關(guān)于alfresco代碼跟蹤之security服務(wù)

1、1 安全的實(shí)現(xiàn)安全wiki/wiki/security_and_authentication安全的保證時(shí)機(jī)是在調(diào)用public services的時(shí)候?qū)嵤┑?，訪問控制是通過元數(shù)據(jù)而不是硬編碼實(shí)現(xiàn)的，就是通過使用acegi和aop實(shí)現(xiàn)的。安全控制可以基于 ：方法訪問；提供給方法的參數(shù)；以及調(diào)用方法返回值。安全是通過一下五個(gè)關(guān)鍵服務(wù)完成的。the authentication service、the authority service、the ownable service、the permission service、the person servi

2、ce。訪問控制通過檢查當(dāng)前用戶授予的authority所擁有的permission和permission group允許或者禁止人員執(zhí)行操作一個(gè)特定對(duì)象的方法。例如nodeservice bean readproperties方法在調(diào)用方法之前檢查當(dāng)前用戶是否有讀當(dāng)前節(jié)點(diǎn)的屬性的訪問權(quán)限。在searchservice服務(wù)中，查詢的結(jié)果值返回用戶有read permission權(quán)限的節(jié)點(diǎn)（對(duì)返回結(jié)果進(jìn)行過濾）。對(duì)公共服務(wù)的訪問控制定義在 public-services-context.xml，每個(gè)服務(wù)都定義一個(gè)方法interceptor bean實(shí)現(xiàn)對(duì)方法調(diào)用的安全控制，通常這些定義在publi

3、c-services-security-context.xml。1.1 定義方法級(jí)別的安全在public-services-security-context.xml 中定義了支持基于acegi的security around method invocation。這個(gè)配置了兩個(gè)alfresco特定的bean：一個(gè)voter可以基于對(duì)于當(dāng)前操作參數(shù)授予當(dāng)前用戶的permission的方法調(diào)用，一個(gè)after invocation provider用來為返回值加上安全。方法訪問按照普通的acegi方式定義，但是附加一些內(nèi)容。一下？代表authority，#代表方法參數(shù)索引 *前置判斷是如下形式：ac

4、l_method.? access to the method is restricted to those with the given authority in alfresco. this could be a user name or group. dynamic authorities are not supported acl_node.#.* access control is restricted to users who have the the specified permission for the node on the identified argument. if

5、the argument is a noderef it will be used; if it is a storeref then the root node for the store will be used; if it is a childassociationref then the child node will be used. acl_parent.#.* access control is restricted to users who have the the specified permission for the parent of the node on the

6、identified argument. if the argument is a noderef the parent of the node will be used; if it is a childassociationref then the parent node will be used. role_. check for an acegi authority starting with role_ group_. check for an acegi authority starting with group_ if more than one acl_node.#.* or

7、acl_parent.#.* entry is present then all the permissions must be available for the method to execute. 后置判斷采取如下形式：after_acl_node.* similar to acl_node.#.* but the restriction applies to the return argument. the supported return types are childassociationref, fileinfo, noderef, storeref, resultset; co

8、llections and arrays of storeref, noderef, childassociationref, and fileinfo. after_acl_parent.* similar to acl_parent.#.* but the restriction applies to the return argument. the supported return types are childassociationref, fileinfo, noderef, storeref, resultset; collections and arrays of storere

9、f, noderef, childassociationref, and fileinfo. 2 authentication服務(wù)。1. alfresco把認(rèn)證了的用戶信息acegi的authentication對(duì)象放入當(dāng)前線程，這樣就不用在認(rèn)證了。在認(rèn)證之后會(huì)返回給客戶端一個(gè)ticket，每次調(diào)用的時(shí)候只需要和當(dāng)前線程的authentication進(jìn)行比較，不需要在進(jìn)行認(rèn)證一次浪費(fèi)資源；如果當(dāng)前線程沒有authentication信息的時(shí)候才會(huì)調(diào)用認(rèn)證組件進(jìn)行認(rèn)證;2. 對(duì)于用戶authentication信息以及生成的ticket信息都會(huì)放入緩存中，ticket是根據(jù)用戶名以及一些其他的用

