I have developed a web application with following architecture:
Frontend : Angular 6
Backend : Java REST APIs with Springboot
I want to add authentication and authorization to it. For that I'm looking for some open source application (e.g. KeyCloak, Gluu etc.). I would like to know in which tool the below scenarios are supported.
There will be predefined set of Activities on UI (e.g. Add, Edit,
Delete etc)
There will be predefined Access Levels (e.g. Read, Write, No Access)
I should be able to create Roles, then assign activities and access levels to those roles and assign those roles to user.
Can you please help me to find out a tool which supports my above scenario?
I tried something for KeyCloak, but i couldn't find a way to add activities, access levels and map roles to it. I think everything there is governed by Role only.
I just realized that I need Activity based authorization and not Role based authorization. Please help me find some tool for that.
I'm not sure what is meant by activity based authorization but i suspect you actually mean permission based authorization, in example: Grant permissions to users to perform certain actions.
Shiro offers you permissions and role based authorization out of the box.
You can create roles, add permissions to these roles and assign them to a user. Supported are implicit and explicit roles, whereas one role can hold any number of permissions. You can even work with wildcards and group the permissions.
For more information you should take a look at the official Shiro entry and especially the web documentation for your project in particular. Shiro offers full support for Spring-Boot applications, you can find a HowTo here.
Shiro fully supports your described scenario.
Related
I scrolled through the documentation of KeyCloak and also set it on my machine to explore.
I also explored fine-grained permissions however I didn't get much detail in documentation around the n-level of nested hierarchies.
Here https://www.keycloak.org/docs/latest/server_admin/ this talks about limiting an admin user to particular client management, however, I want certain users, within the client, to be able to create accounts but with scopes and attributes limited to what's assigned to themselves.
For an example:
For a client(ERP>Transactions) we want to create an Org(our customer) Admin who in return will create teams and team admins. Team admins shall be able to invite their teammates in there.
Now I just want to know if only Keycloak can be used to make sure a user in one Org shouldn't be able to create a user in some other org, in the same way, a team admin shouldn't be able to onboard/invite a user in some other team.
Because if Keycloak in principle can't handle this, our team will start writing custom logic in our application code base for this.
I have an application where right now a user could work in different context : in the same client application he could switch his context and work either for a company1 as "Administrator" or if he switch to the second context , he could work as "Editor" for the company2…
This was done by using a custom homemade authorization module, but we are trying to use openid-connect now so we are trying to find some solutions with KeyCloack.
Is it possible to assure the same kind of thing in Keycloack ?
It's possible. BUT it's not something that anyone who doesn't know the internal of your custom implementation could give you a solution.
Authorization services provided by Keycloak is quite flexible and of course complex. I suggest you to take a look at the following link and see which of of authorization solution can answer your requirements and would also be possible to adopt your system to use it (e.g. RBAC, ABAC, CBAC, etc.).
As an example, one solution could be to consider each company a resource and then each user of the application, can have different roles/permissions on each resource. So in Keycloak you define who has what roles on which resources (companies) and then in your app, you check those to see if user is authorized or not. But I'm pretty sure when you get a better overview of the Authorization Services in Keycloak, you would come up with a much better idea.
Keycloak Authorization Services
The basic architecture of my application is React front-end consuming a RESTful API sitting on top of a polyglot storage layer.
Front-end:
React consuming APIs
Back-end:
Python
Flask
Authentication
Auth0+OKTA
Everything is working great. However, I need to have different roles for the users. In other words, I need to control the actions that a user can perform on a resource based on the role.
Example:
-User A wants to add a new user
-He has a token in his request, so I know User A is Authenticated
-Now I need to make sure he can in fact add users base on his role.
I don't want to hard-code the user roles as suggested in other solutions, and I would like to allow for custom roles to be added.
Also, I want to be respectful of people's time, so if there is a resource that addresses my concern, please feel free to point me to it.
These are my questions:
1. Are there any best practices for implementing what I am trying to accomplish?
2. Could you point me to examples or tutorials discussing authorization(not authentication)?
3. Do I check at each service call if the authenticated user can also perform the action or do I provide the roles in some form after authorization, so a service request contains both the authentication and authorization token?(this seems pretty easy to hack so I am guessing no...)
