Versions Compared

Version Old Version 14 New Version 15
Changes made by

Emil Ifrim

Emil Ifrim

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Date:

Author:

Version:

Changes:

Completed

Ext.

Int.

Is in Core

Jira Ref.

0.1

Doc. created

Yes/No

x

 

N/A

 

0.2Brand EnablingYes/Nox N/A 

 

Overview

This page describes the security layers of the REST web app. There are two security layers:

  1. Authentication
    1. Client-authentication:The database table OAUTH_CLIENT_DETAILS describes the servers, which are allowed to make calls to the REST web app. (Typically this will be the selfcare web app and, when in development, the Swagger UI)
    2. User/Operator/App-authentication: A username/password based security layer that upon each requests matches a token from the request against an in-memory map from token to logged in users.
  2. Authorization: A fine grained access rights control implemented in all resources that shall have limited access. This layer is customizabile: The customer can register their own rules. The default rules are all based on "ownership": Account-ownership, BillingGroup-ownership and Subscription-ownership.

 

Authentication

Authentication is triggered by the Authorization layer. If a resource does not require Authorization, then it's considered open for access, unless brand access check is in place. The Authentication protocol used is OAUTH2  and the implementation used is from Spring Framework.

...

  1. User-authenticatio - this corresponds to a Selfcare use-case scenario. The authentication is done by validation username/password in the USERS table. An URL example for this scenario is (note grant_type=password value):

    Code Block
    titleAuthorization URL
    https://host:port/appcontext/oauth/token?username=#myusername&password=#mypassword&grant_type=password&brandKey=#myBrandKey
    Code Block
    titleCURL example
    CURL example:  curl -v -X POST -u myclientid:myclientsecret http://host:port/appcontext/oauth/token -H "Accept: application/json" -d "grant_type=password&username=#myusername&password=mypassword&brandKey=#myBrandKey"

where:
#myusername, #mypassword are taken from Users table
#myBrandKey is taken from the Brand table
myclientid, myclientsecret are taken from OAUTH_CLIENT_DETAILS table
    Code Block
    titleAngular example
    function login(credentials) {
      var data = 'username=' +
        encodeURIComponent(credentials.username) +
        '&password=' +
        encodeURIComponent(credentials.password) +
        '&grant_type=password&scope=read%20write&' +
        'client_id=myclientid&' +
        'brandKey=myBrandKey';
      return $http
        .post('/oauth/token',
            data,
            {
              headers : {
                'Content-Type' : 'application/x-www-form-urlencoded',
                'Accept' : 'application/json',
                'Authorization' : 'Basic ' +
                  base64Service.encode('myclientid'	+ ':' + 'myclientsecret')
              }
            }).success(
              function(response) {
                //store the access token
                return response;
              });
    } 
 
 
where:
credentials.username, credentials.password are taken from Users table
myBrandKey is taken from the Brand table
myclientid, myclientsecret are taken from OAUTH_CLIENT_DETAILS table

  2. Operator-authentication - this correspnds to a Customercare use-case scenario. The authentication is done by validation username/password in the OPERATORS table. An URL example for this scenario is (note grant_type=operator_password value):

    Code Block
    titleAuthorization URL
    https://host:port/appcontext/oauth/token?username=#myusername&password=#mypassword&grant_type=operator_password&brandKey=#myBrandKey
    Code Block
    titleCURL example
    CURL example:  curl -v -X POST -u myclientid:myclientsecret http://host:port/appcontext/oauth/token -H "Accept: application/json" -d "grant_type=operator_password&username=#myusername&password=mypassword&brandKey=#myBrandKey"

where:
#myusername, #mypassword are taken from Operators table
#myBrandKey is taken from the Brand table
myclientid, myclientsecret are taken from OAUTH_CLIENT_DETAILS table

Authorization

Authorization is done in two steps:

...

In a customer project, additional mappings need to be added and this can be achieved by implementing the com.cdrator.selfcare.model.security.ownershipcontrol.AccessByOwnershipConfigurationBuilder (respectively com.cdrator.selfcare.model.security.ownershipcontrol.RestrictForOwnershipConfigurationBuilder) interface(s) and using the ServiceLoader feature to load the implementation(s).

Brand Access Check

In case of a multi branded  environment it is possible to restrict access to the "public" endpoints by enabling the brand access check in the configuration file (Properties.txt). This is done by setting the following parameter:

...

Info
titleSwagger

To configure swagger to use this authentication scenario, an additional parameter has to be set in Properties.txt file:

rest.swagger.auth.flow=client_credentials

CORS

In order to be able to access both the AUTH app and REST app from Javascript clients, CORS parameters need to be configured. Below there is an example of how that can be done:

...