Authorization and Security Enforcement

1. Authorization and Security Enforcement 0 Andy Hind Senior Developer, Alfresco twitter: @andy_hind

3. Methods + Context (node, parent, ...)

4. Principal

5. Authorities

6. Groups, owner

7. Permissions

8. Read, check out

9. ACLs

10. Enforcement

11. What operations can I perform?

12. Configuration

14. pre-execution checks

15. Can I .... ?

16. Check with context

17. PublicServiceAccessService

18. Much more reliable than using hasPermission

19. post-execution checks and filtering

20. public-services-context.xml

22. Public Services 4 Security Enforcement <bean id="NodeService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor"> <property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property> <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property> <property name="objectDefinitionSource"> <value> org.alfresco.service.cmr.repository.NodeService.getStores=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.createStore=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.repository.NodeService.exists=ACL_ALLOW org.alfresco.service.cmr.repository.NodeService.getNodeStatus=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.getRootNode=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.createNode=ACL_NODE.0.sys:base.CreateChildren ... org.alfresco.service.cmr.repository.NodeService.*=ACL_DENY </value> </property> </bean> public ChildAssociationRefcreateNode( NodeRefparentRef, QNameassocTypeQName, QNameassocQName, QNamenodeTypeQName) throws InvalidNodeRefException, InvalidTypeException;

23. Public Services 5 Security Enforcement <bean id="NodeService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor"> <property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property> <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property> <property name="objectDefinitionSource"> <value> org.alfresco.service.cmr.repository.NodeService.getStores=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.createStore=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.repository.NodeService.exists=ACL_ALLOW org.alfresco.service.cmr.repository.NodeService.getNodeStatus=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.getRootNode=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.createNode=ACL_NODE.0.sys:base.CreateChildren ... org.alfresco.service.cmr.repository.NodeService.*=ACL_DENY </value> </property> </bean> public ChildAssociationRefcreateNode( NodeRefparentRef, QNameassocTypeQName, QNameassocQName, QNamenodeTypeQName) throws InvalidNodeRefException, InvalidTypeException; createNode=ACL_NODE.0.sys:base.CreateChildren

24. Public Services 6 Security Enforcement <bean id="NodeService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor"> <property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property> <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property> <property name="objectDefinitionSource"> <value> org.alfresco.service.cmr.repository.NodeService.getStores=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.createStore=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.repository.NodeService.exists=ACL_ALLOW org.alfresco.service.cmr.repository.NodeService.getNodeStatus=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.getRootNode=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.createNode=ACL_NODE.0.sys:base.CreateChildren ... org.alfresco.service.cmr.repository.NodeService.*=ACL_DENY </value> </property> </bean> public ChildAssociationRefcreateNode( NodeRefparentRef, QNameassocTypeQName, QNameassocQName, QNamenodeTypeQName) throws InvalidNodeRefException, InvalidTypeException; createNode=ACL_NODE.0.sys:base.CreateChildren public ChildAssociationRefcreateNode( NodeRefparentRef,

25. Public Services 7 Security Enforcement <bean id="NodeService_security" class="org.alfresco.repo.security.permissions.impl.acegi.MethodSecurityInterceptor"> <property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property> <property name="afterInvocationManager"><ref local="afterInvocationManager"/></property> <property name="objectDefinitionSource"> <value> org.alfresco.service.cmr.repository.NodeService.getStores=ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.createStore=ACL_METHOD.ROLE_ADMINISTRATOR org.alfresco.service.cmr.repository.NodeService.exists=ACL_ALLOW org.alfresco.service.cmr.repository.NodeService.getNodeStatus=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.getRootNode=ACL_NODE.0.sys:base.ReadProperties org.alfresco.service.cmr.repository.NodeService.createNode=ACL_NODE.0.sys:base.CreateChildren ... org.alfresco.service.cmr.repository.NodeService.*=ACL_DENY </value> </property> </bean> public ChildAssociationRefcreateNode( NodeRefparentRef, QNameassocTypeQName, QNameassocQName, QNamenodeTypeQName) throws InvalidNodeRefException, InvalidTypeException; org.alfresco.service.cmr.repository.NodeService.*=ACL_DENY

27. userName of the Person matched at log in

28. andy

29. Groups

30. GROUP_woof

31. “Role”

