CoSec 2.2.0 released: a multi-tenant reactive security framework based on RBAC and policies
A multi-tenant reactive security framework based on RBAC and policies
Release notes (v2.2.0) 🎉 🎉 🎉

Full support for Spring Boot 3

- Dependency: update me.ahoo.cosid:cosid-bom to v2.2.5
- Dependency: update org.springframework.boot:spring-boot-dependencies to v3.1.2
- Dependency: update me.ahoo.cocache:cocache-bom to v2.0.3
- Feature: add MatcherFactoryRegister, which scans the Spring container for ConditionMatcherFactory / ActionMatcherFactory beans and registers them, extending the SPI mechanism
- Feature: EqConditionMatcher supports an ignoreCase parameter
- Feature: parameters are extracted from path variables (for example the id in /user/{id}) and injected into the security context as request.path.var.*, where a ConditionMatcher can use them
- Feature: EqConditionMatcher supports SpEL expressions

Example: a statement that lets a user reach only their own /user/{id} resource, by comparing the path variable with the principal's id:

```json
{
  "name": "RequestPathVarTemplate",
  "action": "/user/{id}",
  "condition": {
    "eq": {
      "part": "request.path.var.id",
      "value": "#{principal.id}"
    }
  }
}
```
Authentication
Authorization
OAuth
Modeling class diagram
Security gateway service
Authorization policy flow
Built-in policy matchers
ActionMatcher

How to customize an ActionMatcher (SPI)

An ActionMatcherFactory is identified by its type string and builds an ActionMatcher from the statement's configuration:

```kotlin
class CustomActionMatcherFactory : ActionMatcherFactory {
    companion object {
        const val TYPE = "[CustomActionType]"
    }

    override val type: String
        get() = TYPE

    override fun create(configuration: Configuration): ActionMatcher {
        return CustomActionMatcher(configuration)
    }
}

class CustomActionMatcher(override val configuration: Configuration) : ActionMatcher {
    override val type: String
        get() = CustomActionMatcherFactory.TYPE

    override fun match(request: Request, securityContext: SecurityContext): Boolean {
        // Custom matching logic goes here; TODO() keeps the skeleton compiling.
        TODO("Custom matching logic")
    }
}
```

Register the factory with the Java ServiceLoader by listing its fully qualified class name in the file META-INF/services/me.ahoo.cosec.policy.action.ActionMatcherFactory:

```
# CustomActionMatcherFactory fully qualified name
```

Since 2.2.0, a factory declared as a bean in the Spring container is also picked up by MatcherFactoryRegister.
ConditionMatcher

How to customize a ConditionMatcher (SPI)

A ConditionMatcherFactory works the same way; the matcher extends AbstractConditionMatcher and implements internalMatch:

```kotlin
class CustomConditionMatcherFactory : ConditionMatcherFactory {
    companion object {
        const val TYPE = "[CustomConditionType]"
    }

    override val type: String
        get() = TYPE

    override fun create(configuration: Configuration): ConditionMatcher {
        return CustomConditionMatcher(configuration)
    }
}

class CustomConditionMatcher(configuration: Configuration) :
    AbstractConditionMatcher(CustomConditionMatcherFactory.TYPE, configuration) {

    override fun internalMatch(request: Request, securityContext: SecurityContext): Boolean {
        // Custom matching logic goes here; TODO() keeps the skeleton compiling.
        TODO("Custom matching logic")
    }
}
```

Register the factory with the Java ServiceLoader by listing its fully qualified class name in the file META-INF/services/me.ahoo.cosec.policy.condition.ConditionMatcherFactory:

```
# CustomConditionMatcherFactory fully qualified name
```

Since 2.2.0, a factory declared as a bean in the Spring container is also picked up by MatcherFactoryRegister.
Policy Schema

Configure the Policy Schema to enable input auto-completion in the IDE (IntelliJ IDEA).

Policy Demo

```json
{
  "id": "id",
  "name": "name",
  "category": "category",
  "description": "description",
  "type": "global",
  "tenantId": "tenantId",
  "condition": {
    "bool": {
      "and": [
        { "authenticated": {} },
        { "rateLimiter": { "permitsPerSecond": 10 } }
      ]
    }
  },
  "statements": [
    {
      "action": {
        "path": {
          "pattern": "/user/#{principal.id}/*",
          "options": {
            "caseSensitive": false,
            "separator": "/",
            "decodeAndParseSegments": false
          }
        }
      }
    },
    {
      "name": "Anonymous",
      "action": [ "/auth/register", "/auth/login" ]
    },
    {
      "name": "UserScope",
      "action": "/user/#{principal.id}/*",
      "condition": { "authenticated": {} }
    },
    {
      "name": "Developer",
      "action": "*",
      "condition": {
        "in": { "part": "context.principal.id", "value": [ "developerId" ] }
      }
    },
    {
      "name": "RequestOriginDeny",
      "effect": "deny",
      "action": "*",
      "condition": {
        "regular": {
          "negate": true,
          "part": "request.origin",
          "pattern": "^(http|https)://github.com"
        }
      }
    },
    {
      "name": "IpBlacklist",
      "effect": "deny",
      "action": "*",
      "condition": {
        "path": {
          "part": "request.remoteIp",
          "pattern": "192.168.0.*",
          "options": {
            "caseSensitive": false,
            "separator": ".",
            "decodeAndParseSegments": false
          }
        }
      }
    },
    {
      "name": "RegionWhitelist",
      "effect": "deny",
      "action": "*",
      "condition": {
        "regular": {
          "negate": true,
          "part": "request.attributes.ipRegion",
          "pattern": "^中国\\|0\\|(上海|广东省)\\|.*"
        }
      }
    },
    {
      "name": "AllowDeveloperOrIpRange",
      "action": "*",
      "condition": {
        "bool": {
          "and": [ { "authenticated": {} } ],
          "or": [
            { "in": { "part": "context.principal.id", "value": [ "developerId" ] } },
            {
              "path": {
                "part": "request.remoteIp",
                "pattern": "192.168.0.*",
                "options": {
                  "caseSensitive": false,
                  "separator": ".",
                  "decodeAndParseSegments": false
                }
              }
            }
          ]
        }
      }
    },
    {
      "name": "TestContains",
      "effect": "allow",
      "action": "*",
      "condition": {
        "contains": { "part": "request.attributes.ipRegion", "value": "上海" }
      }
    },
    {
      "name": "TestStartsWith",
      "effect": "allow",
      "action": "*",
      "condition": {
        "startsWith": { "part": "request.attributes.ipRegion", "value": "中国" }
      }
    },
    {
      "name": "TestEndsWith",
      "effect": "allow",
      "action": "*",
      "condition": {
        "endsWith": { "part": "request.attributes.remoteIp", "value": ".168.0.1" }
      }
    }
  ]
}
```
App Permission Metadata Schema

Configure the App Permission Schema to enable input auto-completion in the IDE (IntelliJ IDEA).

App Permission Metadata Demo

```json
{
  "id": "manage",
  "condition": {
    "bool": {
      "and": [
        { "authenticated": {} },
        {
          "groupedRateLimiter": {
            "part": "request.remoteIp",
            "permitsPerSecond": 10,
            "expireAfterAccessSecond": 1000
          }
        },
        { "inTenant": { "value": "default" } }
      ]
    }
  },
  "groups": [
    {
      "name": "order",
      "description": "order management",
      "permissions": [
        {
          "id": "manage.order.ship",
          "name": "Ship",
          "description": "Ship",
          "action": "/order/ship"
        },
        {
          "id": "manage.order.issueInvoice",
          "name": "Issue an invoice",
          "description": "Issue an invoice",
          "action": "/order/issueInvoice"
        }
      ]
    }
  ]
}
```
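The policy demo and the 2.2.0 path-variable feature above show the document shape but not how the pieces combine at request time. The following added example (written for this page, not CoSec's own code) is a small Python model of that evaluation: it implements the authenticated, bool, eq (with ignoreCase), in, regular (with negate) and path (with separator/caseSensitive options) matchers used by the demos, substitutes #{principal.id}, and exposes the variables captured from a template action such as /user/{id} to conditions as request.path.var.*. Everything about combination semantics is an assumption, not something the page states: an explicit deny overrides any allow (the AWS IAM rule the page cites as its design reference), a statement without "effect" allows, "bool" requires every "and" entry and at least one "or" entry, and '*' in a path pattern matches exactly one segment. The policy, principals and requests are constructed for the example; rateLimiter, groupedRateLimiter and inTenant are not modelled.

```python
# Added example, not CoSec's code: a model of evaluating a policy in the shape
# shown above (authenticated, bool, eq, in, regular, path; "#{principal.id}"
# substitution; the 2.2.0 "/user/{id}" path variables as request.path.var.*).
# Assumed, not stated by the page: explicit deny overrides allow (the AWS IAM
# rule the page cites), a statement without "effect" allows, "bool" needs all
# "and" plus any "or", '*' matches one segment. All data here is constructed.
import re

def match_path(pattern, value, sep="/", case_sensitive=True):
    """Segment-wise match ('/user/{id}/*', or '192.168.0.*' with sep='.'); captured vars or None."""
    norm = (lambda s: s) if case_sensitive else str.lower
    p, v = pattern.strip(sep).split(sep), value.strip(sep).split(sep)
    if len(p) != len(v):
        return None
    captured = {}
    for ps, vs in zip(p, v):
        if ps.startswith("{") and ps.endswith("}"):
            captured[ps[1:-1]] = vs
        elif ps != "*" and norm(ps) != norm(vs):
            return None
    return captured

def interpolate(text, principal):
    """Resolve '#{principal.<attr>}' placeholders from the principal."""
    return re.sub(r"#\{principal\.(\w+)\}",
                  lambda m: str(principal.get(m.group(1), "")), text)

def part_value(part, request, principal, path_vars):
    """Resolve a condition 'part' name against the security context."""
    if part.startswith("request.path.var."):
        return path_vars.get(part.split(".", 3)[3], "")
    if part.startswith("request.attributes."):
        return request.get("attributes", {}).get(part.split(".", 2)[2], "")
    if part.startswith("request."):
        return request.get(part.split(".", 1)[1], "")
    if part.startswith("context.principal."):
        return principal.get(part.rsplit(".", 1)[1], "")
    raise ValueError("unknown part: " + part)

def eval_condition(cond, request, principal, path_vars):
    (kind, cfg), = cond.items()  # one matcher type per condition object
    if kind == "authenticated":
        return bool(principal.get("authenticated"))
    if kind == "bool":
        sub = lambda c: eval_condition(c, request, principal, path_vars)
        ors = cfg.get("or", [])
        return all(map(sub, cfg.get("and", []))) and (not ors or any(map(sub, ors)))
    value = part_value(cfg["part"], request, principal, path_vars)
    if kind == "eq":
        expected = interpolate(cfg["value"], principal)
        return value.lower() == expected.lower() if cfg.get("ignoreCase") else value == expected
    if kind == "in":
        return value in cfg["value"]
    if kind == "regular":  # negate flips the regex result
        return (re.search(cfg["pattern"], value) is not None) != bool(cfg.get("negate"))
    if kind == "path":
        o = cfg.get("options", {})
        return match_path(cfg["pattern"], value, o.get("separator", "/"),
                          o.get("caseSensitive", True)) is not None
    raise ValueError("unknown condition: " + kind)

def match_action(action, request, principal):
    """Path variables if the statement's action covers request['path'], else None."""
    if isinstance(action, list):
        hits = (match_action(a, request, principal) for a in action)
        return next((h for h in hits if h is not None), None)
    if isinstance(action, dict):  # {"path": {"pattern": ..., "options": ...}}
        cfg, o = action["path"], action["path"].get("options", {})
        return match_path(interpolate(cfg["pattern"], principal), request["path"],
                          o.get("separator", "/"), o.get("caseSensitive", True))
    if action == "*":
        return {}
    return match_path(interpolate(action, principal), request["path"])

def evaluate(policy, request, principal):
    """True when some statement allows and no statement denies (deny-overrides)."""
    allowed = False
    for st in policy["statements"]:
        path_vars = match_action(st["action"], request, principal)
        if path_vars is None:
            continue
        if "condition" in st and not eval_condition(st["condition"], request, principal, path_vars):
            continue
        if st.get("effect", "allow") == "deny":
            return False
        allowed = True
    return allowed

POLICY = {"statements": [  # constructed: owner-only user access, developer override, IP deny
    {"name": "Anonymous", "action": ["/auth/register", "/auth/login"]},
    {"name": "OwnUser", "action": "/user/{id}", "condition": {"bool": {"and": [
        {"authenticated": {}},
        {"eq": {"part": "request.path.var.id", "value": "#{principal.id}"}}]}}},
    {"name": "Developer", "action": "*", "condition": {"bool": {
        "and": [{"authenticated": {}}],
        "or": [{"in": {"part": "context.principal.id", "value": ["developerId"]}}]}}},
    {"name": "IpBlacklist", "effect": "deny", "action": "*", "condition": {"path": {
        "part": "request.remoteIp", "pattern": "192.168.0.*", "options": {"separator": "."}}}},
]}

def decide(path, principal_id, authenticated=True, remote_ip="10.0.0.1"):
    request = {"path": path, "remoteIp": remote_ip, "attributes": {}}
    return evaluate(POLICY, request, {"id": principal_id, "authenticated": authenticated})
```

With this model, decide("/user/alice", "alice") allows while decide("/user/bob", "alice") denies: the OwnUser statement's eq condition compares the captured path variable with the principal's id, which is the check that stops a logged-in user from reading another user's resource by editing the id in the URL. The developer override is itself overridden by the IP deny, which is the point of deny-overrides. Two caveats carry over to real deployments: a statement keyed on request.remoteIp is only as trustworthy as the way the gateway derives that address (if it comes from forwarded headers, only trusted proxies may be allowed to set them), and the single-segment '*' used here is a simplification of path-pattern syntax, so patterns should be tested against the real matcher before being relied on.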
OpenTelemetry

CoSec follows the OpenTelemetry General identity attributes specification.

Acknowledgements

The CoSec permission policy design is modelled on AWS IAM.