The second version is used in cases where the object is not loaded, but its
                    identifier is known. An abstract <quote>type</quote> specifier for the domain
                    object is also required, allowing the correct ACL permissions to be loaded. This
                    has traditionally been the Java class of the object, but does not have to be as
                    long as it is consistent with how the permissions are loaded.</para>
                <para>To use <literal>hasPermission()</literal> expressions, you have to explicitly
                    configure a <interfacename>PermissionEvaluator</interfacename> in your
                    application context. This would look something like this: <programlisting language="xml"> <![CDATA[
<security:global-method-security pre-post-annotations="enabled">
  <security:expression-handler ref="expressionHandler"/>
</security:global-method-security>

<bean id="expressionHandler" class=
  "org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
     <property name="permissionEvaluator" ref="myPermissionEvaluator"/>
</bean>]]></programlisting>Where <literal>myPermissionEvaluator</literal> is the bean which
                    implements <interfacename>PermissionEvaluator</interfacename>. Usually this will
                    be the implementation from the ACL module which is called
                    <classname>AclPermissionEvaluator</classname>. See the <quote>Contacts</quote>
                    sample application configuration for more details.</para>
            </section>
        </section>
    </section>
</chapter>