How does Nukes do user/group based security?
Each module or block can define a list of security rules it will apply at appropriate points in the module processing. Such tests are used to stop unauthorized users from performing given actions, and also to customize processing, screens etc to only do/display what is relevant to the user. Examples of such checks are:
Can this user view the current HTML document via the HTML module?
Can this user edit the current FAQ category?
Each security rule is made of :
A group which can be : Anonymous (defined by an empty string) , All (defined by ''), or a named group.
A pattern which is a regular expression.
A level which defines the security level that rules grants.
For example:
<permission group='' level='READ' pattern='::'/>
The security levels that can be specified are (in ascending order of precedence):
NONE
OVERVIEW
READ
COMMENT
MODERATE
EDIT
ADD
DELETE
ADMIN
The precedence means, for example, that if a person has ADMIN rights, then they have READ rights.
Given a user with groups, a required security level and a test string, the security testing algorithm is:
find the first rule in the list where the group applies and the pattern matches the test string if such a rule is found security is satisfied if level of rule < required security level (according to precedence) else security is not satisfied
group applies :
If the user is anonymous, the rule applies only if the group of the rule is 'Anonymous' or 'All'
Otherwise, the rule applies if the named group of the rule belongs to one of the user's groups
pattern matches :
the regular expression pattern of the rule matches the test string
The rules are evaluated in the order they are defined.
What test strings are used is up to each module/block. There are a couple of best practices that should be followed by module developers.
Test strings should be of the form: <section1>:<section2>:<section3>. '::' is the minimal test string.
In the module class Javadoc comments, there should be a description of the module's security checks.
The security rules list is defined in a Security attribute within the module/block MBean descriptor and can be stored in the Nukes database. Security can be customized at runtime using the Permission module.
-
The Menu as an example of applying security
Having thoroughly confused you, let's work through an example. Let's look at the menu block as an example.
Here is the menu block class comments.
/** * Security description : * READ/core:menu:/$name:: - displays the block where $name is the block name. * READ/core:menu:/$name:$name:$title - displays the link entitled $title. * READ/core:menu:/$name:$module:$operation - displays the $operation of the $module. * * @author <a href=''mailto:julien@jboss.org''>Julien Viet</a> * @version $Revision: 1.14 $ */
Hmmm, a bit cryptic.
From the menu block MBean description, here is the set of security rules.
<permission group=''*'' level=''READ'' pattern=''::''></permission> <permission group=''*'' level=''READ'' pattern=''menu:Home:''></permission> <permission group=''*'' level=''READ'' pattern=''module:bb:main''></permission> <permission group=''*'' level=''READ'' pattern=''module:downloads:main''></permission> <permission group=''Users'' level=''READ'' pattern=''module:youraccount:main''></permission> <permission group=''Users'' level=''READ'' pattern=''module:user:(logout|memberlist)''></permission> <permission group=''Admins'' level=''ADMIN'' pattern=''.*:.*:.*''></permission>
The menu block does 3 types of security checks.
Can the person see the menu block at all?
The test string for this is the minimal test string, namely:
'::'
.
The relevant rule from the set above is:
<permission group='*' level='READ' pattern='::'></permission>
This means that all users have at least read access to the menu block. The implication is that people who are not logged in (anonymous) do not see the menu.
Checks to see whether the user can see static links defined for the menu
A static link is defined like:
<item title=''Home'' url=''index.html'' description=''Back to the home page.''></item>
The test string the menu uses to check whether a static link appear is:
menu::
The link will display if the person has at least READ access to the link.
The relevant rules from the set above are:
<permission group=''*'' level=''READ'' pattern=''menu:Home:''></permission> <permission group=''Admins'' level=''ADMIN'' pattern=''.*:.*:.*''></permission>
All logged in users will only see the Home static link.
Users that belong to the Admins group will see all static links.
Check to see whether a menu option for a module operation will be displayed
All modules can have a section in their MBean descriptor that defines what menu options should be available for the module. For example, the Your Account module has one menu option:
<attribute name=''Configuration''> <module> <operation name=''main'' display-name=''My Account'' description=''My Account'' image='''' hint=''''></operation> </module> </attribute>
The menu block looks at all running modules, gets the operations defined as above, and checks the menu block security to see whether the operation appears in the menu for the user.
The test string the menu uses to check whether a static link appear is:
module:
The users needs at least READ security.
The relevant rules from the set above are:
<permission group=''*'' level=''READ'' pattern=''module:bb:main''></permission> <permission group=''*'' level=''READ'' pattern=''module:downloads:main''></permission> <permission group=''Users'' level=''READ'' pattern=''module:youraccount:main''></permission> <permission group=''Users'' level=''READ'' pattern=''module:user:(logout|memberlist)''></permission> <permission group=''Admins'' level=''ADMIN'' pattern=''.*:.*:.*''></permission>
All logged in users will see menu options for the 'main' operations of the bb and downloads modules.
Users in the 'Users' group will also see menu options for the 'main' operation of the youraccount module, and 'logout' and 'memberlist' options for the user modules.
Users in the 'Admins' group will see all available options for all running modules.
Comments