Skip to main content

Home/ SoftwareEngineering/ Group items tagged Role

Rss Feed Group items tagged

Filter: All | Bookmarks | Topics Simple Middle
kuni katsuya

Chapter 10. Integration with CDI - 0 views

www.graniteds.org/...graniteds.ee6cdi.html

graniteds javaee6 cdi remoting Flex security

shared by kuni katsuya on 12 Sep 12 - No Cached
  • Chapter 10. Integration with CDI
  • GraniteDS provides out-of-the-box integration with CDI via the Tide API
  • GraniteDS also integrates with container security for authentication and role-based authorization
  • ...37 more annotations...
  • always have to include this library in either WEB-INF/lib
  • support for CDI is included in the library granite-cdi.jar
  • 10.1. Configuration with Servlet 3 On Servlet 3 compliant containers, GraniteDS can use the new APIs to automatically register its own servlets and filters and thus does not need any particular configuration in web.xml. This automatic setup is triggered when GraniteDS finds a class annotated with @FlexFilter in one of the application archives:
  • @FlexFilter(configProvider=CDIConfigProvider.class) public class GraniteConfig { }  
  • list of annotation names that enable remote access to CDI beans
  • ConfigProvider
  • override these values by setting them in the annotation properties
  • tide=true,         type="cdi",         factoryClass=CDIServiceFactory.class,         tideInterfaces={Identity.class}
  • @FlexFilter declaration will setup an AMF processor for the specified url pattern
  • tideAnnotations
  • defines suitable default values
  • @TideEnabled
  • @RemoteDestination
  • always declared by default
  • tideInterfaces
  • tideRoles
  • exceptionConverters
  • amf3MessageInterceptor
  • 10.3.2. Typesafe Remoting with Dependency Injection
  • It is possible to benefit from even more type safety by using the annotation [Inject] instead of In. When using this annotation, the full class name is used to find the target bean in the CDI context instead of the bean name.
  • Security
  • integration between the client RemoteObject credentials and the server-side container security
  • client-side component named
  • identity
  • API to define runtime authorization checks on the Flex UI
  • login()
  • logout()
  • login(username, password, loginResult, loginFault)
  • logout()
  • bindable property
  • represents the current authentication state
  • loggedIn
  • identity.loggedIn 
  • integrated with server-side role-based security
  • identity.hasRole('admin')
  • clear the security cache manually with
  • identity.clearSecurityCache()
kuni katsuya

Chapter 10. Integration with CDI - 0 views

www.graniteds.org/...graniteds.ee6cdi.html

java security graniteds CDI

shared by kuni katsuya on 09 Aug 12 - No Cached
  • 10.3.5. Security GraniteDS provides a client-side component named identity that ensures the integration between the client RemoteObject credentials and the server-side container security. It additionally includes an easy-to-use API to define runtime authorization checks on the Flex UI.
  • CDI identity component (of class org.granite.tide.cdi.Identity) predictably provides two methods login() and logout()
  • identity component is integrated with server-side role-based security and can be used to get information or show/hide UI depending on the user access rights:
  • ...2 more annotations...
  •  enabled="{identity.hasRole('admin')}"
  • button labeled Delete will be enabled only if the user has the role admin
kuni katsuya

Security Module Drafts - Apache DeltaSpike - Apache Software Foundation - 0 views

cwiki.apache.org/...Security+Module+Drafts

ApacheDeltaSpike

shared by kuni katsuya on 16 Aug 12 - No Cached
  • Authorization
  • Impersonalization
    • kuni katsuya
      kuni katsuya on 16 Aug 12
       
      impersonation
  • authenticates “as a user” or access application imitating his identity - without knowing his password
  • ...36 more annotations...
  • elements of the user interface are displayed to the user based on the user's privilege level
  • assign permissions to individual objects within the application’s business domain
    • kuni katsuya
      kuni katsuya on 16 Aug 12
       
      individual objects == instances
  • Permissions
  • Permissions assigned to user for a given resource in the tree are inherited by other resources
  • Permissions are inherited
  • persist user, group and role information in database. JPA implementation is his dream
  • Security Module Drafts
  • Identity
  • interface Identity
  • login()
  • logout()
  • getUser()
  • Events LoggedInEvent LoginFailedEvent AlreadyLoggedInEvent PreLoggedOutEvent PostLoggedOutEvent PreAuthenticateEvent PostAuthenticateEvent
  • Object level permission
  • Grant or revoke permissions
  • Group management
  • User/Identity management
  • identity.hasRole
  • identity.hasPermission
  • Permissions model
  • Identity Management (IDM)
  • User, Group and Role
  • Events
  • hooks for common IDM or Security operations
  • Audit and logging for permission and IDM related changes
  • Event API.
  • Impersonalization
  • Impersonalization
  • control which elements of the user interface are displayed to the user based on their assigned permissions
  • ask for permission
  • without need to obtain object from DB
  • String resourceId
  • structure of resources
  • more advanced security resolution mechanisms
  • Rules based engine
  • external services - XACML
kuni katsuya

