First assumption is that authorization and authentication of the end user will happen at different ends:
- Monolith will guard authentication of the incoming HTTP requests
- Live Editor Service will receive HTTP requests that contain identification of the user (JWT token)
- Live Editor will perform authentication based on JWT token data
- Live Editor will perform authorization for the user requests based on its ACL configuration
- Searchlight will own the permission of the so-called "Administrator" - the user that will grant access to other users
See sequence diagram.
- Only a Searchlight-authenticated user will be able to make calls to the Live Editor service
- Only the configured list of users (in Live Editor) will be able to perform changes
- Live Editor will process only requests with a validly signed JWT token
- A validly signed JWT token will be created only with the valid JWT secret
- Only the production system (monolith) should have access to the valid JWT secret for the prod env
- This solution supports role separation + domain control: a user may be PUBLISHER but he/she may publish only to its configured domains
POC configured with 3 users:
- User 1 has ROLE_PUBLISHER for domains conductor.com and apple.com
- User 2 has ROLE_PUBLISHER for apple.com
- User 3 has ROLE_ADMIN for conductor.com, apple.com and example.com
Application has configured domains (web properties). Roles are assigned to domains. Domains have Changes. Each Change inherits permissions from its domain.
- make sure you have MySQL running on your localhost:3306
- start the application:
mvn spring-boot:run
- after the application is started, get an authentication token (ideally Monolith will generate it based on the authenticated user); authenticate 3 users (generate 3 JWT tokens):
USER1=$(curl -X POST "http://localhost:8081/authenticate" -d '{"user":1}' -H "Content-Type: application/json")
USER2=$(curl -X POST "http://localhost:8081/authenticate" -d '{"user":2}' -H "Content-Type: application/json")
USER3=$(curl -X POST "http://localhost:8081/authenticate" -d '{"user":3}' -H "Content-Type: application/json")
- using the previously generated JWT tokens, check that each user has different visibility (according to ACL configuration) for the Domain Changes
User 3 can see changes for domains conductor.com, apple.com and example.com
curl -X GET "http://localhost:8081/changes" -H "Authorization:$USER3"
User 2 can see changes only for domain conductor.com
curl -X GET "http://localhost:8081/changes" -H "Authorization:$USER2"
User 1 can see changes for domains conductor.com and apple.com
curl -X GET "http://localhost:8081/changes" -H "Authorization:$USER1"
and can publish new changes to one of those domains
curl -X POST "http://localhost:8081/changes" -d '{"id":33,"changeContent": "new change","webProperty": {"id": 3,"name": "conductor.com"}}' -H "Content-Type: application/json" -H "Authorization:$USER1"
however cannot publish to example.com
curl -X POST "http://localhost:8081/changes" -d '{"id": 34,"changeContent": "new change","webProperty": {"id": 1,"name": "example.com"}}' -H "Content-Type: application/json" -H "Authorization:$USER1"
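The two halves of the scheme above (the monolith's token issuance and the Live Editor's signature check followed by the per-domain ACL lookup) as an added Python example; this is not the POC's own Java code, and the shared secret, the user-to-role table and the `user`/`exp` claim layout are assumptions mirroring the three configured users:

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed ACL mirroring the POC's three users: user id -> {domain: role}
ACL = {
    1: {"conductor.com": "ROLE_PUBLISHER", "apple.com": "ROLE_PUBLISHER"},
    2: {"apple.com": "ROLE_PUBLISHER"},
    3: {"conductor.com": "ROLE_ADMIN", "apple.com": "ROLE_ADMIN", "example.com": "ROLE_ADMIN"},
}
WRITE_ROLES = {"ROLE_PUBLISHER", "ROLE_ADMIN"}  # roles allowed to publish a Change

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user_id: int, secret: bytes, ttl: int = 3600) -> str:
    """Monolith side (/authenticate): sign the user's identity with HS256 and the shared secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"user": user_id, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def authenticate(token: str, secret: bytes) -> Optional[int]:
    """Live Editor side: return the user id only for an unexpired token whose HS256 signature verifies."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # refuse 'none' or any algorithm other than the one we issue
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # signature mismatch: not minted with the valid JWT secret
        payload = json.loads(_b64url_decode(payload_b64))
        if payload.get("exp", 0) < time.time():
            return None
        return int(payload["user"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # malformed token is treated as unauthenticated

def visible_domains(user_id: int) -> set:
    """Authorization: a user sees the Changes of every domain on which a role is assigned to them."""
    return set(ACL.get(user_id, {}))

def can_publish(user_id: int, domain: str) -> bool:
    """A Change inherits its domain's permissions: publishing needs a write role on that domain."""
    return ACL.get(user_id, {}).get(domain) in WRITE_ROLES
```

A token whose payload is swapped for another user's, or that is signed with a different secret, fails `authenticate` before any ACL lookup happens, which is the property the "only the monolith holds the prod secret" assumption relies on.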