32. ROLE_ADMINISTRATOR

33. Group, configuration

34. DynamicAuthority interface

35. ROLE_OWNER

37. hide groups used as RBAC roles

38. APP.DEFAULT

39. APP.SHARE

40. APP.RM

41. AUTH.ALF

42. AUTH.EXT.<ID>

45. An ACL applies to the node and ALL of its properties

46. Content read and write are special

47. There are no property level permissions

48. One global ACL (context free) – applies to all nodes

49. An ACL is a list of ACEs

50. Optionally an ACL inherits ACEs from its primary parent

51. ACE

53. ACLs 13 Example 1 2 6 7 3 8 9 4 5 11 10 13 12 14

54. ACLs 14 Example 1 2 6 7 3 8 9 4 5 11 10 13 12 14

55. ACLs 15 Example 1 2 6 7 3 8 9 4 5 11 10 13 12 14

56. ACLs 16 Example All – Read – Allow – 0 1 2 6 7 3 8 9 4 5 11 10 13 12 14

57. ACLs 17 Example All – Read – Allow – 0 1 All – Read – Allow – 1 2 6 7 3 8 9 4 5 11 10 13 12 14

58. ACLs 18 Example All – Read – Allow – 2 ROLE_OWNER – All – Allow – 0 GROUP_A – Write – Allow – 0 GROUP_A – CreateChildren – Allow – 0 1 2 6 7 3 8 9 4 5 11 10 13 12 14

59. ACLs 19 Example All – Read – Allow – 0 1 All – Read – Allow – 1 2 6 All – Read – Allow – 2 Andy – All – Allow – 0 Bob – Write – Allow – 0 Bob – WriteContent – Deny – 0 7 3 8 9 4 5 11 10 13 12 14

61. ACL_ALLOW,AFTER_ACL_NODE.sys:base.ReadProperties

62. org.alfresco.service.cmr.repository.NodeService.createStore

63. ACL_METHOD.ROLE_ADMINISTRATOR

64. org.alfresco.service.cmr.repository.NodeService.exists

65. ACL_ALLOW

66. org.alfresco.service.cmr.repository.NodeService.getNodeStatus

68. ACL_NODE.0.sys:base.CreateChildren

69. org.alfresco.service.cmr.repository.NodeService.moveNode

70. ACL_NODE.0.sys:base.DeleteNode

72. org.alfresco.service.cmr.repository.NodeService.addChild

74. ACL_NODE.1.sys:base.ReadProperties

75. org.alfresco.service.cmr.repository.NodeService.*

77. ACL_NODE.<#>.<permission>

78. ACL_PARENT.<#>.<permission>

79. ROLE_ . . .

80. GROUP_ . . .

81. AFTER_ACL_NODE.<permission>

83. AVM ACL for every nodes

84. 3.0

85. DM ACL for every node

86. 3.2

87. RM

88. 3.4

89. Query read improvements

90. Removed hibernate

91. Future

92. Integrate read evaluation in the query

94. Global permissions

95. “admin”

96. Node ACLs and dynamic authorities

97. Bulk fetch of node properties

99. Adding a new service and protection

100. Types and aspects

101. Related permissions and permission groups

102. Dynamic authorities

103. Public service

104. Public service security configuration

106. CreateModifyDestroyFoldersCapability

107. Caveats

108. Supplementary marking

109. Property with a list of allowable values

110. Authority assigned one or more values

111. Authority must have one or all matching values to read the record

112. Classified records

113. Hierarchy of security levels

114. Also uses normal ACLs

115. Adds a new AccessDecisionVoter and related classes

116. RM.<Policy>.<#>.<#>...

117. RM_CAP.<Capability>.<#>.<capability>

119. ACL_NODE.0.sys:base.CreateChildren,RM.Create.0.3

120. Create is a combination of RM capabilities

121. NodeService.createNode()

122. NodeService.addChild()

123. FileFolderService.copy()

124. FileFolderService.create()

125. destination

126. node copied or linked OR type created

128. File records capability

129. Create modify destroy folders capability

130. Declare records in closed folders capability

131. Create/modify records in cutoff folders capability

132. Create/modify/destroy fileplan metadata capability

Authorization and Security Enforcement

Recommandé

Recommandé

Contenu connexe

Similaire à Authorization and Security Enforcement

Similaire à Authorization and Security Enforcement (20)

Plus de Alfresco Software

Plus de Alfresco Software (20)

Dernier

Dernier (20)

Authorization and Security Enforcement