ActivePivot Security
A secured application means that a user can access only the services he is granted. Security can be divided into several layers, comprising:
- Authentication: the process of identifying a user (usually by asking a username and password)
- Authorization: once authenticated, grant and/or restrict access to some services
This article explains how to customize these security layers for an application based on ActivePivot.
Authentication
Authentication validates the credentials of a user. Authentication in ActivePivot's sandbox relies on the
Spring Security framework, a mature and widely used
security framework. The ActivePivotServerSecurityConfig
class provides an example of how to configure an
application with Spring Security.
Authorization
Entitlements apply through context values
Let's start with an example. In ActivePivot, it is possible to make a European user see only the data regarding Europe, or see the prices in euro. This is configured through the subcube properties.
Subcube properties are controlled by context values, that are assigned after authentication and at each query start.
Once authenticated, a user is thus assigned a set of context values depending on its roles that define for example the resources he/she can access, or change how the results are computed.
Then, at each query start, a Spring filter (the ContextValueFilter
) calls ActivePivot's
ContextValueManager
. The latter will provide the context values that will be attached to
the context of this query, and thus define the subcube properties.
ContextValueManager
: how context values are attributed
When there are several possible values for a context value (for example, the user is a european user
but he set an option to see the prices in us dollars), the ContextValueManager
will give priority
to local transient values, then to global transient values, then to the values set through
the IActivePivotContentService
, and finally to the values set through the IEntitlementProvider
.
IEntitlementProvider
: defines which entitlements to attribute
Spring-Security tokens are materialized in ActivePivot as ISecurityDetails
, which simply
hold a user roles and username.
An IEntitlementsProvider
defines which entitlements (i.e. context values) are associated with
each ISecurityDetails
.
Roles are ordered to be able to choose which context value to set when two roles define the
same context value. The order is defined by an IAuthorityComparator
.
For example, USER role and ADMIN role may both define a value for the query time limit.
If the ADMIN role is considered of higher authority than the USER role by the
IAuthorityComparator
, then its value will be used to set the query time limit.
Sandbox Example
Entry-point
The sandbox uses Spring-Security, and its security configuration entry point is
ActivePivotServerSecurityConfig
. This defines to use the ContextValueFilter
class as a filter
at each query start. As explained above, this filter will initialize the context values by calling
the provided ContextValueManager
.
Defining Entitlements
The sandbox defines its IEntitlementsProvider
in RoleContextConfig.entitlementsProvider()
,
and its IAuthorityComparator
in ASecurityConfig.authorityComparator()
.
Advanced topics
By default, ISecurityDetails
simply hold the username and the user roles, but it is
possible to generate richer details. To do so, simply define your own ISecurityFacade
and
inject it in the ContextValueManager
using the setSecurityFacade
method. The sandbox provides
an example through its SpringSecurityFacade
.