Access Control
RBAC (role-based access control) to ABAC (attribute-based access control):
https://en.wikipedia.org/wiki/Attribute-based_access_control
Historically, access control models have included mandatory access control (MAC), discretionary access control (DAC), and more recently role-based access control (RBAC). These access control models are user-centric and do not take into account additional parameters such as resource information, relationship between the user (the requesting entity) and the resource, and dynamic information e.g. time of the day or user IP. ABAC tries to address this by defining access control based on attributes which describe the requesting entity (the user), the targeted object or resource, the desired action (view, edit, delete...), and environmental or contextual information. This is why access control is said to be attribute-based.
http://www.webfarmr.eu/2010/09/xacml-101-a-quick-intro-to-attribute-based-access-control-with-xacml/
Key words of ABAC:
Subject: user
Resource: course, attribute: privacy (private or public)
Action: CRUD
Policy:
Rule:
In a sense, RBAC can be seen as a subset of ABAC, since a role is just one attribute.
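An added example, not code from any of the linked pages: a minimal ABAC evaluator using the vocabulary above (subject, a course resource with a privacy attribute, CRUD actions, plus the hour of day as an environment attribute), with one rule showing how a role is just another subject attribute. The subjects, courses and rules are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed example (not code from the linked pages): a tiny ABAC evaluator.
# Subject, resource and environment attributes are plain dicts; each Rule is a
# predicate over (subject, resource, action, env) plus an effect.
@dataclass
class Rule:
    name: str
    effect: str  # "permit" or "deny"
    condition: Callable[[dict, dict, str, dict], bool]

def evaluate(rules, subject, resource, action, env):
    """Deny-overrides combining: a matching deny wins outright, otherwise a
    matching permit wins, and with no match at all the default is deny."""
    decision = "deny"
    for rule in rules:
        if rule.condition(subject, resource, action, env):
            if rule.effect == "deny":
                return "deny"
            decision = "permit"
    return decision

WRITE_ACTIONS = {"create", "update", "delete"}

# Course policy in the page's vocabulary: resource attribute "privacy", CRUD
# actions, and the hour of day as a dynamic environment attribute.
COURSE_POLICY = [
    Rule("public-read", "permit",
         lambda s, r, a, e: a == "read" and r["privacy"] == "public"),
    Rule("owner-any", "permit",
         lambda s, r, a, e: s["id"] == r["owner"]),
    # RBAC as a subset of ABAC: the role is just one more subject attribute.
    Rule("admin-any", "permit",
         lambda s, r, a, e: "admin" in s["roles"]),
    Rule("no-writes-out-of-hours", "deny",
         lambda s, r, a, e: a in WRITE_ACTIONS and not 9 <= e["hour"] < 18),
]

# Constructed sample subjects and resources.
ALICE = {"id": "alice", "roles": ["student"]}
BOB = {"id": "bob", "roles": ["teacher"]}
ROOT = {"id": "root", "roles": ["admin"]}
PUBLIC_COURSE = {"id": "c1", "owner": "bob", "privacy": "public"}
PRIVATE_COURSE = {"id": "c2", "owner": "bob", "privacy": "private"}

def decide(subject, resource, action, hour=10):
    return evaluate(COURSE_POLICY, subject, resource, action, {"hour": hour})
```

Note that the environment rule denies even an admin outside working hours, which is exactly the kind of dynamic context a pure role check cannot express.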
OAuth 2.0
OAuth 2 Simplified
https://aaronparecki.com/2012/07/29/2/oauth2-simplified
The OAuth 2.0 Specification –
http://tools.ietf.org/html/rfc6749
OAuth defines four roles:
resource owner: An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.
resource server: The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
client: An application making protected resource requests on behalf of the resource owner and with its authorization. The term "client" does not imply any particular implementation characteristics (e.g., whether the application executes on a server, a desktop, or other devices).
authorization server: The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
The interaction between the authorization server and resource server is beyond the scope of this specification. The authorization server may be the same server as the resource server or a separate entity. A single authorization server may issue access tokens accepted by multiple resource servers.
https://www.forgerock.com/blog/oauth2/
In addition to these four roles, two different types of tokens are defined by the standard:
Access Token:
Access tokens are credentials provided by the client to access protected resources. An access token is a string that represents an authorization issued to the client. Tokens represent specific scopes and durations of access, granted by the resource owner, and enforced by the resource server and authorization server. The access token provides an abstraction layer, replacing different authorization constructs such as traditional credentials (username/password) with a single token that is understood by the resource server.
Refresh Token:
Although not mandated by the specification, access tokens ideally have an expiration time that can last anywhere from a few minutes to several hours. Refresh tokens are credentials that are used to obtain access tokens. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires.
OpenID Connect:
Why Not Just Use OAuth 2.0?
http://stackoverflow.com/questions/33934920/what-openid-connect-adds-to-oauth-2-0-why-is-oauth-2-0-not-sufficient-for-authe
http://oauth.net/articles/authentication/
https://developer.salesforce.com/page/Inside_OpenID_Connect_on_Force.com#Why_Not_Just_Use_OAuth_2.0.3F
Control flags of PAM (pluggable authentication module), as also used for the LoginModule stack in the Java JAAS Configuration linked below:
http://docs.oracle.com/javase/6/docs/api/javax/security/auth/login/Configuration.html
The Flag value controls the overall behavior as authentication proceeds down the stack. The following represents a description of the valid values for Flag and their respective semantics:
1) Required - The LoginModule is required to succeed. If it succeeds or fails, authentication still continues to proceed down the LoginModule list.
2) Requisite - The LoginModule is required to succeed. If it succeeds, authentication continues down the LoginModule list. If it fails, control immediately returns to the application (authentication does not proceed down the LoginModule list).
3) Sufficient - The LoginModule is not required to succeed. If it does succeed, control immediately returns to the application (authentication does not proceed down the LoginModule list). If it fails, authentication continues down the LoginModule list.
4) Optional - The LoginModule is not required to succeed. If it succeeds or fails, authentication still continues to proceed down the LoginModule list.
The overall authentication succeeds only if all Required and Requisite LoginModules succeed. If a Sufficient LoginModule is configured and succeeds, then only the Required and Requisite LoginModules prior to that Sufficient LoginModule need to have succeeded for the overall authentication to succeed. If no Required or Requisite LoginModules are configured for an application, then at least one Sufficient or Optional LoginModule must succeed.
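An added example, not code from the Java docs quoted above: a simulator that walks a LoginModule stack with the four flags and reports both the overall decision and which modules were actually invoked, so the short-circuit behaviour of Requisite and Sufficient is visible. The `module` helper and the two sample stacks are constructed stubs whose login() outcome is fixed.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed example, not code from the Java docs linked above: a simulator for
# a LoginModule stack that applies the Required / Requisite / Sufficient /
# Optional flag semantics and also reports which modules actually ran.
@dataclass
class LoginModuleEntry:
    name: str
    flag: str                  # "required", "requisite", "sufficient", "optional"
    login: Callable[[], bool]  # the module's login(): True on success

def module(name: str, flag: str, succeeds: bool) -> LoginModuleEntry:
    """Build a stub module whose login() has a fixed outcome (constructed)."""
    return LoginModuleEntry(name, flag, lambda: succeeds)

def authenticate(stack: List[LoginModuleEntry]) -> Tuple[bool, List[str]]:
    """Return (overall decision, names of the modules that were invoked)."""
    executed: List[str] = []
    has_required = False      # any Required/Requisite entry seen so far
    required_failed = False   # a Required/Requisite entry seen so far failed
    soft_succeeded = False    # an Optional entry succeeded
    for entry in stack:
        executed.append(entry.name)
        ok = entry.login()
        if entry.flag in ("required", "requisite"):
            has_required = True
            if not ok:
                required_failed = True
                if entry.flag == "requisite":
                    return False, executed   # control returns at once
        elif entry.flag == "sufficient":
            if ok:
                # Success short-circuits: only the Required/Requisite modules
                # before this one needed to succeed; later ones never run.
                return not required_failed, executed
        elif entry.flag == "optional":
            soft_succeeded = soft_succeeded or ok
        else:
            raise ValueError(f"unknown flag {entry.flag!r} on {entry.name}")
    if has_required:
        return not required_failed, executed
    # No Required/Requisite module: at least one Sufficient/Optional must succeed
    # (a Sufficient that succeeded would already have returned above).
    return soft_succeeded, executed

# Constructed stacks: a Sufficient module that succeeds short-circuits, so the
# failing Required module after it never runs; swap the order and it does.
SUFFICIENT_FIRST = [module("krb5", "sufficient", True), module("pwd", "required", False)]
REQUIRED_FIRST = [module("pwd", "required", False), module("krb5", "sufficient", True)]
```

The ordering difference between the two sample stacks is the practical point: a Sufficient entry placed before a Required one turns the Required one into a bypassable check.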