26 Replies. Latest reply on Sep 17, 2013 8:39 AM by oleg.kulikov
      • 15. Re: Modeshape and authorization
        rhauch

You're really talking about both authentication and authorization. Yes, you can rely upon container authentication and role-based authorization, and this is actually what ModeShape does out of the box on EAP 6.1. The roles (see Authentication and Authorization) are simple read, readwrite, or admin. If you want different kinds of roles, you can optionally implement a custom authentication and authorization system (see Custom authentication providers).

As you discovered earlier, there is also the new ACL support, which allows your applications to use fine-grained access controls on specific nodes and subgraphs. For more information about how ACLs work and are managed, see Section 16 of the JCR 2.0 specification. This is actually quite powerful, and based upon your high-level summary above seems like it might work for you. Each user's private area would have an ACL that allowed only them (and perhaps administrators) to read and write.

Be aware that even before the ACLs are checked, an authenticated Session must have the appropriate roles to perform the activity. For example, in your scenario a user should have access to their private area. This means that each user will need to have at least the readwrite role before they can modify/write any nodes. If you then add ACLs, then the ACLs would be evaluated to determine whether the user can write in the particular area in question.

        • 16. Re: Modeshape and authorization
          discger

Hello Randall,

thanks for your comment. I know it's possible to create a custom authentication provider. But if possible I want to avoid writing my own code on that topic because I don't know if there will be complications when interacting with other subsystems of the Modeshape system (e.g. versioning).

I agree that ACLs are the most promising solution for my authorization needs. And I agree that the ACL system works fine for something like a personal folder.

But when it comes to groups and roles it's much more complicated. How can I map a group/role to an ACL entry which is user-based? If for example I add the individual members of the group/role as separate ACL entries I have problems if a group membership change occurs. Then all nodes must be checked if an ACL entry must be added or removed.

If you ask me, authorization is a very important topic in a CMS environment. And if you have a reasonable number of users you will need groups and probably roles to administrate access rights. In my opinion such functionality should be provided as a standard component. Do you disagree?

Greetings,

Dieter

          • 17. Re: Modeshape and authorization
            oleg.kulikov

Guys, I have created a new issue to extend ACLs with groups and roles. [#MODE-2042] Extend access manager permissions checking procedure to be able to test privileges for groups or roles - JB…

I think what we need is just to pass the security context to the AccessManager to be able to check ACLs for all principals.

--Oleg

            • 18. Re: Modeshape and authorization
              oleg.kulikov

I have created a new pull request which extends ACLs to groups/roles.

https://github.com/ModeShape/modeshape/pull/938

Dieter, you can now define roles for your users and use roles as principals inside an access list, so I think it solves your original problem fully.

Waiting for your final test.

--Oleg

              • 19. Re: Modeshape and authorization
                discger

Hello Oleg,

I found some time to test the fix for #2036. Now it works. But another case I've tested did not work.

Here is the scenario:

/ -> full access for admin, read access for dummy

/test1 -> full access for admin, read access for dummy

The dummy user does not see test1 (looked it up via Node.hasNode()) - is this by design or a bug?

But the node is listed if I call root.getNodes() ...

Greetings,

Dieter
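The two technical points of this thread, Randall's description in reply 15 (container roles are checked first, then per-node ACLs managed through Section 16 of JCR 2.0) and Dieter's scenario in reply 19 (admin with full access and dummy with read access on / and /test1, verified through hasNode() and getNodes()), can be exercised with the standard JCR access-control API. The code below is an added example written for this page; it is not code from the thread, from the pull request, or from ModeShape. It assumes two Sessions that were opened elsewhere, one for a user holding the admin role and one for the dummy user, and that both users already hold the container-level roles reply 15 describes as a precondition. The NamedPrincipal class is a minimal stand-in so that no ModeShape-specific principal class has to be assumed.

```java
import java.security.Principal;
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;

/** Example (not ModeShape code): sets up and checks the ACL scenario from reply 19 with plain JCR 2.0 calls. */
public class AclScenario {

    /** Minimal Principal; a stand-in so the example does not assume ModeShape's own principal class. */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /**
     * Adds an ACL entry for principalName at absPath. The name is a user name here; with the
     * change in pull request 938 the same call could name a role instead.
     * ACL entries are only consulted after the container role check succeeds (reply 15).
     */
    static void grant(Session adminSession, String absPath, String principalName, String... privilegeNames)
            throws RepositoryException {
        AccessControlManager acm = adminSession.getAccessControlManager();
        AccessControlList acl = findOrCreateAcl(acm, absPath);
        Privilege[] privileges = new Privilege[privilegeNames.length];
        for (int i = 0; i < privilegeNames.length; i++) {
            privileges[i] = acm.privilegeFromName(privilegeNames[i]);
        }
        acl.addAccessControlEntry(new NamedPrincipal(principalName), privileges);
        acm.setPolicy(absPath, acl); // transient until adminSession.save()
    }

    /** Returns the ACL already bound to the node, or an applicable (not yet bound) one. */
    private static AccessControlList findOrCreateAcl(AccessControlManager acm, String absPath)
            throws RepositoryException {
        for (AccessControlPolicy policy : acm.getPolicies(absPath)) {
            if (policy instanceof AccessControlList) return (AccessControlList) policy;
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(absPath);
        while (it.hasNext()) {
            AccessControlPolicy policy = it.nextAccessControlPolicy();
            if (policy instanceof AccessControlList) return (AccessControlList) policy;
        }
        throw new RepositoryException("No ACL policy applicable at " + absPath);
    }

    /** Reply 19's setup: full access for admin and read access for dummy on / and /test1. */
    static void applyScenario(Session adminSession) throws RepositoryException {
        Node root = adminSession.getRootNode();
        if (!root.hasNode("test1")) root.addNode("test1");
        adminSession.save();
        for (String path : new String[] { "/", "/test1" }) {
            grant(adminSession, path, "admin", Privilege.JCR_ALL);
            grant(adminSession, path, "dummy", Privilege.JCR_READ);
        }
        adminSession.save();
    }

    /**
     * Reply 19's checks as the dummy user: visibility of /test1 through hasNode() and getNodes(),
     * plus explicit privilege queries. All four lines are expected to agree with the ACL:
     * test1 visible both ways, read granted, write denied.
     */
    static String verifyAsDummy(Session dummySession) throws RepositoryException {
        AccessControlManager acm = dummySession.getAccessControlManager();
        Privilege[] read = { acm.privilegeFromName(Privilege.JCR_READ) };
        Privilege[] write = { acm.privilegeFromName(Privilege.JCR_WRITE) };
        Node root = dummySession.getRootNode();

        boolean listed = false;
        for (NodeIterator it = root.getNodes(); it.hasNext();) {
            if ("test1".equals(it.nextNode().getName())) listed = true;
        }

        StringBuilder report = new StringBuilder();
        report.append("hasNode(test1) = ").append(root.hasNode("test1")).append('\n');
        report.append("getNodes() lists test1 = ").append(listed).append('\n');
        report.append("jcr:read on /test1 = ").append(acm.hasPrivileges("/test1", read)).append('\n');
        report.append("jcr:write on /test1 = ").append(acm.hasPrivileges("/test1", write)).append('\n');
        return report.toString();
    }
}
```

The discrepancy Dieter reports (hasNode() false while getNodes() lists the node) is exactly what verifyAsDummy() surfaces, because it asks the same question through both calls and through hasPrivileges(); after the fix Oleg describes in reply 21, the first two lines of the report should agree.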

                • 20. Re: Modeshape and authorization
                  oleg.kulikov

Looks like a bug, let me try to reproduce it.

Oleg

                  • 21. Re: Modeshape and authorization
                    oleg.kulikov

Hello Dieter, thanks once again for early detection of the bugs. The problem has been fixed, so you can try.

Oleg

                    • 22. Re: Modeshape and authorization
                      discger

Hello Oleg,

can I checkout modeprobe/master or do I have to merge a patch?

Greetings,

Dieter

                      • 23. Re: Modeshape and authorization
                        oleg.kulikov
                        • 24. Re: Modeshape and authorization
                          discger

Hello Oleg,

I tested the second bugfix for ACL handling and I found it solves the problem I had. Now - if I find some time - I will look at the solution for group/role handling you provided.

Bye,

Dieter

                          • 25. Re: Modeshape and authorization
                            discger

Hello once more Oleg,

I've tested the new ACL code with roles and it seems to work just fine. Now it should be possible to implement my scenario. Will the changes be part of the 3.6 release?

Thanks for your immediate help.

Greetings,

Dieter

                            • 26. Re: Modeshape and authorization
                              oleg.kulikov

Hello Dieter, nice to hear that it works for you now. Yes, the plan is to include those changes into the 3.6 release.

--Oleg