Authentication and Authorization
OpenRegistry currently uses Spring Security to provide authentication and authorization capabilities. Out of the box, its configured to utilize the Jasig Central Authentication Service for authentication of the web UI and RESTful API. In both instances, a set of database users and associated roles are configured(schema for oracle database and sample dml is provided below). Sample authorization configuration for coarse grain access is provided using spring expression language SpEL. Fine grain access control can be implemented using spring security tag library and security trimming mechanism.
Location of Files
The authentication and authorization information is located in the OPEN_REGISTRY/WEB-INF/securityContext.xml file. Deployers who wish to completely swap the configuration may replace that file (or OVERLAY it if using the Maven2 WAR Overlay method).
Replacing Database Schema for Role Persistence
Spring Security's out of the box implementation "JdbcDaoImpl" of "UserDetailsService" is configured. "UserDetailsService" is what Spring Security utilizes to convert the provided authenticated username to a user that Spring Security understands. This is referenced by the Bean Id: jdbcUserService
Current configuration utilizes the schema that is provided below , deployers who wish to use their own schema need to provide 'usersByUsernameQuery' and 'groupAuthoritiesByUsernameQuery' queries to jdbcUserService.
RESTful API Authentication
Open registry utilizes CAS for authenticating web UI users as well as REStful API clients. While WEB UI clients are directed to CAS loging page (standard CAS) ,RESTful api clients authentication happens in two phase.
- REST client first need to get ticket from CAS server by providing username,password and the service url (essently service URL of open registry) either by invoking heavy weight SOAP service or REST call to CAS server.
- The client then need to pass username='cas_stateless' and password ='ticket got from CAS in step 1 to open registry.
Authorization on Service Layer
Security Trimming
Implementation of the Open registry may want to restrict the search results based on authorized principal's granted authority. This is must be done at service layer. Necessary configuration has been made in the security context to create spring security aop proxies to apply the pre/post filtration/authorization on the service layer. Security trimming is done by the following annotation in the default person service
@PostFilter("hasPermission(filterObject, 'read')")
Default Implementation of permission evaluation has been provided in the class org.openregistry.core.service.security.auth.DefaultPermissionEvaluator
That returns true i.e. doesn't apply security criteria on the service layer.
PreAuthorization
Implementation of the Open registry may want to restrict the adding of the person based on the authorized principal's granted authority and the data.Reauthorization on the service layer has been done using the following annotation
@PreAuthorize("hasPermission(#sorRole, 'admin')")
Default implementation that doesn't apply any pre authorization criteria has been provided in class PermissionEvaluator
Schema for Role Persistence
Data model for authorization is now part of open registry core data model.