Protect oxTrust apis by UMA #803

Open
yurem opened this Issue Jan 2, 2018 · 2 comments

@yurem
Contributor

yurem commented Jan 2, 2018

  1. oxTrust already uses UMA to protect the SCIM and Passport endpoints. We refactored the UMA services some time ago, and now both endpoints use the same services. For /apis we only need to implement a new class like this ScimUmaProtectionService.

  2. We need to add a filter like this. It should intercept all calls to /restv1/apis and call the UMA RPT validation API. This should protect all /apis endpoints. Later we need to move the SCIM and Passport UMA validation from the endpoints into this filter too.

  3. For each /apis/group_id like /apis/saml we need to register a UMA resource with a few scopes like:
    https://(domain name)/auth/oxtrust.allow-saml-config-all

  4. In AuthenticationFilter we need to check that the RPT is associated with the right resourceId and set the list of allowed RPT scopes in a request-scoped bean. Each oxTrust API endpoint should check that the required scope is in this bean before processing the request.

Instead of 2 and 4 we can use a more modern OOP/CDI-based solution like:

    @GET
    @Path("/read/{inum}")
    @Produces(MediaType.APPLICATION_JSON)
    @UmaSecure("#{umaPermissionService.hasScope('apis_saml', '/auth/oxtrust.allow-saml-config-all', '/auth/oxtrust.allow-saml-modify-all'...)}")
    public String read(@PathParam("inum") String inum, @Context HttpServletResponse response) ...

In this annotation's interceptor method we can get the Authorization header from the request, call the RPT endpoint to get the list of allowed permissions, validate them, and then allow or deny execution of the intercepted method.

In oxService there is an annotation @secure which you can use as a reference. I can write a prototype if needed.

@yurem yurem added this to the 3.2.0 milestone Jan 2, 2018
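As an added illustration of the CDI-based alternative to steps 2 and 4 above (example code, not oxTrust's own): a minimal interceptor binding that takes the bearer RPT from the Authorization header, asks an injected RptIntrospector for the permissions the RPT currently carries, and only lets the method run when at least one required scope was granted on the required resource. The UmaSecure annotation shape, the RptIntrospector interface (a hypothetical wrapper around the authorization server's RPT status endpoint) and the any-of scope rule are assumptions.

```java
import java.lang.annotation.*;
import java.util.*;
import javax.annotation.Priority;
import javax.enterprise.util.Nonbinding;
import javax.inject.Inject;
import javax.interceptor.*;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.NotAuthorizedException;

// Hypothetical wrapper around the AS RPT status (introspection) endpoint.
// Returns resourceId -> granted scopes for an active RPT; empty map if the RPT is inactive/expired.
interface RptIntrospector {
    Map<String, Set<String>> activePermissions(String rpt);
}

// Binding annotation: the UMA resource id and the scopes the endpoint needs (assumed shape).
@InterceptorBinding
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.METHOD, ElementType.TYPE})
@interface UmaSecure {
    @Nonbinding String resource() default "";
    @Nonbinding String[] scopes() default {};
}

@UmaSecure
@Interceptor
@Priority(Interceptor.Priority.APPLICATION)
public class UmaSecureInterceptor {
    @Inject HttpServletRequest request;   // current request (assumes a servlet container with CDI)
    @Inject RptIntrospector introspector; // hypothetical, see above

    @AroundInvoke
    public Object check(InvocationContext ctx) throws Exception {
        UmaSecure cfg = ctx.getMethod().getAnnotation(UmaSecure.class);
        if (cfg == null) throw new IllegalStateException("@UmaSecure must be placed on the method");
        String auth = request.getHeader("Authorization");
        if (auth == null || !auth.regionMatches(true, 0, "Bearer ", 0, 7)) {
            throw new NotAuthorizedException("Bearer"); // no RPT presented -> 401 with a challenge
        }
        String rpt = auth.substring(7).trim();
        // Inactive RPTs yield no permissions, so they fail the scope check below (-> 403).
        Set<String> granted = introspector.activePermissions(rpt)
                .getOrDefault(cfg.resource(), Collections.emptySet());
        if (!Arrays.stream(cfg.scopes()).anyMatch(granted::contains)) {
            throw new ForbiddenException("RPT lacks a required scope on " + cfg.resource());
        }
        return ctx.proceed(); // authorized: run the intercepted endpoint method
    }
}
```

An endpoint would then carry e.g. `@UmaSecure(resource = "apis_saml", scopes = {"/auth/oxtrust.allow-saml-config-all"})` instead of an inline check.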

@dmogn


Contributor

dmogn commented Jan 2, 2018

The related issue: #783

@yurem


Contributor

yurem commented Jan 3, 2018

After step #4 I added one solution which will make the permission-checking code smaller and very clear.

dmogn added a commit that referenced this issue Jan 15, 2018

dmogn added a commit that referenced this issue Jan 29, 2018

@yurem yurem assigned yurem and unassigned shekhar16 Feb 13, 2018

yurem added a commit that referenced this issue Feb 13, 2018

yurem added a commit that referenced this issue Feb 13, 2018

yurem added a commit that referenced this issue Feb 13, 2018
