Deadbolt 2 Java

源http://deadbolt-2-java.herokuapp.com/

Configuration

user拥有下面两种角色:
foo
bar
user有下面一项permissions:
printers.edit

Controller authorisation

保护你的Controller免于未授权使用是一个好的application安全系统的关键因素。
例如

SubjectPresent

这是一个最简单的约束,它请求显示是否有用户登录。

SpecificationResult
@SubjectPresent
public static Result subjectPresent() {
    return ok(accessOk.render());
}
@SubjectPresent(handler = NoUserDeadboltHandler.class)
public static Result subjectPresent_notLoggedIn() {
    return ok(accessOk.render());
}

SubjectNotPresent

这个约束请求一个用户都没有登录

SpecificationResult
@SubjectNotPresent
public static Result subjectNotPresent_loggedIn() {
    return ok(accessOk.render());
}
@SubjectNotPresent(handler = NoUserDeadboltHandler.class)
public static Result subjectNotPresent() {
    return ok(accessOk.render());
}

Restrict

Restrict使用roles的ANDed集合决定是否能访问action。例如,有 “foo”和”bar”的角色的用户可以访问Restrict-protected的action,这个action指定下面任何一种:
foo
bar
foo AND bar
然而,需要 “foo”, “bar” 和”hurdy”的Restrict 将会拒绝user访问。

SpecificationResult
@Restrict({"foo", "bar"})
public class RestrictController extends Controller
@Restrict("foo")
public static Result restrictOne() {
    return ok(accessOk.render());
}
@Restrict({"foo", "bar"})
public static Result restrictTwo() {
    return ok(accessOk.render());
}
@Restrict({"foo", "!bar"})
public static Result restrictThree() {
    return ok(accessOk.render());
}
@Restrict({"hurdy"})
public static Result restrictFour() {
    return ok(accessOk.render());
}
@CustomRestrict(value = {MyRoles.foo, MyRoles.bar}, config = @Restrict(""))
public static Result customRestrictionOne() {
    return ok(accessOk.render());
}
@CustomRestrict(value = MyRoles.hurdy, config = @Restrict(""))
public static Result customRestrictionOne() {
    return ok(accessOk.render());
}

Restrictions

Restrictions 约束允许你使用OR角色组。例如,你可以允许访问匹配下面restrictions中的任何一项的user:
foo
hurdy AND gurdy

SpecificationResult
@Restrictions({@And("foo"),
                @And("bar")})
public class RestrictionsController extends Controller
@Restrictions({@And({"foo", "bar"})})
public static Result restrictionsOne() {
    return ok(accessOk.render());
}
@Restrictions({@And({"hurdy", "gurdy"}), @And("foo")})
public static Result restrictionsTwo() {
    return ok(accessOk.render());
}
@Restrictions({@And("foo"), @And("!bar")})
public static Result restrictionsThree() {
    return ok(accessOk.render());
}
@Restrictions(@And({"hurdy", "foo"}))
public static Result restrictionsFour() {
    return ok(accessOk.render());
}
@Restrictions(@And({"foo", "!bar"}))
public static Result restrictionsFive() {
    return ok(accessOk.render());
}
@CustomRestrictions(value = { @RoleGroup({MyRoles.foo, MyRoles.bar}),
                               @RoleGroup(MyRoles.hurdy)},
                     config = @Restrictions({}))
public static Result customRestrictionOne() {
    return ok(accessOk.render());
}
@CustomRestrictions(value = { @RoleGroup({MyRoles.hurdy, MyRoles.foo}),
                               @RoleGroup({MyRoles.hurdy, MyRoles.bar})},
                     config = @Restrictions({}))
public static Result customRestrictionOne() {
    return ok(accessOk.render());
}

Dynamic

Dynamic 是Deadbolt的最强约束。它强行执行有力的规则。参考整体概述的文档。
在这些例子里面,第一项是action,接下来是相关的DynamicResourceHandler。

SpecificationRuleResult
@Dynamic("pureLuck")
public static Result pureLuck() {
    return ok(accessOk.render());
}

public boolean isAllowed(String name,
                         String meta,
                         DeadboltHandler deadboltHandler,
                         Http.Context context) {
    return System.currentTimeMillis() % 2 == 0;
}
@Dynamic(value = "pureLuck", handler = MyAlternativeDeadboltHandler.class)
public static Result noWayJose() {
    return ok(accessOk.render());
}

public boolean checkPermission(String permissionValue,
                               DeadboltHandler deadboltHandler,
                               Http.Context ctx) {
    // Computer says no
    return false;
}
@Dynamic(value = "pureLuck", handler = MyAlternativeDeadboltHandler.class)
public static Result noWayJose() {
    return ok(accessOk.render());
}

public boolean isAllowed(String name,
                         String meta,
                         DeadboltHandler deadboltHandler,
                         Http.Context context) {
    Subject subject = deadboltHandler.getSubject(context);
    boolean allowed;
    if (DeadboltAnalyzer.hasRole(subject, "admin")) {
        allowed = true;
    } else {
        // a call to view profile is probably a get request, so
        // the query string is used to provide info
        // See the Deadbolt documentation on why this is harder to do with path parameters
        Map queryStrings = context.request().queryString();
        String[] requestedNames = queryStrings.get("userName");
        allowed = requestedNames != null
                  && requestedNames.length == 1
                  && ((AuthorisedUser)subject).userName.equals(requestedNames[0]);
    }
    return allowed;
}
@Dynamic(value = "viewProfile")
public static Result viewProfile(String userName) {
    return ok(accessOk.render());
}

public boolean isAllowed(String name,
                         String meta,
                         DeadboltHandler deadboltHandler,
                         Http.Context context) {
    Subject subject = deadboltHandler.getSubject(context);
    boolean allowed;
    if (DeadboltAnalyzer.hasRole(subject, "admin")) {
        allowed = true;
    } else {
        // a call to view profile is probably a get request, so
        // the query string is used to provide info
        // See the Deadbolt documentation on why this is harder to do with path parameters
        Map queryStrings = context.request().queryString();
        String[] requestedNames = queryStrings.get("userName");
        allowed = requestedNames != null
                  && requestedNames.length == 1
                  && ((AuthorisedUser)subject).userName.equals(requestedNames[0]);
    }
    return allowed;
}