If I sound confused on the topic of authorization, it is because I am. Please feel free to point me to any resource that have been helpful to you.
Thank you in advance for taking the time to help! I really appreciate it.
You can use a framework like Yosai that is based on Apache Shiro.
These are some features:
Enables Role-Based Access Control policies through permission-level and role-level access control
Two-Factor Authentication, featuring Time-based One-Time Passwords
Native Support for Caching and Serialization
Event-driven Processing
Ready for Web Integration
I am new in apache shiro, and I read almost 60% of tutorials in apache shiro page.
It is a wonderful framework, however I wonder if it can meet my requirements.
I am interested in the permission-based authentication.
For example, to make sure if the user have the permission of delete resources, we can use this:
currentUser.isPermitted( "resource:delete" );
However in our application, even a user have the permission of delete resources, he can only delete some specified resources, not all of them.
For example(just an exmaple), the resource have an filed named createdby to record the one who create this resource.
Now user can only delete the resources created by himself if he have the resouce:delete permission.
In fact, the resources which can be deleted by the user(who have authenticated and have delete permission) will be calculated by more constraints.
Now how to make shiro work in this suitation?
You can do this in Shiro but you will have to write some code. Either create a subclass of Authorizer and inject it into the security manager or create a subclass of one of the realm classes such as JdbcRealm. Then override the isPermitted method. This will need to have access to your permissions model, for example the database table or a document in a NoSQL database.
Your call to isPermitted will need to specify the resource you are deleting so you can look it up in your overridden method.
If you override the isPermitted method in the AuthorizingRealm subclass you will have access to the logged in user's principals and the user's Roles: this gives you quite a bit of flexibility because you can have says: user (principal) Fred with roles: Manager, Administrator. Your permissions model can then decide if Fred, a Manager or and Administrator can perform the task on the specified resource.
Hope that gives you some ideas.
From the extent, I have explored Shiro, I don't think it gives that level of flexibility to have a customized check. It basically functions based on roles and permission defined in the config file.
For this functionality I would suggest that you display only those records the user is allowed to delete, by have this check at query fetch level. (or) add a condition at the UI level not display the delete button if logged in user is same as created by. This is just a suggestion.
I have an MVC2 site that now allows access to it via windows authentication and uses ASP.net Role provider to provide authorization. I am trying to come up with a way for the site to allow the user access to the site if his username is a member of certain groups so I won't have to sign up user in sql, but just sign up a group with access. Anybody have any idea how to do this? Is there a quick and dirty way? So far in my internet perusals I haven't found a quick and dirty way to do this? Any help would be great.
Thanks
Looking up Role/Group information for a User
ASP.NET provides a useful “Role Management” capability, which allows developers to map users into logical “Roles” that can then be used to better control end-user capabilities and authorization access. For example, as a developer I could create a role called “managers” for my web application, and then limit access to portions of the site to only those users within the “managers” role (note: I will be posting additional recipes in the future that discuss how to fully use the Role Management authorization and capabilities features more).
When using Windows Authentication, ASP.NET allows developers to create and populate roles from multiple sources. For example, a developer could setup the built-in ASP.NET 2.0 SqlRoleProvider to map Windows users to custom application roles that are store within a database. This approach is very useful for scenarios where there might be application-specific role mappings that don’t make sense to push into a centralized Active Directory tree/store.
ASP.NET also makes it easy to access central Windows and Active Directory group mappings from within an application as well. For example, if there is a Windows group on the Active Directory network called “DOMAIN\managers”, an ASP.NET application could lookup whether the current Windows authenticated user visiting the ASP.NET site belongs to this group by writing code like this:
If User.IsInRole("DOMAIN\managers") Then
Label1.Text = User.Identity.Name & " is a manager"
Else
Label1.Text = User.Identity.Name & " is not a manager"
End If
Note that the role/group look-up is done via the “User.IsInRole(rolename)” method that is a peer of the User.Identity.Name property.
src
http://weblogs.asp.net/scottgu/archive/2006/07/12/Recipe_3A00_-Enabling-Windows-Authentication-within-an-Intranet-ASP.NET-Web-application.aspx