
I understand the standard way to do authentication. So how do you manage authorization? #cmdevio


"For authentication, just ride the de facto standards such as OIDC": understood. So what comes next, after the user has been authenticated? Unfortunately, for access control frameworks there is no de facto standard…

Published in: Technology


  1. URL Attention https://bit.ly/devio2019-authz
  2. #cmdevio #cmdevio2 (speaker introduction; bullet text not recoverable) Twitter @daisuke_m
  3. (slide text not recoverable)
  4. (slide text not recoverable)
  5. API / UI
  6. Agenda (bullet text not recoverable); total 45 min
  7. 4 / ADI, ADF (section divider; repeated as slides 11, 14 and 21)
  8. (slide text not recoverable)
  9. (slide text not recoverable)
  10. (slide text not recoverable)
  11. (section divider, same as slide 7)
  12. (slide text not recoverable; a ※ footnote was present)
  13. Java Spring Security: @PreAuthorize / @PostAuthorize and @PreFilter / @PostFilter (※ note text not recoverable)
  14. (section divider, same as slide 7)
  15. ¥20,856 (context not recoverable)
  16. adf: (adi) ↦ allow/deny (boolean) (remaining bullets not recoverable)
  17. (slide text not recoverable)
  18. Referer (remaining bullets not recoverable)
  19. (slide text not recoverable)
  20. (slide text not recoverable)
  21. (section divider, same as slide 7)
  22. (slide text not recoverable)
  23. The same operation as a method call and as an HTTP request:
         emps.create({
           "id": "ezaki"
         });

         POST /emps
         {
           "id": "ezaki"
         }
  24. (slide text not recoverable)
  25. Action names: CreateEmp, ListEmp, GetEmp, UpdateEmp, DeleteEmp (cf. AWS)
  26. adf: (adi) ↦ allow/deny (boolean), called from the handler before the resource is touched:
         @RequestMapping
         fun getEmp(param: Any, adi: AccessDecisionInfo): Response {
             // Pre-authorize: ask the ADF first; deny means the service is never called
             if (!adf(adi)) {
                 throw AccessDeniedException()
             }
             val resource = service.getEmp(param)
             return Response.ok(resource)
         }
  27. ADI / adf (bullet text not recoverable)
  28. adi.action (remaining bullets not recoverable)
  29. adi.sub.authorities
         { "name": "ezaki",  "authorities": [ "ListEmp", "GetEmp", "UpdateEmp", "UpdateEmpByAdmin" ] }
         { "name": "takada", "authorities": [ "ListEmp", "UpdateEmp" ] }

         fun adf(adi: AccessDecisionInfo): Boolean {
             // allow iff the subject holds an authority named after the action
             return adi.sub.authorities.contains(adi.action)
         }
  30. UpdateEmp
         UpdateEmp("kaga", { "name": " " })        by kaga    200 OK
         UpdateEmp("kaga", { "salary": 888888 })   by kaga    403 Forbidden
  31. UpdateEmp / UpdateEmpByAdmin (bullet text not recoverable)
  32. UpdateEmpByAdmin("kaga", { "salary": 888888 })   by ezaki    200 OK
                                                        by takada   403 Forbidden (note about the API not recoverable)
      UpdateEmp("kaga", { "name": " " })                by kaga     200 OK
  33. Summary: adi.action; adi.sub.authorities; adf decides by whether adi.sub.authorities contains adi.action
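Slides 23 to 33 sketch the action/authority model as Kotlin fragments. The block below is an added example, not code from the talk, written in Python so it runs stand-alone: it maps an HTTP request onto an action name (the deck's point that POST /emps is really CreateEmp), decides with the deck's authority-contains-action `adf`, and reproduces the status codes shown on slides 30 and 32. The route templates, the `kaga` principal's authorities, and the choice of `salary` as the field that turns an update into UpdateEmpByAdmin are assumptions of this example.

```python
# Added example (not from the talk): action/authority-based ADF in Python.
from dataclasses import dataclass
from typing import Any, Optional


@dataclass(frozen=True)
class Subject:
    name: str
    authorities: frozenset            # e.g. {"ListEmp", "UpdateEmp"}


@dataclass(frozen=True)
class AccessDecisionInfo:            # the deck's "ADI"
    sub: Subject
    action: str                      # the deck's "adi.action"
    obj: Any = None                  # target resource; not consulted by this ADF


# Constructed sample principals. ezaki and takada match slide 29; kaga is an assumption.
SUBJECTS = {
    "ezaki":  Subject("ezaki",  frozenset({"ListEmp", "GetEmp", "UpdateEmp", "UpdateEmpByAdmin"})),
    "takada": Subject("takada", frozenset({"ListEmp", "UpdateEmp"})),
    "kaga":   Subject("kaga",   frozenset({"ListEmp", "GetEmp", "UpdateEmp"})),
}

# Assumed: fields an ordinary employee must not edit. Touching one is a different action.
ADMIN_ONLY_FIELDS = frozenset({"salary"})


def resolve_action(method: str, path: str, payload: Optional[dict]) -> str:
    """Map an HTTP request to an action name (slide 23: POST /emps is CreateEmp).
    The URL scheme is hypothetical; what matters is that the policy reasons about
    action names, never about URLs or Referer headers."""
    parts = path.strip("/").split("/")
    if parts[0] != "emps":
        raise ValueError(f"unknown resource: {path}")
    if len(parts) == 1:
        return {"POST": "CreateEmp", "GET": "ListEmp"}[method]
    if method == "GET":
        return "GetEmp"
    if method == "DELETE":
        return "DeleteEmp"
    if method in ("PUT", "PATCH"):
        # Slides 31-32: an update that touches an admin-only field is UpdateEmpByAdmin.
        touched = set(payload or {})
        return "UpdateEmpByAdmin" if touched & ADMIN_ONLY_FIELDS else "UpdateEmp"
    raise ValueError(f"unsupported request: {method} {path}")


def adf(adi: AccessDecisionInfo) -> bool:
    """Slide 29's ADF: allow iff the subject holds the authority named after the action."""
    return adi.action in adi.sub.authorities


def handle(subject_name: str, method: str, path: str, payload: Optional[dict] = None) -> int:
    """Pre-authorize the request and return the HTTP status the deck shows (200 or 403)."""
    adi = AccessDecisionInfo(sub=SUBJECTS[subject_name],
                             action=resolve_action(method, path, payload))
    if not adf(adi):
        return 403
    return 200                       # the real handler would now call the service


if __name__ == "__main__":
    # Slide 30: kaga may rename himself but may not set his own salary.
    print(handle("kaga", "PUT", "/emps/kaga", {"name": "Kaga M."}))     # 200
    print(handle("kaga", "PUT", "/emps/kaga", {"salary": 888888}))       # 403
    # Slide 32: ezaki holds UpdateEmpByAdmin, takada does not.
    print(handle("ezaki", "PUT", "/emps/kaga", {"salary": 888888}))      # 200
    print(handle("takada", "PUT", "/emps/kaga", {"salary": 888888}))     # 403
```

The decision never inspects the URL: `resolve_action` turns the request into an action name once, and `adf` only compares that name against the subject's authorities, which is why splitting UpdateEmp into two actions is enough to express "employees edit their name, admins edit salaries" without any field-level branching in the policy.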
  34. (slide text not recoverable)
  35. (slide text not recoverable)
  36. postFilter: the same GetEmp response, filtered per subject
         by ezaki:  { "id": "kaga", "address": "...", "name": "Kaga Masaru", "tel": "090-0000-0006", "salary": 999999, "dept": 2 }
         by takada: { "id": "kaga", "name": "Kaga Masaru", "tel": "090-0000-0006", "dept": 2 }
  37. Alternatively, two actions:
         GetEmpByAdmin: { "id": "kaga", "address": "...", "name": "Kaga Masaru", "tel": "090-0000-0006", "salary": 999999, "dept": 2 }
         GetEmp:        { "id": "kaga", "name": "Kaga Masaru", "tel": "090-0000-0006", "dept": 2 }
  38. ListEmp; ListEmp and ListEmpForPartner (bullet text not recoverable)
  39. (slide text not recoverable)
  40. (slide text not recoverable)
  41. ezaki: UpdateEmp("ezaki", p) name
      ezaki: UpdateEmp("kanou", p) name
      UpdateEmp (remaining bullets not recoverable)
  42. /emps/ezaki; adi.obj.owner; compare adi.sub.name with adi.obj.owner (remaining bullets not recoverable)
  43.    { "id": "ezaki", "owner": "ezaki", // ... }
         { "id": "kanou", "owner": "kanou", // ... }

         fun adf(adi: AccessDecisionInfo): Boolean {
             // allow iff the subject is the owner of the target object
             return adi.sub.name == adi.obj.owner
         }
  44. ezaki: UpdateEmp("kaga", p) name
      ezaki: UpdateEmp("ushijima", p) name
      (remaining bullets not recoverable)
  45. authorities (remaining bullets not recoverable)
  46.    { "id": "kaga", "acl": [ { ezaki UpdateEmp } ], // ... }
         { "id": "ushijima", "acl": [], // ... }

         fun adf(adi: AccessDecisionInfo): Boolean {
             // delegate the decision to the ACL attached to the target object
             return adi.obj.acl.allow(adi.sub, adi.action)
         }
  47. The ACL entry { ezaki UpdateEmp } expressed through an authority instead of a subject name:
         { "effect": "allow", "action": "UpdateEmp", "authority": "Leader" }
         { "name": "ezaki", "authorities": [ "Leader", // ... ] }
      obj ADI ( ) / sub ADI (remaining text not recoverable)
  48. Summary: adf; adi.action; adi.sub.name; adi.sub.authorities; adi.obj.owner; adi.obj.acl
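Slides 36 to 48 add the object side of the ADI (adi.obj.owner, adi.obj.acl) and post-filtering of responses. The block below is an added example, not code from the talk, in Python: it implements the owner ADF of slide 43, the ACL ADF of slides 46 and 47 with ACL entries that name an authority rather than a person, and the postFilter of slide 36, then replays the cases on slides 41 and 44. The sample employee records, the `Leader` authority granted to ezaki, the use of a `GetEmpByAdmin` authority as the post-filter key, and the composition rule (hold the action authority, and be the owner or be granted by the ACL) are assumptions of this example, not the deck's.

```python
# Added example (not from the talk): owner / ACL ADFs and a post-filter in Python.
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Subject:
    name: str
    authorities: frozenset


@dataclass(frozen=True)
class AccessDecisionInfo:            # ADI, now carrying the target object (adi.obj)
    sub: Subject
    action: str
    obj: Dict[str, Any]


# Constructed sample data. ezaki is both an admin reader and a "Leader" (slide 47).
SUBJECTS = {
    "ezaki":  Subject("ezaki",  frozenset({"GetEmp", "UpdateEmp", "GetEmpByAdmin", "Leader"})),
    "takada": Subject("takada", frozenset({"GetEmp", "UpdateEmp"})),
}
EMPS: Dict[str, Dict[str, Any]] = {
    "ezaki":    {"id": "ezaki", "owner": "ezaki", "acl": [], "name": "Ezaki", "dept": 1},
    "kanou":    {"id": "kanou", "owner": "kanou", "acl": [], "name": "Kanou", "dept": 1},
    # Slide 47: the ACL entry names an authority, so any Leader may update kaga.
    "kaga":     {"id": "kaga", "owner": "kaga",
                 "acl": [{"effect": "allow", "action": "UpdateEmp", "authority": "Leader"}],
                 "address": "...", "name": "Kaga Masaru", "tel": "090-0000-0006",
                 "salary": 999999, "dept": 2},
    "ushijima": {"id": "ushijima", "owner": "ushijima", "acl": [], "name": "Ushijima", "dept": 2},
}


def has_authority(adi: AccessDecisionInfo) -> bool:      # slide 29
    return adi.action in adi.sub.authorities


def is_owner(adi: AccessDecisionInfo) -> bool:           # slide 43
    return adi.sub.name == adi.obj["owner"]


def acl_allows(adi: AccessDecisionInfo) -> bool:         # slides 46-47
    return any(
        entry["effect"] == "allow"
        and entry["action"] == adi.action
        and entry["authority"] in adi.sub.authorities
        for entry in adi.obj.get("acl", [])
    )


# Per-action decision rules; composing them this way is this example's choice.
RULES: Dict[str, Callable[[AccessDecisionInfo], bool]] = {
    "GetEmp":    has_authority,
    "UpdateEmp": lambda adi: has_authority(adi) and (is_owner(adi) or acl_allows(adi)),
}


def adf(adi: AccessDecisionInfo) -> bool:
    """Deny by default: an action with no rule is never allowed."""
    rule = RULES.get(adi.action)
    return rule is not None and rule(adi)


SENSITIVE_FIELDS = frozenset({"address", "salary"})      # slide 36: hidden from takada
POLICY_FIELDS = frozenset({"owner", "acl"})              # internal, never returned


def post_filter(adi: AccessDecisionInfo, resource: Dict[str, Any]) -> Dict[str, Any]:
    """Slide 36's postFilter: strip sensitive fields unless the subject may read them."""
    hidden = POLICY_FIELDS
    if "GetEmpByAdmin" not in adi.sub.authorities:
        hidden = hidden | SENSITIVE_FIELDS
    return {k: v for k, v in resource.items() if k not in hidden}


def get_emp(subject_name: str, emp_id: str) -> Tuple[int, Optional[Dict[str, Any]]]:
    adi = AccessDecisionInfo(SUBJECTS[subject_name], "GetEmp", EMPS[emp_id])
    if not adf(adi):
        return 403, None
    return 200, post_filter(adi, adi.obj)


def update_emp(subject_name: str, emp_id: str, patch: Dict[str, Any]) -> int:
    adi = AccessDecisionInfo(SUBJECTS[subject_name], "UpdateEmp", EMPS[emp_id])
    if not adf(adi):
        return 403
    EMPS[emp_id].update(patch)       # apply the change only after the decision
    return 200


if __name__ == "__main__":
    print(update_emp("ezaki", "ezaki", {"name": "Ezaki D."}))   # 200: owner (slide 41)
    print(update_emp("ezaki", "kanou", {"name": "x"}))          # 403: not owner, no ACL grant
    print(update_emp("ezaki", "kaga", {"name": "x"}))           # 200: ACL grants Leader (slide 44)
    print(update_emp("ezaki", "ushijima", {"name": "x"}))       # 403: empty ACL
    print(get_emp("takada", "kaga"))                            # 200, without address/salary
```

Two points worth noticing: the ACL on kaga grants `UpdateEmp` to the `Leader` authority, not to ezaki by name, so the grant survives staff changes as long as the subject's authorities are maintained; and the post-filter runs on the resource after the pre-authorization decision, so a denied subject never reaches it.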
  49. https://classmethod.jp/recruit/ https://prismatix.jp/recruit/
