Strolch
/
strolch-website
mirror of
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
strolch-website/docs/documentation/priviles/index.html

73 lines
16 KiB
HTML
Raw Blame History

<!doctype html><html lang=en class="js csstransforms3d"><head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1"><meta name=generator content="Hugo 0.80.0"><meta name=description content="Strolch is a parameterized framework for use on servers and IoT"><meta name=author content="Strolch"><link rel=icon href=/favicon.ico type=image/ico><title>Privileges - Strolch</title><link href=/css/nucleus.css?1626091328 rel=stylesheet><link href=/css/fontawesome-all.min.css?1626091328 rel=stylesheet><link href=/css/hybrid.css?1626091328 rel=stylesheet><link href=/css/featherlight.min.css?1626091328 rel=stylesheet><link href=/css/perfect-scrollbar.min.css?1626091328 rel=stylesheet><link href=/css/auto-complete.css?1626091328 rel=stylesheet><link href=/css/atom-one-dark-reasonable.css?1626091328 rel=stylesheet><link href=/css/theme.css?1626091328 rel=stylesheet><link href=/css/hugo-theme.css?1626091328 rel=stylesheet><link href=/css/theme-green.css?1626091328 rel=stylesheet><script src=/js/jquery-3.3.1.min.js?1626091328></script><style>:root #header+#content>#left>#rlblock_left{display:none!important}</style></head><body data-url=/documentation/priviles/><nav id=sidebar><div id=header-wrapper><div id=header><a id=logo href=/><img src=/logo.png></a></div><div class=searchbox><label for=search-by><i class="fas fa-search"></i></label><input data-search-input id=search-by type=search placeholder=Search...>
<span data-search-clear><i class="fas fa-times"></i></span></div><script type=text/javascript src=/js/lunr.min.js?1626091328></script><script type=text/javascript src=/js/auto-complete.js?1626091328></script><script type=text/javascript>var baseurl="https:\/\/strolch.li\/";</script><script type=text/javascript src=/js/search.js?1626091328></script></div><section id=homelinks><ul><li><a class=padding href=/><i class="fas fa-home"></i>Home</a></li></ul></section><div class=highlightable><ul class=topics><li data-nav-id=/api/ title=API class=dd-item><a href=/api/>API</a></li><li data-nav-id=/history/ title=History class=dd-item><a href=/history/>History</a></li><li data-nav-id=/documentation/ title=Documentation class="dd-item
parent"><a href=/documentation/>Documentation</a><ul><li data-nav-id=/documentation/architecture/ title=Architecture class=dd-item><a href=/documentation/architecture/>Architecture</a></li><li data-nav-id=/documentation/model/ title=Model class=dd-item><a href=/documentation/model/>Model</a></li><li data-nav-id=/documentation/do-and-donts/ title="Do and Don't" class=dd-item><a href=/documentation/do-and-donts/>Do and Don't</a></li><li data-nav-id=/documentation/runtime-configuration/ title="Runtime Configuration" class=dd-item><a href=/documentation/runtime-configuration/>Runtime Configuration</a></li><li data-nav-id=/documentation/realms/ title=Realms class=dd-item><a href=/documentation/realms/>Realms</a></li><li data-nav-id=/documentation/components/ title=Components class=dd-item><a href=/documentation/components/>Components</a></li><li data-nav-id=/documentation/services-and-commands/ title="Services and Commands" class=dd-item><a href=/documentation/services-and-commands/>Services and Commands</a></li><li data-nav-id=/documentation/searches/ title=Searches class=dd-item><a href=/documentation/searches/>Searches</a></li><li data-nav-id=/documentation/queries/ title=Queries class=dd-item><a href=/documentation/queries/>Queries</a></li><li data-nav-id=/documentation/transactions/ title=Transactions class=dd-item><a href=/documentation/transactions/>Transactions</a></li><li data-nav-id=/documentation/policies/ title=Policies class=dd-item><a href=/documentation/policies/>Policies</a></li><li data-nav-id=/documentation/observers/ title=Observers class=dd-item><a href=/documentation/observers/>Observers</a></li><li data-nav-id=/documentation/versioning/ title=Versioning class=dd-item><a href=/documentation/versioning/>Versioning</a></li><li data-nav-id=/documentation/reports/ title=Reports class=dd-item><a