Spring Security(Third Edition)

Group-based access control

The JdbcUserDetailsManager class supports adding a level of indirection between users and GrantedAuthority declarations by grouping GrantedAuthority declarations into logical sets called groups.

Users are then assigned one or more groups, and their membership confers a set of the GrantedAuthority declarations:

As you can see in the preceding diagram, this indirection allows the same set of roles to be assigned to many users simply by adding new users to existing groups. This differs from what we've seen so far, where we assigned GrantedAuthority declarations directly to individual users.

This bundling of common sets of authorities can be helpful in the following scenarios:

  • You need to segregate users into communities, with some overlapping roles between groups.
  • You want to globally change the authorization for a class of user. For example, if you have a supplier group, you might want to enable or disable their access to particular portions of the application.
  • You have a large number of users, and you don't need user-level authority configuration.
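The following is an added example, not code from the book or the JBCP calendar application. It wires a JdbcUserDetailsManager against an embedded HSQL database with Spring Security's documented group schema (groups, group_members, group_authorities) and then shows the indirection described above and the "change a whole class of user in one place" scenario from the list. It assumes spring-security-core, spring-jdbc and hsqldb on the classpath; the group names, usernames and the {noop} password prefix (which Spring Security 5's default DelegatingPasswordEncoder accepts) are constructed for the demo.

```java
import java.util.Arrays;
import java.util.Collections;
import javax.sql.DataSource;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseType;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.provisioning.JdbcUserDetailsManager;

public class GroupBasedAccessDemo {

    // Spring Security's default users/authorities DDL plus its documented group schema,
    // in the HSQL dialect (varchar_ignorecase is HSQL-specific).
    private static final String[] SCHEMA = {
        "create table users (username varchar_ignorecase(50) not null primary key,"
            + " password varchar_ignorecase(500) not null, enabled boolean not null)",
        "create table authorities (username varchar_ignorecase(50) not null,"
            + " authority varchar_ignorecase(50) not null,"
            + " constraint fk_authorities_users foreign key(username) references users(username))",
        "create unique index ix_auth_username on authorities (username, authority)",
        "create table groups (id bigint generated by default as identity(start with 0) primary key,"
            + " group_name varchar_ignorecase(50) not null)",
        "create table group_authorities (group_id bigint not null, authority varchar(50) not null,"
            + " constraint fk_group_authorities_group foreign key(group_id) references groups(id))",
        "create table group_members (id bigint generated by default as identity(start with 0) primary key,"
            + " username varchar(50) not null, group_id bigint not null,"
            + " constraint fk_group_members_group foreign key(group_id) references groups(id))"
    };

    static JdbcUserDetailsManager buildManager() {
        DataSource ds = new EmbeddedDatabaseBuilder().setType(EmbeddedDatabaseType.HSQL).build();
        JdbcTemplate jdbc = new JdbcTemplate(ds);
        for (String ddl : SCHEMA) {
            jdbc.execute(ddl);
        }
        JdbcUserDetailsManager manager = new JdbcUserDetailsManager();
        manager.setDataSource(ds);
        manager.setEnableGroups(true);       // resolve authorities via group_members -> group_authorities
        manager.setEnableAuthorities(false); // ignore the per-user authorities table entirely
        return manager;
    }

    static GrantedAuthority role(String name) {
        return new SimpleGrantedAuthority("ROLE_" + name);
    }

    public static void main(String[] args) {
        JdbcUserDetailsManager manager = buildManager();

        // 1. Authorities are attached to groups, not to users (constructed demo groups).
        manager.createGroup("Users", Arrays.asList(role("USER")));
        manager.createGroup("Administrators", Arrays.asList(role("USER"), role("ADMIN")));

        // 2. Users are created with no authorities of their own (constructed demo accounts).
        for (String name : new String[] {"user1@example.com", "user2@example.com", "admin1@example.com"}) {
            manager.createUser(new User(name, "{noop}" + name, Collections.<GrantedAuthority>emptyList()));
        }

        // 3. Group membership is the only per-user assignment.
        manager.addUserToGroup("user1@example.com", "Users");
        manager.addUserToGroup("admin1@example.com", "Administrators");

        UserDetails admin = manager.loadUserByUsername("admin1@example.com");
        System.out.println("admin1 authorities: " + admin.getAuthorities());

        // 4. Changing a class of user happens once, on the group: every member of "Users"
        //    picks up the new role on their next load, with no per-user edits.
        manager.addGroupAuthority("Users", role("REPORTS"));
        System.out.println("user1 authorities: "
                + manager.loadUserByUsername("user1@example.com").getAuthorities());

        // 5. Caveat: with the authorities table disabled, a user in no group resolves to zero
        //    authorities, and JdbcDaoImpl treats such an account as not found at login.
        try {
            manager.loadUserByUsername("user2@example.com");
        } catch (UsernameNotFoundException e) {
            System.out.println("user2 belongs to no group and cannot authenticate: " + e.getMessage());
        }
    }
}
```

Two design notes. Leaving setEnableAuthorities at its default of true gives a hybrid model in which a user's effective authorities are the union of their own authorities rows and those of their groups; turning it off, as above, forces the pure group-based model, which also means that forgetting to add a user to a group locks them out rather than leaving them with reduced access. HSQL is used rather than H2 because recent H2 versions reserve GROUPS as a keyword, so the default table name collides unless quoted.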

Unless your application has a very small user base, you will very likely end up using group-based access control. While it is slightly more complex than assigning authorities directly, the flexibility and simplicity of managing a user's access make the extra complexity worthwhile. This indirect technique of aggregating user privileges by group is commonly referred to as group-based access control (GBAC).

GBAC is an approach common to almost every secured operating system or software package on the market. Microsoft Active Directory (AD) is one of the most visible large-scale implementations of GBAC: AD users are placed into groups, and privileges are assigned to those groups. Managing privileges in large AD-based organizations is made considerably simpler through the use of GBAC.

Try to think of the security models of the software you use—how are the users, groups, and privileges managed? What are the pros and cons of the way the security model is written?

Let's add a level of abstraction to the JBCP calendar application and apply the concept of group-based authorization to the site.