Hi Shawn,

After some time, I've finally succeeded in hacking a workaround for the Fortress client implementation so that it is possible to filter the allowed attributes. Previously I successfully implemented Fortress SSO with CAS and page filtering, and now I've made a complete role-based IAM implementation (hooray).
Here is the example code for content filtering: https://github.com/yudhik/fortress-attribute-base-filtering.git

Now the question is how to give the idea back to the community. Tell me what I can do. Here is the list of what I did to implement a full-stack IAM for the web:

1. Hacking CAS to authenticate against Fortress instead of LDAP
2. Hacking the CAS client to get the Fortress session ID and principal
3. Creating a custom voter in my apps to populate roles and filter the allowed web pages
4. Creating a custom filter to filter the allowed page attributes

I hope the idea of my implementation can also help others to secure their apps.

Regards,
Yudhi Karunia Surtan
--------------------------------------
http://brainmasterexperience.com

On Fri, Nov 20, 2015 at 12:49 AM, Shawn McKinney <[email protected]> wrote:

>
>> On Nov 19, 2015, at 10:21 AM, Yudhi Karunia Surtan <[email protected]> wrote:
>>
>> Do you have any plan to introduce permission object attributes?
>> At this moment I see in LDAP that "ftObjNm" can have children with "ftOpNm".
>> Perhaps it is also possible to have other children like "ftAttNm" and allow it to map the role attributes inside those objects.
>>
>> Anyway, I only want to know what is inside your head about these feature enhancements in the future.
>
> Currently we can map objects to operations, e.g.:
>
> Customer.Read
>
> and can add object ids, e.g.:
>
> Customer.Read.123
>
> There are discussions of adding attributes. Perhaps we add a multi-occurring attribute to the ftOperation object class to support this use case.
>
>> On Nov 19, 2015, at 10:21 AM, Yudhi Karunia Surtan <[email protected]> wrote:
>>
>> The motivation behind my question is that when a specific user (registered in Fortress) asks Fortress for an object, Fortress could answer with one of these possibilities:
>>
>> a. access denied, because the user doesn't have permission to see that object
>> b. access granted; the object and its attributes are returned, but only the attributes that are mapped to his role
>> c. access granted, but since no attribute is mapped, only the object is returned
>
> Sounds like an interesting idea. There are a few other ideas floating around, so we should gather them all, create a JIRA ticket, and discuss the pros/cons of each.
>
>> On Nov 19, 2015, at 10:21 AM, Yudhi Karunia Surtan <[email protected]> wrote:
>>
>> Do you have any links or resources that I can read regarding this requirement?
>> I forget the document number for the standard combining RBAC and ABAC.
>
> Here it is. It discusses using ANSI INCITS 494 RBAC Policy Enhanced to combine attributes with roles:
>
> http://csrc.nist.gov/groups/SNS/rbac/documents/coyne-weil-13.pdf
>
> Shawn
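The three outcomes Yudhi lists in the quoted reply (a: denied, b: granted with only the role-mapped attributes, c: granted with the object only because no attributes are mapped) can be modelled as a single decision function over Shawn's `Object.Operation[.ObjectId]` permission shape. The following is an added illustration in Python and is not code from Apache Fortress or from the fortress-attribute-base-filtering repository; the `Permission` type, the `ROLE_PERMS` table and the sample customer record are constructed assumptions, and the attribute set is stored on the permission only to keep the toy self-contained, not because Fortress stores it that way.

```python
"""Toy decision model for the three outcomes discussed in the thread.

Added illustration, not code from Apache Fortress or from the
fortress-attribute-base-filtering repository. The Permission type, the
ROLE_PERMS table and the sample record are all constructed here.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Iterator, Optional, Set


@dataclass(frozen=True)
class Permission:
    """Object.Operation[.ObjectId] plus the attribute names a role may read.

    An empty ``attributes`` set means "the operation is allowed but no
    attributes are mapped" (outcome c). ``obj_id=None`` matches any id.
    """
    obj_name: str
    op_name: str
    obj_id: Optional[str] = None
    attributes: FrozenSet[str] = frozenset()


# Constructed role -> permission assignments (assumption, not Fortress data).
ROLE_PERMS: Dict[str, Set[Permission]] = {
    "support": {Permission("Customer", "Read",
                           attributes=frozenset({"name", "email"}))},
    "auditor": {Permission("Customer", "Read")},   # mapped op, no attributes
    "accountmgr": {Permission("Customer", "Read", obj_id="123",
                              attributes=frozenset({"name", "email", "creditLimit"}))},
}


@dataclass
class Decision:
    granted: bool
    obj_id: Optional[str] = None
    attributes: Dict[str, object] = field(default_factory=dict)


def matching_perms(roles: Iterable[str], obj_name: str, op_name: str,
                   obj_id: str) -> Iterator[Permission]:
    """Yield every permission in the activated roles that covers the request.

    A permission scoped to one id (Customer.Read.123) matches only that id;
    an unscoped one (Customer.Read) matches every id.
    """
    for role in roles:
        for perm in ROLE_PERMS.get(role, ()):
            if (perm.obj_name == obj_name and perm.op_name == op_name
                    and perm.obj_id in (None, obj_id)):
                yield perm


def check_access(roles: Iterable[str], obj_name: str, op_name: str,
                 obj_id: str, record: Dict[str, object]) -> Decision:
    """Return one of the three outcomes from the thread.

    a. no matching permission            -> denied, nothing returned
    b. permission with mapped attributes -> granted, record filtered to them
    c. permission with no attributes     -> granted, object id only
    Attributes mapped to no role (here "ssn") are never returned, so the
    filter fails closed rather than leaking unmapped fields.
    """
    perms = list(matching_perms(roles, obj_name, op_name, obj_id))
    if not perms:
        return Decision(granted=False)                                # a
    # RBAC semantics: the user gets the union of their roles' attributes.
    allowed: Set[str] = set().union(*(p.attributes for p in perms))
    if not allowed:
        return Decision(granted=True, obj_id=obj_id)                  # c
    filtered = {k: v for k, v in record.items() if k in allowed}
    return Decision(granted=True, obj_id=obj_id, attributes=filtered)  # b


# Constructed sample record; "ssn" is deliberately mapped to no role.
CUSTOMER_123 = {"name": "Acme Ltd", "email": "ap@example.com",
                "creditLimit": 5000, "ssn": "000-00-0000"}


if __name__ == "__main__":
    for roles in ({"guest"}, {"support"}, {"auditor"},
                  {"accountmgr"}, {"auditor", "support"}):
        print(sorted(roles), check_access(roles, "Customer", "Read",
                                          "123", CUSTOMER_123))
```

Two points the toy makes explicit: denial (a) is a distinct outcome from "granted but nothing mapped" (c), so a caller cannot mistake an empty attribute set for a refusal, and the attribute filter is an allowlist, so a field such as `ssn` that no role maps is withheld even from a user whose operation is permitted.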