href=/documentation/reports/>Reports</a></li><li data-nav-id=/documentation/priviles/ title=Privileges class="dd-item active"><a href=/documentation/priviles/>Privileges</a></li></ul></li><li data-nav-id=/plc/ title=PLC class=dd-item><a href=/plc/>PLC</a><ul><li data-nav-id=/plc/architecture/ title=Architecture class=dd-item><a href=/plc/architecture/>Architecture</a></li><li data-nav-id=/plc/example-set-up/ title="Example Set-Up" class=dd-item><a href=/plc/example-set-up/>Example Set-Up</a></li></ul></li><li data-nav-id=/tutorial/ title=Tutorial class=dd-item><a href=/tutorial/>Tutorial</a><ul><li data-nav-id=/tutorial/configuration/ title=Configuration class=dd-item><a href=/tutorial/configuration/>Configuration</a></li><li data-nav-id=/tutorial/model/ title=Model class=dd-item><a href=/tutorial/model/>Model</a></li><li data-nav-id=/tutorial/crud-book/ title="CRUD Book" class=dd-item><a href=/tutorial/crud-book/>CRUD Book</a></li></ul></li><li data-nav-id=/download/ title=Download class=dd-item><a href=/download/>Download</a></li><li data-nav-id=/development/ title=Development class=dd-item><a href=/development/>Development</a></li></ul><section id=shortcuts><h3>More</h3><ul><li><a class=padding href=https://strolch.li/tags><i class="fas fa-tags"></i>Tags</a></li><li><a class=padding href=https://github.com/strolch-li><i class="fab fa-github"></i>GitHub project</a></li></ul></section><section id=footer><p>Built with <a href=https://github.com/matcornic/hugo-theme-learn><i class="fas fa-heart"></i></a>from <a href=https://getgrav.org>Grav</a> and <a href=https://gohugo.io/>Hugo</a></p></section></div></nav><section id=body><div id=overlay></div><div class="padding highlightable"><div><div id=top-bar><div id=top-github-link><a class=github-link title="Edit this page" href=https://github.com/Pi4J/pi4j.github.io/tree/main/contentdocumentation/priviles.md target=blank><i class="fas fa-code-branch"></i><span id=top-github-link-text>Edit this page</span></a></div><div id=breadcrumbs itemscope itemtype=http://data-vocabulary.org/Breadcrumb><span id=sidebar-toggle-span><a href=# id=sidebar-toggle data-sidebar-toggle><i class="fas fa-bars"></i></a></span><span id=toc-menu><i class="fas fa-list-alt"></i></span><span class=links><a href=/>Strolch Overview</a> > <a href=/documentation/>Documentation</a> > Privileges</span></div><div class=progress><div class=wrapper><nav id=TableOfContents><ul><li><a href=#privileges>Privileges</a></li></ul></nav></div></div></div></div><div id=head-tags></div><div id=body-inner><h1>Privileges</h1><h2 id=privileges>Privileges</h2><p>No framework is complete without user management and privilege validation. The
basic form would be Users and Roles, and then validating that an authenticated
user has a given role. In Strolch we go a step further: A User has roles
assigned, and each role has a set of Privileges. The privileges can overlap, a
validation is performed to make sure that the one role doesn&rsquo;t deny and another
role allows a specific action.</p><p>As explained in
the <a href=/documentation/runtime-configuration.md>Privilege Configuration</a> section,
users are defined in the <code>PrivilegeUsers.xml</code> file, and roles are defined in the
<code>PrivilegeRoles.xml</code> file.</p><p>Let&rsquo;s assume the following user and role definition:</p><div class=highlight><pre style=color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4><code class=language-xml data-lang=xml><span style=color:#f92672>&lt;Users&gt;</span>
<span style=color:#f92672>&lt;User</span> <span style=color:#a6e22e>userId=</span><span style=color:#e6db74>&#34;1&#34;</span> <span style=color:#a6e22e>username=</span><span style=color:#e6db74>&#34;jill&#34;</span> <span style=color:#a6e22e>password=</span><span style=color:#e6db74>&#34;$PBKDF2WithHmacSHA512,10000,256$61646d696e$cb69962946617da006a2f95776d78b49e5ec7941d2bdb2d25cdb05f957f64344&#34;</span><span style=color:#f92672>&gt;</span>
<span style=color:#f92672>&lt;Firstname&gt;</span>Jill<span style=color:#f92672>&lt;/Firstname&gt;</span>
<span style=color:#f92672>&lt;Lastname&gt;</span>Someone<span style=color:#f92672>&lt;/Lastname&gt;</span>