Pattern

Pattern允许你使用正则表达式(RE)决定访问。

SpecificationResult
@Pattern("printers.edit")
public static Result editPrinter() {
    return ok(accessOk.render());
}
@Pattern("printers.detonate")
public static Result detonatePrinter() {
    return ok(accessOk.render());
}
@Pattern(value = "(.)*\\.edit", patternType = PatternType.REGEX)
public static Result editPrinterRegex() {
    return ok(accessOk.render());
}

Unrestricted

使用Unrestricted允许你忽略更宽泛的约束。例如,一个controller使用Dynamic保护,但是controller里面的方法可以不受以上约束,通过@Unrestrcted注解。

SpecificationResult
@Restrict("hurdy")
public class UnrestrictedController extends Controller {

    public static Result index() {
        return ok(accessOk.render());
    }
}
@Restrict("hurdy")
public class UnrestrictedController extends Controller {

    @Unrestricted
    public static Result unrestrictedWithinAConstrainedController() {
        return ok(accessOk.render());
    }
}

Template 授权

Deadbolt tags does not offer any real protected against misuse on your server side, but it does allow you to customise your UI according to the privileges of the current user.

Each tag has an “Or” variant, e.g. restrictOr, that allows you to pass in a alternative body for when authorisation fails.

For each example, the unprotected content is on the left, the Deadbolt tag is in the center and the result of the authorisation is on the right.

subjectPresent

This is one of the simplest constraints in Deadbolt. It simply requires that a user be present (i.e. logged in).

Unprotected contentSpecificationResult
This content should be visible

@subjectPresent() {
  This content should be visible
}

This content should be visible
This content should NOT be visible

@subjectPresent(new security.NoUserDeadboltHandler()) {
  This content should NOT be visible
}

This content should be visible

@subjectPresentOr() {
  This content should be visible
}{Sorry, no access}

This content should be visible
This content should NOT be visible

@subjectPresentOr(new security.NoUserDeadboltHandler()) {
  This content should be NOT visible
}{Sorry, no access}

Sorry, no access

subjectNotPresent

The counterpart to subjectPresent. This constraint requires that a user isn’t present (i.e. no-one is logged in).

Unprotected contentSpecificationResult
This content should NOT be visible

@subjectNotPresent() {
  This content should NOT be visible
}

This content should be visible

@subjectNotPresent(new security.NoUserDeadboltHandler) {
  This content should be visible
}

This content should be visible
This content should NOT be visible

@subjectNotPresentOr() {
  This content should NOT be visible
}{Sorry, no access}

Sorry, no access
This content should be visible

@subjectNotPresentOr(new security.NoUserDeadboltHandler) {
  This content should be visible
}{Sorry, no access}

This content should be visible

restrict

restrict uses an ANDed set of roles within an array to determine if a part of a template is rendered. For example, a user with the roles “foo” and “bar” could see a restrict-protected area of template that required any of the following:
foo
bar
foo AND bar
However, a restrict that required “foo”, “bar” and “hurdy” would not render the protected area.

Giving multiple arrays in the list gives the equivalent of the Restrictions controller action.

As a convenience for creating Array[String] instances, you can use the TemplateUtils#as(String…) method.
内容可见
@restrict(la(as(“foo”, “bar”))) {
This content should be visible
}
内容不可见
@restrict(la(as(“foo”, “bar”, “hurdy”))) {
This content should NOT be visible
}
内容可见
@restrict(List(as(“hurdy”), as(“foo”, “bar”))) {
This content should be visible
}
内容可见
@restrictOr(la(as(“foo”, “bar”))) {
This content should be visible
}{Sorry, you’re not allowed to see this}
内容不可见
@restrictOr(la(as(“foo”, “bar”, “hurdy”))) {
This content should NOT be visible
}{Sorry, you’re not allowed to see this}

dynamic

依赖你的luck,内容可见
@dynamic(handler, “pureLuck”) {
This content may be visible, depending on your luck
}
内容不可见
@dynamic(new MyDeadboltHandler(“pureLuck”, “”, new MyAlternativeDynamicResourceHandler())) {
This content should NOT be visible
}
依赖你的luck,内容可见
@dynamicOr(“pureLuck”) {
This content may be visible, depending on your luck
}{Guess you were unlucky}
内容不可见
@dynamicOr(“pureLuck”, “”, new security.MyAlternativeDeadboltHandler()) {
This content should NOT be visible
}{Guess you were unlucky}

pattern

内容可见
@pattern(handler, “printers.edit”) {
This content should be visible
}
内容不可见
@pattern(handler, “printers.foo”) {
This content should not visible
}
内容可见
@pattern(handler, “(.)*\.edit”, PatternType.REGEX) {
This content should not visible
}

你可能感兴趣的:(play2,deadbolt2)