RolePermissionResolver (Apache Shiro 1.2.1 API) - 0 views

shiro.apache.org/...RolePermissionResolver.html

security ApacheShiro authorization RolePermissionResolver

shared by kuni katsuya on 23 Sep 12 - No Cached
  • RolePermissionResolver
  • resolves a String value and converts it into a Collection of Permission instances
  •  Collection<Permission> resolvePermissionsInRole(String roleString)
  • ...2 more annotations...
  • role name to resolve
  • Collection of Permissions
kuni katsuya

TH01-EP03-US004 - Property Mgmt, Edit Location & Directions, Content Mgmt - Projects - ... - 0 views

confluence.visualfrenzy.com/...viewpage.action

shared by kuni katsuya on 06 Dec 12 - No Cached
  • Property Mgmt
  • Property Mgmt
  • Property Mgmt
  • ...18 more annotations...
  • Property Mgmt
  • Property Mgmt
  • Property Mgmt
  • As a user
    • kuni katsuya
      kuni katsuya on 06 Dec 12
       
      with what granted roles? from which organization?
  • ability to see
    • kuni katsuya
      kuni katsuya on 06 Dec 12
       
      permissions required: retrieve these resource types
  • Location Type
  • Description
  • Airports
  • belonging to other organizations
    • kuni katsuya
      kuni katsuya on 06 Dec 12
       
      content (license) owned by organization different than user's
  • clone this information
    • kuni katsuya
      kuni katsuya on 06 Dec 12
       
      clone = retrieve, then create ie. required permissions: {retrieve,create:}
  • have the rights
    • kuni katsuya
      kuni katsuya on 06 Dec 12
       
      generally speaking, there can be a few independent but overlapping mechanism that will control who is allowed to do what with content: 1. any subject's access to the content itself can be controlled via authorization rules (ie. required vs granted permissions) enforced via system-wide resource-based access control 2. content licensors (~content owners) can restrict the usage of their content by: * whom - ie. content licensee (legally/commercially represented by an organization) * how - eg. reuse as unmodified, create derivatives, composite, redistribute, etc * where - ie. distribution channels their content can be used (eg. only on hotel's vbrochure site, but not in any ids/gds channels) * when - temporal restrictions may limit scope of content license grant by: start, end, duration, season, etc 3. content licensees can further filter or funnel content available to them (resulting from a combination of license granted to them and access control) based on their own criteria (eg. generate a templated hotel presentation only if: at least 1 textual description, 5 photos and 1 video for a hotel is available with a license to combine them (composite content)
  • see how other organizations describe the property
    • kuni katsuya
      kuni katsuya on 06 Dec 12
       
      permission required: retrieve hotel descriptive content(?) owned by independent organization
  • Property Mgmt
  • which textual information
  • displayed
    • kuni katsuya
      kuni katsuya on 06 Dec 12
       
      displayed where? on specific channels?
  • ECM will ask user to confirm that the user has rights to use that content
    • kuni katsuya
      kuni katsuya on 06 Dec 12
       
      if ecm/vfml is to manage content licensing as a third party between organizations (content licensors & licensees) shouldn't ecm *know* if the user('s organization) has rights to use the content in question? is this question posed to the user (with required explicit acknowledgement) purely to absolve vfml from liability issues that may result from licensing disagreements?
  • property’s
    • kuni katsuya
      kuni katsuya on 06 Dec 12
       
      this being the user's (organization's) 'version'or 'view'of the hotel, since this user normally wouldn't/shouldn't be granted permissions to replace content for a hotel on a different organization's 'view'or 'version' of the same hotel
  • to see the user’s original content
    • kuni katsuya
      kuni katsuya on 06 Dec 12
       
      this implies that *at least* one version of such (temporarily) replaceable content needs to be managed/maintaned to allow reverting what if, deliberately, ignorantly or maliciously, a user replaces the same piece of--textual or any type, really--content for this hotel n times? will all n versions be required to be managed as an undo history? the user's ''original content'' might have been version 1, but equally might have been 1 mean: - previous version of the content, regardless of which user - initial version of that content attached to the hotel regardless of which user created/updated it and ignoring which organization owns it?, or, -
kuni katsuya

