I need to implement custom RBAC support for my product and I stumbled upon casbin/jcasbin, which looks promising.
I am checking the Java API and I do not seem to find a way to fetch all objects of a particular type that a user has access to.
Say I am implementing an API (not necessarily REST-based) that is supposed to return a list of all entities the user has read access to.
What jcasbin API call would that be?
I am looking into the Enforcer interface and it seems to check whether a user (subject) can do a particular action on the given object.
How do I list all the objects for a user with the given action?
I think RBAC with resource roles is what I want. My model.conf:

```ini
[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _
g2 = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && g2(r.obj, p.obj) && r.act == p.act
```

and the policy:

```csv
p, role:viewer, context, read
g, alice, role:viewer
g2, c1, context
g2, c2, context
```
Here, the viewer role grants read permission to the entity type context.
alice is assigned the viewer role.
c1 and c2 are objects of type context.
Now I want to read all contexts for the user alice.
P.S.: I am not sure if SO is the right venue for these types of questions.
Use the newly added batchEnforce() API: https://github.com/casbin/jcasbin/issues/187
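As an added example (not from the question, the answer or jcasbin's own code): with the model.conf and policy above saved to files, the application takes the candidate objects from its own store and lets batchEnforce() decide each one in a single call. Filtering known candidates, rather than inverting the policy, keeps the decision inside the enforcer and works through the g2 resource-role indirection, where an object is only reachable via its type. The file names, the candidate list and the user bob are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.casbin.jcasbin.main.Enforcer;

public class ReadableContexts {

    /**
     * Returns the subset of candidates that subject may perform act on, decided by the
     * enforcer in one batchEnforce() round trip. The candidates come from the application's
     * own store; the policy only decides, it is not used to enumerate.
     */
    public static List<String> accessibleObjects(Enforcer enforcer, String subject,
                                                 String act, List<String> candidates) {
        List<List<String>> requests = new ArrayList<>();
        for (String obj : candidates) {
            // One request per candidate, in request_definition order: sub, obj, act.
            requests.add(Arrays.asList(subject, obj, act));
        }
        List<Boolean> decisions = enforcer.batchEnforce(requests);

        List<String> allowed = new ArrayList<>();
        for (int i = 0; i < candidates.size(); i++) {
            if (decisions.get(i)) {
                allowed.add(candidates.get(i));
            }
        }
        return allowed;
    }

    public static void main(String[] args) {
        // Assumed file names holding the model.conf and policy lines quoted in the question.
        Enforcer enforcer = new Enforcer("model.conf", "policy.csv");

        // Constructed candidate list: c1 and c2 are typed as "context" by g2; c3 has no g2
        // entry, so it is denied even though alice holds role:viewer.
        List<String> candidates = Arrays.asList("c1", "c2", "c3");
        System.out.println(accessibleObjects(enforcer, "alice", "read", candidates));

        // bob (constructed) has no role, so every candidate is denied for him.
        System.out.println(accessibleObjects(enforcer, "bob", "read", candidates));
    }
}
```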
I am working on an XMPP chat app on Android, using Prosody as the XMPP server.
I have written code to create a Multi User Chat room and it works fine when I use Openfire as the server, but when I use Prosody as the server it gives me this error:
Creation failed - Missing acknowledge of room creation.
i.e. the group already exists. But it throws the same error for any name (new group name).
If I replace muc.create(name); with muc.join(name); it creates the group, but then I am unable to configure the group/room properties.
Below is my Prosody config file:
```lua
modules_enabled = {
-- Generally required
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
--"tls"; -- Add support for secure TLS on c2s/s2s connections
"dialback"; -- s2s dialback support
"disco"; -- Service discovery
-- Not essential, but recommended
"private"; -- Private XML storage (for room bookmarks, etc.)
"vcard"; -- Allow users to set vCards
-- These are commented by default as they have a performance impact
--"privacy"; -- Support privacy lists
--"compression"; -- Stream compression
-- Nice to have
"version"; -- Replies to server version requests
"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
"pep"; -- Enables users to publish their mood, activity, playing music and more
"register"; -- Allow users to register on this server using a client and change passwords
-- Admin interfaces
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
-- HTTP modules
"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
"http_files"; -- Serve static files from a directory over HTTP
-- Other specific functionality
"groups"; -- Shared roster support
--"announce"; -- Send announcement to all online users
--"welcome"; -- Welcome users who register accounts
--"watchregistrations"; -- Alert admins of registrations
--"motd"; -- Send a message to users when they log in
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
};
allow_registration = true -- Allow users to register new accounts
VirtualHost "localhost"
---Set up a MUC (multi-user chat) room server on conference.example.com:
Component "conference.localhost" "muc"
```
My group create code is:

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import org.jivesoftware.smack.SmackConfiguration;
import org.jivesoftware.smack.XMPPException;
import org.jivesoftware.smackx.Form;
import org.jivesoftware.smackx.FormField;
import org.jivesoftware.smackx.muc.MultiUserChat;

MultiUserChat muc = new MultiUserChat(xmppConnection, room);
// Create the room
SmackConfiguration.setPacketReplyTimeout(2000);
String name = xmppConnection.getUser();
System.out.println("name:- " + name);
// Use the local part of our own JID (everything before the @) as the room nickname
String name1 = name.substring(0, name.lastIndexOf("@"));
System.out.println("name1:- " + name1);
System.out.println("group name:- " + grpName);
muc.create(name1);
// Get the room's configuration form
Form form = muc.getConfigurationForm();
// Create a new form to submit based on the original form
Form submitForm = form.createAnswerForm();
// Add default answers to the form to submit
for (Iterator<FormField> fields = form.getFields(); fields.hasNext();) {
    FormField field = fields.next();
    if (!FormField.TYPE_HIDDEN.equals(field.getType()) && field.getVariable() != null) {
        // Sets the default value as the answer
        submitForm.setDefaultAnswer(field.getVariable());
    }
}
// muc.sendConfigurationForm(submitForm);
// Debugging attempt: submit an empty form first (accepts the server defaults)
Form f = new Form(Form.TYPE_SUBMIT);
try {
    muc.sendConfigurationForm(f);
} catch (XMPPException xe) {
    System.out.println("Error on sendConfigurationForm:- " + xe);
}
// Sets the new owner of the room
List<String> owners = new ArrayList<String>();
owners.add(xmppConnection.getUser());
submitForm.setAnswer("muc#roomconfig_roomowners", owners);
submitForm.setAnswer("muc#roomconfig_persistentroom", true);
muc.sendConfigurationForm(submitForm);
```

Where am I going wrong?
This is caused by non-standard behavior of Prosody's MUC plugin. Basically it behaves as if a MUC room already exists, even if that's not the case.
You have two possibilities:
- Using Smack's (since 4.0) MultiUserChat.createOrJoin(String) will succeed in this case. See also SMACK-557.
- Setting Prosody's mod_muc property restrict_room_creation to true will make Prosody behave as specified in XEP-45.
Since you want to configure the room, the only option is changing Prosody's restrict_room_creation setting.
Note that there is another issue in Smack's MUC code that will be fixed in Smack 4.1, and likely there will also be a workaround implemented in Prosody. But I don't think that issue is related here; the info is just for completeness.
I have a webapp that's a game, and only after a certain score can people become friends, at which point they should be automatically added to each other's friend list.
Trying to figure out how to handle rosters in ejabberd like this:
- prevent any user from adding anyone else by him/herself
- only let the webapp handle modifications to rosters (buddy lists)
Using a client JS library like Strophe would not be secure; I need a server-side method of adding users to each other's roster. Any thoughts or ideas on how to do this with ejabberd?
EDIT:
OK, it seems mod_rest for ejabberd gives RESTful access to (all?) the ejabberd methods.
OK, so after I was on the right track I managed to figure it out in an hour:
- install ejabberd
- install mod_rest
- install mod_admin_extra
Then the command `ejabberdctl help process_rosteritems` gives:

```text
Command Name: process_rosteritems
Arguments: action::string
subs::string
asks::string
users::string
contacts::string
Returns: res::rescode
Tags: roster
Description: List or delete rosteritems that match filtering options
Explanation of each argument:
- action: what to do with each rosteritem that matches all the filtering options
- subs: subscription type
- asks: pending subscription
- users: the JIDs of the local user
- contacts: the JIDs of the contact in the roster
Allowed values in the arguments:
ACTION = list | delete
SUBS = SUB[:SUB]* | any
SUB = none | from | to | both
ASKS = ASK[:ASK]* | any
ASK = none | out | in
USERS = JID[:JID]* | any
CONTACTS = JID[:JID]* | any
JID = characters valid in a JID, and can use the globs: *, ?, ! and [...]
This example will list roster items with subscription 'none', 'from' or 'to' that have any ask property, of local users which JID is in the virtual host 'example.org'
and that the contact JID is either a bare server name (without user part) or that has a user part and the server part contains the word 'icq':
list none:from:to any *@example.org *:*@*icq*
```
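As an added example (not code from the question or the answer, and not part of ejabberd): the game backend is the only party that touches rosters, so it links two players server-side with mod_admin_extra's add_rosteritem in both directions and can verify the result with the process_rosteritems filter grammar quoted above. The ejabberdctl path, the roster group name and the permitted JID alphabet are assumptions; player-supplied names are checked before they become arguments, because process_rosteritems interprets *, ?, ! and [...] as globs.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/** Server-side roster linking for the game backend via ejabberdctl (mod_admin_extra). */
public class RosterLinker {
    // Only JID parts from this alphabet reach ejabberdctl: process_rosteritems treats
    // *, ?, ! and [...] as globs, so a player-chosen name must never carry them.
    private static final Pattern SAFE = Pattern.compile("^[a-z0-9._-]{1,64}$");
    private final String ejabberdctl; // hypothetical path, e.g. /usr/sbin/ejabberdctl
    private final String group;       // roster group shown in the players' buddy lists

    public RosterLinker(String ejabberdctl, String group) {
        this.ejabberdctl = ejabberdctl;
        this.group = group;
    }

    static String checked(String part) {
        if (!SAFE.matcher(part).matches()) {
            throw new IllegalArgumentException("unsafe JID part: " + part);
        }
        return part;
    }

    /** Two add_rosteritem argument vectors (one per direction) with subscription "both",
     *  so neither client has to send or approve a presence subscription itself. */
    public List<List<String>> linkCommands(String user1, String host1, String user2, String host2) {
        String u1 = checked(user1), h1 = checked(host1), u2 = checked(user2), h2 = checked(host2);
        // add_rosteritem localuser localserver user server nick group subs
        return Arrays.asList(
            Arrays.asList(ejabberdctl, "add_rosteritem", u1, h1, u2, h2, u2, group, "both"),
            Arrays.asList(ejabberdctl, "add_rosteritem", u2, h2, u1, h1, u1, group, "both"));
    }

    /** process_rosteritems filter, in the grammar of the help text above, that lists the
     *  mutual items of the pair so the link can be verified after the fact. */
    public List<String> auditCommand(String user1, String host1, String user2, String host2) {
        return Arrays.asList(ejabberdctl, "process_rosteritems", "list", "both", "any",
            checked(user1) + "@" + checked(host1), checked(user2) + "@" + checked(host2));
    }

    /** Runs the vectors directly; ProcessBuilder uses no shell, so argv is passed as-is. */
    public static void run(List<List<String>> commands) throws IOException, InterruptedException {
        for (List<String> argv : commands) {
            Process p = new ProcessBuilder(argv).inheritIO().start();
            if (p.waitFor() != 0) {
                throw new IOException("ejabberdctl failed: " + argv);
            }
        }
    }
}
```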
I'm working on a SaaS (Software as a Service) web app and I'm using subdomains for separate accounts.
Which subdomains should I prevent the user from using?
The ones I currently have are admin, administrator, blog, support and help. I remember seeing a question on Quora about it but I can't find it anymore.
Thanks for your suggestions. I've made a Rubygem for blocking a load of subdomains, which can be found here: https://github.com/deanperry/saas_deny_subdomains
Just add deny_subdomains :subdomain (:subdomain being the field) and it will block/deny a massive list of subdomains.
Here is my version in PHP. I added some of mine + ones suggested in the thread + Dean Perry's.
I was able to cover lots of scenarios by using some regex.

```php
/**
 * Checks if the subdomain is good. e.g. forbidden names are: ssl, secure, test, tester etc.
 * @see http://stackoverflow.com/questions/11868191/which-saas-subdomains-to-block
 * @see https://github.com/deanperry/saas_deny_subdomains/blob/master/lib/saas_deny_subdomains/subdomains.rb
 * @return boolean
 */
public function isSubdomainAvailable($subdomain) {
    // Comma-separated list; each entry is a regex alternative (\d* etc. allowed). Every line
    // must end with a comma, otherwise the whitespace removal below glues two entries together.
    $banned_subdomains_csv = 'admin, login, administrator, blog, dashboard, admindashboard, images?, img, files?, videos?, help, support, cname, test, cache, mystore, biz, investors?,
    api\d*, js, static, s\d*,ftp, e?mail,webmail, webdisk, ns\d*, register, join, registration, pop\d?, beta\d*, stage, deploy, deployment,staging, testers?, https?, donate, payments, smtp,
    ad, admanager, ads, adsense, adwords?, about, abuse, affiliate, affiliates, store, shop, clients?, code, community, forum?, discussions?, order, buy, cpanel, store, payment,
    whm, dev, devel, developers?, development, docs?, whois, signup, gettingstarted, home, invoice, invoices, ios, ipad, iphone, logs?, my, status, networks?,
    new, newsite, news, partner, partners, partnerpage, popular, wiki, redirect, random, public, resolver, sandbox, search, servers?, service,uploads?, validation,
    signin, signup, sitemap, sitenews, sites, sms, sorry, ssl, staging,features, stats?, statistics?, graphs?, surveys?, talk, trac, git, svn, translate, validations, webmaster,
    www\d*, feeds?, rss, asset[s\d]*, cp\d*, control panel, online, media, jobs?, secure, demo, i\d*, img\d*, css\d*, js\d*';
    $regex = $banned_subdomains_csv;
    $regex = preg_replace('#\s#si', '', $regex); // rm new lines, spaces etc
    $regex = preg_replace("#,+#si", '|', $regex); // one or more commas become an alternation
    $regex = trim($regex, '|'); // remove any leading/trailing bars left by stray commas
    $regex = '#^(?:' . $regex . ')$#si'; // anchored, case-insensitive whole-label match
    $status = !preg_match($regex, $subdomain); // without main domain added
    return $status;
}
```
Slavi
http://orbisius.com
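The same check as an added Java example (not the PHP answer's code, and not from the Rubygem): the label is normalized with a fixed locale, rejected unless it is a syntactically valid DNS label, and only then compared with the reserved names collected in this thread, including the numeric-suffix stems the PHP regex covers with \d*. Which names go on the list is the product's decision; the sets below are assumptions built from the names on this page.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

/** Tenant subdomain check: syntactic validity first, then the reserved-name blocklist. */
public class TenantSubdomain {
    // RFC 1035 label: letters, digits and hyphens, 1 to 63 chars, no leading or trailing hyphen.
    private static final Pattern LABEL = Pattern.compile("^(?!-)[a-z0-9-]{1,63}(?<!-)$");

    // Names collected in this thread; add your own product name and its variations.
    private static final Set<String> RESERVED = new HashSet<>(Arrays.asList(
        "www", "admin", "administrator", "api", "blog", "support", "help", "mail", "webmail",
        "ftp", "ssl", "secure", "test", "stage", "staging", "dev", "development", "status",
        "demo", "git", "svn", "files", "docs", "feeds", "assets", "static", "i"));

    // Stems that are reserved together with any numeric suffix (api2, ns1, www3, assets0).
    private static final Set<String> NUMBERED = new HashSet<>(Arrays.asList(
        "api", "ns", "www", "assets", "s", "cp", "img", "css", "js", "pop", "beta", "i"));

    /** Canonical form: trimmed and lowercased with a fixed locale, so the result does not
     *  depend on the server's default locale. */
    public static String normalize(String raw) {
        return raw == null ? "" : raw.trim().toLowerCase(Locale.ROOT);
    }

    /** xn-- is the IDNA (punycode) prefix; such a label could decode to a look-alike of a
     *  reserved name, so it is refused here rather than compared to the list as-is. */
    public static boolean isValidLabel(String label) {
        return LABEL.matcher(label).matches() && !label.startsWith("xn--");
    }

    public static boolean isReserved(String label) {
        if (RESERVED.contains(label)) {
            return true;
        }
        String stem = label.replaceFirst("\\d+$", "");
        return !stem.equals(label) && NUMBERED.contains(stem);
    }

    /** True only for a well-formed label that is not on the blocklist. */
    public static boolean isAvailable(String raw) {
        String label = normalize(raw);
        return isValidLabel(label) && !isReserved(label);
    }
}
```

isAvailable("API2") and isAvailable("-acme") both return false (reserved stem, invalid label), while isAvailable("acme") returns true.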
To name a few:
www
help
support
admin
api
assets0-x
In addition to those mentioned:
test
stage/staging
dev/development
status
mail
webmail
ftp
feeds
ssl/secure
demo
git/svn
files/docs
Might also want to reserve your own name and any variations.
Edit: Just a thought, and perhaps over the top, but you could also consider reserving something like i.example.com ("i" being for internal); then you've got a whole namespace of *.i.example.com for internal use.
Another way of approaching this would be app-tenant.domain.com, where tenant is your customer's username or company. This means you can wildcard your users with something like app-*.domain.com in your DNS settings. But if you use an application-level load balancer that should be easier. This looks prettier IMHO.
Note: app.*.domain.com is not valid AFAIK.