10、戶信息生成的，這樣保證不會(huì)url假冒；3. 如果對(duì)authentication是怎么存在線程里面不理解的，可以參考acegi的context以及contextholder部分；4. 由于很多操作，對(duì)與當(dāng)前線程綁定的authentication人來說是無(wú)權(quán)做的，所以要更改authentication信息，從而使用具有更高權(quán)限的人來做，這個(gè)就是 string currentuser = authenticationutil.getrunasuser();authenticationutil.setrunasuser(currentuser);的用處，如果不理解，可以看看acegirunasmana

11、ger一部分內(nèi)容。2.1 子系統(tǒng)說明從alfresco3開始認(rèn)證部分是用來subsystem（子系統(tǒng)）的概念，認(rèn)證系統(tǒng)是由子系統(tǒng)完成的。在alfresco中由于安全部分使用了acegi，所以認(rèn)證的處理也包含兩部分內(nèi)容，一部分是用于提供acegi的authenticationmanager，另外一部分就是認(rèn)證服務(wù)的接口authenticationservice，這兩部分的底層代碼相同，都是使用了subsystem。但是subsystem的實(shí)現(xiàn)不同，authenticationservice使用了 localauthenticationservice 屬性指名了使用localauthenticat

12、ionservice，這個(gè)從repository庫(kù)進(jìn)行認(rèn)證。而在authenticationdao中（用于acegi的authenticationmanager)沒有配置sourcebeanname屬性，這是因?yàn)樵诮?jīng)過authenticationservice認(rèn)證后，在acegi安全判斷的過程就不需要認(rèn)證了。2.2 總圖2.3 關(guān)于authenticationservice2.3.1 用戶登錄 這部分使用jsp頁(yè)面來完成的，用戶進(jìn)入系統(tǒng)后的首頁(yè)為context/index.jsp。/ get the start location as configured by the web-client

13、configwebapplicationcontext context = webapplicationcontextutils.getrequiredwebapplicationcontext(session.getservletcontext();configservice configservice = (configservice)context.getbean(webclientconfigservice);clientconfigelement configelement = (clientconfigelement)configservice.getglobalconfig().

14、getconfigelement(client);string location = configelement.getinitiallocation();authenticationservice authservice = (authenticationservice)context.getbean(authenticationservice);/ override with the users preference if they have oneuser user = (user)session.getattribute(authenticationhelper.authenticat

15、ion_user);if (user != null) usertransaction tx = (transactionservice)context.getbean(transactionservice).getusertransaction(); tx.begin();try authservice.validate(user.getticket(); / ensure construction of the facescontext before attemping a service call facescontext fc = faceshelper.getfacescontext

16、(request, response, application); string preference = (string)preferencesservice.getpreferences(fc).getvalue(start-location); if (preference != null) location = preference; mit(); catch (authenticationexception autherr) try tx.rollback(); catch (throwable tex) / expired ticket authenticationse

17、rvice unpauth = (authenticationservice)context.getbean(authenticationservice); unpauth.invalidateticket(unpauth.getcurrentticket(); unpauth.clearcurrentsecuritycontext(); catch (throwable e) try tx.rollback(); catch (throwable tex) elseusertransaction tx = (transactionservice)context.getbean(transac

18、tionservice).getusertransaction(); tx.begin();try authservice.authenticateasguest();personservice personservice = (personservice)context.getbean(personservice); noderef guestref = personservice.getperson(permissionservice.guest_authority); user = new user(authservice.getcurrentusername(), authservic

19、e.getcurrentticket(), guestref); session.setattribute(authenticationhelper.authentication_user, user); / ensure construction of the facescontext before attemping a service call facescontext fc = faceshelper.getfacescontext(request, response, application); string preference = (string)preferencesservi

20、ce.getpreferences(session).getvalue(start-location); if (preference != null) location = preference; session.removeattribute(authenticationhelper.authentication_user); mit(); catch (throwable e) try tx.rollback(); catch (throwable tex) if (request.getmethod().equalsignorecase(get) if (navigatio

21、nbean.location_myalfresco.equals(location) / clear previous location - fixes the issue adb-61 facescontext fc = faceshelper.getfacescontext(request, response, application); if (fc != null) navigationbean navigationbean = (navigationbean)faceshelper.getmanagedbean(fc, navigationbean); if (navigationb

