The problem I am facing is related to authorization. I am granting the application's roles to users in this way:
BasicModel.grantRole(relationshipManager, identity.getAccount(), role);
but when I use
hasRole(this.relationshipManager, this.identity.getAccount(), role);
it seems to always return true, even if I granted another role, e.g. I granted the ROLEA role and when I ask for ROLEB it returns true. The grantRole methods that I found in the PL quickstarts are not recognized by the compiler, but hasRole is.
The authorization annotations seem not to be working: they allow users that are not logged in to invoke the method, and of course allow users with any role to invoke the method:
@LoggedIn
@RolesAllowed({"borrower"})
Otherwise PL seems to be working well, with authentication and the identityManager. My environment is WildFly 8.2, PL 2.7.Final, JPA. These are the classes that I am mapping from the basic model:
<class>org.picketlink.idm.jpa.model.sample.simple.AttributedTypeEntity</class>
<class>org.picketlink.idm.jpa.model.sample.simple.RoleTypeEntity</class>
<class>org.picketlink.idm.jpa.model.sample.simple.IdentityTypeEntity</class>
<class>org.picketlink.idm.jpa.model.sample.simple.RelationshipTypeEntity</class>
<class>org.picketlink.idm.jpa.model.sample.simple.RelationshipIdentityTypeEntity</class>
<class>org.picketlink.idm.jpa.model.sample.simple.PartitionTypeEntity</class>
<class>org.picketlink.idm.jpa.model.sample.simple.AttributeTypeEntity</class>
This may not be the final answer, just won't fit into a comment.
One radical way is to debug the whole thing manually. A slightly less mind-blowing approach, though, would be to look at the database contents. You didn't mention your DB type, but there are plenty of tools for examining DB contents around. Use one of them:
Go to the user_type_entity table (maybe without underscores) and note the user id.
Go to the role_type_entity table and check that your role names are there, only one line each. Note the ids of the roles.
Go to the relationship_identity_type_entity table and look at the role/assignee pairs with the same owner_id (owner_id likely points to some Grant type in the relationship_type_entity table, but we do not need to examine that now).
So, the key question: do you have the undesired roles assigned to your users there? If so, your function does exactly what it is supposed to do, and you need to look at your code more closely to see if you granted the thing accidentally somewhere.
If your user is not listed as an assignee of the role and yet hasRole returns true ... well, then you may have a problem with PicketLink itself, and debugging of the function may be required.
I checked the database records and found that I was assigning all the roles to the users. I also used the HttpSecurityConfiguration for the authorization problems.
I'm trying to figure out what I need to specify in UML for a role-based access control system.
Basically I have a database and only specific people are supposed to access specific functions or information from that database. My academic helper told me to use a role-based access control system and scribbled some stuff onto a paper.
On the left you can see the 3 roles, and connected to it the database, both in the model part of the Model-View-Control.
My question basically: Which functions/variables do I need in the class Role and the role classes so the access control system works and why?
Generally this is supposed to be written in Java.
EDIT: Each Role has its own login credentials, so they will be identified upon login. With this login they are supposed to get one of those roles, but I don’t know how to give them that role.
I was looking for some diagram I found via google a long time ago, long before this question.
RBAC is a standardized model, it doesn't really contain multiple representations. You can extend it with additional security models, and it's multilevel, so higher levels are optional.
Flat RBAC, the first level, requires the following:
users acquire permissions through roles
many to many user role assignment
many to many permission role assignment
user-role assignment review (user - role mapping can be changed, not hardcoded)
users can use permissions of multiple roles simultaneously
I have never seen a full implementation of RBAC in the wild. In a previous job we ultimately had to add point 2 to the application to enable administrators to go into a "support" mode, to view an account's profile as they would.
This diagram gives a largely complete level 4 representation.
Here is the source of this diagram, it has a lot more information than what I'm saying.
I think the biggest variance you'll have (besides naming) is what object has "check access" and the general naming of these objects and methods.
For further reading on the subject, I would suggest these:
Role-Based Access Control, Second Edition
ANSI blog
ANSI specification
NIST 4 levels of RBAC implementation
NIST adding attributes to role-based access control
Wikipedia RBAC, also contains UML
There are other documents including some criticisms, I usually find that simply using RBAC is not sufficient, as there are often more complex requirements than just "manager can do X", for example.
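The five flat-RBAC requirements listed above, worked through as a small in-memory model. This is an added illustration, not code from the answer, the cited standards or the question's Java project; the class and method names (Rbac, assign_role, check_access) and the roles, users and permissions in demo() are constructed for the example, and the same structure translates directly into the User/Role/Permission classes the question asks about.

```python
"""Flat RBAC (the first NIST/ANSI level) as an in-memory model.

Added illustration, not code from the answer above. Names such as Rbac,
assign_role and check_access are this example's own choices; the
permissions, roles and users in demo() are constructed sample data.
"""
from __future__ import annotations


class Rbac:
    """Users acquire permissions only through roles; user-role and
    role-permission assignments are both many-to-many and revisable at
    runtime (nothing hard-coded); a user exercises the permissions of
    all assigned roles simultaneously."""

    def __init__(self) -> None:
        self.user_roles: dict[str, set[str]] = {}
        # a permission is an (operation, object) pair, e.g. ("read", "loan")
        self.role_perms: dict[str, set[tuple[str, str]]] = {}

    # --- role-permission assignment (many-to-many) ---
    def add_role(self, role: str) -> None:
        self.role_perms.setdefault(role, set())

    def grant_permission(self, role: str, operation: str, obj: str) -> None:
        self.role_perms.setdefault(role, set()).add((operation, obj))

    def revoke_permission(self, role: str, operation: str, obj: str) -> None:
        self.role_perms.get(role, set()).discard((operation, obj))

    # --- user-role assignment (many-to-many, changeable at runtime) ---
    def assign_role(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def deassign_role(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    # --- review functions: the mapping can be inspected, not just used ---
    def assigned_roles(self, user: str) -> frozenset[str]:
        return frozenset(self.user_roles.get(user, ()))

    def effective_permissions(self, user: str) -> frozenset[tuple[str, str]]:
        """Union over every assigned role: the user uses them all at once."""
        perms: set[tuple[str, str]] = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_perms.get(role, set())
        return frozenset(perms)

    # --- the access decision ---
    def check_access(self, user: str, operation: str, obj: str) -> bool:
        return (operation, obj) in self.effective_permissions(user)


def demo() -> dict[str, bool]:
    """Constructed scenario: two roles, one user holding both, then a revocation."""
    rbac = Rbac()
    rbac.add_role("borrower")
    rbac.grant_permission("borrower", "read", "loan")
    rbac.add_role("manager")
    rbac.grant_permission("manager", "approve", "loan")
    rbac.grant_permission("manager", "read", "loan")

    rbac.assign_role("alice", "borrower")
    rbac.assign_role("alice", "manager")
    rbac.assign_role("bob", "borrower")

    results = {
        "alice_can_approve": rbac.check_access("alice", "approve", "loan"),
        "bob_can_approve": rbac.check_access("bob", "approve", "loan"),
        "bob_can_read": rbac.check_access("bob", "read", "loan"),
    }
    rbac.deassign_role("alice", "manager")
    results["alice_can_approve_after_revoke"] = rbac.check_access("alice", "approve", "loan")
    # Removing a permission from one role leaves it intact where another role grants it.
    rbac.revoke_permission("manager", "read", "loan")
    results["alice_can_still_read"] = rbac.check_access("alice", "read", "loan")
    return results


if __name__ == "__main__":
    print(demo())
```

The access decision lives in one place (check_access) and consults only data that administrators can change at runtime, which is what separates flat RBAC from a hard-coded "if user is admin" check; the review methods are there because the standard requires that the user-role mapping be inspectable, not merely enforced.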
Well, there are still many, many ways to model this. And basically it's not a UML issue but a design issue. Anyway, here's a possibility:
A user has a single Role which is permanently assigned during a login. Of course a user with admin privilege could alter this role to something else. The Role holds a list of assigned Applications where the association class RoleApplication can hold attributes about what the role can do with the application.
Now how you control that an admin can change rights and all these pretty things that come along with a security system are definitely too broad to go here.
I need some suggestions in designing an application. In my application there will be insurance cases, and according to their roles users will access the cases and different levels of the life cycle of a case. Here I need to restrict users from accessing the same case: if one user is accessing a case with case id 123, another user should not be able to access the same case (123). Can anyone please suggest how I can achieve this?
You need some kind of locking. Depending on your specific requirements there are different ways to accomplish this.
For web applications you can use this algorithm which uses a table to store locks and ajax to refresh the locks as long as the user remains on the edit page. The algorithm can be used even if you don't use PHP on the client.
Following is one way of doing this:
Make provision in the database (add a column) to indicate that that particular case is being accessed.
When a user accesses a case, check the database field to see if that case is already being accessed; if not, update the database field to indicate that it now is.
If another user tries to access the same case, then based on the database field value an appropriate response will be sent.
It's important to note that the transactions mentioned in #2, i.e. the database read and update, should be ATOMIC.
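The three steps above, plus the lock-refresh idea from the earlier answer, carried out as one atomic statement per operation. This is an added example and not code from either answer; sqlite3 stands in for the application's real database and the SQL is the part that carries over to JDBC or a native Hibernate query. The cases table, its locked_by/locked_at columns, LOCK_TTL and the users and case ids in demo() are constructed for the illustration.

```python
"""Per-case lock held in the database with an atomic check-and-set.

Added example, not code from the answers above. sqlite3 stands in for the
application's database; the SQL is portable. Table, columns, LOCK_TTL and
the users/case ids in demo() are constructed.
"""
import sqlite3

LOCK_TTL = 60.0  # seconds; the edit page must refresh before this elapses


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cases ("
        " id INTEGER PRIMARY KEY,"
        " locked_by TEXT,"      # NULL when nobody holds the case
        " locked_at REAL)"      # epoch seconds of the last acquire/refresh
    )
    conn.executemany("INSERT INTO cases (id) VALUES (?)", [(123,), (124,)])
    conn.commit()
    return conn


def acquire(conn, case_id: int, user: str, now: float) -> bool:
    """Step 2 and 3 in ONE statement: the WHERE clause is the check and the
    affected row count is the answer. A separate SELECT followed by an UPDATE
    would let two users both pass the check before either writes."""
    cur = conn.execute(
        "UPDATE cases SET locked_by = ?, locked_at = ?"
        " WHERE id = ?"
        "   AND (locked_by IS NULL OR locked_by = ? OR locked_at < ?)",
        (user, now, case_id, user, now - LOCK_TTL),
    )
    conn.commit()
    return cur.rowcount == 1


def refresh(conn, case_id: int, user: str, now: float) -> bool:
    """Called periodically while the user stays on the edit page."""
    cur = conn.execute(
        "UPDATE cases SET locked_at = ? WHERE id = ? AND locked_by = ?",
        (now, case_id, user),
    )
    conn.commit()
    return cur.rowcount == 1


def release(conn, case_id: int, user: str) -> bool:
    cur = conn.execute(
        "UPDATE cases SET locked_by = NULL, locked_at = NULL"
        " WHERE id = ? AND locked_by = ?",
        (case_id, user),
    )
    conn.commit()
    return cur.rowcount == 1


def holder(conn, case_id: int):
    return conn.execute("SELECT locked_by FROM cases WHERE id = ?", (case_id,)).fetchone()[0]


def demo() -> dict:
    conn = open_db()
    t0 = 1_000_000.0  # constructed clock; real code passes time.time()
    out = {}
    out["alice_gets_123"] = acquire(conn, 123, "alice", t0)
    out["bob_refused_123"] = acquire(conn, 123, "bob", t0 + 1)
    out["bob_gets_124"] = acquire(conn, 124, "bob", t0 + 1)
    out["alice_reacquire_ok"] = acquire(conn, 123, "alice", t0 + 2)  # holder may re-enter
    out["alice_refresh_ok"] = refresh(conn, 123, "alice", t0 + 30)
    # Alice's browser disappears; after LOCK_TTL without a refresh the lock is stale.
    out["bob_gets_stale_123"] = acquire(conn, 123, "bob", t0 + 30 + LOCK_TTL + 1)
    out["alice_refresh_fails"] = refresh(conn, 123, "alice", t0 + 100)
    out["holder_123"] = holder(conn, 123)
    out["bob_release"] = release(conn, 123, "bob")
    out["holder_after_release"] = holder(conn, 123)
    return out


if __name__ == "__main__":
    print(demo())
```

The expiry clause is what keeps a closed browser tab from holding a case forever, and because the timestamp is only compared inside the UPDATE's WHERE clause, a stale lock is reclaimed with the same single statement, no cleanup job required.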
The way you are planning to implement locking is not good practice. I am not sure about MySQL, but if you are using Microsoft SQL or Oracle then the best practice is to implement an optimistic lock mechanism.
The link given below should help you understand better.
www.asp.net/mvc/overview/getting-started/getting-started-with-ef-using-mvc/handling-concurrency-with-the-entity-framework-in-an-asp-net-mvc-application
As the title says, I need to create a dynamic menu stored as a tree in the database, and there are plans to put an interface on it. Now I need to decide how to implement the access control layer based on what is on the market suitable for this requirement.
I heavily use Spring IoC, Spring MVC etc. with Hibernate for my project. I've used Apache Shiro before and it's not bad; just that the community is still young, so it takes time for a question regarding Shiro to get contributions, and there is not extensive documentation.
I was still planning on using Shiro anyway because I have experience with it which I don't have with Spring Security. Now the first question should have been: is it a good idea to tie ACL to the menu system/navigation system? I would be pleased if anyone could share their experience regarding that.
So off the top of my head I have this model in mind: users, roles, rights, users_rights, roles_users, roles_rights
users //contains creds and user detail
roles //contains roles
rights // contains rights (including menu entries matching rights, if i have to tie them)
roles_users //many-to-many roles-users with extra columns mapped as entity
roles_rights // many-to-many roles-rights with extra columns mapped as entity
users_rights // many-to-many users-rights mapped as entity with extra columns. Special rights for a user that override the overall rights given by roles; can deny rights given by a role or add rights not inside any role
So in the rights table I could have something like:
id
name // in the form of admin:users:list
description
menu_name // unique name what shows on page
menu_url
The only question is how do I handle submenus? A self many-to-many rights-rights relation?
In the end it all becomes so complex. So I would like to have other perspectives, insights, suggestions. Thanks.
I hope I understood what you want.
I think that using a self foreign key is valid.
However, I would suggest that you compute the "ACL value" of a sub menu upon its creation, or upon update of one of its parents,
so you won't spend time calculating it during the ACL check for the sub menu.
I'm sorry if I didn't use the terms correctly.
What in general I mean is that if you have some value in a tree, and this value might be dependent on the value of the parent node in the tree,
you should consider calculating the value for the child node/leaf during insertion, update, or any change at one of the ancestors.
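The suggestion above, precomputing a sub menu's ACL requirement when it is inserted or an ancestor changes, together with the question's users_rights overrides, worked as an added example. It is not code from the answer or the question; Python stands in for the Java/Hibernate entities, the right names follow the question's admin:users:list form, and MenuAcl, effective_rights and the sample menu are this example's own constructions.

```python
"""Menu tree with per-entry ACL requirements computed at write time.

Added example, not code from the answer or the question. MenuAcl,
effective_rights and the sample menu/rights are constructed here.
"""
from __future__ import annotations


class MenuAcl:
    """Each entry stores its own right plus 'required': the union of the
    rights of the entry and all its ancestors. 'required' is recomputed when
    an entry is inserted or an ancestor's right changes, so the per-request
    visibility check is a plain subset test."""

    def __init__(self) -> None:
        self.entries: dict[str, dict] = {}

    def add(self, entry_id: str, parent_id: str | None, right: str | None) -> None:
        if parent_id is not None and parent_id not in self.entries:
            raise KeyError(f"unknown parent: {parent_id}")
        self.entries[entry_id] = {"parent": parent_id, "right": right, "required": set()}
        self._recompute(entry_id)

    def set_right(self, entry_id: str, right: str | None) -> None:
        self.entries[entry_id]["right"] = right
        self._recompute(entry_id)  # cascades to every descendant

    def _recompute(self, entry_id: str) -> None:
        e = self.entries[entry_id]
        inherited = self.entries[e["parent"]]["required"] if e["parent"] else set()
        e["required"] = set(inherited) | ({e["right"]} if e["right"] else set())
        for child_id, child in self.entries.items():
            if child["parent"] == entry_id:
                self._recompute(child_id)

    def required(self, entry_id: str) -> frozenset[str]:
        return frozenset(self.entries[entry_id]["required"])

    def visible(self, rights: set[str]) -> list[str]:
        """Entries the user may see: every inherited right must be held."""
        return [eid for eid, e in self.entries.items() if e["required"] <= rights]


def effective_rights(role_rights: list[set[str]],
                     user_allow: set[str], user_deny: set[str]) -> set[str]:
    """roles_rights union, then users_rights overrides: an explicit deny wins."""
    rights: set[str] = set().union(*role_rights) if role_rights else set()
    return (rights | user_allow) - user_deny


def build_sample() -> MenuAcl:
    menu = MenuAcl()
    menu.add("admin", None, "admin:access")
    menu.add("admin.users", "admin", "admin:users:list")
    menu.add("admin.users.delete", "admin.users", "admin:users:delete")
    menu.add("home", None, None)  # public entry, no right required
    return menu


def demo() -> dict[str, list[str]]:
    menu = build_sample()
    support = effective_rights(
        role_rights=[{"admin:access", "admin:users:list"}, {"reports:view"}],
        user_allow=set(),
        user_deny={"admin:users:list"},  # per-user deny overrides the role grant
    )
    ops = effective_rights(
        role_rights=[{"admin:access"}],
        user_allow={"admin:users:list", "admin:users:delete"},
        user_deny=set(),
    )
    out = {"support": menu.visible(support), "ops": menu.visible(ops)}
    # Changing a parent's right updates the stored requirement of its subtree.
    menu.set_right("admin", "admin:super")
    out["ops_after_change"] = menu.visible(ops)
    return out


if __name__ == "__main__":
    print(demo())
```

Persisting the computed required set as a column (or a join table) next to each menu row is the database form of the same idea: the cost is paid on the rare insert or parent update, and rendering the menu for a request needs no tree walk.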
I'm building a multi-tenant SaaS web application in Java, Spring, Struts2 and Hibernate. After a bit of research, I chose to implement multi-tenancy in a shared DB, shared schema, shared table approach, tagging each DB row with a tenantId.
I have rewritten my application so managers and DAOs take the tenantId as a parameter to only serve the correct DB resources.
This works perfectly for all views when getting information, and also for creating new stuff (using the logged-in user's tenantId to store the info).
However, for updating and deleting stuff I am not sure how to secure my application.
For example: when a user wants to edit an object, the URL will be: /edit?objectId=x
And this is mapped to an action that will retrieve this object by id, meaning any logged-in user can, by URL modification, view any object.
This I can solve by adding the tenantId to the DAO, so if the user tries to view an object outside his tenancy he will get nothing.
OK, that's fine then, but what about when sending in the edit form?
What if the user modifies the request, messing with the hidden field objectId, so the action will receive a request to alter an object not belonging to the user's tenancy?
Or if the user URL-modifies a delete action: /delete?objectId=x
Basically I need some way of assuring that the logged-in user has access to whatever he is trying to do. For all GETs it's easy: just put the tenantId in the WHERE clause.
But for updates and deletes I'm not sure what direction to go.
I could query the DB for every update and delete to see if the user has access to the object, but I'm trying to keep DB interaction to a minimum, so I find it impractical to make an extra DB call for every such action.
Does anyone have any hints or tips to my issues?
The same that applies to reading applies to writing/updating: users can only see/access/change what they own. Your question is more about the database than about anything else. The same constraints you apply to viewing data must also apply to writing data.
In this case, you don't want to wear the performance cost of a query first and then an update. That's fine, since you can update the database with conditions. Since this seems likely to be database-level in your case, you need to know what your database is capable of (to do it in one go). For example, Oracle has the MERGE statement.
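The conditional update the answer describes, applied to the question's edit and delete actions, as an added example that is not code from the question or the answer. sqlite3 stands in for the application's database; the SQL is what carries over to a JDBC statement or an HQL/JPQL executeUpdate, whose returned row count plays the same role as rowcount here. The documents table, its columns, and the tenant and object ids in demo() are constructed.

```python
"""Tenant-scoped UPDATE and DELETE without a separate ownership query.

Added example; not code from the question or the answer above. sqlite3
stands in for the application's database. Table, columns and the
tenant/object ids in demo() are constructed.
"""
import sqlite3


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        " id INTEGER PRIMARY KEY,"
        " tenant_id INTEGER NOT NULL,"
        " title TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO documents (id, tenant_id, title) VALUES (?, ?, ?)",
        [(1, 10, "tenant 10 doc"), (2, 20, "tenant 20 doc")],
    )
    conn.commit()
    return conn


def get_document(conn, tenant_id: int, object_id: int):
    """Read path, as the question already does it: tenant in the WHERE clause."""
    return conn.execute(
        "SELECT title FROM documents WHERE id = ? AND tenant_id = ?",
        (object_id, tenant_id),
    ).fetchone()


def update_title(conn, tenant_id: int, object_id: int, title: str) -> bool:
    """Same constraint on the write path, in the single UPDATE statement.
    tenant_id comes from the session, never from the form, so a tampered
    hidden objectId simply matches zero rows."""
    cur = conn.execute(
        "UPDATE documents SET title = ? WHERE id = ? AND tenant_id = ?",
        (title, object_id, tenant_id),
    )
    conn.commit()
    return cur.rowcount == 1


def delete_document(conn, tenant_id: int, object_id: int) -> bool:
    cur = conn.execute(
        "DELETE FROM documents WHERE id = ? AND tenant_id = ?",
        (object_id, tenant_id),
    )
    conn.commit()
    return cur.rowcount == 1


def demo() -> dict:
    conn = open_db()
    out = {}
    # Session belongs to tenant 10; the submitted form's objectId was changed to 2.
    out["cross_tenant_update"] = update_title(conn, 10, 2, "tampered")
    out["cross_tenant_delete"] = delete_document(conn, 10, 2)
    out["tenant20_title_intact"] = get_document(conn, 20, 2)[0]
    # The legitimate owner performs the same operations.
    out["own_update"] = update_title(conn, 20, 2, "renamed")
    out["own_title"] = get_document(conn, 20, 2)[0]
    out["own_delete"] = delete_document(conn, 20, 2)
    out["gone_for_owner"] = get_document(conn, 20, 2)
    return out


if __name__ == "__main__":
    print(demo())
```

A zero row count is the whole access decision, one round trip per write, and the action can answer it exactly as it answers a nonexistent id, so the response does not reveal whether an object outside the caller's tenancy exists. With Hibernate the same holds for a bulk HQL update; if the action instead loads the entity and lets the session flush it, the tenant check belongs on that load, as it already does for the question's views.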
I am quite late to this thread and maybe you have already built the solution you were asking here about. Anyway, I have implemented a database-per-tenant multitenant web application using Spring Boot 2 and secured the web access using Spring Security 5. The data access is via Spring JPA (with Hibernate 5 as the JPA provider). Do take a look here.
I've got a pretty ordinary Java EE application running on JBoss.
It uses the JBoss DatabaseLoginModule JAAS authentication.
It also has application layer users/roles in Hibernate that are exactly the same.
I've got an idea (which I think is pretty useful for me, anyway) to have a capability bit I can set in the software license object (not using Hibernate) that makes all users the read-only user. This lets me make a read-only version of the product by relicensing it.
What I'd like to do is remap the user associations based on a boolean flag accessible inside the program.
So normally we get ( many-many join)
User -*UserRole*-Role -*RoleActions
where
user.roleid =>role.id
When the boolean is set (a capability bit set in the software license),
I'd like JAAS to act like all users were roleid = 1 when the license says so.
Any ideas ?
By subclassing DatabaseServerLoginModule I can perform extra checks (on the software license).
Trivially I can then:
If the license is expired, give a read-only user (the credentials are fixed).
If the license has the read-only capability bit set, give the read-only user (the credentials are fixed).
Since the login has been intercepted, the Hibernate User lookup will be for the right user.
Maybe I'm missing the boat here, but why not do that programmatically?
In the User object, provide a transient getter like getAuthenticatedRoles() that would additionally filter what Hibernate loaded. Additionally, make the original mapped collection getter protected, and use only getAuthenticatedRoles() from other Java code.