Learning the Shiro framework: basic concepts (1) - Shiro

1. What is access control

Basically, any system that has users needs permission management. Permission management belongs to the domain of system security: it controls how users access the system, following security rules or security policies so that a user can access only the resources they have been authorized for.

Two concepts need to be understood: users and resources. Access control means allowing specified users to perform only specified operations (CRUD) on specified resources; "user" here also covers machine-side access through machine interfaces. Permission management consists of two parts, user authentication and authorization, referred to simply as authentication and authorization.

Access control over resources first passes through user authentication; once a user has been authenticated, they are authorized and thereby obtain access to resources.

2. What are ACL and RBAC

* ACL: Access Control List
  * The once-prevalent style of permission design; its core is that users are linked directly to permissions
  * Pros: easy to use, easy to develop
  * Cons: because users and permissions are linked directly, granting becomes complex and scattered, and it is not easy to manage
  * Example: the common file system permission design, where permissions are added directly to the user
* RBAC: Role-Based Access Control
  * A role-based access control system. Permissions are associated with roles; a user becomes a member of the appropriate roles and obtains those roles' permissions
  * Pros: simplifies the management of users and permissions by classifying users into roles and associating roles with permissions
  * Cons: development is relatively complex compared with ACL
  * Example: permission models of authentication frameworks and applications based on RBAC, such as Apache Shiro and Spring Security
  * BAT enterprises generally use ACL for reporting systems, e.g. Ali ODPS
  * Summary: do not make it too complicated; with too many rules, maintainability and performance decline. Further classifications include ABAC, PBAC, etc.

3. Shiro interaction diagram and the four core modules: authentication, authorization, session management and cryptography

  • Apache Shiro official site: http://shiro.apache.org/introduction.html
  • Authentication: identity authentication, i.e. login in the general sense (not only the login of human-computer interaction, but also machine-to-machine interaction)
  • Authorization: assigning roles to a user, or granting access to certain resources
  • Session Management: managing the user's session, in most cases a web session (it also includes the login session in machine-to-machine interaction)
  • Cryptography: encryption and decryption of data, such as encrypting and decrypting passwords


4. Shiro common terms:

  • Subject
    • The user or program that wants to access system resources is called the subject (for example users, third-party services, scheduled tasks)
  • SecurityManager
    • Security manager; the Subject's authentication and authorization are carried out under a security manager
  • Authenticator
    • Mainly responsible for authenticating the Subject
  • Realm
    • Connector to the security data domain, that is, the bridge between Shiro and its security data, such as a JDBC database connection; the authentication and authorization information is obtained through the realm
  • Authorizer
    • Mainly responsible for authorizing the Subject, i.e. controlling which roles or permissions the subject has
  • Cryptography
    • Encryption and decryption; Shiro includes data encryption and decryption methods that are easy to use and understand, simplifying many complex APIs
  • Cache Manager

5. Shiro's running process for user access control

User (Subject) enters account and password -> Realm obtains the authentication and authorization information -> Authenticator authenticates -> Authorizer authorizes
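The flow above, as an added example that is not from the original post: a standalone Java program built on Shiro's own API (it assumes shiro-core on the classpath; the account names, passwords and roles are constructed for illustration). SimpleAccountRealm plays the Realm, DefaultSecurityManager wires in the default Authenticator and Authorizer, and the Subject is the logging-in user.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.SimpleAccountRealm;
import org.apache.shiro.subject.Subject;

public class ShiroFlowDemo {

    public static void main(String[] args) {
        // Realm: the source of authentication and authorization data.
        // Constructed in-memory accounts stand in for a JDBC-backed realm.
        SimpleAccountRealm realm = new SimpleAccountRealm();
        realm.addAccount("alice", "alice-pw", "admin");   // alice holds the admin role
        realm.addAccount("bob", "bob-pw", "viewer");      // bob holds the viewer role

        // SecurityManager: owns the Authenticator and Authorizer that consult the realm
        DefaultSecurityManager securityManager = new DefaultSecurityManager(realm);
        SecurityUtils.setSecurityManager(securityManager);

        // Subject: the user (or program) that wants to access resources
        Subject subject = SecurityUtils.getSubject();

        // Step 1: the subject presents its account and password
        UsernamePasswordToken token = new UsernamePasswordToken("alice", "alice-pw");
        try {
            // Steps 2-3: the Authenticator asks the realm for the account and matches credentials
            subject.login(token);
        } catch (AuthenticationException e) {
            System.out.println("Login failed: " + e.getMessage());
            return;
        }
        System.out.println("Authenticated principal: " + subject.getPrincipal());

        // Step 4: the Authorizer answers role questions from the realm's data (RBAC)
        System.out.println("alice has admin role:  " + subject.hasRole("admin"));
        System.out.println("alice has viewer role: " + subject.hasRole("viewer"));

        // A wrong password is rejected by the Authenticator with an exception,
        // so a caller can never reach the authorization step with bad credentials
        subject.logout();
        try {
            subject.login(new UsernamePasswordToken("bob", "not-bobs-password"));
        } catch (AuthenticationException e) {
            System.out.println("Rejected bad credentials for bob: " + e.getClass().getSimpleName());
        }
    }
}
```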


Source: www.cnblogs.com/enjoyjava/p/12052112.html