Jetspeed Proposal: role-based authorization concept LAST MODIFIED: $Date$ AUTHOR: marcus.schwarz@sap.com STATUS: approved **************************************************************************** * WARNING: THIS DOCUMENT WAS INITIALLY A PROPOSAL. PLEASE CHECK THE DATE * AS THIS MAY HAVE BECOME OLD. * **************************************************************************** This proposal should not replace security stuff from Turbine. Still we will and should use Turbine to support JetSpeed with role/permission information. But it should enable JetSpeed to apply these security configurations to portlets. So *still* Turbine will be the framework, which is containing the user, role and permission information. History: - have changed structure and some concepts in 2 (thanks to Jeff) - changed API in 3 (thanks to Kevin) - skipped 4 "Storage of roles inside of JetSpeed" - some organisatins must still do it, but should be seperated from JetSpeed using the Turbine framework. So inclusion to standard make no sense. **************************************************************************** 1. Default permission concept **************************************************************************** We can go two ways: - by default each role is allowed to access all portlets. We have to define which roles are not allowed to. - by default nobody is allowed to access a portlet. We have to define which role is allowed to. In the first look approach one seems easier. But we will run in too much security issues. Just think about 'confidential' portlets, like the above-mentioned salary portlet. Because everybody would have access by default, we would need to add all roles to the configuration, which are not allowed to access - and these are the most! Now imagine the situation that we need to add a new role: The administrator would have to take care that the access to all the confidential portlets would be restricted in adding the new role to the 'deny'-list! And now imagine he/she would forget the salary-portlet by accident.... The example shows: the allow-everything approach is not feasible from a security point of view! So we have to deny access by default. Of course the most portlets would be allowed to be viewed by every role. **************************************************************************** 2. Storage of authorization information **************************************************************************** The information should be stored in the registry: ... ... role1 perm1 perm2 role2 user1 role3 user2 ... ... The access-tag is describing the access to a portlet. With the everyone="true" attribute we can grant access permissions to all generic portlet functions without listing all exisiting roles/users. In general every role/user is not allowed to access the functionality. The allow-tag contains all roles/users allowed to access the functionality. In detail all users in the specific role, which are owning one of the specified permissions, are allowed to access. If just a role without any permission is specified any members of this role independed of the permission will have access. That's especially important, because some user managements don't handle permissions just roles. The deny-tag allows to deny access inside of these group. In example we will allow access to the role 'HR-department' but will exclude user 'John'. In the most cases it makes no sense to deny access to a role, because by default each role has no access. But if one is using a user management which can handle roles and sub-roles this tag is interesting. The usage of the user-tag depends on the strategy of the organisation. In some cases it is useful to define everything with roles. Then we don't have to exclude a user, because this user will be a member of a different role. But JetSpeed should be able to handle both scenarios. **************************************************************************** 3. API to access this information **************************************************************************** To allow other parts of JetSpeed to retrieve this information we should add a new method to org.apache.jetspeed.registry.peer.PortletEntry: public Access[] getAccess(); Definition of Access: public class Access { public boolean allowsEveryone(String mode); public Role[] getRole(String mode); public boolean allowsRole(String mode); } Both methods need the input parameter 'mode' to know, which access operation are requested (view, edit, maximize, ...) **************************************************************************** 4. Additions in administration UI **************************************************************************** The new capabilities must be reflected in the administration UI. We need the following functionality: - Define access permissions on role-base for the portlets We have to provide a matrix-based screens the administrator can use to define which access-option (view, edit, maximize) of a portlet a role should have. A button on the left hand should enable to set the above mentioned -tag --> every role (also new roles) will have access to this functionality. The screen should look similar to this: all | Portlet | Role1 | Role2 | Role3 ---------------------------------------------------- | News Feed | | | O | - view | X | X | O O | - edit | X | O | O O | - maximize | X | X | O ---------------------------------------------------- | Bulletin Board | | | X | - view | X | X | X .... If "all" is selected automatically the whole row is selected. If "view" for a role is disabled all the other functions (edit, maximize) are automatically disabled. - Create, modify, delete JetSpeed role Will come soon....