Alfresco DevCon 2018: Role Based Access Control with Apache Shiro
Ermanno Russo
Learn. Connect. Collaborate.
Summary
• What is RBAC and how it relates to Alfresco
• How I came across it
• Apache Shiro's approach to RBAC
• How to use it for a (Spring Boot) REST API
• Using this approach in combination with HATEOAS for the benefit of our front end
Role Based Access Control
• Permissions apply to operations
• Separation of duties: Audit, Control, Review
• Different from Access Control Lists, where permissions apply to content
• Available for Share and Governance Services
• No out-of-the-box UI for custom roles or zones
• Custom permissions and roles need to be defined individually by extending the configuration
Apache Shiro Authorization
• Explicit approach (roles as collections of permissions)
• Granular, multi-level permissions
• Flexible security model
• Permissions do not need to be declared in advance
• Easy to configure a unique permission for each resource/method in a REST API
Spring Controller
@RequiresPermissions annotation
shiro.ini
# Format of this configuration file: [role name] = permission1, permission2, ..., permissionN
# Format of permissions: [primary level]:[secondary level (optional)]:[tertiary level (optional)]:[HTTP method]
[roles]
system_admin = *
super_user = documents:GET, documents:POST, documents:id:GET, documents:id:PUT, documents:id:DELETE, documents:id:associations:*, documents:id:download:GET, documents:id:split:*, workflows:*
team_lead = documents:GET, documents:id:GET, documents:id:PUT, documents:id:download:GET, documents:id:associations:GET, workflows:*
regular_user = documents:GET, documents:id:GET, documents:id:download:GET, documents:id:associations:GET, workflows:GET
Wildcard permissions
block_resident_52 = door:main:open, door:main:close, door:flat:52:open, door:flat:52:close, door:flat:52:lock, door:flat:52:unlock
block_concierge = door:main:open, door:main:close, door:main:lock, door:main:unlock, door:flat:1:open, door:flat:1:close, door:flat:1:lock, door:flat:1:unlock…
Wildcards (*) grant all permissions at the level where they are placed and at all lower levels:
block_resident = door:main:open, door:main:close, door:flat:52:*
block_concierge = door:main:*, door:flat:*
block_manager = *
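Added example (not from the slides and not Apache Shiro's own code): a Python re-implementation of the implication rule behind Shiro's WildcardPermission, run against the roles from the shiro.ini and wildcard slides above, so you can check offline what a role line really grants. It assumes Shiro's defaults (':' separates levels, ',' separates alternatives within a level, '*' is the wildcard, matching is case-insensitive); `parse_permission`, `implies`, `parse_roles` and `is_permitted` are names chosen here, not Shiro API.

```python
# Re-implementation of Shiro's WildcardPermission.implies() semantics (assumption:
# Shiro defaults, i.e. ':' level separator, ',' alternatives, '*' wildcard,
# case-insensitive). Not Shiro's code; written for this example.
from typing import Dict, List, Set

WILDCARD = "*"


def parse_permission(text: str) -> List[Set[str]]:
    """Split 'documents:id:GET' into [{'documents'}, {'id'}, {'get'}]."""
    parts = [set(sub.strip().lower() for sub in level.split(",") if sub.strip())
             for level in text.strip().split(":")]
    if any(not part for part in parts):
        raise ValueError(f"empty level in permission {text!r}")
    return parts


def implies(granted: str, requested: str) -> bool:
    """Does the granted permission string cover the requested one?

    A level matches if it is '*' or contains every alternative requested.
    A granted permission with FEWER levels than the request implies all lower
    levels; one with MORE levels matches only if its extra levels are '*'.
    """
    g, r = parse_permission(granted), parse_permission(requested)
    for i, r_part in enumerate(r):
        if i >= len(g):
            return True  # granted is shorter: everything below is implied
        if WILDCARD not in g[i] and not g[i] >= r_part:
            return False
    return all(WILDCARD in g_part for g_part in g[len(r):])


def parse_roles(ini_roles: str) -> Dict[str, List[str]]:
    """Parse 'role = perm1, perm2' lines, i.e. the body of a [roles] section."""
    roles: Dict[str, List[str]] = {}
    for line in ini_roles.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, perms = line.partition("=")
        roles[name.strip()] = [p.strip() for p in perms.split(",") if p.strip()]
    return roles


def is_permitted(user_roles: List[str], roles: Dict[str, List[str]], requested: str) -> bool:
    """What a realm plus role-permission resolver decide for one request."""
    return any(implies(granted, requested)
               for role in user_roles
               for granted in roles.get(role, []))


# Sample input: role lines copied from the slides (wrapped lines joined).
ROLES_INI = """
system_admin = *
super_user = documents:GET, documents:POST, documents:id:GET, documents:id:PUT, documents:id:DELETE, documents:id:associations:*, documents:id:download:GET, documents:id:split:*, workflows:*
team_lead = documents:GET, documents:id:GET, documents:id:PUT, documents:id:download:GET, documents:id:associations:GET, workflows:*
regular_user = documents:GET, documents:id:GET, documents:id:download:GET, documents:id:associations:GET, workflows:GET
block_resident = door:main:open, door:main:close, door:flat:52:*
block_concierge = door:main:*, door:flat:*
"""
ROLES = parse_roles(ROLES_INI)

if __name__ == "__main__":
    checks = [("regular_user", "documents:id:PUT"), ("team_lead", "workflows:DELETE"),
              ("block_resident", "door:flat:51:open"), ("block_concierge", "door:flat:51:open")]
    for role, perm in checks:
        print(f"{role:16} {perm:22} -> {is_permitted([role], ROLES, perm)}")
```

Because a granted permission with fewer levels than the request implies every lower level, a role line that omits the HTTP method (e.g. just `documents`) grants all methods on that resource; keep the method as the last level on every entry.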
Shiro Subject
When a user logs in, we can retrieve their groups with:
/alfresco/service/api/people/USERNAME?groups=true
and then:
“A Subject represents state and security operations for a
single application user.
These operations include authentication, authorization
(access control), and session access. It is Shiro's primary
mechanism for single-user security functionality.”
Shiro Realm
Role Permission Resolver
The missing bit:
Shiro Filter
Here we validate the auth token from the request and retrieve user information (including groups) from it.
Overview (diagram): Filter, Security Manager, Subject, Realm, shiro.ini, Role Permission Resolver
Benefits
• Suitable for REST API
• Little effort to secure new API resources and methods
• Little effort to define new, complex roles
• Intuitive
• Possible to combine it with Alfresco ACLs
HATEOAS (Hypermedia As The Engine Of Application State)
super_user = documents:id:GET, documents:id:PUT, documents:id:DELETE, documents:id:download:GET
regular_user = documents:id:GET, documents:id:PUT
Spring HATEOAS
Ermanno Russo
@mogpuff /in/ermannorusso
Thank you!
Any questions?
