Group items tagged

which assumes Shiro's

String format.

Authorization Sequence

what happens inside Shiro whenever an authorization call is made.

invokes any of the Subject hasRole*, checkRole*, isPermitted*, or checkPermission*

securityManager implements the org.apache.shiro.authz.Authorizer interface

delegates to the application's SecurityManager by calling the securityManager's nearly identical respective hasRole*, checkRole*, isPermitted*, or checkPermission* method variants

relays/delegates to its internal org.apache.shiro.authz.Authorizer instance by calling the authorizer's respective hasRole*, checkRole*, isPermitted*, or checkPermission* method

Realm's own respective hasRole*, checkRole*, isPermitted*, or checkPermission* method is called

Authorization Sequence

implies a set of behaviors (i.e. permissions) based on a role name only

named collection of actual permission statements

your realm is what will tell Shiro whether or not roles or permissions exist

Each Realm interaction functions as follows:

key difference with a RolePermissionResolver however is that the input String is a role name, and not a permission string.

Configuring a global RolePermissionResolver

RolePermissionResolver has the ability to represent Permission instances needed by a Realm to perform permission checks.

translate a role name into a concrete set of Permission instances

globalRolePermissionResolver = com.foo.bar.authz.MyPermissionResolver ... securityManager.authorizer.rolePermissionResolver = $globalRolePermissionResolver

shiro.ini

Principle of least privilege

object-capability model, any software entity can potentially act as both a subject and object

Access control models used by current systems tend to fall into one of two classes:

Both capability-based and ACL-based models have mechanisms to allow access rights to be granted to all members of a group of subjects (often the group is itself modeled as a subject)

identification and authentication determine who can log on to a system, and the association of users with the software subjects that they are able to control as a result of logging in; authorization determines what a subject can do; accountability identifies what a subject (or all subjects associated with a user) did.

Authorization determines what a subject can do on the system

Authorization

Access control models

categorized as either discretionary or non-discretionary

three most widely recognized models are

Attribute-based access control

Discretionary access control

Discretionary access control (DAC) is a policy determined by the owner of an object. The owner decides who is allowed to access the object and what privileges they have.

Every object in the system has an owner

access policy for an object is determined by its owner

DAC systems, each object's initial owner is the subject that caused it to be created

Mandatory access control

Mandatory access control refers to allowing access to a resource

that allow a given user to access the resource

Management is often simplified (over what can be required) if the information can be protected using

or by implementing sensitivity labels.

Sensitivity labels

A subject's sensitivity label specifies its

level of trust required for access

subject must have a sensitivity level equal to or higher than the requested object

Role-based access control

Role-based access control (RBAC) is an

access policy

Access control

Authorization Classes Policy AuthPermission PrivateCredentialPermission

Subject

Principals

Credentials

Authorization Classes

Policy

AuthPermission

resource (door, file, customer record, etc)

define a permission to any depth

Permissions Defined

Permissions represent what can be done in your application

A well formed permission describes a resource types and what actions are possible when you interact with those resources

Roles Defined

Roles are effectively a collection of permissions

Explicit Roles

An explicit role has permissions explicitly assigned to it and therefore is an explicit collection of permissions

Implicit Roles

Annotation Authorization

@RequiresPermissions(“account:create”)‏

Permission Check

Tells the security interceptor to check the permission using "contact" as the resource name, not "contactmanager" inflected from the class name ContactManager

@NamedResource("contact")

 logout() 

An implementation of this interface must be thread safe

If authorization fails, either because the user is not logged in or because it doesn't have required rights, it must throw an appropriate org.granite.messaging.service.security.SecurityServiceException.

