《SharePoint2010安全性体系和基于Claims的授权方式》由会员分享,可在线阅读,更多相关《SharePoint2010安全性体系和基于Claims的授权方式(27页珍藏版)》请在金锄头文库上搜索。
1、SharePoint 2010安全性体系和基于Claims的授权方式,雷 SharePoint Server MVP,内容,SharePoint安全性基础知识 基于声明式的安全模型简介 配置基于声明式的安全性 开发机会,SharePoint安全性基础知识,Security 101,认证与识别 Authentication creates identity for security principal Identities stored in user accounts repository Authentication performed using credentials Authentic
2、ation produces some form of badge 授权和访问控制 Subsystem used to define security policy Privileged users configure ACLs on objects Subsystem enforces policy at run time,SharePoint 2007认证方式,SharePoint认证基于外部组件 Windows Authentication via Windows Server and IIS FBA via ASP.NET and authentication provider Web
3、 SSO via Active Directory Federation Services (ADFS) SharePoint为外部身份创建配置信息 Tracked per site collection in User Pro Seen by developers as SPUser object,SHAREPOINTSystem帐号,WSS V2会暴露AppPool的运行身份 WSS V3引入了SHAREPOINTsystem Hides IIS Application Pool Identity from users Runs as God within WSS authorizatio
4、n system Removes need to treat Application Pool Identity as site user,Web Server,WSS 身份 vs. Windows 身份,理解之前的区别很重要,Pages, Lists & Documents SharePoint content,AdventureWorks Database SQL Server,XML File local,Web Application Worker Process,Authorized using Windows Identity,Authorized using SharePoint
5、 Identity,权限提升,代码一般在当前用户身份下运行 Authorization works as expected in SharePoint Sometime code must do things current user cannot do 利用代码可以提升运行的身份 Advantage: elevated code can do anything Disadvantage: elevated code can do anything,SPSite对象和权限提升,Accessing sites with WSS object is tricky Must create new S
6、PSite object after elevating,对象的安全性与继承,Each site collection is a hierarchy Each object may have its own ACL Object without ACL relies on parent Top-level site is top-level object in hierarchy,安全关系模型,SPUser represents external security principal SPGroup is internal SharePoint group,Rights,Role Defini
7、tion,AuthZ,SP Group,SP User,Role Assignment,1,N,SP User,Resource,N,1,N,N,N,N,N,N,介绍基于声明的安全模式,SharePoint 2010 安全性体系,SharePoint 2010 可以快速的切换认证模型 WSS moves to claim-based security model SharePoint 12 style now considered legacy mode 为什么要这样做? It decouples WSS from authentication provider Supports multip
8、le authentication providers for one URL Identity can be passed without Kerberos delegation It enables federation between organizations ACLs configured with DLs, Audiences and Orgs PeoplePicker controls understands claims,一些术语,Identity: security principal used to configure security policy Claim: attr
9、ibute of an identity (Login Name, AD Group, etc) Issuer: trusted party that creates claims Security Token: serialized set of claims in digitally signed by issuing authority (Windows security token or SAML) Issuing Authority: issues security tokens knowing claims desired by target application Securit
10、y Token Service (STS): builds, signs and issues security tokens Relying Party: application that makes authorization decisions based on claims,Active Client - Smart Client App,基于声明式的应用场景,Passive Client - Browser,SharePoint 2010中的认证声明,Two important scenarios Incoming claims Outgoing claims How do inco
11、ming claims work? Identity token created by external identity STS SharePoint STS creates claim-based identity SharePoint STS based on Claims Provider Incoming claim identity is mapped to SPUser Authorization of SPUser just like it is in SharePoint 2007,Outgoing Claims,What identity is used for code
12、on WFE? By default, code has claims-based identity Legacy mode can be used for Windows identity What are the scenarios? WFE code calls to application services WFE code calls to external LOB systems WFE code calls to external SharePoint farms,配置基于声明的认证,Admin 界面,开发机会,安全关系模型,1,N,N,N,N,1,N,N,N,N,SP User
13、,Resource,开发机会,Same as in SharePoint 2007 Write code that creates groups Write code that assigns permissions New to SharePoint 2010 Create a custom claims-provider Create an identity transformation service with Geneva Server,总结,SharePoint Security Fundamentals Introduction to Claims-based Security Configuring Claims-based Security Development Opportunities,Learn More about SharePoint 2010,Information forIT Prosat TechNet,Information forDevelopersat MSDN,Information forEveryone,
