...
- Authentication:
  - Client-authentication: The database table OAUTH_CLIENT_DETAILS describes the servers (OAuth clients) that are allowed to make calls to the REST web app. Typically this will be the selfcare web app and, during development, the Swagger UI. The client presents its client id and client secret with every token request.
  - User/Operator/App-authentication: A username/password based security layer that, on each request, matches the token carried by the request against an in-memory map from token to logged-in user. Because the map is in memory, tokens are lost on restart and are not shared between application instances.
- Authorization: Fine-grained access rights control implemented in all resources that are to have limited access. This layer is customizable: the customer can register their own rules. The default rules are all based on ownership: Account-ownership, BillingGroup-ownership and Subscription-ownership.
...
In order to call REST resources that require Authorization, the calling client has to provide an Access Token. An Access Token is obtained by sending a POST request to the token endpoint (/oauth/token), authenticating the client with HTTP Basic (client id and client secret from OAUTH_CLIENT_DETAILS). There are three strategies/scenarios for obtaining an Access Token, distinguished by the grant_type parameter. The URL examples below list the parameters as a query string for readability; the CURL examples send them in the POST body, which is the form to use in practice, because query strings (including passwords) are recorded in web-server and proxy access logs.
User-authentication - this corresponds to a Selfcare use-case scenario. The authentication is done by validating the username/password against the USERS table. A URL example for this scenario is (note the grant_type=password value):
Code Block title Authorization URL
https://host:port/appcontext/oauth/token?username=#myusername&password=#mypassword&grant_type=password
...
Code Block title CURL example
curl -v -X POST -u myclientid:myclientsecret https://host:port/appcontext/oauth/token -H "Accept: application/json" -d "grant_type=password&username=#myusername&password=#mypassword"

where:
#myusername, #mypassword are taken from the USERS table
myclientid, myclientsecret are taken from the OAUTH_CLIENT_DETAILS table

Code Block title Angular example
function login(credentials) {
  // user credentials and grant type go in the form-encoded POST body
  var data = 'username=' + encodeURIComponent(credentials.username) +
             '&password=' + encodeURIComponent(credentials.password) +
             '&grant_type=password&scope=read%20write&' +
             'client_id=myclientid';
  return $http
    .post('/oauth/token', data, {
      headers : {
        'Content-Type' : 'application/x-www-form-urlencoded',
        'Accept' : 'application/json',
        // client credentials go in the HTTP Basic Authorization header
        'Authorization' : 'Basic ' + base64Service.encode('myclientid' + ':' + 'myclientsecret')
      }
    })
    .success(function(response) {
      // store the access token (response.access_token) for use as
      // "Authorization: Bearer <token>" on subsequent resource calls
      return response;
    });
}

where:
credentials.username, credentials.password are taken from the USERS table
myclientid, myclientsecret are taken from the OAUTH_CLIENT_DETAILS table

Note that a client secret embedded in browser-side JavaScript, as in this example, is visible to every user of the page: it identifies the client but cannot be treated as confidential.
Operator-authentication - this corresponds to a Customercare use-case scenario. The authentication is done by validating the username/password against the OPERATORS table. A URL example for this scenario is (note the grant_type=cc_password value):
Code Block title Authorization URL
https://host:port/appcontext/oauth/token?username=#myusername&password=#mypassword&grant_type=cc_password
Code Block title CURL example
curl -v -X POST -u myclientid:myclientsecret https://host:port/appcontext/oauth/token -H "Accept: application/json" -d "grant_type=cc_password&username=#myusername&password=#mypassword"

where:
#myusername, #mypassword are taken from the OPERATORS table
myclientid, myclientsecret are taken from the OAUTH_CLIENT_DETAILS table
Trusted app-authentication - this corresponds to a "backend" use-case scenario. No user is involved: the authentication is done by validating the client id/client secret against the OAUTH_CLIENT_DETAILS table. A URL example for this scenario is (note the grant_type=client_credentials value):
Code Block title Authorization URL
https://host:port/appcontext/oauth/token?grant_type=client_credentials
Code Block title CURL example
curl -v -X POST -u myclientid:myclientsecret https://host:port/appcontext/oauth/token -H "Accept: application/json" -d "grant_type=client_credentials"

where:
myclientid, myclientsecret are taken from the OAUTH_CLIENT_DETAILS table
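The three token requests above follow one pattern: client id/secret in the HTTP Basic Authorization header, grant_type (plus username/password for the password and cc_password grants) in the form-encoded POST body, and a JSON response whose access_token is then sent as a Bearer token on resource calls. The following Python client, added here as an illustration and not part of the REST app or its documentation, builds all three requests, parses the token response (including an error response) and produces the Bearer header. The host https://host:port/appcontext, the client credentials and the sample responses are placeholders constructed for the example; the JSON field names (access_token, token_type, error, error_description) are the standard OAuth2 ones and are assumed to be what this server returns.

```python
"""OAuth2 token acquisition for the password, cc_password and client_credentials grants.

Added example, not the REST app's own client code. Host, client credentials and
sample responses below are placeholders.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth/token"


def basic_auth_header(client_id, client_secret):
    """HTTP Basic credentials for the client: base64("id:secret")."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(base_url, client_id, client_secret, grant_type,
                        username=None, password=None, scope=None):
    """Return (url, headers, body) for the token endpoint.

    Client credentials always go in the Authorization header; user/operator
    credentials go in the POST body, never in the query string.
    """
    if grant_type in ("password", "cc_password"):
        if username is None or password is None:
            raise ValueError(f"{grant_type} grant requires username and password")
        params = {"grant_type": grant_type, "username": username, "password": password}
    elif grant_type == "client_credentials":
        params = {"grant_type": grant_type}
    else:
        raise ValueError(f"unsupported grant_type: {grant_type}")
    if scope:
        params["scope"] = scope
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode(params).encode("ascii")
    return base_url.rstrip("/") + TOKEN_PATH, headers, body


def parse_token_response(status, body_bytes):
    """Extract the access token; raise PermissionError on an OAuth2 error response."""
    payload = json.loads(body_bytes.decode("utf-8"))
    if status != 200 or "access_token" not in payload:
        detail = f"{payload.get('error', '')} {payload.get('error_description', '')}".strip()
        raise PermissionError(f"token request failed: HTTP {status} {detail}")
    if payload.get("token_type", "bearer").lower() != "bearer":
        raise ValueError("unexpected token_type: " + str(payload["token_type"]))
    return payload["access_token"]


def bearer_header(access_token):
    """Header to attach to subsequent calls to protected REST resources."""
    return {"Authorization": "Bearer " + access_token}


def fetch_token(base_url, client_id, client_secret, grant_type, opener=None, **kw):
    """Perform the token request over HTTPS (opener is injectable for tests)."""
    url, headers, body = build_token_request(base_url, client_id, client_secret, grant_type, **kw)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    opener = opener or urllib.request.build_opener()
    try:
        with opener.open(req) as resp:
            return parse_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # 400/401 carry the JSON error body
        return parse_token_response(err.code, err.read())


if __name__ == "__main__":
    base = "https://host:port/appcontext"  # placeholder host from the page
    scenarios = [
        ("password", {"username": "#myusername", "password": "#mypassword"}),      # USERS table
        ("cc_password", {"username": "#myusername", "password": "#mypassword"}),   # OPERATORS table
        ("client_credentials", {}),                                                # OAUTH_CLIENT_DETAILS only
    ]
    for grant, extra in scenarios:
        url, hdrs, body = build_token_request(base, "myclientid", "myclientsecret", grant, **extra)
        print(grant, "->", url, hdrs["Authorization"], body.decode())
    # Constructed sample response (not captured from a real server).
    sample = b'{"access_token":"0b79bab5-0d52-4f3e-9f1a-1234567890ab","token_type":"bearer","expires_in":43199}'
    print(bearer_header(parse_token_response(200, sample)))
```

Only fetch_token touches the network; build_token_request and parse_token_response are pure so the request shape and the error handling can be checked without a server. The #-prefixed placeholders are percent-encoded by urlencode, which is also what protects against a username or password containing & or = from corrupting the form body.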
Authorization
Fine-grained access control is about limiting access to specific resources, or even to specific code blocks within a single resource. The current version of the REST app uses our own framework for this. The framework defines two abstract classes, whose implementations stand in a one-to-one relationship with a resource (an @Path annotated method). The two classes reflect the two kinds of question/check that are needed in the code.
...