Writing a Security Service

nothing to do with a true Flex destination

only one instance of this service is used in the entire web-app and will be called by concurrent threads

This method is called upon each and every service method call invocations (RemoteObject) or subscribe/publish actions (Consumer/Producer). When used with RemoteObjects, the authorize method is responsible for checking security, calling the service method, and returning the corresponding result.

default implementation of this method in AbstractSecurityService is to do nothing

security services are not exposed to outside calls

AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals)

Returns an account's authorization-specific information for the specified principals, or null if no account could be found

automatically perform access control checks for the corresponding Subject

Permissions are provided in two ways: A Collection of Strings, where each String can usually be converted into Permission objects by a Realm's PermissionResolver A Collection of Permission objects

most Realms store both sets of data for a Subject

a Realm implementation to utilize an implementation of the Account interface instead, which is a convenience interface that combines both AuthenticationInfo and AuthorizationInfo

If caching is enabled and if any authorization data for an account is changed at runtime, such as adding or removing roles and/or permissions, the subclass implementation should clear the cached AuthorizationInfo for that account via the

getAuthorizationInfo

AuthorizingRealm

AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals)

Returns an account's authorization-specific information for the specified principals, or null if no account could be found

This implementation obtains the actual AuthorizationInfo object

and then caches it for efficient reuse if caching is enabled

clearCachedAuthorizationInfo(PrincipalCollection principals)

Clears out the AuthorizationInfo cache entry for the specified account.

VFML user

Spring 3.1 application

benefit from it.

Only use @link on the first reference to a specific class or method

This avoids excessive hyperlinks cluttering up the Javadoc

"null treated as xxx"

"null returns xxx"

Changes for Hibernate 3.5 applications

if your application uses Hibernate 3 classes that are not available in Hibernate 4, for example, some of the validator or search classes, you may see ClassNotFoundExceptions when you deploy your application. If you encounter this problem, you can try one of two approaches: You may be able to resolve the issue by copying the specific Hibernate 3 JARs containing those classes into the application "/lib" directory or by adding them to the classpath using some other method. In some cases this may result in ClassCastExceptions or other class loading issues due to the mixed use of the Hibernate versions, so you will need to use the second approach. You need to tell the server to use only the Hibernate 3 libraries and you will need to add exclusions for the Hibernate 4 libraries. Details on how to do this are described here: JPA Reference Guide.

In previous versions of the application server, the JCA data source configuration was defined in a file with a suffix of *-ds.xml. This file was then deployed in the server's deploy directory. The JDBC driver was copied to the server lib/ directory or packaged in the application's WEB-INF/lib/ directory. In AS7, this has all changed. You will no longer package the JDBC driver with the application or in the server/lib directory. The *-ds.xml file is now obsolete and the datasource configuration information is now defined in the standalone/configuration/standalone.xml or in the domain/configuration/domain.xml file. A JDBC 4-compliant driver can be installed as a deployment or as a core module. A driver that is JDBC 4-compliant contains a META-INF/services/java.sql.Driver file that specifies the driver class name. A driver that is not JDBC 4-compliant requires additional steps, as noted below.

DataSource Configuration

domain mode, the configuration file is the domain/configuration/domain.xml

standalone mode, you will configure the datasource in the standalone/configuration/standalone.xml

MySQL datasource element:

        <connection-url>jdbc:mysql://localhost:3306/YourApplicationURL</connection-url>        <driver-class> com.mysql.jdbc.Driver </driver-class>        <driver> mysql-connector-java-5.1.15.jar </driver>

       <security>            <user-name> USERID </user-name>            <password> PASSWORD</password>        </security>

example of the driver element for driver that is not JDBC 4-compliant. The driver-class must be specified since it there is no META-INF/services/java.sql.Driver file that specifies the driver class name.

 <driver-class>com.mysql.jdbc.Driver</driver-class>

JDBC driver can be installed into the container in one of two ways: either as a deployment or as a core module

Install the JDBC driver

Install the JDBC driver as a deployment

In AS7 standalone mode, you simply copy the JDBC 4-compliant JAR into the AS7_HOME/standalone/deployments directory

example of a MySQL JDBC driver installed as a deployment:     AS7_HOME/standalone/deployments/mysql-connector-java-5.1.15.jar