Authentication and Authorization
The "Authentication and Authorization" category provides a comprehensive framework for managing user access and security settings within Jive communities. This section is crucial for ensuring that sensitive information is protected while enabling appropriate user access.
Jive SBS has multiple facilities to handle the three primary facets of network application security. This topic describes each and highlights APIs commonly of interest to developers customizing installations.
Fundamental terminology
The following terms are used commonly in the remainder of this section and are outlined here for clarification:
-
User (or Principal): Representation of an authenticated party in the application system. Each HTTP request processed by the system is performed as a User. In the case of guest or anonymous access, Jive SBS uses the
AnonymousUserclass to represent the security context of the current request. -
Federated user: A user belonging to a system of record external to the installation, such as when configured for LDAP authentication.
-
External user: A federated user who has no formal account in the system with which to authenticate.
-
Authentication: The act of identifying a user given a set of credentials.
-
Credentials: Data used by an untrusted user to prove their identity to the system. Examples include passwords, X509 certificates, and SAML Requests.
-
Application Security Layer: A series of J2EE Servlet Filters that examine every inbound request and enforce security constraints.
-
Application Layer: Application-level code downstream of the Application Security Layer. Each HTTP request must pass through the Application Security Layer before entering the Application Layer.
Supporting Libraries
Jive SBS relies on common security patterns established in the Spring Security (formerly Acegi Security) library. By leveraging Spring Security, the application uses terminology familiar to Spring users to standardize integration and leverage existing Spring libraries and idioms.
Authentication
Authentication is performed by a series of Spring Security filter chains, linked together. Each chain element has a dedicated responsibility while working toward the overall goals of handling a request. Ultimately, these chains must prepare the request to fulfill a single contract enforced by the last link in the primary security filter chain.
Security Context
Each thread of execution, including background jobs and asynchronous tasks, is associated with a Spring Security SecurityContext instance, which holds information about the Authentication associated with the request.
Jive extends the Spring Security Authentication interface with the JiveAuthentication class, exposing the current user representation through a strongly-typed contract and metadata about the user, such as anonymity.
Security Context: URI mappings
Each URI handled by the system passes through a series of J2EE Servlet Filters in the Application Security Layer before entering the Application Layer. Common URI contexts include:
/upgrade/**: All upgrade requests./post-upgrade/**: Requests post-upgrade./admin/**: Requests for the Admin Console./rpc/xmlrpc: XML-RPC web service requests./rpc/rest: RESTful HTTP service requests./rpc/soap: SOAP HTTP service requests./**: All requests not fitting the above patterns.
The sequence of filters can be customized through the Plugin system.
Security Context: Security Filter Chains
Jive SBS defines several Security Filter Chains mapped to specific URL patterns. The default filter chain setup in spring-securityContext.xml includes:
| Place in chain | Filter used | Description | As defined in spring.xml |
|---|---|---|---|
| 1 | Session Integration filter | Associates HTTP requests with a security context when previously authenticated or entering as a guest. | httpSessionContextIntegrationFilter |
| 2 | Authentication filters | Delegates to internal AuthenticationProvider implementations. | formAuthenticationFilter |
| 3 | Cookie Authentication filter | Processes RememberMe cookies for long-lived user authentication. | rememberMeProcessingFilter |
| 4 | Feed Basic Authentication filter | Performs HTTP Basic Authentication for RSS/Atom feeds. | feedBasicAuthenticationFilter |
| 5 | Exception Translation filter | Routes security-related exception redirects to application URLs. | exceptionTranslationFilter |
| 6 | Authentication Translation filter | Enforces the authentication contract between the Application Security Layer and Application Code. | jiveAuthenticationTranslationFilter |
Security Context: Authentication Contract
The authentication contract defines assumptions made by application-level code concerning the security context of any given request. This contract is met by application functionality in standalone and LDAP-based configurations.
Enforcement occurs via the JiveAuthenticationTranslationFilter, which ensures that the SecurityContext contains a valid JiveAuthentication before transferring request handling to the application layer.
To fulfill the contract, the SecurityContext must contain:
- An instance of
JiveAuthentication. - An authenticated
Userinstance accessible viagetPrincipal()orgetDetails().
If no authentication is present, AnonymousAuthentication is set in the SecurityContext, allowing application-level code to operate without null checks on user references.
Authorization
Authorization in Jive SBS is managed through three constructs in the Application Layer:
-
Permissions: Managed via the Admin Console, permissions are granted on application containers (e.g., communities, blogs).
-
Groups: Groups encapsulate permissions and users, enabling permission assignment at the group level.
-
Proxies: These restrict access to application layer objects based on permissions, generally transparently.
Permissions behavior is overseen by the PermissionsManager API, while group membership is managed by the GroupManager API. Proxies enforce access security based on the SecurityContext associated with each request, harnessing the contained JiveAuthentication.
This category serves as a vital resource for administrators and security professionals seeking to implement robust security measures in Jive, ensuring that the right users have the appropriate level of access while safeguarding community integrity.