Re: Authorisation with Syncope 2.x

2016-07-15 Thread Adrian Gonzalez
Fantastic answer, thanks Francesco!



Re: Authorisation with Syncope 2.x

2016-07-15 Thread Francesco Chicchiriccò

On 15/07/2016 17:51, Adrian Gonzalez wrote:

Hi Francesco,

That's it exactly.
I'm mapping Syncope roles -> Spring GrantedAuthorities for the moment
to authorize users to my services APIs.

Perhaps I should modify it and use Syncope groups instead


Roles are used to define and enforce delegated administration for the 
Syncope REST methods and admin console, they are not meant for external 
usage.


Waiting for the reference guide to be completed, you can find some notes 
about the internal security model in Syncope 2.0 at


https://cwiki.apache.org/confluence/display/SYNCOPE/%5BDISCUSS%5D+Realms#id-[DISCUSS]Realms-Newsecuritymodel

as the information you report below is instead applying to Syncope 1.X.


One day maybe Syncope will provide complete privilege management 
features, but for the moment I would suggest that you:


A. In Syncope

 1. define an enum multi-value schema on Syncope - say "privilege", 
where possible values are all the privileges you want to manage - so 
"photo.read", "photo.update", etc


 2. assign such "privilege" schema to the GROUP type, via some any type 
class


 3. create some groups, where you can set one or more privileges

 4. assign users to groups


At this point, in your application Spring-Security classes, you can 
grant, to a given user, all the authorities corresponding to the 
"privilege" values owned by the groups such a user is assigned to.


For example:

 * if group G1 has privilege values ["photo.read"] and group G2 has 
privilege values ["photo.create", "photo.update"]

 * if user U1 is in G1 and user U2 is in G2

you can grant "photo.read" to U1 and "photo.read", "photo.create", 
"photo.update" to U2


I hope it is clear.
Regards.



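The application side of the four steps above, as an added example (this is not code from the thread, nor from the Syncope project): a Java class that maps the "privilege" values of the groups a user belongs to onto Spring Security authorities, as Francesco describes. The Syncope side (the enum multi-value "privilege" schema attached to the GROUP type, groups carrying values, users in groups) is done in Syncope as listed and is not shown; the memberships and the group attribute values are assumed to have been read from Syncope's REST API already and are passed in as plain collections. The class name, the appPrefix parameter and the sample data are assumptions of this example.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Pattern;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/**
 * Turns the "privilege" values carried by a user's Syncope groups into Spring
 * Security authorities (the application side of the scheme in the thread).
 *
 * The memberships and the group attribute values are passed in as plain Java
 * collections: they stand in for what the application reads from Syncope's
 * REST API; how they are fetched is assumed, not shown (example code only).
 */
public final class SyncopePrivilegeMapper {

    /** Shape of an accepted privilege value, e.g. "photo.read"; anything else is dropped. */
    private static final Pattern PRIVILEGE_SHAPE =
            Pattern.compile("^[a-z][a-z0-9]*(\\.[a-z][a-z0-9]*)+$");

    private SyncopePrivilegeMapper() {
    }

    /**
     * @param appPrefix       namespace this application owns, e.g. "photo.": values of other
     *                        applications sharing the same "privilege" schema are not granted here
     * @param memberships     keys of the groups the user is a member of
     * @param groupPrivileges group key -> values of the group's multi-valued "privilege" attribute
     * @return distinct, sorted authorities named exactly like the privilege values
     */
    public static Set<GrantedAuthority> authoritiesFor(
            final String appPrefix,
            final Collection<String> memberships,
            final Map<String, List<String>> groupPrivileges) {

        Set<String> privileges = new TreeSet<>();
        for (String groupKey : memberships) {
            List<String> values = groupPrivileges.get(groupKey);
            if (values == null) {
                continue; // a group without a "privilege" attribute grants nothing
            }
            for (String value : values) {
                // only well-formed values under this application's namespace are granted;
                // the union of what the groups actually carry is granted, nothing is implied
                if (value.startsWith(appPrefix) && PRIVILEGE_SHAPE.matcher(value).matches()) {
                    privileges.add(value);
                }
            }
        }

        Set<GrantedAuthority> authorities = new LinkedHashSet<>();
        for (String privilege : privileges) {
            authorities.add(new SimpleGrantedAuthority(privilege));
        }
        return Collections.unmodifiableSet(authorities);
    }

    /** The check @PreAuthorize("hasAuthority('photo.read')") performs on the granted set. */
    public static boolean hasAuthority(final Set<GrantedAuthority> granted, final String privilege) {
        return granted.contains(new SimpleGrantedAuthority(privilege));
    }

    public static void main(final String[] args) {
        // Constructed sample: the groups from the thread, plus a value owned by another
        // application ("invoice.read") and a malformed one ("photo.*"), both filtered out.
        Map<String, List<String>> groupPrivileges = new HashMap<>();
        groupPrivileges.put("G1", Arrays.asList("photo.read"));
        groupPrivileges.put("G2", Arrays.asList("photo.create", "photo.update", "invoice.read", "photo.*"));

        // U1 is in G1 only; U2 is in both groups, which yields the set the thread gives for U2
        Set<GrantedAuthority> u1 = authoritiesFor("photo.", Arrays.asList("G1"), groupPrivileges);
        Set<GrantedAuthority> u2 = authoritiesFor("photo.", Arrays.asList("G1", "G2"), groupPrivileges);

        System.out.println("U1 -> " + u1);
        System.out.println("U2 -> " + u2);
        System.out.println("U1 may update? " + hasAuthority(u1, "photo.update"));
        System.out.println("U2 may update? " + hasAuthority(u2, "photo.update"));
    }
}
```

Two points worth keeping in mind. The authorities are named exactly like the privilege values, so the service methods should use hasAuthority('photo.read') rather than hasRole('photo.read'): with Spring Security's default configuration (4.x), hasRole prepends ROLE_ to a name that does not already carry it and would look for ROLE_photo.read. And the mapper grants only the union of what the user's groups actually carry, which is why U2 is placed in both G1 and G2 here to end up with photo.read as well; a value is granted only when it sits under the application's own prefix, so several applications can share one "privilege" schema without one application honouring another's values.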

Re: Authorisation with Syncope 2.x

2016-07-15 Thread Adrian Gonzalez
Hi Francesco,

That's it exactly.
I'm mapping Syncope roles -> Spring GrantedAuthorities for the moment 
to authorize users to my services APIs.
Perhaps I should modify it and use Syncope groups instead

Thanks!



Re: Authorisation with Syncope 2.x

2016-07-15 Thread Francesco Chicchiriccò

Hi Adrian,
I need to understand what is your use case.

It seems to me that you are attempting to use Syncope for privilege 
management, e.g. you want to:


1. enlist application privileges into Syncope
2. associate such privileges with some Syncope entity (I'd say you're 
using roles, but groups should be more appropriate in this case)
3. write your application(s) authentication / authorization logic so 
that it depends on Syncope's REST services and data (and you're using 
Spring Security for this purpose)


Is this correct?


--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC,
CXF Committer, OpenJPA Committer, PonyMail PPMC
http://home.apache.org/~ilgrosso/



Re: Authorisation with Syncope 2.x

2016-07-12 Thread Adrian Gonzalez
Hi Fabio,
I was thinking about creating my own apps (let's say PhotoGalleryApp).
With a service like:

    @PreAuthorize("hasRole('photo.read')")
    public Photo find(Long id) {
        // ...
    }

    @PreAuthorize("hasRole('photo.update')")
    public Photo update(Photo photo) {
        // ...
    }

This is really a basic sample (it won't be CRUDs only).
How can I customize Syncope in order to have photo.read and photo.update 
for instance?
Moreover, I'm not at ease if customisation requires code modification for each 
new entitlement since I'm gonna have a lot of apps.
Thanks for your insights,
Adrian


Re: Authorisation with Syncope 2.x

2016-07-12 Thread Fabio Martelli

Il 11/07/2016 16:27, Adrian Gonzalez ha scritto:

Hello, Sorry once more :(

Hi Adrian, do not apologize.
Thank you, instead. Reporting and interaction in public ML is always 
welcome.

See below for my comments.

Best regards,
F.



I would like to use Syncope in my app (using Spring Security) for user 
authentication and authorisation.


I would like to know if mapping GrantedAuthority to Syncope's role is 
the way to go?

I'm a bit lost, since there's also the notion of entitlements and groups.

In fact, when I look into Syncope's code, I see:

    @PreAuthorize("hasRole('" + StandardEntitlement.ROLE_CREATE + "')")
    public RoleTO create(final RoleTO roleTO) {

So I would say I should use entitlements and not roles.


You have to use the entitlements.
You can assign entitlements to a user by assigning them to a role and a 
role to the user: the user owning that role will own those entitlements.


This is the standard for Apache Syncope.
Therefore you can think about adding your own authorization method for 
some customizations. Please, if you do it this way, do it carefully.


But entitlement appears to be fixed (in StandardEntitlement class) and 
for Syncope 'internal' use [1] and [2] (aka checking if user has right 
to perform an action on Syncope - and not checking if user has right 
to perform action on whatever application).


Exactly! BTW you can perform some customization in order to extend the 
set of entitlements, in order to use them to authorize access to some 
custom REST methods provided for your specific aims.


This customization is not simple but feasible if strongly required.



Thanks,
Adrian

P.S. Using Syncope 2.0.0-M2

[1] 
http://syncope-user.1051894.n5.nabble.com/Entitlements-how-do-we-create-change-these-tp5707009p5707010.html
entitlements are not meant to be extended: their primary 
purpose is to define security constraints on RESTful methods.


[2] 
https://cwiki.apache.org/confluence/display/SYNCOPE/Authentication+and+authorization



--
Fabio Martelli

Tirasa - Open Source Excellence
http://www.tirasa.net/

Apache Syncope PMC
http://people.apache.org/~fmartelli/



Authorisation with Syncope 2.x

2016-07-11 Thread Adrian Gonzalez
Hello, Sorry once more :(

I would like to use Syncope in my app (using Spring Security) for user 
authentication and authorisation.
I would like to know if mapping GrantedAuthority to Syncope's role is the way 
to go? I'm a bit lost, since there's also the notion of entitlements and groups.
In fact, when I look into Syncope's code, I see:

    @PreAuthorize("hasRole('" + StandardEntitlement.ROLE_CREATE + "')")
    public RoleTO create(final RoleTO roleTO) {

So I would say I should use entitlements and not roles. But entitlement appears 
to be fixed (in StandardEntitlement class) and for Syncope 'internal' use [1] 
and [2] (aka checking if user has right to perform an action on Syncope - and 
not checking if user has right to perform action on whatever application).
Thanks,
Adrian
P.S. Using Syncope 2.0.0-M2
[1] 
http://syncope-user.1051894.n5.nabble.com/Entitlements-how-do-we-create-change-these-tp5707009p5707010.html
entitlements are not meant to be extended: their primary purpose is to define 
security constraints on RESTful methods.
[2] 
https://cwiki.apache.org/confluence/display/SYNCOPE/Authentication+and+authorization