You are viewing the documentation for an outdated or unreleased 9.5 version.
This page is also available in versions: 8.0, 8.1, 9.0, 9.1, 9.2, 9.3, 9.4, 9.5, 9.7 (current), devel

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

9.5:documentation:security [2019/02/01 13:08] (current)
Line 1: Line 1:
 +<- .:​password_policies | Password policies ^ .:start | Documentation ^ .:​notifications | Notifications ->
 +
 +====== Security ======
 +{{tag> security authentication authorization}}
 +
 +===== API authentication =====
 +
 +API access requires the user to be authenticated,​ excluding a few public endpoints. We can divide the sign in into two parts:
 +
 +  * authentication - the user proves his identity
 +  * authorization - the user has access to given resource
 +
 +===== Authentication =====
 +
 +Authentication is realized through a request filterchain. The filters must always follow specified behavior:
 +
 +  * if credentials are OK, continue to authorization
 +  * if credentials do not match, pass request to another filter in chain
 +
 +In reality there is only one authentication servlet filter - ''​%%AuthenticationFilter%%''​. Others filters are Spring beans implementing ''​%%IdmAuthenticationFilter%%''​ interface. An exception in filters is the ''​%%ExtendExpirationFilter%%'',​ which is another servlet filter handling the extension of expiration date of JWT tokens. This filter also controls possible exceptions in authentication flow.
 +
 +===== Authorization and JWT token =====
 +
 +User authorization is checked on the API endpoint layer and enforced by Spring Security. The content of IdM JWT:
 +
 +  * currentUsername - effective user's login
 +  * originalUsername - logged user's login
 +  * currentIdentityId - effective user's ID
 +  * originalIdentityId - logged user's ID
 +  * exp - token expiration date
 +  * iat - issued at date
 +
 +All IdM JWT tokens are signed using HMAC256 algorithm. The symmetric encryption key is configuration property of CzechIdM, stored as "​idm.sec.security.jwt.secret.token"​. Default token expiration time is 10 minutes. JWT tokens are persisted in database (''​%%IdmToken%%''​ entity) with assigned authorities. When identity is logged out, token is disabled. Disabled and expired tokens are purged periodically by internal scheduled task.
 +
 +Backend of CzechIdM supports immediate detection of user's authorization change. Each modification type is implemented as application event processor, for further details please check the source code and tests :) When user's authorization changes, then persisted tokens, which user owns, are disabled => user is logged out. Types of modifications:​
 +
 +  * removal of role, which carries application permissions => user losses some permission.
 +  * disabling the user
 +  * role's permissions change - revokes tokens of all users which have the role assigned
 +
 +===== Admin guide (to be completed) =====
 +  * [[.adm:​security|Security overview]]
 +
 +===== Devel Guide =====
 +
 +{{indexmenu>​.security:​dev#​1|tsort}}