Role Based Access Control
with Apache Shiro
Ermanno Russo
Learn. Connect. Collaborate.
Summary
• What is RBAC and how is it related to Alfresco
• How did I come across it
• Apache Shiro approach to RBAC
• How to use it for (Spring Boot) REST API
• Using this approach in combination with HATEOAS for the benefit of our front end
Role Based Access Control
• Permissions apply to operations
• Separation of duties
Audit, Control, Review
• Different from Access Control Lists
Permissions apply to content
• Available for Share and Governance Services
• No out-of-the-box UI for custom roles or zones
• Custom permissions and roles need to be defined individually by extending the configuration
Apache Shiro Authorization
• Explicit approach (roles as collections of permissions)
• Granular, multi-level permissions
• Flexible security model
• Permissions do not need to be defined up front
• Easy to configure a unique permission for each resource/method in a REST API
Spring Controller
@RequiresPermissions annotation
shiro.ini
# Format of this configuration file: [role name] = permission1, permission2, ..., permissionN
# Format of permissions: [primary level]:[secondary level (optional)]:[tertiary level (optional)]:[HTTP method]
[roles]
system_admin = *
super_user = documents:GET, documents:POST, documents:id:GET, documents:id:PUT, documents:id:DELETE, documents:id:associations:*, documents:id:download:GET, documents:id:split:*, workflows:*
team_lead = documents:GET, documents:id:GET, documents:id:PUT, documents:id:download:GET, documents:id:associations:GET, workflows:*
regular_user = documents:GET, documents:id:GET, documents:id:download:GET, documents:id:associations:GET, workflows:GET
Wildcard permissions
block_resident_52 = door:main:open, door:main:close, door:flat:52:open, door:flat:52:close, door:flat:52:lock, door:flat:52:unlock
block_concierge = door:main:open, door:main:close, door:main:lock, door:main:unlock, door:flat:1:open, door:flat:1:close, door:flat:1:lock, door:flat:1:unlock…
A wildcard (*) grants every permission at the level where it is placed and at all lower levels:
block_resident = door:main:open, door:main:close, door:flat:52:*
block_concierge = door:main:*, door:flat:*
block_manager = *
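As an added example (my code, not from the deck), here is a RolePermissionResolver that reads the [roles] section of shiro.ini and turns each comma-separated entry into a Shiro WildcardPermission, together with a main method that exercises the door and documents roles above and fails loudly if any check comes out differently from what the wildcard rules promise. It assumes Shiro 1.x on the classpath; the class name IniRolePermissionResolver, the require helper and the in-memory Ini string are this example's own.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.RolePermissionResolver;
import org.apache.shiro.authz.permission.WildcardPermission;
import org.apache.shiro.config.Ini;

/**
 * Resolves a role name to the WildcardPermissions listed for it in the
 * [roles] section of shiro.ini, so a realm only needs to know which roles
 * a user holds. Class name and wiring are this example's own, not the deck's.
 */
public class IniRolePermissionResolver implements RolePermissionResolver {

    private final Map<String, String> roles;

    public IniRolePermissionResolver(Ini ini) {
        Ini.Section section = ini.getSection("roles");
        this.roles = section == null ? Collections.<String, String>emptyMap() : section;
    }

    @Override
    public Collection<Permission> resolvePermissionsInRole(String roleString) {
        String definition = roles.get(roleString);
        if (definition == null) {
            return Collections.emptyList(); // an unknown role grants nothing
        }
        List<Permission> permissions = new ArrayList<>();
        for (String part : definition.split(",")) {
            String trimmed = part.trim();
            if (!trimmed.isEmpty()) {
                permissions.add(new WildcardPermission(trimmed));
            }
        }
        return permissions;
    }

    /** True if at least one permission granted to the role implies the requested one. */
    public boolean roleImplies(String role, String requested) {
        WildcardPermission wanted = new WildcardPermission(requested);
        for (Permission granted : resolvePermissionsInRole(role)) {
            if (granted.implies(wanted)) {
                return true;
            }
        }
        return false;
    }

    private static void require(boolean condition, String what) {
        if (!condition) {
            throw new IllegalStateException("unexpected result for " + what);
        }
    }

    public static void main(String[] args) {
        // Roles from the slides, loaded from an in-memory string so the example
        // needs no shiro.ini on the classpath (constructed input).
        Ini ini = new Ini();
        ini.load("[roles]\n"
                + "block_resident = door:main:open, door:main:close, door:flat:52:*\n"
                + "block_concierge = door:main:*, door:flat:*\n"
                + "block_manager = *\n"
                + "regular_user = documents:GET, documents:id:GET, documents:id:download:GET, "
                + "documents:id:associations:GET, workflows:GET\n");
        IniRolePermissionResolver resolver = new IniRolePermissionResolver(ini);

        // A wildcard covers its own level and every level below it ...
        require(resolver.roleImplies("block_concierge", "door:flat:52:unlock"), "concierge, any flat");
        require(resolver.roleImplies("block_resident", "door:flat:52:unlock"), "resident, own flat");
        require(resolver.roleImplies("block_manager", "door:flat:7:lock"), "manager, everything");
        // ... but nothing beside it: flat 52's wildcard says nothing about flat 1 or the main door lock.
        require(!resolver.roleImplies("block_resident", "door:flat:1:open"), "resident, other flat");
        require(!resolver.roleImplies("block_resident", "door:main:lock"), "resident, main door lock");
        // Without a wildcard a permission implies only itself: GET never grants PUT.
        require(resolver.roleImplies("regular_user", "documents:id:GET"), "regular user, read");
        require(!resolver.roleImplies("regular_user", "documents:id:PUT"), "regular user, write");
        require(resolver.resolvePermissionsInRole("no_such_role").isEmpty(), "unknown role");
        System.out.println("all permission checks behaved as expected");
    }
}
```

One detail worth knowing when the last level is an HTTP method: WildcardPermission is case-insensitive by default (both the granted and the requested string are lowercased), so documents:id:GET and documents:id:get are the same permission; the two-argument constructor WildcardPermission(String, boolean) switches on case-sensitive matching if that matters. A realm uses this resolver through setRolePermissionResolver(...), and the unknown-role branch is deliberate: a typo in a group-to-role mapping should grant nothing rather than fall back to some default.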
Shiro Subject
When a user logs in, we can retrieve their groups with:
/alfresco/service/api/people/USERNAME?groups=true
and then:
“A Subject represents state and security operations for a
single application user.
These operations include authentication, authorization
(access control), and session access. It is Shiro's primary
mechanism for single-user security functionality.”
Shiro Realm
Role Permission Resolver
The missing bit:
Shiro Filter
Here we validate the auth token from the request and retrieve user information (including groups) from it
Components shown on the architecture slide: Filter, Security Manager, Subject, Realm, shiro.ini, Role Permission Resolver
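The Filter and Realm from the last few slides, as an added example (my code, not the deck's): the filter validates the ticket carried by each request and looks up the user's groups, the realm turns those groups into Shiro roles, and role-to-permission resolution is left to whatever RolePermissionResolver is set on the realm. It assumes Shiro 1.x with the javax.servlet API (Spring Boot 2 era). The AlfrescoClient interface, the X-Alfresco-Ticket header name, the GROUP_ prefix convention and all class names are assumptions of this example; the HTTP calls into Alfresco are left behind the interface.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;

/** Hypothetical client for the Alfresco repository; the HTTP plumbing is out of scope here. */
interface AlfrescoClient {
    /** Returns the user name a ticket belongs to, or empty if the repository rejects the ticket. */
    Optional<String> userForTicket(String ticket);
    /** Group names of a user, as returned by /alfresco/service/api/people/USERNAME?groups=true. */
    Set<String> groupsOf(String username);
}

/** The Subject's principal: user name plus the Alfresco groups looked up at login time. */
final class AlfrescoUser {
    final String name;
    final Set<String> groups;
    AlfrescoUser(String name, Set<String> groups) { this.name = name; this.groups = groups; }
}

/** Token handed from the filter to the realm once the ticket has been validated. */
final class AlfrescoTicketToken implements AuthenticationToken {
    final AlfrescoUser user;
    final String ticket;
    AlfrescoTicketToken(AlfrescoUser user, String ticket) { this.user = user; this.ticket = ticket; }
    @Override public Object getPrincipal() { return user; }
    @Override public Object getCredentials() { return ticket; }
}

/** Shiro Filter: validates the ticket on each request and logs the Subject in before any controller runs. */
class AlfrescoTicketFilter extends AuthenticatingFilter {
    static final String TICKET_HEADER = "X-Alfresco-Ticket"; // assumed header name, not from the slides
    private final AlfrescoClient alfresco;

    AlfrescoTicketFilter(AlfrescoClient alfresco) { this.alfresco = alfresco; }

    @Override
    protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
        String ticket = ((HttpServletRequest) request).getHeader(TICKET_HEADER);
        if (ticket == null || ticket.isEmpty()) {
            return null;
        }
        // Ask the repository whether the ticket is valid; only then fetch the user's groups.
        return alfresco.userForTicket(ticket)
                .map(name -> new AlfrescoTicketToken(new AlfrescoUser(name, alfresco.groupsOf(name)), ticket))
                .orElse(null);
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        AuthenticationToken token = createToken(request, response);
        if (token != null) {
            try {
                getSubject(request, response).login(token); // the realm below accepts it and sets the roles
                return true;                                // continue to the controller
            } catch (AuthenticationException rejected) {
                // fall through: a rejected login is handled like a missing ticket
            }
        }
        // Missing, invalid or rejected ticket: fail closed with 401 and stop the filter chain.
        ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return false;
    }
}

/** Shiro Realm: maps Alfresco groups to Shiro roles; role -> permissions is the RolePermissionResolver's job. */
class AlfrescoGroupRealm extends AuthorizingRealm {
    AlfrescoGroupRealm() {
        setAuthenticationTokenClass(AlfrescoTicketToken.class);
        // The filter already validated the ticket with Alfresco; there is nothing local to compare it against.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        AlfrescoTicketToken t = (AlfrescoTicketToken) token;
        return new SimpleAuthenticationInfo(t.user, t.ticket, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        AlfrescoUser user = (AlfrescoUser) principals.getPrimaryPrincipal();
        Set<String> roles = new HashSet<>();
        for (String group : user.groups) {
            // Assumed convention: Alfresco group GROUP_team_lead maps to Shiro role team_lead.
            roles.add(group.replaceFirst("^GROUP_", "").toLowerCase(Locale.ROOT));
        }
        return new SimpleAuthorizationInfo(roles);
    }
}
```

Two design points. The filter deliberately does not call the inherited executeLogin, because that would invoke createToken a second time and so validate the ticket against Alfresco twice per request; it logs the Subject in directly and answers 401 on every failure path, so no unauthenticated request reaches a controller. For a stateless REST API the security manager should also have session storage disabled (DefaultSessionStorageEvaluator.setSessionStorageEnabled(false) on the DefaultWebSecurityManager's subject DAO), otherwise each validated ticket creates a server-side session that outlives the request.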
Benefits
• Suitable for REST API
• Little effort to secure new API resources and methods
• Little effort to define new, complex roles
• Intuitive
• Possible to combine it with Alfresco ACLs
HATEOAS (Hypermedia As The Engine Of Application State)
super_user = documents:id:GET, documents:id:PUT, documents:id:DELETE, documents:id:download:GET
regular_user = documents:id:GET, documents:id:PUT
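The Spring Controller slide and the HATEOAS slide together, as an added example that is not code from the deck: each handler method carries one @RequiresPermissions string built from the resource path and HTTP method, and the same strings decide which hypermedia links the response includes, so a regular_user sees self and update links while a super_user also sees delete and download. It assumes Shiro 1.x, Spring Web MVC and Spring HATEOAS 1.1 or later (for EntityModel.of); the Document bean, the controller and the withPermittedLinks helper are this example's own.

```java
import static org.springframework.hateoas.server.mvc.WebMvcLinkBuilder.linkTo;
import static org.springframework.hateoas.server.mvc.WebMvcLinkBuilder.methodOn;

import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Supplier;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.subject.Subject;
import org.springframework.hateoas.EntityModel;
import org.springframework.hateoas.Link;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.*;

/** Minimal resource bean (constructed for the example; a real one comes from the repository). */
class Document {
    private String id;
    private String title;
    public Document() { }
    public Document(String id, String title) { this.id = id; this.title = title; }
    public String getId() { return id; }
    public void setId(String id) { this.id = id; }
    public String getTitle() { return title; }
    public void setTitle(String title) { this.title = title; }
}

@RestController
@RequestMapping("/documents")
public class DocumentController {

    // One permission string per resource/method, the same strings shiro.ini grants to roles.
    @GetMapping("/{id}")
    @RequiresPermissions("documents:id:GET")
    public EntityModel<Document> get(@PathVariable String id) {
        return withPermittedLinks(load(id));
    }

    @PutMapping("/{id}")
    @RequiresPermissions("documents:id:PUT")
    public EntityModel<Document> update(@PathVariable String id, @RequestBody Document body) {
        return withPermittedLinks(new Document(id, body.getTitle()));
    }

    @DeleteMapping("/{id}")
    @RequiresPermissions("documents:id:DELETE")
    public ResponseEntity<Void> delete(@PathVariable String id) {
        return ResponseEntity.noContent().build();
    }

    @GetMapping("/{id}/download")
    @RequiresPermissions("documents:id:download:GET")
    public ResponseEntity<byte[]> download(@PathVariable String id) {
        return ResponseEntity.ok(new byte[0]); // stand-in for the stored content
    }

    private Document load(String id) {
        return new Document(id, "Document " + id); // stand-in for a repository lookup
    }

    /**
     * HATEOAS: attach only the links the current Subject is permitted to follow. The check uses
     * exactly the permission strings the handler methods are annotated with, so the front end can
     * show an action if and only if the corresponding call would succeed.
     */
    static EntityModel<Document> withPermittedLinks(Document doc) {
        Subject subject = SecurityUtils.getSubject();
        DocumentController proxy = methodOn(DocumentController.class);
        Map<String, Supplier<Link>> candidates = new LinkedHashMap<>();
        candidates.put("documents:id:GET",
                () -> linkTo(proxy.get(doc.getId())).withSelfRel());
        candidates.put("documents:id:PUT",
                () -> linkTo(proxy.update(doc.getId(), null)).withRel("update"));
        candidates.put("documents:id:DELETE",
                () -> linkTo(proxy.delete(doc.getId())).withRel("delete"));
        candidates.put("documents:id:download:GET",
                () -> linkTo(proxy.download(doc.getId())).withRel("download"));

        EntityModel<Document> model = EntityModel.of(doc);
        candidates.forEach((permission, link) -> {
            if (subject.isPermitted(permission)) {
                model.add(link.get());
            }
        });
        return model;
    }
}
```

The links are a convenience for the client, not the access control: the annotation on the handler is what stops a request, and it is enforced only when Shiro's Spring AOP support is active (the AuthorizationAttributeSourceAdvisor from shiro-spring, registered by hand or by the Shiro Spring Boot web starter). Without that advisor @RequiresPermissions is silently ignored, so a test that calls each method as a regular_user and expects the denial (Shiro raises UnauthorizedException, which an @ExceptionHandler can map to 403) is worth keeping next to this controller.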
Spring HATEOAS
Ermanno Russo
@mogpuff /in/ermannorusso
Thank you!
Any questions?

Alfresco DevCon 2018: Role Based Access Control with Apache Shiro
