Monday, March 21, 2016

User management in AdroitLogic IPS (Integration Platform as a Service)

AdroitLogic Integration Platform as a Service (IPS) is the solution for deploying UltraESB as a service in a private or public cloud environment. This post describes how user management is addressed in the current solution.

JWT based Authentication

Authentication in the application is based on JWT tokens. The following diagram shows the main authentication flow of the application.

[Diagram: Authentication flow]

1. Receive the username and password from the web interface on user login
2. Authenticate the user against the Shiro realm (an LDAP realm is supported)
3. The LDAP server reports successful authentication
4. Create a JWT token including the following claims:
    - username, user_permissions, user_ldap_groups, issuer (configurable), expiration_date (configurable)
5. Sign this JWS token with the specified Message Authentication Code (MAC) signer using a shared key
6. Encrypt the token with Base64 using a hash key
7. Save the encrypted token against the username in the Redis cache (this avoids disk access later during token validation)
8. Return the encrypted token to the user

After a user obtains a valid token at the first login, the same token can be used on subsequent logins until it expires. The following diagram shows the authentication flow when a user request arrives with a JWT token.

[Diagram: Authentication with token]

1. The request is filtered by JWTAuthorizationFilter.
2. The JWT token is extracted from the AUTHORIZATION header.
3. The token is verified: it must not be expired and must match the token the application issued earlier (it is first compared with the token saved in the cache).
4. The token is decrypted.
5. The token values are fed into an AuthDataContainer object (this information is used throughout the application for authorization purposes and is valid only for one session).
6. Authentication success is returned to the user.
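The two flows above, as an added example that is not part of the original post or the IPS code base. It implements steps 4, 5, 7 and 8 of the login flow (claims, HMAC-SHA256 signing with a shared key, caching by username) and steps 2 to 5 of the token flow (header extraction, signature, expiry and cache comparison). The step described as "encrypt with Base64" is not reproduced: Base64 is an encoding and gives no confidentiality, so the example keeps the claims signed but readable, which is what a plain JWS provides. The issuer name, the TTL, the use of the `Bearer` scheme in the AUTHORIZATION header, the dict standing in for Redis and the shared key are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example; in a deployment these come from configuration.
SHARED_KEY = b"demo-shared-key-not-for-production"   # the MAC signer's shared key
ISSUER = "ips-demo"                                   # assumed issuer name (configurable)
TOKEN_TTL_SECONDS = 3600                              # assumed expiry window (configurable)

# Stand-in for the Redis cache keyed by username (constructed, in-memory).
TOKEN_CACHE = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username, permissions, ldap_groups, now=None):
    """Login flow steps 4, 5, 7: build the claims, sign them as a JWS with
    HMAC-SHA256 (alg HS256) under the shared key, and cache the token by username."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "username": username,
        "user_permissions": sorted(permissions),
        "user_ldap_groups": sorted(ldap_groups),
        "issuer": ISSUER,
        "expiration_date": now + TOKEN_TTL_SECONDS,
    }
    compact = json.dumps(header, separators=(",", ":")).encode() 
    signing_input = _b64url(compact) + "." + _b64url(
        json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SHARED_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    token = signing_input + "." + _b64url(sig)
    TOKEN_CACHE[username] = token   # a new login replaces the user's cached token
    return token


def extract_bearer(authorization_header):
    """Token flow step 2: pull the token out of the AUTHORIZATION header value
    (assumes the 'Bearer <token>' scheme)."""
    parts = (authorization_header or "").split(None, 1)
    if len(parts) == 2 and parts[0].lower() == "bearer":
        return parts[1].strip()
    return None


def verify_token(token, now=None):
    """Token flow steps 3-5: check the MAC, the algorithm, the issuer, the expiry and
    the cached copy. Returns the claims (the AuthDataContainer contents) or None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        expected = hmac.new(SHARED_KEY, f"{header_b64}.{claims_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        # Constant-time comparison so signature checking does not leak timing.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
    except (ValueError, TypeError):
        return None          # malformed token, bad padding, or invalid JSON
    if header.get("alg") != "HS256" or claims.get("issuer") != ISSUER:
        return None          # the server pins the algorithm; never trust the header
    if now >= int(claims.get("expiration_date", 0)):
        return None          # expired
    # The post compares the presented token with the one cached for the user,
    # so a token that was never issued, or was replaced by a newer login, is rejected.
    cached = TOKEN_CACHE.get(claims.get("username"))
    if cached is None or not hmac.compare_digest(cached, token):
        return None
    return claims
```

Pinning the algorithm server-side and checking the cached copy are the two checks that matter most here: the first stops a client-chosen `alg` from being honoured, the second means a stolen token stops working as soon as the user logs in again.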

LDAP Groups, ROLEs and Permissions

Every project defined in the IPS has collaborators/users, and each of these users belongs to a specific LDAP GROUP. Each LDAP group has a set of ROLES defined by the admin, and the permissions belonging to each ROLE are also defined by the admin. The following diagram shows the relationship between Clusters, Projects, LDAP_Groups, Roles and Permissions.

[Diagram: Permission model]

Fine grained authorization with Apache Shiro

Each action in the application has a defined permission. Any user who needs to access a resource or perform an action on a resource must have that particular permission defined in one of his ROLEs.

Create a ROLE

The admin of the application can create new ROLEs as required and assign permissions to them as shown below. Permissions are categorized into 8 groups for convenience. A user gets the union of the permissions belonging to all of his ROLEs.

[Screenshot: Create a new ROLE]

[Screenshot: List Roles]

Create an LDAP_GROUP

An LDAP group represents a group created in the real LDAP server, so the name of the LDAP group must match the group name in that server. You also need to define which ROLEs belong to this group, so that at login a user is given these roles according to his LDAP group.

[Screenshot: Create a new LDAP Group]

[Screenshot: List existing LDAP groups]
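The permission model described in the last three sections (LDAP group to ROLEs to permissions, with a user receiving the union of the permissions of all his roles), as an added example that is not part of the original post or the IPS code base. The group names, role names and permission strings are constructed; the post mentions 8 permission categories but does not list them. The wildcard matching in `implies` is a re-implementation of Apache Shiro's WildcardPermission semantics added here for illustration, not code taken from Shiro or from IPS.

```python
# Constructed admin configuration: each ROLE maps to a permission set and each
# LDAP group (named exactly as in the LDAP server) maps to a set of ROLEs.
ROLE_PERMISSIONS = {
    "developer": {"project:view", "project:deploy"},
    "operator": {"cluster:view", "cluster:restart"},
    "viewer": {"project:view", "cluster:view"},
}
GROUP_ROLES = {
    "cn=dev,ou=groups,dc=example,dc=com": {"developer"},
    "cn=ops,ou=groups,dc=example,dc=com": {"operator", "viewer"},
}


def resolve_roles(ldap_groups, group_roles=GROUP_ROLES):
    """Roles assigned at login from the user's LDAP groups. Unknown groups
    contribute nothing, so a group the admin never configured grants no role."""
    roles = set()
    for group in ldap_groups:
        roles |= group_roles.get(group, set())
    return roles


def resolve_permissions(ldap_groups, group_roles=GROUP_ROLES,
                        role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions of every role of every LDAP group the user is in.
    This is the user_permissions claim that goes into the token."""
    perms = set()
    for role in resolve_roles(ldap_groups, group_roles):
        perms |= role_permissions.get(role, set())
    return perms


def implies(held, required):
    """Shiro-style wildcard check: 'project:*' implies 'project:deploy',
    'project' (shorter) implies 'project:deploy', and 'project:view' does not
    imply 'project:deploy'. Parts are colon-separated, sub-parts comma-separated."""
    h = [set(p.split(",")) for p in held.lower().split(":")]
    r = [set(p.split(",")) for p in required.lower().split(":")]
    for i, rp in enumerate(r):
        if i >= len(h):
            return True          # held has fewer parts: trailing parts are implied
        if "*" not in h[i] and not rp <= h[i]:
            return False
    # held has more parts than required: the extra parts must all be wildcards
    return all("*" in hp for hp in h[len(r):])


def is_permitted(permissions, required):
    """The per-action check: allowed only if some held permission implies it."""
    return any(implies(held, required) for held in permissions)


def check_access(ldap_groups, required):
    """Convenience wrapper: resolve a user's permissions from his LDAP groups
    and decide whether the action is allowed. Defaults to deny."""
    return is_permitted(resolve_permissions(ldap_groups), required)
```

Because the union is computed from admin-defined tables and every lookup falls back to the empty set, a misspelled group or role name fails closed rather than granting access.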
