i'm implementing Application Service that sends statistical data to home page (dashboard application page).
Based on User's Role (the service needs authentication) i would extract/aggregate data from database using WhereIf() based on is role
In particular if user is administrator, I will not apply a data extraction filter using WhereIf()
To do that i've injected IAbpSession inside service constructor to be able to give userid, but how can i ckeck if user is an administrator?
You can check if current user is an administrator by checking the associated roles of that user. You must inject the UserManager which has several methods for role checking. One of them is IsInRole(userId, roleName).
Related
I'm exploring the Spring framework, and in particular I am working on a Cinema Management Application that will be connected to a React.JS SPA (Single Page Application).
The problem is the following. On my database I do have three different tables representing three different types of users, namely Admin, Customer, and Cinema_Employee.
For each type of user, I created a #RestController with a list of RequestMethods that a particular user is able to perform:
"/admin"
"/customer"
"/employee"
What I am trying to achieve now, it's to secure each endpoint offering three different login pages that will handle the authentication the respective type of user.
How can I set up three AuthenticationManager that handle different Authentication objects within a SecurityConfig class given these requirements, and most importantly, how can I override the Authorisation mindful that each user once has logged in, will have access only to the respective endpoint?
I looked carefully at other examples online, and most of them are radical different, following a pattern where the database has another additional 'Authorities' table aside the 'user' one that stores the credential. In my case this solution cannot be applied, not only because the whole design would become redundant, but also because the name of the table where the application will perform the authentication check against, explicitly imply the authorisation that a given user has inside the system.
Your design sounds strange to me.
A user should have a role, e.g. Admin, Customer, Employee and based on the user's role he gets access to methods or not. Have a look at role based access control concepts. For Spring Security there is for example this tutorial:
https://www.baeldung.com/role-and-privilege-for-spring-security-registration
I'm writing web services in Spring Boot and I use Keycloak to protect the application. The app will expose API to manage restaurants.
In Keycloak I have two roles: admin and manager.
A user with admin role can CRUD restaurants. The same company has multiple restaurants and each restaurant has a manager. I want users with manager role to be able to edit only their restaurant (the restaurant they manage).
According to my understanding of Keycloak's documentation I have to use Resource with Permission but they stated that:
[] you can also have a different resource named Alice’s Banking Account, which represents a single resource owned by a single customer, which can have its own set of authorization policies.
To do that I have to create a resource like this /api/restaurants/12345 but the thing is that I can't hardcode an ID like this.
For now I protected my endpoint like this in spring boot:
http
.authorizeRequests()
.mvcMatchers(HttpMethod.PUT, "/api/restaurants/*").hasAnyRole("ADMIN", "MANAGER")
.anyRequest().permitAll();
This means that any manager from any restaurant can edit another restaurant. I want to limit that to their restaurant only (the restaurant they manage). How can I do that in Keycloak if at all possible?
What you are looking for is User managed access (UMA). It allows to manage the access permission for each resource.
The permissions can be managed with the user's authentication. So if a user enters a new restaurant you can automatically grant access permissions to him without involving a process with elevated privileges.
The best introduction is probably the Photoz example. Instead of restaurants, it's about photo albums.
I'm developing an application using Grails and Spring Security.
My wish is, when the user creates his account informing his company name, the app creates an entry in the company, role and user tables and relates that role and user with the company entry.
The role created will be like an administrator which has permission for do every thing. This user with that role can creates new roles specifying the permissions but all roles created should be only in the company scope, so those roles should not be available for users of others companies.
I've seen that the Spring Security has a feature called Requestmap which for each URL, the application can specify the roles which will have access.
I don't know if this is the best solution, because in my app the number of roles will increase at least as many as the number of user.
Do you guys have some advice of how to solve this problem?
Thank you for all.
You should have a look on Spring Security ACL plugin.
With this plugin you would be able to add permissions (like write or read permission) to certain users on certain domain models.
Have a look on example taken from documentation:
#Transactional
#PreAuthorize("hasPermission(#report, write) or " +
"hasPermission(#report, admin)")
Report updateReport(Report report, params) {
report.properties = params
report.save()
report
}
By using PreAuthorize annotation it is checked if user has write (or admin) permission on this certain Report entity.
We are trying to use Spring SAML Extension to implement identity federation which is a use case described in Security Assertion Markup Language (SAML) V2.0 Technical Overview (5.4.3 Federation Using Persistent Pseudonym Identifiers).
Our application try to associate remote users with local accounts(in out app) for SSO between business partners. Our application is a SP and partner's application is a IDP.
In this scenario, if a user attempt to access secure resource and does not have logon session on our app, the SP will redirect user to IDP. After user is authenticated at IDP site, a HTTP request will send to SP Assertion Consumer Service with a name identifier. At SP site, if the name identifier was not mapped to a local account, our app will present a login page to challenge user to provide local identity of our app. After user provider valid credential then a local session is created and user can access secure resource. Also a federation of two account (SP and IDP) is created and persisted.
I have searched many examples but have not found a configuration that clearly describes what I need. I have not found a Spring document that describes how I can implement this.
Basically, my questions are how to create/config custom login screens and persist this identity federation. Any thoughts, examples or documents?
btw, this is very similar to Account Linking in Ping federation.
Thanks for any help, much appreciated.
One approach to go about it is to:
implement a custom SAMLUserDetailsService which maps content of the Assertion (persistent NameID) to the local account
in case the local account exists it populates e.g. a UserDetails object with user's data and adds a GrantedAuthority e.g. ROLE_FULL_ACCESS
otherwise it returns an object which indicates that local account is missing, but doesn't throw an exception
implement a custom AuthenticationSuccessHandler which detects whether user has a local account (based on the Authentication object with data populated from the SAMLUserDetailsService)
in case user has a local account continue to the default page
otherwise redirect user to page with challenge for linking of the local identity
implement e.g. an MVC Controller, or another Spring Security authentication endpoint which accepts callback from the local identity linking page (with user's credentials to the local account)
store the link between persistent ID and local account
update the current Authentication object with the new UserDetails object reflecting the selected local account
redirect user to the default page
Content which should be available only to fully authenticated users (i.e. users with local account) should be secured with role ROLE_FULL_ACCESS, so it cannot be accessed by users who authenticated using the IDP, but who haven't performed the linking yet.
User(ROLE_USER) Login url:
www.aaa.com/user/info.do
Administrator(ROLE_ADMIN) Login url:
www.aaa.com/manager/info.do
I use Spring Security.
I don't want the administrator to log out When a user logs in.(
also I don't want the user to log out When administrator logs in.
One man has User(ROLE_USER) ID and Administrator(ROLE_ADMIN) ID and uses one browser.
I want to use two ID in one browser at the same time.
ex)a website customer service center staff uses manager site and user site with two ID.
Is this possible?
Sounds like it's just a matter of assigning to administrators ROLE_USER in addition to ROLE_ADMIN. A single user can have more than 1 role (check getAuthorities() method in UserDetails interface).