Group items tagged

Single User (anton.marinov)

Single User (felix.zhuang)

Single User (jason.ibele)

Single User (cuneyt.tuna)

Single User (parth.upadhye)

Tutorials All Tutorials UML Tutorials UML 2.1 Tutorial UML Tutorial - Part 1 Intro UML Tutorial - Part 2 Intro The Business Process Model The Component Model The Dynamic Model The Logical Model The Physical Model The Use Case Model UML Database Modeling Enterprise Architect Tutorials Creating Strategic Models Diagram Filters BPEL: Step by Step Guide Resource Management Testing Management Traceability RTF Documentation Use Case Metrics Structured Use Case Scenarios

Video Demonstrations All Videos Getting Started Requirements Management Modeling & Productivity Tools Code Engineering and the Debug Workbench Version Control Integration (Eclipse, Visual Studio, TFS)

UML Tutorial - Structure UML Tutorial - Behavior The Business Process Model Deployment of EA MDA Overview Rich-Text (RTF) Reporting Version Control Integration Requirements Management

White Papers & E-Books

Roles Business Analyst Database Administrator Deployment & Rollout Developer Project Manager Software Architects Software Engineer Technology Developer Testers

Solutions

MDG Technologies MDG Technologies EJB Technology.xml Testing Technology.xml

UML Profiles & Patterns UML Patterns UML Patterns Create UML Patterns Import UML Patterns Use UML Patterns UML Profiles UML Profiles: Introduction UML Profile for SPEM XML Schema (XSD) Generation Web Modeling Profile Eriksson-Penker Business Extensions Open Distributed Processing (UML4ODP)

which assumes Shiro's

String format.

Authorization Sequence

what happens inside Shiro whenever an authorization call is made.

invokes any of the Subject hasRole*, checkRole*, isPermitted*, or checkPermission*

securityManager implements the org.apache.shiro.authz.Authorizer interface

delegates to the application's SecurityManager by calling the securityManager's nearly identical respective hasRole*, checkRole*, isPermitted*, or checkPermission* method variants

relays/delegates to its internal org.apache.shiro.authz.Authorizer instance by calling the authorizer's respective hasRole*, checkRole*, isPermitted*, or checkPermission* method

Realm's own respective hasRole*, checkRole*, isPermitted*, or checkPermission* method is called

Authorization Sequence

implies a set of behaviors (i.e. permissions) based on a role name only

named collection of actual permission statements

your realm is what will tell Shiro whether or not roles or permissions exist

Each Realm interaction functions as follows:

key difference with a RolePermissionResolver however is that the input String is a role name, and not a permission string.

Configuring a global RolePermissionResolver

RolePermissionResolver has the ability to represent Permission instances needed by a Realm to perform permission checks.

translate a role name into a concrete set of Permission instances

globalRolePermissionResolver = com.foo.bar.authz.MyPermissionResolver ... securityManager.authorizer.rolePermissionResolver = $globalRolePermissionResolver

shiro.ini

Principle of least privilege

object-capability model, any software entity can potentially act as both a subject and object

Access control models used by current systems tend to fall into one of two classes:

Both capability-based and ACL-based models have mechanisms to allow access rights to be granted to all members of a group of subjects (often the group is itself modeled as a subject)

identification and authentication determine who can log on to a system, and the association of users with the software subjects that they are able to control as a result of logging in; authorization determines what a subject can do; accountability identifies what a subject (or all subjects associated with a user) did.

Authorization determines what a subject can do on the system

Authorization

Access control models

categorized as either discretionary or non-discretionary

three most widely recognized models are

Attribute-based access control

Discretionary access control

Discretionary access control (DAC) is a policy determined by the owner of an object. The owner decides who is allowed to access the object and what privileges they have.

Every object in the system has an owner

access policy for an object is determined by its owner

DAC systems, each object's initial owner is the subject that caused it to be created

Mandatory access control

Mandatory access control refers to allowing access to a resource

that allow a given user to access the resource

Management is often simplified (over what can be required) if the information can be protected using

or by implementing sensitivity labels.

Sensitivity labels

A subject's sensitivity label specifies its

level of trust required for access

subject must have a sensitivity level equal to or higher than the requested object

Role-based access control

Role-based access control (RBAC) is an

access policy

Access control

resource (door, file, customer record, etc)

define a permission to any depth

Permissions Defined

Permissions represent what can be done in your application

A well formed permission describes a resource types and what actions are possible when you interact with those resources

Roles Defined

Roles are effectively a collection of permissions

Explicit Roles

An explicit role has permissions explicitly assigned to it and therefore is an explicit collection of permissions

Implicit Roles

Annotation Authorization

@RequiresPermissions(“account:create”)‏

Permission Check

Permission Schemes

A permission scheme is a set of

assignments for the project permissions

Every project has a permission scheme

One permission scheme can be associated with multiple projects

Permission schemes prevent having to set up permissions individually for every project

15.6.1.1. What is a role? A role is a group, or type, of user that may have been granted certain privileges for performing one or more specific actions within an application

used to create logical groups of users for the convenient assignment of specific application privileges

15.6.1.2. What is a permission? A permission is a privilege (sometimes once-off) for performing a single, specific action. It is entirely possible to build an application using nothing but permissions, however roles offer a higher level of convenience when granting privileges to groups of users

consisting of three "aspects";

An empty @Restrict implies a permission check of componentName:methodName

implied permission required to call the delete() method is account:delete

equivalent of this would be to write @Restrict("#{s:hasPermission('account','delete')}")

@Restrict annotation may reference any objects that exist within a Seam context. This is extremely useful when performing permission checks for a specific object instance.

selectedAccount

selectedAccount

 Identity.instance().checkRestriction

If the expression specified doesn't evaluate to true, either if the user is not logged in, a NotLoggedInException exception is thrown or if the user is logged in, an AuthorizationException exception is thrown.

Permission

A Permission is only a statement of behavior, nothing more.

a statement that describes raw functionality in an application and nothing more

define only "What" the application can do

JdbcRealm

A Realm is a security component that can access application-specific security entities such as users, roles, and permissions to determine authentication and authorization operations

security-specific DAOs

If for some reason you don't want your Realm implementation to perform authentication duties, you should override the supports(org.apache.shiro.authc.AuthenticationToken) method to always return false

does not require you to implement or extend any User, Group or Role interfaces or classes

Shiro tries to maintain a non-intrusive development philosophy

coincident lifetimes, and it is very common for the whole to manage the lifecycle of its parts

For example; certain procedures and workflows will need to be developed (new hire/leaver procedures for example)

Permissions are provided in two ways: A Collection of Strings, where each String can usually be converted into Permission objects by a Realm's PermissionResolver A Collection of Permission objects

most Realms store both sets of data for a Subject

a Realm implementation to utilize an implementation of the Account interface instead, which is a convenience interface that combines both AuthenticationInfo and AuthorizationInfo

Permissions are provided in two ways:

Collection of Strings

Collection of Permission objects

represent the total aggregate collection of permissions

If caching is enabled and if any authorization data for an account is changed at runtime, such as adding or removing roles and/or permissions, the subclass implementation should clear the cached AuthorizationInfo for that account via the

getAuthorizationInfo

AuthorizingRealm

AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals)

Returns an account's authorization-specific information for the specified principals, or null if no account could be found

This implementation obtains the actual AuthorizationInfo object

and then caches it for efficient reuse if caching is enabled

clearCachedAuthorizationInfo(PrincipalCollection principals)

Clears out the AuthorizationInfo cache entry for the specified account.