<span style=color:#f92672>&lt;State&gt;</span>ENABLED<span style=color:#f92672>&lt;/State&gt;</span>
<span style=color:#f92672>&lt;Locale&gt;</span>en-GB<span style=color:#f92672>&lt;/Locale&gt;</span>
<span style=color:#f92672>&lt;Roles&gt;</span>
<span style=color:#f92672>&lt;Role&gt;</span>AppUser<span style=color:#f92672>&lt;/Role&gt;</span>
<span style=color:#f92672>&lt;/Roles&gt;</span>
<span style=color:#f92672>&lt;Properties&gt;</span>
<span style=color:#f92672>&lt;Property</span> <span style=color:#a6e22e>name=</span><span style=color:#e6db74>&#34;realm&#34;</span> <span style=color:#a6e22e>value=</span><span style=color:#e6db74>&#34;execution&#34;</span> <span style=color:#f92672>/&gt;</span>
<span style=color:#f92672>&lt;/Properties&gt;</span>
<span style=color:#f92672>&lt;/User&gt;</span>
<span style=color:#f92672>&lt;/Users&gt;</span>
</code></pre></div><div class=highlight><pre style=color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4><code class=language-xml data-lang=xml><span style=color:#f92672>&lt;Roles&gt;</span>
<span style=color:#f92672>&lt;Role</span> <span style=color:#a6e22e>name=</span><span style=color:#e6db74>&#34;AppUser&#34;</span><span style=color:#f92672>&gt;</span>
<span style=color:#f92672>&lt;Privilege</span> <span style=color:#a6e22e>name=</span><span style=color:#e6db74>&#34;li.strolch.service.api.Service&#34;</span> <span style=color:#a6e22e>policy=</span><span style=color:#e6db74>&#34;DefaultPrivilege&#34;</span><span style=color:#f92672>&gt;</span>
<span style=color:#f92672>&lt;AllAllowed&gt;</span>true<span style=color:#f92672>&lt;/AllAllowed&gt;</span>
<span style=color:#f92672>&lt;/Privilege&gt;</span>
<span style=color:#f92672>&lt;Privilege</span> <span style=color:#a6e22e>name=</span><span style=color:#e6db74>&#34;li.strolch.model.query.StrolchQuery&#34;</span> <span style=color:#a6e22e>policy=</span><span style=color:#e6db74>&#34;DefaultPrivilege&#34;</span><span style=color:#f92672>&gt;</span>
<span style=color:#f92672>&lt;AllAllowed&gt;</span>true<span style=color:#f92672>&lt;/AllAllowed&gt;</span>
<span style=color:#f92672>&lt;/Privilege&gt;</span>
<span style=color:#f92672>&lt;Privilege</span> <span style=color:#a6e22e>name=</span><span style=color:#e6db74>&#34;li.strolch.search.StrolchSearch&#34;</span> <span style=color:#a6e22e>policy=</span><span style=color:#e6db74>&#34;DefaultPrivilege&#34;</span><span style=color:#f92672>&gt;</span>
<span style=color:#f92672>&lt;AllAllowed&gt;</span>true<span style=color:#f92672>&lt;/AllAllowed&gt;</span>
<span style=color:#f92672>&lt;/Privilege&gt;</span>
<span style=color:#f92672>&lt;/Role&gt;</span>
<span style=color:#f92672>&lt;/Roles&gt;</span>
</code></pre></div><p>This configuration contains one user and one role. The user <code>jill</code> has the role
<code>AppUser</code> and the role <code>AppUser</code> has three privileges assigned.</p><p>Note how the user&rsquo;s password is configured similar to a unix password
definition: Using the dollar sign & first the hashing algorithm is configured (
algorithm, iterations, key length), then the salt, followed by the password
hash.</p><div class="notices tip"><p>Note: The password can also still be saved using two separate fields: a salt and
password field. This configuration will be immediately changed to the unix form,
so won&rsquo;t be described further here.</p></div><p>Further a user always has a firstname and last name. Optionally a locale can be
set, otherwise the system locale is used. The user&rsquo;s state must be defined as
one of <code>NEW</code>, <code>ENABLED</code>, <code>DISABLED</code>, <code>EXPIRED</code> or <code>SYSTEM</code>. A user can only
authenticate/login with the state <code>ENABLED</code>. A user can have any number of
properties, which can then be used at runtime. A user can also reference any
number of roles, the assigned privilege can overlap, a global configuration mode
defines how duplicate privileges are handled.</p><p>Roles have a name and any number of <code>Privilege</code> definitions. A Privilege has a
name, which in many cases is the name of Java class/interface on which an action