Java Persistence/ManyToMany - Wikibooks, open books for an open world - 0 views

en.wikibooks.org/...ManyToMany

java JPA many-to-many @ManyToMany wikibooks book

shared by kuni katsuya on 23 Oct 12 - Cached
  • Bi-directional Many to Many
  • object model can choose if it will be mapped in both directions
  • in which direction it will be mapped
  • ...9 more annotations...
  • one direction must be defined as the owner and the other must use the mappedBy attribute to define its mapping
  • you will end up getting duplicate rows
  • If the mappedBy is not used, then the persistence provider will assume there are two independent relationships
  • As with all bi-directional relationships it is your object model's and application's responsibility to maintain the relationship in both direction
  • Mapping a Join Table with Additional Columns
  • solution is to create a class that models the join table
  • requires a composite primary key
  • To make your life simpler, I would recommend adding a generated Id attribute to the association class
  • Another usage is if you have a Map relationship between two objects, with a third unrelated object or data representing the Map key
    • kuni katsuya
      kuni katsuya on 23 Oct 12
       
      eg. map key = AuthorizationContext, map value = {Subject,Role}
kuni katsuya

Chapter 10. Integration with CDI - 0 views

www.graniteds.org/...graniteds.ee6cdi.html

graniteds cdi integration

shared by kuni katsuya on 15 May 12 - No Cached
  • GraniteDS provides out-of-the-box integration with CDI via the Tide API
  • Integration with CDI
  • fully supports serialization of JPA entities from and to your Flex application, taking care of lazily loaded associations
  • ...3 more annotations...
  • GraniteDS also integrates with container security for authentication and role-based authorization
  • granite-cdi.jar
  • JBoss 6 and GlassFish v3
kuni katsuya

Part 3 of dependency injection in Java EE 6 - 1 views

www.theserverside.com/...endency-injection-in-Java-EE-6

javaee6 cdi

shared by kuni katsuya on 13 Jul 12 - Cached
  • powerful way of formalizing the recurring bean roles that often arise as a result of application architectural patterns
kuni katsuya

Permission (Apache Shiro 1.2.1 API) - 0 views

shiro.apache.org/...Permission.html

ApacheShiro permission

shared by kuni katsuya on 29 Aug 12 - No Cached
  • A Permission represents the ability to perform an action or access a resource. A Permission is the most granular, or atomic, unit in a system's security policy and is the cornerstone upon which fine-grained security models are built.
  • a Permission instance only represents functionality or access - it does not grant it
  • permissions are immutable and reflect an application's raw functionality
  • ...4 more annotations...
  • because Permissions represent raw functionality and only change when the application's source code changes, they are immutable at runtime - they represent 'what' the system can do
  • by transitive association, the user 'has' the permissions in their roles
  • all Permission checks are relegated to Realm implementations, and only those implementations really determine how a user 'has' a permission or not
  • Realm could use the semantics described here, or it could utilize some other mechanism entirely
kuni katsuya

Managing Project Permissions - JIRA Latest - Atlassian Documentation - Confluence - 0 views

confluence.atlassian.com/...Managing+Project+Permissions

security authorization PermissionScheme example Jira

shared by kuni katsuya on 01 Sep 12 - No Cached
  • Permission Schemes
  • A permission scheme is a set of
  • user/group/role
  • ...7 more annotations...
  • assignments for the project permissions
  • Every project has a permission scheme
  • One permission scheme can be associated with multiple projects
  • access rights
  • Permission schemes prevent having to set up permissions individually for every project
  • Once a permission scheme is set up
  • it can be applied to all projects that have the same type of access requirements
kuni katsuya

AuthorizingRealm (Apache Shiro :: Core 1.1.0 API) - 0 views

127.0.0.1/...AuthorizingRealm.html

security ApacheShiro Realm AuthorizingRealm authorization

shared by kuni katsuya on 03 Sep 12 - No Cached
  • Class AuthorizingRealm
  • An AuthorizingRealm extends the AuthenticatingRealm's capabilities by adding Authorization (access control) support
  • perform all role and permission checks automatically (and subclasses do not have to write this logic) as long as the getAuthorizationInfo(org.apache.shiro.subject.PrincipalCollection) method returns an AuthorizationInfo
  • ...3 more annotations...
  • AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals)
  • Returns an account's authorization-specific information for the specified principals, or null if no account could be found
  • automatically perform access control checks for the corresponding Subject
kuni katsuya

