Threat Model

Before you start coding, creating content or setting up access control set aside some time to consider what is needed when it comes to securing your application (and what could go wrong). In other words: write a threat model and make sure you keep updating it as you continue developing.

The following references provide a good overview as well as guidance on how to build a threat model:

• https://shostack.org/resources/whitepapers/threat-modeling-what-why-how
• https://owasp.org/www-community/Threat_Modeling
• https://owasp.org/www-community/Threat_Modeling_Process

Content Modelling

As suggested in Jackrabbbit Wiki the content hierarchy in your JCR repository should be designed and not just happen. Access control requirements tend to be a good driver.

Make sure the content design allows for a readable and manageable access control setup later on to secure your data. Excessive complexity is often a strong indicator for problems with your content model, making its security error prone and difficult to reason about (and might ultimately might lead to issues with scaling).

Here is an example of an access control setup (with Sling RepoInit) illustrating why content with different access requirements should be kept in separate trees and how complexity may yield undesired effects (see also section ‘Remember inheritance’ below):

  # Content design that results in complex in ac-setup and a vulnerability
  # ----------------------------------------------------------------------
  
  create path /content
  create path /content/public
  create path /content/content2/also_public   # extra folder with public information
  create path /content/sensitive_info         # sensitive data mixed with regular non-sentive content

  set ACL on /content 
     deny  everyone   jcr:all    # most likely redundant
     allow readers    jcr:read
     allow editors    jcr:read, jcr:write
     deny  readers    jcr:read restriction(rep:subtrees, /sensitive_info)        # what about editors or a subject being both reader and editor?
     allow everyone   jcr:read restriction(rep:subtrees, /public, /also_public) # different public folders??
     
     # ... and what happens with a new node /content/public/abc/sensitive_info?
  end 
  
  # Improved content design
  # ------------------------------------------------------------------------------
  
  create path /content
  create path /content/public
  create path /sensitive_info
  
  set ACL on /content 
      allow readers    jcr:read
      allow editors    jcr:read, jcr:write
  end
  
  set ACL on /content/public     
      allow everyone   jcr:read
  end
  
  # NOTE: no ac setup for sensitive info as neither of the roles must have access

Define Roles and Tasks

Finally, write down basic characteristics and demands of your application without getting into access control details or making any assumptions on how your needs will reflected in the repository:

• what roles are present
• what kind of tasks are those roles designed to perform
• define if you have services accessing the repository and what kind of tasks they need to complete

Note, that this document should be human readable not go into implementation details: Instead of writing principal ‘content-authors’ needs jcr:write on /content, define that you have an asset ‘content’, define what kind of data it contains and how sensitive the data is (similar to the threat model). Then identify what roles are going to interact with this data and how they interact: for example you may identify a role that just reading data, a second role that is expected to read and write, and a third one that will only approve new content and publish it).

Know how to get what you need

Familiarize yourself with JCR access control management and Oak authorization design and extensions before starting to edit the permission setup of your Oak installation. This will help you avoid common pitfalls. If you find yourself granting your content-writers role full access to just make it work, you probably left your application vulnerable.

• JCR Specification sections Access Control Management and Permissions and Capabilities
• Oak Authorization Documentation with separate sections for Access Control Management and Permission Evaluation.
• Exercises for authorization topics below https://github.com/apache/jackrabbit-oak/tree/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization

Principle of least privilege

Keep in mind that not having any permissions granted is equivalent to denying everything (which is in this case redundant). Start without any access and then keep granting permissions as needed, following the principle of least privilege. In other words: only grant the minimal set of privileges required to perform a particular task.

Verification

Write tests upfront and verify that for each role and task the expected effective permissions (see definition of roles) are granted. Neither less nor more.

Ideally, your tests will fail as soon as someone is attempting to make any change to the permission setup. Granting additional permissions may open up the door for a privilege escalation and revoking permissions will break your application (if it doesn't you did not follow the principle of least privilege).

This may also include assertions that no permissions are granted at resources that are outside the scope of a given role/task.

