Octopus: a framework for permission-based security in your Java EE app, capable of securing URLs, JSF components, and CDI and EJB methods with the same security voters.
2. Concepts
• Authentication
– validating the identity of a user
• Authorization
– whether a user is allowed to execute a certain action
• Permission
• User/Principal
3. Security
• Standards
– Only role based
• Not good
– Documentation (which role is allowed to do what)
– Change (redeployment because we changed role assignments to method)
4. Permission based
• Each action (or group of actions)
– Associated with a permission
• User needs permission to execute it
• Very complex system
– User can be assigned to group
– Permissions are assigned to the group
8. SecurityDataProvider
• Supply authentication and authorization information to Octopus
• AuthenticationInfo getAuthenticationInfo(UsernamePasswordToken token);
• AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals);
9. login.xhtml
• No requirements imposed by Octopus
• Fields
– #{loginBean.username}
– #{loginBean.password}
– #{loginBean.doLogin}
• actionListener for the login
• Std JSF messages in case of errors
11. AuthenticationInfoBuilder
• principalId(Serializable)
– Unique identification of user, used in authorization call
• name(String)
– Display name for user
• password(Object)
– Password for user
• salt(ByteSource)
– For salted hashed passwords
• addUserInfo
– Additional info useful for custom permission checks
14. Named permission
• Based on Apache Shiro domain permission
• Domain permission
– Domain
• Functional area of your application
– Action
• Some action within the domain
– Target
• Restriction on what items action is allowed
• No interpretation, just strings
15. Domain permission
• Example
– Department:read:*
• * is wildcard
• Used in verifying if user has permission
– User is permitted to execute
    Required permission     User permission
    Department:read:*       Department:*:*
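The matching rule on this slide, sketched as an added Java example (not code from the slides, from Octopus or from Apache Shiro): a simplified three-part matcher in which only a wildcard held by the user widens the match, so the check is not symmetric. The class and method names are hypothetical, and the permission strings in main are constructed sample values.

```java
/** Simplified model of domain:action:target matching (hypothetical class, not Shiro or Octopus code). */
public class DomainPermissionDemo {

    static final String WILDCARD = "*";

    /** Split a permission into exactly three non-empty parts: domain, action, target. */
    static String[] parts(String permission) {
        String[] p = permission.trim().split(":", -1);
        if (p.length != 3) {
            throw new IllegalArgumentException("Expected domain:action:target, got " + permission);
        }
        for (String part : p) {
            if (part.isEmpty()) {
                throw new IllegalArgumentException("Empty part in " + permission);
            }
        }
        return p;
    }

    /** True when the permission held by the user covers the permission required by the resource. */
    static boolean implies(String userPermission, String requiredPermission) {
        String[] held = parts(userPermission);
        String[] required = parts(requiredPermission);
        for (int i = 0; i < 3; i++) {
            // Only a wildcard on the user's side widens the match; a wildcard in the
            // required permission must be matched by a wildcard the user holds.
            if (!held[i].equals(WILDCARD) && !held[i].equals(required[i])) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample values, modelled on the slide's example.
        String[][] cases = {
            {"Department:*:*", "Department:read:*"},      // the slide's case
            {"Department:read:*", "Department:*:*"},      // reversed: user holds less than required
            {"Department:read:*", "Department:update:*"}, // different action
            {"Employee:*:*", "Department:read:*"},        // different domain
        };
        for (String[] c : cases) {
            System.out.printf("user=%-20s required=%-22s permitted=%b%n",
                    c[0], c[1], implies(c[0], c[1]));
        }
    }
}
```

Only the first case is permitted; swapping the two arguments turns the slide's example into a denial, which is the mistake to watch for when wiring such a check by hand.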
19. Define named permission (2)
• @ApplicationScoped @Produces
  public PermissionLookup<DemoPermission> buildLookup() {
      List<NamedDomainPermission> allPermissions =
          permissionService.getAllPermissions();
      return new PermissionLookup<DemoPermission>(allPermissions, DemoPermission.class);
  }
• Mapping between enum and domain permissions.
20. Protect URL
• Specify which URL needs to be protected
• Define in securedURLs.ini
• /pages/** = user
• All pages within the pages directory (and subdirectories) now require authentication
21. Protect URL
• /pages/department/** = user, namedPermission[xxx]
• Pages require authentication and the named permission xxx
– xxx = value of enum class
• np instead of namedPermission also allowed
22. Protect JSF component
• <sec:securedComponent permission="DEPARTMENT_CREATE"/>
• Can be placed inside any JSF component
• Component only shown when user has permission
23. Protect JSF component (2)
• <sec:requiresUser />
• Only authenticated persons see component
• Inverse of rule
• not="true" attribute
– On securedComponent and requiresUser
24. Protect EJB method
• Annotation based
• @RequiresUser
• Custom annotation for named permissions
– @DemoPermissionCheck(DemoPermission.DEPARTMENT_CREATE)
25. Custom annotation for security
• public @interface DemoPermissionCheck {
      DemoPermission[] value();
  }
• namedPermissionCheck.class = be.c4j.demo.security.permission.DemoPermissionCheck
27. Custom voters (2)
• Set<SecurityViolation> parameter
– Put violation messages; empty means allowed
• this.userPrincipal
– Current user info
• this.newSecurityViolation(String)
– Create violation, for adding to the Set
28. Custom voters and URL
• /pages/updateSalary.xhtml = user, voter[employeeSalaryUpdateVoter]
• this.hasServletRequestInfo(InvocationContext)
– Called from within URL context?
• this.getURLRequestParameter(InvocationContext, String)
– Get URL parameter
29. Custom voters and EJB methods
• this.checkMethodHasParameterTypes(Set<SecurityViolation>, InvocationContext, Class<?>…)
– Check if method has correct type of parameters
– If not, additional entry in Set
• this.verifyMethodHasParameterTypes(InvocationContext, Class<?>…)
– As above, but return boolean
– When multiple methods with different parameter types are supported
31. Using custom voters on EJB
• @CustomVoterCheck(EmployeeSalaryUpdateVoter.class)
32. Custom voters on JSF component
• <sec:securedComponent voter="employeeSalaryUpdateVoter" >
• Voter is the @Named CDI bean
33. Custom voters on JSF component
• Dynamic parameters
• <sec:securedComponent voter="employeeSalaryUpdateVoter" >
      <sec:securedComponentParameter value="#{employeeBean.employee.id}" />
  </sec:securedComponent>
• #{employeeBean.employee.id}
– Becomes the single parameter, which can be retrieved by getAssignableParameter()