Octopus framework; Permission based security framework for Java EE
DESCRIPTION
Octopus is a framework for using permission based security in your Java EE app, capable of securing URLs, JSF components, and CDI and EJB methods with the same security voters.
TRANSCRIPT

Octopus
Java EE Security Framework

Concepts
• Authentication
  – Validating the identity of a user
• Authorization
  – Whether a user is allowed to execute a certain action
• Permission
• User/Principal

Security
• Standards
  – Only role based
• Not good
  – Documentation (which role is allowed to do what)
  – Change (redeployment because we changed role assignments to method)

Permission based
• Each action (or group of actions)
  – Associated with a permission
• User needs permission to execute it
• Very complex system
  – User can be assigned to group
  – Permissions are assigned to the group

Octopus
• Permission based
• Declarative
• Secures
  – URL, JSF Components, CDI, EJB
• CDI integrated

Configuration
• Jar File (maven artifact)
  <dependency>
    <groupId>be.c4j.ee.security</groupId>
    <artifactId>octopus</artifactId>
    <version>0.9.3</version>
  </dependency>
• octopusConfig.properties
• CDI bean implements SecurityDataProvider
• WEB-INF/securedURLs.ini
• ejb-jar.xml

octopusConfig.properties
• All configuration options of framework
• Required options have default values
• Empty file
  – Only authentication for URL

SecurityDataProvider
• Supply authentication and authorization information to Octopus
• AuthenticationInfo getAuthenticationInfo(UsernamePasswordToken token);
• AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals);

login.xhtml
• No requirements imposed by Octopus
• Fields
  – #{loginBean.username}
  – #{loginBean.password}
  – #{loginBean.doLogin}
• actionListener for the login
• Standard JSF messages in case of errors

getAuthenticationInfo()
• token.getUsername()
  – User name entered in login screen
• Return null if user name is not known
• AuthenticationInfoBuilder
  – For easier instantiation of method result

AuthenticationInfoBuilder
• principalId(Serializable)
  – Unique identification of user, used in authorization call
• name(String)
  – Display name for user
• password(Object)
  – Password for user
• salt(ByteSource)
  – For salted hashed passwords
• addUserInfo
  – Additional info useful for custom permission checks

getAuthorizationInfo()
• principals.getPrimaryPrincipal().getId()
  – Id of user supplied during authentication
• AuthorizationInfoBuilder
  – For easier instantiation of method result

AuthorizationInfoBuilder
• addPermission()
• addPermissions()
• Supply permissions for user

Named permission
• Based on Apache Shiro domain permission
• Domain permission
  – Domain
    • Functional area of your application
  – Action
    • Some action within the domain
  – Target
    • Restriction on what items action is allowed
• No interpretation, just strings

Domain permission
• Example
  – Department:read:*
• * is wildcard
• Used in verifying if user has permission
  – User is permitted to execute

  Required permission    User permission
  Department:read:*      Department:*:*

Domain permission (2)
• Multiple values allowed
  – Department:read,update:*
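
How the wildcard and multi-value checks on the two "Domain permission" slides behave, as an added example that is not Octopus or Apache Shiro code. It is a simplified, case-sensitive model of Shiro-style matching; the class name DomainPermissionDemo and every permission string other than the ones on the slides are constructed for illustration.

```java
import java.util.*;

/** Simplified model of Shiro-style wildcard matching; not Octopus or Shiro source code. */
public class DomainPermissionDemo {

    /** Splits "Department:read,update:*" into parts; each part is a set of values. */
    static List<Set<String>> parse(String permission) {
        List<Set<String>> parts = new ArrayList<>();
        for (String part : permission.trim().split(":")) {
            Set<String> values = new HashSet<>();
            for (String value : part.split(",")) {
                if (!value.trim().isEmpty()) values.add(value.trim());
            }
            if (values.isEmpty()) {
                throw new IllegalArgumentException("Empty part in: " + permission);
            }
            parts.add(values);
        }
        return parts;
    }

    /** True when the permission the user holds covers the permission a resource requires. */
    static boolean implies(String held, String required) {
        List<Set<String>> h = parse(held);
        List<Set<String>> r = parse(required);
        for (int i = 0; i < r.size(); i++) {
            if (i >= h.size()) return true;   // held is shorter: omitted parts act as "*"
            Set<String> heldPart = h.get(i);
            if (!heldPart.contains("*") && !heldPart.containsAll(r.get(i))) return false;
        }
        for (int i = r.size(); i < h.size(); i++) {
            if (!h.get(i).contains("*")) return false;  // extra held parts must be "*"
        }
        return true;
    }

    public static void main(String[] args) {
        String[][] cases = {                  // {held by user, required by resource}
            {"Department:*:*", "Department:read:*"},          // pair from the slide
            {"Department:read,update:*", "Department:update:*"},
            {"Department:read:*", "Department:*:*"},          // narrower grant than required
            {"Department", "Department:delete:42"},           // one-part grant spans the domain
            {"Employee:read:*", "Department:read:*"},         // different domain
        };
        for (String[] c : cases) {
            System.out.printf("%-26s covers %-22s -> %b%n", c[0], c[1], implies(c[0], c[1]));
        }
    }
}
```

The check is one-directional: the held permission must cover the required one, not the reverse. Because the strings carry no interpretation beyond this matching, short or wildcard-heavy grants returned from getAuthorizationInfo() are worth reviewing for over-broad access.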

Named permission ?
• Assign useful name to permission
• Name can be constant of Enum
• Configuration needed in octopusModule

Define named permission
• enum DemoPermission implements NamedPermission {
      DEPARTMENT_READ, EMPLOYEE_READ_INFO //…
  }
• namedPermission.class = be.c4j.demo.security.permission.DemoPermission

Define named permission (2)
• @ApplicationScoped
  @Produces
  public PermissionLookup<DemoPermission> buildLookup() {
      List<NamedDomainPermission> allPermissions = permissionService.getAllPermissions();
      return new PermissionLookup<DemoPermission>(allPermissions, DemoPermission.class);
  }
• Mapping between enum and domain permissions.

Protect URL
• Specify which URL needs to be protected
• Define in securedURLs.ini
• /pages/** = user
• All pages within pages directory (and subdirectories) now require authentication

Protect URL
• /pages/department/** = user, namedPermission[xxx]
• Pages require authentication and the named permission xxx
  – xxx = value of enum class
• np instead of namedPermission also allowed

Protect JSF component
• <sec:securedComponent permission="DEPARTMENT_CREATE"/>
• Can be placed inside any JSF component
• Component only shown when user has permission

Protect JSF component (2)
• <sec:requiresUser />
• Only authenticated persons see component
• Inverse of rule
• not="true" attribute
  – On securedComponent and requiresUser

Protect EJB method
• Annotation based
• @RequiresUser
• Custom annotation for named permissions
  – @DemoPermissionCheck(DemoPermission.DEPARTMENT_CREATE)

Custom annotation for security
• @Retention(RetentionPolicy.RUNTIME) // must be visible via reflection at runtime
  public @interface DemoPermissionCheck {
      DemoPermission[] value();
  }
• namedPermissionCheck.class = be.c4j.demo.security.permission.DemoPermissionCheck

Custom voters
• extends AbstractGenericVoter
• checkPermission(InvocationContext invocationContext, Set<SecurityViolation> violations)
• @Named
  – Needed for securing JSF components

Custom voters (2)
• Set<SecurityViolation> parameter
  – Put violation messages, empty means allowed
• this.userPrincipal
  – Current user info
• this.newSecurityViolation(String)
  – Create violation, for adding to the Set

Custom voters and URL
• /pages/updateSalary.xhtml = user, voter[employeeSalaryUpdateVoter]
• this.hasServletRequestInfo(InvocationContext)
  – Called from within URL context?
• this.getURLRequestParameter(InvocationContext, String)
  – Get URL parameter

Custom voters and EJB methods
• this.checkMethodHasParameterTypes(Set<SecurityViolation>, InvocationContext, Class<?>...)
  – Check if method has correct type of parameters
  – If not, additional entry in Set
• this.verifyMethodHasParameterTypes(InvocationContext, Class<?>...)
  – As above, but return boolean
  – When multiple methods with different parameter types are supported

• this.getAssignableParameter(InvocationContext, Class<T>[, int])
  – Get parameter value of method call
  – Optional position can be used if multiple parameters have same type (0-based)

Using custom voters on EJB
• @CustomVoterCheck(EmployeeSalaryUpdateVoter.class)

Custom voters on JSF component
• <sec:securedComponent voter="employeeSalaryUpdateVoter" >
• Voter is the @Named CDI bean

Custom voters on JSF component
• Dynamic parameters
• <sec:securedComponent voter="employeeSalaryUpdateVoter" >
      <sec:securedComponentParameter value="#{employeeBean.employee.id}" />
  </sec:securedComponent>
• #{employeeBean.employee.id}
  – Becomes the single parameter which can be retrieved by getAssignableParameter()