Security System

Introduction

Ontimize security allows you to set permissions to each role that you assign to a specific user, so that different users can access (or not) the project services and methods.

Prerequisites

You can follow this tutorial using your own application, although for this example we will use an application created using the archetype that can be found on this page and with a REST service.

There are 2 options to follow this tutorial, clone the repository with the initial state and follow the tutorial step by step, or download the final example and see which files are new and which have been updated.

Initial project

/$ git clone https://github.com/ontimize/ontimize-examples 
/ontimize-examples$ cd ontimize-examples
/ontimize-examples$ git checkout boot-security-initial

Final example

/$ git clone https://github.com/ontimize/ontimize-examples 
/ontimize-examples$ cd ontimize-examples
/ontimize-examples$ git checkout boot-security

To simplify the code being written, three dots (…) may appear in some parts of the code. This indicates that there may be previous code before and after those dots.

Steps

Add new profile and user

We will add the following elements to the database:

  • New user
INSERT INTO TUSER VALUES('candidate','candidate','candidate','candidate',NULL,'99999999R',NULL,'2020-07-03 11:50:40.665000',NULL)
  • New user role
INSERT INTO TROLE VALUES(1,'candidate','<?xml version="1.0" encoding="UTF-8"?><security></security>')
  • Relationship between the new user and the new role
INSERT INTO TUSER_ROLE VALUES(1,1,'candidate')

Modify the service to add security

In the projectwiki-boot module we will add the annotation @EnableAspectJAutoProxy(proxyTargetClass = false) to the ServerApplication.java class and to each service method the @Secured({ PermissionsProviderSecured.SECURED }) annotation.

ServerApplication.java

package com.ontimize.projectwiki;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.EnableAspectJAutoProxy;


@SpringBootApplication
@EnableAspectJAutoProxy(proxyTargetClass = false)
public class ServerApplication {

	public static void main(String[] args) {
		SpringApplication.run(ServerApplication.class, args);
	}

}

CustomerService.java

package com.ontimize.projectwiki.model.core.service;

. . .
import org.springframework.security.access.annotation.Secured;


. . . 
import com.ontimize.jee.common.security.PermissionsProviderSecured;

. . .

public class CandidateService implements ICandidateService {

. . .

	@Override
	@Secured({ PermissionsProviderSecured.SECURED })
	public EntityResult candidateQuery(Map<String, Object> keyMap, List<String> attrList)
			throws OntimizeJEERuntimeException {
		return this.daoHelper.query(this.candidateDao, keyMap, attrList);
	}

	@Override
	@Secured({ PermissionsProviderSecured.SECURED })
	@Transactional(rollbackFor = Exception.class)
	public EntityResult candidateInsert(Map<String, Object> attrMap) throws OntimizeJEERuntimeException {
		return this.daoHelper.insert(this.candidateDao, attrMap);
	}

	@Override
	@Secured({ PermissionsProviderSecured.SECURED })
	@Transactional(rollbackFor = Exception.class)
	public EntityResult candidateUpdate(Map<String, Object> attrMap, Map<String, Object> keyMap)
			throws OntimizeJEERuntimeException {
		return this.daoHelper.update(this.candidateDao, attrMap, keyMap);
	}

	@Override
	@Secured({ PermissionsProviderSecured.SECURED })
	public EntityResult candidateDelete(Map<String, Object> keyMap) throws OntimizeJEERuntimeException {
		return this.daoHelper.delete(this.candidateDao, keyMap);
	}
	
}

Add permissions for methods

Once the methods have been noted, it is necessary to add the interface of the service and the method that we have noted to the table of the DB that stores those elements and to the table that indicates the methods for which the role has permission.

INSERT INTO TSERVER_PERMISSION VALUES('com.ontimize.projectwiki.api.core.service.ICandidateService/candidateQuery')
INSERT INTO TSERVER_PERMISSION VALUES('com.ontimize.projectwiki.api.core.service.ICandidateService/candidateInsert')
INSERT INTO TSERVER_PERMISSION VALUES('com.ontimize.projectwiki.api.core.service.ICandidateService/candidateUpdate')
INSERT INTO TSERVER_PERMISSION VALUES('com.ontimize.projectwiki.api.core.service.ICandidateService/candidateDelete')

INSERT INTO TROLE_SERVER_PERMISSION VALUES(0,1)
INSERT INTO TROLE_SERVER_PERMISSION VALUES(0,2)
INSERT INTO TROLE_SERVER_PERMISSION VALUES(0,3)
INSERT INTO TROLE_SERVER_PERMISSION VALUES(0,4)

If we try to make requests through Postman to the service of CandidateService, changing the authentication by the user candidate and password candidate, it will give an error, since the user candidate does not belong to the role admin which is the only role that has permissions to make these queries.