Securing Data Access - 0 views

login.salesforce.com/...security_data_access.htm

security SecurityModel authorization PermissionScheme permissions example salesforce.com

shared by kuni katsuya on 07 Sep 12 - No Cached
kuni katsuya

Realm | Apache Shiro - 0 views

shiro.apache.org/realm.html

Shiro Realm

shared by kuni katsuya on 09 Aug 12 - No Cached
  • A Realm is a component that can access application-specific security data such as users, roles, and permissions. The Realm translates this application-specific data into a format that Shiro understands so Shiro can in turn provide a single easy-to-understand Subject programming API no matter how many data sources exist or how application-specific your data might be.
  • A Realm is essentially a security-specific DAO
kuni katsuya

Spring Security - Features - 0 views

static.springsource.org/...features.html

Java security SpringSecurity

shared by kuni katsuya on 09 Aug 12 - Cached
  • Domain object instance security: In many applications it's desirable to define Access Control Lists (ACLs) for individual domain object instances. We provide a comprehensive ACL package with features including integer bit masking, permission inheritance (including blocking), an optimized JDBC-backed ACL repository, caching and a pluggable, interface-driven design.
  • OpenID Support: the web's emerging single sign-on standard (supported by Google, IBM, Sun, Yahoo and others) is also supported in Spring Security
  • Easy integration with existing databases: Our implementations have been designed to make it easy to use your existing authentication schema and data (without modification). Of course, you can also provide your own Data Access Object if you wish. Password encoding: Of course, passwords in your authentication repository need not be in plain text. We support both SHA and MD5 encoding, and also pluggable "salt" providers to maximise password security.
  • ...5 more annotations...
  • Caching: Spring Security optionally integrates with Spring's Ehcache factory. This flexibility means your database (or other authentication repository) is not repeatedly queried for authentication information when using Spring Security with stateless applications.
  • Run-as replacement: The system fully supports temporarily replacing the authenticated principal for the duration of the web request or bean invocation. This enables you to build public-facing object tiers with different security configurations than your backend objects.
  • Tag library support: Your JSP files can use our taglib to ensure that protected content like links and messages are only displayed to users holding the appropriate granted authorities. The taglib also fully integrates with Spring Security's ACL services, and obtaining extra information about the logged-in principal.
  • User Provisioning APIs: Support for groups, hierarchical roles and a user management API, which all combine to reduce development time and significantly improve system administration.
  • Enterprise-wide single sign on using CAS 3: Spring Security integrates with JA-SIG's open source Central Authentication Service (CAS)
kuni katsuya

Permissions | Apache Shiro - 0 views

shiro.apache.org/permissions.html

security Shiro permissions authorization

shared by kuni katsuya on 07 Aug 12 - No Cached
  • Permission as a statement that defines an explicit behavior or action
  • lowest-level constructs in security polices
  • explicitly define only "what" the application can do
  • ...69 more annotations...
  • do not at all describe "who" is able to perform the action(s)
  • Multiple Parts
  • Wildcard Permissions support the concept of multiple levels or parts. For example, you could restructure the previous simple example by granting a user the permission printer:query
  • Multiple Values Each part can contain multiple values. So instead of granting the user both the "printer:print" and "printer:query" permissions, you could simply grant them one: printer:print,query
  • All Values What if you wanted to grant a user all values in a particular part? It would be more convenient to do this than to have to manually list every value. Again, based on the wildcard character, we can do this. If the printer domain had 3 possible actions (query, print, and manage), this: printer:query,print,manage
  • simply becomes this: printer:*
  • Using the wildcard in this way scales better than explicitly listing actions since, if you added a new action to the application later, you don't need to update the permissions that use the wildcard character in that part.
  • Finally, it is also possible to use the wildcard token in any part of a wildcard permission string. For example, if you wanted to grant a user the "view" action across all domains (not just printers), you could grant this: *:view Then any permission check for "foo:view" would return true
  • Instance-Level Access Control
  • instance-level Access Control Lists
  • Checking Permissions
  • SecurityUtils.getSubject().isPermitted("printer:print:lp7200")
  • printer:*:*
  • all actions on a single printer
  • printer:*:lp7200
    • kuni katsuya
      kuni katsuya on 03 Sep 12
       
