Differences
devel:documentation:security [2018/03/27 08:34] stloukalp
devel:documentation:security [2019/02/01 13:08] kotisovam admin guide section
Line 1: | Line 1: | ||
+ | <- .: | ||
+ | |||
+ | ====== Security ====== | ||
+ | {{tag> security authentication authorization}} | ||
+ | |||
+ | ===== API authentication ===== | ||
+ | |||
+ | API access requires the user to be authenticated, | ||
+ | |||
+ | * authentication - the user proves his identity | ||
+ | * authorization - the user has access to given resource | ||
+ | |||
+ | ===== Authentication ===== | ||
+ | |||
+ | Authentication is realized through a request filterchain. The filters must always follow specified behavior: | ||
+ | |||
+ | * if credentials are OK, continue to authorization | ||
+ | * if credentials do not match, pass request to another filter in chain | ||
+ | |||
+ | In reality there is only one authentication servlet filter - '' | ||
+ | |||
+ | ===== Authorization and JWT token ===== | ||
+ | |||
+ | User authorization is checked on the API endpoint layer and enforced by Spring Security. The content of IdM JWT: | ||
+ | |||
+ | * currentUsername - effective user's login | ||
+ | * originalUsername - logged user's login | ||
+ | * currentIdentityId - effective user's ID | ||
+ | * originalIdentityId - logged user's ID | ||
+ | * exp - token expiration date | ||
+ | * iat - issued at date | ||
+ | |||
+ | All IdM JWT tokens are signed using HMAC256 algorithm. The symmetric encryption key is configuration property of CzechIdM, stored as " | ||
+ | |||
+ | Backend of CzechIdM supports immediate detection of user's authorization change. Each modification type is implemented as application event processor, for further details please check the source code and tests :) When user's authorization changes, then persisted tokens, which user owns, are disabled => user is logged out. Types of modifications: | ||
+ | |||
+ | * removal of role, which carries application permissions => user losses some permission. | ||
+ | * disabling the user | ||
+ | * role's permissions change - revokes tokens of all users which have the role assigned | ||
+ | |||
+ | ===== Admin guide (to be completed) ===== | ||
+ | * [[.adm: | ||
+ | |||
+ | ===== Devel Guide ===== | ||
+ | |||
+ | {{indexmenu> | ||
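Review bot: In the "Authorization and JWT token" section the HMAC256 key is called a "symmetric encryption key", but HMAC is a message authentication code, not encryption: it gives the token integrity and authenticity, not confidentiality, so the claims listed above (currentUsername, originalUsername, identity IDs, exp, iat) are readable by anyone holding the token. Suggest calling it the JWT signing secret (HMAC secret), and since the sentence is cut off at `stored as "`, completing the property name, where it is set, and what happens to already issued tokens when the secret is changed. The "Authentication" section likewise stops at `only one authentication servlet filter - ''`, leaving the filter unnamed, and the filter contract only says "pass request to another filter in chain" for bad credentials; please state what the chain does when no filter accepts the request. In the token revocation paragraph, "user losses some permission" should read "loses", and it would help to say explicitly that token validation consults the persisted token state (so a disabled token is rejected even though its signature and exp are still valid), since that is what makes the "user is logged out" claim hold.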