OctopusJava EE Security Framework
Concepts
• Authentication– validating the identity of a user
• Authorization– whether a user is allowed to execute a certain
action
• Permission• User/Principal
Security
• Standards– Only role based
• Not good– Documentation (which role is allowed to do
what)– Change (redeployment because we changed
role assignments to method)
Permission based
• Each (group) action(s)– Associated with a permission
• User need permission to execute it
• Very complex system– User can be assigned to group– Permissions are assigned to the group
Octopus
• Permission based• Declarative• Secures
– URL, JSF Components, CDI, EJB
• CDI integrated
Configuration
• Jar File (maven artifact)– <dependency>
<groupId>be.c4j.ee.security</groupId> <artifactId>octopus</artifactId> <version>0.9.3</version> </dependency>
• octopusConfig.properties• CDI bean implements SecurityDataProvider• WEB-INF/securedURLs.ini• ejb-jar.xml
octopusConfig.properties
• All configuration options of framework• Required options have default values• Empty file
– Only authentication for URL
SecurityDataProvider
• Supply authentication and authorization information to Octopus
• AuthenticationInfo getAuthenticationInfo(UsernamePasswordToken token);
• AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals);
login.xhtml
• No requirements imposed by Octopus• Fields
– #{loginBean.username}– #{loginBean.password}– #{loginBean.doLogin}
• actionListener for the login
• Std JSF messages in case of errors
getAuthenticationInfo()
• token.getUsername()– User name entered in login screen
• Return null if user name is not known• AuthenticationInfoBuilder
– For easier instantiation of method result
AuthenticationInfoBuilder
• principalId(Serializable)– Unique identification of user, used in authorization call
• name(String)– Display name for user
• password(Object)– Password for user
• salt(ByteSource)– For salted hashed passwords
• addUserInfo– Additional info usefull for custom permission checks
getAuthorizationInfo()
• principals.getPrimaryPrincipal().getId()– Id of user supplied during authentication
• AuthorizationInfoBuilder• For easier instantiation of method result
AuthorizationInfoBuilder
• addPermission()• addPermissions()• Supply permissions for user
Named permission
• Based on Apache Shiro domain permission• Domain permission
– Domain• Functional area of your application
– Action• Some action within the domain
– Target• Restriction on what items action is allowed
• No interpretation, just strings
Domain permission
• Example– Department:read:*
• * is wildcard• Used in verifying if user has permission
– User is permitted to execute
Required permission User permission
Department:read:* Department:*:*
Domain permission(2)
• Multiple values allowed– Department:read,update:*
Named permission ?
• Assign useful name to permission• Named can be constant of Enum
• Configuration needed in octopusModule
Define named permission
• enum DemoPermission implements NamedPermission { DEPARTMENT_READ, EMPLOYEE_READ_INFO //…}
• namedPermission.class = be.c4j.demo.security.permission.DemoPermission
Define named permission (2)
• @ApplicationScoped @Producespublic PermissionLookup<DemoPermission> buildLookup() {
List<NamedDomainPermission> allPermissions = permissionService.getAllPermissions(); return new PermissionLookup<DemoPermission> (allPermissions, DemoPermission.class);}
• Mapping between enum and domain permisions.
Protect URL
• Specify which URL needs to be protected• Define in securedURLs.ini
• /pages/** = user
• All pages within pages directory (and subdirectories now requires authentication
Protect URL
• /pages/department/** = user, namedPermission[xxx]
• Pages requires authentication and the named permission xxx– xxx = value of enum class
• np instead of namedPermission also allowed
Protect JSF component
• <sec:securedComponent permission="DEPARTMENT_CREATE"/>
• Can be placed inside any JSF component• Component only shown when user has
permission
Protect JSF component (2)
• <sec:requiresUser />• Only authenticated persons see component
• Inverse of rule• not=“true” attribute
– On securedComponent and requiresUser
Protect EJB method
• Annotation based• @RequiresUser• Custom annotation for named permissions
– @DemoPermissionCheck(DemoPermission.DEPARTMENT_CREATE
Custom annotation for security
• public @interface DemoPermissionCheck { DemoPermission[] value();}
• namedPermissionCheck.class = be.c4j.demo.security.permission.DemoPermissionCheck
Custom voters
• extends AbstractGenericVoter• checkPermission(InvocationContext
invocationContext, Set<SecurityViolation> violations) {
• @Named– Needed for securing JSF components
Custom voters (2)
• Set<SecurityViolation> parameter– Put violations messages, empty means allowed
• this.userPrincipal– Current user info
• this.newSecurityViolation(String)– Create violation, for adding to the Set
Custom voters and URL
• /pages/updateSalary.xhtml = user, voter[employeeSalaryUpdateVoter]
• this.hasServletRequestInfo(InvocationContext)
– Called from within URL context?• this.getURLRequestParameter(InvocationContext, String)
– Get URL parameter
Custom voters and EJB methods
• this.checkMethodHasParameterTypes(Set<SecurityViolation>, InvocationContext, Class<?>…)
– Check if method has correct type of parameters– If not, additional entry in Set
• this.verifyMethodHasParameterTypes(InvocationContext, Class<?>…)
– As above, but return boolean– When multiple methods with different
parameter types are supported
• this.getAssignableParameter(InvocationContext, Class<T>[, int])
– Get parameter value of method call– Optional position can be used if multiple
parameters has same type (0-based)
Using custom voters on EJB
• @CustomVoterCheck(EmployeeSalaryUpdateVoter.class)
Custom voters on JSF component
• <sec:securedComponent voter="employeeSalaryUpdateVoter" >
• Voter is the @named CDI bean
Custom voters on JSF component
• Dynamic parameters• <sec:securedComponent voter="employeeSalaryUpdateVoter" >
<sec:securedComponentParameter value="#{employeeBean.employee.id}" /> </sec:securedComponent></sec:securedComponent>
• #{employeeBean.employee.id}– Becomes the single parameters which can be retrieved
by getAssignableParameter()
Top Related