22、ean != null) navigationbean.setlocation(null); navigationbean.settoolbarlocation(null); / send redirect response.sendredirect(request.getcontextpath() + /faces/jsp/dashboards/container.jsp); else response.sendredirect(request.getcontextpath() + /faces/jsp/browse/browse.jsp); / route webdav requestse

23、lse if (request.getmethod().equalsignorecase(propfind) | request.getmethod().equalsignorecase(options) response.sendredirect(request.getcontextpath() + /webdav/);這段代碼不難理解了就是獲取到公共服務(wù)的authenticationservice authservice = (authenticationservice)context.getbean(authenticationservice);注意這里bean的名字是大寫” authe

24、nticationservice”,這個(gè)bean的定義位于public-service-context.xml，是一個(gè)公共服務(wù)。因?yàn)檫@個(gè)服務(wù)是使用了aop對(duì)authenticationservice服務(wù)（定義在authentication-context.xml中）的封裝2.3.2 公共服務(wù)定義公共服務(wù)定義如下：位于配置文件public- services -context.xml org.alfresco.service.cmr.security.authenticationservice 2.3.3 關(guān)于目標(biāo)target這個(gè)步驟是使用配置服務(wù)讀取webclient的配置信息決定哪些文件支持

25、在線編輯。配置文件位于authentication-services-context.xml。 localauthenticationservice 這里使用了子系統(tǒng)subsystemchainingauthenticationservice，這里的applicationcontextmanager為authentication。認(rèn)證接口有3個(gè)實(shí)現(xiàn)，一個(gè)是基本的實(shí)現(xiàn)，另外一個(gè)是對(duì)基本實(shí)現(xiàn)的鏈?zhǔn)桨b，第三個(gè)就是使用鏈?zhǔn)阶酉到y(tǒng)對(duì)認(rèn)證進(jìn)行包裝。這個(gè)鏈?zhǔn)阶酉到y(tǒng)在提供更改認(rèn)證的方法的時(shí)候就是使用sourcebeanname配置的bean名字也就是名字為localauthenticationservice

26、的bean配置的實(shí)現(xiàn)。對(duì)于鏈?zhǔn)秸J(rèn)證則包含localauthenticationservice于其它配置的bean。默認(rèn)使用的是alfrescontlm下的localauthenticationservice，其實(shí)使用的就是存儲(chǔ)庫(kù)進(jìn)行認(rèn)證。2.3.4 截?cái)嗥?authenticationservice_transaction事物截?cái)嗥?，很好理解了。定義如下：位于配置文件public- services -context.xml propagation_not_supported, readonly propagation_not_supported, readonly propag

27、ation_not_supported, readonly propagation_not_supported, readonly propagation_not_supported, readonly propagation_not_supported, readonly $server.transaction.mode.default auditmethodinterceptor審計(jì)追蹤截?cái)嗥?，也很好理解了。定義如下：位于配置文件public-service-context.xml false exceptiontranslator異常處理截?cái)嗥?，也很好理?/p>

28、了。定義如下：位于配置文件public- services -context.xml false authenticationservice_security這個(gè)截?cái)嗥黝愂褂玫氖莈rcept.method.aopalliance.methodsecurityinterceptor這個(gè)截?cái)嗥?，如果不懂可以看acegi的文檔，這個(gè)截?cái)嗥魇莂cegi的安全截?cái)嗥?，用到了authenticationmanager、accessdecisionmanager、afterinvocationmanager等所有構(gòu)成安全部分的組件。因?yàn)樵谡J(rèn)證服

29、務(wù)中不僅是包含了獲取用戶認(rèn)證信息的操作，還包括了創(chuàng)建認(rèn)證、更新認(rèn)證、設(shè)置認(rèn)證、刪除深證、封禁/解禁認(rèn)證、等這些只有管理員才能做的操作，所以這個(gè)截?cái)嗥魇潜ＷC這些操作只有acl_method.role_administrator權(quán)限的人才能操作。定義如下：位于配置文件public-services-security-context.xml org.alfresco.service.cmr.security.authenticationservice.createauthentication=acl_method.role_administrator org.alfresco.service.cmr

30、.security.authenticationservice.updateauthentication=acl_allow org.alfresco.service.cmr.security.authenticationservice.setauthentication=acl_method.role_administrator org.alfresco.service.cmr.security.authenticationservice.deleteauthentication=acl_method.role_administrator org.alfresco.service.cmr.s

31、ecurity.authenticationservice.setauthenticationenabled=acl_method.role_administrator org.alfresco.service.cmr.security.authenticationservice.getauthenticationenabled=acl_method.role_administrator org.alfresco.service.cmr.security.authenticationservice.authenticationexists=acl_method.role_administrat

32、or org.alfresco.service.cmr.security.authenticationservice.getcurrentusername=acl_allow org.alfresco.service.cmr.security.authenticationservice.invalidateusersession=acl_method.role_administrator org.alfresco.service.cmr.security.authenticationservice.invalidateticket=acl_allow org.alfresco.service.

