Extenral users can access the system in two ways:
Requesting a page
When a user enters URL into a browser, the browser goes to fetch a page (or any other resource such as picture or file). Security filter (Spring Security) checks if the user has permissions to access the URL. The user should have roles assigned to her allowing to access the URL or her request cannot proceed. Controller which handles the request also programmatically checks that the user does not attempt to operate on data which should not be accessible to her (e.g. view or modify someone else's resources).
Making AJAX call
Anonymous user has very limited permissions. After signing in, the system assigns roles set up for the user thus granting access to more pages, resources and AJAX calls.
The system currently does not support HTTPS. Every form (including sign in form) is submitted by AJAX via plain HTTP protocol.
There are the following core roles in the system:
The system assumes that a user is anonymous if she does not have any roles assigned. This is by default unless the user signs in.
This role is automatically assigned to every user after signing in. Such user can access member area.
Administrator can access admin area, other pages and bypass restrictions. As admin should have no restrictions then every method testing user roles must take this into account and let admin through.
User can modify content on her websites through control panel.
This role can be used for variety of things. Currently it is used to restrict access to expensive external resources which only allow limited requests per day (e.g. geo code or postcode lookup).
Other roles belong to 3rd party packs and control access to pack's features.
When admin wants to access user account she may put a shell of that user on and the system will treat her as that user but with admin permissions allowing her to do what the regular user could do plus admin functions. This is done to save time of designing special pages for users' administration. As the result some of the pages have special blocks only visible for super users. Such pages provide extra functionality for an admin with regular user functionality. The system stores admin data in user's session and restores it when she takes off the shell. Admin may only put a single user shell on.
Every method of every facade must be annotated with the roles which can access it. Even the methods which do not need any roles should have anonymous role defined. If a method does not have an annotation then this will result in error as a developer may have forgotten to secure possibly restricted information.
Spring Security makes sure that a user has required roles while trying to access URL which should not be available just to anyone. This is done by URL prefix. For example, all URLs which start with /my/ configured to be available to users after they sign in, everything under /su/ is for admins only. Other prefixes belong to 3rd party packs and control access to pack's URL.