Slides from the workshop on Authorisation at LJC's (London Java Community) Workshop Day on 28 July 2018.
The workshop was aimed at intermediate and skilled Java developers who are interested in learning about information security in general and authorisation in particular.
The workshop starts with an introduction to authorisation and explains the difference between authorisation and authentication, which is often misunderstood. Apache Shiro, an open source Java security framework, is then introduced with a focus on its authorisation features. This is followed by a hands-on coding exercise in which Shiro is used to secure a simple console application. Finally, an extension to Shiro's domain model is presented which can support application-level authorisation abstractions such as application licensing and compound entitlements.
5. Essentials of Information Security
● Authentication
– Confirming the identity of a subject.
● Authorisation
– Specifying, determining and enforcing a subject’s entitlements.
● Encryption
– Encoding information in flight and at rest so that it remains
difficult to consume even when access to it has been compromised.
10. Authorisation
● Specification of access rights/privileges/
entitlements to resources.
● Entitlements allow subjects to perform specific
actions on specified resources.
● Resources include physical, computational and
data assets of an information system.
● Entitlements specified as access policies.
● Effective authorisation based on denying access
unless permitted via an entitlement.
11. Authorisation
● Entitlements
– Defined on an action and a resource.
– Entitlement levels
● Resource
● Instance of a resource
● Attributes of a resource or an instance of a resource.
19. Implicit and Explicit Roles
● Implicit Roles
– Application implies a set of permissions based on the
role name only.
● E.g., John is Admin so he can delete all the data.
– Brittle: changing the permissions of a role requires a code
change.
● Explicit Roles
– Roles have explicit permissions assigned to them.
● E.g., Jane is Document Owner and Document Owner can
modify the document. So Jane can modify the document.
– Sustainable: changing permissions requires only a change to the
entitlements configuration.
20. Decomposing Authorisation
● Entitlements are implementations of organisational
policies enforcing access control.
● Components of an authorisation function include
– Policy Administration Point (PAP)
● Where the access control policy is specified to the system.
– Policy Decision Point (PDP)
● Where access control policy is evaluated in the context of the
incoming request to decide whether to allow or deny access.
– Policy Enforcement Point (PEP)
● Where the outcome from the PDP is enforced and the access
is allowed or denied.
23. Apache Shiro
● Java security framework performing,
– Authentication
– Authorisation
– Cryptography
– Session Management.
● Suitable for any type of application,
– Command line programs,
– Mobile apps,
– Web services,
– Enterprise systems.
24. Core Concepts
● Subject
– The currently executing identity.
● The thing that is currently interacting with the system.
– Represents security operations for the current user.
● SecurityManager
– Singleton managing security operations of all users.
● Realm
– A security specific DAO.
– At least one realm needed for authentication and/or
authorisation data.
25. Realms
● Available realms,
– LDAP
– JDBC
– INI and properties files.
● Custom realms
– Implementation of realm interfaces.
– Extension of realm abstract classes.
28. Shiro Authorisation
● Programmatic
– Using if-else statements checking for entitlements
around the restricted operations.
● Annotation based
– Requires AOP support.
– Annotations applied on methods performing restricted
operations.
● JSP TagLib
– Using the Shiro tag library for JSP/GSP applications.
29. Programmatic Authorisation
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.CredentialsMatcher;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.mgt.SecurityManager; // Shiro's, not java.lang.SecurityManager
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.Subject;

// StubRealm is the workshop's custom AuthorizingRealm (see the exercise).
// setCredentialsMatcher is defined on AuthenticatingRealm, not on the Realm interface.
AuthorizingRealm realm = new StubRealm();
realm.setCredentialsMatcher(new CredentialsMatcher() {...});
SecurityManager securityManager = new DefaultSecurityManager(realm);
SecurityUtils.setSecurityManager(securityManager);
final Subject user = SecurityUtils.getSubject();
user.login(new UsernamePasswordToken("Sam", "S@mmy".toCharArray()));
// Role check (implicit RBAC)
if (user.hasRole("admin")) {
    // Operation permitted
} else {
    // Operation denied
}
// Permission check (explicit RBAC)
if (user.isPermitted(new MyPermission(...))) {
    // Operation permitted
} else {
    // Operation denied
}
30. Exercise
● Implement AuthorizingRealm for a custom
credentials and permissions store.
● Implement authorisation in PersonApp demo
application.
– RW role can read and modify data except delete all.
– RO role can only read data.
– SU role can perform all operations.
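A possible solution to the exercise, added here as an illustration and not the workshop's own PersonApp code: a hypothetical in-memory AuthorizingRealm with constructed users and an explicit role-to-permission mapping, where "delete all" is modelled as the distinct action person:deleteAll so that the RW role is excluded from it (an assumption about how PersonApp names its operations).

```java
import java.util.Map;
import java.util.Set;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

/** Hypothetical realm for the PersonApp exercise: an in-memory credentials and permissions store. */
public class PersonRealm extends AuthorizingRealm {
    // Constructed sample users (the PAP data): username -> {password, role}
    private static final Map<String, String[]> USERS = Map.of(
        "ro-user", new String[]{"ro-pass", "RO"},
        "rw-user", new String[]{"rw-pass", "RW"},
        "su-user", new String[]{"su-pass", "SU"});
    // Explicit RBAC: role -> Shiro wildcard permissions ("resource:action")
    private static final Map<String, Set<String>> ROLE_PERMS = Map.of(
        "RO", Set.of("person:read"),
        "RW", Set.of("person:read", "person:create", "person:update", "person:delete"),
        "SU", Set.of("person:*"));   // every action, including person:deleteAll

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String user = (String) token.getPrincipal();
        String[] record = USERS.get(user);
        if (record == null) throw new UnknownAccountException(user);
        // The realm's CredentialsMatcher (SimpleCredentialsMatcher by default) compares this against the token
        return new SimpleAuthenticationInfo(user, record[0], getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        String role = USERS.get((String) principals.getPrimaryPrincipal())[1];
        SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(Set.of(role));
        info.setStringPermissions(ROLE_PERMS.get(role));
        return info;
    }

    public static void main(String[] args) {
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new PersonRealm()));
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("rw-user", "rw-pass".toCharArray()));
        // PEP: RW may delete one record but the distinct "delete all" action is not granted
        System.out.println("delete one: " + subject.isPermitted("person:delete"));
        System.out.println("delete all: " + subject.isPermitted("person:deleteAll"));
        subject.logout();
    }
}
```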
32. Access Control Types
● Role Based Access Control (RBAC)
– Users in a specific role acquire entitlements specific to
that role.
– Implicit RBAC
● Entitlements are implied in the application based on the role
assigned to a subject.
– Explicit RBAC
● A role is associated with specific entitlements on specific
resources.
● A subject’s permissions within their role are queried.
● Also referred to as Resource Based Access Control
33. Access Control Types
● Attribute Based Access Control (ABAC)
– Access based on different attribute types.
● User attributes
● Role attributes
● Resource attributes
● Action attributes
● Entitlement attributes
– Example attributes
● Entitlement times, durations
● Resource instances
34. ABAC vs RBAC
● RBAC is relatively coarse-grained.
● ABAC allows fine-grained, temporal access control.
● ABAC allows constraints over permissions.
● Select frameworks that are hybrid.
– Less is more
● Use RBAC to start with.
● Fine tune with ABAC.
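One way to fine-tune an RBAC grant with an ABAC constraint in Shiro, added here as an example that is not from the slides: a hypothetical TimeBoundPermission wraps a WildcardPermission and only implies a requested permission inside its validity window (the "entitlement times, durations" attribute). The permission strings, dates and fixed clocks are constructed; Shiro evaluates a granted permission by calling its implies() with the requested permission as the argument.

```java
import java.time.Clock;
import java.time.Instant;
import java.time.ZoneOffset;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

/** Hypothetical ABAC refinement of an RBAC entitlement: a wildcard grant valid only within a time window. */
public final class TimeBoundPermission implements Permission {
    private final WildcardPermission grant;
    private final Instant notBefore;
    private final Instant notAfter;
    private final Clock clock;   // injected so the window can be evaluated at a known instant

    public TimeBoundPermission(String wildcard, Instant notBefore, Instant notAfter, Clock clock) {
        this.grant = new WildcardPermission(wildcard);
        this.notBefore = notBefore;
        this.notAfter = notAfter;
        this.clock = clock;
    }

    /** Granted-side check: the RBAC grant must cover the request AND the request must arrive in the window. */
    @Override
    public boolean implies(Permission requested) {
        Instant now = clock.instant();
        boolean inWindow = !now.isBefore(notBefore) && now.isBefore(notAfter);
        return inWindow && grant.implies(requested);
    }

    public static void main(String[] args) {
        // Constructed entitlement: a contractor may read and update person records during one working day
        Instant start = Instant.parse("2018-07-28T09:00:00Z");
        Instant end = Instant.parse("2018-07-28T17:00:00Z");
        Permission requested = new WildcardPermission("person:update:42"); // instance-level request

        Clock midday = Clock.fixed(Instant.parse("2018-07-28T12:00:00Z"), ZoneOffset.UTC);
        Permission grantAtMidday = new TimeBoundPermission("person:read,update", start, end, midday);
        System.out.println("midday: " + grantAtMidday.implies(requested));

        Clock evening = Clock.fixed(Instant.parse("2018-07-28T20:00:00Z"), ZoneOffset.UTC);
        Permission grantInEvening = new TimeBoundPermission("person:read,update", start, end, evening);
        System.out.println("evening: " + grantInEvening.implies(requested));
    }
}
```

In a realm, such a grant is returned through SimpleAuthorizationInfo.addObjectPermission(...) instead of a string permission, so the same Subject.isPermitted(...) call at the PEP picks up the temporal constraint.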
35. Domain Specific Access Control
[Diagram: an Authz Service backed by a Permissions Store, alongside a License Service and Admin Services. The licensing entities Applications, Licenses, License Groups, Subject and Role map onto the authorisation entities Resources, Entitlements, User Groups, Subject and Role.]
Example: Application Licensing
Applications = Resources
Licenses = Entitlements