Role-based security implementation in LDAP - java

I'm working on role-based security implementation in LDAP and Java. Specifically, I have the following objects that I need to represent in LDAP:
Users
Corporate groups of users - HR, Finance etc.
Permissions - DOCUMENT_READ, DOCUMENT_MODIFY etc.
Roles - ADMIN, GUEST etc.
Roles are basically groups of permissions, and they can be assigned to a user or to a group of users.
I was thinking of representing them in LDAP as follows:
Users - Person and uidObject classes with userPassword attribute.
Groups of users - organizationalUnit class, under which the users are located.
Roles - groupOfNames object class.
Permissions - not sure about this one, perhaps also groupOfNames class.
The idea is to have quick access from a user or a group to the list of roles that this user or group has. I know that I can put users and groups in the "member" attribute of a role, but then I will have to scan all roles to find which ones have this user listed. Is there a way to have something like the "member" attribute in a Person object?
Generally, does anyone know of a good role-based security implementation in LDAP? I could not find good documentation or tutorials on this subject. I'm using ApacheDS as an LDAP server currently, but I'm open to suggestions.

Users: inetOrgPerson
Collections: organizationalUnit, but beware of trying to replicate your organizational structure in your LDAP directory: this is usually a mistake, as organizations change and users move around the organization. You should consider using the ou attribute.
Roles: organizationalRole. I used groups of roles as groupOfUniqueNames, but that was a mistake; I should have kept using organizationalRole so that roles are simply recursive.
Permission: this is just a role really, or an attribute of a role. If you use CMA they are defined in web.xml, not LDAP.
As I said, don't try to make your LDAP tree mirror your organization. Make it mirror its own organization. I use multiple-valued attributes wherever necessary. I use organizationalUnit mainly for layers within LDAP itself, or where I have broken my rules above ;-)
OpenLDAP has a referential integrity overlay which can keep a lot of this straight for you.
There are some very good hints on LDAP structure in Mastering OpenLDAP by Matt Butcher, and a higher level view of it all in Understanding and Deploying LDAP Directory Services by Howes et al.
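The lookup the question asks for (which roles a given user holds) done against the organizationalRole layout this answer recommends, as an added example that is not the answerer's code. It uses the UnboundID LDAP SDK's in-memory server so it runs without ApacheDS; the entries, DNs and role names are constructed sample data, and nesting works because a role's roleOccupant may itself be a role DN.

```java
import com.unboundid.ldap.listener.InMemoryDirectoryServer;
import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
import com.unboundid.ldap.sdk.*;
import java.util.LinkedHashSet;
import java.util.Set;

public class RoleLookup {
    // Search role -> occupant instead of keeping a "member" list on the Person: one
    // (indexable) equality search on roleOccupant finds every role a DN holds, and
    // recursing on the role DNs returns roles that were nested inside other roles.
    static Set<String> rolesOf(LDAPConnection conn, String dn, String rolesBase)
            throws LDAPException {
        Set<String> roles = new LinkedHashSet<>();
        collect(conn, dn, rolesBase, roles);
        return roles;
    }
    private static void collect(LDAPConnection conn, String dn, String rolesBase,
                                Set<String> acc) throws LDAPException {
        Filter f = Filter.createANDFilter(
                Filter.createEqualityFilter("objectClass", "organizationalRole"),
                Filter.createEqualityFilter("roleOccupant", dn));   // SDK escapes the value
        for (SearchResultEntry e : conn.search(rolesBase, SearchScope.ONE, f, "cn").getSearchEntries()) {
            if (acc.add(e.getDN())) {                               // also stops on role cycles
                collect(conn, e.getDN(), rolesBase, acc);
            }
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample tree; the in-memory server validates it against the standard schema.
        InMemoryDirectoryServer ds = new InMemoryDirectoryServer(
                new InMemoryDirectoryServerConfig("dc=example,dc=com"));
        ds.add("dn: dc=example,dc=com", "objectClass: top", "objectClass: domain", "dc: example");
        ds.add("dn: ou=people,dc=example,dc=com", "objectClass: organizationalUnit", "ou: people");
        ds.add("dn: ou=roles,dc=example,dc=com", "objectClass: organizationalUnit", "ou: roles");
        ds.add("dn: uid=alice,ou=people,dc=example,dc=com", "objectClass: inetOrgPerson",
               "uid: alice", "cn: Alice", "sn: Example");
        ds.add("dn: cn=document-editor,ou=roles,dc=example,dc=com", "objectClass: organizationalRole",
               "cn: document-editor", "roleOccupant: uid=alice,ou=people,dc=example,dc=com");
        // A role that "contains" another role: its occupant is the role DN, so alice gets it too.
        ds.add("dn: cn=admin,ou=roles,dc=example,dc=com", "objectClass: organizationalRole",
               "cn: admin", "roleOccupant: cn=document-editor,ou=roles,dc=example,dc=com");
        ds.startListening();
        try (LDAPConnection conn = ds.getConnection()) {
            System.out.println(rolesOf(conn, "uid=alice,ou=people,dc=example,dc=com",
                                       "ou=roles,dc=example,dc=com"));
        } finally {
            ds.shutDown(true);
        }
    }
}
```

Against a real server the same search needs an equality index on roleOccupant to stay cheap, and the ONE-level scope assumes all roles sit directly under ou=roles.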

One more option: check out attribute-based access control (ABAC). ABAC is an evolution of RBAC. It uses attributes (which are labels about the user, the resource, the context) and policies to determine what is allowed and what isn't.
Example: A user with the role==manager in the department==sales can do the action==edit on a document of type==purchase order if the PO's amount<=the user's approval limit.
You can read more on ABAC at the NIST website.

Check out Fortress. It is ANSI RBAC INCITS 359 compliant and built on LDAP. The source code is open source and you can pull down pre-built binaries that include OpenLDAP from here: http://iamfortress.org/

Related

Managing organization structure and permissions with keycloak

We have a multi-tenant (used by multiple organizations) application in Java Spring Boot. We have to implement authentication as well as authorization in such a way that:
There can be multiple users in an organization and a user can also be part of multiple organizations.
At a time, a user can view data of only one organization, but he can simply switch between organizations.
In an organization, there can be multiple teams.
A user can have different levels of access/permissions for each team. For example, user A may be the manager of team 1 and at the same time a member of team 2, etc.
We are planning to use Keycloak for IAM. So the question is, will this type of access management be possible to achieve in Keycloak, or do we have to manage these permissions at the database level in code? And for multi-tenancy, will a separate realm for each tenant be good, or should we go for a single realm and multiple groups?
Looking for expert opinions.

ACL in Spring Security or permission configuration

My requirement is the following: we have an application that uses roles, let's say (ADMIN/USER/GUEST); depending on the role they can access different sections of the application. However, in a specific section, some of them can see some actions/options/buttons/tabs, meaning that for two ADMIN users the configuration of the screen and the available options could be different.
I was reading about DomainACL in Spring Security and spring-security permissions; I believe using DomainACL is not what I need to cover this requirement, as I don't need to have object-granular security.
My question is: is there a specific out-of-the-box feature of spring-security that can solve this requirement that I don't know about, taking into consideration that I need to add some Java tags in the JSP to remove buttons/controls from the UI?
The other question is: will permissions without DomainACL be enough to solve this requirement, or am I missing something?
Basically I need to save the actions that can be executed by some users + the role of the users; let's say that I want to store in the database the permissions as "EXECUTE SEARCH", "VIEW_USER_TAB":
ADMIN / peter / "EXECUTE SEARCH", "VIEW_USER_TAB"
ADMIN / sarah / "EXECUTE SEARCH"
USER / john / "VIEW_USER_TAB"
I'm using Spring Security 3.2 and JSP pages as my view technology.
I did ROLES and OPERATION in my application.
Look at this answer, it helped me:
Difference between Role and GrantedAuthority in Spring Security
Basically what the article said is that there is no difference between roles and permissions: both are granted authorities and need to be placed on top of the security context to be able to manage access to the different resources. Using hasRole or hasPermission is only about specifying something that is more readable for the developer, but both operate by analyzing the granted authorities domain.
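The answer's point (roles and permissions are both GrantedAuthority values; hasRole and hasAuthority only differ in how the name is spelled) shown on the three sample rows from the question, as an added example that is not the poster's code. The hard-coded rows stand in for the database table; the role gets the ROLE_ prefix because hasRole('ADMIN') is matched against the authority ROLE_ADMIN (Spring Security 4 and later add the prefix for you; in 3.x write hasRole('ROLE_ADMIN')).

```java
import java.util.*;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class RolePermissionUserDetailsService implements UserDetailsService {
    private static final Set<String> ROLES = new HashSet<>(Arrays.asList("ADMIN", "USER", "GUEST"));
    // Constructed stand-in for the "role / user / permissions" rows of the question.
    private static final Map<String, List<String>> ROWS = new HashMap<>();
    static {
        ROWS.put("peter", Arrays.asList("ADMIN", "EXECUTE SEARCH", "VIEW_USER_TAB"));
        ROWS.put("sarah", Arrays.asList("ADMIN", "EXECUTE SEARCH"));
        ROWS.put("john",  Arrays.asList("USER", "VIEW_USER_TAB"));
    }

    // Every value in a row becomes one GrantedAuthority. Roles get the ROLE_ prefix that
    // hasRole('ADMIN') looks for; permissions stay verbatim for hasAuthority('VIEW_USER_TAB').
    // Nothing else distinguishes the two once they are in the security context.
    static List<GrantedAuthority> authoritiesFor(List<String> row) {
        List<GrantedAuthority> out = new ArrayList<>();
        for (String value : row) {
            out.add(new SimpleGrantedAuthority(ROLES.contains(value) ? "ROLE_" + value : value));
        }
        return out;
    }

    @Override
    public UserDetails loadUserByUsername(String username) {
        List<String> row = ROWS.get(username);
        if (row == null) throw new UsernameNotFoundException("no such user: " + username);
        // The password hash would come from the same database; placeholder here.
        return new User(username, "password-hash-from-database", authoritiesFor(row));
    }
}
```

In the JSP the same authorities drive the view: `<sec:authorize access="hasAuthority('VIEW_USER_TAB')">...</sec:authorize>` from the Spring Security taglib hides the tab for sarah and shows it for peter and john, whereas hasRole('ADMIN') would admit peter and sarah only.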

Spring Security one role different permissions

I am using Spring Security in my project. I have a question about it because I have 3 roles in my IS: user, manager, admin. In my system there are many rooms, and every room has one manager. But a manager can manage only his own room. What is the best way to do this? Now I have only basic security: a manager can manage all rooms. But this is correct only for the administrator. My question is, what is the best and fastest way? (Because this solution seems to be a little bit huge.)
use roles and permissions in the controller
@PreAuthorize("hasRole('ROLE_FORUM_MANAGER') and hasPermission(#forum, 'update')")
and Domain ACLs
http://docs.spring.io/spring-security/site/docs/3.1.x/reference/domain-acls.html
or something else?
I am asking for the easiest and fastest way.
This is the most usual case for using the ACL-based solution, because the permission can only be determined depending on the domain object being used.
To do this in ACLs, start by creating an ACL for each room. Then add each user as a security identity of type principal in the SID table. Then grant each user access to its room by creating an ACE (access control entry) linking the room ACL to the user's SID.
Role-based authentication (RBAC) should not be applicable here, as it does not allow giving fine-grained permissions dependent on the relation between the user and a domain object.
It's possible to combine RBAC hasRole with ACL hasPermission(#forum,'update'), but since we will already use ACLs, it's better to use only ACLs in order to push the permission access to the data only.
If later we change our minds about who accesses a given room, there is no code impact, only security reference data impact.
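The three steps of this answer (an ACL per room, a principal SID per user, an ACE linking them) expressed with Spring Security's ACL API, as an added example that is not the answerer's code. It assumes a configured MutableAclService bean (JdbcMutableAclService over the standard ACL tables) and pre/post method security wired to an AclPermissionEvaluator; the Room class is a minimal stand-in for the real entity.

```java
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.acls.domain.ObjectIdentityImpl;
import org.springframework.security.acls.domain.PrincipalSid;
import org.springframework.security.acls.model.*;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

// Minimal stand-in for the room entity; getId() is what the ACL layer reflects on
// when hasPermission(#room, ...) has to turn the object into an ObjectIdentity.
class Room {
    private final Long id;
    Room(Long id) { this.id = id; }
    public Long getId() { return id; }
}

@Service
public class RoomAclService {
    private final MutableAclService aclService;

    public RoomAclService(MutableAclService aclService) { this.aclService = aclService; }

    // Steps 1-3 of the answer: make sure the room has an ACL, then append an ACE that
    // grants the manager's principal SID WRITE on that one room. The SID row is created
    // on demand when the ACE is stored. Transactional because the ACL tables are JDBC.
    @Transactional
    public void assignManager(Long roomId, String username) {
        ObjectIdentity oid = new ObjectIdentityImpl(Room.class, roomId);
        MutableAcl acl;
        try {
            acl = (MutableAcl) aclService.readAclById(oid);
        } catch (NotFoundException e) {
            acl = aclService.createAcl(oid);
        }
        Sid manager = new PrincipalSid(username);
        acl.insertAce(acl.getEntries().size(), BasePermission.WRITE, manager, true);
        aclService.updateAcl(acl);
    }

    // The check: only a principal holding WRITE on this particular room gets in. No role
    // test is needed; who manages which room lives entirely in the ACL reference data,
    // which is the "no code impact" property the answer describes.
    @PreAuthorize("hasPermission(#room, 'WRITE')")
    public void updateRoom(Room room) {
        // ... persist the changes ...
    }
}
```

Administrators who must manage every room are handled the same way, either with a GrantedAuthoritySid ACE on each room or by giving their role the ACL's ADMINISTRATION permission, rather than by reintroducing a hasRole bypass in code.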

Java Spring Authentication, Authorization, and Ownership in multiple accounts web application

I'm new to web applications and security and I have a basic question.
Imagine a single Java web application with a single database but multiple accounts. Let's think about a to-do list for simplicity, where people can access only their own 'items' at /item/item-id. E.g.:
User1 creates items 1 and 2;
User2 creates items 3 and 4;
How do I prevent User2 from accessing /item/1 for instance?
This seems to go beyond Authentication (who is this?) and Authorization (what role does he/she have?) to me.
Should I keep a persisted map of user-items and check every time before returning a response?
Are there any Spring (or other) tricks/helpers for this problem?
Authorization isn't "What role do you have?". It's "Are you allowed to do this?". The role will play a part in deciding if the subject is allowed.
What you are describing is exactly the purpose of authorization.
User2 is trying to access (think of CRUD in HTTP GET,POST,DELETE,PUT) the resource at /item/1. Are they allowed? No. So deny them access.
Should I keep a persisted map of user-items and check every time before returning a response?
How you perform authorization is up to you. Spring security definitely offers some good tools to do it from a database while separating that logic from your application logic (if need be).
I'd also like to recommend another security framework: Apache Shiro. I think it's a little easier to configure than Spring Security and I find its authentication/authorization logic more straightforward.
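The "are they allowed?" decision from this answer applied to the /item/{id} case, as an added example that is not the answerer's code: a custom Spring Security PermissionEvaluator answers 'read' on an Item by comparing its owner to the authenticated username, so the controller never carries the user-item map itself. Item, ItemRepository and the method-security wiring are assumptions.

```java
import java.io.Serializable;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;

// Assumed domain types: an item that records who created it, and a lookup by id.
class Item {
    private final long id; private final String owner;
    Item(long id, String owner) { this.id = id; this.owner = owner; }
    public long getId() { return id; }
    public String getOwner() { return owner; }
}
interface ItemRepository { Item findById(long id); }

// One place for the "are you allowed to touch this item?" decision. Spring calls it
// for every hasPermission(...) expression, so controllers never carry the owner map.
public class OwnershipPermissionEvaluator implements PermissionEvaluator {
    private final ItemRepository items;
    public OwnershipPermissionEvaluator(ItemRepository items) { this.items = items; }

    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        if (auth == null || !(target instanceof Item)) return false;
        // Deny by default: read, modify and delete are all reserved to the owner.
        return auth.getName().equals(((Item) target).getOwner());
    }

    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId,
                                 String targetType, Object permission) {
        if (!"Item".equals(targetType) || !(targetId instanceof Number)) return false;
        Item item = items.findById(((Number) targetId).longValue());
        // An unknown id is simply "not allowed", so the response does not reveal whether it exists.
        return item != null && hasPermission(auth, item, permission);
    }
}

// Controller side (assumes pre/post method security with the evaluator registered):
// User2 requesting /item/1 is stopped at the annotation before the item is returned.
class ItemController {
    private final ItemRepository items;
    ItemController(ItemRepository items) { this.items = items; }
    @PreAuthorize("hasPermission(#id, 'Item', 'read')")
    public Item show(long id) { return items.findById(id); }
}
```

User1 and User2 hold the same role, so no role check could separate them; the decision has to be made against the resource, which is exactly what this evaluator does.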
In addition to Spring Security and Apache Shiro, you want to consider XACML-based authorization frameworks e.g. SunXACML, WSO2, Axiomatics (disclaimer: I work for Axiomatics).
XACML is the eXtensible Access Control Markup Language. It's the de-facto standard for fine-grained authorization. Much like SAML is great at identity federation / SSO, XACML helps you achieve authorization.
XACML gives you an architecture (see picture below) as well as an authorization language which you can use to express specific authorization scenarios e.g.
doctors can view medical records of patients they are assigned to
nurses can view medical records of patients that belong to the same clinic
patients can view their own records and that of patients for whom they are the guardian
You can have as many rules as you like. There is no limit.

How to implement role-based access control Java/MySql?

I am planning to start a web-based project that involves user registration just like forums/CMS, but my barrier is that I have no idea how to implement the so-called role-based access control.
I googled for "role-based access control" and I found in the results books about:
Design Patterns.
Is this related to what I need?
Is there a tutorial about implementing this idea?
Is the implementation on the database side or the programming-language side?
Any reference? Any title?
Design your tables such that a user can have one or multiple roles based on your system.
Define your access to pages per group:
admin.allowed = .*
user.allowed=/home/.*,/profile/.*
in some properties file.
Create a web filter that reads the user from the session, determines the role, and checks whether the page being requested is allowed; if not, it redirects to some other page.
See Also
Writing an authorization filter for my web app(JSF 2.0)
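The filter sketched in this answer, as an added example that is not the answerer's code: it loads the per-role allowed-path patterns from a properties file (the two lines above, assumed to live at /WEB-INF/access.properties), reads the role the login code stored in the session, and redirects anything not matched. The session attribute name "role" and the /denied target are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.*;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;
public class RoleAccessFilter implements Filter {
    // role -> compiled patterns, built once from the "<role>.allowed=<regex>,<regex>" lines
    private final Map<String, List<Pattern>> allowed = new HashMap<>();

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        Properties p = new Properties();
        try (InputStream in = cfg.getServletContext().getResourceAsStream("/WEB-INF/access.properties")) {
            if (in == null) throw new ServletException("access.properties missing");
            p.load(in);
        } catch (IOException e) {
            throw new ServletException(e);
        }
        for (String key : p.stringPropertyNames()) {
            if (!key.endsWith(".allowed")) continue;
            List<Pattern> ps = new ArrayList<>();
            for (String re : p.getProperty(key).split(",")) ps.add(Pattern.compile(re.trim()));
            allowed.put(key.substring(0, key.length() - ".allowed".length()), ps);
        }
    }

    // The decision on its own so it can be unit-tested: a path is allowed only when the role
    // is known and one pattern matches the WHOLE path (matches(), not find(), so "/home/.*"
    // does not also admit "/admin/home/").
    boolean isAllowed(String role, String path) {
        List<Pattern> ps = role == null ? null : allowed.get(role);
        if (ps == null) return false;                          // no session / unknown role: deny
        for (Pattern pt : ps) if (pt.matcher(path).matches()) return true;
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpSession s = r.getSession(false);
        String role = s == null ? null : (String) s.getAttribute("role"); // stored at login (assumed name)
        String path = r.getRequestURI().substring(r.getContextPath().length()); // path inside the app
        if (isAllowed(role, path)) chain.doFilter(req, res);
        else ((HttpServletResponse) res).sendRedirect(r.getContextPath() + "/denied");
    }

    @Override public void destroy() {}
}
```

The login and /denied pages must be outside the filter mapping or allowed for every role, or the redirect loops; and because the container does not normalise getRequestURI for you, compare a decoded, normalised path (or the servlet path plus path info) if clients can send "../" or encoded slashes.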