is being invoked. The <code>policy</code> value defines which policy to use when evaluating
the privilege access. The privilege definition is defined in the
<code>PrivilegeConfig.xml</code> and is the name of a class to call for privilege validation.</p><p>Further the privilege definitions can have a <code>AllAllowed</code> boolean flag, or any
number of Allow or Deny values. How these values are interpreted is defined in
the policy implementation. A policy takes three input parameters:</p><ul><li><code>PrivilegeContext</code> → supplied by privilege and gives access to the Certificate,
thus identifying the user for which privilege access is to be validated.</li><li><code>IPrivilege</code> → Contains the privilege values: <code>AllAllowed</code>, <code>Allow</code> and <code>Deny</code></li><li><code>Restrictable</code> → An interface from which the privilege name is retrieved, and
the associated value. The value is an object, and is cast to the relevant
input in the concrete privilege policy.</li></ul><p>The following privilege policies are already implemented:</p><ul><li><code>DefaultPrivilege</code> → simple policy where the passed <code>Restrictable</code> is expected to
return a String value, which is compared with allow and deny values.</li><li>Internal: <code>RoleAccessPrivilege</code> → policy used for the internal privileges
<code>PrivilegeGetRole</code>, <code>PrivilegeAddRole</code>, <code>PrivilegeModifyRole</code> or <code>PrivilegeModifyRole</code></li><li>Internal: <code>UserAccessPrivilege</code> → policy used for the internal privileges
<code>PrivilegeGetUser</code>, <code>PrivilegeAddUser</code>, <code>PrivilegeRemoveUser</code>, <code>PrivilegeModifyUser</code>,
<code>PrivilegeAddRoleToUser</code>, <code>PrivilegeRemoveRoleFromUser</code>, <code>PrivilegeSetUserState</code>,
<code>PrivilegeSetUserLocale</code> or <code>PrivilegeSetUserPassword</code></li><li>Internal: <code>UserAccessWithSameOrganisationPrivilege</code> → Same as the
<code>UserAccessPrivilege</code> but expects the authenticated user to have a property
<code>organisation</code> and validates that the user being modified is in the same
organisation.</li><li>Internal: <code>UsernameFromCertificatePrivilege</code> → This policy expects a
<code>Restrictable</code> to return the <code>certificate</code> of another authenticated user and is
used when modifying an authenticated user, i.e. killing a session, or
modifying its current state, e.g. locale etc.</li><li>Internal: <code>UsernameFromCertificateWithSameOrganisationPrivilege</code> → Same as
<code>UsernameFromCertificatePrivilege</code> but expects the authenticated user to have a
property <code>organisation</code> and validates that the user being modified is in the
same organisation.</li></ul><div class="notices tip"><p>Note: As a rule, the sequence is <code>AllAllowed → Allow → Deny → default deny</code></p></div><footer class=footline></footer></div></div><div id=navigation><a class="nav nav-prev" href=/documentation/reports/ title=Reports><i class="fa fa-chevron-left"></i></a><a class="nav nav-next" href=/plc/ title=PLC style=margin-right:0><i class="fa fa-chevron-right"></i></a></div></section><div style=left:-1000px;overflow:scroll;position:absolute;top:-1000px;border:none;box-sizing:content-box;height:200px;margin:0;padding:0;width:200px><div style=border:none;box-sizing:content-box;height:200px;margin:0;padding:0;width:200px></div></div><script src=/js/clipboard.min.js?1626091328></script><script src=/js/perfect-scrollbar.min.js?1626091328></script><script src=/js/perfect-scrollbar.jquery.min.js?1626091328></script><script src=/js/jquery.sticky.js?1626091328></script><script src=/js/featherlight.min.js?1626091328></script><script src=/js/highlight.pack.js?1626091328></script><script>hljs.initHighlightingOnLoad();</script><script src=/js/modernizr.custom-3.6.0.js?1626091328></script><script src=/js/learn.js?1626091328></script><script src=/js/hugo-learn.js?1626091328></script><script src=/mermaid/mermaid.js?1626091328></script><script>mermaid.initialize({startOnLoad:true});</script></body></html>
Reference in New Issue View Git Blame Copy Permalink