認証の標準的な方法は分かった。では認可はどう管理するんだい? #cmdevio
10 likes7,095 views
The document discusses the implementation of access control using Java Spring security, detailing various methods for creating, listing, getting, updating, and deleting employee information. It outlines the decision-making process for allowing or denying access based on user authorities and actions. The content is structured with examples and code snippets illustrating how to manage permissions and resource access in an API context.
![#cmdevio #cmdevio2
adi.sub.authorities
✦
{
"name": "ezaki",
"authorities": [
"ListEmp",
"GetEmp",
"UpdateEmp",
"UpdateEmpByAdmin"
]
}
{
"name": "takada",
"authorities": [
"ListEmp",
"UpdateEmp"
]
}
fun adf(adi: AccessDecisionInfo) {
return adi.sub.authorities.contains(adi.action)
}](https://image.slidesharecdn.com/20191101-developersio2019tokyo-authz-191101004531/85/cmdevio-30-320.jpg)
![#cmdevio #cmdevio2
✦
{
"id": "kaga",
"acl": [
{ ezaki
UpdateEmp }
],
// ...
}
{
"id": "ushijima",
"acl": [],
// ...
}
fun adf(adi: AccessDecisionInfo) {
return adi.obj.acl.allow(adi.sub, adi.action)
}](https://image.slidesharecdn.com/20191101-developersio2019tokyo-authz-191101004531/85/cmdevio-47-320.jpg)
![#cmdevio #cmdevio2
✦ { ezaki UpdateEmp }
✦
{
"effect": "allow",
"action": "UpdateEmp",
"authority": "Leader"
}
{
"name": "ezaki",
"authorities": [
"Leader",
// ...
]
}
obj ADI ( ) sub ADI](https://image.slidesharecdn.com/20191101-developersio2019tokyo-authz-191101004531/85/cmdevio-48-320.jpg)
認証の標準的な方法は分かった。では認可はどう管理するんだい? #cmdevio
- 3. #cmdevio #cmdevio2 ✦ ✦ ✦ ✦ ✦ ✦ ✦ ✦ ✦ Twitter @daisuke_m
- 8. #cmdevio #cmdevio2 4 ADI, ADF
- 12. #cmdevio #cmdevio2 4 ADI, ADF
- 13. #cmdevio #cmdevio2 ※ ( )
- 14. #cmdevio #cmdevio2 @PreAuthorize @PostAuthorize @PreFilter @PostFilter ※ Java Spring Security
- 15. #cmdevio #cmdevio2 4 ADI, ADF
- 17. #cmdevio #cmdevio2 ✦ adf: (adi) ↦ allow/deny (boolean) ✦ ✦ ✦
- 22. #cmdevio #cmdevio2 4 ADI, ADF
- 24. #cmdevio #cmdevio2 emps.create({ "id": "ezaki" }); POST /emps { "id": "ezaki" }
- 26. #cmdevio #cmdevio2 ✦ ✦ CreateEmp ListEmp GetEmp UpdateEmp DeleteEmp ✦ ✦ ✦ ✦ AWS
- 27. #cmdevio #cmdevio2 ✦ adf: (adi) ↦ allow/deny (boolean) @RequestMapping fun getEmp(param: Any, adi: AccessDicisionInfo) { if (adf(adi) == false) { throw AccessDeniedException() } val resource = service.getEmp(param) return Response.ok(resource) }
- 29. #cmdevio #cmdevio2 ✦ ✦ ✦ adi.action
- 30. #cmdevio #cmdevio2 adi.sub.authorities ✦ { "name": "ezaki", "authorities": [ "ListEmp", "GetEmp", "UpdateEmp", "UpdateEmpByAdmin" ] } { "name": "takada", "authorities": [ "ListEmp", "UpdateEmp" ] } fun adf(adi: AccessDecisionInfo) { return adi.sub.authorities.contains(adi.action) }
- 31. #cmdevio #cmdevio2 ✦ ✦ UpdateEmp UpdateEmp("kaga", { "name": " " }) UpdateEmp("kaga", { "salary": 888888 }) by kaga by kaga 200 OK 403 Forbidden
- 32. #cmdevio #cmdevio2 ✦ ✦ UpdateEmp ✦ UpdateEmpByAdmin ✦
- 33. #cmdevio #cmdevio2 ✦ ✦ UpdateEmpByAdmin("kaga", { "salary": 888888 }) UpdateEmp("kaga", { "name": " " }) UpdateEmpByAdmin UpdateEmp 200 OK (by ezaki) 200 OK (by kaga) ( API )403 Forbidden (by takada)
- 34. #cmdevio #cmdevio2 ✦ ✦ adi.action ✦ adi.sub.authorities ✦ adf ✦ adi.action adi.sub.authorities ✦ contains
- 37. #cmdevio #cmdevio2 postFilter ✦ ✦ GetEmp { "id": "kaga", "address": "...", "name": "Kaga Masaru", "tel": "090-0000-0006", "salary": 999999, "dept": 2 } { "id": "kaga", "name": "Kaga Masaru", "tel": "090-0000-0006", "dept": 2 } by ezaki by takada
- 38. #cmdevio #cmdevio2 ✦ ✦ ✦ GetEmpByAdmin GetEmp { "id": "kaga", "address": "...", "name": "Kaga Masaru", "tel": "090-0000-0006", "salary": 999999, "dept": 2 } { "id": "kaga", "name": "Kaga Masaru", "tel": "090-0000-0006", "dept": 2 }
- 39. #cmdevio #cmdevio2 ✦ ✦ ✦ ListEmp ✦ ✦ ListEmp ListEmpForPartner ✦ ListEmp ListEmpForPartner
- 42. #cmdevio #cmdevio2 ✦ ✦ ezaki UpdateEmp("ezaki", p) name ✦ ezaki UpdateEmp("kanou", p) name ✦ ✦ UpdateEmp
- 43. #cmdevio #cmdevio2 ✦ /emps/ezaki ✦ ✦ adi.obj.owner ✦ adi.sub.name adi.obj.owner ✦ adi.obj.owner
- 44. #cmdevio #cmdevio2 ✦ { "id": "ezaki", "owner": "ezaki", // ... } { "id": "kanou", "owner": "kanou", // ... } fun adf(adi: AccessDecisionInfo) { return adi.sub.name == adi.obj.owner }
- 45. #cmdevio #cmdevio2 ✦ ✦ ezaki UpdateEmp("kaga", p) name ✦ ezaki UpdateEmp("ushijima", p) name ✦ ✦
- 47. #cmdevio #cmdevio2 ✦ { "id": "kaga", "acl": [ { ezaki UpdateEmp } ], // ... } { "id": "ushijima", "acl": [], // ... } fun adf(adi: AccessDecisionInfo) { return adi.obj.acl.allow(adi.sub, adi.action) }
- 48. #cmdevio #cmdevio2 ✦ { ezaki UpdateEmp } ✦ { "effect": "allow", "action": "UpdateEmp", "authority": "Leader" } { "name": "ezaki", "authorities": [ "Leader", // ... ] } obj ADI ( ) sub ADI
- 49. #cmdevio #cmdevio2 ✦ ✦ ✦ adf ✦ ✦ adi.action ✦ adi.sub.name ✦ adi.sub.authorities ✦ adi.obj.owner ✦ adi.obj.acl ✦