SharePoint 2010安全性体系和基于Claims的授权方式PPT演示文稿_第1页
SharePoint 2010安全性体系和基于Claims的授权方式PPT演示文稿_第2页
SharePoint 2010安全性体系和基于Claims的授权方式PPT演示文稿_第3页
SharePoint 2010安全性体系和基于Claims的授权方式PPT演示文稿_第4页
SharePoint 2010安全性体系和基于Claims的授权方式PPT演示文稿_第5页
已阅读5页,还剩22页未读 继续免费阅读

下载本文档

版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领

文档简介

1、SharePoint 2010安全性体系和基于Claims的授权方式,侯钟雷 SharePoint Server MVP ,内容,SharePoint安全性基础知识 基于声明式的安全模型简介 配置基于声明式的安全性 开发机会,SharePoint安全性基础知识,Security 101,认证与识别 Authentication creates identity for security principal Identities stored in user accounts repository Authentication performed using credentials Authen

2、tication produces some form of badge 授权和访问控制 Subsystem used to define security policy Privileged users configure ACLs on objects Subsystem enforces policy at run time,SharePoint 2007认证方式,SharePoint认证基于外部组件 Windows Authentication via Windows Server and IIS FBA via ASP.NET and authentication provider

3、Web SSO via Active Directory Federation Services (ADFS) SharePoint为外部身份创建配置信息 Tracked per site collection in User Profile List Seen by developers as SPUser object,SHAREPOINTSystem帐号,WSS V2会暴露AppPool的运行身份 WSS V3引入了SHAREPOINTsystem Hides IIS Application Pool Identity from users Runs as God within WSS

4、authorization system Removes need to treat Application Pool Identity as site user,Web Server,WSS 身份 vs. Windows 身份,理解之前的区别很重要,Pages, Lists & Documents SharePoint content,AdventureWorks Database SQL Server,XML File local file system,Web Application Worker Process,Authorized using Windows Identity,Aut

5、horized using SharePoint Identity,权限提升,代码一般在当前用户身份下运行 Authorization works as expected in SharePoint Sometime code must do things current user cannot do 利用代码可以提升运行的身份 Advantage: elevated code can do anything Disadvantage: elevated code can do anything,SPSite对象和权限提升,Accessing sites with WSS object is

6、tricky Must create new SPSite object after elevating,对象的安全性与继承,Each site collection is a hierarchy Each object may have its own ACL Object without ACL relies on parent Top-level site is top-level object in hierarchy,安全关系模型,SPUser represents external security principal SPGroup is internal SharePoint

7、group,Rights,Role Definition,AuthZ,SP Group,SP User,Role Assignment,1,N,SP User,Resource,N,1,N,N,N,N,N,N,介绍基于声明的安全模式,SharePoint 2010 安全性体系,SharePoint 2010 可以快速的切换认证模型 WSS moves to claim-based security model SharePoint 12 style now considered legacy mode 为什么要这样做? It decouples WSS from authentication

8、provider Supports multiple authentication providers for one URL Identity can be passed without Kerberos delegation It enables federation between organizations ACLs configured with DLs, Audiences and Orgs PeoplePicker controls understands claims,一些术语,Identity: security principal used to configure sec

9、urity policy Claim: attribute of an identity (Login Name, AD Group, etc) Issuer: trusted party that creates claims Security Token: serialized set of claims in digitally signed by issuing authority (Windows security token or SAML) Issuing Authority: issues security tokens knowing claims desired by ta

10、rget application Security Token Service (STS): builds, signs and issues security tokens Relying Party: application that makes authorization decisions based on claims,Active Client - Smart Client App,基于声明式的应用场景,Passive Client - Browser,SharePoint 2010中的认证声明,Two important scenarios Incoming claims Out

11、going claims How do incoming claims work? Identity token created by external identity STS SharePoint STS creates claim-based identity SharePoint STS based on Claims Provider Incoming claim identity is mapped to SPUser Authorization of SPUser just like it is in SharePoint 2007,Outgoing Claims,What id

12、entity is used for code on WFE? By default, code has claims-based identity Legacy mode can be used for Windows identity What are the scenarios? WFE code calls to application services WFE code calls to external LOB systems WFE code calls to external SharePoint farms,配置基于声明的认证,Admin 界面,开发机会,安全关系模型,1,N

13、,N,N,N,1,N,N,N,N,SP User,Resource,开发机会,Same as in SharePoint 2007 Write code that creates groups Write code that assigns permissions New to SharePoint 2010 Create a custom claims-provider Create an identity transformation service with Geneva Server,总结,SharePoint Security Fundamentals Introduction to Claims-based Security Configuring Claims-based Security De

温馨提示

  • 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
  • 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
  • 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
  • 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
  • 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
  • 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
  • 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

评论

0/150

提交评论