...

An implementation of Open Registry may want to restrict search results according to the authenticated principal's granted authorities. This must be done at the service layer: the security context is configured to create Spring Security AOP proxies that apply pre/post authorization and filtering to service-layer methods. In the default person service, security trimming is done with the following annotation:
@PostFilter("hasPermission(filterObject, 'read')")
A default permission evaluator is provided in the class org.openregistry.core.service.security.auth.DefaultPermissionEvaluator.
It returns true unconditionally, i.e. it applies no security criteria at the service layer, so a deployment that needs trimming has to supply its own PermissionEvaluator.

...

An implementation of Open Registry may also want to restrict adding a person according to the authenticated principal's granted authorities and the submitted data. Pre-authorization at the service layer is done with the following annotation:
@PreAuthorize("hasPermission(#sorRole, 'admin')")
The default implementation, which applies no pre-authorization criteria, is the same DefaultPermissionEvaluator: both expressions call hasPermission, which Spring Security delegates to the single PermissionEvaluator configured on the method-security expression handler.
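The following is an added example, not OpenRegistry's own code, of a PermissionEvaluator that actually enforces the two annotations above instead of returning true. Both hasPermission(filterObject, 'read') and hasPermission(#sorRole, 'admin') arrive at the same hasPermission(Authentication, Object, Object) method. The class name and the authority values ROLE_REGISTRY_READ and ROLE_REGISTRY_ADMIN are assumptions; in a real deployment the authority strings are whatever is stored in group_authorities.authority.

```java
import java.io.Serializable;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/**
 * Example PermissionEvaluator (added here; not part of OpenRegistry).
 *
 * Unlike the page's default evaluator, which returns true for everything, this one
 * fails closed: a permission is granted only when it maps to an authority the
 * authenticated principal actually holds.
 */
public class RoleBasedPermissionEvaluator implements PermissionEvaluator {

    // Assumed mapping from the permission strings used in the annotations
    // ('read', 'admin') to authority values as stored in group_authorities.authority.
    private static final Map<String, String> REQUIRED_AUTHORITY;

    static {
        Map<String, String> m = new HashMap<String, String>();
        m.put("read", "ROLE_REGISTRY_READ");
        m.put("admin", "ROLE_REGISTRY_ADMIN");
        REQUIRED_AUTHORITY = Collections.unmodifiableMap(m);
    }

    // Reached by hasPermission(filterObject, 'read') and hasPermission(#sorRole, 'admin').
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        // No principal, an unauthenticated principal, or no target object: deny.
        if (authentication == null || !authentication.isAuthenticated() || targetDomainObject == null) {
            return false;
        }
        // A permission string nobody mapped is a configuration error: deny rather than guess.
        String required = REQUIRED_AUTHORITY.get(String.valueOf(permission));
        if (required == null) {
            return false;
        }
        for (GrantedAuthority granted : authentication.getAuthorities()) {
            if (required.equals(granted.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    // The id/type form is not used by the annotations on this page; deny so that a
    // future expression such as hasPermission(#id, 'Person', 'read') cannot silently pass.
    public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permission) {
        return false;
    }
}
```

To wire it in, set this class as the permissionEvaluator property of the DefaultMethodSecurityExpressionHandler bean and reference that bean from the expression-handler element inside global-method-security (with pre-post-annotations="enabled"). Two caveats worth checking before relying on it: @PostFilter removes rejected elements from the returned collection in place, so the service method must return a mutable collection; and #sorRole is resolved from the method's parameter names, which are only available at runtime when the service classes are compiled with debug information.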

Schema for Role Persistence 

...

create table users (
  username    varchar2(50) not null primary key,
  -- A password column is required by Spring Security's out-of-the-box implementation;
  -- it holds the placeholder NOT_USED. Actual authentication (user/password) is handled by CAS.
  password    varchar2(50),
  description varchar2(50),
  enabled     number(1,0) not null check (enabled in (1, 0))
);

create table groups (
  id          number(19,0) primary key,
  group_name  varchar2(50) not null,
  description varchar2(50),
  unique (group_name)
);

create table group_authorities (
  id        number(19,0) primary key,
  group_id  number(19,0) not null,
  -- Maybe the authority should live in a separate table and be referenced from here.
  authority varchar2(50) not null,
  constraint fk_group_authorities_group foreign key (group_id) references groups(id)
);

create table group_members (
  id       number(19,0) primary key,
  username varchar2(50) not null,
  group_id number(19,0) not null,
  constraint fk_group_members_group foreign key (group_id) references groups(id),
  constraint fk_group_members_users foreign key (username) references users(username)
);

CREATE SEQUENCE groups_seq;
CREATE SEQUENCE group_authorities_seq;
CREATE SEQUENCE group_members_seq;
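As an added example, not OpenRegistry code, the class below shows how the tables above are consumed and populated from Spring Security. The table and column names match what Spring Security's JdbcDaoImpl default group query expects (groups, group_members, group_authorities with these column names), so the default query can be kept; the schema has no per-user authorities table, so that lookup has to be disabled. The DataSource, group names and authority values passed in are assumptions; the SQL uses the Oracle sequence syntax of the DDL above.

```java
import javax.sql.DataSource;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl;

/**
 * Example (added here; not part of OpenRegistry) of using the role persistence
 * schema from Spring Security. The DataSource is supplied by the caller.
 */
public final class GroupAuthorityStore {

    private final JdbcTemplate jdbc;

    public GroupAuthorityStore(DataSource dataSource) {
        this.jdbc = new JdbcTemplate(dataSource);
    }

    /**
     * UserDetailsService for the CAS authentication provider. The schema has the
     * column names of Spring Security's default group query, so that query stays;
     * it has no per-user "authorities" table, so that lookup must be switched off
     * or JdbcDaoImpl fails on the first login.
     */
    public static JdbcDaoImpl userDetailsService(DataSource dataSource) {
        JdbcDaoImpl dao = new JdbcDaoImpl();
        dao.setDataSource(dataSource);
        dao.setEnableAuthorities(false);
        dao.setEnableGroups(true);
        return dao;
    }

    /** Creates a group carrying one authority; ids come from the sequences declared above. */
    public long createGroup(String groupName, String description, String authority) {
        Long groupId = jdbc.queryForObject("select groups_seq.nextval from dual", Long.class);
        jdbc.update("insert into groups (id, group_name, description) values (?, ?, ?)",
                groupId, groupName, description);
        jdbc.update("insert into group_authorities (id, group_id, authority) "
                + "values (group_authorities_seq.nextval, ?, ?)", groupId, authority);
        return groupId;
    }

    /**
     * Enrols a user and puts them in a group. The password column holds the NOT_USED
     * placeholder from the DDL comment: CAS authenticates, these tables only authorize.
     */
    public void addMember(String username, long groupId) {
        Integer existing = jdbc.queryForObject(
                "select count(*) from users where username = ?", new Object[] { username }, Integer.class);
        if (existing == 0) {
            jdbc.update("insert into users (username, password, enabled) values (?, 'NOT_USED', 1)", username);
        }
        jdbc.update("insert into group_members (id, username, group_id) "
                + "values (group_members_seq.nextval, ?, ?)", username, groupId);
    }

    /**
     * The enabled flag is what Spring Security's account-status check consults, so
     * setting it to 0 blocks the user here even though CAS still vouches for the name.
     */
    public void disable(String username) {
        jdbc.update("update users set enabled = 0 where username = ?", username);
    }
}
```

Note that group_members has no unique constraint on (username, group_id), so addMember can insert the same membership twice; the duplicate is harmless for authorization (the authority is simply returned twice) but worth a constraint if the table is ever reported on.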
...

The data model for authorization is now part of the Open Registry core data model.