33、cmr.security.authenticationservice.getcurrentticket=acl_allow org.alfresco.service.cmr.security.authenticationservice.clearcurrentsecuritycontext=acl_allow org.alfresco.service.cmr.security.authenticationservice.iscurrentuserthesystemuser=acl_allow org.alfresco.service.cmr.security.authenticationser

34、vice.guestuserauthenticationallowed=acl_allow org.alfresco.service.cmr.security.authenticationservice.getdomains=acl_method.role_administrator org.alfresco.service.cmr.security.authenticationservice.getdomainsthatallowusercreation=acl_method.role_administrator org.alfresco.service.cmr.security.authe

35、nticationservice.getdomainsthatallowuserdeletion=acl_method.role_administrator org.alfresco.service.cmr.security.authenticationservice.getdomiansthatallowuserpasswordchanges=acl_method.role_administrator 2.4 關(guān)于acegi authenticationmanager2.4.1 配置文件位于authentication-services-context.xml 類net.sf

36、.viders.providermanageracegi的標(biāo)準(zhǔn)類了。 authenticatedauthenticationpassthroughprovideran authentication provider that just believes authentications bound to the local thread are valid if they are set as authenticated。authenticatedauthenticationpassthroughprovider,代碼很簡(jiǎn)單了，就是直接通過認(rèn)證。位

37、于authentication-services-context.xml daoauthenticationprovideracegi的daoauthenticationprovider。易用了authenticationdao，參見authenticationdao。位于authentication-services-context.xml 關(guān)于accessdecisionmanager 關(guān)于afterinvocationmanager2.4.2 authenticationdaoacegi對(duì)認(rèn)證鏈的支持是通過一個(gè)authenticationman

38、ager管理多個(gè)authenticationprovider實(shí)現(xiàn)的，但是alfresco對(duì)它進(jìn)行了擴(kuò)展，使得daoauthenticationprovider本身也支持認(rèn)證連管理。定義位于authentication-services-context.xml org.alfresco.repo.security.authentication.mutableauthenticationdao 可以看到這個(gè)dao就支持鏈?zhǔn)秸J(rèn)證，這個(gè)bean的類為org.alfresco.repo.management.subsystems.chainingsubsystemproxyfactory，這個(gè)類是一個(gè)工

39、廠類，這個(gè)類與childapplicationcontextmanager類允許特定的接口代理給子應(yīng)用環(huán)境鏈。它是采用以下方法決定一個(gè)特殊的方法調(diào)用的目標(biāo)的，返回的代理會(huì)按照順序搜索應(yīng)用環(huán)境鏈并且選擇第一個(gè)具有必須得方法名或者沒有實(shí)現(xiàn)activatablebean接口，或者那些目標(biāo)是鏈中特殊成語(yǔ)的函數(shù)。詳見鏈?zhǔn)阶酉到y(tǒng)。 對(duì)于applicationcontextmanager bean的配置如下： $authentication.chain 這個(gè)bean的實(shí)現(xiàn)為defaultchildapplicationcontextmanager類，提供的defaultchain配置位于repository

40、.properties，為authentication.chain=alfrescontlm1:alfrescontlm。這個(gè)authentication manager包含了兩個(gè)applicationcontextfactory對(duì)應(yīng)了兩中認(rèn)證子系統(tǒng)環(huán)境分別是alfrescontlm1和alfrescontlm。在alfresco 3.1版本中實(shí)現(xiàn)了如下的認(rèn)證子系統(tǒng)：alfresco、alfrescontlm、kerberos、ldap、passthru等，配置文件位于alfrescosubsystemsauthentication中。2.4.3 saltsource2.4.4 passwordencoder2.5 applicationcontextmanager之a(chǎn)uthentication配置文件位于authentication