Slides from the workshop on Authorisation at LJC's (London Java Community) Workshop Day on 28 July 2018. The workshop was aimed at intermediate and skilled Java developers who are interested in learning about information security in general and authorisation in particular. The workshop starts with an introduction to authorisation and explains the difference between authorisation and authentication, which is often misunderstood. Apache Shiro, an open source Java security framework is then introduced with a focus on its authorisation features. This is followed by a hands-on coding exercise involving the use of Shiro to secure a simple console application. Introduction to an extension to Shiro’s domain model is presented which can facilitate application domain level authorisation abstractions like application licensing, compound entitlements etc.

1. Authorisation
Omar Bashir
https://www.linkedin.com/in/obprofile/
@OmarBashir_40
obashir@yahoo.com

5. Essentials of Information Security
● Authentication
– Confirming the identity of a subject.
● Authorisation
– Specifying, determining and enforcing a subject’s entitlements.
● Encryption
– Encoding information in flight and at rest making it difficult for
consumption even when access to it has been compromised.

6. Security in Practice
Subject
Resource

7. Security in Practice
Subject
Resource
Credentials:
Username
Password

8. Security in Practice
Subject
Resource
Credentials:
Username
Password
Access Control/
Authorisation
Access Control/
Authorisation

9. Security in Practice
Subject
Resource
Credentials:
Username
Password
Access Control/
Authorisation
Access Control/
Authorisation

10. Authorisation
● Specification of access rights/privileges/
entitlements to resources.
● Entitlements allow subjects to perform specific
actions on specified resources.
● Resources include physical, computational and
data assets of an information system.
● Entitlements specified as access policies.
● Effective authorisation based on denying access
unless permitted via an entitlement.

11. Authorisation
● Entitlements
– Defined on an action and a resource.
– Entitlement levels
● Resource
● Instance of a resource
● Attributes of a resource or an instance of a resource.

12. Authorisation Constructs
Subject Resource
Modify
Action

13. Authorisation Constructs
Subject Resource
Modify
Action
Entitlement

14. Authorisation Constructs
Subject
Resource
Modify
Action
Entitlement
Resource
View
Action
Entitlement
Subject can Modify and View the Resource

15. Authorisation Constructs
Subject
Resource
Modify
Action
Entitlement
View
Action

16. Authorisation Constructs
Subject
Resource A
Modify
Action
Entitlement
View
Action
Subject can Modify and View both Resource A and Resource B
Resource B

17. Authorisation Constructs
Subjects
Resource
Modify
Action
Entitlement
Role

18. Authorisation Constructs
Subjects
Resource
Modify
Action
Role
Resource
Modify
Action
Resource
Modify
Action
Resource
Modify
Action
Groups

19. Implicit and Explicit Roles
● Implicit Roles
– Application implies a set of permissions based on the
role name only.
● E.g., John is Admin so he can delete all the data.
– Brittle: changing permissions on a role require code
change.
● Explicit Roles
– Roles have explicit permissions assigned to them.
● E.g., Jane is Document Owner and Document Owner can
modify the document. So Jane can modify the document.
– Sustainable: changing permissions require changes to
entitlements configuration.

20. Decomposing Authorisation
● Entitlements are implementations of organisational
policies enforcing access control.
● Components of an authorisation function include
– Policy Administration Point (PAP)
● Where the access control policy is specified to the system.
– Policy Decision Point (PDP)
● Where access control policy is evaluated in context of the
incoming request to decide to allow or deny acess.
– Policy Enforcement Point (PEP)
● Where the outcome from the PDP is enforced and the access
is allowed or denied.

21. Authorisation Service
Authz
Service
Permissions
Store
App
Services
Admin
Services
PAP
PDP
PEP
PEP
PAP
PEP

23. Apache Shiro
● Java security framework performing,
– Authentication
– Authorisation
– Cryptography
– Session Management.
● Suitable for any type of application,
– Command line programs,
– Mobile apps,
– Web services,
– Enterprise systems.

24. Core Concepts
● Subject
– The currently executing identity.
● The thing that is currently interacting with the system.
– Represents security operations for the current user.
● SecurityManager
– Singleton managing security operations of all users.
● Realm
– A security specific DAO.
– At least one realm needed for authentication and/or
authorisation data.

25. Realms
● Available realms,
– LDAP
– JDBC
– INI and properties files.
● Custom realms
– Implementation of realm interfaces.
– Extension of realm abstract classes.

26. Brief Architecture
Subject
Application
SecurityManager
Realm

27. Architecture
Security Manager
Cryptography
Application
Subject
Authoriser
Session
Manager
Cache
Manager
Realm Session DAORealm Realm
RDBMS LDAP CustomRDBMS
Session
Store
Authenticator
Authn
Strategy

28. Shiro Authorisation
● Programmatic
– Using if-else statements checking for entitlements
around the restricted operations.
● Annotation based
– Requires AOP support.
– Annotations applied on methods performing restricted
operations.
● JSP TagLib
– Using the Shiro tag library for JSP/GSP applications.

29. Programmatic Authorisation
Realm realm = new StubRealm();
realm.setCredentialsMatcher(new CredentialsMatcher() {...})
SecurityManager securityManager = new DefaultSecurityManager(realm);
SecurityUtils.setSecurityManager(securityManager);
final Subject user = SecurityUtils.getSubject();
user.login(new UsernamePasswordToken("Sam", "S@mmy".toCharArray()));
if (user.hasRole(“admin”)) {
// Operation permitted
} else {
// Operation denied
}
if (user.isPermitted(new MyPermission(...)) {
// Operation permitted
} else {
// Operation denied
}

30. Exercise
● Implement AuthorizingRealm for a custom
credentials and permissions store.
● Implement authorisation in PersonApp demo
application.
– RW role can read and modify data except delete all.
– RO role can only read data.
– SU role can perform all operations.

31. Beyond Shiro

32. Access Control Types
● Role Based Access Control (RBAC)
– Users in a specific role acquire entitlements specific to
that role.
– Implict RBAC
● Entitlements are implied in the application based on the role
assigned to a subject.
– Explicit RBAC
● A role is associated with specific entitlements on specific
resources.
● A subject’s permissions within their role are queried.
● Also referred to as Resource Based Access Control

33. Access Control Types
● Attribute Based Access Control (ABAC)
– Access based on different attribute types.
● User attributes
● Role attributes
● Resource attributes
● Action attributes
● Entitlement attributes
– Example attributes
● Entitlement times, durations
● Resource instances

34. ABAC vs RBAC
● RBAC is relatively course grained.
● ABAC allows fine grained, temporal access control.
● ABAC allows constraints over permissions.
● Select frameworks that are hybrid.
– Less is more
● Use RBAC to start with.
● Fine tune with ABAC.

35. Domain Specific Access Control
Authz
Service
Permissions
Store
License
Service
Admin
Services
Applications
Licenses
License Groups
Subject
Role
Resources
Entitlements
User Groups
Subject
Role
Example: Application Licensing
Applications = Resources
Licenses = Entitlements

36. Compound Entitlements
Subject
Resource A
Modify
Action
Entitlement
Resource B
View
Action
Entitlement
How do we allow Modify on Resource A only when the Subject can also view Resource B ?

37. Entitlement Groups
Subject
Resource A
Modify
Action
Resource B
View
Action
Entitlement
Entitlement
Entitlement Group
Entitlement Groups
Implicit via attributes on
entitlements.
Explicit via additional constructs.