Project Haala

Documentation

Security The Platform HAALA

External users can access the system in two ways:

Requesting a page

When a user enters a URL into a browser, the browser fetches a page (or any other resource such as a picture or file). A security filter (Spring Security) checks whether the user has permission to access the URL. The user must have roles assigned to her that allow access to the URL, or her request cannot proceed. The controller which handles the request also programmatically checks that the user does not attempt to operate on data which should not be accessible to her (e.g. view or modify someone else's resources).

Making an AJAX call

Loading JavaScript files and updating the database are done by making AJAX calls to server facades. A security aspect checks whether the user has permission to access a facade method. The user must have roles assigned to her that allow access to the method, or the request cannot proceed. Another aspect (validation) also checks that the user does not attempt to operate on data which should not be accessible to her (e.g. view or modify someone else's resources).

An anonymous user has very limited permissions. After sign-in, the system assigns the roles set up for the user, thus granting access to more pages, resources and AJAX calls.

HTTPS

The system currently does not support HTTPS. Every form (including the sign-in form) is submitted by AJAX over plain HTTP.

Roles

There are the following core roles in the system:

Anonymous

The system assumes that a user is anonymous if she does not have any roles assigned. This is the default until the user signs in.

User

This role is automatically assigned to every user after signing in. Such a user can access the member area.

Admin

An administrator can access the admin area and other pages, and bypasses restrictions. Because an admin should have no restrictions, every method that tests user roles must take this into account and let the admin through.

CMS

The user can modify content on her websites through the control panel.

Agent

This role can be used for a variety of things. Currently it is used to restrict access to expensive external resources which allow only a limited number of requests per day (e.g. geocode or postcode lookup).

Other roles belong to 3rd party packs and control access to a pack's features.

Super user

When an admin wants to access a user account, she may put on a shell of that user. The system then treats her as that user but with admin permissions, allowing her to do what the regular user could do plus admin functions. This saves the time of designing special pages for user administration. As a result, some pages have special blocks visible only to super users. Such pages provide extra functionality for an admin alongside the regular user functionality. The system stores the admin's data in the user's session and restores it when she takes off the shell. An admin may put on only a single user shell at a time.

AJAX facades

Every method of every facade must be annotated with the roles which can access it. Even methods which do not need any roles should have the anonymous role defined. A method without an annotation results in an error, because a developer may have forgotten to secure possibly restricted information.
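
The fail-closed rule above, together with the admin bypass described under Roles, as an added example that is not the platform's own code. The AllowedRoles annotation, the role names and SampleFacade are hypothetical, and the check uses plain reflection rather than the platform's security aspect.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.*;

public class FacadeRoleCheck {
    // Hypothetical annotation; the page does not name the platform's own.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface AllowedRoles { String[] value(); }

    // Constructed sample facade with assumed role names.
    static class SampleFacade {
        @AllowedRoles("ANONYMOUS") public String signIn() { return "ok"; }
        @AllowedRoles("USER") public String myProfile() { return "profile"; }
        @AllowedRoles("AGENT") public String postcodeLookup() { return "lookup"; }
        public String forgotten() { return "unsecured"; } // annotation missing
    }

    /** True if a caller holding userRoles may invoke the facade method. */
    static boolean mayInvoke(Method m, Set<String> userRoles) {
        AllowedRoles a = m.getAnnotation(AllowedRoles.class);
        if (a == null) // fail closed: a missing annotation is an error
            throw new IllegalStateException("No role annotation on " + m.getName());
        if (userRoles.contains("ADMIN")) return true; // admin is let through
        List<String> allowed = Arrays.asList(a.value());
        if (allowed.contains("ANONYMOUS")) return true; // open to every caller
        return !Collections.disjoint(allowed, userRoles);
    }

    /** Audit: names of public facade methods that lack the annotation. */
    static List<String> unannotated(Class<?> facade) {
        List<String> missing = new ArrayList<>();
        for (Method m : facade.getDeclaredMethods())
            if (Modifier.isPublic(m.getModifiers()) && !m.isAnnotationPresent(AllowedRoles.class))
                missing.add(m.getName());
        return missing;
    }

    public static void main(String[] args) throws Exception {
        Set<String> anon = Set.of(), user = Set.of("USER"), admin = Set.of("USER", "ADMIN");
        Method lookup = SampleFacade.class.getMethod("postcodeLookup");
        System.out.println("anonymous -> signIn: " + mayInvoke(SampleFacade.class.getMethod("signIn"), anon));
        System.out.println("user -> postcodeLookup: " + mayInvoke(lookup, user));
        System.out.println("admin -> postcodeLookup: " + mayInvoke(lookup, admin));
        System.out.println("unannotated: " + unannotated(SampleFacade.class));
    }
}
```

Running the audit method over every facade class at start-up or in a build test surfaces a forgotten annotation before the method is ever called.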

Secured URL

Spring Security makes sure that a user has the required roles when trying to access a URL which should not be available to just anyone. This is done by URL prefix. For example, all URLs which start with /my/ are configured to be available to users after they sign in, and everything under /su/ is for admins only. Other prefixes belong to 3rd party packs and control access to a pack's URLs.