Thanks for the answer Shawn.
The truth is that I didn't know the definition of role engineering. :)
In reality I am searching for a way to monitor authentication and access
on services/applications that could be widely adaptable. Authentication
for me was just a simple check, so I am fine with it and with how to report it.
The access monitoring control has put me into thoughts because I need to
define metric/s of that type (being widely adaptable), but the thing is
that the community is full of services and applications and I am not
sure how such a metric is of importance in a monitoring system.
On the other hand, perhaps I could refer to access only for RBAC
services/applications, starting from Fortress.
I'll check your posts for further information.
My regards,
Damian
On 7/28/2016 6:32 PM, Shawn McKinney wrote:
On Jul 28, 2016, at 9:40 AM, Damianos Metallidis <[email protected]> wrote:
Thanks a lot for your detailed answer.
I am in the process of monitoring Apache Fortress and am currently on the
access part. Based on the architecture of my monitoring system I should detect
and report inappropriate accesses. For example, in an RBAC situation a role has
access only to two certain links and not three.
I think the first tutorial is sufficient in order to do such checks.
You’re welcome Damian.
Please bear in mind that the first tutorial isn’t as much of a security how-to
as it is an integration how-to. For example it doesn’t apply page level
controls. For the first tutorial I wanted most of all to show how to embed an
access control system like Fortress in with a simple Web app.
The second one, apache fortress end-to-end security tutorial, has the complete
security coverage but it comes with added complexity of setting up the test
environment, with certs, database, etc.
But there’s a third tutorial:
https://github.com/shawnmckinney/role-engineering-sample
which provides a more plausible set of use cases along with a more complete
security strategy that uses Spring (in conjunction with Fortress) to ensure
the user can't bypass a secured link by manually entering the URL in the browser.
It has a selenium test class that demonstrates the positive and negative
security use cases:
https://github.com/shawnmckinney/role-engineering-sample/blob/master/src/test/java/org/rolesample/RoleSampleSeleniumITCase.java
Shawn
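The access metric Damian describes ("a role has access only to two certain links and not three") can be expressed as a check of observed requests against a per-role allow-list of links. The script below is an added example, not code from this thread, from Apache Fortress or from Shawn's tutorials; the log line format, the `ROLE_LINKS` policy and the sample log are all constructed for illustration. It separates two outcomes a monitoring system should count differently: an out-of-policy request the application blocked (the control worked, the metric records an attempt) and an out-of-policy request the application served (the enforcement failure, which is the bypass case Shawn's Selenium negative tests exercise). Requests under a role the policy does not know are reported as well, since they cannot be evaluated.

```python
"""Detect RBAC access-policy violations in application access logs.

Added example for a monitoring metric; the log format, policy and sample
data are constructed and are not Apache Fortress's own format or API.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical RBAC policy: the links each role is permitted to reach.
ROLE_LINKS = {
    "viewer": {"/page1", "/page2"},
    "editor": {"/page1", "/page2", "/page3"},
}

# Constructed log format: timestamp, user, effective role, method, path, HTTP status.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample log: one in-policy request, one blocked attempt,
# one served request outside the role's links, one unknown role, one junk line.
SAMPLE_LOG = """\
2016-07-28T18:32:01Z user=alice role=viewer GET /page1 200
2016-07-28T18:32:05Z user=alice role=viewer GET /page3 403
2016-07-28T18:32:09Z user=bob role=editor GET /page3 200
2016-07-28T18:32:14Z user=carol role=viewer GET /page3 200
2016-07-28T18:32:20Z user=dave role=guest GET /page1 200
this line is not in the expected format
"""


@dataclass
class Finding:
    kind: str   # "blocked_attempt", "enforcement_failure" or "unknown_role"
    user: str
    role: str
    path: str
    status: int


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry: dict, policy: dict = ROLE_LINKS) -> Optional[Finding]:
    """Return a Finding for an out-of-policy request, or None if the request is allowed."""
    role, path, status = entry["role"], entry["path"], entry["status"]
    if role not in policy:
        return Finding("unknown_role", entry["user"], role, path, status)
    if path in policy[role]:
        return None
    # A 2xx answer to a link the role may not reach means the control was bypassed;
    # any other status means the application refused the out-of-policy request.
    kind = "enforcement_failure" if 200 <= status < 300 else "blocked_attempt"
    return Finding(kind, entry["user"], role, path, status)


def audit(log_text: str, policy: dict = ROLE_LINKS):
    """Run the policy check over a log and return (findings, per-kind metrics)."""
    findings = []
    metrics = {"parsed": 0, "unparsed": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            metrics["unparsed"] += 1   # unparsable lines are a metric of their own
            continue
        metrics["parsed"] += 1
        finding = classify(entry, policy)
        if finding is not None:
            findings.append(finding)
            metrics[finding.kind] = metrics.get(finding.kind, 0) + 1
    return findings, metrics


if __name__ == "__main__":
    found, stats = audit(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:20} user={f.user} role={f.role} path={f.path} status={f.status}")
    print(stats)
```

The `enforcement_failure` count is the one worth alerting on, because it shows the application served a link the role should not reach; `blocked_attempt` is better tracked as a trend per role, and `unknown_role` points at a gap between the policy the monitor holds and the roles the application actually issues.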