```shell
jar -xf apache-fortress-demo-master.zip
cd apache-fortress-demo-master/
cp ./src/main/resources/fortress.properties.example ./src/main/resources/fortress.properties
```
```properties
# LDAP host: use the value from [Set Hostname Entry]:
host=fortressdemo2.com
# LDAP port: use the value from [Apache Fortress Core SSL].
# LDAPS port is 10636 by default on apacheds and 636 for openldap.
port=10636
# The ldap admin creds required for read/write access to the DIT.
# LDAP user/pw: use the same values from [Apache Fortress Core SSL]:
admin.user=uid=admin,ou=system
admin.pw=secret
# Required for SSL connections:
enable.ldap.ssl=true
# Useful when things go wrong:
enable.ldap.ssl.debug=false
# The truststore generated in [Managing PKI Keys], or found under /src/test/resources in the apache-fortress-demo source package.
trust.store=/home/smckinn/fortress/apache-fortress-demo-master/src/test/resources/mytruststore
trust.store.password=changeit
# The truststore must be specified as a fully qualified filename:
trust.store.onclasspath=false
# The host value from the [Set Hostname Entry] step:
database.url=jdbc:mysql://fortressdemo2.com:3306/demoDB?useSSL=true&requireSSL=true
# The JDBC creds, which must match those from the [Install MySQL] step:
database.username=admin
database.password=secret
# This param informs the fortress runtime of the type of ldap server in use:
ldap.server.type=apacheds
#ldap.server.type=openldap
# Required:
database.driver=com.mysql.jdbc.Driver
# Required by the web app framework security components:
perms.cached=true
```
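Before deploying, it is worth checking that the transport-security settings in fortress.properties are what the walkthrough intends (LDAPS on, debug off, an absolute truststore path, JDBC with both useSSL and requireSSL). The checker below is an added example, not part of the apache-fortress-demo project: it reads the file the way java.util.Properties does (the key ends at the first `=`, so `admin.user=uid=admin,ou=system` keeps its full value) and reports weak settings. The sample text is constructed and carries three deliberate weaknesses.

```python
from urllib.parse import urlsplit, parse_qs
import os

# Constructed sample: TLS debug left on, relative truststore path, requireSSL missing.
SAMPLE = """\
host=fortressdemo2.com
port=10636
admin.user=uid=admin,ou=system
admin.pw=secret
enable.ldap.ssl=true
enable.ldap.ssl.debug=true
trust.store=src/test/resources/mytruststore
trust.store.password=changeit
trust.store.onclasspath=false
database.url=jdbc:mysql://fortressdemo2.com:3306/demoDB?useSSL=true
ldap.server.type=apacheds
#ldap.server.type=openldap
"""


def parse_properties(text):
    """Simplified java.util.Properties reader: lines starting with # or ! are comments,
    the key ends at the first '=' (or ':' when no '=' is present), the rest is the value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def is_true(props, key):
    return props.get(key, "").strip().lower() == "true"


def check_transport(props):
    """Return a list of 'key: problem' findings; an empty list means the
    LDAP and JDBC transport settings match the hardened configuration above."""
    findings = []
    if not is_true(props, "enable.ldap.ssl"):
        findings.append("enable.ldap.ssl: LDAP traffic, including the admin bind, is not protected by TLS")
    if is_true(props, "enable.ldap.ssl.debug"):
        findings.append("enable.ldap.ssl.debug: TLS debug logging is still enabled")
    store = props.get("trust.store", "")
    if not is_true(props, "trust.store.onclasspath") and not os.path.isabs(store):
        findings.append("trust.store: must be a fully qualified path when trust.store.onclasspath=false")
    url = props.get("database.url", "")
    # Strip the 'jdbc:' prefix so urlsplit sees mysql://host:port/db?query
    query = parse_qs(urlsplit(url[5:] if url.startswith("jdbc:") else url).query)
    for flag in ("useSSL", "requireSSL"):
        if query.get(flag, [""])[0].lower() != "true":
            findings.append(f"database.url: {flag}=true is missing, the JDBC session may fall back to plaintext")
    return findings


if __name__ == "__main__":
    for finding in check_transport(parse_properties(SAMPLE)):
        print(finding)
```

Run it against the real file with `check_transport(parse_properties(open("src/main/resources/fortress.properties").read()))`; a non-empty result is a reason to stop before `mvn tomcat:deploy`.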
```shell
mvn tomcat:deploy -Dload.file
mvn tomcat:redeploy -Dload.file
mvn tomcat:redeploy
```
```shell
mvn test -Dtest=ApacheFortressDemoSeleniumITCase
```

Firefox must be installed on the target machine before running this step.
Selenium verifies the test cases automatically. For each user, attempts are made to hit all pages and components. Positive and negative tests are performed. Failures in test cases will halt the execution of the program. The policy in effect is contained within apache-fortress-demo-load-policy.xml and loaded automatically during the web deployment step.
```shell
mvn test -Dtest=ApacheFortressDemoSeleniumITCase -Dweb.driver=chrome
```

Chrome must be installed on the target machine before running this step.
During manual testing, enter creds into the login form matching the entries found in the tables at the end of this document. Activate/deactivate different roles to gain access to different page and customer combinations. A dynamic separation of duty constraint prevents activation of more than one page-customer role at a time. It is best to run the automated selenium tests first, before attempting manual operation, in order to understand how to use this app.
This app's security policy maintains complex role-to-role (inheritance) and user-role assignments. Page roles, e.g. Page1, provide access to the page itself. Page-Customer roles, e.g. Page1_123, provide access to the components and data elements corresponding with that particular page for a given customer. All users (except SuperUser) are assigned combinations of page and page-customer roles. Only one page-customer role may be active in a user's session.
For a user to have access to a given page/customer combination, they must have been assigned, at a minimum, two roles: one for the page, e.g. page1, and one for the page-customer, e.g. page1_789. The page roles are not bound by a dynamic separation of duty (DSD) constraint. Hence we have users like poweruser, who may navigate across pages without changing roles. On the other hand, the page-customer roles are bound by a DSD constraint requiring a user to deactivate one page-customer role, e.g. page1_789, before activating another, e.g. page2_789.
The following diagram shows the role-role and user-role relations in place:
The following diagram provides a view of the role-permission relationships in place:
The above diagrams show that SuperUser has been granted access to all pages and all customers via their assigned role, SuperUsers. Granting full access in this way is a common security antipattern because it violates the principle of least privilege. Only provide the access needed to perform assigned job tasks at a given point in time - and no more.
PowerUser also has access to all pages and all customers. But this user cannot simultaneously access more than one page-customer combination. This is accomplished by assigning all of the page-customer roles, i.e. Page1_123, Page2_123, ... Page3_789, to the poweruser. But the roles have a mutual exclusion policy (dynamic separation of duty constraint) preventing activation of more than one at a time.
Here is the DSD policy in effect:

```xml
<addsdset>
  <sdset name="Demo2DSD"
         setmembers="PAGE1_123,PAGE1_456,PAGE1_789,PAGE2_123,PAGE2_456,PAGE2_789,PAGE3_123,PAGE3_456,PAGE3_789"
         cardinality="2"
         setType="DYNAMIC"
         description="ROLE_TEST DATA roles are mutually exclusive" />
</addsdset>
```

This is a safer approach to granting full access. The rationale: a user cannot simultaneously service two customers at the exact same time, so why allow it in the first place?
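To make the DSD semantics concrete, here is an added example (not code from Apache Fortress or the demo) that models the policy described above: page roles, page-customer roles, the Demo2DSD set with cardinality 2, and the two-role requirement for reaching a page/customer combination. It assumes the page roles are named role_page1..role_page3 (as in the manual-testing notes), that role inheritance has already been flattened into each user's assigned-role set, and that cardinality N means fewer than N members of the set may be active at once. The `access_matrix` function reproduces the T/F tables at the end of this document from a user's assigned roles.

```python
PAGES = ("page1", "page2", "page3")
CUSTOMERS = ("123", "456", "789")
PAGE_ROLES = {f"role_{p}" for p in PAGES}                       # assumed names, not DSD-bound
PAGE_CUSTOMER_ROLES = {f"{p}_{c}" for p in PAGES for c in CUSTOMERS}

# The Demo2DSD set from the policy fragment above, lower-cased for comparison.
DEMO2_DSD = {"name": "Demo2DSD", "members": PAGE_CUSTOMER_ROLES, "cardinality": 2}


class DsdViolation(Exception):
    """Raised when activating a role would breach the dynamic separation-of-duty set."""


class Session:
    """One user's session: roles assigned by policy versus roles currently active."""

    def __init__(self, user, assigned):
        self.user = user
        self.assigned = {r.lower() for r in assigned}   # role names treated case-insensitively
        self.active = set()

    def activate(self, role):
        role = role.lower()
        if role not in self.assigned:
            raise PermissionError(f"{self.user} is not assigned role {role}")
        if role in DEMO2_DSD["members"]:
            # DSD check: members active after this activation must stay below cardinality.
            would_be_active = (self.active & DEMO2_DSD["members"]) | {role}
            if len(would_be_active) >= DEMO2_DSD["cardinality"]:
                raise DsdViolation(
                    f"{DEMO2_DSD['name']}: {sorted(would_be_active)} cannot be active together")
        self.active.add(role)

    def deactivate(self, role):
        self.active.discard(role.lower())

    def can_access(self, page, customer):
        """A page/customer combination needs the page role AND the page-customer role active."""
        return f"role_{page}" in self.active and f"{page}_{customer}" in self.active


def access_matrix(assigned):
    """Build a user's T/F table (page -> customer -> 'T'/'F') from assigned roles alone."""
    assigned = {r.lower() for r in assigned}
    return {
        page: {
            cust: "T" if f"role_{page}" in assigned and f"{page}_{cust}" in assigned else "F"
            for cust in CUSTOMERS
        }
        for page in PAGES
    }


def poweruser_walkthrough():
    """Drive a poweruser-style session (all roles assigned) through the DSD constraint."""
    session = Session("poweruser", PAGE_ROLES | PAGE_CUSTOMER_ROLES)
    trace = []
    session.activate("role_page1")          # page roles are outside the DSD set
    session.activate("role_page2")
    session.activate("PAGE1_123")           # first page-customer role: allowed
    trace.append(("page1/123 after activation", session.can_access("page1", "123")))
    try:
        session.activate("page2_123")       # second member of Demo2DSD: blocked
        trace.append(("page2_123 activated", True))
    except DsdViolation:
        trace.append(("page2_123 activated", False))
    session.deactivate("page1_123")         # drop one, then the other may be activated
    session.activate("page2_123")
    trace.append(("page2/123 after switch", session.can_access("page2", "123")))
    trace.append(("page1/123 after switch", session.can_access("page1", "123")))
    return trace


if __name__ == "__main__":
    for step, ok in poweruser_walkthrough():
        print(f"{step}: {ok}")
    for page, row in access_matrix({"role_page1", "page1_123"}).items():
        print(page, row)
```

The walkthrough shows why poweruser is safer than SuperUser: every page/customer combination is reachable, but never more than one at a time, and the check happens at activation rather than at each page hit.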
Based on the name, one may infer what level of access a user has. For example, user1_123 may access page1's customer 123 functions. User2 has access to all customers on page2. User789 has access to all pages for customer data 789.
Users may only have one page-customer role activated at a time. To change which role is activated, deactivate the old one, then activate the new one using the dropdown component at the top of the page.
The following diagram shows the role activation dropdown:
Always activate page-customer roles: page1_123, page1_456, page1_789, page2_123, page2_456, page2_789, page3_123, page3_456, page3_789.
Never activate or deactivate page roles: role_page1, role_page2, role_page3.
Once a page-customer role has been activated/deactivated, its corresponding buttons will appear/disappear from the page.
The following diagram shows User1's page after role activation of page1_789 role occurred. Notice that the buttons, Add, Update, Delete, Search, are visible.
The following diagram shows User1's page after role deactivation of page1_789 occurred. Notice the buttons, Add, Update, Delete, Search, are no longer visible.
The following tables give each demo user's access matrix, one table per user: T means the user can reach that page/customer combination (page role plus page-customer role assigned), F means they cannot.

| Page | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page1 | T | T | T |
| Page2 | T | T | T |
| Page3 | T | T | T |

| Page | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page1 | T | T | T |
| Page2 | T | T | T |
| Page3 | T | T | T |

| Page | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page1 | T | F | F |
| Page2 | T | F | F |
| Page3 | T | F | F |

| Page | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page1 | F | T | F |
| Page2 | F | T | F |
| Page3 | F | T | F |

| Page | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page1 | F | F | T |
| Page2 | F | F | T |
| Page3 | F | F | T |

| Page | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page1 | T | T | T |
| Page2 | F | F | F |
| Page3 | F | F | F |

| Page | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page1 | T | F | F |
| Page2 | F | F | F |
| Page3 | F | F | F |

| Page | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page1 | F | T | F |
| Page2 | F | F | F |
| Page3 | F | F | F |

| Page | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page1 | F | F | T |
| Page2 | F | F | F |
| Page3 | F | F | F |

| Page | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page1 | F | F | F |
| Page2 | T | T | T |
| Page3 | F | F | F |

| Page | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page1 | F | F | F |
| Page2 | T | F | F |
| Page3 | F | F | F |

| Page | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page1 | F | F | F |
| Page2 | F | T | F |
| Page3 | F | F | F |

| Page | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page1 | F | F | F |
| Page2 | F | F | T |
| Page3 | F | F | F |

| Page | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page1 | F | F | F |
| Page2 | F | F | F |
| Page3 | T | T | T |

| Page | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page1 | F | F | F |
| Page2 | F | F | F |
| Page3 | T | F | F |

| Page | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page1 | F | F | F |
| Page2 | F | F | F |
| Page3 | F | T | F |

| Page | Customer 123 | Customer 456 | Customer 789 |
|---|---|---|---|
| Page1 | F | F | F |
| Page2 | F | F | F |
| Page3 | F | F | T |
This is free and unencumbered software released into the public domain.