      note: wildcard * usage for 'actions' part
  • missing parts imply that the user has access to all values corresponding to that part
  • printer:print is equivalent to printer:print:*
  • Missing Parts
  • rule of thumb is to
  • use the most specific permission string possible
  • when performing permission checks
  • first part is the
  • domain
    • kuni katsuya
      kuni katsuya on 03 Sep 12
       
      aka 'resource'
  • that is being operated on (printer)
  • second part is the
  • action
  • (query) being performed
  • There is no limit to the number of parts that can be used
  • three parts - the first is the
  • domain
  • the second is the
  • action(s)
  • third is the
  • instance(s)
  • allow access to
  • all actions
  • all printers
  • can only leave off parts from the end of the string
  • Performance Considerations
  • runtime implication logic must execute for
  • each assigned Permission
  • implicitly using Shiro's default
  • WildcardPermission
  • which executes the necessary implication logic
  • When using permission strings like the ones shown above, you're
  • Shiro's default behavior for Realm
  • for every permission check
  • all of the permissions assigned to that user
  • need to be checked individually for implication
  • as the number of permissions assigned to a user or their roles or groups increase, the time to perform the check will necessarily increase
  • If a Realm implementor has a
  • more efficient way of checking permissions and performing this implication logic
  • Realm isPermitted* method implementations
  • should implement that as part of their
  • implies
  • user:*:12345
  • user:update:12345
  • printer
  • implies
  • printer:print
  • Implication, not Equality
  • permission
  • checks
  • are evaluated by
  • implication
  • logic - not equality checks
  • the former implies the latter
  • superset of functionality
  • implication logic can be executed at runtime
kuni katsuya

This is Stuff: Apache Shiro Part 2 - Realms, Database and PGP Certificates - 0 views

meri-stuff.blogspot.ca/...art-2-realms-database-and.html

security ApacheShiro Realm database

shared by kuni katsuya on 09 Aug 12 - No Cached
  • Apache Shiro Part 2 - Realms, Database and PGP Certificates
  • move user account data to database
  • give users an option to authenticate themselves via PGP certificates
  • ...9 more annotations...
  • log in options: log in with user name/password and log in with certificate
  • how to create custom realm and how to handle multi-realm scenario
  • account credentials and access rights are stored in database. Stored passwords are hashed and salted.
  • Authorization
  • If the realm wishes to do also authorization, it has to implement Authorizer interface. Each Authorizer method takes principal as parameter and checks either role(s) or permission(s)
  • Permissions are supplied either as strings or as permission objects
  • use WildcardPermissionResolver to convert strings into permission objects
  • connect application to database and create tables to store all user account data
  • replace IniRealm with realm able to read from database and salt passwords.
kuni katsuya

Application Security With Apache Shiro - 0 views

www.infoq.com/...apache-shiro

security ApacheShiro

shared by kuni katsuya on 08 Aug 12 - No Cached
  • previously known as the JSecurity project
  • The word Subject is a security term that basically means "the currently executing user"
  • Core Concepts: Subject, SecurityManager, and Realms
  • ...12 more annotations...
  • Subject
  • 'Subject' can mean a human being, but also a 3rd party process, daemon account, or anything similar. It simply means 'the thing that is currently interacting with the software'
  • Subject currentUser = SecurityUtils.getSubject();
  • SecurityManager
  • SecurityManager manages security operations for all users
  • Realms
  • Realm acts as the ‘bridge’ or ‘connector’ between Shiro and your application’s security data. That is, when it comes time to actually interact with security-related data like user accounts to perform authentication (login) and authorization (access control), Shiro looks up many of these things from one or more Realms configured for an application.
  • Realm is essentially a security-specific DAO
  • Shiro provides out-of-the-box Realms to connect to a number of security data sources (aka directories) such as LDAP, relational databases (JDBC), text configuration sources like INI and properties files, and more
  • Authorization
  • A permission is a raw statement of functionality, for example ‘open a door’, ‘create a blog entry’, ‘delete the ‘jsmith’ user’, etc. By having permissions reflect your application’s raw functionality, you only need to change permission checks when you change your application’s functionality. In turn, you can assign permissions to roles or to users as necessary at runtime.
  • “Run As” support for assuming the identity of another Subject
‹ Previous 21 - 40 of 41 Next ›
Showing 20 items per page