{"id":15350013,"url":"https://github.com/shawnmckinney/rbac-abac-sample","last_synced_at":"2025-04-15T04:17:30.810Z","repository":{"id":73104647,"uuid":"142474753","full_name":"shawnmckinney/rbac-abac-sample","owner":"shawnmckinney","description":"Example combining Apache Fortress Role-Based Access Control and Atribute-Based Access Control inside an Apache Wicket Web App","archived":false,"fork":false,"pushed_at":"2023-09-06T08:49:24.000Z","size":728,"stargazers_count":5,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-04-15T04:17:25.097Z","etag":null,"topics":["abac","attribute-based-access-control","authorization","rbac","role-based-access-control"],"latest_commit_sha":null,"homepage":"https://iamfortress.net/2018/07/07/towards-an-attribute-based-role-based-access-control-system/","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/shawnmckinney.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-07-26T17:47:23.000Z","updated_at":"2022-08-23T21:24:25.000Z","dependencies_parsed_at":"2024-10-16T01:40:58.766Z","dependency_job_id":"181830fa-8004-44a6-bec3-15a144dd2e45","html_url":"https://github.com/shawnmckinney/rbac-abac-sample","commit_stats":{"total_commits":92,"total_committers":3,"mean_commits":"30.666666666666668","dds":0.2934782608695652,"last_synced_commit":"ad8516259d818ab96cb573d687e2bc704d6436ce"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repo
sitories/shawnmckinney%2Frbac-abac-sample","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shawnmckinney%2Frbac-abac-sample/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shawnmckinney%2Frbac-abac-sample/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shawnmckinney%2Frbac-abac-sample/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/shawnmckinney","download_url":"https://codeload.github.com/shawnmckinney/rbac-abac-sample/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249003972,"owners_count":21196793,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["abac","attribute-based-access-control","authorization","rbac","role-based-access-control"],"created_at":"2024-10-01T11:56:42.439Z","updated_at":"2025-04-15T04:17:30.792Z","avatar_url":"https://github.com/shawnmckinney.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"© 2023 iamfortress.net\n# Overview of the rbac-abac-sample README\n\n * This document demonstrates how to build and deploy the fortress rbac with abac sample.\n * The intent is to demonstrate using attributes to control role activation within an Apache Wicket Web app.\n * For more info about the idea: \n   - [RBAC-ABAC Sample Wiki](https://github.com/shawnmckinney/rbac-abac-sample/wiki) \n   - [Towards an Attribute-Based Role-Based Access Control 
System](https://iamfortress.net/2018/07/07/towards-an-attribute-based-role-based-access-control-system/)\n\n-------------------------------------------------------------------------------\n## Table of Contents\n * SECTION I. Prerequisites\n * SECTION II. Prepare Tomcat for Java EE Security\n * SECTION III. Prepare rbac-abac-sample package\n * SECTION IV. Build and deploy rbac-abac-sample\n * SECTION V. Understand the security policy\n * SECTION VI. Manually Test the RBAC with ABAC sample\n * SECTION VII. Automatically Test the RBAC with ABAC sample (using Selenium)\n * SECTION VIII. Under the Hood (Learn how it works here)\n\n-------------------------------------------------------------------------------\n## SECTION I. Prerequisites\n1. Java \u003e= 17\n2. Apache Maven \u003e= 3\n3. Apache Tomcat \u003e= 10\n4. Basic LDAP server setup by completing one of these:\n    * [OpenLDAP \u0026 Fortress QUICKSTART](https://github.com/apache/directory-fortress-core/blob/master/README-QUICKSTART-SLAPD.md)\n    * [OpenLDAP \u0026 Fortress QUICKSTART on DOCKER](https://github.com/apache/directory-fortress-core/blob/master/README-QUICKSTART-DOCKER-SLAPD.md)\n    * [APACHEDS \u0026 Fortress QUICKSTART](https://github.com/apache/directory-fortress-core/blob/master/README-QUICKSTART-APACHEDS.md)    \n    * [APACHEDS \u0026 Fortress QUICKSTART on DOCKER](https://github.com/apache/directory-fortress-core/blob/master/README-QUICKSTART-DOCKER-APACHEDS.md)\n    * [ansible-apache-fortress](https://gitlab.symas.net/symas-public/ansible-apache-fortress)\n\n-------------------------------------------------------------------------------\n## SECTION II. Prepare Tomcat for Java EE Security\n\nThis sample web app uses Java EE security.\n\n#### 1. 
Download the fortress realm proxy jar into tomcat/lib folder:\n\n  ```bash\n  wget https://repo.maven.apache.org/maven2/org/apache/directory/fortress/fortress-realm-proxy/[version]/fortress-realm-proxy-[version].jar -P $TOMCAT_HOME/lib\n  ```\n\n * Where `$TOMCAT_HOME` points to the Tomcat installation directory of the execution env.\n\n Note: The realm proxy enables Tomcat container-managed security functions to call back to fortress.\n\n#### 2. Optional - Prepare tomcat to allow autodeploy of rbac-abac-sample web app:\n\n ```bash\n sudo vi $TOMCAT_HOME/conf/tomcat-users.xml\n ```\n\n#### 3. Optional - Add tomcat user to deploy rbac-abac-sample:\n\n ```xml\n \u003crole rolename=\"manager-script\"/\u003e\n \u003cuser username=\"tcmanager\" password=\"m@nager123\" roles=\"manager-script\"/\u003e\n ```\n\n Note: `tcmanager` / `m@nager123` are sample values that also appear in the tomcat-maven-plugin section of [pom.xml](pom.xml); use your own credentials in both places. The `manager-script` role grants deploy rights through the Tomcat Manager's text interface, so keep that account local to the build machine.\n\n#### 4. Restart tomcat for new settings to take effect.\n\n-------------------------------------------------------------------------------\n## SECTION III. Prepare rbac-abac-sample package\n\n#### 1. Stage the project.\n\n a. Download and extract from Github:\n\n ```bash\n wget https://github.com/shawnmckinney/rbac-abac-sample/archive/master.zip\n ```\n\n -- Or --\n\n b. `git clone` locally:\n\n ```bash\n git clone https://github.com/shawnmckinney/rbac-abac-sample.git\n ```\n\n#### 2. Change directory into it:\n\n ```bash\n cd rbac-abac-sample\n ```\n\n#### 3. Point fortress at your LDAP server:\n\n a. Copy the example:\n\n ```bash\n cp src/main/resources/fortress.properties.example src/main/resources/fortress.properties\n ```\n\n b. Edit the file:\n\n ```bash\n vi src/main/resources/fortress.properties\n ```\n\n Note: the populated fortress.properties holds the directory administrator's bind credentials (`admin.user` / `admin.pw`); keep it out of version control.\n\n Pick either Apache Directory or OpenLDAP server:\n\n c. 
Prepare fortress for ApacheDS usage:\n\n ```properties\n # This param tells fortress which type of LDAP server is in use:\n ldap.server.type=apacheds\n\n # Use value from [Set Hostname Entry] (the hostname chosen during the LDAP quickstart in SECTION I):\n host=localhost\n\n # ApacheDS defaults to this:\n port=10389\n\n # These credentials are used for read/write access to all nodes under suffix:\n admin.user=uid=admin,ou=system\n admin.pw=secret\n ```\n\n -- Or --\n\n d. Prepare fortress for OpenLDAP usage:\n\n ```properties\n # This param tells fortress which type of LDAP server is in use:\n ldap.server.type=openldap\n\n # Use value from [Set Hostname Entry] (the hostname chosen during the LDAP quickstart in SECTION I):\n host=localhost\n\n # OpenLDAP defaults to this:\n port=389\n\n # These credentials are used for read/write access to all nodes under suffix:\n admin.user=cn=Manager,dc=example,dc=com\n admin.pw=secret\n ```\n\n-------------------------------------------------------------------------------\n## SECTION IV. Build and deploy rbac-abac-sample\n\n#### 1. Verify the java and maven home env variables are set.\n\n ```maven\n mvn -version\n ```\n\n This sample requires Java \u003e= 17 and Maven \u003e= 3 (see SECTION I) to be set up within the execution env.\n\n#### 2. Build the sample and load test data:\n\n  ```maven\n mvn install -Dload.file\n  ```\n\n Build Notes:\n * `-Dload.file` automatically loads the [rbac-abac-sample security policy](src/main/resources/rbac-abac-sample-security-policy.xml) data into LDAP.\n * This load needs to happen just once for the default test cases to work and may be dropped from future `mvn` commands.\n\n#### 3. Deploy the sample to Tomcat:\n\n a. 
If using the autodeploy feature, verify the Tomcat auto-deploy options in the [pom.xml](pom.xml) file match the manager user created in SECTION II (the credentials sit in plaintext in pom.xml, so do not commit real ones):\n ```xml\n \u003cplugin\u003e\n     \u003cgroupId\u003eorg.codehaus.mojo\u003c/groupId\u003e\n     \u003cartifactId\u003etomcat-maven-plugin\u003c/artifactId\u003e\n     \u003cversion\u003e1.0-beta-1\u003c/version\u003e\n     \u003cconfiguration\u003e\n     ...\n         \u003curl\u003ehttp://localhost:8080/manager/text\u003c/url\u003e\n         \u003cpath\u003e/${project.artifactId}\u003c/path\u003e\n         \u003cusername\u003etcmanager\u003c/username\u003e\n         \u003cpassword\u003em@nager123\u003c/password\u003e\n     \u003c/configuration\u003e\n \u003c/plugin\u003e\n ```\n\n b. Now, automatically deploy to tomcat server:\n\n  ```maven\n mvn clean tomcat:deploy\n  ```\n\n c. To automatically redeploy sample app:\n\n  ```maven\n mvn clean tomcat:redeploy\n  ```\n\n d. To manually deploy app to Tomcat:\n\n ```bash\n cp target/rbac-abac-sample.war $TOMCAT_HOME/webapps\n ```\n\n * Where `$TOMCAT_HOME` points to the Tomcat installation directory of the execution env.\n\n-------------------------------------------------------------------------------\n## SECTION V. Understand the security policy\n\nTo gain full understanding, check out the file used to load it into the LDAP directory: [rbac-abac-sample security policy](src/main/resources/rbac-abac-sample-security-policy.xml).\n\nThe app is comprised of three pages, each with buttons and links that are guarded by permissions.  Permissions are granted to a user through the roles activated in their session.\n\n#### 1. User-to-Role Assignment Table\n\n For this app, user-to-role assignments are:\n\n| user       | Tellers     | Washers  |\n| ---------- | ----------- | -------- |\n| curly      | true        | true     |\n| moe        | true        | true     |\n| larry      | true        | true     |\n\n#### 2. 
User-to-Role Activation Table by Branch\n\n But we want to control role activation using attributes based on Branch location:\n\n| user       | Tellers   | Washers       |\n| ---------- | --------- | ------------- |\n| curly      | East      | North, South  |\n| moe        | North     | East, South   |\n| larry      | South     | North, East   |\n\n *Even though the test users are assigned both roles, they are limited, by branch, in which role can be activated.*\n\n#### 3. Role-to-Role Dynamic Separation of Duty Constraint Table\n\n Furthermore, because the two roles are a toxic combination, we must never let a user activate both simultaneously, regardless of location. For that, we'll use a dynamic separation of duty (DSD) policy:\n\n| set name      | Set Members   | Cardinality   |\n| ------------- | ------------- | ------------- |\n| Bank Safe     | Washers       | 2             |\n|               | Tellers       |               |\n\n *A DSD cardinality of 2 means a session may hold fewer than 2 members of the set, i.e. at most one of Washers or Tellers at a time. With the branch constraints above this never fires for the sample users, since no user is allowed both roles at the same branch, but it is a backstop should the constraint data change.*\n\n#### 4. Role-Permission Table Links\n\n The page links are guarded by RBAC permissions that depend on which roles are active in the session.\n\n| role       | WashersPage | TellersPage |\n| ---------- | ----------- | ----------- |\n| Tellers    | false       | true        |\n| Washers    | true        | false       |\n\n#### 5. Role-Permission Table Buttons\n\n The buttons on the page are also guarded by RBAC permissions.\n\n| role       | Account.deposit | Account.withdrawal | Account.inquiry  | Currency.soak | Currency.rise | Currency.dry |\n| ---------- | --------------- | ------------------ | ---------------- | ------------- | ------------- | ------------ |\n| Tellers    | true            | true               | true             | false         | false         | false        |\n| Washers    | false           | false              | false            | true          | true          | true         |\n\n-------------------------------------------------------------------------------\n## SECTION VI. 
Manually Test the RBAC with ABAC sample\n\n#### 1. Open link to [http://localhost:8080/rbac-abac-sample](http://localhost:8080/rbac-abac-sample)\n\n#### 2. Log in using the Java EE authentication form, with one of the test users below.\n\n#### 3. User-Password Table\n\n | userId        | Password      |\n | ------------- | ------------- |\n | curly         | password      |\n | moe           | password      |\n | larry         | password      |\n\n These are test accounts loaded from the security policy file in SECTION IV; they are not meant for anything beyond the sample.\n\n#### 4. Enter a location for the user and click on the button.\n\n ```\n Enter North, South or East\n ```\n\n ![Image1](images/EnterBranch.png \"Set Branch Location\")\n\n#### 5. Once the location is set, a link will appear corresponding with the user's allowed role for that location.\n\n ![Image2](images/Washer.png \"Washer Link\")\n\n#### 6. Click on the link, and then buttons appear simulating user access for that particular location.\n\n ![Image3](images/WashersPage.png \"Washers Page\")\n\n#### 7. Change locations, and a different link appears, with different operations.\n\n This is RBAC with ABAC in action, limiting which role may be activated in the session by location.\n\n#### 8. Try a different user.\n\n Each has different access rights to the application.\n\n-------------------------------------------------------------------------------\n## SECTION VII. Automatically Test the RBAC with ABAC sample\n\n Run the selenium automated test:\n\n```maven\nmvn test -Dtest=RbacAbacSampleSeleniumITCase\n```\n\n Selenium Test Notes:\n * *This test will log in as each user and perform positive and negative test cases.*\n * *Requires Firefox on the target machine.*\n\n-------------------------------------------------------------------------------\n## SECTION VIII. Under the Hood\n\n How does this work?  
Have a look at some code...\n\n Paraphrased from [WicketSampleBasePage.java](src/main/java/org/rbacabac/WicketSampleBasePage.java):\n\n ```java\n// Fortress model and manager types (imports added here for completeness):\nimport java.util.ArrayList;\nimport java.util.List;\nimport org.apache.directory.fortress.core.AccessMgr;\nimport org.apache.directory.fortress.core.SecurityException;\nimport org.apache.directory.fortress.core.model.RoleConstraint;\nimport org.apache.directory.fortress.core.model.Session;\nimport org.apache.directory.fortress.core.model.User;\n\n// Nothing new here:\nString userId = \"curly\";\nUser user = new User(userId);\n\n// This is new:\nRoleConstraint constraint = new RoleConstraint( );\n\n// In practice we're not gonna pass hard-coded key-values in here, but you get the idea:\nconstraint.setKey( \"locale\" );\nconstraint.setValue( \"north\" );\n\n// This is just boilerplate goop:\nList\u003cRoleConstraint\u003e constraints = new ArrayList\u003c\u003e();\nconstraints.add( constraint );\n\ntry\n{\n    // Now, create the RBAC session with an ABAC constraint, locale=north, asserted:\n    Session session = accessMgr.createSession( user, constraints );\n    ...\n}\ncatch ( SecurityException ex )\n{\n    // Fortress reports authentication and activation failures through its checked SecurityException.\n    ...\n}\n ```\n\n By pushing the **locale** attribute into the user's RBAC session, the runtime matches that instance data against the user's stored policy. Note that whoever supplies the constraint value decides which roles can activate: this sample lets the user type the branch (SECTION VI), which is fine for a demo, but a production app should take the attribute from a source the user cannot choose, such as the authenticated session, the client's network location, or the user's directory entry.\n\n ![Image4](images/CurlyUser.png \"View Curly Data\")\n *Notice that this user has been assigned both Teller and Washer, via the **ftRA** attribute, and that another attribute, **ftRC**, constrains where each can be activated.*\n\n### How the ABAC algorithm works:\n * When the runtime iterates over assigned roles (ftRA), trying to activate them one-by-one, it matches the constraint pushed in, e.g. 
locale=north, with its associated role constraint (ftRC).\n * If it finds a match, the role can be activated into the session, otherwise not.\n\n### When does it get executed:\n * During the [createSession](https://directory.apache.org/fortress/gen-docs/latest/apidocs/org/apache/directory/fortress/core/AccessMgr.html#createSession-org.apache.directory.fortress.core.model.User-boolean-) call, there's a role activation phase, where all of the constraints are applied.\n * Applying constraints is not a new concept in Fortress; see [What Are Temporal Constraints?](https://iamfortress.net/2015/06/11/what-are-temporal-constraints/) for more info.\n * Constraints are enabled via [fortress' configuration subsystem](https://github.com/apache/directory-fortress-core/blob/master/README-CONFIG.md).  Currently ABAC (user-role) and temporal constraints are turned on by default.\n\nFor example, the user-role constraint validator is enabled via the fortress.properties file:\n\n```properties\n...\n# Enable the ABAC constraint validator:\ntemporal.validator.5:org.apache.directory.fortress.core.util.time.UserRoleConstraint\n```\n\n### One more thing:\n * ABAC constraints work with any kind of instance data, e.g. account, organization, etc.  Let your imagination set the boundaries.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshawnmckinney%2Frbac-abac-sample","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fshawnmckinney%2Frbac-abac-sample","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshawnmckinney%2Frbac-abac-sample/lists"}
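### Added example: the activation algorithm over the SECTION V tables

The following is an added example, not code from the README or from the Fortress code base. It models the role activation phase described in SECTION VIII (match the pushed `locale` constraint against each assigned role's stored ftRC, then apply the "Bank Safe" DSD set) over the policy tables in SECTION V, in plain Java with no Fortress or LDAP dependency, so it runs stand-alone. Assumptions: locale values are compared case-insensitively (the README's code asserts `north` while the UI accepts `North`); a DSD cardinality of `n` blocks any activation that would bring the session to `n` members of the set; permissions are represented as plain `Object.operation` strings rather than Fortress `Permission` objects; and the user `shemp`, allowed both roles at `north`, is constructed here only so the DSD check has something to block.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not project code: a stand-alone model of the role activation
 * phase the README describes (ABAC match on ftRC, then DSD), using the policy
 * tables from SECTION V. No Fortress or LDAP dependency.
 */
public final class AbacRoleActivationDemo {

    /** User-to-role assignments (the ftRA attribute). "shemp" is a constructed user
     *  added only to show the DSD check firing; the README has no such user. */
    static final Map<String, List<String>> ASSIGNED = Map.of(
        "curly", List.of("Tellers", "Washers"),
        "moe",   List.of("Tellers", "Washers"),
        "larry", List.of("Tellers", "Washers"),
        "shemp", List.of("Tellers", "Washers"));

    /** Role constraints (the ftRC attribute): user:role -> branches where it may activate.
     *  Lower-cased by assumption; the README's sample code asserts "north". */
    static final Map<String, Set<String>> ROLE_CONSTRAINTS = Map.of(
        "curly:Tellers", Set.of("east"),
        "curly:Washers", Set.of("north", "south"),
        "moe:Tellers",   Set.of("north"),
        "moe:Washers",   Set.of("east", "south"),
        "larry:Tellers", Set.of("south"),
        "larry:Washers", Set.of("north", "east"),
        "shemp:Tellers", Set.of("north"),   // constructed: both roles allowed at north
        "shemp:Washers", Set.of("north"));

    /** DSD set "Bank Safe": a session may never hold cardinality (2) or more of its members. */
    static final Set<String> DSD_MEMBERS = Set.of("Tellers", "Washers");
    static final int DSD_CARDINALITY = 2;

    /** Role-to-permission grants from the link and button tables (assumed string form). */
    static final Map<String, Set<String>> PERMISSIONS = Map.of(
        "Tellers", Set.of("TellersPage", "Account.deposit", "Account.withdrawal", "Account.inquiry"),
        "Washers", Set.of("WashersPage", "Currency.soak", "Currency.rise", "Currency.dry"));

    /** Role activation phase: returns the roles activated for userId under the asserted locale. */
    static List<String> activateRoles(String userId, String locale) {
        String asserted = locale.toLowerCase(Locale.ROOT);
        List<String> active = new ArrayList<>();
        for (String role : ASSIGNED.getOrDefault(userId, List.of())) {
            // ABAC step: skip the role unless the pushed constraint matches its stored ftRC.
            Set<String> allowedHere = ROLE_CONSTRAINTS.get(userId + ":" + role);
            if (allowedHere == null || !allowedHere.contains(asserted)) {
                continue;
            }
            // DSD step: skip the role if activating it would reach the set's cardinality.
            long alreadyInSet = active.stream().filter(DSD_MEMBERS::contains).count();
            if (DSD_MEMBERS.contains(role) && alreadyInSet + 1 >= DSD_CARDINALITY) {
                continue;
            }
            active.add(role);
        }
        return active;
    }

    /** Permission check: granted if any active role carries the permission. */
    static boolean checkAccess(List<String> activeRoles, String permission) {
        return activeRoles.stream()
            .anyMatch(role -> PERMISSIONS.getOrDefault(role, Set.of()).contains(permission));
    }

    public static void main(String[] args) {
        for (String user : List.of("curly", "moe", "larry", "shemp")) {
            for (String branch : List.of("North", "South", "East")) {
                List<String> roles = activateRoles(user, branch);
                System.out.printf("%-5s @ %-5s -> active=%-9s deposit=%-5b soak=%b%n",
                    user, branch, roles,
                    checkAccess(roles, "Account.deposit"),
                    checkAccess(roles, "Currency.soak"));
            }
        }
    }
}
```

Compile and run with `javac AbacRoleActivationDemo.java && java AbacRoleActivationDemo`. For the three README users each branch yields exactly one role (curly at North activates only Washers, so `Currency.soak` is granted and `Account.deposit` denied; at East the reverse), and the DSD step never has to intervene because the ftRC data already keeps the two roles apart. The constructed `shemp` shows the backstop: at North the ABAC step admits both roles, Tellers activates first, and Washers is then refused because a second member of "Bank Safe" would reach the cardinality of 2.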