I am working on a project that requires that I implement a mechanism for controlling data access to the content that is displayed on the pages.
First off, to clarify, I am not referring to the ability for different users to log on to a specific page and/or view specific pages. That is a different type of access control. I am more interested in "data access", i.e. where multiple users can view the same page but the data that is displayed depends on the data access control privileges they have.
I am interested to know of the different approaches out there to implementing "data access" control. Is there a framework out there for this kind of thing? I am currently using Struts.
I'm thinking that to do this, I will need to somehow categorize and store the kinds of data I keep and configure which users can view/amend it. I want to try and avoid producing something completely from scratch, so I'm wondering how the experts do this and what frameworks and technologies assist them in doing it.
I guess you need Spring Security Framework. With this framework, you assign different roles to different users. For example, we can define two roles: ROLE_USER, ROLE_ADMIN. Then we assign those roles to users. For example, a user A can have only one role, ROLE_USER and a user B can have both of the roles. Now if on a particular JSP, you want to show something to user B only, you can put the code into a pair of authorization tags:
<sec:authorize ifAllGranted="ROLE_USER, ROLE_ADMIN">
<!-- html, jsp scriptlets, jstl tags inside here will be visible to user B only -->
</sec:authorize>
Similarly if you want to show something to both of them:
<sec:authorize ifAllGranted="ROLE_USER">
<!-- anything inside here will be visible to both users -->
</sec:authorize>
Hope it helps.
You are looking for an authorization solution? Have you already checked JAAS, OSUser and similar?
The authentication requirements can vary greatly; I think you need to be more specific. Try adding a use case.
I think he was pretty specific with his question, though I also do not yet know the answer for it.
In any well-built enterprise application, you have two levels of security:
(a) Functionality ACL.
Can a user search for others in Facebook? (etc.)
(b) Which data are you granted access to read and update?
e.g. Which users' profiles can you open and read in Facebook?
For some users, e.g. those in your friends list, you can see their profiles. For others you can't.
Thus, the fact that you can open a JSP that lists entities does not mean that you will be able to see the full set of entities in the system.
(a) is easily solvable with Java EE users and roles security concepts.
(b) How do you associate your database data with specific JNDI users and roles?
Do you always have to reinvent the wheel when it comes to data access ACL?
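The record-level check of level (b), as an added example in plain Java (not code from the question or the answer above): an in-memory grant list stands in for the database table, the owner always has full access, friends get an explicit READ grant, and both the listing and the update path consult the same check server side. The container or web framework is assumed to have already enforced level (a), i.e. whether the caller's role may open the profile page at all. All names are constructed sample data.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example, not code from the question or the answer above: a record-level
// ("data access") ACL for the Facebook-profile case in level (b). The functionality
// ACL of level (a), i.e. whether the role may open the profile page at all, is
// assumed to have been enforced already by the container or web framework.
public class ProfileAcl {

    enum Permission { READ, WRITE }

    // One grant: 'principal' may do 'permission' on the profile owned by 'owner'.
    // In a real application this is a database table; here it is an in-memory list.
    static final class Grant {
        final String principal, owner; final Permission permission;
        Grant(String principal, String owner, Permission permission) {
            this.principal = principal; this.owner = owner; this.permission = permission;
        }
    }

    static final class Profile {
        final String owner; final String bio;
        Profile(String owner, String bio) { this.owner = owner; this.bio = bio; }
    }

    private final List<Grant> grants = new ArrayList<>();
    private final Map<String, Profile> profiles = new LinkedHashMap<>();

    void addProfile(Profile p) { profiles.put(p.owner, p); }
    void grant(String principal, String owner, Permission permission) {
        grants.add(new Grant(principal, owner, permission));
    }

    // Owners always have full access to their own record; anyone else needs an
    // explicit grant. WRITE implies READ. Whatever is not granted is denied.
    boolean isAllowed(String principal, String owner, Permission wanted) {
        if (principal.equals(owner)) return true;
        for (Grant g : grants) {
            if (!g.principal.equals(principal) || !g.owner.equals(owner)) continue;
            if (g.permission == wanted || g.permission == Permission.WRITE) return true;
        }
        return false;
    }

    // The listing page may be open to every logged-in user, but only the rows the
    // caller is allowed to read are returned to it.
    List<Profile> visibleTo(String principal) {
        List<Profile> out = new ArrayList<>();
        for (Profile p : profiles.values())
            if (isAllowed(principal, p.owner, Permission.READ)) out.add(p);
        return out;
    }

    // The update path repeats the check server side; the JSP is never the last line of defence.
    void updateBio(String principal, String owner, String newBio) {
        if (!isAllowed(principal, owner, Permission.WRITE))
            throw new SecurityException(principal + " may not edit the profile of " + owner);
        profiles.put(owner, new Profile(owner, newBio));
    }

    public static void main(String[] args) {
        ProfileAcl acl = new ProfileAcl();                 // constructed sample data
        acl.addProfile(new Profile("alice", "Alice's bio"));
        acl.addProfile(new Profile("bob", "Bob's bio"));
        acl.addProfile(new Profile("carol", "Carol's bio"));
        acl.grant("bob", "alice", Permission.READ);        // alice added bob to her friends list
        acl.grant("carol", "alice", Permission.WRITE);     // alice lets carol maintain her page

        for (Profile p : acl.visibleTo("bob")) System.out.println("bob sees " + p.owner);   // alice, bob
        acl.updateBio("carol", "alice", "edited by carol");                                   // allowed
        try {
            acl.updateBio("bob", "alice", "not allowed");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

The point of routing both the listing and the update through isAllowed is that the JSP only decides what to render; the data layer decides what exists for this caller, so a page that lists entities never hands out rows the caller has no grant for.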
I have a spring application that allows administrators to manage several sub-sections of the application, with each sub-section having its own users. The sub-sections are loaded depending on the URL that's being used to access the app. I've had some pretty simple experience using Spring security and setting up a pretty simple custom UserDetailsService, adding roles and granting authority to users, etc.
What I'd like to be able to do is have users be allowed to register under different sub-sections with the same username, and then ideally instead of loadUserByUsername in UserDetailsService for example, use something more like "loadUserByUsernameAndSubSection". So for example user 'scott75' could be registered on subsection1.myApp.com and also on subsection2.myApp.com.
I'm not looking for anyone to write a solution for me, but hopefully point me in the right direction in terms of classes in Spring Security that could do something like this. Or, alternatively, tell me I'm crazy and to go about it another way, like building an interface around adding/removing sub-section access to/from users, or adding/removing users from sub-sections.
We have a system that comprises several functions and I am requested to separate some functionality from our existing system.
Basically, the system has only one user which has access to the whole system functionality; however, the requirement here is to limit the access some users have to the system.
I would appreciate some kind help in the direction I am supposed to take with this assignment.
Thanks in advance
PS: if it's not clear enough you can follow up by comment.
The first question you need to answer is: where do you want to keep your access information? I.e. who can access what. Some options include an LDAP server, hard coding into the app, or some sort of encrypted file, etc. How you answer this will dictate the technology you use.
For example, if you decide to use an LDAP server, then you need to have your app set up a connection to it, prompt the user for a userid and password, log on, and retrieve their security groups. Then when you are setting up the GUI, you can query the retrieved groups to see what the user can see or access.
It's pretty much always a good idea to relate a user to one or more security groups. From there you can decide to either assign GUI functionality to individual groups, or to decouple a step further and assign functions to privileges, and then define group-to-privilege relationships.
Java comes with JAAS, which is a built-in security framework. But it can take some time to get your head around and (AFAIK) is not a complete solution, just a starting point.
It also may be that you simply don't need anything as complex as LDAP and JAAS. If it's a simple app then perhaps you only need an admin id which only one or two people know the password to, and some other shared ids; in that case you can simply store the data in the app, although this is the least flexible solution.
Finally, you should make sure that the difficulty of accessing the system matches the importance of the information being stored, i.e. don't put bank-level security in front of editing the staff's contact information.
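The user -> group -> privilege -> function indirection the answer recommends, as an added example in plain Java (not code from the answer): group membership would normally come from LDAP after login, privileges are derived from groups rather than stored per user, and a function nobody registered a privilege for is hidden from everyone. All names are constructed sample data.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

// Added example, not code from the answer above: the user -> group -> privilege ->
// function indirection it recommends, kept in memory. Group membership would normally
// be read from LDAP after login; all names below are constructed sample data.
public class FunctionAcl {

    private final Map<String, Set<String>> userGroups = new HashMap<>();       // user -> groups
    private final Map<String, Set<String>> groupPrivileges = new HashMap<>();  // group -> privileges
    private final Map<String, String> functionPrivilege = new TreeMap<>();     // GUI function -> privilege it needs

    void addUserToGroup(String user, String group) {
        userGroups.computeIfAbsent(user, k -> new HashSet<>()).add(group);
    }
    void grantPrivilege(String group, String privilege) {
        groupPrivileges.computeIfAbsent(group, k -> new HashSet<>()).add(privilege);
    }
    void requirePrivilege(String function, String privilege) {
        functionPrivilege.put(function, privilege);
    }

    // Privileges are derived, never stored per user, so moving a user between
    // groups or re-pointing a group at other privileges needs no per-user edits.
    Set<String> privilegesOf(String user) {
        Set<String> out = new HashSet<>();
        for (String group : userGroups.getOrDefault(user, Collections.<String>emptySet()))
            out.addAll(groupPrivileges.getOrDefault(group, Collections.<String>emptySet()));
        return out;
    }

    // Default deny: a function nobody registered a privilege for is hidden from everyone.
    boolean canUse(String user, String function) {
        String needed = functionPrivilege.get(function);
        return needed != null && privilegesOf(user).contains(needed);
    }

    // What the GUI should render for this user, in a stable order.
    List<String> menuFor(String user) {
        List<String> menu = new ArrayList<>();
        for (String function : functionPrivilege.keySet())
            if (canUse(user, function)) menu.add(function);
        return menu;
    }

    public static void main(String[] args) {
        FunctionAcl acl = new FunctionAcl();
        acl.requirePrivilege("View staff contacts", "STAFF_READ");
        acl.requirePrivilege("Edit staff contacts", "STAFF_WRITE");
        acl.requirePrivilege("Approve payments", "PAYMENT_APPROVE");
        acl.grantPrivilege("staff", "STAFF_READ");
        acl.grantPrivilege("hr", "STAFF_READ");
        acl.grantPrivilege("hr", "STAFF_WRITE");
        acl.grantPrivilege("finance", "PAYMENT_APPROVE");
        acl.addUserToGroup("dave", "staff");
        acl.addUserToGroup("erin", "staff");
        acl.addUserToGroup("erin", "hr");

        System.out.println("dave: " + acl.menuFor("dave"));   // [View staff contacts]
        System.out.println("erin: " + acl.menuFor("erin"));   // [Edit staff contacts, View staff contacts]
        System.out.println("dave may approve payments: " + acl.canUse("dave", "Approve payments")); // false
    }
}
```

Because canUse is the single decision point, the same call can back both the menu rendering and the server-side check on the action itself; hiding a menu item alone is not access control.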
What's the best approach to create a hierarchy of portals?
Let's take "Computer" as an example.
"Computer" would be the parent of all portals. Computer will have sub-portals/children like "Laptop", "Desktop" and "Printers". Then each child would also have another sub-portal/child like "HP Laptop", "Lenovo Laptop" or "HP Desktop" etc.
Every portal would have a different look and feel. Some of the portals will share portlets and content with each other, e.g. "USB Products" will borrow portlets from "IBM Desktop" or "Brothers Printers" will borrow content from "HP Laptop".
Any user of the "Portal" can access all those portals without signing up again. That means a user from "HP Printers" can access "HP Laptops". Each portal is an individual of its own; it will have its own domain, but at the backend they share portlets and other resources.
I hope this makes sense.
What's the best way to do it?
Is it creating a "Portal Instance"?
Or should it be in "Organization"?
Thanks in advance!
In Liferay Portal, here is how the data is scoped:
Portal Instance
  Community
    Content data (wiki, message boards, etc)
  Users
  Organizations
    Content data (wiki, message boards, etc)
  Roles
  etc.
And then there is of course the Global scope that will allow you to share content data if it makes sense to.
For creating a system like the Yahoo! portal, I would use a single Portal Instance (so that you can reuse users) and have a different Community for each service (e.g. Answers, Finance) as they don't share content data.
You have several options here:
Create a hierarchy of organizations. Each organization will have its own set of pages. Advantage is that you can assign different domain names to each organization. Downside is that it is more difficult to share content between organizations.
Create one big organization or community and use the page hierarchy to direct your users to the proper parts of the site. Advantage is the ease of configuration and the single point of administration. Downside is that you can't have different domain names for each "subsite".
From my experience, most of the time it is easier to actually make everything in one group (community or organization). You lose the advantage to have separate domain names for each subsite, but the same effect can be reached by using proper, human-readable URLs.
If you still want to use multiple organizations, be aware that your content is not easily shared unless you use the Global Scope. But if you do that, there is really no point in using different groups at all, apart from the domain name issue.
Do the following:
Create a new tab on the tab bar by clicking it and selecting New.
Go to Manage Pages and there you can add child pages and so on.
Some new ideas:
The organizations approach keeps the pages inside the same program, whereas the instance approach runs several instances on the same server that are separated from each other by URL. Building hierarchies and having different layouts is as easy or complicated in both, but common user rights may be easier with the organization approach. You don't have to think about passing the session to another instance.
Are there any possible ways by which a malicious user on a web application can manipulate the input that is sent by the front-end of the web application (not talking about the FORM DATA, of course) but the requests that are sent, e.g. when I allow him to edit his profile or his content, he may manipulate the IDs (userId or the contentId) so that he may maliciously do evil with other users' content? These inputs are fixed on a webpage and are not editable, but can the users still manipulate them?
Is it possible that users may do harm in this manner? How can I safeguard my application against this, besides verifying the user's identity and his contents/properties on the application prior to allowing each of his actions?
Yes of course. Anything that comes from the client can be modified and cannot be trusted at all.
You need to do server-side checks if the user is editing his own profile or something he's allowed to edit.
For things like editing the profile you could simply use the userid stored in his session though (assuming it's secure, i.e. stored server-side or in cryptographically signed cookies). Only let data go through the client if it's necessary - if the data is already available on the server, you don't even have to give the user the feeling that he might be able to tamper with it. Even though it could be used as a honey-pot - but that's not really the purpose of most webapps...
Yes, it is possible and it is a real danger.
There are two things you can do:
Implement an access control / permission system which controls which data records a user can access or modify.
Store information that is none of their business in a session object on the server.
(By the way, these are not exclusive options, ideally you should do both.)
Both solutions still leave you prone to session hijacking though, which is a different, more global problem.
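The two answers above in code, as an added example that is not part of either answer: the same "save my content" action written once trusting the ids the browser sent and once taking the identity from the server-side session and comparing it with the owner stored on the record (the two measures the second answer lists, applied together). Request and the session field are minimal stand-ins for the servlet API, and the store and all ids are constructed sample data.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not code from the answers above. The same "save my content" action
// is written twice: first trusting the ids the browser sent, then using the
// server-side session identity and the owner stored with the record. Request and
// the session are minimal stand-ins for the servlet API; all data is constructed.
public class EditContentExample {

    static final class Content {
        final long id; final String ownerId; String body;
        Content(long id, String ownerId, String body) { this.id = id; this.ownerId = ownerId; this.body = body; }
    }

    static final class Request {
        final Map<String, String> params = new HashMap<>();
        final String sessionUserId;                    // set by the login code, never by a form field
        Request(String sessionUserId) { this.sessionUserId = sessionUserId; }
        Request param(String name, String value) { params.put(name, value); return this; }
    }

    static final Map<Long, Content> store = new HashMap<>();

    // VULNERABLE: the hidden field carries contentId (and even userId), and the
    // handler believes it. A hidden field pointing at another record's id is enough
    // to overwrite somebody else's content, because nothing here asks who owns it.
    static void updateVulnerable(Request req) {
        long id = Long.parseLong(req.params.get("contentId"));
        Content c = store.get(id);
        c.body = req.params.get("body");               // no ownership check at all
    }

    // HARDENED: identity comes from the session, the record is loaded by id and the
    // owner stored with it is compared to that identity. "Does not exist" and
    // "not yours" get the same response so ids cannot be probed.
    static void updateHardened(Request req) {
        String me = req.sessionUserId;
        if (me == null) throw new SecurityException("not logged in");
        long id = Long.parseLong(req.params.get("contentId"));
        Content c = store.get(id);
        if (c == null || !c.ownerId.equals(me)) throw new SecurityException("forbidden");
        c.body = req.params.get("body");
    }

    public static void main(String[] args) {
        store.put(1L, new Content(1, "alice", "alice's post"));
        store.put(2L, new Content(2, "bob", "bob's post"));

        // bob, logged in, submits a form whose hidden contentId was changed from 2 to 1
        Request tampered = new Request("bob").param("contentId", "1").param("body", "changed by bob");

        updateVulnerable(tampered);
        System.out.println("vulnerable: content 1 now reads '" + store.get(1L).body + "'");   // overwritten

        store.get(1L).body = "alice's post";
        try {
            updateHardened(tampered);
        } catch (SecurityException e) {
            System.out.println("hardened: " + e.getMessage() + ", content 1 still reads '" + store.get(1L).body + "'");
        }
    }
}
```

For the profile-edit case the first answer mentions, the hardened handler gets even simpler: there is no contentId to accept at all, the record to update is the one keyed by sessionUserId, so the client never sees an id it could alter.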
I am working to configure Spring-Security with an existing application, for just basic security (i.e. what pages a user can see based on their roles). The question came up wondering if we could set what roles are required for each page in java instead of the ApplicationContext.xml.
The idea is to store them in a table in our database, so we can easily change them without a redeployment. Is this possible? How?
Yes you can configure Spring-Security programmatically. But I don't think that is what you want / need to do.
The question came up wondering if we could set what roles are required for each page in java instead of the ApplicationContext.xml.
You could implement your own AccessDecisionManager class that queries your database to fetch the rules (or whatever) for each resource / page. This is described in Section IV of the Spring Security manual.
Alternatively, you could embed your own custom access control logic inside your MVC controller. Use SpringSecurityContext to fetch the request's Authorization object, fish out the identity and/or authorities, and implement the decision making however you want to.
We did this using interceptors. Basically a MethodInterceptor proxies any call to any method you want (e.g. getting an object from your database). You can then programmatically intercept the object, check the current user, and do pretty much anything you want in terms of access control. If that means querying the database for a list of users who have access (and hence a list you can change without modifying code), then so be it.
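The custom AccessDecisionManager suggested in the answer above, written out as an added example (not code from any of the answers, and not Spring's own) against the Spring Security 3.x-to-5.x API: the roles required for each page are read from a database table rather than from the XML, cached for a short interval so the change takes effect without a redeployment. The table page_roles(pattern, role, ordinal) and its column names are an assumed schema, not from the question; the URL pattern syntax is Spring's AntPathMatcher, and a page with no row is denied outright (fail closed).

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.sql.DataSource;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.FilterInvocation;
import org.springframework.util.AntPathMatcher;

// Added example (not from the answers, not Spring's own code): an AccessDecisionManager
// that looks the required roles for a page up in the database instead of the XML.
// Assumed table, not from the question: page_roles(pattern VARCHAR, role VARCHAR, ordinal INT).
public class DbPageAccessDecisionManager implements AccessDecisionManager {

    private static final long REFRESH_MS = 30_000;           // re-read the table at most every 30 s

    private static final class Rule {
        final String pattern; final List<String> roles = new ArrayList<>();
        Rule(String pattern) { this.pattern = pattern; }
    }

    private final DataSource dataSource;
    private final AntPathMatcher matcher = new AntPathMatcher();
    private volatile List<Rule> rules = new ArrayList<>();   // empty until the first load: everything denied
    private volatile long loadedAt = 0;

    public DbPageAccessDecisionManager(DataSource dataSource) { this.dataSource = dataSource; }

    @Override
    public void decide(Authentication authentication, Object secured, Collection<ConfigAttribute> attributes) {
        if (authentication == null || !authentication.isAuthenticated())
            throw new InsufficientAuthenticationException("not authenticated");
        String url = ((FilterInvocation) secured).getRequestUrl();
        int q = url.indexOf('?');
        String path = q < 0 ? url : url.substring(0, q);     // rules match the path, not the query string

        Rule rule = matchingRule(path);
        // Fail closed: a page with no row in the table is not reachable by anyone.
        if (rule == null) throw new AccessDeniedException("no access rule for " + path);
        for (GrantedAuthority granted : authentication.getAuthorities())
            if (rule.roles.contains(granted.getAuthority())) return;   // any one of the listed roles suffices
        throw new AccessDeniedException("missing role for " + path);
    }

    private Rule matchingRule(String path) {
        if (System.currentTimeMillis() - loadedAt > REFRESH_MS) reload();
        for (Rule r : rules)
            if (matcher.match(r.pattern, path)) return r;    // first match wins, in 'ordinal' order
        return null;
    }

    private synchronized void reload() {
        List<Rule> fresh = new ArrayList<>();
        String sql = "SELECT pattern, role FROM page_roles ORDER BY ordinal, pattern";
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql);
             ResultSet rs = ps.executeQuery()) {
            Rule current = null;
            while (rs.next()) {
                String pattern = rs.getString(1);
                if (current == null || !current.pattern.equals(pattern)) {
                    current = new Rule(pattern);
                    fresh.add(current);
                }
                current.roles.add(rs.getString(2));
            }
        } catch (SQLException e) {
            return;   // keep the previous rules rather than failing open; log this in real code
        }
        rules = fresh;
        loadedAt = System.currentTimeMillis();
    }

    @Override public boolean supports(ConfigAttribute attribute) { return true; }
    @Override public boolean supports(Class<?> clazz) { return FilterInvocation.class.isAssignableFrom(clazz); }
}
```

To wire it in (assumed configuration, following the namespace the question already uses), declare the bean with the application's DataSource and reference it from the http element with access-decision-manager-ref; keep a single catch-all intercept-url for /** with a placeholder access attribute, because the filter only consults the decision manager for URLs that have some config attribute, and supports(ConfigAttribute) returning true is what lets that placeholder through.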