26 Replies Latest reply on Sep 17, 2013 8:39 AM by oleg.kulikov

    Modeshape and authorization

    discger

      Hello,

       

      at the moment I'm evaluating Modeshape for my company. One of the most important things we need is a proper authorization system.

       

      The web application we're working on will be Java EE 6 based and JBoss 7.x will be the app server. Additionally a network drive mapping via webdav would be fine. The user information (credentials, ...) will be stored in a database or in our LDAP directory. The roles are stored in the database.

       

      My first question:

       

      Can I reuse the data stored in the Backends for Modeshape authentication/authorization (users & roles)? Can I reuse the credentials from the form-based login of the web app I already asked the user for?

      After that I would like to create folder structures with fine grained authorization such as:

       

      Given is a structure like that:

       

      /projects/project_a

      /projects/project_b

      /public

       

      User A should be able to read write access project a

      User B should be able to read write access project b

      User B should be able to just read project a

      User C should only see /public

       

      My second question:

       

      Is such a system possible with Modeshape? Can I use groups to assign privileges?

       

      I played around a bit with the ACLs of version 3.5. Here is a bit of my code:

       

      First I create or retrieve an AccessControlList object

       

      try {
          acl = (AccessControlList) am.getApplicablePolicies(node.getPath()).nextAccessControlPolicy();
      } catch (NoSuchElementException e) {
          acl = (AccessControlList) am.getPolicies(node.getPath())[0];
      }
      
      
      

       

      Then I clear the existing ACLs

       

      for (AccessControlEntry entry : acl.getAccessControlEntries()) {
          acl.removeAccessControlEntry(entry);
      }
      
      
      

       

      To set ACL entries I do

       

      acl.addAccessControlEntry(admin, privileges_all);
      am.setPolicy(node.getPath(), acl);
      session.save();
      
      
      

       

      I have the following directory structure

       

      /test1

       

      As I understand if I set an ACL of JCR_ALL for user admin on the test1 folder no other user should be able to access this folder. But this is not the case. The nodes have the mixin of mode:accessControllable.

       

      My third question:

       

      Where am I wrong? Do I have to do special config changes to activate ACLs? Is there some example code or test cases on how to use ACLs? Will there be some documentation in the future about this topic?

       

      Thanks in advance.

       

      Greetings, Dieter

        • 1. Re: Modeshape and authorization
          rhauch

          The web application we're working on will be Java EE 6 based and JBoss 7.x will be the app server. Additionally a network drive mapping via webdav would be fine. The user information (credentials, ...) will be stored in a database or in our LDAP directory. The roles are stored in the database.

           

          Be aware that ModeShape is built on top of Infinispan, and that the version of Infinispan used in JBoss AS7.x is quite old (relatively speaking) and has lots of clustering issues. For this reason, ModeShape switched our kit to install on EAP 6.1.

           

           

          My first question:

           

          Can I reuse the data stored in the Backends for Modeshape authentication/authorization (users & roles)? Can I reuse the credentials from the form-based login of the web app I already asked the user for?

          After that I would like to create folder structures with fine grained authorization such as:

           

          Given is a structure like that:

           

          /projects/project_a

          /projects/project_b

          /public

           

          User A should be able to read write access project a

          User B should be able to read write access project b

          User B should be able to just read project a

          User C should only see /public

           

          Out of the box, ModeShape can reuse the same basic authentication mechanism that AS7/EAP provides for your web applications. Typically this is JAAS. So if you can have AS7/EAP authenticate your web application's users via your backend systems, then ModeShape would just work with that.

           

          If you need fine-grained authorization, then I'd suggest looking at the Access Control List (ACL) feature recently added. Note that because it is new, we still consider it tech preview.

           

          My second question:

           

          Is such a system possible with Modeshape? Can I use groups to assign privileges?

           

          I played around a bit with the ACLs of version 3.5. Here is a bit of my code:

           

          First I create or retrieve an AccessControlList object

           

          try {
              acl = (AccessControlList) am.getApplicablePolicies(node.getPath()).nextAccessControlPolicy();
          } catch (NoSuchElementException e) {
              acl = (AccessControlList) am.getPolicies(node.getPath())[0];
          }

           

          Then I clear the existing ACLs

           

          for (AccessControlEntry entry : acl.getAccessControlEntries()) {
              acl.removeAccessControlEntry(entry);
          }

           

          To set ACL entries I do

           

          acl.addAccessControlEntry(admin, privileges_all);
          am.setPolicy(node.getPath(), acl);
          session.save();

           

          I have the following directory structure

           

          /test1

           

          As I understand if I set an ACL of JCR_ALL for user admin on the test1 folder no other user should be able to access this folder. But this is not the case. The nodes have the mixin of mode:accessControllable.

          Perhaps a more complete set of code might be useful. What is the 'admin' object?

           

           

           

          My third question:

           

          Where am I wrong? Do I have to do special config changes to activate ACLs? Is there some example code or test cases on how to use ACLs? Will there be some documentation in the future about this topic?

           

          Yes, we do plan to add documentation for this quite soon. I'll ask that Oleg provide some samples, but you can look at some of the tests that are in https://github.com/ModeShape/modeshape/blob/master/modeshape-jcr/src/test/java/org/modeshape/jcr/security/AccessControlM…

          • 2. Re: Modeshape and authorization
            discger

            Hello Randall,

             

            wow - thanks for your fast reply. I've attached some code to my question.

             

            It contains two methods:

             

            The first one deletes all ACL entries from the root node and sets an admin ACL on the "test-1" node below it. The second method tests if another user can access the node "test-1". And that's the case.

             

            In my opinion this shouldn't be possible. Am I wrong?

             

            By the way: I use EAP 6.1 and the sample repository that is available after installation (without changing the configuration). Do I have to configure something?

             

            Greetings,

             

            Dieter

            • 3. Re: Modeshape and authorization
              discger

              Hello,

               

              I tested a bit more. If I use the AccessControlManager.hasPrivileges method to test if my dummy user has read access to a node the method returns false. But I can still access the node and the properties of the node.

               

              To me it looks like access control is not enabled - again, do I have to adapt the configuration of the default sample repository?

               

              Greetings,

               

              Dieter

              • 4. Re: Modeshape and authorization
                rhauch

                Does your dummy user correspond to a user that you can authenticate as? For example, if you add an ACL to a node with a Principal for "admin", then that ACL should apply only when you log into the repository with that "admin" username. In other words, the principal MUST correspond to a valid user (unless you're using the "everyone" principal).

                 

                I'm not sure there are appropriate debug or trace log messages in the ACL code yet (we need to fix that), but can you debug? If so, put a breakpoint in the private JcrSession.hasPermission(...) method, and step through that method to see what logic is being considered.

                 

                Or, create a simple test case that we can run locally.

                • 5. Re: Modeshape and authorization
                  discger

                  Hello,

                   

                  as I understand the JcrSession.hasPermissions method checks if an AuthorizationProvider is configured. If not, only role-based authorization takes place on the repository level (read, read-write, admin). In the sample repository that is available after executing the setup, no authorization provider is configured. So no ACLs are checked. The corresponding if statements are skipped.

                   

                  After looking at the authorization providers of the Modeprobe distribution I found that none of them implements the interface AuthorizationProvider. So it seems to me that it is not possible to implement an ACL based access control using only the distribution. Of course one can implement a custom AuthorizationProvider class.

                   

                  Am I right?

                   

                  Greetings,

                   

                  Dieter

                  • 6. Re: Modeshape and authorization
                    rhauch

                    as I understand the JcrSession.hasPermissions method checks if an AuthorizationProvider is configured. If not, only role-based authorization takes place on the repository level (read, read-write, admin). In the sample repository that is available after executing the setup, no authorization provider is configured. So no ACLs are checked. The corresponding if statements are skipped.

                    Yes, that's what the method does. However, all of this is predicated on the repository knowing it needs to check ACLs - if that is wrong, then this greatly helps isolate the problem. Can you verify by debugging that the checkAcl variable has a value of 'true'?

                     

                    After looking at the authorization providers of the Modeprobe distribution I found that none of them implements the interface AuthorizationProvider. So it seems to me that it is not possible to implement an ACL based access control using only the distribution. Of course one can implement a custom AuthorizationProvider class.

                    Actually, the ACL checking is not done via the AuthorizationProvider or AdvancedAuthorizationProvider implementations. Instead, the ACLs are applied on top of any (Advanced)AuthorizationProvider implementation or (if there are none) the role-based authorizations. You can see the ACL checks here, here and here.

                     

                    Once again, I'm going to ask you for a complete test case that replicates the problem. A test case will make it much easier for us to find and fix the underlying problem. If not, the first thing we have to do is build a test case that does replicate the problem - sometimes this is easy to do, but when it is not easy we often have to spend hours (and sometimes days) just trying to reproduce a problem. Please help us help you by providing that test case.

                    • 7. Re: Modeshape and authorization
                      discger

                      Hello,

                      Yes, that's what the method does. However, all of this is predicated on the repository knowing it needs to check ACLs - if that is wrong, then this greatly helps isolate the problem. Can you verify by debugging that the checkAcl variable has a value of 'true'?

                      The value of this variable is true.

                      Actually, the ACL checking is not done via the AuthorizationProvider or AdvancedAuthorizationProvider implementations. Instead, the ACLs are applied on top of any (Advanced)AuthorizationProvider implementation or (if there are none) the role-based authorizations. You can see the ACL checks here, here and here.

                       

                      Once again, I'm going to ask you for a complete test case that replicates the problem. A test case will make it much easier for us to find and fix the underlying problem. If not, the first thing we have to do is build a test case that does replicate the problem - sometimes this is easy to do, but when it is not easy we often have to spend hours (and sometimes days) just trying to reproduce a problem. Please help us help you by providing that test case.

                       

                      Ok, I try to create a test case. It will take some time. But before I do that I will give you some information about my findings so far.

                       

                      - I open a session as the system-known dummy user

                      - The JSession.hasPermission calls AccessControlManagerImpl.hasPermission from the role based section

                      - The path parameter is null, action contains "read"

                      - Because of the resulting NullPointerException AccessControlManagerImpl.hasPermission returns with true

                      - when I access a node with an acl defined no further calls to JSession.hasPermission happen.

                      - if I call node.hasPrivileges the correct result is returned (no access)

                      - but if I access the node it's no problem and I can read its properties

                       

                      Greetings,

                       

                      Dieter
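The symptom listed in the post above (a privilege query that answers "no access" while the node can still be read, after an exception inside the permission check turned into `true`) is the signature of a fail-open check. The sketch below is an added illustration, not ModeShape's code and not part of the original posts; the class, the ACL table and all method names are hypothetical, and the `null` path models the call reported above.

```java
import java.util.*;

// Added illustration with hypothetical names; this is not ModeShape's implementation.
public class AclFailClosedDemo {
    // path -> principals allowed to read; a path without an entry is open to everyone
    static final Map<String, Set<String>> ACL = new HashMap<>();

    // Pure ACL lookup, comparable to asking "does this principal hold read on this path?"
    static boolean aclAllows(String principal, String path) {
        String key = path.length() > 1 && path.endsWith("/")   // throws NPE when path == null
                ? path.substring(0, path.length() - 1) : path;
        Set<String> allowed = ACL.get(key);
        return allowed == null || allowed.contains(principal);
    }

    // Fail-open enforcement: any unexpected exception is turned into "access granted".
    static boolean enforceFailOpen(String principal, String path) {
        try {
            return aclAllows(principal, path);
        } catch (RuntimeException e) {
            return true;
        }
    }

    // Fail-closed enforcement: missing input or any error during evaluation denies access.
    static boolean enforceFailClosed(String principal, String path) {
        if (principal == null || path == null) {
            return false;
        }
        try {
            return aclAllows(principal, path);
        } catch (RuntimeException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        ACL.put("/test-1", Collections.singleton("admin"));   // constructed sample ACL
        String requested = "/test-1";
        String passedToCheck = null;   // models the call site that handed over a null path

        boolean query = aclAllows("dummy", requested);
        boolean open = enforceFailOpen("dummy", passedToCheck);
        boolean closed = enforceFailClosed("dummy", passedToCheck);

        System.out.println("privilege query for dummy on /test-1:  " + query);
        System.out.println("fail-open enforcement grants access:   " + open);
        System.out.println("fail-closed enforcement grants access: " + closed);
        System.out.println("admin allowed by fail-closed check:    "
                + enforceFailClosed("admin", requested));

        // Regression check: enforcement must never grant what the privilege query denies.
        if (closed && !query) {
            throw new AssertionError("enforcement disagrees with privilege query");
        }
    }
}
```

The same comparison (privilege query versus actual read, performed in a second session for a principal that has no entry) is a useful regression test for any ACL-enforcing repository.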

                      • 8. Re: Modeshape and authorization
                        oleg.kulikov

                        Dieter, what you are doing with code is correct and the result you are expecting is also correct. Let me check what actually happens.

                         

                        --Oleg

                        • 9. Re: Modeshape and authorization
                          oleg.kulikov

                          Dieter, I have just completed several tests and everything works fine. Can you please provide more details about privileges applied to the node? What I need to know to replicate the problem:

                          -list of privileges;

                          -relative path of the node;

                          -principal name of the access list;

                          -method you are calling and with which principal.

                           

                          Thanks,

                          Oleg

                          • 10. Re: Modeshape and authorization
                            discger

                            Hello Oleg,

                             

                            perhaps you may look at the code I've attached to my first message. It contains 2 methods. The first method does the acl setup of the tree - basically it's just a node "test-1" I've created. Then I delete all ACL entries of the root node and assign an admin acl to the "test-1" node. So no ACL on the root node -> everybody has access & admin acl on the "test-1" node -> only admin has access.

                             

                            The second method tests what I debugged above.

                             

                            What I don't understand is node.hasPrivileges tells me - no access but root.getnode("test-1") works without a problem. ???

                             

                            Greetings,

                             

                            Dieter

                            • 11. Re: Modeshape and authorization
                              oleg.kulikov
                              • 12. Re: Modeshape and authorization
                                oleg.kulikov

                                Hi Dieter, thank you for discovering the problem. The fix is available with this pull request https://github.com/ModeShape/modeshape/pull/934

                                Can you please try it and confirm that the problem is fixed on your side?

                                 

                                Thanks,

                                Oleg

                                • 13. Re: Modeshape and authorization
                                  discger

                                  Hello,

                                   

                                  thanks for fixing the bug.

                                   

                                  Do I have to rebuild the server or are there any ci builds I can use? If I have to rebuild the server I need some time (probably tomorrow).

                                   

                                  Another (more high level) topic in my original question was how to manage access rights for JCR resources. Let me clarify what I have in mind. We plan to create a CMS web application based on JavaEE6 running on JBoss EAP 6.1. Because I would like to use container managed security I thought about using a role based security concept.

                                   

                                  When it comes to content management, 3 types of access rights come to my mind.

                                   

                                  1.) A user has some kind of a "personal" folder with an acl entry only for him-/herself.

                                  2.) A user belongs to one or more organizational groups that own folders used for sharing information - the acl entries must allow access for these organizational groups

                                  3.) A user is assigned different general roles. Each of these roles requires access to a set of resources. For example if a user is a member of a project team access to a /projects folder is required.

                                   

                                  Sometimes it is a mixture of these types - for example

                                   

                                  /projects/projectA

                                  /projects/projectB

                                   

                                  If a user is a member of "projectB" but not "projectA" read access to "projects" is required (role based access as project member) and full access to "projectB" (user based access - user is a member of "projectB").

                                   

                                  I found that there are some classes that can be used in a web application (ServletCredentials, ServletProvider) but I don't know how to use these classes to create an authorization system to handle the requirements I mentioned above.

                                   

                                  I'd like to hear your opinion about this topic. Thanks.

                                   

                                  Greetings,

                                   

                                  Dieter

                                  • 14. Re: Modeshape and authorization
                                    oleg.kulikov

                                    Yes, you need to merge the pull request and then rebuild the server.

                                     

                                    I got your primary question regarding access rights; let me think a bit and provide the best solution.

                                     

                                    --Oleg