  PermissionTestRule ptr = ...
  ptr.newPermissionValidator(EveryonePrincipal.NAME)
        .hasNoPermission("/")
        .hasNoPermission("/content")
        .hasNoPermission("/content/protected", READ)
        .hasOnlyPermission("/content/public", READ)
        .hasOnlyPermission("/content/public/child-item, READ)
        .hasNoPermission("/sensitive_info")
        .validate(); 

Avoid deny

All authorization models present with Apache Jackrabbbit Oak start without any access granted by default i.e. implicit deny everywhere. It is therefore recommended to only grant access where needed and avoid adding explicit deny access control entries. In particular in combination with subsequent allow rules the overall effect will be hard to understand as soon as multiple principals are contained in a given subject.

Be wary if you find yourself adding combinations of denies and allows as it might highlight problematic patterns in your content model that will be hard to understand and secure over time.

Avoid redundancy

Don't specify redundant access control setup just to be on the safe side:

• If access is granted, avoid repeating the same setup down the hierarchy.
• Avoid setup for principals with administrative access for which permission evaluation is omitted. It might even create a false sense of security.
• Avoid redundant membership as it will impact performance of permission evaluation

Principal by principle

Oak authorization is designed to work with java.security.Principal which is an abstract representation of any kind of entity like e.g. individual, a role, a corporation, a login id or even a service.

While JCR specification does not define how the repository knows about principals, Jackrabbit API defines a Principal Management extension.

 // everyone always exists even if there is no such group in the user management
 
 PrincipalManager principalMgr = ((JackrabbitSession) session).getPrincipalManager();
 Principal everyone = principalManager.getEveryone();

Understand default access control and permission management

    String parentPath = "/content/parent";
    String toRemove = "/content/parent/child";
    String toAdd = "/content/parent/newchild";
    
    Session session = ...
            
    // Testing Privileges
    // ----------------------------------------------------------------------------------------
    
    AccessControlManager acMgr = session.getAccessControlManager();
    Privilege jcrAddChildNodes = acMgr.privilegeFromName(Privilege.JCR_ADD_CHILD_NODES);
    Privilege jcrRemoveChildNodes = acMgr.privilegeFromName(Privilege.JCR_REMOVE_CHILD_NODES);
    Privilege jcrRemoveNode = acMgr.privilegeFromName(JCR_REMOVE_NODE);
    
    // test if (unspecified) child nodes can be added/removed from the parent
    boolean canModifyChildCollection = acMgr.hasPrivileges(parentPath, new Privilege[]{jcrAddChildNodes, jcrRemoveChildNodes});
    
    # test if existing child node can be removed
    boolean canRemoveNode = acMgr.hasPrivileges(toRemove, new Privilege[]{jcrRemoveNode});
    
    
    // Testing Permissions (on the target node NOT on the parent)
    // ----------------------------------------------------------------------------------------

    // test if not-yet existing node could be added at /content/parent/newchild
    boolean canAddNode = session.hasPermission(toAdd, Session.ACTION_ADD_NODE);
    
    // test if the existing child node can be removed 
    boolean canRemoveItem = session.hasPermission(toRemove, Session.ACTION_REMOVE);
    boolean canRemoveNode = session.hasPermission(toRemove, JackrabbitSession.ACTION_REMOVE_NODE);
    
    // test if a non-existing node could be removed (not possible with privilege evaluation);
    boolean canRemoveNode = session.hasPermission(toAdd, JackrabbitSession.ACTION_REMOVE_NODE);

    // Using PrivilegeCollection
    // ----------------------------------------------------------------------------------------
    
    JackrabbitAccessControlManager acMgr = ...

    PrivilegeCollection pc = acMgr.getPrivilegeCollection(parentPath);
    
    boolean canRemoveChildNodes = pc.includes(Privilege.JCR_REMOVE_CHILD_NODES);
    boolean canModifyChildCollection = pc.includes(Privilege.JCR_REMOVE_CHILD_NODES, Privilege.JCR_ADD_CHILD_NODES);
    
    boolean hasAllPrivileges = pc.includes(Privilege.JCR_ALL);
    assertFalse(hasAllPrivileges);
    
    Privilege[] privilegesOnParentNode = pc.getPrivileges();  

Leverage customizations

Oak allows for customization and extensions of all parts of the authorization setup. If you find yourself struggling to reflect your needs with the built-in functionality, consider extending and customizing the authorization configuration of the repository.