> On Dec 12, 2015, at 6:35 AM, Yudhi Karunia Surtan <[email protected]> 
> wrote:
> 
> Hi Shawn,
> 
> After some time, I have finally succeeded in hacking a workaround for the
> Fortress client implementation so that it is possible to do filtering of
> allowed attributes.
> Previously I successfully implemented Fortress SSO with CAS and page
> filtering, and now I've completed a full role-based security IAM
> implementation (hooray).
> 
> Here is the example code for content filtering:
> 
> https://github.com/yudhik/fortress-attribute-base-filtering.git
> 

I would characterize your work as a new web policy enforcement point (PEP). It
is interesting because it binds with Fortress in a novel way. It is valuable
because policy enforcement is where help is most needed (pain) with security,
and you demonstrate declarative policy enforcement (easy to use) that is
still capable of fine-grained enforcement (good).

> 
> Now the question is how to give the idea back to the community.
> Tell me what I can do.
> 
> Here is the list of what I did to implement a full-stack IAM for the web:
> 1. Hacking CAS to authenticate against Fortress instead of LDAP
> 2. Hacking the CAS client to get the Fortress session ID and principal
> 3. Creating a custom voter in my apps to populate roles and filter allowed
> web pages
> 4. Creating a custom filter to filter allowed page attributes
> 
> I hope the idea of my implementation can also help others to secure their
> apps.

This brings up the need for a separate conversation. The Apache Directory
Fortress sub-project needs a repository to house related policy enforcement
components. A healthy access management system will have dozens of ways in
which to use it, and it makes sense that there is a place to keep them.

We could also try to push your ideas into other projects, e.g. Spring, CAS, 
Shibboleth, but my inclination is to keep them close for the time being. 

Shawn
