Spring security configuration with roles and permission - spring-security

I am using Spring Security in my project.
I have users like Admin (ROLE_ADMIN), Manager (ROLE_MANAGER), and User (ROLE_USER). Each has roles and permissions.
Admin has all permissions, the manager has Add, Edit, and View, and the user has Add and View.
I want to configure authorization based on permissions, not on roles.
Page A: Only admin and manager can access it, and they need the Add, View, and Edit permissions.
Page B: All users can access this page, but they need Add and View.
Here the user can easily access Page A because they have the "add" and "view" permissions.
I did the following things in my provider implementation:
Get the user role.
Get permissions based on the role.
Put all the permissions in the list of GrantedAuthority.
Should I put all permissions along with the role in the GrantedAuthority list?
Could you please give me a suggestion for the configuration part?
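One way to set this up, as an added example that is not part of the question or of any posted answer: the provider grants each user a ROLE_* authority plus its permission authorities, and the request rules for Page A combine a role check with permission checks, so a ROLE_USER holding ADD and VIEW still cannot reach Page A. It assumes Spring Security 6 (Spring Boot 3); the usernames, "{noop}" demo passwords and the /pageA and /pageB paths are constructed for the example.

```java
// Added example, not from the question: Spring Security 6 configuration that
// grants a ROLE_* authority plus permission authorities, then authorises
// Page A by role AND permission. Users, passwords and paths are constructed.
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager;

@Configuration
@EnableWebSecurity
public class PermissionSecurityConfig {

    // Role -> permissions exactly as the question lists them. A real provider
    // loads this from the database; a constant keeps the example self-contained.
    private static final Map<String, Set<String>> PERMISSIONS_BY_ROLE = Map.of(
            "ROLE_ADMIN",   Set.of("ADD", "EDIT", "VIEW"),
            "ROLE_MANAGER", Set.of("ADD", "EDIT", "VIEW"),
            "ROLE_USER",    Set.of("ADD", "VIEW"));

    // Constructed sample accounts: username -> role.
    private static final Map<String, String> ROLE_BY_USER = Map.of(
            "admin", "ROLE_ADMIN",
            "manager", "ROLE_MANAGER",
            "user", "ROLE_USER");

    // The GrantedAuthority list carries the role itself AND each permission.
    // hasRole('ADMIN') matches the ROLE_ADMIN entry; hasAuthority('EDIT')
    // matches a permission entry. Keeping both lets one rule combine them.
    static List<GrantedAuthority> authoritiesFor(String role) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        authorities.add(new SimpleGrantedAuthority(role));
        for (String permission : PERMISSIONS_BY_ROLE.getOrDefault(role, Set.of())) {
            authorities.add(new SimpleGrantedAuthority(permission));
        }
        return authorities;
    }

    @Bean
    UserDetailsService userDetailsService() {
        return username -> {
            String role = ROLE_BY_USER.get(username);
            if (role == null) {
                throw new UsernameNotFoundException(username);
            }
            // "{noop}" stores the demo password in clear text; a real user
            // store holds passwords encoded by a PasswordEncoder.
            return User.withUsername(username)
                    .password("{noop}" + username + "-password")
                    .authorities(authoritiesFor(role))
                    .build();
        };
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Page A: admin or manager only, and they must hold ADD, VIEW and EDIT.
                .requestMatchers("/pageA/**").access(new WebExpressionAuthorizationManager(
                        "hasAnyRole('ADMIN','MANAGER') and hasAuthority('ADD') "
                        + "and hasAuthority('VIEW') and hasAuthority('EDIT')"))
                // Page B: any authenticated role, but ADD and VIEW are required.
                .requestMatchers("/pageB/**").access(new WebExpressionAuthorizationManager(
                        "hasAuthority('ADD') and hasAuthority('VIEW')"))
                .anyRequest().authenticated())
            .formLogin(form -> form.permitAll());
        return http.build();
    }
}
```

The point of keeping the ROLE_* entry alongside the permissions is that the Page A rule can say "this role, and these permissions" in one expression; a rule that checks permissions alone is exactly what lets the user role through, as the question observes.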

Related

As administrator, get access token on behalf of another user

I'm trying to implement IdentityServer4. We need the functionality to log in as another user when we're administrators.
I've already set up the login functionality for regular users, but I'd like a specific endpoint where an administrator can enter the username/id of a regular user.
How would one go about implementing this in IdentityServer4, as well as in regular OAuth2?
This is outside the scope of OIDC/OAuth2 interactions, but there are some conventions for how to represent such a scenario in the resulting token/claims. Have a read of https://www.rfc-editor.org/rfc/rfc8693 (in particular the act claim bits) for some inspiration.
We did this via the sign-in UI flow, but the model was that users could grant other users impersonation permissions explicitly. If, when signing in, you had valid impersonation grants, then you'd be prompted as part of the sign-in flow to choose a different account or continue as yourself. In your case you can identify admin users and give them the option to impersonate anyone you like.
If the user chooses an impersonatee, then it would change the current session to represent that user but also store claims relating to the original user/session in the actor claim (act) and also add an amr claim of imp. We then made these claims available to clients so that they'd be aware of the fact that impersonation was used and could then, for example, add that info to audit logs etc. We also notify the impersonated user via email and restrict access to account settings, i.e. impersonators can only sign into clients as other users; they cannot change their account settings.
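The client-side half of what the answer describes, as an added example that is not part of the answer: a helper that reads the RFC 8693 "act" claim (which may nest, act.act..., for delegation chains) and the "amr" claim from already-validated token claims and produces an audit record naming both the effective subject and the impersonating actor. The claims map is constructed; a real client takes it from its JWT/OIDC library after signature validation. The "imp" value is the answerer's own convention, not a registered amr value, and Java 17 is assumed for records and pattern matching.

```java
// Added example, not from the answer: derive an audit entry from the
// "sub", "act" and "amr" claims of an already-validated token.
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public final class ImpersonationAudit {

    public record AuditEntry(String subject, List<String> actorChain, boolean impersonated) { }

    // Walk the (possibly nested) "act" claim. RFC 8693 allows act.act.act...
    // for delegation chains; the outermost "act" is the most recent actor.
    static List<String> actorChain(Map<String, Object> claims) {
        List<String> chain = new ArrayList<>();
        Object act = claims.get("act");
        while (act instanceof Map<?, ?> actor) {
            Object sub = actor.get("sub");
            if (sub != null) {
                chain.add(sub.toString());
            }
            act = actor.get("act");
        }
        return chain;
    }

    // True when the "amr" claim lists the given authentication method.
    static boolean hasAmr(Map<String, Object> claims, String method) {
        Object amr = claims.get("amr");
        return amr instanceof List<?> methods && methods.contains(method);
    }

    // Treat the session as impersonated if either signal is present, so a
    // token carrying only an "act" claim is still flagged in the audit log.
    public static AuditEntry audit(Map<String, Object> claims) {
        List<String> chain = actorChain(claims);
        boolean impersonated = hasAmr(claims, "imp") || !chain.isEmpty();
        return new AuditEntry(String.valueOf(claims.get("sub")), chain, impersonated);
    }

    public static void main(String[] args) {
        // Constructed claims: admin-7 signed in and then chose to act as user-42.
        Map<String, Object> claims = Map.of(
                "sub", "user-42",
                "amr", List.of("pwd", "imp"),
                "act", Map.of("sub", "admin-7"));
        AuditEntry entry = audit(claims);
        // Log both identities; the resource server authorises as "sub" but
        // records who was really at the keyboard.
        System.out.println("subject=" + entry.subject()
                + " actors=" + entry.actorChain()
                + " impersonated=" + entry.impersonated());
    }
}
```

The audit entry is derived from the token alone, so every client that receives the claims can record the actor chain without calling back to the identity provider.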

Edit user profile with delegated permission in native app. Which fields are editable?

Scenario: Native app with a user (user role) present, including a user profile page allowing the user to update his profile.
Azure AD v2.0 endpoint used & app registration done accordingly. The app is used by many tenants, therefore we have the admin consent flow included in the app's sign-up flow.
Account Types: Work & School Account
Admin consented scopes (delegated permission per tenant on registered app):
User.ReadWrite
Directory.AccessAsUser.All (Admin Only)
Directory.ReadWrite.All (Admin Only)
User.ReadWrite.All (Admin Only)
From the documentation:
User permission
User.ReadWrite and User.ReadWrite.All delegated permissions allow the app to update the following profile properties for work or school accounts:
aboutMe
birthday
hireDate
interests
mobilePhone
mySite
pastProjects
photo
preferredName
responsibilities
schools
skills
Question 1: Did we understand the terms and documentation correctly?
Question 2: What about other user fields not in this list? Is there no Graph scenario at all to change them? The documentation is a bit unclear as to whether it is possible with user delegated rights, only with application delegated rights, or not possible at all.
Concrete:
Job Title? Can a user with delegated permission ever update this field, or do we need application permission to do so?
User Profile Photo? Can a user with delegated permission update his/her own profile picture, or do we need application permission to do so?
The next sentence after that list you referenced from the documentation explains this:
With the User.ReadWrite.All application permission, the app can update all of the declared properties of work or school accounts except for password.
So yes, you can only update the full set of user properties using Application permissions (aka the Client_Credentials flow).

MVC 5 Windows Authentication logic

I am trying to understand how to create an MVC5 website with Active Directory authentication. I also want to manage users. So for this I created a simple project in VS2013 and selected "Windows Authentication". When I run the application I get an authentication popup to enter the AD username and password. After that it says on the top right "Hello AD/UserName!".
But I am not seeing the logic where it actually calls for authentication. Also, I want to save a few AD users to a database and allow only them to log in to the website. How can I do this? Also, how will my other web pages know whether the user is already authenticated? Thank You.
One Approach-
Instead of selecting 'Windows Authentication', you choose 'Anonymous' (I don't remember the exact word here).
Implement logic to authenticate the user against Active Directory. Once the user is authenticated, store that user object in the 'User' property of the current context so that you can access it and authorise the user in subsequent requests.
As you are aware, AD can only authenticate a user against it. Providing access to a few of them is the authorisation part, which we need to handle as part of our application. Since you want to enable access to the website for a few people of AD, what you can do is add those users in your application's database and allow authorisation to those only.

Struts2 + Tiles integration with role-based menus

In my web app, I need to use Struts2 Tiles for role-based access.
I have admin, agent, manager and user roles.
Based on the person logged in, I need to show him the extra links in the menu.
After logging in as a user, if I try to browse the admin link directly in the browser, it should not allow the user.
If I have admin logged in and in the tiles definition I use role="admin" for an attribute, how does Tiles know that admin has logged in? Where does it check for those roles?
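Where the role check lands, as an added example that is not part of the question or of any posted answer: Tiles evaluates the role attribute of a definition or put-attribute through HttpServletRequest.isUserInRole(), and Struts2's roles interceptor asks the same method. A servlet filter can wrap the request so that answer comes from the application's own session-held roles, and the same filter can refuse direct navigation to admin URLs. The session attribute name "app.roles" and the /admin/ URL prefix are constructed for this example; it assumes the login action stores the logged-in user's roles as a Set of strings under that key, and it uses the javax.servlet API of the Struts2 era.

```java
// Added example, not from the question: a filter that makes application
// roles visible through isUserInRole(), which the Tiles "role" attribute and
// the Struts2 "roles" interceptor consult, and that blocks /admin/ URLs for
// non-admins. "app.roles" and "/admin/" are constructed names.
import java.io.IOException;
import java.util.Collections;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionRoleFilter implements Filter {

    // Hypothetical session key that the login action fills with the user's roles.
    static final String ROLES_ATTRIBUTE = "app.roles";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        Set<String> roles = rolesFromSession(request.getSession(false));
        HttpServletRequest wrapped = new RoleAwareRequest(request, roles);

        // Enforce on the server, not only in the menu: a user typing an admin
        // URL directly is refused here before any action or tile renders.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        if (path.startsWith("/admin/") && !wrapped.isUserInRole("admin")) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(wrapped, response);
    }

    // Roles are absent (empty set) when there is no session or no login yet.
    @SuppressWarnings("unchecked")
    static Set<String> rolesFromSession(HttpSession session) {
        if (session == null) {
            return Collections.emptySet();
        }
        Object roles = session.getAttribute(ROLES_ATTRIBUTE);
        return roles instanceof Set ? (Set<String>) roles : Collections.emptySet();
    }

    // Wrapper that answers isUserInRole() from the session-held roles, so
    // role="admin" in tiles.xml and <interceptor-ref name="roles"> see the
    // application's role assignment instead of the container's realm.
    static final class RoleAwareRequest extends HttpServletRequestWrapper {
        private final Set<String> roles;

        RoleAwareRequest(HttpServletRequest request, Set<String> roles) {
            super(request);
            this.roles = roles;
        }

        @Override
        public boolean isUserInRole(String role) {
            return roles.contains(role);
        }
    }
}
```

Map the filter in web.xml ahead of the Struts2 filter so that every action, interceptor and tile downstream sees the wrapped request; the menu then hides links by role and the filter refuses the URL even when the link is typed by hand.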

Devise how to allow logged user to sign up another user

I want to be able to sign up a new user even if I am logged in.
Right now, if I click "sign up" while logged in, the registration form will not show up. Instead, the error message will say "you are already signed in".
I want to allow a user (admin) to add new users to the system.
Create a UsersController and authenticate the user as admin. Then in the new and create actions of the controller, you can put your user creation logic. And copy the content of the views/devise/registration/new.html.erb file to views/users/new.html.erb.
Expanded answer:
You can create a role table if there are more than two roles to manage. That will make it easy to manage them. Maybe you can use the cancan and rolify gems to manage scope for a role if needed.
And if there are only two roles (Admin and other/normal users), then you can add a boolean column admin in the users table.