Authorization and Security Enforcement

In this session we will look at authorities and permissions and how they are combined to produce an access control list. We will move on to cover ACL inheritance, how and when ACLs are enforced and more general security configuration and customisation. The security configuration for Records Management will be used as an advanced example.

Published in: Technology, Business

Transcript of "Authorization and Security Enforcement"

Slide 0. Authorization and Security Enforcement
  Andy Hind
  Senior Developer, Alfresco
  twitter: @andy_hind

Slide 1. What’s in the mix?
  • Public services
      - Methods + Context (node, parent, ...)
  • Principal
  • Authorities
      - Groups, owner
  • Permissions
      - Read, check out
  • ACLs
  • Enforcement
  • What operations can I perform?
  • Configuration
  • Customisation - RM

Slide 2. Public Services: Security Enforcement
  • wrapped base services
  • pre-execution checks
      - Can I .... ?
      - Check with context
      - PublicServiceAccessService
      - Much more reliable than using hasPermission
  • post-execution checks and filtering
  • public-services-context.xml
  • public-services-security-context.xml

Slide 3. Public Services: Security Enforcement

    <bean id="NodeService" class="org.springframework.aop.framework.ProxyFactoryBean">
        <property name="proxyInterfaces">
            <list>
                <value>org.alfresco.service.cmr.repository.NodeService</value>
            </list>
        </property>
        <property name="target">
            <ref bean="nodeService"/>
        </property>
        <property name="interceptorNames">
            <list>
                <idref local="NodeService_transaction"/>
                <idref local="AuditMethodInterceptor"/>
                <idref local="exceptionTranslator"/>
                <idref bean="NodeService_security"/>
            </list>
        </property>
    </bean>

Slide 4. Public Services: Security Enforcement

    <bean id="NodeService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor">
        <property name="authenticationManager"><ref bean="authenticationManager"/></property>
        <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property>
        <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
        <property name="objectDefinitionSource">
            <value>
                org.alfresco.service.cmr.repository.NodeService.getStores=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
                org.alfresco.service.cmr.repository.NodeService.createStore=ACL_METHOD.ROLE_ADMINISTRATOR
                org.alfresco.service.cmr.repository.NodeService.exists=ACL_ALLOW
                org.alfresco.service.cmr.repository.NodeService.getNodeStatus=ACL_NODE.0.sys:base.ReadProperties
                org.alfresco.service.cmr.repository.NodeService.getRootNode=ACL_NODE.0.sys:base.ReadProperties
                org.alfresco.service.cmr.repository.NodeService.createNode=ACL_NODE.0.sys:base.CreateChildren
                ...
                org.alfresco.service.cmr.repository.NodeService.*=ACL_DENY
            </value>
        </property>
    </bean>

    public ChildAssociationRef createNode(
            NodeRef parentRef,
            QName assocTypeQName,
            QName assocQName,
            QName nodeTypeQName)
            throws InvalidNodeRefException, InvalidTypeException;

Slides 5 to 7. Public Services: Security Enforcement
  These slides repeat the bean definition and method signature from slide 4 and add callouts:
  • Slide 5: createNode=ACL_NODE.0.sys:base.CreateChildren
  • Slide 6: createNode=ACL_NODE.0.sys:base.CreateChildren
             public ChildAssociationRef createNode(NodeRef parentRef,
  • Slide 7: org.alfresco.service.cmr.repository.NodeService.*=ACL_DENY

Slide 8. Authorities
  • Principal
      - userName of the Person matched at log in
      - andy
  • Groups
      - GROUP_woof
  • “Role”
      - ROLE_ADMINISTRATOR
      - Group, configuration
  • DynamicAuthority interface
      - ROLE_OWNER
      - ROLE_LOCK_OWNER

Slide 9. Authorities: Zones
  • authorities are in one or more zones
  • hide groups used as RBAC roles
  • APP.DEFAULT
  • APP.SHARE
  • APP.RM
  • AUTH.ALF
  • AUTH.EXT.<ID>
  • Dynamic authorities are not zoned

Slide 10. Permissions: Ownable – aspect/permissions/service/dynamic authority

    <permissionSet type="cm:ownable" expose="selected">
        <!-- Permission control to allow ownership of the node to be taken from others -->
        <permissionGroup name="TakeOwnership" requiresType="false" expose="false">
            <includePermissionGroup permissionGroup="SetOwner" type="cm:ownable" />
        </permissionGroup>
        <permissionGroup name="SetOwner" requiresType="false" expose="false"/>
        <!-- The low level permission to control setting the owner of a node -->
        <permission name="_SetOwner" expose="false" requiresType="false">
            <grantedToGroup permissionGroup="SetOwner" />
            <requiredPermission on="node" type="sys:base" name="_WriteProperties" />
        </permission>
    </permissionSet>

Slide 11. ACLs: Introduction
  • All nodes have an ACL
  • An ACL applies to the node and ALL of its properties
  • Content read and write are special
  • There are no property level permissions
  • One global ACL (context free) – applies to all nodes
  • An ACL is a list of ACEs
  • Optionally an ACL inherits ACEs from its primary parent
  • ACE
  • Authority – Permissions – Deny/Allow – (Unused context)

Slides 12 to 15. ACLs: Example
  [Diagram with nodes numbered 1 to 14; no ACE labels]

Slide 16. ACLs: Example
  [Same diagram, nodes numbered 1 to 14] ACE shown:
  • All – Read – Allow – 0

Slide 17. ACLs: Example
  [Same diagram] ACEs shown:
  • All – Read – Allow – 0
  • All – Read – Allow – 1

Slide 18. ACLs: Example
  [Same diagram] ACEs shown:
  • All – Read – Allow – 2
  • ROLE_OWNER – All – Allow – 0
  • GROUP_A – Write – Allow – 0
  • GROUP_A – CreateChildren – Allow – 0

Slide 19. ACLs: Example
  [Same diagram] ACEs shown:
  • All – Read – Allow – 0
  • All – Read – Allow – 1
  • All – Read – Allow – 2
  • Andy – All – Allow – 0
  • Bob – Write – Allow – 0
  • Bob – WriteContent – Deny – 0

Slide 20. Configuration: Back to NodeService security enforcement
  • org.alfresco.service.cmr.repository.NodeService.getStores
      - ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
  • org.alfresco.service.cmr.repository.NodeService.createStore
      - ACL_METHOD.ROLE_ADMINISTRATOR
  • org.alfresco.service.cmr.repository.NodeService.exists
      - ACL_ALLOW
  • org.alfresco.service.cmr.repository.NodeService.getNodeStatus
      - ACL_NODE.0.sys:base.ReadProperties

Slide 21. Configuration: Back to NodeService security enforcement (2)
  • org.alfresco.service.cmr.repository.NodeService.createNode
      - ACL_NODE.0.sys:base.CreateChildren
  • org.alfresco.service.cmr.repository.NodeService.moveNode
      - ACL_NODE.0.sys:base.DeleteNode
      - ACL_NODE.1.sys:base.CreateChildren
  • org.alfresco.service.cmr.repository.NodeService.addChild
      - ACL_NODE.0.sys:base.CreateChildren
      - ACL_NODE.1.sys:base.ReadProperties
  • org.alfresco.service.cmr.repository.NodeService.*
      - ACL_DENY

Slide 22. Configuration: Configuration options
  • ACL_METHOD.<authority>
  • ACL_NODE.<#>.<permission>
  • ACL_PARENT.<#>.<permission>
  • ROLE_ . . .
  • GROUP_ . . .
  • AFTER_ACL_NODE.<permission>
  • AFTER_ACL_PARENT.<permission>

Slide 23. History
  • 2.2
      - AVM ACL for every node
  • 3.0
      - DM ACL for every node
  • 3.2
      - RM
  • 3.4
      - Query read improvements
      - Removed Hibernate
  • Future
      - Integrate read evaluation in the query
      - Read evaluation on the DB

Slide 24. Evaluation/Performance
  • “system”
  • Global permissions
  • “admin”
  • Node ACLs and dynamic authorities
  • Bulk fetch of node properties
  • AuthenticationUtil.runAs()

Slide 25. Extension: Common extensions
  • Changing existing settings
  • Adding a new service and protection
  • Types and aspects
  • Related permissions and permission groups
  • Dynamic authorities
  • Public service
  • Public service security configuration
  • Replace/extend voting – RM

Slide 26. RM: Introduction
  • Capabilities (50 +)
  • CreateModifyDestroyFoldersCapability
  • Caveats
  • Supplementary marking
  • Property with a list of allowable values
  • Authority assigned one or more values
  • Authority must have one or all matching values to read the record
  • Classified records
  • Hierarchy of security levels
  • Also uses normal ACLs
  • Adds a new AccessDecisionVoter and related classes
  • RM.<Policy>.<#>.<#>...
  • RM_CAP.<Capability>.<#>.<capability>
  • RM_ALLOW, RM_DENY

Slide 27. RM: Modified NodeService protection example
  • org.alfresco.service.cmr.repository.NodeService.createNode
      - ACL_NODE.0.sys:base.CreateChildren,RM.Create.0.3
  • Create is a combination of RM capabilities
  • NodeService.createNode()
  • NodeService.addChild()
  • FileFolderService.copy()
  • FileFolderService.create()
  • destination
  • node copied or linked OR type created
  • Checking for the CreateChildren permission is not enough

Slide 28. RM: Create policy has to consider
  • Read access to target for link or copy
  • File records capability
  • Create modify destroy folders capability
  • Declare records in closed folders capability
  • Create/modify records in cutoff folders capability
  • Create/modify/destroy fileplan metadata capability
  • Change or delete references capability

Slide 29. Learn More
  wiki.alfresco.com
  forums.alfresco.com
  twitter: @AlfrescoECM
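
The method-security attributes from the "Configuration" and "RM" slides, as an added example (not Alfresco's own code and not from the talk): a Python audit that parses an `objectDefinitionSource` value, labels each attribute as a pre-execution check or a post-execution filter, and lists for review any service with no `*=ACL_DENY` catch-all and any method that is `ACL_ALLOW` with no `AFTER_` filter. The sample value is assembled from lines on the slides; the names `parse`, `audit`, `SVC`, `SAMPLE` and `GRAMMAR` are this example's own, and it assumes `<#>` is the zero-based index of the method argument.

```python
import re

# Constructed sample: NodeService entries as shown on the slides, with the
# RM-modified createNode line from the "RM" slide.
SVC = "org.alfresco.service.cmr.repository.NodeService"
SAMPLE = f"""
{SVC}.getStores=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties
{SVC}.createStore=ACL_METHOD.ROLE_ADMINISTRATOR
{SVC}.exists=ACL_ALLOW
{SVC}.moveNode=ACL_NODE.0.sys:base.DeleteNode,ACL_NODE.1.sys:base.CreateChildren
{SVC}.createNode=ACL_NODE.0.sys:base.CreateChildren,RM.Create.0.3
{SVC}.*=ACL_DENY
"""

# Attribute grammar from the "Configuration options" and "RM" slides.
# Assumption: <#> is the zero-based index of the method argument to check.
GRAMMAR = [  # (pattern, phase, meaning)
    (r"ACL_ALLOW$", "pre", "allow"),
    (r"ACL_DENY$", "pre", "deny"),
    (r"ACL_METHOD\.(?P<who>.+)$", "pre", "caller holds {who}"),
    (r"(?P<who>(ROLE|GROUP)_.+)$", "pre", "caller holds {who}"),
    (r"ACL_NODE\.(?P<n>\d+)\.(?P<p>.+)$", "pre", "{p} on arg {n}"),
    (r"ACL_PARENT\.(?P<n>\d+)\.(?P<p>.+)$", "pre", "{p} on parent of arg {n}"),
    (r"AFTER_ACL_NODE\.(?P<p>.+)$", "post", "filter result by {p}"),
    (r"AFTER_ACL_PARENT\.(?P<p>.+)$", "post", "filter result by {p} on parent"),
    (r"RM(_ALLOW|_DENY|_CAP\..+|\..+)$", "pre", "RM voter decides"),
]

def parse(text):
    """Map each configured method to its list of (phase, meaning) checks."""
    rules = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        method, _, attrs = line.partition("=")
        rules[method] = checks = []
        for token in (t.strip() for t in attrs.split(",")):
            for pattern, phase, meaning in GRAMMAR:
                m = re.match(pattern, token)
                if m:
                    checks.append((phase, meaning.format(**m.groupdict())))
                    break
            else:  # fail loudly on an attribute the grammar does not know
                raise ValueError(f"unknown attribute {token!r} on {method}")
    return rules

def audit(rules):
    """List services without a deny-all catch-all and unfiltered ACL_ALLOW methods."""
    findings = []
    for svc in sorted({m.rsplit(".", 1)[0] for m in rules}):
        if rules.get(svc + ".*") != [("pre", "deny")]:
            findings.append(f"{svc}: no *=ACL_DENY catch-all")
    for method, checks in sorted(rules.items()):
        if checks == [("pre", "allow")]:
            findings.append(f"{method}: ACL_ALLOW with no AFTER_ filter")
    return findings
```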