Deadbolt 2 Java

Source: Internet | Published: 2016淘宝助理手机版 | Editor: 程序博客网 | Time: 2024/06/07 20:49

Source: http://deadbolt-2-java.herokuapp.com/

Configuration

The user has the following two roles:
foo
bar
The user has the following single permission:
printers.edit

Controller authorisation

Protecting your controllers from unauthorised use is a key element of a good application security system.
For example:

SubjectPresent

This is the simplest constraint: it requires that a user is logged in.

Specification | Result

@SubjectPresent
public static Result subjectPresent() {
    return ok(accessOk.render());
}

@SubjectPresent(handler = NoUserDeadboltHandler.class)
public static Result subjectPresent_notLoggedIn() {
    return ok(accessOk.render());
}

SubjectNotPresent

This constraint requires that no user is logged in.

Specification | Result

@SubjectNotPresent
public static Result subjectNotPresent_loggedIn() {
    return ok(accessOk.render());
}

@SubjectNotPresent(handler = NoUserDeadboltHandler.class)
public static Result subjectNotPresent() {
    return ok(accessOk.render());
}

Restrict

Restrict uses an ANDed set of roles to decide whether an action can be accessed. For example, a user with the roles "foo" and "bar" can access a Restrict-protected action that specifies any of the following:
foo
bar
foo AND bar
However, a Restrict that requires "foo", "bar" and "hurdy" will deny that user access.

Specification | Result

@Restrict({"foo", "bar"})
public class RestrictController extends Controller

@Restrict("foo")
public static Result restrictOne() {
    return ok(accessOk.render());
}

@Restrict({"foo", "bar"})
public static Result restrictTwo() {
    return ok(accessOk.render());
}

@Restrict({"foo", "!bar"})
public static Result restrictThree() {
    return ok(accessOk.render());
}

@Restrict({"hurdy"})
public static Result restrictFour() {
    return ok(accessOk.render());
}

@CustomRestrict(value = {MyRoles.foo, MyRoles.bar}, config = @Restrict(""))
public static Result customRestrictionOne() {
    return ok(accessOk.render());
}

// renamed from a second customRestrictionOne, which would not compile alongside the first
@CustomRestrict(value = MyRoles.hurdy, config = @Restrict(""))
public static Result customRestrictionTwo() {
    return ok(accessOk.render());
}

Restrictions

The Restrictions constraint allows you to use ORed groups of roles. For example, you can allow access to a user who matches any one of the following restrictions:
foo
hurdy AND gurdy

Specification | Result

@Restrictions({@And("foo"),
               @And("bar")})
public class RestrictionsController extends Controller

@Restrictions({@And({"foo", "bar"})})
public static Result restrictionsOne() {
    return ok(accessOk.render());
}

@Restrictions({@And({"hurdy", "gurdy"}), @And("foo")})
public static Result restrictionsTwo() {
    return ok(accessOk.render());
}

@Restrictions({@And("foo"), @And("!bar")})
public static Result restrictionsThree() {
    return ok(accessOk.render());
}

@Restrictions(@And({"hurdy", "foo"}))
public static Result restrictionsFour() {
    return ok(accessOk.render());
}

@Restrictions(@And({"foo", "!bar"}))
public static Result restrictionsFive() {
    return ok(accessOk.render());
}

@CustomRestrictions(value = { @RoleGroup({MyRoles.foo, MyRoles.bar}),
                              @RoleGroup(MyRoles.hurdy)},
                    config = @Restrictions({}))
public static Result customRestrictionOne() {
    return ok(accessOk.render());
}

// renamed from a second customRestrictionOne, which would not compile alongside the first
@CustomRestrictions(value = { @RoleGroup({MyRoles.hurdy, MyRoles.foo}),
                              @RoleGroup({MyRoles.hurdy, MyRoles.bar})},
                    config = @Restrictions({}))
public static Result customRestrictionTwo() {
    return ok(accessOk.render());
}
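To make the AND/OR semantics of Restrict and Restrictions concrete, here is an added stand-alone evaluator (not code from the page or from the Deadbolt project) run against the user from the Configuration section, who holds the roles foo and bar. It applies Deadbolt's rule that a role name prefixed with "!" (as in "!bar") means the subject must not hold that role; the class and method names are mine.

```java
import java.util.List;
import java.util.Set;

public class RoleGroupEvaluator {
    /** Restrict semantics: one ANDed group; every entry must hold. */
    static boolean restrict(Set<String> subjectRoles, String... group) {
        for (String entry : group) {
            boolean negated = entry.startsWith("!");
            String role = negated ? entry.substring(1) : entry;
            boolean held = subjectRoles.contains(role);
            // a plain entry fails when the role is missing; a "!" entry fails when it is held
            if (held == negated) {
                return false;
            }
        }
        return true;
    }

    /** Restrictions semantics: OR of ANDed groups; any satisfied group grants access. */
    static boolean restrictions(Set<String> subjectRoles, List<String[]> groups) {
        for (String[] group : groups) {
            if (restrict(subjectRoles, group)) {
                return true;
            }
        }
        return false;
    }

    private static void report(String label, boolean allowed) {
        System.out.println(label + " -> " + (allowed ? "access OK" : "access denied"));
    }

    public static void main(String[] args) {
        Set<String> user = Set.of("foo", "bar"); // the user from the Configuration section

        // the Restrict examples from the table above
        report("restrictOne   foo", restrict(user, "foo"));
        report("restrictTwo   foo AND bar", restrict(user, "foo", "bar"));
        report("restrictThree foo AND !bar", restrict(user, "foo", "!bar"));
        report("restrictFour  hurdy", restrict(user, "hurdy"));

        // the Restrictions examples: entries inside a group are ANDed, groups are ORed
        report("restrictionsTwo   (hurdy AND gurdy) OR foo",
               restrictions(user, List.of(new String[]{"hurdy", "gurdy"}, new String[]{"foo"})));
        report("restrictionsThree foo OR !bar",
               restrictions(user, List.of(new String[]{"foo"}, new String[]{"!bar"})));
        report("restrictionsFour  hurdy AND foo",
               restrictions(user, List.of(new String[]{"hurdy", "foo"})));
    }
}
```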

Dynamic

Dynamic is Deadbolt's most powerful constraint: it enforces powerful, custom rules. See the overview documentation for details.
In these examples, the first item is the action and the second is the associated DynamicResourceHandler.

Specification | Rule | Result

@Dynamic("pureLuck")
public static Result pureLuck() {
    return ok(accessOk.render());
}

public boolean isAllowed(String name,
                         String meta,
                         DeadboltHandler deadboltHandler,
                         Http.Context context) {
    return System.currentTimeMillis() % 2 == 0;
}

@Dynamic(value = "pureLuck", handler = MyAlternativeDeadboltHandler.class)
public static Result noWayJose() {
    return ok(accessOk.render());
}

public boolean checkPermission(String permissionValue,
                               DeadboltHandler deadboltHandler,
                               Http.Context ctx) {
    // Computer says no
    return false;
}
@Dynamic(value = "viewProfile")
public static Result viewProfile(String userName) {
    return ok(accessOk.render());
}

public boolean isAllowed(String name,
                         String meta,
                         DeadboltHandler deadboltHandler,
                         Http.Context context) {
    Subject subject = deadboltHandler.getSubject(context);
    boolean allowed;
    if (DeadboltAnalyzer.hasRole(subject, "admin")) {
        allowed = true;
    } else {
        // a call to view profile is probably a get request, so
        // the query string is used to provide info
        // See the Deadbolt documentation on why this is harder to do with path parameters
        Map<String, String[]> queryStrings = context.request().queryString();
        String[] requestedNames = queryStrings.get("userName");
        allowed = requestedNames != null
                  && requestedNames.length == 1
                  && ((AuthorisedUser)subject).userName.equals(requestedNames[0]);
    }
    return allowed;
}
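The viewProfile rule above is one branch of a DynamicResourceHandler. As an added example (not code from the page or the Deadbolt project), this handler keys rules by the name passed to @Dynamic, fails closed when no subject is present or the name is unknown, and compares the requested userName against Subject#getIdentifier() instead of casting to a concrete user class. It assumes the synchronous DynamicResourceHandler and DeadboltHandler signatures shown on this page and the be.objectify.deadbolt package names of that Deadbolt 2 line; NamedRulesResourceHandler and its Rule interface are my names.

```java
import java.util.HashMap;
import java.util.Map;

import be.objectify.deadbolt.core.DeadboltAnalyzer;
import be.objectify.deadbolt.core.models.Subject;
import be.objectify.deadbolt.java.DeadboltHandler;
import be.objectify.deadbolt.java.DynamicResourceHandler;
import play.mvc.Http;

public class NamedRulesResourceHandler implements DynamicResourceHandler {

    /** One rule per @Dynamic name (hypothetical helper type, not part of Deadbolt). */
    interface Rule {
        boolean isAllowed(String meta, DeadboltHandler handler, Http.Context ctx);
    }

    private final Map<String, Rule> rules = new HashMap<>();

    public NamedRulesResourceHandler() {
        // @Dynamic("viewProfile"): admins may view any profile, everyone else only their own
        rules.put("viewProfile", (meta, handler, ctx) -> {
            Subject subject = handler.getSubject(ctx);
            if (subject == null) {
                return false; // nobody is logged in: deny
            }
            if (DeadboltAnalyzer.hasRole(subject, "admin")) {
                return true;
            }
            // as on the page, the requested owner comes from the query string, not a path parameter
            String[] requested = ctx.request().queryString().get("userName");
            return requested != null
                   && requested.length == 1
                   && subject.getIdentifier().equals(requested[0]);
        });
    }

    @Override
    public boolean isAllowed(String name, String meta, DeadboltHandler handler, Http.Context ctx) {
        Rule rule = rules.get(name);
        // an unregistered name is a wiring mistake: deny rather than grant by accident
        return rule != null && rule.isAllowed(meta, handler, ctx);
    }

    @Override
    public boolean checkPermission(String permissionValue, DeadboltHandler handler, Http.Context ctx) {
        // only consulted for @Pattern(patternType = PatternType.CUSTOM); none are defined here
        return false;
    }
}
```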

Pattern

Pattern allows you to decide access using regular expressions (REs).

Specification | Result

@Pattern("printers.edit")
public static Result editPrinter() {
    return ok(accessOk.render());
}

@Pattern("printers.detonate")
public static Result detonatePrinter() {
    return ok(accessOk.render());
}

@Pattern(value = "(.)*\\.edit", patternType = PatternType.REGEX)
public static Result editPrinterRegex() {
    return ok(accessOk.render());
}
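Added example (not from the page or from Deadbolt): a stand-alone check of the three @Pattern specifications above against the configured user's single permission, printers.edit, assuming EQUALITY compares the whole value and REGEX requires a whole-value match. It also shows a caveat the table does not: "(.)*\\.edit" is not limited to printers, so a subject holding, say, users.edit would pass editPrinterRegex as well. PatternCheck and its enum are my names.

```java
import java.util.List;
import java.util.regex.Pattern;

public class PatternCheck {

    enum PatternType { EQUALITY, REGEX }

    /** True if any permission value held by the subject satisfies the pattern. */
    static boolean hasMatchingPermission(List<String> permissions, String value, PatternType type) {
        Pattern regex = type == PatternType.REGEX ? Pattern.compile(value) : null;
        for (String permission : permissions) {
            boolean hit = regex == null
                          ? permission.equals(value)              // EQUALITY: exact value
                          : regex.matcher(permission).matches();  // REGEX: whole value must match
            if (hit) {
                return true;
            }
        }
        return false;
    }

    private static void report(String label, boolean allowed) {
        System.out.println(label + " -> " + (allowed ? "access OK" : "access denied"));
    }

    public static void main(String[] args) {
        List<String> user = List.of("printers.edit"); // the configured user's only permission

        report("editPrinter      printers.edit", hasMatchingPermission(user, "printers.edit", PatternType.EQUALITY));
        report("detonatePrinter  printers.detonate", hasMatchingPermission(user, "printers.detonate", PatternType.EQUALITY));
        report("editPrinterRegex (.)*\\.edit", hasMatchingPermission(user, "(.)*\\.edit", PatternType.REGEX));

        // caveat: the regex says nothing about printers, so an unrelated ".edit" permission also matches
        List<String> other = List.of("users.edit"); // constructed subject, not on the page
        report("(.)*\\.edit for a users.edit holder", hasMatchingPermission(other, "(.)*\\.edit", PatternType.REGEX));
        // anchoring the prefix keeps the constraint inside the printers namespace
        report("printers\\..* for a users.edit holder", hasMatchingPermission(other, "printers\\..*", PatternType.REGEX));
    }
}
```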

Unrestricted

Unrestricted allows you to override a broader constraint. For example, a controller may be protected with Dynamic while a method inside it is exempted from that constraint via the @Unrestricted annotation.

Specification | Result

@Restrict("hurdy")
public class UnrestrictedController extends Controller {
    public static Result index() {
        return ok(accessOk.render());
    }
}

@Restrict("hurdy")
public class UnrestrictedController extends Controller {
    @Unrestricted
    public static Result unrestrictedWithinAConstrainedController() {
        return ok(accessOk.render());
    }
}

Template authorisation

Deadbolt tags do not offer any real protection against misuse on your server side, but they do allow you to customise your UI according to the privileges of the current user.

Each tag has an "Or" variant, e.g. restrictOr, that allows you to pass in an alternative body for when authorisation fails.

For each example, the unprotected content is on the left, the Deadbolt tag is in the center and the result of the authorisation is on the right.

subjectPresent

This is one of the simplest constraints in Deadbolt. It simply requires that a user be present (i.e. logged in).

Unprotected content: This content should be visible
Specification:
@subjectPresent() {
  This content should be visible
}
Result: This content should be visible

Unprotected content: This content should NOT be visible
Specification:
@subjectPresent(new security.NoUserDeadboltHandler()) {
  This content should NOT be visible
}
Result: (empty)

Unprotected content: This content should be visible
Specification:
@subjectPresentOr() {
  This content should be visible
}{Sorry, no access}
Result: This content should be visible

Unprotected content: This content should NOT be visible
Specification:
@subjectPresentOr(new security.NoUserDeadboltHandler()) {
  This content should NOT be visible
}{Sorry, no access}
Result: Sorry, no access

subjectNotPresent

The counterpart to subjectPresent. This constraint requires that a user isn’t present (i.e. no-one is logged in).

Unprotected content: This content should NOT be visible
Specification:
@subjectNotPresent() {
  This content should NOT be visible
}
Result: (empty)

Unprotected content: This content should be visible
Specification:
@subjectNotPresent(new security.NoUserDeadboltHandler) {
  This content should be visible
}
Result: This content should be visible

Unprotected content: This content should NOT be visible
Specification:
@subjectNotPresentOr() {
  This content should NOT be visible
}{Sorry, no access}
Result: Sorry, no access

Unprotected content: This content should be visible
Specification:
@subjectNotPresentOr(new security.NoUserDeadboltHandler) {
  This content should be visible
}{Sorry, no access}
Result: This content should be visible

restrict

restrict uses an ANDed set of roles within an array to determine if a part of a template is rendered. For example, a user with the roles “foo” and “bar” could see a restrict-protected area of template that required any of the following:
foo
bar
foo AND bar
However, a restrict that required “foo”, “bar” and “hurdy” would not render the protected area.

Giving multiple arrays in the list gives the equivalent of the Restrictions controller action.

As a convenience for creating Array[String] instances, you can use the TemplateUtils#as(String…) method.
Content visible:
@restrict(la(as("foo", "bar"))) {
  This content should be visible
}
Content not visible:
@restrict(la(as("foo", "bar", "hurdy"))) {
  This content should NOT be visible
}
Content visible:
@restrict(List(as("hurdy"), as("foo", "bar"))) {
  This content should be visible
}
Content visible:
@restrictOr(la(as("foo", "bar"))) {
  This content should be visible
}{Sorry, you're not allowed to see this}
Content not visible:
@restrictOr(la(as("foo", "bar", "hurdy"))) {
  This content should NOT be visible
}{Sorry, you're not allowed to see this}

dynamic

Content may be visible, depending on your luck:
@dynamic(handler, "pureLuck") {
  This content may be visible, depending on your luck
}
Content not visible:
@dynamic(new MyDeadboltHandler("pureLuck", "", new MyAlternativeDynamicResourceHandler())) {
  This content should NOT be visible
}
Content may be visible, depending on your luck:
@dynamicOr("pureLuck") {
  This content may be visible, depending on your luck
}{Guess you were unlucky}
Content not visible:
@dynamicOr("pureLuck", "", new security.MyAlternativeDeadboltHandler()) {
  This content should NOT be visible
}{Guess you were unlucky}

pattern

Content visible:
@pattern(handler, "printers.edit") {
  This content should be visible
}
Content not visible:
@pattern(handler, "printers.foo") {
  This content should not be visible
}
Content visible:
@pattern(handler, "(.)*\.edit", PatternType.REGEX) {
  This content should not be visible
}
