https://www.youtube.com/watch?v=1gTRqFAZt4M
The discontinued Alfresco Workdesk offers granular Role Based Access Control (RBAC) to define which functionalities users can access based on their role. While working to implement a replacement solution, I had to find a way to replicate this feature, and I found it in Apache Shiro. Using a fairly simple mechanism, I was able to map granular permissions (one for each method exposed by our custom REST API) to Alfresco groups, which act as roles. Moreover, by combining this with Spring HATEOAS it was possible to include in each JSON response only the links to the functionalities the user can actually access, so that our front-end client could determine accordingly which page components to display.
2. Learn. Connect. Collaborate.
Summary
• What is RBAC and how is it related to Alfresco
• How did I come across it
• Apache Shiro approach to RBAC
• How to use it for a (Spring Boot) REST API
• Using this approach in combination with HATEOAS for the benefit of our front end
Role Based Access Control
• Permissions apply to operations
• Separation of duties (audit, control, review)
• Different from Access Control Lists, where permissions apply to content
• Available for Share and Governance Services
• No out-of-the-box UI for custom roles or zones
• Custom permissions and roles need to be defined individually by extending configuration
Apache Shiro Authorization
• Explicit approach (roles as collections of permissions)
• Granular, multi-level permissions
• Flexible security model
• Permissions do not need to be defined up front: a permission is just a string that Shiro compares against the ones assigned to the Subject
• Easy to configure a unique permission for each resource/method in a REST API
Wildcard permissions
Without wildcards, every operation has to be listed explicitly:
block_resident_52 = door:main:open, door:main:close, door:flat:52:open, door:flat:52:close, door:flat:52:lock, door:flat:52:unlock
block_concierge = door:main:open, door:main:close, door:main:lock, door:main:unlock, door:flat:1:open, door:flat:1:close, door:flat:1:lock, door:flat:1:unlock…
Wildcards (*) grant all permissions in the level they are placed and in all lower levels:
block_resident = door:main:open, door:main:close, door:flat:52:*
block_concierge = door:main:*, door:flat:*
block_manager = *
Note that in Shiro a permission with fewer levels also implies all lower levels, so door:main on its own is equivalent to door:main:*, while a longer permission such as door:main:open never implies the shorter door:main. Levels are separated by colons and alternatives within a level by commas (door:main:open,close).
Shiro Subject
When a user logs in, we can retrieve their groups with:
/alfresco/service/api/people/USERNAME?groups=true
and then build the Shiro Subject for that user:
“A Subject represents state and security operations for a single application user. These operations include authentication, authorization (access control), and session access. It is Shiro's primary mechanism for single-user security functionality.”
Shiro Filter
Here we validate the auth token from the request and retrieve user information (including groups) from it.
Benefits
• Suitable for a REST API
• Little effort to secure new API resources and methods
• Little effort to define new, complex roles
• Intuitive
• Possible to combine it with Alfresco ACLs
HATEOAS (Hypermedia As The Engine Of Application State)
super_user = documents:id:GET, documents:id:PUT, documents:id:DELETE, documents:id:download:GET
regular_user = documents:id:GET, documents:id:PUT
Each JSON response carries a link only for the operations the current Subject is permitted to perform, so a regular_user never receives the delete or download link of a document and the front end hides the corresponding components.
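The following is an added example, not code from the talk, from Apache Shiro or from Spring HATEOAS: a Python re-implementation of the wildcard permission matching rules from the wildcard slide (levels separated by colons, alternatives by commas, `*` matching a whole level, and a shorter permission implying all lower levels), applied to the role definitions from both the door and the documents slides, and then used to build a document representation whose links are filtered the way the HATEOAS slide describes. The Alfresco people webscript response is a constructed sample and its shape (a `groups` array with `itemName`) is an assumption, as are the mapping from group name to role name (the `GROUP_` prefix is stripped), the `DOCUMENT_LINKS` table and every function name.

```python
"""Shiro-style wildcard permissions, group -> role mapping and permission-
filtered HATEOAS links. Added example; not Shiro, Spring HATEOAS or the talk's
own code. Assumed/constructed: the people webscript JSON shape, the GROUP_
prefix handling, DOCUMENT_LINKS and all function names."""
import json

WILDCARD = "*"


class WildcardPermission:
    """Mirrors Shiro's WildcardPermission: levels separated by ':',
    alternatives inside a level by ',', '*' matches a whole level.
    Case-insensitive unless case_sensitive=True, as in Shiro."""

    def __init__(self, text, case_sensitive=False):
        text = text.strip()
        if not text:
            raise ValueError("permission string must not be empty")
        if not case_sensitive:
            text = text.lower()
        self.parts = []
        for level in text.split(":"):
            alternatives = {a.strip() for a in level.split(",") if a.strip()}
            if not alternatives:
                raise ValueError("permission string must not contain empty parts")
            self.parts.append(alternatives)

    def implies(self, other):
        """True if this permission grants `other` (another WildcardPermission)."""
        mine, theirs = self.parts, other.parts
        for i, their_part in enumerate(theirs):
            if i >= len(mine):
                # Shorter permission: missing trailing levels imply all lower
                # levels, so "door:main" implies "door:main:open".
                return True
            if WILDCARD not in mine[i] and not their_part <= mine[i]:
                return False
        # Longer permission: every extra level must be a wildcard
        # ("door:main:*" implies "door:main", "door:main:open" does not).
        return all(WILDCARD in part for part in mine[len(theirs):])


# Role -> permissions, transcribed from the wildcard and HATEOAS slides.
ROLES = {
    "block_resident": ["door:main:open", "door:main:close", "door:flat:52:*"],
    "block_concierge": ["door:main:*", "door:flat:*"],
    "block_manager": ["*"],
    "super_user": ["documents:id:GET", "documents:id:PUT",
                   "documents:id:DELETE", "documents:id:download:GET"],
    "regular_user": ["documents:id:GET", "documents:id:PUT"],
}


def roles_from_people_response(body):
    """Turn the JSON from /alfresco/service/api/people/USERNAME?groups=true
    into role names. The talk uses Alfresco groups as roles; dropping the
    'GROUP_' prefix and ignoring unknown groups are assumptions made here."""
    roles = []
    for group in json.loads(body).get("groups", []):
        name = group.get("itemName", "")
        if name.startswith("GROUP_"):
            name = name[len("GROUP_"):]
        if name in ROLES:
            roles.append(name)
    return roles


def is_permitted(roles, requested):
    """Subject.isPermitted semantics: granted if any permission of any held
    role implies the requested one."""
    wanted = WildcardPermission(requested)
    return any(WildcardPermission(p).implies(wanted)
               for role in roles for p in ROLES.get(role, []))


# Hypothetical link table for one document resource:
# (rel, required permission, HTTP method, href template).
DOCUMENT_LINKS = [
    ("self", "documents:id:GET", "GET", "/documents/{id}"),
    ("update", "documents:id:PUT", "PUT", "/documents/{id}"),
    ("delete", "documents:id:DELETE", "DELETE", "/documents/{id}"),
    ("download", "documents:id:download:GET", "GET", "/documents/{id}/download"),
]


def document_representation(doc_id, roles):
    """Body for GET /documents/{id}: only links the caller is permitted to
    follow are emitted, so the client can hide the matching UI components."""
    links = {rel: {"href": href.format(id=doc_id), "method": method}
             for rel, perm, method, href in DOCUMENT_LINKS
             if is_permitted(roles, perm)}
    return {"id": doc_id, "_links": links}


# Constructed sample response (not captured from a real Alfresco server).
SAMPLE_PEOPLE_JSON = json.dumps({
    "userName": "alice",
    "groups": [{"itemName": "GROUP_regular_user", "displayName": "regular_user"},
               {"itemName": "GROUP_block_resident", "displayName": "block_resident"}],
})

if __name__ == "__main__":
    roles = roles_from_people_response(SAMPLE_PEOPLE_JSON)
    print(roles, is_permitted(roles, "door:flat:52:lock"),
          is_permitted(roles, "door:flat:53:lock"))
    print(json.dumps(document_representation(42, roles), indent=2))
```

The `implies` method follows the same three rules Shiro applies: compare level by level, let a wildcard level match anything, and treat a shorter permission as implying everything below it. A subject holding only `regular_user` and `block_resident` therefore gets `self` and `update` links on a document but no `delete` or `download`, and may lock flat 52 but not flat 53 or the main door. In the real application this check is `Subject.isPermitted()` on the Subject built by the Shiro filter, and the link table lives in the Spring HATEOAS resource assembler.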