SharePoint 2010安全性体系和基于Claims的授权方式PPT课件

1、SharePoint 2010安全性体系和基于Claims的授权方式,侯钟雷 SharePoint Server MVP ,内容,SharePoint安全性基础知识 基于声明式的安全模型简介 配置基于声明式的安全性 开发机会,SharePoint安全性基础知识,Security 101,认证与识别 Authentication creates identity for security principal Identities stored in user accounts repository Authentication performed using credentials Authen

2、tication produces some form of badge 授权和访问控制 Subsystem used to define security policy Privileged users configure ACLs on objects Subsystem enforces policy at run time,SharePoint 2007认证方式,SharePoint认证基于外部组件 Windows Authentication via Windows Server and IIS FBA via ASP.NET and authentication provider

3、Web SSO via Active Directory Federation Services (ADFS) SharePoint为外部身份创建配置信息 Tracked per site collection in User Profile List Seen by developers as SPUser object,SHAREPOINTSystem帐号,WSS V2会暴露AppPool的运行身份 WSS V3引入了SHAREPOINTsystem Hides IIS Application Pool Identity from users Runs as God within WSS

4、authorization system Removes need to treat Application Pool Identity as site user,Web Server,WSS 身份 vs. Windows 身份,理解之前的区别很重要,Pages, Lists & Documents SharePoint content,AdventureWorks Database SQL Server,XML File local file system,Web Application Worker Process,Authorized using Windows Identity,Aut

5、horized using SharePoint Identity,权限提升,代码一般在当前用户身份下运行 Authorization works as expected in SharePoint Sometime code must do things current user cannot do 利用代码可以提升运行的身份 Advantage: elevated code can do anything Disadvantage: elevated code can do anything,SPSite对象和权限提升,Accessing sites with WSS object is

6、tricky Must create new SPSite object after elevating,对象的安全性与继承,Each site collection is a hierarchy Each object may have its own ACL Object without ACL relies on parent Top-level site is top-level object in hierarchy,安全关系模型,SPUser represents external security principal SPGroup is internal SharePoint

7、group,Rights,Role Definition,AuthZ,SP Group,SP User,Role Assignment,1,N,SP User,Resource,N,1,N,N,N,N,N,N,介绍基于声明的安全模式,SharePoint 2010 安全性体系,SharePoint 2010 可以快速的切换认证模型 WSS moves to claim-based security model SharePoint 12 style now considered legacy mode 为什么要这样做? It decouples WSS from authentication

8、provider Supports multiple authentication providers for one URL Identity can be passed without Kerberos delegation It enables federation between organizations ACLs configured with DLs, Audiences and Orgs PeoplePicker controls understands claims,一些术语,Identity: security principal used to configure sec

9、urity policy Claim: attribute of an identity (Login Name, AD Group, etc) Issuer: trusted party that creates claims Security Token: serialized set of claims in digitally signed by issuing authority (Windows security token or SAML) Issuing Authority: issues security tokens knowing claims desired by ta

10、rget application Security Token Service (STS): builds, signs and issues security tokens Relying Party: application that makes authorization decisions based on claims,Active Client - Smart Client App,基于声明式的应用场景,Passive Client - Browser,SharePoint 2010中的认证声明,Two important scenarios Incoming claims Out

11、going claims How do incoming claims work? Identity token created by external identity STS SharePoint STS creates claim-based identity SharePoint STS based on Claims Provider Incoming claim identity is mapped to SPUser Authorization of SPUser just like it is in SharePoint 2007,Outgoing Claims,What id

12、entity is used for code on WFE? By default, code has claims-based identity Legacy mode can be used for Windows identity What are the scenarios? WFE code calls to application services WFE code calls to external LOB systems WFE code calls to external SharePoint farms,配置基于声明的认证,Admin 界面,开发机会,安全关系模型,1,N

13、,N,N,N,1,N,N,N,N,SP User,Resource,开发机会,Same as in SharePoint 2007 Write code that creates groups Write code that assigns permissions New to SharePoint 2010 Create a custom claims-provider Create an identity transformation service with Geneva Server,总结,SharePoint Security Fundamentals Introduction to Claims-based Security Configuring Claims-based Security Development Op